summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'sys-apps/gradm/files')
-rw-r--r--sys-apps/gradm/files/digest-gradm-1.9.141
-rw-r--r--sys-apps/gradm/files/grsecurity32
-rw-r--r--sys-apps/gradm/files/grsecurity.rc40
3 files changed, 36 insertions, 37 deletions
diff --git a/sys-apps/gradm/files/digest-gradm-1.9.14 b/sys-apps/gradm/files/digest-gradm-1.9.14
new file mode 100644
index 000000000000..9a774cb0ae51
--- /dev/null
+++ b/sys-apps/gradm/files/digest-gradm-1.9.14
@@ -0,0 +1 @@
+MD5 64b4f00004d24eeca54ef7b6f0885ded gradm-1.9.14.tar.gz 32139
diff --git a/sys-apps/gradm/files/grsecurity b/sys-apps/gradm/files/grsecurity
index 2352dfbe21bd..e746201aced4 100644
--- a/sys-apps/gradm/files/grsecurity
+++ b/sys-apps/gradm/files/grsecurity
@@ -1,22 +1,8 @@
# GR Security toggles.
#
+# Note: chpax support has been removed from this init script.
+# Configure /etc/conf.d/chpax instead
-# Files that we should remove PAGE_EXEC enforcement from
-PAGE_EXEC_EXEMPT="/usr/X11R6/bin/XFree86 /usr/lib/wine/bin/wine"
-
-# Files we should turn off trampoline emmulation for
-TRAMPOLINE_EXEMPT=""
-
-# Files we should not restrict mprotect on
-MPROTECT_EXEMPT=""
-
-# Files we should not randomize mmap for
-MMAP_EXEMPT=""
-
-# Files not to enforce segmentation based non-executable pages
-SEGMENTATION_EXEMPT="${PAGE_EXEC_EXEMPT}"
-
-#
# Check your running kernel for valid options.
# "sysctl -a | grep kernel.grsecurity. | cut -d '.' -f 3 | awk '{print $1}'"
#
@@ -80,8 +66,22 @@ SEGMENTATION_EXEMPT="${PAGE_EXEC_EXEMPT}"
# tpe_glibc
# tpe_restrict_all
+# Strict set with negligible performance impact:
+#ENABLED="audit_chdir audit_group audit_ipc audit_mount chroot_caps \
+# chroot_deny_chmod chroot_deny_chroot chroot_deny_fchdir \
+# chroot_deny_mknod chroot_deny_mount chroot_deny_pivot \
+# chroot_deny_shmat chroot_deny_sysctl chroot_deny_unix \
+# chroot_enforce_chdir chroot_execlog chroot_findtask \
+# chroot_restrict_nice dmesg exec_logging execve_limiting \
+# fifo_restrictions forkfail_logging linking_restrictions rand_isns \
+# rand_ip_ids rand_pids rand_rpc rand_tcp_src_ports signal_logging \
+# socket_all socket_client socket_server timechange_logging tpe"
+
ENABLED=""
+# Set when audit_group is enabled
+audit_gid=1007
+
# Set when allow_ptrace_group is enabled
ptrace_gid=10
diff --git a/sys-apps/gradm/files/grsecurity.rc b/sys-apps/gradm/files/grsecurity.rc
index b4a9ed4303ff..679100bd6dc5 100644
--- a/sys-apps/gradm/files/grsecurity.rc
+++ b/sys-apps/gradm/files/grsecurity.rc
@@ -1,12 +1,17 @@
#!/sbin/runscript
# Copyright 1999-2003 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-apps/gradm/files/grsecurity.rc,v 1.7 2003/06/16 18:37:01 solar Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/gradm/files/grsecurity.rc,v 1.8 2004/03/11 22:45:09 eradicator Exp $
+
+# Note: chpax support has been removed from this init script.
+# Configure /etc/conf.d/chpax and add chpax to your default runlevel instead
+
PROCDIR=/proc/sys/kernel/grsecurity
depend() {
need bootmisc localmount
+ after chpax
}
checkconfig() {
@@ -25,22 +30,35 @@ start() {
# [ -f ${PROCDIR}/${x} ] && continue
# einfo "\tEnabling kernel.grsecurity.${x}"
case "${x}" in
+ audit_group)
+ echo ${audit_gid} > ${PROCDIR}/audit_gid
+ echo 1 > ${PROCDIR}/${x}
+ ;;
+ tpe)
+ echo ${tpe_gid} > ${PROCDIR}/tpe_gid
+ echo 1 > ${PROCDIR}/${x}
+ ;;
allow_ptrace_group)
echo ${ptrace_gid} > ${PROCDIR}/ptrace_gid
+ echo 1 > ${PROCDIR}/${x}
;;
fork_bomb_prot)
echo ${fork_bomb_gid} >${PROCDIR}/fork_bomb_gid
echo ${fork_bomb_sec} >${PROCDIR}/fork_bomb_sec
echo ${fork_bomb_max} >${PROCDIR}/fork_bomb_max
+ echo 1 > ${PROCDIR}/${x}
;;
socket_all)
echo ${socket_all_gid} >${PROCDIR}/socket_all_gid
+ echo 1 > ${PROCDIR}/${x}
;;
socket_client)
echo ${socket_client_gid} >${PROCDIR}/socket_client_gid
+ echo 1 > ${PROCDIR}/${x}
;;
socket_server)
echo ${socket_server_gid} >${PROCDIR}/socket_server_gid
+ echo 1 > ${PROCDIR}/${x}
;;
*)
[ -f ${PROCDIR}/${x} ] && echo 1 >${PROCDIR}/${x}
@@ -48,26 +66,6 @@ start() {
esac
done
- for x in ${PAGE_EXEC_EXEMPT} ; do
- [ -f ${x} ] && /sbin/chpax -p ${x}
- done
-
- for x in ${TRAMPOLINE_EXEMPT} ; do
- [ -f ${x} ] && /sbin/chpax -e ${x}
- done
-
- for x in ${MPROTECT_EXEMPT} ; do
- [ -f ${x} ] && /sbin/chpax -m ${x}
- done
-
- for x in ${MMAP_EXEMPT} ; do
- [ -f ${x} ] && /sbin/chpax -r ${x}
- done
-
- for x in ${SEGMENTATION_EXEMPT} ; do
- [ -f ${x} ] && /sbin/chpax -s ${x}
- done
-
[ -f ${PROCDIR}/grsec_lock ] && echo ${LOCK} >${PROCDIR}/grsec_lock
eend ${?}