author | Anthony G. Basile <blueness@gentoo.org> | 2013-06-20 20:40:47 -0400 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2013-06-20 20:40:47 -0400 |
commit | 845d88931e05031ae2fad88e07f2614be2f698b8 (patch) | |
tree | 7721033842a868a29fcd3c4d6fd0272a8213ab73 /3.2.46/4450_grsec-kconfig-default-gids.patch | |
parent | Add 4427_force_XATTR_PAX_tmpfs patch (diff) | |
Grsec/PaX: 2.9.1-{2.6.32.61,3.2.47,3.9.6}-20130618203320130618
Diffstat (limited to '3.2.46/4450_grsec-kconfig-default-gids.patch')
-rw-r--r-- | 3.2.46/4450_grsec-kconfig-default-gids.patch | 111 |
1 files changed, 0 insertions, 111 deletions
diff --git a/3.2.46/4450_grsec-kconfig-default-gids.patch b/3.2.46/4450_grsec-kconfig-default-gids.patch
deleted file mode 100644
index c882e28..0000000
--- a/3.2.46/4450_grsec-kconfig-default-gids.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-From: Anthony G. Basile <blueness@gentoo.org>
-Updated patch for the new Kconfig system in grsec 2.9.1
-
----
-From: Kerin Millar <kerframil@gmail.com>
-
-grsecurity contains a number of options which allow certain protections
-to be applied to or exempted from members of a given group. However, the
-default GIDs specified in the upstream patch are entirely arbitrary and
-there is no telling which (if any) groups the GIDs will correlate with
-on an end-user's system. Because some users don't pay a great deal of
-attention to the finer points of kernel configuration, it is probably
-wise to specify some reasonable defaults so as to stop careless users
-from shooting themselves in the foot.
-
-diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
---- a/grsecurity/Kconfig 2012-10-13 09:51:35.000000000 -0400
-+++ b/grsecurity/Kconfig 2012-10-13 09:52:32.000000000 -0400
-@@ -610,7 +610,7 @@
- config GRKERNSEC_AUDIT_GID
- int "GID for auditing"
- depends on GRKERNSEC_AUDIT_GROUP
-- default 1007
-+ default 100
-
- config GRKERNSEC_EXECLOG
- bool "Exec logging"
-@@ -830,7 +830,7 @@
- config GRKERNSEC_TPE_UNTRUSTED_GID
- int "GID for TPE-untrusted users"
- depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
-- default 1005
-+ default 100
- help
- Setting this GID determines what group TPE restrictions will be
- *enabled* for. If the sysctl option is enabled, a sysctl option
-@@ -839,7 +839,7 @@
- config GRKERNSEC_TPE_TRUSTED_GID
- int "GID for TPE-trusted users"
- depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
-- default 1005
-+ default 10
- help
- Setting this GID determines what group TPE restrictions will be
- *disabled* for. If the sysctl option is enabled, a sysctl option
-@@ -932,7 +932,7 @@
- config GRKERNSEC_SOCKET_ALL_GID
- int "GID to deny all sockets for"
- depends on GRKERNSEC_SOCKET_ALL
-- default 1004
-+ default 65534
- help
- Here you can choose the GID to disable socket access for. Remember to
- add the users you want socket access disabled for to the GID
-@@ -953,7 +953,7 @@
- config GRKERNSEC_SOCKET_CLIENT_GID
- int "GID to deny client sockets for"
- depends on GRKERNSEC_SOCKET_CLIENT
-- default 1003
-+ default 65534
- help
- Here you can choose the GID to disable client socket access for.
- Remember to add the users you want client socket access disabled for to
-@@ -971,7 +971,7 @@
- config GRKERNSEC_SOCKET_SERVER_GID
- int "GID to deny server sockets for"
- depends on GRKERNSEC_SOCKET_SERVER
-- default 1002
-+ default 65534
- help
- Here you can choose the GID to disable server socket access for.
- Remember to add the users you want server socket access disabled for to
-diff -Nuar a/security/Kconfig b/security/Kconfig
---- a/security/Kconfig 2012-10-13 09:51:35.000000000 -0400
-+++ b/security/Kconfig 2012-10-13 09:52:59.000000000 -0400
-@@ -193,7 +193,7 @@
-
- config GRKERNSEC_PROC_GID
- int "GID exempted from /proc restrictions"
-- default 1001
-+ default 10
- help
- Setting this GID determines which group will be exempted from
- grsecurity's /proc restrictions, allowing users of the specified
-@@ -204,7 +204,7 @@
- config GRKERNSEC_TPE_UNTRUSTED_GID
- int "GID for TPE-untrusted users"
- depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
-- default 1005
-+ default 100
- help
- Setting this GID determines which group untrusted users should
- be added to. These users will be placed under grsecurity's Trusted Path
-@@ -216,7 +216,7 @@
- config GRKERNSEC_TPE_TRUSTED_GID
- int "GID for TPE-trusted users"
- depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
-- default 1005
-+ default 10
- help
- Setting this GID determines what group TPE restrictions will be
- *disabled* for. If the sysctl option is enabled, a sysctl option
-@@ -225,7 +225,7 @@
- config GRKERNSEC_SYMLINKOWN_GID
- int "GID for users with kernel-enforced SymlinksIfOwnerMatch"
- depends on GRKERNSEC_CONFIG_SERVER
-- default 1006
-+ default 100
- help
- Setting this GID determines what group kernel-enforced
- SymlinksIfOwnerMatch will be enabled for. If the sysctl option |