FYI,
systemd's MemoryDenyWriteExecute=yes breaks "git grep" because of pcre2jit.
An easy test command is something like this:
$ journalctl --user -fn0 & # so you see the error
$ systemd-run --property=MemoryDenyWriteExecute=yes --user git -C /srv/vcs/kb grep -Fwi mutt
--error--> git[2289491]: fatal: Couldn't JIT the PCRE2 pattern 'mutt', got '-48'
A real-world use case is hardening gitit.service,
a git-based wiki <https://packages.debian.org/stable/gitit>.
With MemoryDenyWriteExecute=yes, gitit works perfectly, EXCEPT for search
(which uses "git grep" under the hood).
Is there a way for a sysadmin to disable pcre2jit at runtime, e.g. with an
environment variable?
I understand it makes pcre2 slower, but I might actually prefer to make that
security-vs-speed tradeoff.
I looked at https://manpages.debian.org/pcre2jit but only found compile-time
options.
See also https://github.com/systemd/systemd/issues/5970