summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAnthony G. Basile <blueness@gentoo.org>2017-02-15 08:26:28 -0500
committerAnthony G. Basile <blueness@gentoo.org>2017-02-15 08:26:28 -0500
commitc5ee04267efee24744bf49ef28585f5d924bd816 (patch)
treee5b40a8f54ba0185a3f69a76bbec25a852fa570d /4.9.9/4450_grsec-kconfig-default-gids.patch
parentgrsecurity-3.1-4.8.17-201701151620 (diff)
downloadhardened-patchset-c5ee04267efee24744bf49ef28585f5d924bd816.tar.gz
hardened-patchset-c5ee04267efee24744bf49ef28585f5d924bd816.tar.bz2
hardened-patchset-c5ee04267efee24744bf49ef28585f5d924bd816.zip
grsecurity-3.1-4.9.9-20170212204420170212
Diffstat (limited to '4.9.9/4450_grsec-kconfig-default-gids.patch')
-rw-r--r--4.9.9/4450_grsec-kconfig-default-gids.patch111
1 files changed, 111 insertions, 0 deletions
diff --git a/4.9.9/4450_grsec-kconfig-default-gids.patch b/4.9.9/4450_grsec-kconfig-default-gids.patch
new file mode 100644
index 0000000..cee6e27
--- /dev/null
+++ b/4.9.9/4450_grsec-kconfig-default-gids.patch
@@ -0,0 +1,111 @@
+From: Anthony G. Basile <blueness@gentoo.org>
+Updated patch for the new Kconfig system in grsec 2.9.1
+
+---
+From: Kerin Millar <kerframil@gmail.com>
+
+grsecurity contains a number of options which allow certain protections
+to be applied to or exempted from members of a given group. However, the
+default GIDs specified in the upstream patch are entirely arbitrary and
+there is no telling which (if any) groups the GIDs will correlate with
+on an end-user's system. Because some users don't pay a great deal of
+attention to the finer points of kernel configuration, it is probably
+wise to specify some reasonable defaults so as to stop careless users
+from shooting themselves in the foot.
+
+diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+--- a/grsecurity/Kconfig 2012-10-13 09:51:35.000000000 -0400
++++ b/grsecurity/Kconfig 2012-10-13 09:52:32.000000000 -0400
+@@ -700,7 +700,7 @@
+ config GRKERNSEC_AUDIT_GID
+ int "GID for auditing"
+ depends on GRKERNSEC_AUDIT_GROUP
+- default 1007
++ default 100
+
+ config GRKERNSEC_EXECLOG
+ bool "Exec logging"
+@@ -949,7 +949,7 @@
+ config GRKERNSEC_TPE_UNTRUSTED_GID
+ int "GID for TPE-untrusted users"
+ depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
+- default 1005
++ default 100
+ help
+ Setting this GID determines what group TPE restrictions will be
+ *enabled* for. If the sysctl option is enabled, a sysctl option
+@@ -958,7 +958,7 @@
+ config GRKERNSEC_TPE_TRUSTED_GID
+ int "GID for TPE-trusted users"
+ depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
+- default 1005
++ default 10
+ help
+ Setting this GID determines what group TPE restrictions will be
+ *disabled* for. If the sysctl option is enabled, a sysctl option
+@@ -1043,7 +1043,7 @@
+ config GRKERNSEC_SOCKET_ALL_GID
+ int "GID to deny all sockets for"
+ depends on GRKERNSEC_SOCKET_ALL
+- default 1004
++ default 65534
+ help
+ Here you can choose the GID to disable socket access for. Remember to
+ add the users you want socket access disabled for to the GID
+@@ -1064,7 +1064,7 @@
+ config GRKERNSEC_SOCKET_CLIENT_GID
+ int "GID to deny client sockets for"
+ depends on GRKERNSEC_SOCKET_CLIENT
+- default 1003
++ default 65534
+ help
+ Here you can choose the GID to disable client socket access for.
+ Remember to add the users you want client socket access disabled for to
+@@ -1082,7 +1082,7 @@
+ config GRKERNSEC_SOCKET_SERVER_GID
+ int "GID to deny server sockets for"
+ depends on GRKERNSEC_SOCKET_SERVER
+- default 1002
++ default 65534
+ help
+ Here you can choose the GID to disable server socket access for.
+ Remember to add the users you want server socket access disabled for to
+diff -Nuar a/security/Kconfig b/security/Kconfig
+--- a/security/Kconfig 2012-10-13 09:51:35.000000000 -0400
++++ b/security/Kconfig 2012-10-13 09:52:59.000000000 -0400
+@@ -202,7 +202,7 @@
+
+ config GRKERNSEC_PROC_GID
+ int "GID exempted from /proc restrictions"
+- default 1001
++ default 10
+ help
+ Setting this GID determines which group will be exempted from
+ grsecurity's /proc restrictions, allowing users of the specified
+@@ -213,7 +213,7 @@
+ config GRKERNSEC_TPE_UNTRUSTED_GID
+ int "GID for TPE-untrusted users"
+ depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
+- default 1005
++ default 100
+ help
+ Setting this GID determines which group untrusted users should
+ be added to. These users will be placed under grsecurity's Trusted Path
+@@ -225,7 +225,7 @@
+ config GRKERNSEC_TPE_TRUSTED_GID
+ int "GID for TPE-trusted users"
+ depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
+- default 1005
++ default 10
+ help
+ Setting this GID determines what group TPE restrictions will be
+ *disabled* for. If the sysctl option is enabled, a sysctl option
+@@ -234,7 +234,7 @@
+ config GRKERNSEC_SYMLINKOWN_GID
+ int "GID for users with kernel-enforced SymlinksIfOwnerMatch"
+ depends on GRKERNSEC_CONFIG_SERVER
+- default 1006
++ default 100
+ help
+ Setting this GID determines what group kernel-enforced
+ SymlinksIfOwnerMatch will be enabled for. If the sysctl option