[arch-commits] Commit in (9 files)

Daniel Micay thestinger at archlinux.org
Mon Aug 4 21:40:54 UTC 2014


    Date: Monday, August 4, 2014 @ 23:40:54
  Author: thestinger
Revision: 116869

move linux-grsec config / groups to grsec-common

Added:
  grsec-common/
  grsec-common/repos/
  grsec-common/trunk/
  grsec-common/trunk/05-grsecurity.conf
  grsec-common/trunk/PKGBUILD
  grsec-common/trunk/grsec-common.install
Modified:
  linux-grsec/trunk/PKGBUILD	(contents, properties)
  linux-grsec/trunk/linux-grsec.install
Deleted:
  linux-grsec/trunk/sysctl.conf

-----------------------------------------+
 grsec-common/trunk/05-grsecurity.conf   |  130 +++++++++++++++++++++++++++++
 grsec-common/trunk/PKGBUILD             |   17 +++
 grsec-common/trunk/grsec-common.install |   19 ++++
 linux-grsec/trunk/PKGBUILD              |   14 +--
 linux-grsec/trunk/linux-grsec.install   |   45 ----------
 linux-grsec/trunk/sysctl.conf           |  131 ------------------------------
 6 files changed, 171 insertions(+), 185 deletions(-)

Added: grsec-common/trunk/05-grsecurity.conf
===================================================================
--- grsec-common/trunk/05-grsecurity.conf	                        (rev 0)
+++ grsec-common/trunk/05-grsecurity.conf	2014-08-04 21:40:54 UTC (rev 116869)
@@ -0,0 +1,130 @@
+# All features in the kernel.grsecurity namespace are disabled by default.
+
+#
+# Disable PaX enforcement by default.
+#
+# The `paxd` package sets softmode back to 0 in a configuration file loaded
+# after this one. It automatically handles setting exceptions from the PaX
+# exploit mitigations after Pacman operations. Altering the setting manually
+# rather than using `paxd` is not recommended.
+#
+
+kernel.pax.softmode = 1
+
+#
+# Memory protections
+#
+
+#kernel.grsecurity.disable_priv_io = 1
+kernel.grsecurity.deter_bruteforce = 1
+
+#
+# Race free SymLinksIfOwnerMatch for web servers
+#
+# symlinkown_gid: http group
+#
+
+kernel.grsecurity.enforce_symlinksifowner = 1
+kernel.grsecurity.symlinkown_gid = 33
+
+#
+# FIFO restrictions
+#
+# Prevent writing to a FIFO in a world-writable sticky directory (e.g. /tmp),
+# unless the owner of the FIFO is the same owner of the directory it's held in.
+#
+
+kernel.grsecurity.fifo_restrictions = 1
+
+#
+# Deny any further rw mounts
+#
+
+#kernel.grsecurity.romount_protect = 1
+
+#
+# chroot restrictions (the commented options will break containers)
+#
+
+#kernel.grsecurity.chroot_caps = 1
+#kernel.grsecurity.chroot_deny_chmod = 1
+#kernel.grsecurity.chroot_deny_chroot = 1
+kernel.grsecurity.chroot_deny_fchdir = 1
+#kernel.grsecurity.chroot_deny_mknod = 1
+#kernel.grsecurity.chroot_deny_mount = 1
+#kernel.grsecurity.chroot_deny_pivot = 1
+kernel.grsecurity.chroot_deny_shmat = 1
+kernel.grsecurity.chroot_deny_sysctl = 1
+kernel.grsecurity.chroot_deny_unix = 1
+kernel.grsecurity.chroot_enforce_chdir = 1
+kernel.grsecurity.chroot_findtask = 1
+#kernel.grsecurity.chroot_restrict_nice = 1
+
+#
+# Kernel auditing
+#
+# audit_group: Restrict exec/chdir logging to a group.
+# audit_gid: audit group
+#
+
+#kernel.grsecurity.audit_group = 1
+kernel.grsecurity.audit_gid = 201
+#kernel.grsecurity.exec_logging = 1
+#kernel.grsecurity.resource_logging = 1
+#kernel.grsecurity.chroot_execlog = 1
+#kernel.grsecurity.audit_ptrace = 1
+#kernel.grsecurity.audit_chdir = 1
+#kernel.grsecurity.audit_mount = 1
+#kernel.grsecurity.signal_logging = 1
+#kernel.grsecurity.forkfail_logging = 1
+#kernel.grsecurity.timechange_logging = 1
+kernel.grsecurity.rwxmap_logging = 1
+
+#
+# Executable protections
+#
+
+kernel.grsecurity.harden_ptrace = 1
+kernel.grsecurity.ptrace_readexec = 1
+kernel.grsecurity.consistent_setxid = 1
+kernel.grsecurity.harden_ipc = 1
+
+#
+# Trusted Path Execution
+#
+# tpe_gid: tpe group
+#
+
+#kernel.grsecurity.tpe = 1
+kernel.grsecurity.tpe_gid = 200
+#kernel.grsecurity.tpe_invert = 1
+#kernel.grsecurity.tpe_restrict_all = 1
+
+#
+# Network protections
+#
+# socket_all_gid:    socket-deny-all group
+# socket_client_gid: socket-deny-client group
+# socket_server_gid: socket-deny-server group
+#
+
+#kernel.grsecurity.ip_blackhole = 1
+kernel.grsecurity.lastack_retries = 4
+kernel.grsecurity.socket_all = 1
+kernel.grsecurity.socket_all_gid = 202
+kernel.grsecurity.socket_client = 1
+kernel.grsecurity.socket_client_gid = 203
+kernel.grsecurity.socket_server = 1
+kernel.grsecurity.socket_server_gid = 204
+
+#
+# Prevent any new USB devices from being recognized by the OS.
+#
+
+#kernel.grsecurity.deny_new_usb = 1
+
+#
+# Restrict grsec sysctl changes after this was set
+#
+
+#kernel.grsecurity.grsec_lock = 1
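Review bot: The group ids this file hard-codes (tpe_gid 200, audit_gid 201, socket_*_gid 202–204) are not documented as being tied to the groups grsec-common.install creates, yet the socket_* denials and TPE apply to whichever users happen to hold those gids; a renumbered or pre-existing group silently shifts who is restricted. Add a comment near the top such as `# The *_gid values below must match the groups created by grsec-common.install (tpe=200, audit=201, socket-deny-*=202-204).` The grsec_lock entry also deserves a caveat, since the file header says paxd loads a later sysctl file to clear softmode and the lock is described as restricting further grsec sysctl changes: `# Do not enable grsec_lock here: files loaded after this one (e.g. paxd's) may then be rejected until reboot.` The exact scope of the lock should be confirmed against the kernel before wording it more strongly.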

Added: grsec-common/trunk/PKGBUILD
===================================================================
--- grsec-common/trunk/PKGBUILD	                        (rev 0)
+++ grsec-common/trunk/PKGBUILD	2014-08-04 21:40:54 UTC (rev 116869)
@@ -0,0 +1,17 @@
+# $Id$
+# Maintainer: Daniel Micay <danielmicay at gmail.com>
+pkgname=grsec-common
+pkgver=1
+pkgrel=1
+pkgdesc='Base package for grsecurity kernels'
+arch=(any)
+url='https://archlinux.org/'
+license=('GPL2')
+install=$pkgname.install
+source=(05-grsecurity.conf)
+sha1sums=('dc6b38e1c89376b81246588956e3b93f59620822')
+backup=(etc/sysctl.d/05-grsecurity.conf)
+
+package() {
+  install -Dm600 05-grsecurity.conf "$pkgdir/etc/sysctl.d/05-grsecurity.conf"
+}
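Review bot: The checksum array uses sha1sums while the linux-grsec PKGBUILD in this same commit uses sha256sums for its sources; for a file that sets kernel security policy, the stronger digest and consistency with the sibling package are worth having. Change the line to `sha256sums=('<sha256 of 05-grsecurity.conf>')` and regenerate the value with updpkgsums. The 0600 mode in package() is appropriate for a root-only sysctl file, but a one-line comment stating why it is not world-readable would spare the next maintainer from "fixing" it to 644.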


Property changes on: grsec-common/trunk/PKGBUILD
___________________________________________________________________
Added: svn:keywords
## -0,0 +1 ##
+Id
\ No newline at end of property
Added: grsec-common/trunk/grsec-common.install
===================================================================
--- grsec-common/trunk/grsec-common.install	                        (rev 0)
+++ grsec-common/trunk/grsec-common.install	2014-08-04 21:40:54 UTC (rev 116869)
@@ -0,0 +1,19 @@
+post_install() {
+  getent group tpe >/dev/null || groupadd -g 200 tpe
+  getent group audit >/dev/null || groupadd -g 201 audit
+  getent group socket-deny-all >/dev/null || groupadd -g 202 socket-deny-all
+  getent group socket-deny-client >/dev/null || groupadd -g 203 socket-deny-client
+  getent group socket-deny-server >/dev/null || groupadd -g 204 socket-deny-server
+}
+
+post_upgrade() {
+  post_install
+}
+
+post_remove() {
+  for group in tpe audit socket-deny-server socket-deny-client socket-deny-all; do
+    if getent group $group >/dev/null; then
+      groupdel $group
+    fi
+  done
+}
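Review bot: post_install only creates a group when the name is missing, so a pre-existing group with a different gid (or the older `tpe-trusted` name) leaves the `*_gid` values in 05-grsecurity.conf pointing at the wrong users, and the `-r` system-group flag is dropped; the `_add_groups` helper deleted from linux-grsec.install in this same commit handled both with groupmod and `-r`. Because the socket-deny-* and tpe restrictions key on the numeric gid, this is a policy-bypass or mis-restriction risk on upgrades rather than a cosmetic difference. A table-driven loop that realigns the gid when it differs keeps the group database and the sysctl file consistent and makes the pairing explicit; post_upgrade and post_remove can stay as they are.

```shell
post_install() {
  # name:gid pairs must match the *_gid values in /etc/sysctl.d/05-grsecurity.conf
  for entry in tpe:200 audit:201 socket-deny-all:202 socket-deny-client:203 socket-deny-server:204; do
    group=${entry%:*}
    gid=${entry#*:}
    if getent group "$group" >/dev/null; then
      if [ "$(getent group "$group" | cut -d: -f3)" != "$gid" ]; then
        groupmod -g "$gid" "$group"
      fi
    else
      groupadd -r -g "$gid" "$group"
    fi
  done
}

# … unchanged: post_upgrade, post_remove …
```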

Modified: linux-grsec/trunk/PKGBUILD
===================================================================
--- linux-grsec/trunk/PKGBUILD	2014-08-04 20:40:02 UTC (rev 116868)
+++ linux-grsec/trunk/PKGBUILD	2014-08-04 21:40:54 UTC (rev 116869)
@@ -1,3 +1,4 @@
+# $Id$
 # Maintainer: Daniel Micay <danielmicay at gmail.com>
 # Contributor: Tobias Powalowski <tpowa at archlinux.org>
 # Contributor: Thomas Baechler <thomas at archlinux.org>
@@ -11,7 +12,7 @@
 _timestamp=201408040708
 _grsec_patch="grsecurity-$_grsecver-$_pkgver-$_timestamp.patch"
 pkgver=$_pkgver.$_timestamp
-pkgrel=1
+pkgrel=2
 arch=('i686' 'x86_64')
 url=https://grsecurity.net/
 license=('GPL2')
@@ -27,7 +28,6 @@
         'linux.preset'
         'change-default-console-loglevel.patch'
         Revert-userns-Allow-unprivileged-users-to-create-use.patch
-        sysctl.conf
         )
 sha256sums=('c3927e87be4040fa8aca1b58663dc0776aaf00485604ff88a623be2f3fb07794'
             'e25557b19dfebc91e42939aa9a62f7a4d4e36ea2cc659368cded51fb2c703456'
@@ -37,8 +37,7 @@
             'aaeea9587701bd8e1a23dfa9e5c32dcda454ce26497175a9ad9f2bd3c260f6ea'
             'ca7e718375b3790888756cc0a64a7500cd57dddb9bf7e10a0df22c860d91f74d'
             'faced4eb4c47c4eb1a9ee8a5bf8a7c4b49d6b4d78efbe426e410730e6267d182'
-            '1b3651558fcd497c72af3d483febb21fff98cbb9fbcb456da19b24304c40c754'
-            'd4d4ae0b9c510547f47d94582e4ca08a7f12e9baf324181cb54d328027305e31')
+            '1b3651558fcd497c72af3d483febb21fff98cbb9fbcb456da19b24304c40c754')
 
 _kernelname=${pkgbase#linux}
 
@@ -104,7 +103,7 @@
 _package() {
   pkgdesc="The Linux kernel and modules with grsecurity/PaX patches"
   [ "${pkgbase}" = "linux" ] && groups=('base')
-  depends=('coreutils' 'linux-firmware' 'kmod' 'mkinitcpio>=0.7')
+  depends=('coreutils' 'linux-firmware' 'kmod' 'mkinitcpio>=0.7' 'grsec-common')
   optdepends=('crda: to set the correct wireless channels of your country'
               'gradm: to configure and enable Role Based Access Control (RBAC)'
               'paxd: to enable PaX exploit mitigations and apply exceptions automatically')
@@ -111,7 +110,7 @@
   provides=("kernel26${_kernelname}=${_pkgver}")
   conflicts=("kernel26${_kernelname}")
   replaces=("kernel26${_kernelname}")
-  backup=("etc/mkinitcpio.d/${pkgbase}.preset" etc/sysctl.d/05-grsecurity.conf)
+  backup=("etc/mkinitcpio.d/${pkgbase}.preset")
   install=${pkgbase}.install
 
   cd "${srcdir}/${_srcname}"
@@ -174,9 +173,6 @@
   mkdir -p "$pkgdir/usr/lib/modules/${_kernver}/build/tools/gcc/size_overflow_plugin"
   install -m644 tools/gcc/size_overflow_plugin/Makefile tools/gcc/size_overflow_plugin/*.so \
     "$pkgdir/usr/lib/modules/${_kernver}/build/tools/gcc/size_overflow_plugin"
-
-  # install sysctl configuration for grsecurity switches
-  install -Dm600 "$srcdir/sysctl.conf" "$pkgdir/etc/sysctl.d/05-grsecurity.conf"
 }
 
 _package-headers() {


Property changes on: linux-grsec/trunk/PKGBUILD
___________________________________________________________________
Added: svn:keywords
## -0,0 +1 ##
+Id
\ No newline at end of property
Modified: linux-grsec/trunk/linux-grsec.install
===================================================================
--- linux-grsec/trunk/linux-grsec.install	2014-08-04 20:40:02 UTC (rev 116868)
+++ linux-grsec/trunk/linux-grsec.install	2014-08-04 21:40:54 UTC (rev 116869)
@@ -15,46 +15,6 @@
   fi
 }
 
-_add_groups() {
-  if getent group tpe-trusted >/dev/null; then
-    groupmod -g 200 -n tpe tpe-trusted
-  fi
-
-  if ! getent group tpe >/dev/null; then
-    groupadd -g 200 -r tpe
-  fi
-
-  if ! getent group audit >/dev/null; then
-    groupadd -g 201 -r audit
-  fi
-
-  if getent group socket-deny-all >/dev/null; then
-    groupmod -g 202 socket-deny-all
-  else
-    groupadd -g 202 -r socket-deny-all
-  fi
-
-  if getent group socket-deny-client >/dev/null; then
-    groupmod -g 203 socket-deny-client
-  else
-    groupadd -g 203 -r socket-deny-client
-  fi
-
-  if getent group socket-deny-server >/dev/null; then
-    groupmod -g 204 socket-deny-server
-  else
-    groupadd -g 204 -r socket-deny-server
-  fi
-}
-
-_remove_groups() {
-  for group in tpe socket-deny-server socket-deny-client socket-deny-all; do
-    if getent group $group >/dev/null; then
-      groupdel $group
-    fi
-  done
-}
-
 post_install() {
   # updating module dependencies
   echo ">>> Updating module dependencies. Please wait ..."
@@ -62,7 +22,6 @@
   echo ">>> Generating initial ramdisk, using mkinitcpio.  Please wait..."
   mkinitcpio -p linux${KERNEL_NAME}
 
-  _add_groups
   _uderef_warning
 }
 
@@ -87,8 +46,6 @@
     echo ">>>          include the 'keyboard' hook in your mkinitcpio.conf."
   fi
 
-  _add_groups
-
   if [[ $(vercmp $2 3.15.6.201407232200-2) -lt 0 ]]; then
     _uderef_warning
   fi
@@ -98,6 +55,4 @@
   # also remove the compat symlinks
   rm -f boot/initramfs-linux${KERNEL_NAME}.img
   rm -f boot/initramfs-linux${KERNEL_NAME}-fallback.img
-
-  _remove_groups
 }

Deleted: linux-grsec/trunk/sysctl.conf
===================================================================
--- linux-grsec/trunk/sysctl.conf	2014-08-04 20:40:02 UTC (rev 116868)
+++ linux-grsec/trunk/sysctl.conf	2014-08-04 21:40:54 UTC (rev 116869)
@@ -1,131 +0,0 @@
-# All features in the kernel.grsecurity namespace are disabled by default in
-# the kernel and must be enabled here.
-
-#
-# Disable PaX enforcement by default.
-#
-# The `paxd` package sets softmode back to 0 in a configuration file loaded
-# after this one. It automatically handles setting exceptions from the PaX
-# exploit mitigations after Pacman operations. Altering the setting here rather
-# than using `paxd` is not recommended.
-#
-
-kernel.pax.softmode = 1
-
-#
-# Memory protections
-#
-
-#kernel.grsecurity.disable_priv_io = 1
-kernel.grsecurity.deter_bruteforce = 1
-
-#
-# Race free SymLinksIfOwnerMatch for web servers
-#
-# symlinkown_gid: http group
-#
-
-kernel.grsecurity.enforce_symlinksifowner = 1
-kernel.grsecurity.symlinkown_gid = 33
-
-#
-# FIFO restrictions
-#
-# Prevent writing to a FIFO in a world-writable sticky directory (e.g. /tmp),
-# unless the owner of the FIFO is the same owner of the directory it's held in.
-#
-
-kernel.grsecurity.fifo_restrictions = 1
-
-#
-# Deny any further rw mounts
-#
-
-#kernel.grsecurity.romount_protect = 1
-
-#
-# chroot restrictions (the commented options will break containers)
-#
-
-#kernel.grsecurity.chroot_caps = 1
-#kernel.grsecurity.chroot_deny_chmod = 1
-#kernel.grsecurity.chroot_deny_chroot = 1
-kernel.grsecurity.chroot_deny_fchdir = 1
-#kernel.grsecurity.chroot_deny_mknod = 1
-#kernel.grsecurity.chroot_deny_mount = 1
-#kernel.grsecurity.chroot_deny_pivot = 1
-kernel.grsecurity.chroot_deny_shmat = 1
-kernel.grsecurity.chroot_deny_sysctl = 1
-kernel.grsecurity.chroot_deny_unix = 1
-kernel.grsecurity.chroot_enforce_chdir = 1
-kernel.grsecurity.chroot_findtask = 1
-#kernel.grsecurity.chroot_restrict_nice = 1
-
-#
-# Kernel auditing
-#
-# audit_group: Restrict exec/chdir logging to a group.
-# audit_gid: audit group
-#
-
-#kernel.grsecurity.audit_group = 1
-kernel.grsecurity.audit_gid = 201
-#kernel.grsecurity.exec_logging = 1
-#kernel.grsecurity.resource_logging = 1
-#kernel.grsecurity.chroot_execlog = 1
-#kernel.grsecurity.audit_ptrace = 1
-#kernel.grsecurity.audit_chdir = 1
-#kernel.grsecurity.audit_mount = 1
-#kernel.grsecurity.signal_logging = 1
-#kernel.grsecurity.forkfail_logging = 1
-#kernel.grsecurity.timechange_logging = 1
-kernel.grsecurity.rwxmap_logging = 1
-
-#
-# Executable protections
-#
-
-kernel.grsecurity.harden_ptrace = 1
-kernel.grsecurity.ptrace_readexec = 1
-kernel.grsecurity.consistent_setxid = 1
-kernel.grsecurity.harden_ipc = 1
-
-#
-# Trusted Path Execution
-#
-# tpe_gid: tpe group
-#
-
-#kernel.grsecurity.tpe = 1
-kernel.grsecurity.tpe_gid = 200
-#kernel.grsecurity.tpe_invert = 1
-#kernel.grsecurity.tpe_restrict_all = 1
-
-#
-# Network protections
-#
-# socket_all_gid:    socket-deny-all group
-# socket_client_gid: socket-deny-client group
-# socket_server_gid: socket-deny-server group
-#
-
-#kernel.grsecurity.ip_blackhole = 1
-kernel.grsecurity.lastack_retries = 4
-kernel.grsecurity.socket_all = 1
-kernel.grsecurity.socket_all_gid = 202
-kernel.grsecurity.socket_client = 1
-kernel.grsecurity.socket_client_gid = 203
-kernel.grsecurity.socket_server = 1
-kernel.grsecurity.socket_server_gid = 204
-
-#
-# Prevent any new USB devices from being recognized by the OS.
-#
-
-#kernel.grsecurity.deny_new_usb = 1
-
-#
-# Restrict grsec sysctl changes after this was set
-#
-
-kernel.grsecurity.grsec_lock = 0



