On 12/04/2023 06:13, Trent W. Buck wrote:
> FYI,
>
> systemd's MemoryDenyWriteExecute=yes breaks "git grep" because of pcre2jit.
> An easy test command is something like this:
>
> $ journalctl --user -fn0 & # so you see the error
> $ systemd-run --property=MemoryDenyWriteExecute=yes --user git -C /srv/vcs/kb grep -Fwi mutt
> --error--> git[2289491]: fatal: Couldn't JIT the PCRE2 pattern 'mutt', got '-48'
>
> A real-world use case is hardening gitit.service,
> a git-based wiki <https://packages.debian.org/stable/gitit>.
> With MemoryDenyWriteExecute=yes, gitit works perfectly, EXCEPT for search (which uses
> "git grep" under the hood).
>
> Is there a way for a sysadmin to disable pcre2jit at runtime, e.g. with an
> environment variable?
>
> I understand it makes pcre2 slower, but I might actually prefer to make that
> security-vs-speed tradeoff.
>
> I looked at https://manpages.debian.org/pcre2jit but only found compile-time
> options.
Software authors that use pcre2 can opt to not use JIT (e.g. by
specifying PCRE2_NO_JIT in the arguments to pcre2_match, or by not calling
pcre2_jit_compile()). So I think if you wanted git to not use PCRE2's
JIT, the git authors would be the people to ask for that feature.

You could ask the PCRE2 authors to consider an environment variable to
disable JIT at runtime, but I suspect they'd say this was the sort of
thing that applications using PCRE2 should do instead.

Regards,
Matthew
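As an added example, not code from this thread or from git, pcre2 or systemd, here is a small C probe a sysadmin can run inside the hardened unit to see what MemoryDenyWriteExecute=yes actually denies: it attempts the two memory patterns a JIT needs (one RWX mapping, or a RW page later flipped to RX), and under the policy both fail with EPERM, which is why pcre2_jit_compile() has nowhere to put its generated code (PCRE2 reports that as PCRE2_ERROR_NOMEMORY, the -48 in the log above). The file name wxprobe.c and the struct/function names are my own.

```c
/* wxprobe.c: does this process get writable+executable memory? Added example,
 * not code from the thread, git, pcre2 or systemd. MemoryDenyWriteExecute=yes
 * installs a seccomp filter rejecting mmap() with PROT_WRITE|PROT_EXEC and
 * mprotect() with PROT_EXEC, so both probes fail with EPERM under it. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

struct wx_probe {
    int rwx_mmap_ok, mmap_errno;        /* one RWX anonymous mapping */
    int rw_to_rx_ok, mprotect_errno;    /* RW page flipped to RX afterwards */
};

/* Run both probes; every mapping is released before returning. */
struct wx_probe probe_wx(void) {
    struct wx_probe r = {0, 0, 0, 0};
    size_t page = (size_t)sysconf(_SC_PAGESIZE);

    /* Probe 1: the classic JIT allocation, writable and executable at once. */
    void *p = mmap(NULL, page, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) r.mmap_errno = errno;
    else { r.rwx_mmap_ok = 1; munmap(p, page); }

    /* Probe 2: write code into a RW page, then make it executable (W^X JIT). */
    void *q = mmap(NULL, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (q == MAP_FAILED) { r.mprotect_errno = errno; return r; }
    if (mprotect(q, page, PROT_READ | PROT_EXEC) == 0) r.rw_to_rx_ok = 1;
    else r.mprotect_errno = errno;
    munmap(q, page);
    return r;
}

int main(void) {
    struct wx_probe r = probe_wx();
    printf("mmap RWX:        %s\n", r.rwx_mmap_ok ? "allowed" : strerror(r.mmap_errno));
    printf("mprotect RW->RX: %s\n", r.rw_to_rx_ok ? "allowed" : strerror(r.mprotect_errno));
    /* Exit 0 if a JIT could run here, 1 if the process is W^X-restricted. */
    return (r.rwx_mmap_ok || r.rw_to_rx_ok) ? 0 : 1;
}
```

Built with `cc -o wxprobe wxprobe.c`, running it as `systemd-run --user --pty --property=MemoryDenyWriteExecute=yes ./wxprobe` should report "Operation not permitted" for both probes and exit 1, while the same binary run directly reports "allowed"; that is the quickest way to confirm the hardening is really applied to a unit before chasing JIT errors in its logs.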