author | Preston A. Elder <prez@gentoo.org> | 2002-05-01 17:39:37 +0000 |
---|---|---|
committer | Preston A. Elder <prez@gentoo.org> | 2002-05-01 17:39:37 +0000 |
commit | dd3e2934c335a04f2a0465be41801d3396602186 (patch) | |
tree | 9ffb63d4bcb6dc0a519e7ba4129f0760fcf39388 /sys-apps/gradm | |
parent | New ebuild. resolves #2302 (diff) | |
download | historical-dd3e2934c335a04f2a0465be41801d3396602186.tar.gz historical-dd3e2934c335a04f2a0465be41801d3396602186.tar.bz2 historical-dd3e2934c335a04f2a0465be41801d3396602186.zip |
Added gradm, and appropriate init scripts to handle grsecurity.
Diffstat (limited to 'sys-apps/gradm')
-rw-r--r-- | sys-apps/gradm/ChangeLog | 9 | ||||
-rw-r--r-- | sys-apps/gradm/files/digest-gradm-1.2.1 | 2 | ||||
-rw-r--r-- | sys-apps/gradm/files/grsecurity | 84 | ||||
-rw-r--r-- | sys-apps/gradm/files/grsecurity.rc | 77 | ||||
-rw-r--r-- | sys-apps/gradm/gradm-1.2.1.ebuild | 37 |
5 files changed, 209 insertions, 0 deletions
diff --git a/sys-apps/gradm/ChangeLog b/sys-apps/gradm/ChangeLog
new file mode 100644
index 000000000000..7dab3d08c6de
--- /dev/null
+++ b/sys-apps/gradm/ChangeLog
@@ -0,0 +1,9 @@
+# ChangeLog for media-gfx/scrot
+# Copyright 2002 Gentoo Technologies, Inc.; Distributed under the GPL
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/gradm/ChangeLog,v 1.1 2002/05/01 17:39:37 prez Exp $
+
+*gradm-1.2.1 (1 May 2002)
+
+ 1 May 2002; Preston A. Elder <prez@gentoo.org> ChangeLog :
+
+ Initial ebuild... Enjoy..
diff --git a/sys-apps/gradm/files/digest-gradm-1.2.1 b/sys-apps/gradm/files/digest-gradm-1.2.1
new file mode 100644
index 000000000000..708b71ab7204
--- /dev/null
+++ b/sys-apps/gradm/files/digest-gradm-1.2.1
@@ -0,0 +1,2 @@
+MD5 c01a10eecf430eb4a58180900b37903a gradm-1.2.1.tar.gz 41602
+MD5 618ddb3d563f4e3cbfb13c9c770dd99c chpax.c 4776
diff --git a/sys-apps/gradm/files/grsecurity b/sys-apps/gradm/files/grsecurity
new file mode 100644
index 000000000000..59e746042c6e
--- /dev/null
+++ b/sys-apps/gradm/files/grsecurity
@@ -0,0 +1,84 @@
+# GR Security toggles.
+#
+
+# Files that we should remove PAGE_EXEC enforcement from
+PAGE_EXEC_EXEMPT="/usr/X11R6/bin/XFree86"
+
+# Files we should turn off trampoline emmulation for
+TRAMPOLINE_EXEMPT=""
+
+# Files we should not restrict mprotect on
+MPROTECT_EXEMPT=""
+
+# Files we should not randomize mmap for
+MMAP_EXEMPT=""
+
+# Kernel options are:
+#
+# allow_ptrace_group
+# alt_ipc_perms
+# altered_pings
+# audit_chdir
+# audit_group
+# audit_ipc
+# audit_mount
+# audit_ptrace
+# chroot_caps
+# chroot_deny_chdir
+# chroot_deny_chmod
+# chroot_deny_chroot
+# chroot_deny_mknod
+# chroot_deny_mount
+# chroot_deny_ptrace
+# chroot_execlog
+# chroot_restrict_nice
+# chroot_restrict_sigs
+# coredump
+# deny_phys_root
+# deny_serial_root
+# deny_pseudo_root
+# dmesg
+# exec_logging
+# execve_limiting
+# fifo_restrictions
+# fork_bomb_prot
+# forkfail_logging
+# linking_restrictions
+# rand_ip_ids
+# rand_pids
+# rand_rpc
+# rand_tcp_src_ports
+# rand_ttl
+# restrict_ptrace
+# secure_fds
+# secure_kbmap
+# signal_logging
+# socket_all
+# socket_client
+# socket_server
+# suid_logging
+# suid_root_logging
+# timechange_logging
+# tpe
+# tpe_glibc
+# tpe_restrict_all
+ENABLED=""
+
+# Set when allow_ptrace_group is enabled
+ptrace_gid=10
+
+# Set when tpe is enabled
+tpe_gid=1005
+
+# Set when fork_bomb_prot is enabled
+fork_bomb_gid=1006
+fork_bomb_sec=40
+fork_bomb_max=20
+
+# Set when one of socket_* is enabled
+socket_all_gid=1004
+socket_cilent_gid=1003
+socket_server_gid=1002
+
+# Lock the above settings on boot
+LOCK=0
diff --git a/sys-apps/gradm/files/grsecurity.rc b/sys-apps/gradm/files/grsecurity.rc
new file mode 100644
index 000000000000..25a93545382c
--- /dev/null
+++ b/sys-apps/gradm/files/grsecurity.rc
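Review bot: `socket_cilent_gid=1003` in `files/grsecurity` is misspelled, while the init script reads `${socket_client_gid}`. With `socket_client` listed in `ENABLED`, the script therefore writes an empty value to `${PROCDIR}/socket_client_gid`, and the restriction presumably stays on whatever gid the kernel defaults to rather than 1003. The line should read `socket_client_gid=1003`. A one-line comment above `ENABLED=""` such as `# Space-separated list of the options above to switch on at boot` would also document the format that the script's `for x in ${ENABLED}` loop expects.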
@@ -0,0 +1,77 @@
+#!/sbin/runscript
+# Copyright 1999-2002 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License, v2 or later
+# /space/gentoo/cvsroot/gentoo-x86/sys-libs/gpm/files/gpm.rc6,v 1.7 2002/01/20 10:00:55 azarah Exp
+
+#NB: Config is in /etc/conf.d/gpm
+
+PROCDIR=/proc/sys/kernel/grsecurity
+
+depend() {
+ need bootmisc localmount
+}
+
+checkconfig() {
+ if [ ! -d ${PROCDIR} ] ; then
+ eerror "You must have GR security turned on in your kernel."
+ return 1
+ fi
+}
+
+start() {
+ checkconfig || return 1
+
+ ebegin "Starting grsecurity"
+
+ for x in ${ENABLED} ; do
+ if [ -f ${PROCDIR}/${x} ]; then
+ echo 1 >${PROCDIR}/${x}
+ fi
+ case "${x}" in
+ allow_ptrace_group)
+ echo ${ptrace_gid} >${PROCDIR}/ptrace_gid
+ ;;
+ fork_bomb_prot)
+ echo ${fork_bomb_gid} >${PROCDIR}/fork_bomb_gid
+ echo ${fork_bomb_sec} >${PROCDIR}/fork_bomb_sec
+ echo ${fork_bomb_max} >${PROCDIR}/fork_bomb_max
+ ;;
+ socket_all)
+ echo ${socket_all_gid} >${PROCDIR}/socket_all_gid
+ ;;
+ socket_client)
+ echo ${socket_client_gid} >${PROCDIR}/socket_client_gid
+ ;;
+ socket_server)
+ echo ${socket_server_gid} >${PROCDIR}/socket_server_gid
+ ;;
+ esac
+ done
+
+ for x in ${PAGE_EXEC_EXEMPT} ; do
+ /sbin/chpax -p ${x}
+ done
+
+ for x in ${TRAMPOLINE_EXEMPT} ; do
+ /sbin/chpax -e ${x}
+ done
+
+ for x in ${MPROTECT_EXEMPT} ; do
+ /sbin/chpax -m ${x}
+ done
+
+ for x in ${MMAP_EXEMPT} ; do
+ /sbin/chpax -r ${x}
+ done
+
+ if [ -d ${PROCDIR}/grsec_lock ] ; then
+ echo ${LOCK} >${PROCDIR}/grsec_lock
+ fi
+
+ eend ${?}
+}
+
+#stop() {
+# ebegin "Stopping grsecurity"
+# eend ${?}
+#}
diff --git a/sys-apps/gradm/gradm-1.2.1.ebuild b/sys-apps/gradm/gradm-1.2.1.ebuild
new file mode 100644
index 000000000000..c93931224262
--- /dev/null
+++ b/sys-apps/gradm/gradm-1.2.1.ebuild
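Review bot: The lock step at the end of `start()` in `files/grsecurity.rc` tests `[ -d ${PROCDIR}/grsec_lock ]`, but the entries under `${PROCDIR}` are sysctl files (the enable loop above checks them with `-f`), so this test should never succeed and `LOCK=1` in the config would silently leave the settings writable after boot. It should read `if [ -f ${PROCDIR}/grsec_lock ] ; then`. The `case` also has no `tpe)` arm, so `tpe_gid` from the config is never written to the kernel. Each feature is switched on with `echo 1` before its gid or limit values are set; writing the parameters first would avoid a window where the feature runs with kernel defaults. Finally, `eend ${?}` only reflects the last command, so a failed write earlier in `start()` is reported as success.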
@@ -0,0 +1,37 @@
+# Copyright 1999-2001 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License, v2 or later
+# Author Preston A. Elder <prez@goth.net>
+
+DESCRIPTION="Administratinve interface to grsecurity"
+SRC_URI="http://www.grsecurity.net/gradm-1.2.1.tar.gz
+ http://pageexec.virtualave.net/chpax.c"
+HOMEPAGE="http://www.grsecurity.net"
+#DEPEND=""
+
+src_unpack() {
+ unpack ${P}.tar.gz
+ cd ${S}
+ cp ${DISTDIR}/chpax.c .
+}
+
+src_compile() {
+ ./configure || die
+ emake || die
+ emake chpax || die
+}
+
+src_install() {
+ dodir /sbin /etc/grsec /etc/init.d /etc/conf.d /usr/share/man/man8
+
+ cp gradm ${D}/sbin
+ gzip -9 gradm.8
+ cp gradm.8.gz ${D}/usr/share/man/man8
+ cp chpax ${D}/sbin
+ chmod 0700 ${D}/sbin/*
+ cp ${FILESDIR}/grsecurity.rc ${D}/etc/init.d/grsecurity
+ chmod 755 ${D}/etc/init.d/*
+ cp ${FILESDIR}/grsecurity ${D}/etc/conf.d/grsecurity
+ chmod 644 ${D}/etc/conf.d/*
+
+ dodoc ChangeLog* INSTALL COPYING
+}
|
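Review bot: `SRC_URI` in `gradm-1.2.1.ebuild` fetches `chpax.c` as a bare, unversioned file over plain HTTP from a third-party host, so the MD5 entry in `digest-gradm-1.2.1` is the only thing tying the installed `/sbin/chpax` to the source that was reviewed. If upstream edits the file in place the fetch fails, and the easy response of regenerating the digest would accept the new content unreviewed. Mirroring a versioned copy would be the sturdier fix; at minimum I would add above `SRC_URI` the comment `# chpax.c is unversioned upstream; re-review the source before regenerating its digest`. Separately, the `cp` calls in `src_install` have no `|| die`, so a failed copy still yields a successful merge without the binary, e.g. `cp chpax ${D}/sbin || die`.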