Diffstat (limited to 'sys-apps/gradm/files')
-rw-r--r-- | sys-apps/gradm/files/digest-gradm-1.9.14 | 1 | ||||
-rw-r--r-- | sys-apps/gradm/files/grsecurity | 32 | ||||
-rw-r--r-- | sys-apps/gradm/files/grsecurity.rc | 40 |
3 files changed, 36 insertions, 37 deletions
diff --git a/sys-apps/gradm/files/digest-gradm-1.9.14 b/sys-apps/gradm/files/digest-gradm-1.9.14
new file mode 100644
index 000000000000..9a774cb0ae51
--- /dev/null
+++ b/sys-apps/gradm/files/digest-gradm-1.9.14
@@ -0,0 +1 @@
+MD5 64b4f00004d24eeca54ef7b6f0885ded gradm-1.9.14.tar.gz 32139
diff --git a/sys-apps/gradm/files/grsecurity b/sys-apps/gradm/files/grsecurity
index 2352dfbe21bd..e746201aced4 100644
--- a/sys-apps/gradm/files/grsecurity
+++ b/sys-apps/gradm/files/grsecurity
@@ -1,22 +1,8 @@
 # GR Security toggles.
 #
+# Note: chpax support has been removed from this init script.
+# Configure /etc/conf.d/chpax instead
-# Files that we should remove PAGE_EXEC enforcement from
-PAGE_EXEC_EXEMPT="/usr/X11R6/bin/XFree86 /usr/lib/wine/bin/wine"
-
-# Files we should turn off trampoline emmulation for
-TRAMPOLINE_EXEMPT=""
-
-# Files we should not restrict mprotect on
-MPROTECT_EXEMPT=""
-
-# Files we should not randomize mmap for
-MMAP_EXEMPT=""
-
-# Files not to enforce segmentation based non-executable pages
-SEGMENTATION_EXEMPT="${PAGE_EXEC_EXEMPT}"
-
-#
 # Check your running kernel for valid options.
 # "sysctl -a | grep kernel.grsecurity. | cut -d '.' -f 3 | awk '{print $1}'"
 #
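Review bot: The new header comment in /etc/conf.d/grsecurity points to /etc/conf.d/chpax but does not tell an administrator that any PAGE_EXEC_EXEMPT, TRAMPOLINE_EXEMPT, MPROTECT_EXEMPT, MMAP_EXEMPT or SEGMENTATION_EXEMPT values kept in an existing config are now silently ignored, so a host that relied on the shipped XFree86/wine PAGE_EXEC exemption loses it on upgrade with no message (the rc script no longer reads those variables, as the removed chpax loops later in this diff show). Suggest extending the note: `# Any *_EXEMPT lists from older versions of this file are no longer read;` / `# move them to /etc/conf.d/chpax, otherwise the listed binaries run with PaX fully enforced.` Whether those binaries then fail to start is kernel-dependent and not something this diff establishes.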
@@ -80,8 +66,22 @@ SEGMENTATION_EXEMPT="${PAGE_EXEC_EXEMPT}"
 # tpe_glibc
 # tpe_restrict_all
+# Strict set with negligible performance impact:
+#ENABLED="audit_chdir audit_group audit_ipc audit_mount chroot_caps \
+# chroot_deny_chmod chroot_deny_chroot chroot_deny_fchdir \
+# chroot_deny_mknod chroot_deny_mount chroot_deny_pivot \
+# chroot_deny_shmat chroot_deny_sysctl chroot_deny_unix \
+# chroot_enforce_chdir chroot_execlog chroot_findtask \
+# chroot_restrict_nice dmesg exec_logging execve_limiting \
+# fifo_restrictions forkfail_logging linking_restrictions rand_isns \
+# rand_ip_ids rand_pids rand_rpc rand_tcp_src_ports signal_logging \
+# socket_all socket_client socket_server timechange_logging tpe"
 ENABLED=""
+# Set when audit_group is enabled
+audit_gid=1007
+
 # Set when allow_ptrace_group is enabled
 ptrace_gid=10
diff --git a/sys-apps/gradm/files/grsecurity.rc b/sys-apps/gradm/files/grsecurity.rc
index b4a9ed4303ff..679100bd6dc5 100644
--- a/sys-apps/gradm/files/grsecurity.rc
+++ b/sys-apps/gradm/files/grsecurity.rc
@@ -1,12 +1,17 @@
 #!/sbin/runscript
 # Copyright 1999-2003 Gentoo Technologies, Inc.
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-apps/gradm/files/grsecurity.rc,v 1.7 2003/06/16 18:37:01 solar Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/gradm/files/grsecurity.rc,v 1.8 2004/03/11 22:45:09 eradicator Exp $
+
+# Note: chpax support has been removed from this init script.
+# Configure /etc/conf.d/chpax and add chpax to your default runlevel instead
+
 PROCDIR=/proc/sys/kernel/grsecurity
 depend() {
 	need bootmisc localmount
+	after chpax
 }
 checkconfig() {
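Review bot: The commented "strict set" example enables `tpe`, `socket_all`, `socket_client` and `socket_server`, each of which the init script configures from a gid variable (`tpe_gid`, `socket_all_gid`, `socket_client_gid`, `socket_server_gid`) before writing `1`, yet this hunk only introduces `audit_gid`; if those variables are not set elsewhere in this file, uncommenting the example makes the rc script echo an empty line into the gid sysctl and then turn the restriction on, and what gid the kernel then enforces is not visible from this diff. The hard-coded `audit_gid=1007` likewise assumes a group with that id exists on the host. Suggest a line above the example: `# Before enabling this set make sure tpe_gid and the socket_*_gid variables below are set to existing groups (getent group <gid>); an unset gid is written as an empty value.`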
@@ -25,22 +30,35 @@ start() {
 #		[ -f ${PROCDIR}/${x} ] && continue
 #		einfo "\tEnabling kernel.grsecurity.${x}"
 		case "${x}" in
+			audit_group)
+				echo ${audit_gid} > ${PROCDIR}/audit_gid
+				echo 1 > ${PROCDIR}/${x}
+				;;
+			tpe)
+				echo ${tpe_gid} > ${PROCDIR}/tpe_gid
+				echo 1 > ${PROCDIR}/${x}
+				;;
 			allow_ptrace_group)
 				echo ${ptrace_gid} > ${PROCDIR}/ptrace_gid
+				echo 1 > ${PROCDIR}/${x}
 				;;
 			fork_bomb_prot)
 				echo ${fork_bomb_gid} >${PROCDIR}/fork_bomb_gid
 				echo ${fork_bomb_sec} >${PROCDIR}/fork_bomb_sec
 				echo ${fork_bomb_max} >${PROCDIR}/fork_bomb_max
+				echo 1 > ${PROCDIR}/${x}
 				;;
 			socket_all)
 				echo ${socket_all_gid} >${PROCDIR}/socket_all_gid
+				echo 1 > ${PROCDIR}/${x}
 				;;
 			socket_client)
 				echo ${socket_client_gid} >${PROCDIR}/socket_client_gid
+				echo 1 > ${PROCDIR}/${x}
 				;;
 			socket_server)
 				echo ${socket_server_gid} >${PROCDIR}/socket_server_gid
+				echo 1 > ${PROCDIR}/${x}
 				;;
 			*)
 				[ -f ${PROCDIR}/${x} ] && echo 1 >${PROCDIR}/${x}
@@ -48,26 +66,6 @@ start() {
 		esac
 	done
-	for x in ${PAGE_EXEC_EXEMPT} ; do
-		[ -f ${x} ] && /sbin/chpax -p ${x}
-	done
-
-	for x in ${TRAMPOLINE_EXEMPT} ; do
-		[ -f ${x} ] && /sbin/chpax -e ${x}
-	done
-
-	for x in ${MPROTECT_EXEMPT} ; do
-		[ -f ${x} ] && /sbin/chpax -m ${x}
-	done
-
-	for x in ${MMAP_EXEMPT} ; do
-		[ -f ${x} ] && /sbin/chpax -r ${x}
-	done
-
-	for x in ${SEGMENTATION_EXEMPT} ; do
-		[ -f ${x} ] && /sbin/chpax -s ${x}
-	done
-
 	[ -f ${PROCDIR}/grsec_lock ] && echo ${LOCK} >${PROCDIR}/grsec_lock
 	eend ${?}
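Review bot: The new `audit_group` and `tpe` arms, and the `echo 1 > ${PROCDIR}/${x}` lines added to `allow_ptrace_group`, `fork_bomb_prot` and the `socket_*` arms, write the gid variable and then `1` unconditionally, dropping both the `[ -f ${PROCDIR}/${x} ]` existence check that the `*)` arm still performs and any check that the gid variable is set; with `tpe_gid` unset (it is defined nowhere in this diff) the script echoes an empty line into `tpe_gid` and then enables `tpe`, so enforcement applies to whatever gid the kernel already held — presumably its compiled-in default, which cannot be confirmed from here. A small helper that verifies the sysctl exists and the value is non-empty before writing, and fails the arm loudly, would make every toggle safe and also quote the expansions; `start()` opens before the first hunk and its closing brace lies past the second, so the helper would sit next to `checkconfig()` outside the shown lines. The sketch below assumes `ewarn`/`eerror` are available the way `einfo` already is in this runscript.
```shell
# Write value ${2} to the grsecurity sysctl ${1}; refuse to touch a toggle
# the running kernel lacks or one whose value was never configured.
set_grsec() {
	[ -f "${PROCDIR}/${1}" ] || { ewarn "kernel.grsecurity.${1} not available in this kernel"; return 1; }
	[ -n "${2}" ] || { eerror "kernel.grsecurity.${1} requested but no value set in /etc/conf.d/grsecurity"; return 1; }
	echo "${2}" > "${PROCDIR}/${1}"
}

# … unchanged: start() up to the case statement …
			audit_group)
				set_grsec audit_gid "${audit_gid}" && set_grsec "${x}" 1
				;;
			tpe)
				set_grsec tpe_gid "${tpe_gid}" && set_grsec "${x}" 1
				;;
			allow_ptrace_group)
				set_grsec ptrace_gid "${ptrace_gid}" && set_grsec "${x}" 1
				;;
# … unchanged: fork_bomb_prot and socket_* arms follow the same pattern, then the *) arm …
```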