authorAnthony G. Basile <blueness@gentoo.org>2012-10-13 10:13:24 -0400
committerAnthony G. Basile <blueness@gentoo.org>2012-10-13 10:13:24 -0400
commit4d81df47c8520897537f6bbc39d6cbae317b80fb (patch)
tree4826a8ad9aa46505f9c52aef01d1173748e47a58
parentscripts/just_fetch.pl: add gpg verification (diff)
{2.6.32,3.2.31,3.6.1}/4450_grsec-kconfig-default-gids.patch: fix (un)trusted GIDs
-rw-r--r--2.6.32/4450_grsec-kconfig-default-gids.patch37
-rw-r--r--3.2.31/4450_grsec-kconfig-default-gids.patch37
-rw-r--r--3.6.1/4450_grsec-kconfig-default-gids.patch37
3 files changed, 96 insertions, 15 deletions
diff --git a/2.6.32/4450_grsec-kconfig-default-gids.patch b/2.6.32/4450_grsec-kconfig-default-gids.patch
index 4e54edf..d4b0b7e 100644
--- a/2.6.32/4450_grsec-kconfig-default-gids.patch
+++ b/2.6.32/4450_grsec-kconfig-default-gids.patch
@@ -13,9 +13,9 @@ attention to the finer points of kernel configuration, it is probably
wise to specify some reasonable defaults so as to stop careless users
from shooting themselves in the foot.
-diff -Nuar a/grsecurity/Kconfig b/Kconfig
---- a/grsecurity/Kconfig 2012-07-01 12:54:58.000000000 -0400
-+++ b/grsecurity/Kconfig 2012-07-01 13:00:04.000000000 -0400
+diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+--- a/grsecurity/Kconfig 2012-10-13 09:51:35.000000000 -0400
++++ b/grsecurity/Kconfig 2012-10-13 09:52:32.000000000 -0400
@@ -522,7 +522,7 @@
config GRKERNSEC_AUDIT_GID
int "GID for auditing"
@@ -71,8 +71,8 @@ diff -Nuar a/grsecurity/Kconfig b/Kconfig
Here you can choose the GID to disable server socket access for.
Remember to add the users you want server socket access disabled for to
diff -Nuar a/security/Kconfig b/security/Kconfig
---- a/security/Kconfig 2012-07-01 12:51:41.000000000 -0400
-+++ b/security/Kconfig 2012-07-01 13:00:23.000000000 -0400
+--- a/security/Kconfig 2012-10-13 09:51:35.000000000 -0400
++++ b/security/Kconfig 2012-10-13 09:52:59.000000000 -0400
@@ -191,7 +191,7 @@
config GRKERNSEC_PROC_GID
@@ -82,3 +82,30 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
help
Setting this GID determines which group will be exempted from
grsecurity's /proc restrictions, allowing users of the specified
+@@ -202,7 +202,7 @@
+ config GRKERNSEC_TPE_UNTRUSTED_GID
+ int "GID for TPE-untrusted users"
+ depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
+- default 1005
++ default 100
+ help
+ Setting this GID determines which group untrusted users should
+ be added to. These users will be placed under grsecurity's Trusted Path
+@@ -214,7 +214,7 @@
+ config GRKERNSEC_TPE_TRUSTED_GID
+ int "GID for TPE-trusted users"
+ depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
+- default 1005
++ default 10
+ help
+ Setting this GID determines what group TPE restrictions will be
+ *disabled* for. If the sysctl option is enabled, a sysctl option
+@@ -223,7 +223,7 @@
+ config GRKERNSEC_SYMLINKOWN_GID
+ int "GID for users with kernel-enforced SymlinksIfOwnerMatch"
+ depends on GRKERNSEC_CONFIG_SERVER
+- default 1006
++ default 100
+ help
+ Setting this GID determines what group kernel-enforced
+ SymlinksIfOwnerMatch will be enabled for. If the sysctl option
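Review bot: The new defaults `default 100` (GRKERNSEC_TPE_UNTRUSTED_GID and GRKERNSEC_SYMLINKOWN_GID) and `default 10` (GRKERNSEC_TPE_TRUSTED_GID) are bare numbers, and nothing in the hunk says which groups they are meant to be; presumably they are Gentoo's `users` (100) and `wheel` (10), but the visible lines do not state that. The help text says TPE_TRUSTED_GID is the group TPE restrictions are *disabled* for, so on a system where GID 10 belongs to some other group the exemption would silently go to the wrong users. The patch's description header should name the mapping, for example `TPE-trusted = wheel (10); TPE-untrusted and SymlinksIfOwnerMatch = users (100); confirm with getent group 10 100`. The same three defaults are added in the 3.2.31 and 3.6.1 copies of this patch. The description header and the full Kconfig entries lie outside the hunk.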
diff --git a/3.2.31/4450_grsec-kconfig-default-gids.patch b/3.2.31/4450_grsec-kconfig-default-gids.patch
index 4e54edf..d4b0b7e 100644
--- a/3.2.31/4450_grsec-kconfig-default-gids.patch
+++ b/3.2.31/4450_grsec-kconfig-default-gids.patch
@@ -13,9 +13,9 @@ attention to the finer points of kernel configuration, it is probably
wise to specify some reasonable defaults so as to stop careless users
from shooting themselves in the foot.
-diff -Nuar a/grsecurity/Kconfig b/Kconfig
---- a/grsecurity/Kconfig 2012-07-01 12:54:58.000000000 -0400
-+++ b/grsecurity/Kconfig 2012-07-01 13:00:04.000000000 -0400
+diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+--- a/grsecurity/Kconfig 2012-10-13 09:51:35.000000000 -0400
++++ b/grsecurity/Kconfig 2012-10-13 09:52:32.000000000 -0400
@@ -522,7 +522,7 @@
config GRKERNSEC_AUDIT_GID
int "GID for auditing"
@@ -71,8 +71,8 @@ diff -Nuar a/grsecurity/Kconfig b/Kconfig
Here you can choose the GID to disable server socket access for.
Remember to add the users you want server socket access disabled for to
diff -Nuar a/security/Kconfig b/security/Kconfig
---- a/security/Kconfig 2012-07-01 12:51:41.000000000 -0400
-+++ b/security/Kconfig 2012-07-01 13:00:23.000000000 -0400
+--- a/security/Kconfig 2012-10-13 09:51:35.000000000 -0400
++++ b/security/Kconfig 2012-10-13 09:52:59.000000000 -0400
@@ -191,7 +191,7 @@
config GRKERNSEC_PROC_GID
@@ -82,3 +82,30 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
help
Setting this GID determines which group will be exempted from
grsecurity's /proc restrictions, allowing users of the specified
+@@ -202,7 +202,7 @@
+ config GRKERNSEC_TPE_UNTRUSTED_GID
+ int "GID for TPE-untrusted users"
+ depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
+- default 1005
++ default 100
+ help
+ Setting this GID determines which group untrusted users should
+ be added to. These users will be placed under grsecurity's Trusted Path
+@@ -214,7 +214,7 @@
+ config GRKERNSEC_TPE_TRUSTED_GID
+ int "GID for TPE-trusted users"
+ depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
+- default 1005
++ default 10
+ help
+ Setting this GID determines what group TPE restrictions will be
+ *disabled* for. If the sysctl option is enabled, a sysctl option
+@@ -223,7 +223,7 @@
+ config GRKERNSEC_SYMLINKOWN_GID
+ int "GID for users with kernel-enforced SymlinksIfOwnerMatch"
+ depends on GRKERNSEC_CONFIG_SERVER
+- default 1006
++ default 100
+ help
+ Setting this GID determines what group kernel-enforced
+ SymlinksIfOwnerMatch will be enabled for. If the sysctl option
diff --git a/3.6.1/4450_grsec-kconfig-default-gids.patch b/3.6.1/4450_grsec-kconfig-default-gids.patch
index 4e54edf..d4b0b7e 100644
--- a/3.6.1/4450_grsec-kconfig-default-gids.patch
+++ b/3.6.1/4450_grsec-kconfig-default-gids.patch
@@ -13,9 +13,9 @@ attention to the finer points of kernel configuration, it is probably
wise to specify some reasonable defaults so as to stop careless users
from shooting themselves in the foot.
-diff -Nuar a/grsecurity/Kconfig b/Kconfig
---- a/grsecurity/Kconfig 2012-07-01 12:54:58.000000000 -0400
-+++ b/grsecurity/Kconfig 2012-07-01 13:00:04.000000000 -0400
+diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+--- a/grsecurity/Kconfig 2012-10-13 09:51:35.000000000 -0400
++++ b/grsecurity/Kconfig 2012-10-13 09:52:32.000000000 -0400
@@ -522,7 +522,7 @@
config GRKERNSEC_AUDIT_GID
int "GID for auditing"
@@ -71,8 +71,8 @@ diff -Nuar a/grsecurity/Kconfig b/Kconfig
Here you can choose the GID to disable server socket access for.
Remember to add the users you want server socket access disabled for to
diff -Nuar a/security/Kconfig b/security/Kconfig
---- a/security/Kconfig 2012-07-01 12:51:41.000000000 -0400
-+++ b/security/Kconfig 2012-07-01 13:00:23.000000000 -0400
+--- a/security/Kconfig 2012-10-13 09:51:35.000000000 -0400
++++ b/security/Kconfig 2012-10-13 09:52:59.000000000 -0400
@@ -191,7 +191,7 @@
config GRKERNSEC_PROC_GID
@@ -82,3 +82,30 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
help
Setting this GID determines which group will be exempted from
grsecurity's /proc restrictions, allowing users of the specified
+@@ -202,7 +202,7 @@
+ config GRKERNSEC_TPE_UNTRUSTED_GID
+ int "GID for TPE-untrusted users"
+ depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
+- default 1005
++ default 100
+ help
+ Setting this GID determines which group untrusted users should
+ be added to. These users will be placed under grsecurity's Trusted Path
+@@ -214,7 +214,7 @@
+ config GRKERNSEC_TPE_TRUSTED_GID
+ int "GID for TPE-trusted users"
+ depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
+- default 1005
++ default 10
+ help
+ Setting this GID determines what group TPE restrictions will be
+ *disabled* for. If the sysctl option is enabled, a sysctl option
+@@ -223,7 +223,7 @@
+ config GRKERNSEC_SYMLINKOWN_GID
+ int "GID for users with kernel-enforced SymlinksIfOwnerMatch"
+ depends on GRKERNSEC_CONFIG_SERVER
+- default 1006
++ default 100
+ help
+ Setting this GID determines what group kernel-enforced
+ SymlinksIfOwnerMatch will be enabled for. If the sysctl option