Date: Monday, August 4, 2014 @ 23:40:54 Author: thestinger Revision: 116869
move linux-grsec config / groups to grsec-common Added: grsec-common/ grsec-common/repos/ grsec-common/trunk/ grsec-common/trunk/05-grsecurity.conf grsec-common/trunk/PKGBUILD grsec-common/trunk/grsec-common.install Modified: linux-grsec/trunk/PKGBUILD (contents, properties) linux-grsec/trunk/linux-grsec.install Deleted: linux-grsec/trunk/sysctl.conf -----------------------------------------+ grsec-common/trunk/05-grsecurity.conf | 130 +++++++++++++++++++++++++++++ grsec-common/trunk/PKGBUILD | 17 +++ grsec-common/trunk/grsec-common.install | 19 ++++ linux-grsec/trunk/PKGBUILD | 14 +-- linux-grsec/trunk/linux-grsec.install | 45 ---------- linux-grsec/trunk/sysctl.conf | 131 ------------------------------ 6 files changed, 171 insertions(+), 185 deletions(-) Added: grsec-common/trunk/05-grsecurity.conf =================================================================== --- grsec-common/trunk/05-grsecurity.conf (rev 0) +++ grsec-common/trunk/05-grsecurity.conf 2014-08-04 21:40:54 UTC (rev 116869) 
@@ -0,0 +1,130 @@
+# All features in the kernel.grsecurity namespace are disabled by default.
+
+#
+# Disable PaX enforcement by default.
+#
+# The `paxd` package sets softmode back to 0 in a configuration file loaded
+# after this one. It automatically handles setting exceptions from the PaX
+# exploit mitigations after Pacman operations. Altering the setting manually
+# rather than using `paxd` is not recommended.
+#
+
+kernel.pax.softmode = 1
+
+#
+# Memory protections
+#
+
+#kernel.grsecurity.disable_priv_io = 1
+kernel.grsecurity.deter_bruteforce = 1
+
+#
+# Race free SymLinksIfOwnerMatch for web servers
+#
+# symlinkown_gid: http group
+#
+
+kernel.grsecurity.enforce_symlinksifowner = 1
+kernel.grsecurity.symlinkown_gid = 33
+
+#
+# FIFO restrictions
+#
+# Prevent writing to a FIFO in a world-writable sticky directory (e.g. /tmp),
+# unless the owner of the FIFO is the same owner of the directory it's held in.
+#
+
+kernel.grsecurity.fifo_restrictions = 1
+
+#
+# Deny any further rw mounts
+#
+
+#kernel.grsecurity.romount_protect = 1
+
+#
+# chroot restrictions (the commented options will break containers)
+#
+
+#kernel.grsecurity.chroot_caps = 1
+#kernel.grsecurity.chroot_deny_chmod = 1
+#kernel.grsecurity.chroot_deny_chroot = 1
+kernel.grsecurity.chroot_deny_fchdir = 1
+#kernel.grsecurity.chroot_deny_mknod = 1
+#kernel.grsecurity.chroot_deny_mount = 1
+#kernel.grsecurity.chroot_deny_pivot = 1
+kernel.grsecurity.chroot_deny_shmat = 1
+kernel.grsecurity.chroot_deny_sysctl = 1
+kernel.grsecurity.chroot_deny_unix = 1
+kernel.grsecurity.chroot_enforce_chdir = 1
+kernel.grsecurity.chroot_findtask = 1
+#kernel.grsecurity.chroot_restrict_nice = 1
+
+#
+# Kernel auditing
+#
+# audit_group: Restrict exec/chdir logging to a group.
+# audit_gid: audit group
+#
+
+#kernel.grsecurity.audit_group = 1
+kernel.grsecurity.audit_gid = 201
+#kernel.grsecurity.exec_logging = 1
+#kernel.grsecurity.resource_logging = 1
+#kernel.grsecurity.chroot_execlog = 1
+#kernel.grsecurity.audit_ptrace = 1
+#kernel.grsecurity.audit_chdir = 1
+#kernel.grsecurity.audit_mount = 1
+#kernel.grsecurity.signal_logging = 1
+#kernel.grsecurity.forkfail_logging = 1
+#kernel.grsecurity.timechange_logging = 1
+kernel.grsecurity.rwxmap_logging = 1
+
+#
+# Executable protections
+#
+
+kernel.grsecurity.harden_ptrace = 1
+kernel.grsecurity.ptrace_readexec = 1
+kernel.grsecurity.consistent_setxid = 1
+kernel.grsecurity.harden_ipc = 1
+
+#
+# Trusted Path Execution
+#
+# tpe_gid: tpe group
+#
+
+#kernel.grsecurity.tpe = 1
+kernel.grsecurity.tpe_gid = 200
+#kernel.grsecurity.tpe_invert = 1
+#kernel.grsecurity.tpe_restrict_all = 1
+
+#
+# Network protections
+#
+# socket_all_gid: socket-deny-all group
+# socket_client_gid: socket-deny-client group
+# socket_server_gid: socket-deny-server group
+#
+
+#kernel.grsecurity.ip_blackhole = 1
+kernel.grsecurity.lastack_retries = 4
+kernel.grsecurity.socket_all = 1
+kernel.grsecurity.socket_all_gid = 202
+kernel.grsecurity.socket_client = 1
+kernel.grsecurity.socket_client_gid = 203
+kernel.grsecurity.socket_server = 1
+kernel.grsecurity.socket_server_gid = 204
+
+#
+# Prevent any new USB devices from being recognized by the OS.
+#
+
+#kernel.grsecurity.deny_new_usb = 1
+
+#
+# Restrict grsec sysctl changes after this was set
+#
+
+#kernel.grsecurity.grsec_lock = 1
Added: grsec-common/trunk/PKGBUILD
===================================================================
--- grsec-common/trunk/PKGBUILD (rev 0)
+++ grsec-common/trunk/PKGBUILD 2014-08-04 21:40:54 UTC (rev 116869)
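Review bot: `kernel.grsecurity.symlinkown_gid = 33` ties `enforce_symlinksifowner` to a numeric GID that nothing in this commit creates or checks, whereas the 200–204 GIDs behind `tpe_gid`, `audit_gid` and the `socket_*_gid` settings are backed by groupadd calls in grsec-common.install. The comment only says "http group"; if GID 33 is not the http group on a given system, the ownership check is enforced for whichever group owns 33 and the web server's group is left out. A comment would make the assumption visible: `# 33 must be the GID of the http group; verify with: getent group http`. Note also that the deleted sysctl.conf set `kernel.grsecurity.grsec_lock = 0` explicitly while this file only carries it commented out — the same effective value given the first line's statement that these features default to off, but an explicit `= 0` keeps the lock setting visible as an intentional choice.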
@@ -0,0 +1,17 @@
+# $Id$
+# Maintainer: Daniel Micay <[email protected]>
+pkgname=grsec-common
+pkgver=1
+pkgrel=1
+pkgdesc='Base package for grsecurity kernels'
+arch=(any)
+url='https://archlinux.org/'
+license=('GPL2')
+install=$pkgname.install
+source=(05-grsecurity.conf)
+sha1sums=('dc6b38e1c89376b81246588956e3b93f59620822')
+backup=(etc/sysctl.d/05-grsecurity.conf)
+
+package() {
+ install -Dm600 05-grsecurity.conf "$pkgdir/etc/sysctl.d/05-grsecurity.conf"
+}
Property changes on: grsec-common/trunk/PKGBUILD
___________________________________________________________________
Added: svn:keywords
## -0,0 +1 ##
+Id
\ No newline at end of property
Added: grsec-common/trunk/grsec-common.install
===================================================================
--- grsec-common/trunk/grsec-common.install (rev 0)
+++ grsec-common/trunk/grsec-common.install 2014-08-04 21:40:54 UTC (rev 116869)
@@ -0,0 +1,19 @@
+post_install() {
+ getent group tpe >/dev/null || groupadd -g 200 tpe
+ getent group audit >/dev/null || groupadd -g 201 audit
+ getent group socket-deny-all >/dev/null || groupadd -g 202 socket-deny-all
+ getent group socket-deny-client >/dev/null || groupadd -g 203 socket-deny-client
+ getent group socket-deny-server >/dev/null || groupadd -g 204 socket-deny-server
+}
+
+post_upgrade() {
+ post_install
+}
+
+post_remove() {
+ for group in tpe audit socket-deny-server socket-deny-client socket-deny-all; do
+ if getent group $group >/dev/null; then
+ groupdel $group
+ fi
+ done
+}
Modified: linux-grsec/trunk/PKGBUILD
===================================================================
--- linux-grsec/trunk/PKGBUILD 2014-08-04 20:40:02 UTC (rev 116868)
+++ linux-grsec/trunk/PKGBUILD 2014-08-04 21:40:54 UTC (rev 116869)
@@ -1,3 +1,4 @@
+# $Id$
 # Maintainer: Daniel Micay <[email protected]>
 # Contributor: Tobias Powalowski <[email protected]>
 # Contributor: Thomas Baechler <[email protected]>
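Review bot: `getent group tpe >/dev/null || groupadd -g 200 tpe` and the four lines after it in post_install only check that a group with that name exists, not that it carries the GID the sysctls reference, so a pre-existing `tpe` or `socket-deny-*` group with a different GID leaves `tpe_gid`, `socket_all_gid` and friends in 05-grsecurity.conf pointing at whichever group happens to own 200–204, and the named group is not restricted at all. The `_add_groups` this commit deletes from linux-grsec.install covered that case for the socket-deny-* groups with `groupmod -g` and renamed the older `tpe-trusted` group to `tpe`; both behaviours are dropped here without a replacement, so an upgrade from a system that still has `tpe-trusted` on GID 200 ends with a failing, unreported `groupadd`. The new calls also omit the `-r` the old script passed to `groupadd`, which is probably harmless with an explicit `-g` but worth confirming. A small helper that compares the GID of an existing group with the expected one and at least warns on a mismatch would keep the numeric ids and the group names in step.
```shell
_ensure_group() {
  # $1 = group name, $2 = gid referenced from /etc/sysctl.d/05-grsecurity.conf
  if getent group "$1" >/dev/null; then
    local gid
    gid=$(getent group "$1" | cut -d: -f3)
    [[ $gid == "$2" ]] || echo ">>> warning: group $1 has gid $gid but the grsecurity sysctls expect $2"
  else
    groupadd -g "$2" "$1"
  fi
}

post_install() {
  _ensure_group tpe 200
  _ensure_group audit 201
  _ensure_group socket-deny-all 202
  _ensure_group socket-deny-client 203
  _ensure_group socket-deny-server 204
}
# … unchanged: post_upgrade, post_remove …
```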
@@ -11,7 +12,7 @@ _timestamp=201408040708 _grsec_patch="grsecurity-$_grsecver-$_pkgver-$_timestamp.patch" pkgver=$_pkgver.$_timestamp -pkgrel=1 +pkgrel=2 arch=('i686' 'x86_64') url=https://grsecurity.net/ license=('GPL2') @@ -27,7 +28,6 @@ 'linux.preset' 'change-default-console-loglevel.patch' Revert-userns-Allow-unprivileged-users-to-create-use.patch - sysctl.conf ) sha256sums=('c3927e87be4040fa8aca1b58663dc0776aaf00485604ff88a623be2f3fb07794' 'e25557b19dfebc91e42939aa9a62f7a4d4e36ea2cc659368cded51fb2c703456' @@ -37,8 +37,7 @@ 'aaeea9587701bd8e1a23dfa9e5c32dcda454ce26497175a9ad9f2bd3c260f6ea' 'ca7e718375b3790888756cc0a64a7500cd57dddb9bf7e10a0df22c860d91f74d' 'faced4eb4c47c4eb1a9ee8a5bf8a7c4b49d6b4d78efbe426e410730e6267d182' - '1b3651558fcd497c72af3d483febb21fff98cbb9fbcb456da19b24304c40c754' - 'd4d4ae0b9c510547f47d94582e4ca08a7f12e9baf324181cb54d328027305e31') + '1b3651558fcd497c72af3d483febb21fff98cbb9fbcb456da19b24304c40c754') _kernelname=${pkgbase#linux} @@ -104,7 +103,7 @@ _package() { pkgdesc="The Linux kernel and modules with grsecurity/PaX patches" [ "${pkgbase}" = "linux" ] && groups=('base') - depends=('coreutils' 'linux-firmware' 'kmod' 'mkinitcpio>=0.7') + depends=('coreutils' 'linux-firmware' 'kmod' 'mkinitcpio>=0.7' 'grsec-common') optdepends=('crda: to set the correct wireless channels of your country' 'gradm: to configure and enable Role Based Access Control (RBAC)' 'paxd: to enable PaX exploit mitigations and apply exceptions automatically') @@ -111,7 +110,7 @@ provides=("kernel26${_kernelname}=${_pkgver}") conflicts=("kernel26${_kernelname}") replaces=("kernel26${_kernelname}") - backup=("etc/mkinitcpio.d/${pkgbase}.preset" etc/sysctl.d/05-grsecurity.conf) + backup=("etc/mkinitcpio.d/${pkgbase}.preset") install=${pkgbase}.install cd "${srcdir}/${_srcname}" 
@@ -174,9 +173,6 @@ mkdir -p "$pkgdir/usr/lib/modules/${_kernver}/build/tools/gcc/size_overflow_plugin" install -m644 tools/gcc/size_overflow_plugin/Makefile tools/gcc/size_overflow_plugin/*.so \ "$pkgdir/usr/lib/modules/${_kernver}/build/tools/gcc/size_overflow_plugin" - - # install sysctl configuration for grsecurity switches - install -Dm600 "$srcdir/sysctl.conf" "$pkgdir/etc/sysctl.d/05-grsecurity.conf" } _package-headers() { Property changes on: linux-grsec/trunk/PKGBUILD ___________________________________________________________________ Added: svn:keywords ## -0,0 +1 ## +Id \ No newline at end of property Modified: linux-grsec/trunk/linux-grsec.install =================================================================== --- linux-grsec/trunk/linux-grsec.install 2014-08-04 20:40:02 UTC (rev 116868) +++ linux-grsec/trunk/linux-grsec.install 2014-08-04 21:40:54 UTC (rev 116869) @@ -15,46 +15,6 @@ fi } -_add_groups() { - if getent group tpe-trusted >/dev/null; then - groupmod -g 200 -n tpe tpe-trusted - fi - - if ! getent group tpe >/dev/null; then - groupadd -g 200 -r tpe - fi - - if ! getent group audit >/dev/null; then - groupadd -g 201 -r audit - fi - - if getent group socket-deny-all >/dev/null; then - groupmod -g 202 socket-deny-all - else - groupadd -g 202 -r socket-deny-all - fi - - if getent group socket-deny-client >/dev/null; then - groupmod -g 203 socket-deny-client - else - groupadd -g 203 -r socket-deny-client - fi - - if getent group socket-deny-server >/dev/null; then - groupmod -g 204 socket-deny-server - else - groupadd -g 204 -r socket-deny-server - fi -} - -_remove_groups() { - for group in tpe socket-deny-server socket-deny-client socket-deny-all; do - if getent group $group >/dev/null; then - groupdel $group - fi - done -} - post_install() { # updating module dependencies echo ">>> Updating module dependencies. Please wait ..." 
@@ -62,7 +22,6 @@ echo ">>> Generating initial ramdisk, using mkinitcpio. Please wait..." mkinitcpio -p linux${KERNEL_NAME} - _add_groups _uderef_warning } @@ -87,8 +46,6 @@ echo ">>> include the 'keyboard' hook in your mkinitcpio.conf." fi - _add_groups - if [[ $(vercmp $2 3.15.6.201407232200-2) -lt 0 ]]; then _uderef_warning fi @@ -98,6 +55,4 @@ # also remove the compat symlinks rm -f boot/initramfs-linux${KERNEL_NAME}.img rm -f boot/initramfs-linux${KERNEL_NAME}-fallback.img - - _remove_groups } Deleted: linux-grsec/trunk/sysctl.conf =================================================================== --- linux-grsec/trunk/sysctl.conf 2014-08-04 20:40:02 UTC (rev 116868) +++ linux-grsec/trunk/sysctl.conf 2014-08-04 21:40:54 UTC (rev 116869) 
@@ -1,131 +0,0 @@
-# All features in the kernel.grsecurity namespace are disabled by default in
-# the kernel and must be enabled here.
-
-#
-# Disable PaX enforcement by default.
-#
-# The `paxd` package sets softmode back to 0 in a configuration file loaded
-# after this one. It automatically handles setting exceptions from the PaX
-# exploit mitigations after Pacman operations. Altering the setting here rather
-# than using `paxd` is not recommended.
-#
-
-kernel.pax.softmode = 1
-
-#
-# Memory protections
-#
-
-#kernel.grsecurity.disable_priv_io = 1
-kernel.grsecurity.deter_bruteforce = 1
-
-#
-# Race free SymLinksIfOwnerMatch for web servers
-#
-# symlinkown_gid: http group
-#
-
-kernel.grsecurity.enforce_symlinksifowner = 1
-kernel.grsecurity.symlinkown_gid = 33
-
-#
-# FIFO restrictions
-#
-# Prevent writing to a FIFO in a world-writable sticky directory (e.g. /tmp),
-# unless the owner of the FIFO is the same owner of the directory it's held in.
-#
-
-kernel.grsecurity.fifo_restrictions = 1
-
-#
-# Deny any further rw mounts
-#
-
-#kernel.grsecurity.romount_protect = 1
-
-#
-# chroot restrictions (the commented options will break containers)
-#
-
-#kernel.grsecurity.chroot_caps = 1
-#kernel.grsecurity.chroot_deny_chmod = 1
-#kernel.grsecurity.chroot_deny_chroot = 1
-kernel.grsecurity.chroot_deny_fchdir = 1
-#kernel.grsecurity.chroot_deny_mknod = 1
-#kernel.grsecurity.chroot_deny_mount = 1
-#kernel.grsecurity.chroot_deny_pivot = 1
-kernel.grsecurity.chroot_deny_shmat = 1
-kernel.grsecurity.chroot_deny_sysctl = 1
-kernel.grsecurity.chroot_deny_unix = 1
-kernel.grsecurity.chroot_enforce_chdir = 1
-kernel.grsecurity.chroot_findtask = 1
-#kernel.grsecurity.chroot_restrict_nice = 1
-
-#
-# Kernel auditing
-#
-# audit_group: Restrict exec/chdir logging to a group.
-# audit_gid: audit group
-#
-
-#kernel.grsecurity.audit_group = 1
-kernel.grsecurity.audit_gid = 201
-#kernel.grsecurity.exec_logging = 1
-#kernel.grsecurity.resource_logging = 1
-#kernel.grsecurity.chroot_execlog = 1
-#kernel.grsecurity.audit_ptrace = 1
-#kernel.grsecurity.audit_chdir = 1
-#kernel.grsecurity.audit_mount = 1
-#kernel.grsecurity.signal_logging = 1
-#kernel.grsecurity.forkfail_logging = 1
-#kernel.grsecurity.timechange_logging = 1
-kernel.grsecurity.rwxmap_logging = 1
-
-#
-# Executable protections
-#
-
-kernel.grsecurity.harden_ptrace = 1
-kernel.grsecurity.ptrace_readexec = 1
-kernel.grsecurity.consistent_setxid = 1
-kernel.grsecurity.harden_ipc = 1
-
-#
-# Trusted Path Execution
-#
-# tpe_gid: tpe group
-#
-
-#kernel.grsecurity.tpe = 1
-kernel.grsecurity.tpe_gid = 200
-#kernel.grsecurity.tpe_invert = 1
-#kernel.grsecurity.tpe_restrict_all = 1
-
-#
-# Network protections
-#
-# socket_all_gid: socket-deny-all group
-# socket_client_gid: socket-deny-client group
-# socket_server_gid: socket-deny-server group
-#
-
-#kernel.grsecurity.ip_blackhole = 1
-kernel.grsecurity.lastack_retries = 4
-kernel.grsecurity.socket_all = 1
-kernel.grsecurity.socket_all_gid = 202
-kernel.grsecurity.socket_client = 1
-kernel.grsecurity.socket_client_gid = 203
-kernel.grsecurity.socket_server = 1
-kernel.grsecurity.socket_server_gid = 204
-
-#
-# Prevent any new USB devices from being recognized by the OS.
-#
-
-#kernel.grsecurity.deny_new_usb = 1
-
-#
-# Restrict grsec sysctl changes after this was set
-#
-
-kernel.grsecurity.grsec_lock = 0
