Diffstat (limited to '3.0.4/4430_grsec-kconfig-default-gids.patch')
-rw-r--r-- | 3.0.4/4430_grsec-kconfig-default-gids.patch | 77 |
1 files changed, 77 insertions, 0 deletions
diff --git a/3.0.4/4430_grsec-kconfig-default-gids.patch b/3.0.4/4430_grsec-kconfig-default-gids.patch
new file mode 100644
index 0000000..6a448bf
--- /dev/null
+++ b/3.0.4/4430_grsec-kconfig-default-gids.patch
@@ -0,0 +1,77 @@
+From: Kerin Millar <kerframil@gmail.com>
+
+grsecurity contains a number of options which allow certain protections
+to be applied to or exempted from members of a given group. However, the
+default GIDs specified in the upstream patch are entirely arbitrary and
+there is no telling which (if any) groups the GIDs will correlate with
+on an end-user's system. Because some users don't pay a great deal of
+attention to the finer points of kernel configuration, it is probably
+wise to specify some reasonable defaults so as to stop careless users
+from shooting themselves in the foot.
+
+diff -Naur linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig linux-2.6.32-hardened-r44/grsecurity/Kconfig
+--- linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig 2011-04-17 18:15:55.000000000 -0400
++++ linux-2.6.32-hardened-r44/grsecurity/Kconfig 2011-04-17 18:37:33.000000000 -0400
+@@ -433,7 +433,7 @@
+ config GRKERNSEC_PROC_GID
+ int "GID for special group"
+ depends on GRKERNSEC_PROC_USERGROUP
+- default 1001
++ default 10
+
+ config GRKERNSEC_PROC_ADD
+ bool "Additional restrictions"
+@@ -657,7 +657,7 @@
+ config GRKERNSEC_AUDIT_GID
+ int "GID for auditing"
+ depends on GRKERNSEC_AUDIT_GROUP
+- default 1007
++ default 100
+
+ config GRKERNSEC_EXECLOG
+ bool "Exec logging"
+@@ -835,7 +835,7 @@
+ config GRKERNSEC_TPE_GID
+ int "GID for untrusted users"
+ depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
+- default 1005
++ default 100
+ help
+ Setting this GID determines what group TPE restrictions will be
+ *enabled* for. If the sysctl option is enabled, a sysctl option
+@@ -844,7 +844,7 @@
+ config GRKERNSEC_TPE_GID
+ int "GID for trusted users"
+ depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
+- default 1005
++ default 10
+ help
+ Setting this GID determines what group TPE restrictions will be
+ *disabled* for. If the sysctl option is enabled, a sysctl option
+@@ -917,7 +917,7 @@
+ config GRKERNSEC_SOCKET_ALL_GID
+ int "GID to deny all sockets for"
+ depends on GRKERNSEC_SOCKET_ALL
+- default 1004
++ default 65534
+ help
+ Here you can choose the GID to disable socket access for. Remember to
+ add the users you want socket access disabled for to the GID
+@@ -938,7 +938,7 @@
+ config GRKERNSEC_SOCKET_CLIENT_GID
+ int "GID to deny client sockets for"
+ depends on GRKERNSEC_SOCKET_CLIENT
+- default 1003
++ default 65534
+ help
+ Here you can choose the GID to disable client socket access for.
+ Remember to add the users you want client socket access disabled for to
+@@ -956,7 +956,7 @@
+ config GRKERNSEC_SOCKET_SERVER_GID
+ int "GID to deny server sockets for"
+ depends on GRKERNSEC_SOCKET_SERVER
+- default 1002
++ default 65534
+ help
+ Here you can choose the GID to disable server socket access for.
+ Remember to add the users you want server socket access disabled for to |
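Review bot: The new defaults 10, 100 and 65534 are bare numbers, and neither the patch header nor any visible help text names the groups they are meant to match, so a reader cannot verify them against /etc/group. They look like the distribution's wheel, users and nobody groups, but that is an inference. I would add a header line such as `Defaults assume GID 10 = wheel, 100 = users, 65534 = nobody; check /etc/group before enabling these options.` The mapping matters most for the three socket hunks (`GRKERNSEC_SOCKET_ALL_GID`, `_CLIENT_GID`, `_SERVER_GID`): if 65534 is a group that unprivileged daemons drop to, enabling any of them would cut those services off from the network, so that caveat belongs in the help text too. The help text of the last hunk continues outside the visible lines.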