Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/2.6.38/4430_grsec-kconfig-default-gids.patch
diff options
context:
space:
mode:
Diffstat (limited to '2.6.38/4430_grsec-kconfig-default-gids.patch')
-rw-r--r--2.6.38/4430_grsec-kconfig-default-gids.patch76
1 files changed, 76 insertions, 0 deletions
diff --git a/2.6.38/4430_grsec-kconfig-default-gids.patch b/2.6.38/4430_grsec-kconfig-default-gids.patch
new file mode 100644
index 0000000..82a9b18
--- /dev/null
+++ b/2.6.38/4430_grsec-kconfig-default-gids.patch
@@ -0,0 +1,76 @@
+From: Kerin Millar <kerframil@gmail.com>
+
+grsecurity contains a number of options which allow certain protections
+to be applied to or exempted from members of a given group. However, the
+default GIDs specified in the upstream patch are entirely arbitrary and
+there is no telling which (if any) groups the GIDs will correlate with
+on an end-user's system. Because some users don't pay a great deal of
+attention to the finer points of kernel configuration, it is probably
+wise to specify some reasonable defaults so as to stop careless users
+from shooting themselves in the foot.
+
+--- a/grsecurity/Kconfig
++++ b/grsecurity/Kconfig
+@@ -406,7 +406,7 @@
+ config GRKERNSEC_PROC_GID
+ int "GID for special group"
+ depends on GRKERNSEC_PROC_USERGROUP
+- default 1001
++ default 10
+
+ config GRKERNSEC_PROC_ADD
+ bool "Additional restrictions"
+@@ -630,7 +630,7 @@
+ config GRKERNSEC_AUDIT_GID
+ int "GID for auditing"
+ depends on GRKERNSEC_AUDIT_GROUP
+- default 1007
++ default 100
+
+ config GRKERNSEC_EXECLOG
+ bool "Exec logging"
+@@ -816,7 +816,7 @@
+ config GRKERNSEC_TPE_GID
+ int "GID for untrusted users"
+ depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
+- default 1005
++ default 100
+ help
+ Setting this GID determines what group TPE restrictions will be
+ *enabled* for. If the sysctl option is enabled, a sysctl option
+@@ -825,7 +825,7 @@
+ config GRKERNSEC_TPE_GID
+ int "GID for trusted users"
+ depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
+- default 1005
++ default 10
+ help
+ Setting this GID determines what group TPE restrictions will be
+ *disabled* for. If the sysctl option is enabled, a sysctl option
+@@ -896,7 +896,7 @@
+ config GRKERNSEC_SOCKET_ALL_GID
+ int "GID to deny all sockets for"
+ depends on GRKERNSEC_SOCKET_ALL
+- default 1004
++ default 65534
+ help
+ Here you can choose the GID to disable socket access for. Remember to
+ add the users you want socket access disabled for to the GID
+@@ -917,7 +917,7 @@
+ config GRKERNSEC_SOCKET_CLIENT_GID
+ int "GID to deny client sockets for"
+ depends on GRKERNSEC_SOCKET_CLIENT
+- default 1003
++ default 65534
+ help
+ Here you can choose the GID to disable client socket access for.
+ Remember to add the users you want client socket access disabled for to
+@@ -935,7 +935,7 @@
+ config GRKERNSEC_SOCKET_SERVER_GID
+ int "GID to deny server sockets for"
+ depends on GRKERNSEC_SOCKET_SERVER
+- default 1002
++ default 65534
+ help
+ Here you can choose the GID to disable server socket access for.
+ Remember to add the users you want server socket access disabled for to