summaryrefslogtreecommitdiff
blob: ff7afebac8afea6a82230cad8e12a76e7232cb64 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
From: Anthony G. Basile <blueness@gentoo.org>
Updated patch for the new Kconfig system in grsec 2.9.1

---
From: Kerin Millar <kerframil@gmail.com>

grsecurity contains a number of options which allow certain protections
to be applied to or exempted from members of a given group. However, the
default GIDs specified in the upstream patch are entirely arbitrary and
there is no telling which (if any) groups the GIDs will correlate with
on an end-user's system. Because some users don't pay a great deal of
attention to the finer points of kernel configuration, it is probably
wise to specify some reasonable defaults so as to stop careless users
from shooting themselves in the foot.

diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
--- a/grsecurity/Kconfig	2012-10-13 09:51:35.000000000 -0400
+++ b/grsecurity/Kconfig	2012-10-13 09:52:32.000000000 -0400
@@ -680,7 +680,7 @@
 config GRKERNSEC_AUDIT_GID
 	int "GID for auditing"
 	depends on GRKERNSEC_AUDIT_GROUP
-	default 1007
+	default 100
 
 config GRKERNSEC_EXECLOG
 	bool "Exec logging"
@@ -911,7 +911,7 @@
 config GRKERNSEC_TPE_UNTRUSTED_GID
 	int "GID for TPE-untrusted users"
 	depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
-	default 1005
+	default 100
 	help
 	  Setting this GID determines what group TPE restrictions will be
 	  *enabled* for.  If the sysctl option is enabled, a sysctl option
@@ -920,7 +920,7 @@
 config GRKERNSEC_TPE_TRUSTED_GID
 	int "GID for TPE-trusted users"
 	depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
-	default 1005
+	default 10
 	help
 	  Setting this GID determines what group TPE restrictions will be
 	  *disabled* for.  If the sysctl option is enabled, a sysctl option
@@ -1005,7 +1005,7 @@
 config GRKERNSEC_SOCKET_ALL_GID
 	int "GID to deny all sockets for"
 	depends on GRKERNSEC_SOCKET_ALL
-	default 1004
+	default 65534
 	help
 	  Here you can choose the GID to disable socket access for. Remember to
 	  add the users you want socket access disabled for to the GID
@@ -1026,7 +1026,7 @@
 config GRKERNSEC_SOCKET_CLIENT_GID
 	int "GID to deny client sockets for"
 	depends on GRKERNSEC_SOCKET_CLIENT
-	default 1003
+	default 65534
 	help
 	  Here you can choose the GID to disable client socket access for.
 	  Remember to add the users you want client socket access disabled for to
@@ -1044,7 +1044,7 @@
 config GRKERNSEC_SOCKET_SERVER_GID
 	int "GID to deny server sockets for"
 	depends on GRKERNSEC_SOCKET_SERVER
-	default 1002
+	default 65534
 	help
 	  Here you can choose the GID to disable server socket access for.
 	  Remember to add the users you want server socket access disabled for to
diff -Nuar a/security/Kconfig b/security/Kconfig
--- a/security/Kconfig	2012-10-13 09:51:35.000000000 -0400
+++ b/security/Kconfig	2012-10-13 09:52:59.000000000 -0400
@@ -196,7 +196,7 @@
 
 config GRKERNSEC_PROC_GID
 	int "GID exempted from /proc restrictions"
-	default 1001
+	default 10
 	help
 	  Setting this GID determines which group will be exempted from
 	  grsecurity's /proc restrictions, allowing users of the specified
@@ -207,7 +207,7 @@
 config GRKERNSEC_TPE_UNTRUSTED_GID
         int "GID for TPE-untrusted users"
         depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
-        default 1005
+        default 100
         help
 	  Setting this GID determines which group untrusted users should
 	  be added to.  These users will be placed under grsecurity's Trusted Path
@@ -219,7 +219,7 @@
 config GRKERNSEC_TPE_TRUSTED_GID
         int "GID for TPE-trusted users"
         depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
-        default 1005
+        default 10
         help
           Setting this GID determines what group TPE restrictions will be
           *disabled* for.  If the sysctl option is enabled, a sysctl option
@@ -228,7 +228,7 @@
 config GRKERNSEC_SYMLINKOWN_GID
         int "GID for users with kernel-enforced SymlinksIfOwnerMatch"
         depends on GRKERNSEC_CONFIG_SERVER
-        default 1006
+        default 100
         help
           Setting this GID determines what group kernel-enforced
           SymlinksIfOwnerMatch will be enabled for.  If the sysctl option