Date: Friday, September 23, 2016 @ 14:10:27 Author: thestinger Revision: 190211
archrelease: copy trunk to community-i686, community-x86_64 Added: gradm/repos/community-i686/PKGBUILD (from rev 190210, gradm/trunk/PKGBUILD) gradm/repos/community-i686/learn_config (from rev 190210, gradm/trunk/learn_config) gradm/repos/community-i686/policy (from rev 190210, gradm/trunk/policy) gradm/repos/community-x86_64/PKGBUILD (from rev 190210, gradm/trunk/PKGBUILD) gradm/repos/community-x86_64/learn_config (from rev 190210, gradm/trunk/learn_config) gradm/repos/community-x86_64/policy (from rev 190210, gradm/trunk/policy) Deleted: gradm/repos/community-i686/PKGBUILD gradm/repos/community-i686/learn_config gradm/repos/community-i686/policy gradm/repos/community-x86_64/PKGBUILD gradm/repos/community-x86_64/learn_config gradm/repos/community-x86_64/policy -------------------------------+ /PKGBUILD | 92 +++ /learn_config | 336 +++++++++++++ /policy | 982 ++++++++++++++++++++++++++++++++++++++++ community-i686/PKGBUILD | 46 - community-i686/learn_config | 168 ------ community-i686/policy | 491 -------------------- community-x86_64/PKGBUILD | 46 - community-x86_64/learn_config | 168 ------ community-x86_64/policy | 491 -------------------- 9 files changed, 1410 insertions(+), 1410 deletions(-)
Deleted: community-i686/PKGBUILD
===================================================================
--- community-i686/PKGBUILD 2016-09-23 14:09:52 UTC (rev 190210)
+++ community-i686/PKGBUILD 2016-09-23 14:10:27 UTC (rev 190211)
@@ -1,46 +0,0 @@
-# $Id$
-# Maintainer: Daniel Micay <danielmi...@gmail.com>
-# Contributor: Jonathan Liu <net...@gmail.com>
-# Contributor: henning mueller <henn...@orgizm.net>
-# Contributor: s1gma <s1...@mindslicer.com>
-# Contributor: Ahmad24 <myitra...@gmail.com>
-# Contributor: maxrp <m...@pdx.edu>
-
-pkgname=gradm
-_version=3.1
-_timestamp=201607172312
-pkgver=$_version.$_timestamp
-pkgrel=1
-pkgdesc="Administration utility for grsecurity's Role Based Access Control (RBAC)"
-arch=(i686 x86_64)
-url=https://grsecurity.net/
-license=(GPL2)
-depends=(pam)
-source=(https://grsecurity.net/stable/$pkgname-$_version-$_timestamp.tar.gz
- https://grsecurity.net/stable/$pkgname-$_version-$_timestamp.tar.gz.sig
- learn_config
- policy)
-sha256sums=('4281c72e3e82f0ea2c01d124975c19326b2157c10911fa065c1549195d5e6ee4'
- 'SKIP'
- '61c3042879ec2303b713f57f751fb66a95e2cc4737fbbd6d95879829c7b7d3c0'
- '73cf31add3da55b539777d736764a40c6b30041cc259e1d0372c867b87070440')
-validpgpkeys=(
- 'DE9452CE46F42094907F108B44D1C0F82525FE49' # Bradley Spengler
-)
-
-prepare() {
- cd $pkgname
- sed -i -e 's/^CFLAGS :=/CFLAGS +=/' -e 's:sbin:usr/bin:' Makefile
-}
-
-build() {
- cd $pkgname
- make
-}
-
-package() {
- cd $pkgname
- make DESTDIR="$pkgdir" install
- cp "$srcdir"/{learn_config,policy} "$pkgdir/etc/grsec"
- rm -r "$pkgdir/dev"
-}
Copied: gradm/repos/community-i686/PKGBUILD (from rev 190210, gradm/trunk/PKGBUILD)
===================================================================
--- community-i686/PKGBUILD (rev 0)
+++ community-i686/PKGBUILD 2016-09-23 14:10:27 UTC (rev 190211)
@@ -0,0 +1,46 @@
+# $Id$
+# Maintainer: Daniel Micay <danielmi...@gmail.com>
+# Contributor: Jonathan Liu <net...@gmail.com>
+# Contributor: henning mueller <henn...@orgizm.net>
+# Contributor: s1gma <s1...@mindslicer.com>
+# Contributor: Ahmad24 <myitra...@gmail.com>
+# Contributor: maxrp <m...@pdx.edu>
+
+pkgname=gradm
+_version=3.1
+_timestamp=201608131257
+pkgver=$_version.$_timestamp
+pkgrel=1
+pkgdesc="Administration utility for grsecurity's Role Based Access Control (RBAC)"
+arch=(i686 x86_64)
+url=https://grsecurity.net/
+license=(GPL2)
+depends=(pam)
+source=(https://grsecurity.net/stable/$pkgname-$_version-$_timestamp.tar.gz
+ https://grsecurity.net/stable/$pkgname-$_version-$_timestamp.tar.gz.sig
+ learn_config
+ policy)
+sha256sums=('2b771346458f55805713e4cdfc4fefba1da88826dd9ecff38dacd0087331a578'
+ 'SKIP'
+ '61c3042879ec2303b713f57f751fb66a95e2cc4737fbbd6d95879829c7b7d3c0'
+ '73cf31add3da55b539777d736764a40c6b30041cc259e1d0372c867b87070440')
+validpgpkeys=(
+ 'DE9452CE46F42094907F108B44D1C0F82525FE49' # Bradley Spengler
+)
+
+prepare() {
+ cd $pkgname
+ sed -i -e 's/^CFLAGS :=/CFLAGS +=/' -e 's:sbin:usr/bin:' Makefile
+}
+
+build() {
+ cd $pkgname
+ make
+}
+
+package() {
+ cd $pkgname
+ make DESTDIR="$pkgdir" install
+ cp "$srcdir"/{learn_config,policy} "$pkgdir/etc/grsec"
+ rm -r "$pkgdir/dev"
+}
Deleted: community-i686/learn_config
===================================================================
--- community-i686/learn_config 2016-09-23 14:09:52 UTC (rev 190210)
+++ community-i686/learn_config 2016-09-23 14:10:27 UTC (rev 190211)
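Review bot: The `-e 's:sbin:usr/bin:'` expression in prepare() is unanchored, so it rewrites the first `sbin` on every line of the Makefile wherever it occurs, not only the install directory it is meant to relocate; a line that already spells `/usr/sbin` would become `/usr/usr/bin`, and nothing in package() would notice that the binaries landed outside `usr/bin`. The Makefile is not part of this diff, so whether such a line exists is inferred, but every timestamp bump re-runs this rewrite against a fresh upstream Makefile. Anchoring the pattern to the exact assignment the Makefile uses (confirm against the tarball) and adding `test -x "$pkgdir/usr/bin/gradm"` at the end of package() would turn a silent mislocation into a build failure. The `CFLAGS :=` to `CFLAGS +=` rewrite on the same line is what lets makepkg's hardening flags reach the build; if the Makefile assigns LDFLAGS the same way it would need the same treatment, which is also not visible here.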
@@ -1,168 +0,0 @@
-#This configuration file aids the learning process by tweaking
-#the learning algorithm for specific paths.
-#
-#It accepts lines in the form of <command> <pathname>
-#Where <command> can be inherit-learn, no-learn, inherit-no-learn,
-#high-reduce-path, dont-reduce-path, protected-path, high-protected-path,
-#read-protected-path, and always-reduce-path
-#
-#inherit-learn, no-learn, and inherit-no-learn operate only with
-#full learning
-#
-#high-reduce-path, dont-reduce-path, always-reduce-path, protected-path,
-#and high-protected-path operate on both full and and regular learning
-#(subject and role learning)
-#
-#inherit-learn changes the learning process for the specified path
-#by throwing all learned accesses for every binary executed by the
-#processes contained in the pathname into the subject specified
-#by the pathname. This is useful for cron in the case of full
-#system learning, so that scripts that eventually end up executing
-#mv or rm with privilege don't cause the root policy to grant
-#that privilege to mv or rm in all cases.
-#
-#no-learn allows processes within the path to perform any operation
-#that normal system usage would allow without restriction. If
-#a process is generating a huge number of learning logs, it may be
-#best to use this command on that process and configure its policy
-#manually.
-#
-#inherit-no-learn combines the above two cases, such that processes
-#within the specified path will be able to perform any normal system
-#operation without restriction as will any binaries executed by
-#these processes.
-#
-#high-reduce-path modifies the heuristics of the learning process
-#to weight in favor of reducing accesses for this path
-#
-#dont-reduce-path modifies the heuristics of the learning process
-#so that it will never reduce accesses for this path
-#
-#always-reduce-path modifies the heuristics of the learning process
-#so that the path specified will always have all files and directories
-#within it reduced to the path specified.
-#
-#protected-path specifies a path on your system that is considered an
-#important resource. Any process that modifies one of these paths
-#is given its own subject in the learning process, facilitating
-#a secure policy.
-#
-#read-protected-path specifies a path on your system that contains
-#sensitive information. Any process that reads one of these paths is
-#given its own subject in the learning process, facilitating a secure
-#policy.
-#
-#high-protected-path specifies a path that should be hidden from
-#all processes but those that access it directly. It is recommended
-#to use highly sensitive files for this command.
-#
-#regular expressions are not supported for pathnames in this config file
-#
-#
-# uncomment this next line if you don't wish to generate a policy that
-# restricts roles to specific IP ranges:
-# dont-learn-allowed-ips
-#
-# to write out your generated policy such that roles are split into separate
-# files by the name of the role (within user/group directories), uncomment
-# the next line:
-# split-roles
-
-always-reduce-path /dev/pts
-always-reduce-path /var/spool/qmailscan/tmp
-always-reduce-path /var/spool/exim4
-always-reduce-path /run/screen
-always-reduce-path /usr/share/locale
-always-reduce-path /usr/share/zoneinfo
-always-reduce-path /usr/share/terminfo
-always-reduce-path /var/abs
-always-reduce-path /tmp
-always-reduce-path /var/tmp
-
-high-reduce-path /run/udev
-high-reduce-path /dev/mapper
-high-reduce-path /dev/snd
-high-reduce-path /proc
-high-reduce-path /usr/lib/security
-high-reduce-path /usr/lib/modules
-high-reduce-path /usr/lib
-high-reduce-path /usr/lib32
-high-reduce-path /usr/libx32
-high-reduce-path /usr/lib/tls
-high-reduce-path /usr/lib32/tls
-high-reduce-path /usr/libx32/tls
-high-reduce-path /usr/lib/libreoffice
-high-reduce-path /var/lib
-high-reduce-path /usr/bin
-high-reduce-path /usr/sbin
-high-reduce-path /usr/local/share
-high-reduce-path /usr/local/bin
-high-reduce-path /usr/local/sbin
-high-reduce-path /usr/local/etc
-high-reduce-path /usr/local/lib
-high-reduce-path /usr/share
-high-reduce-path /usr/X11R6/lib
-high-reduce-path /var/lib/openldap-data
-high-reduce-path /var/lib/krb5kdc
-
-dont-reduce-path /
-dont-reduce-path /home
-dont-reduce-path /dev
-dont-reduce-path /usr
-dont-reduce-path /var
-dont-reduce-path /opt
-
-protected-path /etc
-protected-path /boot
-protected-path /run
-protected-path /usr
-protected-path /opt
-protected-path /var
-protected-path /dev/log
-protected-path /root
-protected-path /sys
-
-read-protected-path /etc/ssh
-read-protected-path /proc/kallsyms
-read-protected-path /proc/kcore
-read-protected-path /proc/slabinfo
-read-protected-path /proc/modules
-read-protected-path /usr/lib/modules
-read-protected-path /boot
-read-protected-path /etc/shadow
-read-protected-path /etc/shadow-
-read-protected-path /etc/gshadow
-read-protected-path /etc/gshadow-
-read-protected-path /sys
-
-high-protected-path /etc/ssh
-high-protected-path /proc/kcore
-high-protected-path /proc/sys
-high-protected-path /proc/bus
-high-protected-path /proc/slabinfo
-high-protected-path /proc/modules
-high-protected-path /proc/kallsyms
-high-protected-path /etc/passwd
-high-protected-path /etc/shadow
-high-protected-path /var/backups
-high-protected-path /etc/shadow-
-high-protected-path /etc/gshadow
-high-protected-path /etc/gshadow-
-high-protected-path /var/log
-high-protected-path /dev/mem
-high-protected-path /dev/kmem
-high-protected-path /dev/port
-high-protected-path /dev/log
-high-protected-path /sys
-high-protected-path /etc/ppp
-high-protected-path /etc/samba/smbpasswd
-#to protect kernel images
-high-protected-path /boot
-high-protected-path /usr/lib/modules
-high-protected-path /usr/src
-
-inherit-learn /etc/cron.d
-inherit-learn /etc/cron.hourly
-inherit-learn /etc/cron.daily
-inherit-learn /etc/cron.weekly
-inherit-learn /etc/cron.monthly
Copied: gradm/repos/community-i686/learn_config (from rev 190210, gradm/trunk/learn_config)
===================================================================
--- community-i686/learn_config (rev 0)
+++ community-i686/learn_config 2016-09-23 14:10:27 UTC (rev 190211)
@@ -0,0 +1,168 @@
+#This configuration file aids the learning process by tweaking
+#the learning algorithm for specific paths.
+#
+#It accepts lines in the form of <command> <pathname>
+#Where <command> can be inherit-learn, no-learn, inherit-no-learn,
+#high-reduce-path, dont-reduce-path, protected-path, high-protected-path,
+#read-protected-path, and always-reduce-path
+#
+#inherit-learn, no-learn, and inherit-no-learn operate only with
+#full learning
+#
+#high-reduce-path, dont-reduce-path, always-reduce-path, protected-path,
+#and high-protected-path operate on both full and and regular learning
+#(subject and role learning)
+#
+#inherit-learn changes the learning process for the specified path
+#by throwing all learned accesses for every binary executed by the
+#processes contained in the pathname into the subject specified
+#by the pathname. This is useful for cron in the case of full
+#system learning, so that scripts that eventually end up executing
+#mv or rm with privilege don't cause the root policy to grant
+#that privilege to mv or rm in all cases.
+#
+#no-learn allows processes within the path to perform any operation
+#that normal system usage would allow without restriction. If
+#a process is generating a huge number of learning logs, it may be
+#best to use this command on that process and configure its policy
+#manually.
+#
+#inherit-no-learn combines the above two cases, such that processes
+#within the specified path will be able to perform any normal system
+#operation without restriction as will any binaries executed by
+#these processes.
+#
+#high-reduce-path modifies the heuristics of the learning process
+#to weight in favor of reducing accesses for this path
+#
+#dont-reduce-path modifies the heuristics of the learning process
+#so that it will never reduce accesses for this path
+#
+#always-reduce-path modifies the heuristics of the learning process
+#so that the path specified will always have all files and directories
+#within it reduced to the path specified.
+#
+#protected-path specifies a path on your system that is considered an
+#important resource. Any process that modifies one of these paths
+#is given its own subject in the learning process, facilitating
+#a secure policy.
+#
+#read-protected-path specifies a path on your system that contains
+#sensitive information. Any process that reads one of these paths is
+#given its own subject in the learning process, facilitating a secure
+#policy.
+#
+#high-protected-path specifies a path that should be hidden from
+#all processes but those that access it directly. It is recommended
+#to use highly sensitive files for this command.
+#
+#regular expressions are not supported for pathnames in this config file
+#
+#
+# uncomment this next line if you don't wish to generate a policy that
+# restricts roles to specific IP ranges:
+# dont-learn-allowed-ips
+#
+# to write out your generated policy such that roles are split into separate
+# files by the name of the role (within user/group directories), uncomment
+# the next line:
+# split-roles
+
+always-reduce-path /dev/pts
+always-reduce-path /var/spool/qmailscan/tmp
+always-reduce-path /var/spool/exim4
+always-reduce-path /run/screen
+always-reduce-path /usr/share/locale
+always-reduce-path /usr/share/zoneinfo
+always-reduce-path /usr/share/terminfo
+always-reduce-path /var/abs
+always-reduce-path /tmp
+always-reduce-path /var/tmp
+
+high-reduce-path /run/udev
+high-reduce-path /dev/mapper
+high-reduce-path /dev/snd
+high-reduce-path /proc
+high-reduce-path /usr/lib/security
+high-reduce-path /usr/lib/modules
+high-reduce-path /usr/lib
+high-reduce-path /usr/lib32
+high-reduce-path /usr/libx32
+high-reduce-path /usr/lib/tls
+high-reduce-path /usr/lib32/tls
+high-reduce-path /usr/libx32/tls
+high-reduce-path /usr/lib/libreoffice
+high-reduce-path /var/lib
+high-reduce-path /usr/bin
+high-reduce-path /usr/sbin
+high-reduce-path /usr/local/share
+high-reduce-path /usr/local/bin
+high-reduce-path /usr/local/sbin
+high-reduce-path /usr/local/etc
+high-reduce-path /usr/local/lib
+high-reduce-path /usr/share
+high-reduce-path /usr/X11R6/lib
+high-reduce-path /var/lib/openldap-data
+high-reduce-path /var/lib/krb5kdc
+
+dont-reduce-path /
+dont-reduce-path /home
+dont-reduce-path /dev
+dont-reduce-path /usr
+dont-reduce-path /var
+dont-reduce-path /opt
+
+protected-path /etc
+protected-path /boot
+protected-path /run
+protected-path /usr
+protected-path /opt
+protected-path /var
+protected-path /dev/log
+protected-path /root
+protected-path /sys
+
+read-protected-path /etc/ssh
+read-protected-path /proc/kallsyms
+read-protected-path /proc/kcore
+read-protected-path /proc/slabinfo
+read-protected-path /proc/modules
+read-protected-path /usr/lib/modules
+read-protected-path /boot
+read-protected-path /etc/shadow
+read-protected-path /etc/shadow-
+read-protected-path /etc/gshadow
+read-protected-path /etc/gshadow-
+read-protected-path /sys
+
+high-protected-path /etc/ssh
+high-protected-path /proc/kcore
+high-protected-path /proc/sys
+high-protected-path /proc/bus
+high-protected-path /proc/slabinfo
+high-protected-path /proc/modules
+high-protected-path /proc/kallsyms
+high-protected-path /etc/passwd
+high-protected-path /etc/shadow
+high-protected-path /var/backups
+high-protected-path /etc/shadow-
+high-protected-path /etc/gshadow
+high-protected-path /etc/gshadow-
+high-protected-path /var/log
+high-protected-path /dev/mem
+high-protected-path /dev/kmem
+high-protected-path /dev/port
+high-protected-path /dev/log
+high-protected-path /sys
+high-protected-path /etc/ppp
+high-protected-path /etc/samba/smbpasswd
+#to protect kernel images
+high-protected-path /boot
+high-protected-path /usr/lib/modules
+high-protected-path /usr/src
+
+inherit-learn /etc/cron.d
+inherit-learn /etc/cron.hourly
+inherit-learn /etc/cron.daily
+inherit-learn /etc/cron.weekly
+inherit-learn /etc/cron.monthly
Deleted: community-i686/policy
===================================================================
--- community-i686/policy 2016-09-23 14:09:52 UTC (rev 190210)
+++ community-i686/policy 2016-09-23 14:10:27 UTC (rev 190211)
@@ -1,491 +0,0 @@
-#sample default policy for grsecurity
-#
-# Role flags:
-# A -> This role is an administrative role, thus it has special privilege normal
-# roles do not have. In particular, this role bypasses the
-# additional ptrace restrictions
-# N -> Don't require authentication for this role. To access
-# the role, use gradm -n <rolename>
-# s -> This role is a special role, meaning it does not belong to a
-# user or group, and does not require an enforced secure policy
-# base to be included in the ruleset
-# u -> This role is a user role
-# g -> This role is a group role
-# G -> This role can use gradm to authenticate to the kernel
-# A policy for gradm will automatically be added to the role
-# T -> Enable TPE for this role
-# l -> Enable learning for this role
-# P -> Use PAM authentication for this role.
-# R -> Enable persistence of special role. Normal special roles will
-# be removed upon exit of the process that entered the role, or
-# upon unauth (this is what changes the apache process' role back
-# to its normal role after being restarted from the admin role, for
-# instance). Role persistence allows a special role to be used for
-# system shutdown, as the point at which the admin's shell/SSH
-# session is terminated won't cause the rest of the shutdown
-# sequence to execute with reduced privilege. Do *NOT* use this
-# flag with any role that does anything but shut the system down.
-# This role will also be transferred to the init process upon
-# writing to /dev/initctl. This allows init to execute the rc
-# scripts for shutdown with the necessary privilege.
-# For usability reasons, we allow the removal of persistence through
-# the normal unauth process (so persistence only survives exit).
-#
-# a role can only be one of user, group, or special
-#
-# role_allow_ip IP/optional netmask
-# eg: role_allow_ip 192.168.1.0/24
-# You can have as many of these per role as you want
-# They restrict the use of a role to a list of IPs. If a user
-# is on the system that would normally get the role does not
-# belong to those lists of IPs, the system falls back through
-# its method of determining a role for the user
-#
-# Role hierarchy
-# user -> group -> default
-# First a user role attempts to match, if one is not found,
-# a group role attempts to match, if one is not found,
-# the default role is used.
-#
-# role_transitions <special role 1> <special role 2> ... <special role n>
-# eg: role_transitions www_admin dns_admin
-#
-# role transitions specify which special roles a given role is allowed
-# to authenticate to. This applies to special roles that do not
-# require password authentication as well. If a user tries to
-# authenticate to a role that is not within his transition table, he
-# will receive a permission denied error
-#
-# Nested subjects
-# subject /usr/bin/su:/usr/bin/bash:/usr/bin/cat
-# / rwx
-# +CAP_ALL
-# grant privilege to specific processes if they are executed
-# within a trusted path. In this case, privilege is
-# granted if /usr/bin/cat is executed from /usr/bin/bash, which is
-# executed from /usr/bin/su.
-#
-# Configuration inheritance on nested subjects
-# nested subjects inherit rules from their parents. In the
-# example above, the nested subject would inherit rules
-# from the nested subject for /usr/bin/su:/usr/bin/bash,
-# and the subject /usr/bin/su
-# View the 1.9.x documentation for more information on
-# configuration inheritance
-#
-# new object modes:
-# m -> allow creation of setuid/setgid files/directories
-# and modification of files/directories to be setuid/setgid
-# M -> audit the setuid/setgid creation/modification
-# c -> allow creation of the file/directory
-# C -> audit the creation
-# d -> allow deletion of the file/directory
-# D -> audit the deletion
-# p -> reject all ptraces to this object
-# l -> allow a hardlink at this path
-# (hardlinking requires at a minimum c and l modes, and the target
-# link cannot have any greater permission than the source file)
-# L -> audit link creation
-# f -> needed to mark the pipe used for communication with init
-# to transfer the privilege of the persistent role; only valid
-# within a persistent role. Transfer only occurs when the file is
-# opened for writing
-# Z -> tells gradm to ignore earlier object of the same name and use this
-# one instead
-#
-# new subject modes:
-# O -> disable "writable library" restrictions for this task
-# t -> allow this process to ptrace any process (use with caution)
-# r -> relax ptrace restrictions (allows process to ptrace processes
-# other than its own descendants)
-# i -> enable inheritance-based learning for this subject, causing
-# all accesses of this subject and anything it executes to be placed
-# in this subject, and inheritance flags added to executable objects
-# in this subject
-# a -> allow this process to talk to the /dev/grsec device
-# s -> enable AT_SECURE when entering this subject
-# (enables the same environment sanitization that occurs in glibc
-# upon execution of a suid binary)
-# x -> allows executable anonymous shared memory for this subject
-# Z -> tells gradm to ignore earlier subject of the same path and use this
-# one instead
-
-# user/group transitions:
-# You may now specify what users and groups a given subject can
-# transition to. This can be done on an inclusive or exclusive basis.
-# Omitting these rules allows a process with proper privilege granted by
-# capabilities to transition to any user/group.
-#
-# Examples:
-# subject /usr/bin/su
-# user_transition_allow root spender
-# group_transition_allow root spender
-# subject /usr/bin/su
-# user_transition_deny evilhacker
-# subject /usr/bin/su
-# group_transition_deny evilhacker1 evilhacker2
-#
-# Domains:
-# With domains you can combine users that don't share a common
-# GID as well as groups so that they share a single policy
-# Domains work just like roles, with the only exception being that
-# the line starting with "role" is replaced with one of the following:
-# domain somedomainname u user1 user2 user3 user4 ... usern
-# domain somedomainname g group1 group2 group3 group4 ... groupn
-#
-# Inverted socket policies:
-# Rules such as
-# connect ! www.google.com:80 stream tcp
-# are now allowed, which allows you to specify that a process can connect to anything
-# except to port 80 of www.google.com with a stream tcp socket
-# the inverted socket matching also works on bind rules
-#
-# INADDR_ANY overriding
-# You can now force a given subject to bind to a particular IP address on the machine
-# This is useful for some chrooted environments, to ensure that the source IP they
-# use is one of your choosing
-# to use, add a line like:
-# ip_override 192.168.0.1
-#
-# Per-interface socket policies:
-# Rules such as
-# bind eth1:80 stream tcp
-# bind eth0#1:22 stream tcp
-# are now allowed, giving you the ability to tie specific socket rules
-# to a single interface (or by using the inverted rules, all but one
-# interface). Virtual interfaces are specified by the <ifname>#<vindex>
-# syntax. If an interface is specified, no IP/netmask or host may be
-# specified for the rule.
-#
-# Allowing additional socket families:
-# Before v2.2.1 of the RBAC system, a subject that specified
-# connect/bind rules limited only the socket usage of IPv4, allowing
-# any other socket families to be used. Starting with v2.2.1 of the
-# RBAC system, when connect/bind rules are used, additional rules
-# will be required to unlock the use of additional socket families
-# (outside of the common unix family). Multiple families can be
-# specified per line.
-# To enable use of IPv6, add the line:
-# sock_allow_family ipv6
-# To enable use of netlink, add the line:
-# sock_allow_family netlink
-# To enable all other families, add the line:
-# sock_allow_family all
-#
-# New learning system:
-# To learn on a given subject: add l (the letter l, not the number 1)
-# to the subject mode
-# If you want to learn with the most restrictive policy, use the
-# following:
-# subject /path/to/bin lo
-# / h
-# -CAP_ALL
-# connect disabled
-# bind disabled
-# Resource learning is also supported, so lines like
-# RES_AS 0 0
-# can be used to learn a particular resource
-#
-# To learn on a given role, add l to the role mode
-# For both of these, to enable learning, enable the system like:
-# gradm -L /etc/grsec/learning.logs -E
-# and then generate the rules after disabling the system after the
-# learning phase with:
-# gradm -L /etc/grsec/learning.logs -O /etc/grsec/policy
-# To use full system learning, enable the system like:
-# gradm -F -L /etc/grsec/learning.logs
-# and then generate the rules after disabling the system after the
-# learning phase with:
-# gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/policy
-#
-# New PaX flag format (replaces PaX subject flags):
-# PaX flags can be forced on or off, regardless of the flags on the
-# binary, by using + or - before the following PaX flag names:
-# PAX_SEGMEXEC
-# PAX_PAGEEXEC
-# PAX_MPROTECT
-# PAX_RANDMMAP
-# PAX_EMUTRAMP
-#
-# New feature for easier policy maintenance:
-# replace <variable name> <replace string>
-# e.g.:
-# replace CVSROOT /home/cvs
-# now $(CVSROOT) can be used in any subject or object pathname, like:
-# $(CVSROOT)/grsecurity r
-# This will translate to /home/cvs/grsecurity r
-# This feature makes it easier to update policies by naming specific
-# paths by their function, then only having to update those paths once
-# to have it affect a large number of subjects/objects.
-#
-# capability auditing / log suppression
-# use of a capability can be audited by adding "audit" to the line, eg:
-# +CAP_SYS_RAWIO audit
-# log suppression for denial of a capbility can be done by adding "suppress":
-# -CAP_SYS_RAWIO suppress
-#
-# Per-role umask enforcement:
-# If you have a user that you want to be assured cannot accidentally
-# create a file that others can read (a confidentiality issue)
-# add the following under the role declaration:
-# role_umask 077
-# any normal octal umask may be specified
-# Note that unlike the normal umask, this umask will also apply
-# to the permissions one can chmod/fchmod a file to
-#
-# Note that the omission of any feature of a role or subject
-# results in a default-allow
-# For instance, if no capability rules are added in a subject without
-# policy inheritance ("o" in subject mode), an implicit +CAP_ALL is used
-#
-# Also note that policy inheritance does not exist for network policies, only
-# file objects and capabilities inherit policy
-#
-# Commonly-used objects can be defined and used in multiple subjects
-# As an example, we'll create a variable out of a list of objects
-# and their associated permissions that RBAC enforces
-# files, connect/bind rules, and capabilities can currently be added to a define
-
-define grsec_denied {
- /boot h
- /dev/grsec h
- /dev/kmem h
- /dev/mem h
- /dev/port h
- /etc/grsec h
- /proc/kcore h
- /proc/slabinfo h
- /proc/modules h
- /proc/kallsyms h
- # hide and suppress logs about accessing this path
- /usr/lib/modules hs
- /etc/ssh h
-}
-# usage:
-# $grsec_denied
-
-role shutdown sARG
-subject / rvka
- /
- /dev
- /dev/urandom r
- /dev/random r
- /etc r
- /usr rx
- /proc r
- $grsec_denied
- -CAP_ALL
- connect disabled
- bind disabled
-
-subject /usr/lib/systemd/systemd rvkao
- / rwcdmlxi
-subject /usr/bin/systemctl rvkao
- / rwcdmlxi
- /dev/initctl rwf
- /run/initctl rwf
-
-# Make sure to unauthenticate with gradm -u from
-# the admin role after restarting a service
-# The service started will run with admin
-# privileges until you run gradm -u or your shell exits
-
-role admin sA
-subject / rvka
- / rwcdmlxi
-
-role default G
-role_transitions admin shutdown
-subject /
- / r
- /opt rx
- /home rwxcd
- /mnt rw
- /dev
- /dev/urandom r
- /dev/random r
- /dev/zero rw
- /dev/input rw
- /dev/psaux rw
- /dev/null rw
- /dev/tty? rw
- /dev/console rw
- /dev/tty rw
- /dev/pts rw
- /dev/ptmx rw
- /dev/dsp rw
- /dev/mixer rw
- /dev/initctl rw
- /dev/fd0 r
- /dev/sr0 r
- /usr rx
-# compilation of kernel code should be done within the admin role
- /usr/src h
- /etc rx
- /proc rwx
- /proc/sys r
- /sys h
- /root r
- /run r
- /tmp rwcd
- /var rwxcd
- /var/tmp rwcd
- /var/log r
-# hide the kernel images and modules
- $grsec_denied
-
-# if sshd needs to be restarted, it can be done through the admin role
-# restarting sshd should be followed immediately by a gradm -u
- /usr/bin/sshd
-
- -CAP_KILL
- -CAP_SYS_TTY_CONFIG
- -CAP_LINUX_IMMUTABLE
- -CAP_NET_RAW
- -CAP_MKNOD
- -CAP_SYS_ADMIN
- -CAP_SYS_RAWIO
- -CAP_SYS_MODULE
- -CAP_SYS_PTRACE
- -CAP_NET_ADMIN
- -CAP_NET_BIND_SERVICE
- -CAP_NET_RAW
- -CAP_SYS_CHROOT
- -CAP_SYS_BOOT
- -CAP_SETFCAP
- -CAP_SYSLOG
-
-# RES_AS 100M 100M
-
-# connect 192.168.1.0/24:22 stream tcp
-# bind 0.0.0.0 stream dgram tcp udp
-
-# the d flag protects /proc fd and mem entries for sshd
-# all daemons should have 'p' in their subject mode to prevent
-# an attacker from killing the service (and restarting it with trojaned
-# config file or taking the port it reserved to run a trojaned service)
-
-subject /usr/bin/sshd dpo
- /
- /* h
- /usr/bin/bash x
- /dev h
- /dev/random r
- /dev/urandom r
- /dev/null rw
- /dev/ptmx rw
- /dev/pts rw
- /dev/tty rw
- /dev/tty? rw
- /etc r
- /etc/grsec h
- /home
- /home/*/.ssh/authorized_keys r
- /root
- /proc r
- /proc/*/oom_adj rw
- /proc/*/oom_score_adj rw
- /proc/kcore h
- /proc/sys h
- /proc/sys/kernel/ngroups_max r
- /selinux r
- /usr/lib rx
- /usr/lib32 rx
- /usr/libx32 rx
- /usr/share/zoneinfo r
- /var/log
- /var/spool/mail
- /var/log/lastlog rw
- /var/log/wtmp w
- /var/run
- /run
- /run/systemd/journal/dev-log rw
- /var/run/sshd
- /var/run/utmp rw
- /var/run/utmpx rw
- /var/run/.nscd_socket rw
-
- -CAP_ALL
- +CAP_CHOWN
- +CAP_SETGID
- +CAP_SETUID
- +CAP_SYS_CHROOT
- +CAP_SYS_RESOURCE
- +CAP_SYS_TTY_CONFIG
- +CAP_AUDIT_WRITE
- # to access user keys
- +CAP_DAC_OVERRIDE
-
-subject /usr/bin/Xorg
- /dev/mem rw
-
- +CAP_SYS_ADMIN
- +CAP_SYS_TTY_CONFIG
- +CAP_SYS_RAWIO
-
-subject /usr/bin/ssh
- /etc/ssh/ssh_config r
-
-subject /usr/bin/postgres
- /run/systemd/journal/dev-log rw
-
-subject /usr/bin/exim
- /run/systemd/journal/dev-log rw
-
-subject /usr/bin/syslog-ng
- +CAP_SYS_ADMIN
-
-subject /usr/bin/rsyslogd
- +CAP_SYS_ADMIN
-
-subject /usr/bin/cron
- /run/systemd/journal/dev-log rw
-
-subject /usr/bin/crond
- /run/systemd/journal/dev-log rw
-
-subject /usr/bin/login
- /run/systemd/journal/dev-log rw
- /var/log/wtmp w
- /var/log/faillog rwcd
-
-subject /usr/bin/su
- /run/systemd/journal/dev-log rw
-
-subject /usr/bin/sudo
- /run/systemd/journal/dev-log rw
-
-subject /usr/bin/agetty
- /var/log/wtmp w
-
-subject /usr/bin/xauth
- /home r
- /home/*/.Xauthority-* rwcdl
-
-# prevent ld.so breakouts of subjects with /usr/lib rx
-
-# many distros clutter up /usr/lib with shell scripts
-# that can be easily hijacked for malicious purposes
-subject /usr/lib o
- / h
- -CAP_ALL
- connect disabled
- bind disabled
-
-subject /usr/lib32 o
- / h
- -CAP_ALL
- connect disabled
- bind disabled
-
-subject /usr/lib/ld-linux.so.2 o
- / h
- -CAP_ALL
- connect disabled
- bind disabled
-
-subject /usr/lib/ld-linux-x86-64.so.2 o
- / h
- -CAP_ALL
- connect disabled
- bind disabled
Copied: gradm/repos/community-i686/policy (from rev 190210, gradm/trunk/policy)
===================================================================
--- community-i686/policy (rev 0)
+++ community-i686/policy 2016-09-23 14:10:27 UTC (rev 190211)
@@ -0,0 +1,491 @@ +#sample default policy for grsecurity +# +# Role flags: +# A -> This role is an administrative role, thus it has special privilege normal +# roles do not have. In particular, this role bypasses the +# additional ptrace restrictions +# N -> Don't require authentication for this role. To access +# the role, use gradm -n <rolename> +# s -> This role is a special role, meaning it does not belong to a +# user or group, and does not require an enforced secure policy +# base to be included in the ruleset +# u -> This role is a user role +# g -> This role is a group role +# G -> This role can use gradm to authenticate to the kernel +# A policy for gradm will automatically be added to the role +# T -> Enable TPE for this role +# l -> Enable learning for this role +# P -> Use PAM authentication for this role. +# R -> Enable persistence of special role. Normal special roles will +# be removed upon exit of the process that entered the role, or +# upon unauth (this is what changes the apache process' role back +# to its normal role after being restarted from the admin role, for +# instance). Role persistence allows a special role to be used for +# system shutdown, as the point at which the admin's shell/SSH +# session is terminated won't cause the rest of the shutdown +# sequence to execute with reduced privilege. Do *NOT* use this +# flag with any role that does anything but shut the system down. +# This role will also be transferred to the init process upon +# writing to /dev/initctl. This allows init to execute the rc +# scripts for shutdown with the necessary privilege. +# For usability reasons, we allow the removal of persistence through +# the normal unauth process (so persistence only survives exit). +# +# a role can only be one of user, group, or special +# +# role_allow_ip IP/optional netmask +# eg: role_allow_ip 192.168.1.0/24 +# You can have as many of these per role as you want +# They restrict the use of a role to a list of IPs. 
If a user +# is on the system that would normally get the role does not +# belong to those lists of IPs, the system falls back through +# its method of determining a role for the user +# +# Role hierarchy +# user -> group -> default +# First a user role attempts to match, if one is not found, +# a group role attempts to match, if one is not found, +# the default role is used. +# +# role_transitions <special role 1> <special role 2> ... <special role n> +# eg: role_transitions www_admin dns_admin +# +# role transitions specify which special roles a given role is allowed +# to authenticate to. This applies to special roles that do not +# require password authentication as well. If a user tries to +# authenticate to a role that is not within his transition table, he +# will receive a permission denied error +# +# Nested subjects +# subject /usr/bin/su:/usr/bin/bash:/usr/bin/cat +# / rwx +# +CAP_ALL +# grant privilege to specific processes if they are executed +# within a trusted path. In this case, privilege is +# granted if /usr/bin/cat is executed from /usr/bin/bash, which is +# executed from /usr/bin/su. +# +# Configuration inheritance on nested subjects +# nested subjects inherit rules from their parents. 
In the +# example above, the nested subject would inherit rules +# from the nested subject for /usr/bin/su:/usr/bin/bash, +# and the subject /usr/bin/su +# View the 1.9.x documentation for more information on +# configuration inheritance +# +# new object modes: +# m -> allow creation of setuid/setgid files/directories +# and modification of files/directories to be setuid/setgid +# M -> audit the setuid/setgid creation/modification +# c -> allow creation of the file/directory +# C -> audit the creation +# d -> allow deletion of the file/directory +# D -> audit the deletion +# p -> reject all ptraces to this object +# l -> allow a hardlink at this path +# (hardlinking requires at a minimum c and l modes, and the target +# link cannot have any greater permission than the source file) +# L -> audit link creation +# f -> needed to mark the pipe used for communication with init +# to transfer the privilege of the persistent role; only valid +# within a persistent role. Transfer only occurs when the file is +# opened for writing +# Z -> tells gradm to ignore earlier object of the same name and use this +# one instead +# +# new subject modes: +# O -> disable "writable library" restrictions for this task +# t -> allow this process to ptrace any process (use with caution) +# r -> relax ptrace restrictions (allows process to ptrace processes +# other than its own descendants) +# i -> enable inheritance-based learning for this subject, causing +# all accesses of this subject and anything it executes to be placed +# in this subject, and inheritance flags added to executable objects +# in this subject +# a -> allow this process to talk to the /dev/grsec device +# s -> enable AT_SECURE when entering this subject +# (enables the same environment sanitization that occurs in glibc +# upon execution of a suid binary) +# x -> allows executable anonymous shared memory for this subject +# Z -> tells gradm to ignore earlier subject of the same path and use this +# one instead + +# 
user/group transitions: +# You may now specify what users and groups a given subject can +# transition to. This can be done on an inclusive or exclusive basis. +# Omitting these rules allows a process with proper privilege granted by +# capabilities to transition to any user/group. +# +# Examples: +# subject /usr/bin/su +# user_transition_allow root spender +# group_transition_allow root spender +# subject /usr/bin/su +# user_transition_deny evilhacker +# subject /usr/bin/su +# group_transition_deny evilhacker1 evilhacker2 +# +# Domains: +# With domains you can combine users that don't share a common +# GID as well as groups so that they share a single policy +# Domains work just like roles, with the only exception being that +# the line starting with "role" is replaced with one of the following: +# domain somedomainname u user1 user2 user3 user4 ... usern +# domain somedomainname g group1 group2 group3 group4 ... groupn +# +# Inverted socket policies: +# Rules such as +# connect ! www.google.com:80 stream tcp +# are now allowed, which allows you to specify that a process can connect to anything +# except to port 80 of www.google.com with a stream tcp socket +# the inverted socket matching also works on bind rules +# +# INADDR_ANY overriding +# You can now force a given subject to bind to a particular IP address on the machine +# This is useful for some chrooted environments, to ensure that the source IP they +# use is one of your choosing +# to use, add a line like: +# ip_override 192.168.0.1 +# +# Per-interface socket policies: +# Rules such as +# bind eth1:80 stream tcp +# bind eth0#1:22 stream tcp +# are now allowed, giving you the ability to tie specific socket rules +# to a single interface (or by using the inverted rules, all but one +# interface). Virtual interfaces are specified by the <ifname>#<vindex> +# syntax. If an interface is specified, no IP/netmask or host may be +# specified for the rule. 
+# +# Allowing additional socket families: +# Before v2.2.1 of the RBAC system, a subject that specified +# connect/bind rules limited only the socket usage of IPv4, allowing +# any other socket families to be used. Starting with v2.2.1 of the +# RBAC system, when connect/bind rules are used, additional rules +# will be required to unlock the use of additional socket families +# (outside of the common unix family). Multiple families can be +# specified per line. +# To enable use of IPv6, add the line: +# sock_allow_family ipv6 +# To enable use of netlink, add the line: +# sock_allow_family netlink +# To enable all other families, add the line: +# sock_allow_family all +# +# New learning system: +# To learn on a given subject: add l (the letter l, not the number 1) +# to the subject mode +# If you want to learn with the most restrictive policy, use the +# following: +# subject /path/to/bin lo +# / h +# -CAP_ALL +# connect disabled +# bind disabled +# Resource learning is also supported, so lines like +# RES_AS 0 0 +# can be used to learn a particular resource +# +# To learn on a given role, add l to the role mode +# For both of these, to enable learning, enable the system like: +# gradm -L /etc/grsec/learning.logs -E +# and then generate the rules after disabling the system after the +# learning phase with: +# gradm -L /etc/grsec/learning.logs -O /etc/grsec/policy +# To use full system learning, enable the system like: +# gradm -F -L /etc/grsec/learning.logs +# and then generate the rules after disabling the system after the +# learning phase with: +# gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/policy +# +# New PaX flag format (replaces PaX subject flags): +# PaX flags can be forced on or off, regardless of the flags on the +# binary, by using + or - before the following PaX flag names: +# PAX_SEGMEXEC +# PAX_PAGEEXEC +# PAX_MPROTECT +# PAX_RANDMMAP +# PAX_EMUTRAMP +# +# New feature for easier policy maintenance: +# replace <variable name> <replace string> +# 
e.g.: +# replace CVSROOT /home/cvs +# now $(CVSROOT) can be used in any subject or object pathname, like: +# $(CVSROOT)/grsecurity r +# This will translate to /home/cvs/grsecurity r +# This feature makes it easier to update policies by naming specific +# paths by their function, then only having to update those paths once +# to have it affect a large number of subjects/objects. +# +# capability auditing / log suppression +# use of a capability can be audited by adding "audit" to the line, eg: +# +CAP_SYS_RAWIO audit +# log suppression for denial of a capbility can be done by adding "suppress": +# -CAP_SYS_RAWIO suppress +# +# Per-role umask enforcement: +# If you have a user that you want to be assured cannot accidentally +# create a file that others can read (a confidentiality issue) +# add the following under the role declaration: +# role_umask 077 +# any normal octal umask may be specified +# Note that unlike the normal umask, this umask will also apply +# to the permissions one can chmod/fchmod a file to +# +# Note that the omission of any feature of a role or subject +# results in a default-allow +# For instance, if no capability rules are added in a subject without +# policy inheritance ("o" in subject mode), an implicit +CAP_ALL is used +# +# Also note that policy inheritance does not exist for network policies, only +# file objects and capabilities inherit policy +# +# Commonly-used objects can be defined and used in multiple subjects +# As an example, we'll create a variable out of a list of objects +# and their associated permissions that RBAC enforces +# files, connect/bind rules, and capabilities can currently be added to a define + +define grsec_denied { + /boot h + /dev/grsec h + /dev/kmem h + /dev/mem h + /dev/port h + /etc/grsec h + /proc/kcore h + /proc/slabinfo h + /proc/modules h + /proc/kallsyms h + # hide and suppress logs about accessing this path + /usr/lib/modules hs + /etc/ssh h +} +# usage: +# $grsec_denied + +role shutdown sARG +subject / 
rvka + / + /dev + /dev/urandom r + /dev/random r + /etc r + /usr rx + /proc r + $grsec_denied + -CAP_ALL + connect disabled + bind disabled + +subject /usr/lib/systemd/systemd rvkao + / rwcdmlxi +subject /usr/bin/systemctl rvkao + / rwcdmlxi + /dev/initctl rwf + /run/initctl rwf + +# Make sure to unauthenticate with gradm -u from +# the admin role after restarting a service +# The service started will run with admin +# privileges until you run gradm -u or your shell exits + +role admin sA +subject / rvka + / rwcdmlxi + +role default G +role_transitions admin shutdown +subject / + / r + /opt rx + /home rwxcd + /mnt rw + /dev + /dev/urandom r + /dev/random r + /dev/zero rw + /dev/input rw + /dev/psaux rw + /dev/null rw + /dev/tty? rw + /dev/console rw + /dev/tty rw + /dev/pts rw + /dev/ptmx rw + /dev/dsp rw + /dev/mixer rw + /dev/initctl rw + /dev/fd0 r + /dev/sr0 r + /usr rx +# compilation of kernel code should be done within the admin role + /usr/src h + /etc rx + /proc rwx + /proc/sys r + /sys h + /root r + /run r + /tmp rwcd + /var rwxcd + /var/tmp rwcd + /var/log r +# hide the kernel images and modules + $grsec_denied + +# if sshd needs to be restarted, it can be done through the admin role +# restarting sshd should be followed immediately by a gradm -u + /usr/bin/sshd + + -CAP_KILL + -CAP_SYS_TTY_CONFIG + -CAP_LINUX_IMMUTABLE + -CAP_NET_RAW + -CAP_MKNOD + -CAP_SYS_ADMIN + -CAP_SYS_RAWIO + -CAP_SYS_MODULE + -CAP_SYS_PTRACE + -CAP_NET_ADMIN + -CAP_NET_BIND_SERVICE + -CAP_NET_RAW + -CAP_SYS_CHROOT + -CAP_SYS_BOOT + -CAP_SETFCAP + -CAP_SYSLOG + +# RES_AS 100M 100M + +# connect 192.168.1.0/24:22 stream tcp +# bind 0.0.0.0 stream dgram tcp udp + +# the d flag protects /proc fd and mem entries for sshd +# all daemons should have 'p' in their subject mode to prevent +# an attacker from killing the service (and restarting it with trojaned +# config file or taking the port it reserved to run a trojaned service) + +subject /usr/bin/sshd dpo + / + /* h + /usr/bin/bash x + 
/dev h + /dev/random r + /dev/urandom r + /dev/null rw + /dev/ptmx rw + /dev/pts rw + /dev/tty rw + /dev/tty? rw + /etc r + /etc/grsec h + /home + /home/*/.ssh/authorized_keys r + /root + /proc r + /proc/*/oom_adj rw + /proc/*/oom_score_adj rw + /proc/kcore h + /proc/sys h + /proc/sys/kernel/ngroups_max r + /selinux r + /usr/lib rx + /usr/lib32 rx + /usr/libx32 rx + /usr/share/zoneinfo r + /var/log + /var/spool/mail + /var/log/lastlog rw + /var/log/wtmp w + /var/run + /run + /run/systemd/journal/dev-log rw + /var/run/sshd + /var/run/utmp rw + /var/run/utmpx rw + /var/run/.nscd_socket rw + + -CAP_ALL + +CAP_CHOWN + +CAP_SETGID + +CAP_SETUID + +CAP_SYS_CHROOT + +CAP_SYS_RESOURCE + +CAP_SYS_TTY_CONFIG + +CAP_AUDIT_WRITE + # to access user keys + +CAP_DAC_OVERRIDE + +subject /usr/bin/Xorg + /dev/mem rw + + +CAP_SYS_ADMIN + +CAP_SYS_TTY_CONFIG + +CAP_SYS_RAWIO + +subject /usr/bin/ssh + /etc/ssh/ssh_config r + +subject /usr/bin/postgres + /run/systemd/journal/dev-log rw + +subject /usr/bin/exim + /run/systemd/journal/dev-log rw + +subject /usr/bin/syslog-ng + +CAP_SYS_ADMIN + +subject /usr/bin/rsyslogd + +CAP_SYS_ADMIN + +subject /usr/bin/cron + /run/systemd/journal/dev-log rw + +subject /usr/bin/crond + /run/systemd/journal/dev-log rw + +subject /usr/bin/login + /run/systemd/journal/dev-log rw + /var/log/wtmp w + /var/log/faillog rwcd + +subject /usr/bin/su + /run/systemd/journal/dev-log rw + +subject /usr/bin/sudo + /run/systemd/journal/dev-log rw + +subject /usr/bin/agetty + /var/log/wtmp w + +subject /usr/bin/xauth + /home r + /home/*/.Xauthority-* rwcdl + +# prevent ld.so breakouts of subjects with /usr/lib rx + +# many distros clutter up /usr/lib with shell scripts +# that can be easily hijacked for malicious purposes +subject /usr/lib o + / h + -CAP_ALL + connect disabled + bind disabled + +subject /usr/lib32 o + / h + -CAP_ALL + connect disabled + bind disabled + +subject /usr/lib/ld-linux.so.2 o + / h + -CAP_ALL + connect disabled + bind disabled + +subject 
/usr/lib/ld-linux-x86-64.so.2 o
+ / h
+ -CAP_ALL
+ connect disabled
+ bind disabled
Deleted: community-x86_64/PKGBUILD
===================================================================
--- community-x86_64/PKGBUILD 2016-09-23 14:09:52 UTC (rev 190210)
+++ community-x86_64/PKGBUILD 2016-09-23 14:10:27 UTC (rev 190211)
@@ -1,46 +0,0 @@
-# $Id$
-# Maintainer: Daniel Micay <danielmi...@gmail.com>
-# Contributor: Jonathan Liu <net...@gmail.com>
-# Contributor: henning mueller <henn...@orgizm.net>
-# Contributor: s1gma <s1...@mindslicer.com>
-# Contributor: Ahmad24 <myitra...@gmail.com>
-# Contributor: maxrp <m...@pdx.edu>
-
-pkgname=gradm
-_version=3.1
-_timestamp=201607172312
-pkgver=$_version.$_timestamp
-pkgrel=1
-pkgdesc="Administration utility for grsecurity's Role Based Access Control (RBAC)"
-arch=(i686 x86_64)
-url=https://grsecurity.net/
-license=(GPL2)
-depends=(pam)
-source=(https://grsecurity.net/stable/$pkgname-$_version-$_timestamp.tar.gz
- https://grsecurity.net/stable/$pkgname-$_version-$_timestamp.tar.gz.sig
- learn_config
- policy)
-sha256sums=('4281c72e3e82f0ea2c01d124975c19326b2157c10911fa065c1549195d5e6ee4'
- 'SKIP'
- '61c3042879ec2303b713f57f751fb66a95e2cc4737fbbd6d95879829c7b7d3c0'
- '73cf31add3da55b539777d736764a40c6b30041cc259e1d0372c867b87070440')
-validpgpkeys=(
- 'DE9452CE46F42094907F108B44D1C0F82525FE49' # Bradley Spengler
-)
-
-prepare() {
- cd $pkgname
- sed -i -e 's/^CFLAGS :=/CFLAGS +=/' -e 's:sbin:usr/bin:' Makefile
-}
-
-build() {
- cd $pkgname
- make
-}
-
-package() {
- cd $pkgname
- make DESTDIR="$pkgdir" install
- cp "$srcdir"/{learn_config,policy} "$pkgdir/etc/grsec"
- rm -r "$pkgdir/dev"
-}
Copied: gradm/repos/community-x86_64/PKGBUILD (from rev 190210, gradm/trunk/PKGBUILD)
===================================================================
--- community-x86_64/PKGBUILD (rev 0)
+++ community-x86_64/PKGBUILD 2016-09-23 14:10:27 UTC (rev 190211)
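Review bot: The ld.so breakout guards at the end of the policy cover /usr/lib, /usr/lib32 and the two loaders, but not /usr/libx32, even though the sshd subject earlier in this hunk grants `/usr/libx32 rx` alongside `/usr/lib rx` and `/usr/lib32 rx`. A script or binary executed from /usr/libx32 would therefore run under the sshd subject's (or the default subject's) rules rather than the locked-down `o` subject; adding a matching subject closes that gap, and if an x32 dynamic loader is shipped under that directory it presumably needs the same treatment as the other two loaders. Separately, `-CAP_NET_RAW` is listed twice in the default role's `/` subject (once after `-CAP_LINUX_IMMUTABLE`, again after `-CAP_NET_BIND_SERVICE`); the second occurrence is harmless but should be dropped to keep the capability list readable.
```conf
subject /usr/libx32 o
	/ h
	-CAP_ALL
	connect disabled
	bind disabled
```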
@@ -0,0 +1,46 @@
+# $Id$
+# Maintainer: Daniel Micay <danielmi...@gmail.com>
+# Contributor: Jonathan Liu <net...@gmail.com>
+# Contributor: henning mueller <henn...@orgizm.net>
+# Contributor: s1gma <s1...@mindslicer.com>
+# Contributor: Ahmad24 <myitra...@gmail.com>
+# Contributor: maxrp <m...@pdx.edu>
+
+pkgname=gradm
+_version=3.1
+_timestamp=201608131257
+pkgver=$_version.$_timestamp
+pkgrel=1
+pkgdesc="Administration utility for grsecurity's Role Based Access Control (RBAC)"
+arch=(i686 x86_64)
+url=https://grsecurity.net/
+license=(GPL2)
+depends=(pam)
+source=(https://grsecurity.net/stable/$pkgname-$_version-$_timestamp.tar.gz
+ https://grsecurity.net/stable/$pkgname-$_version-$_timestamp.tar.gz.sig
+ learn_config
+ policy)
+sha256sums=('2b771346458f55805713e4cdfc4fefba1da88826dd9ecff38dacd0087331a578'
+ 'SKIP'
+ '61c3042879ec2303b713f57f751fb66a95e2cc4737fbbd6d95879829c7b7d3c0'
+ '73cf31add3da55b539777d736764a40c6b30041cc259e1d0372c867b87070440')
+validpgpkeys=(
+ 'DE9452CE46F42094907F108B44D1C0F82525FE49' # Bradley Spengler
+)
+
+prepare() {
+ cd $pkgname
+ sed -i -e 's/^CFLAGS :=/CFLAGS +=/' -e 's:sbin:usr/bin:' Makefile
+}
+
+build() {
+ cd $pkgname
+ make
+}
+
+package() {
+ cd $pkgname
+ make DESTDIR="$pkgdir" install
+ cp "$srcdir"/{learn_config,policy} "$pkgdir/etc/grsec"
+ rm -r "$pkgdir/dev"
+}
Deleted: community-x86_64/learn_config
===================================================================
--- community-x86_64/learn_config 2016-09-23 14:09:52 UTC (rev 190210)
+++ community-x86_64/learn_config 2016-09-23 14:10:27 UTC (rev 190211)
@@ -1,168 +0,0 @@
-#This configuration file aids the learning process by tweaking
-#the learning algorithm for specific paths.
-#
-#It accepts lines in the form of <command> <pathname>
-#Where <command> can be inherit-learn, no-learn, inherit-no-learn,
-#high-reduce-path, dont-reduce-path, protected-path, high-protected-path,
-#read-protected-path, and always-reduce-path
-#
-#inherit-learn, no-learn, and inherit-no-learn operate only with
-#full learning
-#
-#high-reduce-path, dont-reduce-path, always-reduce-path, protected-path,
-#and high-protected-path operate on both full and and regular learning
-#(subject and role learning)
-#
-#inherit-learn changes the learning process for the specified path
-#by throwing all learned accesses for every binary executed by the
-#processes contained in the pathname into the subject specified
-#by the pathname. This is useful for cron in the case of full
-#system learning, so that scripts that eventually end up executing
-#mv or rm with privilege don't cause the root policy to grant
-#that privilege to mv or rm in all cases.
-#
-#no-learn allows processes within the path to perform any operation
-#that normal system usage would allow without restriction. If
-#a process is generating a huge number of learning logs, it may be
-#best to use this command on that process and configure its policy
-#manually.
-#
-#inherit-no-learn combines the above two cases, such that processes
-#within the specified path will be able to perform any normal system
-#operation without restriction as will any binaries executed by
-#these processes.
-#
-#high-reduce-path modifies the heuristics of the learning process
-#to weight in favor of reducing accesses for this path
-#
-#dont-reduce-path modifies the heuristics of the learning process
-#so that it will never reduce accesses for this path
-#
-#always-reduce-path modifies the heuristics of the learning process
-#so that the path specified will always have all files and directories
-#within it reduced to the path specified.
-#
-#protected-path specifies a path on your system that is considered an
-#important resource. Any process that modifies one of these paths
-#is given its own subject in the learning process, facilitating
-#a secure policy.
-#
-#read-protected-path specifies a path on your system that contains
-#sensitive information. Any process that reads one of these paths is
-#given its own subject in the learning process, facilitating a secure
-#policy.
-#
-#high-protected-path specifies a path that should be hidden from
-#all processes but those that access it directly. It is recommended
-#to use highly sensitive files for this command.
-#
-#regular expressions are not supported for pathnames in this config file
-#
-#
-# uncomment this next line if you don't wish to generate a policy that
-# restricts roles to specific IP ranges:
-# dont-learn-allowed-ips
-#
-# to write out your generated policy such that roles are split into separate
-# files by the name of the role (within user/group directories), uncomment
-# the next line:
-# split-roles
-
-always-reduce-path /dev/pts
-always-reduce-path /var/spool/qmailscan/tmp
-always-reduce-path /var/spool/exim4
-always-reduce-path /run/screen
-always-reduce-path /usr/share/locale
-always-reduce-path /usr/share/zoneinfo
-always-reduce-path /usr/share/terminfo
-always-reduce-path /var/abs
-always-reduce-path /tmp
-always-reduce-path /var/tmp
-
-high-reduce-path /run/udev
-high-reduce-path /dev/mapper
-high-reduce-path /dev/snd
-high-reduce-path /proc
-high-reduce-path /usr/lib/security
-high-reduce-path /usr/lib/modules
-high-reduce-path /usr/lib
-high-reduce-path /usr/lib32
-high-reduce-path /usr/libx32
-high-reduce-path /usr/lib/tls
-high-reduce-path /usr/lib32/tls
-high-reduce-path /usr/libx32/tls
-high-reduce-path /usr/lib/libreoffice
-high-reduce-path /var/lib
-high-reduce-path /usr/bin
-high-reduce-path /usr/sbin
-high-reduce-path /usr/local/share
-high-reduce-path /usr/local/bin
-high-reduce-path /usr/local/sbin
-high-reduce-path /usr/local/etc
-high-reduce-path /usr/local/lib
-high-reduce-path /usr/share
-high-reduce-path /usr/X11R6/lib
-high-reduce-path /var/lib/openldap-data
-high-reduce-path /var/lib/krb5kdc
-
-dont-reduce-path /
-dont-reduce-path /home
-dont-reduce-path /dev
-dont-reduce-path /usr
-dont-reduce-path /var
-dont-reduce-path /opt
-
-protected-path /etc
-protected-path /boot
-protected-path /run
-protected-path /usr
-protected-path /opt
-protected-path /var
-protected-path /dev/log
-protected-path /root
-protected-path /sys
-
-read-protected-path /etc/ssh
-read-protected-path /proc/kallsyms
-read-protected-path /proc/kcore
-read-protected-path /proc/slabinfo
-read-protected-path /proc/modules
-read-protected-path /usr/lib/modules
-read-protected-path /boot
-read-protected-path /etc/shadow
-read-protected-path /etc/shadow-
-read-protected-path /etc/gshadow
-read-protected-path /etc/gshadow-
-read-protected-path /sys
-
-high-protected-path /etc/ssh
-high-protected-path /proc/kcore
-high-protected-path /proc/sys
-high-protected-path /proc/bus
-high-protected-path /proc/slabinfo
-high-protected-path /proc/modules
-high-protected-path /proc/kallsyms
-high-protected-path /etc/passwd
-high-protected-path /etc/shadow
-high-protected-path /var/backups
-high-protected-path /etc/shadow-
-high-protected-path /etc/gshadow
-high-protected-path /etc/gshadow-
-high-protected-path /var/log
-high-protected-path /dev/mem
-high-protected-path /dev/kmem
-high-protected-path /dev/port
-high-protected-path /dev/log
-high-protected-path /sys
-high-protected-path /etc/ppp
-high-protected-path /etc/samba/smbpasswd
-#to protect kernel images
-high-protected-path /boot
-high-protected-path /usr/lib/modules
-high-protected-path /usr/src
-
-inherit-learn /etc/cron.d
-inherit-learn /etc/cron.hourly
-inherit-learn /etc/cron.daily
-inherit-learn /etc/cron.weekly
-inherit-learn /etc/cron.monthly
Copied: gradm/repos/community-x86_64/learn_config (from rev 190210, gradm/trunk/learn_config)
===================================================================
--- community-x86_64/learn_config (rev 0)
+++ community-x86_64/learn_config 2016-09-23 14:10:27 UTC (rev 190211)
@@ -0,0 +1,168 @@
+#This configuration file aids the learning process by tweaking
+#the learning algorithm for specific paths.
+#
+#It accepts lines in the form of <command> <pathname>
+#Where <command> can be inherit-learn, no-learn, inherit-no-learn,
+#high-reduce-path, dont-reduce-path, protected-path, high-protected-path,
+#read-protected-path, and always-reduce-path
+#
+#inherit-learn, no-learn, and inherit-no-learn operate only with
+#full learning
+#
+#high-reduce-path, dont-reduce-path, always-reduce-path, protected-path,
+#and high-protected-path operate on both full and and regular learning
+#(subject and role learning)
+#
+#inherit-learn changes the learning process for the specified path
+#by throwing all learned accesses for every binary executed by the
+#processes contained in the pathname into the subject specified
+#by the pathname. This is useful for cron in the case of full
+#system learning, so that scripts that eventually end up executing
+#mv or rm with privilege don't cause the root policy to grant
+#that privilege to mv or rm in all cases.
+#
+#no-learn allows processes within the path to perform any operation
+#that normal system usage would allow without restriction. If
+#a process is generating a huge number of learning logs, it may be
+#best to use this command on that process and configure its policy
+#manually.
+#
+#inherit-no-learn combines the above two cases, such that processes
+#within the specified path will be able to perform any normal system
+#operation without restriction as will any binaries executed by
+#these processes.
+#
+#high-reduce-path modifies the heuristics of the learning process
+#to weight in favor of reducing accesses for this path
+#
+#dont-reduce-path modifies the heuristics of the learning process
+#so that it will never reduce accesses for this path
+#
+#always-reduce-path modifies the heuristics of the learning process
+#so that the path specified will always have all files and directories
+#within it reduced to the path specified.
+#
+#protected-path specifies a path on your system that is considered an
+#important resource. Any process that modifies one of these paths
+#is given its own subject in the learning process, facilitating
+#a secure policy.
+#
+#read-protected-path specifies a path on your system that contains
+#sensitive information. Any process that reads one of these paths is
+#given its own subject in the learning process, facilitating a secure
+#policy.
+#
+#high-protected-path specifies a path that should be hidden from
+#all processes but those that access it directly. It is recommended
+#to use highly sensitive files for this command.
+#
+#regular expressions are not supported for pathnames in this config file
+#
+#
+# uncomment this next line if you don't wish to generate a policy that
+# restricts roles to specific IP ranges:
+# dont-learn-allowed-ips
+#
+# to write out your generated policy such that roles are split into separate
+# files by the name of the role (within user/group directories), uncomment
+# the next line:
+# split-roles
+
+always-reduce-path /dev/pts
+always-reduce-path /var/spool/qmailscan/tmp
+always-reduce-path /var/spool/exim4
+always-reduce-path /run/screen
+always-reduce-path /usr/share/locale
+always-reduce-path /usr/share/zoneinfo
+always-reduce-path /usr/share/terminfo
+always-reduce-path /var/abs
+always-reduce-path /tmp
+always-reduce-path /var/tmp
+
+high-reduce-path /run/udev
+high-reduce-path /dev/mapper
+high-reduce-path /dev/snd
+high-reduce-path /proc
+high-reduce-path /usr/lib/security
+high-reduce-path /usr/lib/modules
+high-reduce-path /usr/lib
+high-reduce-path /usr/lib32
+high-reduce-path /usr/libx32
+high-reduce-path /usr/lib/tls
+high-reduce-path /usr/lib32/tls
+high-reduce-path /usr/libx32/tls
+high-reduce-path /usr/lib/libreoffice
+high-reduce-path /var/lib
+high-reduce-path /usr/bin
+high-reduce-path /usr/sbin
+high-reduce-path /usr/local/share
+high-reduce-path /usr/local/bin
+high-reduce-path /usr/local/sbin
+high-reduce-path /usr/local/etc
+high-reduce-path /usr/local/lib
+high-reduce-path /usr/share
+high-reduce-path /usr/X11R6/lib
+high-reduce-path /var/lib/openldap-data
+high-reduce-path /var/lib/krb5kdc
+
+dont-reduce-path /
+dont-reduce-path /home
+dont-reduce-path /dev
+dont-reduce-path /usr
+dont-reduce-path /var
+dont-reduce-path /opt
+
+protected-path /etc
+protected-path /boot
+protected-path /run
+protected-path /usr
+protected-path /opt
+protected-path /var
+protected-path /dev/log
+protected-path /root
+protected-path /sys
+
+read-protected-path /etc/ssh
+read-protected-path /proc/kallsyms
+read-protected-path /proc/kcore
+read-protected-path /proc/slabinfo
+read-protected-path /proc/modules
+read-protected-path /usr/lib/modules
+read-protected-path /boot
+read-protected-path /etc/shadow
+read-protected-path /etc/shadow-
+read-protected-path /etc/gshadow
+read-protected-path /etc/gshadow-
+read-protected-path /sys
+
+high-protected-path /etc/ssh
+high-protected-path /proc/kcore
+high-protected-path /proc/sys
+high-protected-path /proc/bus
+high-protected-path /proc/slabinfo
+high-protected-path /proc/modules
+high-protected-path /proc/kallsyms
+high-protected-path /etc/passwd
+high-protected-path /etc/shadow
+high-protected-path /var/backups
+high-protected-path /etc/shadow-
+high-protected-path /etc/gshadow
+high-protected-path /etc/gshadow-
+high-protected-path /var/log
+high-protected-path /dev/mem
+high-protected-path /dev/kmem
+high-protected-path /dev/port
+high-protected-path /dev/log
+high-protected-path /sys
+high-protected-path /etc/ppp
+high-protected-path /etc/samba/smbpasswd
+#to protect kernel images
+high-protected-path /boot
+high-protected-path /usr/lib/modules
+high-protected-path /usr/src
+
+inherit-learn /etc/cron.d
+inherit-learn /etc/cron.hourly
+inherit-learn /etc/cron.daily
+inherit-learn /etc/cron.weekly
+inherit-learn /etc/cron.monthly
Deleted: community-x86_64/policy
===================================================================
--- community-x86_64/policy 2016-09-23 14:09:52 UTC (rev 190210)
+++ community-x86_64/policy 2016-09-23 14:10:27 UTC (rev 190211)
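Review bot: The header comment of learn_config carries a doubled word in the sentence describing which commands apply to both learning modes: `#and high-protected-path operate on both full and and regular learning` should read `#and high-protected-path operate on both full and regular learning`. The same typo is present in the deleted copy of the file, so it was carried over unchanged by this sync; worth fixing in trunk so the next copy picks it up.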
@@ -1,491 +0,0 @@ -#sample default policy for grsecurity -# -# Role flags: -# A -> This role is an administrative role, thus it has special privilege normal -# roles do not have. In particular, this role bypasses the -# additional ptrace restrictions -# N -> Don't require authentication for this role. To access -# the role, use gradm -n <rolename> -# s -> This role is a special role, meaning it does not belong to a -# user or group, and does not require an enforced secure policy -# base to be included in the ruleset -# u -> This role is a user role -# g -> This role is a group role -# G -> This role can use gradm to authenticate to the kernel -# A policy for gradm will automatically be added to the role -# T -> Enable TPE for this role -# l -> Enable learning for this role -# P -> Use PAM authentication for this role. -# R -> Enable persistence of special role. Normal special roles will -# be removed upon exit of the process that entered the role, or -# upon unauth (this is what changes the apache process' role back -# to its normal role after being restarted from the admin role, for -# instance). Role persistence allows a special role to be used for -# system shutdown, as the point at which the admin's shell/SSH -# session is terminated won't cause the rest of the shutdown -# sequence to execute with reduced privilege. Do *NOT* use this -# flag with any role that does anything but shut the system down. -# This role will also be transferred to the init process upon -# writing to /dev/initctl. This allows init to execute the rc -# scripts for shutdown with the necessary privilege. -# For usability reasons, we allow the removal of persistence through -# the normal unauth process (so persistence only survives exit). -# -# a role can only be one of user, group, or special -# -# role_allow_ip IP/optional netmask -# eg: role_allow_ip 192.168.1.0/24 -# You can have as many of these per role as you want -# They restrict the use of a role to a list of IPs. 
If a user -# is on the system that would normally get the role does not -# belong to those lists of IPs, the system falls back through -# its method of determining a role for the user -# -# Role hierarchy -# user -> group -> default -# First a user role attempts to match, if one is not found, -# a group role attempts to match, if one is not found, -# the default role is used. -# -# role_transitions <special role 1> <special role 2> ... <special role n> -# eg: role_transitions www_admin dns_admin -# -# role transitions specify which special roles a given role is allowed -# to authenticate to. This applies to special roles that do not -# require password authentication as well. If a user tries to -# authenticate to a role that is not within his transition table, he -# will receive a permission denied error -# -# Nested subjects -# subject /usr/bin/su:/usr/bin/bash:/usr/bin/cat -# / rwx -# +CAP_ALL -# grant privilege to specific processes if they are executed -# within a trusted path. In this case, privilege is -# granted if /usr/bin/cat is executed from /usr/bin/bash, which is -# executed from /usr/bin/su. -# -# Configuration inheritance on nested subjects -# nested subjects inherit rules from their parents. 
In the -# example above, the nested subject would inherit rules -# from the nested subject for /usr/bin/su:/usr/bin/bash, -# and the subject /usr/bin/su -# View the 1.9.x documentation for more information on -# configuration inheritance -# -# new object modes: -# m -> allow creation of setuid/setgid files/directories -# and modification of files/directories to be setuid/setgid -# M -> audit the setuid/setgid creation/modification -# c -> allow creation of the file/directory -# C -> audit the creation -# d -> allow deletion of the file/directory -# D -> audit the deletion -# p -> reject all ptraces to this object -# l -> allow a hardlink at this path -# (hardlinking requires at a minimum c and l modes, and the target -# link cannot have any greater permission than the source file) -# L -> audit link creation -# f -> needed to mark the pipe used for communication with init -# to transfer the privilege of the persistent role; only valid -# within a persistent role. Transfer only occurs when the file is -# opened for writing -# Z -> tells gradm to ignore earlier object of the same name and use this -# one instead -# -# new subject modes: -# O -> disable "writable library" restrictions for this task -# t -> allow this process to ptrace any process (use with caution) -# r -> relax ptrace restrictions (allows process to ptrace processes -# other than its own descendants) -# i -> enable inheritance-based learning for this subject, causing -# all accesses of this subject and anything it executes to be placed -# in this subject, and inheritance flags added to executable objects -# in this subject -# a -> allow this process to talk to the /dev/grsec device -# s -> enable AT_SECURE when entering this subject -# (enables the same environment sanitization that occurs in glibc -# upon execution of a suid binary) -# x -> allows executable anonymous shared memory for this subject -# Z -> tells gradm to ignore earlier subject of the same path and use this -# one instead - -# 
user/group transitions: -# You may now specify what users and groups a given subject can -# transition to. This can be done on an inclusive or exclusive basis. -# Omitting these rules allows a process with proper privilege granted by -# capabilities to transition to any user/group. -# -# Examples: -# subject /usr/bin/su -# user_transition_allow root spender -# group_transition_allow root spender -# subject /usr/bin/su -# user_transition_deny evilhacker -# subject /usr/bin/su -# group_transition_deny evilhacker1 evilhacker2 -# -# Domains: -# With domains you can combine users that don't share a common -# GID as well as groups so that they share a single policy -# Domains work just like roles, with the only exception being that -# the line starting with "role" is replaced with one of the following: -# domain somedomainname u user1 user2 user3 user4 ... usern -# domain somedomainname g group1 group2 group3 group4 ... groupn -# -# Inverted socket policies: -# Rules such as -# connect ! www.google.com:80 stream tcp -# are now allowed, which allows you to specify that a process can connect to anything -# except to port 80 of www.google.com with a stream tcp socket -# the inverted socket matching also works on bind rules -# -# INADDR_ANY overriding -# You can now force a given subject to bind to a particular IP address on the machine -# This is useful for some chrooted environments, to ensure that the source IP they -# use is one of your choosing -# to use, add a line like: -# ip_override 192.168.0.1 -# -# Per-interface socket policies: -# Rules such as -# bind eth1:80 stream tcp -# bind eth0#1:22 stream tcp -# are now allowed, giving you the ability to tie specific socket rules -# to a single interface (or by using the inverted rules, all but one -# interface). Virtual interfaces are specified by the <ifname>#<vindex> -# syntax. If an interface is specified, no IP/netmask or host may be -# specified for the rule. 
-# -# Allowing additional socket families: -# Before v2.2.1 of the RBAC system, a subject that specified -# connect/bind rules limited only the socket usage of IPv4, allowing -# any other socket families to be used. Starting with v2.2.1 of the -# RBAC system, when connect/bind rules are used, additional rules -# will be required to unlock the use of additional socket families -# (outside of the common unix family). Multiple families can be -# specified per line. -# To enable use of IPv6, add the line: -# sock_allow_family ipv6 -# To enable use of netlink, add the line: -# sock_allow_family netlink -# To enable all other families, add the line: -# sock_allow_family all -# -# New learning system: -# To learn on a given subject: add l (the letter l, not the number 1) -# to the subject mode -# If you want to learn with the most restrictive policy, use the -# following: -# subject /path/to/bin lo -# / h -# -CAP_ALL -# connect disabled -# bind disabled -# Resource learning is also supported, so lines like -# RES_AS 0 0 -# can be used to learn a particular resource -# -# To learn on a given role, add l to the role mode -# For both of these, to enable learning, enable the system like: -# gradm -L /etc/grsec/learning.logs -E -# and then generate the rules after disabling the system after the -# learning phase with: -# gradm -L /etc/grsec/learning.logs -O /etc/grsec/policy -# To use full system learning, enable the system like: -# gradm -F -L /etc/grsec/learning.logs -# and then generate the rules after disabling the system after the -# learning phase with: -# gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/policy -# -# New PaX flag format (replaces PaX subject flags): -# PaX flags can be forced on or off, regardless of the flags on the -# binary, by using + or - before the following PaX flag names: -# PAX_SEGMEXEC -# PAX_PAGEEXEC -# PAX_MPROTECT -# PAX_RANDMMAP -# PAX_EMUTRAMP -# -# New feature for easier policy maintenance: -# replace <variable name> <replace string> -# 
e.g.: -# replace CVSROOT /home/cvs -# now $(CVSROOT) can be used in any subject or object pathname, like: -# $(CVSROOT)/grsecurity r -# This will translate to /home/cvs/grsecurity r -# This feature makes it easier to update policies by naming specific -# paths by their function, then only having to update those paths once -# to have it affect a large number of subjects/objects. -# -# capability auditing / log suppression -# use of a capability can be audited by adding "audit" to the line, eg: -# +CAP_SYS_RAWIO audit -# log suppression for denial of a capbility can be done by adding "suppress": -# -CAP_SYS_RAWIO suppress -# -# Per-role umask enforcement: -# If you have a user that you want to be assured cannot accidentally -# create a file that others can read (a confidentiality issue) -# add the following under the role declaration: -# role_umask 077 -# any normal octal umask may be specified -# Note that unlike the normal umask, this umask will also apply -# to the permissions one can chmod/fchmod a file to -# -# Note that the omission of any feature of a role or subject -# results in a default-allow -# For instance, if no capability rules are added in a subject without -# policy inheritance ("o" in subject mode), an implicit +CAP_ALL is used -# -# Also note that policy inheritance does not exist for network policies, only -# file objects and capabilities inherit policy -# -# Commonly-used objects can be defined and used in multiple subjects -# As an example, we'll create a variable out of a list of objects -# and their associated permissions that RBAC enforces -# files, connect/bind rules, and capabilities can currently be added to a define - -define grsec_denied { - /boot h - /dev/grsec h - /dev/kmem h - /dev/mem h - /dev/port h - /etc/grsec h - /proc/kcore h - /proc/slabinfo h - /proc/modules h - /proc/kallsyms h - # hide and suppress logs about accessing this path - /usr/lib/modules hs - /etc/ssh h -} -# usage: -# $grsec_denied - -role shutdown sARG -subject / 
rvka - / - /dev - /dev/urandom r - /dev/random r - /etc r - /usr rx - /proc r - $grsec_denied - -CAP_ALL - connect disabled - bind disabled - -subject /usr/lib/systemd/systemd rvkao - / rwcdmlxi -subject /usr/bin/systemctl rvkao - / rwcdmlxi - /dev/initctl rwf - /run/initctl rwf - -# Make sure to unauthenticate with gradm -u from -# the admin role after restarting a service -# The service started will run with admin -# privileges until you run gradm -u or your shell exits - -role admin sA -subject / rvka - / rwcdmlxi - -role default G -role_transitions admin shutdown -subject / - / r - /opt rx - /home rwxcd - /mnt rw - /dev - /dev/urandom r - /dev/random r - /dev/zero rw - /dev/input rw - /dev/psaux rw - /dev/null rw - /dev/tty? rw - /dev/console rw - /dev/tty rw - /dev/pts rw - /dev/ptmx rw - /dev/dsp rw - /dev/mixer rw - /dev/initctl rw - /dev/fd0 r - /dev/sr0 r - /usr rx -# compilation of kernel code should be done within the admin role - /usr/src h - /etc rx - /proc rwx - /proc/sys r - /sys h - /root r - /run r - /tmp rwcd - /var rwxcd - /var/tmp rwcd - /var/log r -# hide the kernel images and modules - $grsec_denied - -# if sshd needs to be restarted, it can be done through the admin role -# restarting sshd should be followed immediately by a gradm -u - /usr/bin/sshd - - -CAP_KILL - -CAP_SYS_TTY_CONFIG - -CAP_LINUX_IMMUTABLE - -CAP_NET_RAW - -CAP_MKNOD - -CAP_SYS_ADMIN - -CAP_SYS_RAWIO - -CAP_SYS_MODULE - -CAP_SYS_PTRACE - -CAP_NET_ADMIN - -CAP_NET_BIND_SERVICE - -CAP_NET_RAW - -CAP_SYS_CHROOT - -CAP_SYS_BOOT - -CAP_SETFCAP - -CAP_SYSLOG - -# RES_AS 100M 100M - -# connect 192.168.1.0/24:22 stream tcp -# bind 0.0.0.0 stream dgram tcp udp - -# the d flag protects /proc fd and mem entries for sshd -# all daemons should have 'p' in their subject mode to prevent -# an attacker from killing the service (and restarting it with trojaned -# config file or taking the port it reserved to run a trojaned service) - -subject /usr/bin/sshd dpo - / - /* h - /usr/bin/bash x - 
/dev h - /dev/random r - /dev/urandom r - /dev/null rw - /dev/ptmx rw - /dev/pts rw - /dev/tty rw - /dev/tty? rw - /etc r - /etc/grsec h - /home - /home/*/.ssh/authorized_keys r - /root - /proc r - /proc/*/oom_adj rw - /proc/*/oom_score_adj rw - /proc/kcore h - /proc/sys h - /proc/sys/kernel/ngroups_max r - /selinux r - /usr/lib rx - /usr/lib32 rx - /usr/libx32 rx - /usr/share/zoneinfo r - /var/log - /var/spool/mail - /var/log/lastlog rw - /var/log/wtmp w - /var/run - /run - /run/systemd/journal/dev-log rw - /var/run/sshd - /var/run/utmp rw - /var/run/utmpx rw - /var/run/.nscd_socket rw - - -CAP_ALL - +CAP_CHOWN - +CAP_SETGID - +CAP_SETUID - +CAP_SYS_CHROOT - +CAP_SYS_RESOURCE - +CAP_SYS_TTY_CONFIG - +CAP_AUDIT_WRITE - # to access user keys - +CAP_DAC_OVERRIDE - -subject /usr/bin/Xorg - /dev/mem rw - - +CAP_SYS_ADMIN - +CAP_SYS_TTY_CONFIG - +CAP_SYS_RAWIO - -subject /usr/bin/ssh - /etc/ssh/ssh_config r - -subject /usr/bin/postgres - /run/systemd/journal/dev-log rw - -subject /usr/bin/exim - /run/systemd/journal/dev-log rw - -subject /usr/bin/syslog-ng - +CAP_SYS_ADMIN - -subject /usr/bin/rsyslogd - +CAP_SYS_ADMIN - -subject /usr/bin/cron - /run/systemd/journal/dev-log rw - -subject /usr/bin/crond - /run/systemd/journal/dev-log rw - -subject /usr/bin/login - /run/systemd/journal/dev-log rw - /var/log/wtmp w - /var/log/faillog rwcd - -subject /usr/bin/su - /run/systemd/journal/dev-log rw - -subject /usr/bin/sudo - /run/systemd/journal/dev-log rw - -subject /usr/bin/agetty - /var/log/wtmp w - -subject /usr/bin/xauth - /home r - /home/*/.Xauthority-* rwcdl - -# prevent ld.so breakouts of subjects with /usr/lib rx - -# many distros clutter up /usr/lib with shell scripts -# that can be easily hijacked for malicious purposes -subject /usr/lib o - / h - -CAP_ALL - connect disabled - bind disabled - -subject /usr/lib32 o - / h - -CAP_ALL - connect disabled - bind disabled - -subject /usr/lib/ld-linux.so.2 o - / h - -CAP_ALL - connect disabled - bind disabled - -subject 
/usr/lib/ld-linux-x86-64.so.2 o - / h - -CAP_ALL - connect disabled - bind disabled Copied: gradm/repos/community-x86_64/policy (from rev 190210, gradm/trunk/policy) =================================================================== --- community-x86_64/policy (rev 0) +++ community-x86_64/policy 2016-09-23 14:10:27 UTC (rev 190211) 
@@ -0,0 +1,491 @@ +#sample default policy for grsecurity +# +# Role flags: +# A -> This role is an administrative role, thus it has special privilege normal +# roles do not have. In particular, this role bypasses the +# additional ptrace restrictions +# N -> Don't require authentication for this role. To access +# the role, use gradm -n <rolename> +# s -> This role is a special role, meaning it does not belong to a +# user or group, and does not require an enforced secure policy +# base to be included in the ruleset +# u -> This role is a user role +# g -> This role is a group role +# G -> This role can use gradm to authenticate to the kernel +# A policy for gradm will automatically be added to the role +# T -> Enable TPE for this role +# l -> Enable learning for this role +# P -> Use PAM authentication for this role. +# R -> Enable persistence of special role. Normal special roles will +# be removed upon exit of the process that entered the role, or +# upon unauth (this is what changes the apache process' role back +# to its normal role after being restarted from the admin role, for +# instance). Role persistence allows a special role to be used for +# system shutdown, as the point at which the admin's shell/SSH +# session is terminated won't cause the rest of the shutdown +# sequence to execute with reduced privilege. Do *NOT* use this +# flag with any role that does anything but shut the system down. +# This role will also be transferred to the init process upon +# writing to /dev/initctl. This allows init to execute the rc +# scripts for shutdown with the necessary privilege. +# For usability reasons, we allow the removal of persistence through +# the normal unauth process (so persistence only survives exit). +# +# a role can only be one of user, group, or special +# +# role_allow_ip IP/optional netmask +# eg: role_allow_ip 192.168.1.0/24 +# You can have as many of these per role as you want +# They restrict the use of a role to a list of IPs. 
If a user +# is on the system that would normally get the role does not +# belong to those lists of IPs, the system falls back through +# its method of determining a role for the user +# +# Role hierarchy +# user -> group -> default +# First a user role attempts to match, if one is not found, +# a group role attempts to match, if one is not found, +# the default role is used. +# +# role_transitions <special role 1> <special role 2> ... <special role n> +# eg: role_transitions www_admin dns_admin +# +# role transitions specify which special roles a given role is allowed +# to authenticate to. This applies to special roles that do not +# require password authentication as well. If a user tries to +# authenticate to a role that is not within his transition table, he +# will receive a permission denied error +# +# Nested subjects +# subject /usr/bin/su:/usr/bin/bash:/usr/bin/cat +# / rwx +# +CAP_ALL +# grant privilege to specific processes if they are executed +# within a trusted path. In this case, privilege is +# granted if /usr/bin/cat is executed from /usr/bin/bash, which is +# executed from /usr/bin/su. +# +# Configuration inheritance on nested subjects +# nested subjects inherit rules from their parents. 
In the +# example above, the nested subject would inherit rules +# from the nested subject for /usr/bin/su:/usr/bin/bash, +# and the subject /usr/bin/su +# View the 1.9.x documentation for more information on +# configuration inheritance +# +# new object modes: +# m -> allow creation of setuid/setgid files/directories +# and modification of files/directories to be setuid/setgid +# M -> audit the setuid/setgid creation/modification +# c -> allow creation of the file/directory +# C -> audit the creation +# d -> allow deletion of the file/directory +# D -> audit the deletion +# p -> reject all ptraces to this object +# l -> allow a hardlink at this path +# (hardlinking requires at a minimum c and l modes, and the target +# link cannot have any greater permission than the source file) +# L -> audit link creation +# f -> needed to mark the pipe used for communication with init +# to transfer the privilege of the persistent role; only valid +# within a persistent role. Transfer only occurs when the file is +# opened for writing +# Z -> tells gradm to ignore earlier object of the same name and use this +# one instead +# +# new subject modes: +# O -> disable "writable library" restrictions for this task +# t -> allow this process to ptrace any process (use with caution) +# r -> relax ptrace restrictions (allows process to ptrace processes +# other than its own descendants) +# i -> enable inheritance-based learning for this subject, causing +# all accesses of this subject and anything it executes to be placed +# in this subject, and inheritance flags added to executable objects +# in this subject +# a -> allow this process to talk to the /dev/grsec device +# s -> enable AT_SECURE when entering this subject +# (enables the same environment sanitization that occurs in glibc +# upon execution of a suid binary) +# x -> allows executable anonymous shared memory for this subject +# Z -> tells gradm to ignore earlier subject of the same path and use this +# one instead + +# 
user/group transitions: +# You may now specify what users and groups a given subject can +# transition to. This can be done on an inclusive or exclusive basis. +# Omitting these rules allows a process with proper privilege granted by +# capabilities to transition to any user/group. +# +# Examples: +# subject /usr/bin/su +# user_transition_allow root spender +# group_transition_allow root spender +# subject /usr/bin/su +# user_transition_deny evilhacker +# subject /usr/bin/su +# group_transition_deny evilhacker1 evilhacker2 +# +# Domains: +# With domains you can combine users that don't share a common +# GID as well as groups so that they share a single policy +# Domains work just like roles, with the only exception being that +# the line starting with "role" is replaced with one of the following: +# domain somedomainname u user1 user2 user3 user4 ... usern +# domain somedomainname g group1 group2 group3 group4 ... groupn +# +# Inverted socket policies: +# Rules such as +# connect ! www.google.com:80 stream tcp +# are now allowed, which allows you to specify that a process can connect to anything +# except to port 80 of www.google.com with a stream tcp socket +# the inverted socket matching also works on bind rules +# +# INADDR_ANY overriding +# You can now force a given subject to bind to a particular IP address on the machine +# This is useful for some chrooted environments, to ensure that the source IP they +# use is one of your choosing +# to use, add a line like: +# ip_override 192.168.0.1 +# +# Per-interface socket policies: +# Rules such as +# bind eth1:80 stream tcp +# bind eth0#1:22 stream tcp +# are now allowed, giving you the ability to tie specific socket rules +# to a single interface (or by using the inverted rules, all but one +# interface). Virtual interfaces are specified by the <ifname>#<vindex> +# syntax. If an interface is specified, no IP/netmask or host may be +# specified for the rule. 
+# +# Allowing additional socket families: +# Before v2.2.1 of the RBAC system, a subject that specified +# connect/bind rules limited only the socket usage of IPv4, allowing +# any other socket families to be used. Starting with v2.2.1 of the +# RBAC system, when connect/bind rules are used, additional rules +# will be required to unlock the use of additional socket families +# (outside of the common unix family). Multiple families can be +# specified per line. +# To enable use of IPv6, add the line: +# sock_allow_family ipv6 +# To enable use of netlink, add the line: +# sock_allow_family netlink +# To enable all other families, add the line: +# sock_allow_family all +# +# New learning system: +# To learn on a given subject: add l (the letter l, not the number 1) +# to the subject mode +# If you want to learn with the most restrictive policy, use the +# following: +# subject /path/to/bin lo +# / h +# -CAP_ALL +# connect disabled +# bind disabled +# Resource learning is also supported, so lines like +# RES_AS 0 0 +# can be used to learn a particular resource +# +# To learn on a given role, add l to the role mode +# For both of these, to enable learning, enable the system like: +# gradm -L /etc/grsec/learning.logs -E +# and then generate the rules after disabling the system after the +# learning phase with: +# gradm -L /etc/grsec/learning.logs -O /etc/grsec/policy +# To use full system learning, enable the system like: +# gradm -F -L /etc/grsec/learning.logs +# and then generate the rules after disabling the system after the +# learning phase with: +# gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/policy +# +# New PaX flag format (replaces PaX subject flags): +# PaX flags can be forced on or off, regardless of the flags on the +# binary, by using + or - before the following PaX flag names: +# PAX_SEGMEXEC +# PAX_PAGEEXEC +# PAX_MPROTECT +# PAX_RANDMMAP +# PAX_EMUTRAMP +# +# New feature for easier policy maintenance: +# replace <variable name> <replace string> +# 
e.g.: +# replace CVSROOT /home/cvs +# now $(CVSROOT) can be used in any subject or object pathname, like: +# $(CVSROOT)/grsecurity r +# This will translate to /home/cvs/grsecurity r +# This feature makes it easier to update policies by naming specific +# paths by their function, then only having to update those paths once +# to have it affect a large number of subjects/objects. +# +# capability auditing / log suppression +# use of a capability can be audited by adding "audit" to the line, eg: +# +CAP_SYS_RAWIO audit +# log suppression for denial of a capbility can be done by adding "suppress": +# -CAP_SYS_RAWIO suppress +# +# Per-role umask enforcement: +# If you have a user that you want to be assured cannot accidentally +# create a file that others can read (a confidentiality issue) +# add the following under the role declaration: +# role_umask 077 +# any normal octal umask may be specified +# Note that unlike the normal umask, this umask will also apply +# to the permissions one can chmod/fchmod a file to +# +# Note that the omission of any feature of a role or subject +# results in a default-allow +# For instance, if no capability rules are added in a subject without +# policy inheritance ("o" in subject mode), an implicit +CAP_ALL is used +# +# Also note that policy inheritance does not exist for network policies, only +# file objects and capabilities inherit policy +# +# Commonly-used objects can be defined and used in multiple subjects +# As an example, we'll create a variable out of a list of objects +# and their associated permissions that RBAC enforces +# files, connect/bind rules, and capabilities can currently be added to a define + +define grsec_denied { + /boot h + /dev/grsec h + /dev/kmem h + /dev/mem h + /dev/port h + /etc/grsec h + /proc/kcore h + /proc/slabinfo h + /proc/modules h + /proc/kallsyms h + # hide and suppress logs about accessing this path + /usr/lib/modules hs + /etc/ssh h +} +# usage: +# $grsec_denied + +role shutdown sARG +subject / 
rvka + / + /dev + /dev/urandom r + /dev/random r + /etc r + /usr rx + /proc r + $grsec_denied + -CAP_ALL + connect disabled + bind disabled + +subject /usr/lib/systemd/systemd rvkao + / rwcdmlxi +subject /usr/bin/systemctl rvkao + / rwcdmlxi + /dev/initctl rwf + /run/initctl rwf + +# Make sure to unauthenticate with gradm -u from +# the admin role after restarting a service +# The service started will run with admin +# privileges until you run gradm -u or your shell exits + +role admin sA +subject / rvka + / rwcdmlxi + +role default G +role_transitions admin shutdown +subject / + / r + /opt rx + /home rwxcd + /mnt rw + /dev + /dev/urandom r + /dev/random r + /dev/zero rw + /dev/input rw + /dev/psaux rw + /dev/null rw + /dev/tty? rw + /dev/console rw + /dev/tty rw + /dev/pts rw + /dev/ptmx rw + /dev/dsp rw + /dev/mixer rw + /dev/initctl rw + /dev/fd0 r + /dev/sr0 r + /usr rx +# compilation of kernel code should be done within the admin role + /usr/src h + /etc rx + /proc rwx + /proc/sys r + /sys h + /root r + /run r + /tmp rwcd + /var rwxcd + /var/tmp rwcd + /var/log r +# hide the kernel images and modules + $grsec_denied + +# if sshd needs to be restarted, it can be done through the admin role +# restarting sshd should be followed immediately by a gradm -u + /usr/bin/sshd + + -CAP_KILL + -CAP_SYS_TTY_CONFIG + -CAP_LINUX_IMMUTABLE + -CAP_NET_RAW + -CAP_MKNOD + -CAP_SYS_ADMIN + -CAP_SYS_RAWIO + -CAP_SYS_MODULE + -CAP_SYS_PTRACE + -CAP_NET_ADMIN + -CAP_NET_BIND_SERVICE + -CAP_NET_RAW + -CAP_SYS_CHROOT + -CAP_SYS_BOOT + -CAP_SETFCAP + -CAP_SYSLOG + +# RES_AS 100M 100M + +# connect 192.168.1.0/24:22 stream tcp +# bind 0.0.0.0 stream dgram tcp udp + +# the d flag protects /proc fd and mem entries for sshd +# all daemons should have 'p' in their subject mode to prevent +# an attacker from killing the service (and restarting it with trojaned +# config file or taking the port it reserved to run a trojaned service) + +subject /usr/bin/sshd dpo + / + /* h + /usr/bin/bash x + 
/dev h + /dev/random r + /dev/urandom r + /dev/null rw + /dev/ptmx rw + /dev/pts rw + /dev/tty rw + /dev/tty? rw + /etc r + /etc/grsec h + /home + /home/*/.ssh/authorized_keys r + /root + /proc r + /proc/*/oom_adj rw + /proc/*/oom_score_adj rw + /proc/kcore h + /proc/sys h + /proc/sys/kernel/ngroups_max r + /selinux r + /usr/lib rx + /usr/lib32 rx + /usr/libx32 rx + /usr/share/zoneinfo r + /var/log + /var/spool/mail + /var/log/lastlog rw + /var/log/wtmp w + /var/run + /run + /run/systemd/journal/dev-log rw + /var/run/sshd + /var/run/utmp rw + /var/run/utmpx rw + /var/run/.nscd_socket rw + + -CAP_ALL + +CAP_CHOWN + +CAP_SETGID + +CAP_SETUID + +CAP_SYS_CHROOT + +CAP_SYS_RESOURCE + +CAP_SYS_TTY_CONFIG + +CAP_AUDIT_WRITE + # to access user keys + +CAP_DAC_OVERRIDE + +subject /usr/bin/Xorg + /dev/mem rw + + +CAP_SYS_ADMIN + +CAP_SYS_TTY_CONFIG + +CAP_SYS_RAWIO + +subject /usr/bin/ssh + /etc/ssh/ssh_config r + +subject /usr/bin/postgres + /run/systemd/journal/dev-log rw + +subject /usr/bin/exim + /run/systemd/journal/dev-log rw + +subject /usr/bin/syslog-ng + +CAP_SYS_ADMIN + +subject /usr/bin/rsyslogd + +CAP_SYS_ADMIN + +subject /usr/bin/cron + /run/systemd/journal/dev-log rw + +subject /usr/bin/crond + /run/systemd/journal/dev-log rw + +subject /usr/bin/login + /run/systemd/journal/dev-log rw + /var/log/wtmp w + /var/log/faillog rwcd + +subject /usr/bin/su + /run/systemd/journal/dev-log rw + +subject /usr/bin/sudo + /run/systemd/journal/dev-log rw + +subject /usr/bin/agetty + /var/log/wtmp w + +subject /usr/bin/xauth + /home r + /home/*/.Xauthority-* rwcdl + +# prevent ld.so breakouts of subjects with /usr/lib rx + +# many distros clutter up /usr/lib with shell scripts +# that can be easily hijacked for malicious purposes +subject /usr/lib o + / h + -CAP_ALL + connect disabled + bind disabled + +subject /usr/lib32 o + / h + -CAP_ALL + connect disabled + bind disabled + +subject /usr/lib/ld-linux.so.2 o + / h + -CAP_ALL + connect disabled + bind disabled + +subject 
/usr/lib/ld-linux-x86-64.so.2 o + / h + -CAP_ALL + connect disabled + bind disabled
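Review bot: `-CAP_NET_RAW` appears twice in the capability list of the default role's `/` subject (once after `-CAP_LINUX_IMMUTABLE` and again after `-CAP_NET_BIND_SERVICE`); the second line is redundant and should be dropped so the denied set reads as intended. The sshd subject lists both `/var/run`, `/var/run/sshd`, `/var/run/utmp rw` and the `/run` forms of the same locations; on a system where /var/run is a symlink to /run the `/var/run` objects are presumably redundant, so it is worth confirming how gradm resolves them and keeping a single form. The `/usr/bin/Xorg` subject is the only place the policy re-exposes `/dev/mem rw` alongside `+CAP_SYS_RAWIO` even though the `grsec_denied` define hides `/dev/mem` everywhere else, so a one-line comment above that subject stating why this exception is needed would document the deliberate trade-off. The header comment's "capbility" is a typo for "capability".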