diff options
author | Anthony G. Basile <blueness@gentoo.org> | 2015-03-10 12:48:27 -0400 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2015-03-10 12:48:27 -0400 |
commit | 9eef19a7507c231b5a48f19c4c2cd281c9c53a64 (patch) | |
tree | 5b0f8bb7dee30d348d05108fdd0fbaebf69a33ed /3.18.9/4450_grsec-kconfig-default-gids.patch | |
parent | Grsec/PaX: 3.1-{3.2.67,3.14.34,3.18.8}-201502271843 (diff) | |
download | hardened-patchset-9eef19a7507c231b5a48f19c4c2cd281c9c53a64.tar.gz hardened-patchset-9eef19a7507c231b5a48f19c4c2cd281c9c53a64.tar.bz2 hardened-patchset-9eef19a7507c231b5a48f19c4c2cd281c9c53a64.zip |
Grsec/PaX: 3.1-{3.2.68,3.14.35,3.18.9}-201503071142
Diffstat (limited to '3.18.9/4450_grsec-kconfig-default-gids.patch')
-rw-r--r-- | 3.18.9/4450_grsec-kconfig-default-gids.patch | 111 |
1 files changed, 111 insertions, 0 deletions
diff --git a/3.18.9/4450_grsec-kconfig-default-gids.patch b/3.18.9/4450_grsec-kconfig-default-gids.patch new file mode 100644 index 0000000..5c025da --- /dev/null +++ b/3.18.9/4450_grsec-kconfig-default-gids.patch @@ -0,0 +1,111 @@ +From: Anthony G. Basile <blueness@gentoo.org> +Updated patch for the new Kconfig system in grsec 2.9.1 + +--- +From: Kerin Millar <kerframil@gmail.com> + +grsecurity contains a number of options which allow certain protections +to be applied to or exempted from members of a given group. However, the +default GIDs specified in the upstream patch are entirely arbitrary and +there is no telling which (if any) groups the GIDs will correlate with +on an end-user's system. Because some users don't pay a great deal of +attention to the finer points of kernel configuration, it is probably +wise to specify some reasonable defaults so as to stop careless users +from shooting themselves in the foot. + +diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig +--- a/grsecurity/Kconfig 2012-10-13 09:51:35.000000000 -0400 ++++ b/grsecurity/Kconfig 2012-10-13 09:52:32.000000000 -0400 +@@ -694,7 +694,7 @@ + config GRKERNSEC_AUDIT_GID + int "GID for auditing" + depends on GRKERNSEC_AUDIT_GROUP +- default 1007 ++ default 100 + + config GRKERNSEC_EXECLOG + bool "Exec logging" +@@ -925,7 +925,7 @@ + config GRKERNSEC_TPE_UNTRUSTED_GID + int "GID for TPE-untrusted users" + depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT +- default 1005 ++ default 100 + help + Setting this GID determines what group TPE restrictions will be + *enabled* for. If the sysctl option is enabled, a sysctl option +@@ -934,7 +934,7 @@ + config GRKERNSEC_TPE_TRUSTED_GID + int "GID for TPE-trusted users" + depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT +- default 1005 ++ default 10 + help + Setting this GID determines what group TPE restrictions will be + *disabled* for. If the sysctl option is enabled, a sysctl option +@@ -1019,7 +1019,7 @@ + config GRKERNSEC_SOCKET_ALL_GID + int "GID to deny all sockets for" + depends on GRKERNSEC_SOCKET_ALL +- default 1004 ++ default 65534 + help + Here you can choose the GID to disable socket access for. Remember to + add the users you want socket access disabled for to the GID +@@ -1040,7 +1040,7 @@ + config GRKERNSEC_SOCKET_CLIENT_GID + int "GID to deny client sockets for" + depends on GRKERNSEC_SOCKET_CLIENT +- default 1003 ++ default 65534 + help + Here you can choose the GID to disable client socket access for. + Remember to add the users you want client socket access disabled for to +@@ -1058,7 +1058,7 @@ + config GRKERNSEC_SOCKET_SERVER_GID + int "GID to deny server sockets for" + depends on GRKERNSEC_SOCKET_SERVER +- default 1002 ++ default 65534 + help + Here you can choose the GID to disable server socket access for. + Remember to add the users you want server socket access disabled for to +diff -Nuar a/security/Kconfig b/security/Kconfig +--- a/security/Kconfig 2012-10-13 09:51:35.000000000 -0400 ++++ b/security/Kconfig 2012-10-13 09:52:59.000000000 -0400 +@@ -201,7 +201,7 @@ + + config GRKERNSEC_PROC_GID + int "GID exempted from /proc restrictions" +- default 1001 ++ default 10 + help + Setting this GID determines which group will be exempted from + grsecurity's /proc restrictions, allowing users of the specified +@@ -212,7 +212,7 @@ + config GRKERNSEC_TPE_UNTRUSTED_GID + int "GID for TPE-untrusted users" + depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT +- default 1005 ++ default 100 + help + Setting this GID determines which group untrusted users should + be added to. These users will be placed under grsecurity's Trusted Path +@@ -224,7 +224,7 @@ + config GRKERNSEC_TPE_TRUSTED_GID + int "GID for TPE-trusted users" + depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT +- default 1005 ++ default 10 + help + Setting this GID determines what group TPE restrictions will be + *disabled* for. If the sysctl option is enabled, a sysctl option +@@ -233,7 +233,7 @@ + config GRKERNSEC_SYMLINKOWN_GID + int "GID for users with kernel-enforced SymlinksIfOwnerMatch" + depends on GRKERNSEC_CONFIG_SERVER +- default 1006 ++ default 100 + help + Setting this GID determines what group kernel-enforced + SymlinksIfOwnerMatch will be enabled for. If the sysctl option |