-rw-r--r-- | sys-apps/gradm/ChangeLog | 7 | ||||
-rw-r--r-- | sys-apps/gradm/Manifest | 21 | ||||
-rw-r--r-- | sys-apps/gradm/files/digest-gradm-2.0-r1 | 1 | ||||
-rw-r--r-- | sys-apps/gradm/files/gradm2-cvs-20Jun2004.diff | 230 | ||||
-rw-r--r-- | sys-apps/gradm/gradm-2.0-r1.ebuild | 88 |
5 files changed, 332 insertions, 15 deletions
diff --git a/sys-apps/gradm/ChangeLog b/sys-apps/gradm/ChangeLog index f551a93bcadf..127799820a89 100644 --- a/sys-apps/gradm/ChangeLog +++ b/sys-apps/gradm/ChangeLog @@ -1,6 +1,11 @@ # ChangeLog for sys-apps/gradm # Copyright 2002-2004 Gentoo Technologies, Inc.; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/sys-apps/gradm/ChangeLog,v 1.32 2004/05/08 13:18:12 solar Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-apps/gradm/ChangeLog,v 1.33 2004/06/20 18:24:11 pfeifer Exp $ + +*gradm-2.0-r1 (20 Jun 2004) + + 20 Jun 2004; <pfeifer@gentoo.org> gradm-2.0-r1.ebuild: + Added patch to support changes to hardened-dev-sources-2.6.5-r5. 08 May 2004; <solar@gentoo.org> gradm-2.0.ebuild: removed unneeded dep of paxctl diff --git a/sys-apps/gradm/Manifest b/sys-apps/gradm/Manifest index 240530fcc7a2..28264b549494 100644 --- a/sys-apps/gradm/Manifest +++ b/sys-apps/gradm/Manifest 
@@ -1,19 +1,12 @@ ------BEGIN PGP SIGNED MESSAGE----- -Hash: SHA1 - -MD5 336c77b0c62688814bf5aa53e6969be0 ChangeLog 4797 +MD5 e90f8447085c749b073ac9b96ff719df gradm-1.9.14.ebuild 1650 MD5 c7a91944d74821f5abd399f1aa91010c gradm-2.0.ebuild 2324 +MD5 8eda56e04bad8a3260b35f9a090503f0 ChangeLog 4950 +MD5 2cc863ab3c5dbc9b1b3e2d73a5000f72 gradm-2.0-r1.ebuild 2511 MD5 9a09f8d531c582e78977dbfd96edc1f2 metadata.xml 164 -MD5 cc10e9aff7c1035daec6c5a83f48d7d1 gradm-1.9.14.ebuild 1651 +MD5 d171c9355d72f37bed011aa069c00726 files/grsecurity.rc 1820 +MD5 36344ecbd7f54bdd4979c2fe6322c9c7 files/grsecurity 2325 MD5 62ba83f9a7bd71b4011ad2a2cf48f4a3 files/digest-gradm-2.0 60 +MD5 264e377e7c3221570d3730444e84d792 files/gradm2-cvs-20Jun2004.diff 8251 MD5 c2618fc7963e008681dfd08db6886058 files/gradm_parse.c-1.9.x.patch 524 -MD5 36344ecbd7f54bdd4979c2fe6322c9c7 files/grsecurity 2325 -MD5 1f31101dab2d3a9deb64ea31bf7339e3 files/grsecurity.rc 1821 MD5 f008a8f1133ea0db35a4ee305d390c23 files/digest-gradm-1.9.14 63 ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.9.8 (GNU/Linux) - -iD8DBQFA0942HTu7gpaalycRAnLeAKDODxHTjr7ntsYL7YNRoakbkwgWagCeK4c1 -64iMrpBflR08ryZQVXp4uDY= -=sE8d ------END PGP SIGNATURE----- +MD5 62ba83f9a7bd71b4011ad2a2cf48f4a3 files/digest-gradm-2.0-r1 60 diff --git a/sys-apps/gradm/files/digest-gradm-2.0-r1 b/sys-apps/gradm/files/digest-gradm-2.0-r1 new file mode 100644 index 000000000000..48bc98e985b1 --- /dev/null +++ b/sys-apps/gradm/files/digest-gradm-2.0-r1 @@ -0,0 +1 @@ +MD5 4b1c99ec6ea415fcc75ac1b89edc90f0 gradm-2.0.tar.gz 48424 diff --git a/sys-apps/gradm/files/gradm2-cvs-20Jun2004.diff b/sys-apps/gradm/files/gradm2-cvs-20Jun2004.diff new file mode 100644 index 000000000000..0ba07710003e --- /dev/null +++ b/sys-apps/gradm/files/gradm2-cvs-20Jun2004.diff 
@@ -0,0 +1,230 @@ +diff -Naupr gradm2-release/Makefile gradm2-cvs-20Jun2004/Makefile +--- gradm2-release/Makefile 2004-04-03 23:19:40.000000000 -0600 ++++ gradm2-cvs-20Jun2004/Makefile 2004-06-17 20:51:29.000000000 -0500 +@@ -23,9 +23,8 @@ STRIP=/usr/bin/strip + #LIBS= + LIBS=-lfl + KERNVER=`uname -r | cut -d"." -f 2` +-#for sparc64 +-#OPT_FLAGS=-O2 -m64 -mcpu=ultrasparc -mcmodel=medlow -ffixed-g4 \ +-# -fcall-used-g5 -fcall-used-g5 -fcall-used-g7 -Wno-sign-compare ++#for 64-bit archs ++#OPT_FLAGS=-O2 -m64 + OPT_FLAGS=-O2 + CFLAGS=$(OPT_FLAGS) -DGRSEC_DIR=\"$(GRSEC_DIR)\" -DKERNVER=$(KERNVER) + LDFLAGS= +diff -Naupr gradm2-release/gradm_analyze.c gradm2-cvs-20Jun2004/gradm_analyze.c +--- gradm2-release/gradm_analyze.c 2004-03-02 14:42:31.000000000 -0600 ++++ gradm2-cvs-20Jun2004/gradm_analyze.c 2004-05-31 10:03:56.000000000 -0500 +@@ -319,9 +319,22 @@ analyze_acls(void) + struct chk_perm chk; + unsigned int errs_found = 0; + struct role_acl *role; ++ int def_role_found = 0; + + check_role_transitions(); + ++ for_each_role(role, current_role) ++ if (role->roletype & GR_ROLE_DEFAULT) ++ def_role_found = 1; ++ ++ if (!def_role_found) { ++ fprintf(stderr, "There is no default role present in your " ++ "configuration.\nPlease read the RBAC " ++ "documentation and create a default role before " ++ "attempting to enable the RBAC system.\n\n"); ++ exit(EXIT_FAILURE); ++ } ++ + for_each_role(role, current_role) { + if (role->roletype & GR_ROLE_SPECIAL) + continue; +diff -Naupr gradm2-release/gradm_arg.c gradm2-cvs-20Jun2004/gradm_arg.c +--- gradm2-release/gradm_arg.c 2004-04-03 10:22:56.000000000 -0600 ++++ gradm2-cvs-20Jun2004/gradm_arg.c 2004-06-12 04:04:36.000000000 -0500 +@@ -140,9 +140,8 @@ parse_args(int argc, char *argv[]) + show_help(); + entry.mode = GRADM_UNSPROLE; + check_acl_status(entry.mode); +- get_user_passwd(&entry, GR_PWONLY); + grarg = conv_user_to_kernel(&entry); +- transmit_to_kernel(grarg, sizeof (struct gr_arg)); ++ transmit_to_kernel(grarg); + 
memset(grarg, 0, sizeof (struct gr_arg)); + break; + case 'R': +@@ -157,7 +156,7 @@ parse_args(int argc, char *argv[]) + grarg = conv_user_to_kernel(&entry); + read_saltandpass(entry.rolename, grarg->salt, + grarg->sum); +- transmit_to_kernel(grarg, sizeof (struct gr_arg)); ++ transmit_to_kernel(grarg); + memset(grarg, 0, sizeof (struct gr_arg)); + break; + case 'M': +@@ -174,7 +173,7 @@ parse_args(int argc, char *argv[]) + conv_name_to_num(optarg, &entry.segv_dev, + &entry.segv_inode); + grarg = conv_user_to_kernel(&entry); +- transmit_to_kernel(grarg, sizeof (struct gr_arg)); ++ transmit_to_kernel(grarg); + memset(grarg, 0, sizeof (struct gr_arg)); + exit(EXIT_SUCCESS); + break; +@@ -185,7 +184,7 @@ parse_args(int argc, char *argv[]) + check_acl_status(entry.mode); + get_user_passwd(&entry, GR_PWONLY); + grarg = conv_user_to_kernel(&entry); +- if (transmit_to_kernel(grarg, sizeof (struct gr_arg))) ++ if (transmit_to_kernel(grarg)) + memset(grarg, 0, sizeof (struct gr_arg)); + else { + memset(grarg, 0, sizeof (struct gr_arg)); +@@ -246,7 +245,7 @@ parse_args(int argc, char *argv[]) + check_acl_status(entry.mode); + get_user_passwd(&entry, GR_PWONLY); + grarg = conv_user_to_kernel(&entry); +- transmit_to_kernel(grarg, sizeof (struct gr_arg)); ++ transmit_to_kernel(grarg); + memset(grarg, 0, sizeof (struct gr_arg)); + exit(EXIT_SUCCESS); + break; +@@ -258,7 +257,7 @@ parse_args(int argc, char *argv[]) + entry.mode = GRADM_SPROLE; + check_acl_status(entry.mode); + grarg = conv_user_to_kernel(&entry); +- transmit_to_kernel(grarg, sizeof (struct gr_arg)); ++ transmit_to_kernel(grarg); + memset(grarg, 0, sizeof (struct gr_arg)); + exit(EXIT_SUCCESS); + break; +@@ -298,7 +297,7 @@ parse_args(int argc, char *argv[]) + grarg = conv_user_to_kernel(&entry); + read_saltandpass(entry.rolename, grarg->salt, + grarg->sum); +- transmit_to_kernel(grarg, sizeof (struct gr_arg)); ++ transmit_to_kernel(grarg); + memset(grarg, 0, sizeof (struct gr_arg)); + } else if (gr_learn && 
gr_output) { + FILE *stream; +diff -Naupr gradm2-release/gradm_func.h gradm2-cvs-20Jun2004/gradm_func.h +--- gradm2-release/gradm_func.h 2004-03-30 19:20:18.000000000 -0600 ++++ gradm2-cvs-20Jun2004/gradm_func.h 2004-06-17 20:50:57.000000000 -0500 +@@ -1,7 +1,7 @@ + void yyerror(const char *s); + FILE *open_acl_file(const char *filename); + void get_user_passwd(struct gr_pw_entry *entry, int mode); +-int transmit_to_kernel(void *buf, unsigned long len); ++int transmit_to_kernel(struct gr_arg *buf); + void generate_salt(struct gr_pw_entry *entry); + void write_user_passwd(struct gr_pw_entry *entry); + void parse_acls(void); +@@ -126,3 +126,4 @@ void gr_dyn_free(void *addr); + void insert_acl_object(struct proc_acl *subject, struct file_acl *object); + void insert_acl_subject(struct role_acl *role, struct proc_acl *subject); + ++void insert_nested_acl_subject(struct proc_acl *subject); +diff -Naupr gradm2-release/gradm_lib.c gradm2-cvs-20Jun2004/gradm_lib.c +--- gradm2-release/gradm_lib.c 2004-03-07 18:22:09.000000000 -0600 ++++ gradm2-cvs-20Jun2004/gradm_lib.c 2004-06-17 20:50:57.000000000 -0500 +@@ -554,3 +554,8 @@ void insert_acl_subject(struct role_acl + return; + } + ++void insert_nested_acl_subject(struct proc_acl *subject) ++{ ++ subject->hash = create_hash_table(GR_HASH_OBJECT); ++ return; ++} +diff -Naupr gradm2-release/gradm_misc.c gradm2-cvs-20Jun2004/gradm_misc.c +--- gradm2-release/gradm_misc.c 2004-03-09 19:45:17.000000000 -0600 ++++ gradm2-cvs-20Jun2004/gradm_misc.c 2004-06-12 23:12:04.000000000 -0500 +@@ -14,17 +14,18 @@ open_acl_file(const char *filename) + } + + int +-transmit_to_kernel(void *buf, unsigned long len) ++transmit_to_kernel(struct gr_arg *buf) + { + int fd; + int err = 0; ++ void *pbuf = buf; + + if ((fd = open(GRDEV_PATH, O_WRONLY)) < 0) { + fprintf(stderr, "Could not open %s.\n", GRDEV_PATH); + failure("open"); + } + +- if (write(fd, buf, len) != len) { ++ if (write(fd, &pbuf, sizeof(struct gr_arg *)) != sizeof(struct gr_arg *)) { + 
err = 1; + switch (errno) { + case EFAULT: +@@ -65,6 +66,7 @@ void check_acl_status(__u16 reqmode) + int fd; + int retval; + struct gr_arg arg; ++ struct gr_arg *parg = &arg; + + arg.mode = GRADM_STATUS; + +@@ -73,7 +75,7 @@ void check_acl_status(__u16 reqmode) + failure("open"); + } + +- retval = write(fd, &arg, sizeof(arg)); ++ retval = write(fd, &parg, sizeof(struct gr_arg *)); + close(fd); + + switch (reqmode) { +diff -Naupr gradm2-release/gradm_newlearn.c gradm2-cvs-20Jun2004/gradm_newlearn.c +--- gradm2-release/gradm_newlearn.c 2004-04-06 14:09:33.000000000 -0500 ++++ gradm2-cvs-20Jun2004/gradm_newlearn.c 2004-06-17 21:50:20.000000000 -0500 +@@ -1652,7 +1652,10 @@ insert_learn_role(struct gr_learn_role_e + (*((*role_list) + num)) = (struct gr_learn_role_entry *)gr_stat_alloc(sizeof(struct gr_learn_role_entry)); + (*((*role_list) + num))->rolename = rolename; + (*((*role_list) + num))->rolemode = rolemode; +- ++ ++ /* give every learned role a / subject */ ++ insert_learn_role_subject(*((*role_list) + num), conv_filename_to_struct("/", GR_FIND)); ++ + return (*((*role_list) + num)); + } + +diff -Naupr gradm2-release/gradm_opt.c gradm2-cvs-20Jun2004/gradm_opt.c +--- gradm2-release/gradm_opt.c 2004-03-30 19:20:18.000000000 -0600 ++++ gradm2-cvs-20Jun2004/gradm_opt.c 2004-05-08 14:26:47.000000000 -0500 +@@ -10,11 +10,10 @@ expand_acl(struct proc_acl *proc, struct + strcpy(tmpproc, proc->filename); + + while (parent_dir(proc->filename, &tmpproc)) { +- for_each_subject(tmpp, role) { +- if (!strcmp(tmpproc, tmpp->filename)) { +- proc->parent_subject = tmpp; +- return; +- } ++ tmpp = lookup_acl_subject_by_name(role, tmpproc); ++ if (tmpp) { ++ proc->parent_subject = tmpp; ++ return; + } + } + +diff -Naupr gradm2-release/gradm_parse.c gradm2-cvs-20Jun2004/gradm_parse.c +--- gradm2-release/gradm_parse.c 2004-04-03 11:18:11.000000000 -0600 ++++ gradm2-cvs-20Jun2004/gradm_parse.c 2004-06-17 20:50:57.000000000 -0500 +@@ -565,7 +565,12 @@ add_proc_subject_acl(struct 
role_acl *ro + return 0; + } + +- insert_acl_subject(role, p); ++ /* don't insert nested subjects into main hash */ ++ if (!(flag & GR_FFAKE)) ++ insert_acl_subject(role, p); ++ else ++ insert_nested_acl_subject(p); ++ + current_subject = p; + + return 1; diff --git a/sys-apps/gradm/gradm-2.0-r1.ebuild b/sys-apps/gradm/gradm-2.0-r1.ebuild new file mode 100644 index 000000000000..188669e0e49c --- /dev/null +++ b/sys-apps/gradm/gradm-2.0-r1.ebuild 
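Review bot: The new transmit_to_kernel() in the gradm_misc.c hunk writes the address of the struct (`write(fd, &pbuf, sizeof(struct gr_arg *))`) rather than its contents, so the bytes crossing the device boundary are a raw user-space pointer whose width must match the kernel's; a 32-bit gradm against a 64-bit kernel would write 4 bytes where 8 are expected and would surface only as a generic write failure, and the Makefile hunk's commented `#OPT_FLAGS=-O2 -m64` is the only trace of that requirement. The contract deserves a comment at the new signature, e.g. `/* The grsec device now takes a pointer to a struct gr_arg, not the struct itself; the pointer width must match the running kernel's, so build gradm for the kernel's word size. */`, and the same convention recurs in check_acl_status later in the same file (`write(fd, &parg, sizeof(struct gr_arg *))`). In the gradm_analyze.c hunk the default-role scan is an unbraced for/if that could `break` on the first match; bracing it would also guard against a dangling-statement slip when the loop body grows. transmit_to_kernel's error handling continues outside the hunk.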
@@ -0,0 +1,88 @@ +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/sys-apps/gradm/gradm-2.0-r1.ebuild,v 1.1 2004/06/20 18:24:11 pfeifer Exp $ + +inherit flag-o-matic gcc + +#MY_PV=2.0-${PV/*_/} + +MAINTAINER="solar@gentoo.org" +DESCRIPTION="Administrative interface for grsecuritys2 access control lists" +HOMEPAGE="http://www.grsecurity.net/" +SRC_URI="http://www.grsecurity.net/gradm-${PV}.tar.gz" + +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="~x86 ~ppc ~sparc ~arm ~amd64" ; # ~alpha" +IUSE="" + +DEPEND="virtual/glibc + sys-devel/bison + sys-devel/flex + sys-apps/chpax" + +S="${WORKDIR}/${PN}2" + +src_unpack() { + unpack ${A} + cd ${S} + + # Fixup for hardened-dev-sources-2.6.5-r5 + ebegin "Patching gradm 2.0 sources with a few cvs fixes" + patch -p1 -s -N -E -d ${S} < ${FILESDIR}/gradm2-cvs-20Jun2004.diff || die + eend $? + + # (Jan 03 2004) - <solar@gentoo> + # static linking required for proper operation of gradm + # however ssp is known to break static linking when it's enabled + # in >=gcc-3.3.1 && <=gcc-3.3.2-r5 . So we strip ssp if needed. + gmicro=$(gcc-micro-version) + if [ "$(gcc-version)" == "3.3" -a -n "${gmicro}" -a ${gmicro} -le 2 ]; then + # extract out gentoo revision + gentoo_gcc_r=$($(gcc-getCC) -v 2>&1 | tail -n 1 | awk '{print $7}') + gentoo_gcc_r=${gentoo_gcc_r/,/} + gentoo_gcc_r=${gentoo_gcc_r/-/ } + gentoo_gcc_r=${gentoo_gcc_r:7} + [ -n "${gentoo_gcc_r}" -a ${gentoo_gcc_r} -le 5 ] && \ + filter-flags -fstack-protector -fstack-protector-all + fi + + ebegin "Patching Makefile to use gentoo CFLAGS" + sed -i -e "s|-O2|${CFLAGS}|" Makefile + eend $? + +} + +src_compile() { + cd ${S} + emake CC="$(gcc-getCC)" || die "compile problem" +} + +src_install() { + cd ${S} + # Were not ready for init.d,script functions yet. 
+ #exeinto /etc/init.d + #newexe ${FILESDIR}/grsecurity2.rc grsecurity2 + #insinto /etc/conf.d + #doins ${FILESDIR}/grsecurity2 + + mkdir -p -m 700 ${D}/etc/grsec + doman gradm.8 + dodoc acl + + into / + dosbin grlearn gradm || die + + # Normal users can authenticate to special roles now and thus + # need execution permission on gradm2. We remove group,other readable bits + # to help ensure that our gradm2 binary is as protected from misbehaving users. + fperms 711 ${D}/sbin/gradm +} + +pkg_postinst() { + if [ ! -e /dev/grsec ] ; then + einfo "Making character device for grsec2 learning mode" + mkdir -p -m 755 /dev/ + mknod -m 0622 /dev/grsec c 1 10 || die "Cant mknod for grsec learning device" + fi +} |
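Review bot: `fperms 711 ${D}/sbin/gradm` in src_install hands an absolute image path to a helper that, as far as I can tell, prepends ${D} itself, so the chmod most likely targets a non-existent ${D}${D}/sbin/gradm and fails silently, leaving gradm at the default 0755 and undoing the world-unreadable intent stated in the comment just above it; it should read `fperms 711 /sbin/gradm || die`, or at minimum the result should be checked. The same comment refers to a `gradm2` binary while the installed path is /sbin/gradm. In pkg_postinst the `mknod -m 0622 /dev/grsec` node is created outside the package's file list, so it is never removed on unmerge and its world-writable mode is invisible to anyone auditing the installed package; a one-line comment stating why the node must be writable by unprivileged users (they authenticate to special roles through the 0711 gradm binary) would make that deliberate. `die` inside pkg_postinst runs after the package is already merged, so `eerror`/`ewarn` is the more appropriate failure path there.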