authorAndré Fabian Silva Delgado <emulatorman@parabola.nu>2014-04-18 11:19:35 -0300
committerAndré Fabian Silva Delgado <emulatorman@parabola.nu>2014-04-18 11:19:35 -0300
commit7bde0d8d3b849a6e2bebf65a302a489ff83de417 (patch)
treed11601d8f96ffe68c777345a8ab81fa307f178b5 /kernels
parent67f5381e33ab5fbf9acdfc5d97ead8de4dad352f (diff)
gradm: remove package because it was implemented on [community]
Diffstat (limited to 'kernels')
-rw-r--r--kernels/gradm/PKGBUILD36
-rw-r--r--kernels/gradm/learn_config169
-rw-r--r--kernels/gradm/policy487
3 files changed, 0 insertions, 692 deletions
diff --git a/kernels/gradm/PKGBUILD b/kernels/gradm/PKGBUILD
deleted file mode 100644
index 6ca4aacd9..000000000
--- a/kernels/gradm/PKGBUILD
+++ /dev/null
@@ -1,36 +0,0 @@
-# Contributors:
-# Jonathan Liu <net147@gmail.com>
-# henning mueller <henning@orgizm.net>
-# s1gma, Ahmad24, maxrp
-
-pkgname=gradm
-pkgver=3.0
-_timestamp=201401291757
-pkgrel=4
-pkgdesc='Administrative interface for the grsecurity Role Based Access Control system'
-arch=(i686 x86_64 mips64el)
-url=http://grsecurity.net/
-license=(GPL2)
-depends=(pam)
-source=(
- http://grsecurity.net/stable/$pkgname-$pkgver-$_timestamp.tar.gz
- learn_config
- policy
-)
-
-build() {
- cd "$srcdir/$pkgname"
- sed -i -e 's/^CFLAGS :=/CFLAGS +=/' -e 's:sbin:usr/bin:' Makefile
- make
-}
-
-package() {
- cd "$srcdir/$pkgname"
- make DESTDIR="$pkgdir" install
- cp "$startdir"/{learn_config,policy} "$pkgdir/etc/grsec"
- rm -rf "$pkgdir/dev"
-}
-
-sha256sums=('9c99714e6d10797a7348c6ffe2561dfcfe5e7659c9d86118d381b8bdb09ae7a6'
- 'ec8e824e8a29a67be76bf853814ee85e80c4063009e5693d5db8cdb45bd45813'
- '61c0e84098e8386e5496dafce559558adef32e2a4a1241a9fa3bd56eab192dcd')
diff --git a/kernels/gradm/learn_config b/kernels/gradm/learn_config
deleted file mode 100644
index 24c4cbc25..000000000
--- a/kernels/gradm/learn_config
+++ /dev/null
@@ -1,169 +0,0 @@
-#This configuration file aids the learning process by tweaking
-#the learning algorithm for specific paths.
-#
-#It accepts lines in the form of <command> <pathname>
-#Where <command> can be inherit-learn, no-learn, inherit-no-learn,
-#high-reduce-path, dont-reduce-path, protected-path, high-protected-path,
-#read-protected-path, and always-reduce-path
-#
-#inherit-learn, no-learn, and inherit-no-learn operate only with
-#full learning
-#
-#high-reduce-path, dont-reduce-path, always-reduce-path, protected-path,
-#and high-protected-path operate on both full and and regular learning
-#(subject and role learning)
-#
-#inherit-learn changes the learning process for the specified path
-#by throwing all learned accesses for every binary executed by the
-#processes contained in the pathname into the subject specified
-#by the pathname. This is useful for cron in the case of full
-#system learning, so that scripts that eventually end up executing
-#mv or rm with privilege don't cause the root policy to grant
-#that privilege to mv or rm in all cases.
-#
-#no-learn allows processes within the path to perform any operation
-#that normal system usage would allow without restriction. If
-#a process is generating a huge number of learning logs, it may be
-#best to use this command on that process and configure its policy
-#manually.
-#
-#inherit-no-learn combines the above two cases, such that processes
-#within the specified path will be able to perform any normal system
-#operation without restriction as will any binaries executed by
-#these processes.
-#
-#high-reduce-path modifies the heuristics of the learning process
-#to weight in favor of reducing accesses for this path
-#
-#dont-reduce-path modifies the heuristics of the learning process
-#so that it will never reduce accesses for this path
-#
-#always-reduce-path modifies the heuristics of the learning process
-#so that the path specified will always have all files and directories
-#within it reduced to the path specified.
-#
-#protected-path specifies a path on your system that is considered an
-#important resource. Any process that modifies one of these paths
-#is given its own subject in the learning process, facilitating
-#a secure policy.
-#
-#read-protected-path specifies a path on your system that contains
-#sensitive information. Any process that reads one of these paths is
-#given its own subject in the learning process, facilitating a secure
-#policy.
-#
-#high-protected-path specifies a path that should be hidden from
-#all processes but those that access it directly. It is recommended
-#to use highly sensitive files for this command.
-#
-#regular expressions are not supported for pathnames in this config file
-#
-#
-# uncomment this next line if you don't wish to generate a policy that
-# restricts roles to specific IP ranges:
-# dont-learn-allowed-ips
-#
-# to write out your generated policy such that roles are split into separate
-# files by the name of the role (within user/group directories), uncomment
-# the next line:
-# split-roles
-
-always-reduce-path /dev/pts
-always-reduce-path /var/spool/qmailscan/tmp
-always-reduce-path /var/spool/exim4
-always-reduce-path /var/run/screen
-always-reduce-path /usr/share/locale
-always-reduce-path /usr/share/zoneinfo
-always-reduce-path /usr/share/terminfo
-always-reduce-path /tmp
-always-reduce-path /var/tmp
-
-high-reduce-path /dev/.udev
-high-reduce-path /dev/mapper
-high-reduce-path /dev/snd
-high-reduce-path /proc
-high-reduce-path /usr/lib
-high-reduce-path /usr/lib/tls
-high-reduce-path /usr/lib/libreoffice
-high-reduce-path /usr/lib32
-high-reduce-path /usr/lib32/tls
-high-reduce-path /usr/lib64
-high-reduce-path /usr/lib64/tls
-high-reduce-path /var/lib
-high-reduce-path /usr/bin
-high-reduce-path /usr/sbin
-high-reduce-path /usr/local/share
-high-reduce-path /usr/local/bin
-high-reduce-path /usr/local/sbin
-high-reduce-path /usr/local/etc
-high-reduce-path /usr/local/lib
-high-reduce-path /usr/share
-high-reduce-path /usr/X11R6/lib
-high-reduce-path /var/lib/openldap-data
-high-reduce-path /var/lib/krb5kdc
-
-dont-reduce-path /
-dont-reduce-path /home
-dont-reduce-path /dev
-dont-reduce-path /usr
-dont-reduce-path /var
-dont-reduce-path /opt
-
-protected-path /boot
-protected-path /dev/log
-protected-path /etc
-protected-path /opt
-protected-path /root
-protected-path /run
-protected-path /sys
-protected-path /usr
-protected-path /var
-
-read-protected-path /etc/ssh
-read-protected-path /proc/kallsyms
-read-protected-path /proc/kcore
-read-protected-path /proc/slabinfo
-read-protected-path /proc/modules
-read-protected-path /usr/lib/modules
-read-protected-path /usr/lib64/modules
-read-protected-path /boot
-read-protected-path /etc/shadow
-read-protected-path /etc/shadow-
-read-protected-path /etc/gshadow
-read-protected-path /etc/gshadow-
-read-protected-path /sys
-
-high-protected-path /etc/ssh
-high-protected-path /proc/kcore
-high-protected-path /proc/sys
-high-protected-path /proc/bus
-high-protected-path /proc/slabinfo
-high-protected-path /proc/modules
-high-protected-path /proc/kallsyms
-high-protected-path /etc/passwd
-high-protected-path /etc/shadow
-high-protected-path /var/backups
-high-protected-path /etc/shadow-
-high-protected-path /etc/gshadow
-high-protected-path /etc/gshadow-
-high-protected-path /var/log
-high-protected-path /dev/mem
-high-protected-path /dev/kmem
-high-protected-path /dev/port
-high-protected-path /dev/log
-high-protected-path /sys
-high-protected-path /etc/ppp
-high-protected-path /etc/samba/smbpasswd
-#to protect kernel images
-high-protected-path /boot
-high-protected-path /usr/lib/modules
-high-protected-path /usr/lib64/modules
-high-protected-path /usr/src
-
-inherit-learn /etc/cron.d
-inherit-learn /etc/cron.hourly
-inherit-learn /etc/cron.daily
-inherit-learn /etc/cron.weekly
-inherit-learn /etc/cron.monthly
-inherit-learn /etc/init.d
-inherit-learn /etc/rc.d/init.d
diff --git a/kernels/gradm/policy b/kernels/gradm/policy
deleted file mode 100644
index 55a5811c8..000000000
--- a/kernels/gradm/policy
+++ /dev/null
@@ -1,487 +0,0 @@
-#sample default policy for grsecurity
-#
-# Role flags:
-# A -> This role is an administrative role, thus it has special privilege normal
-# roles do not have. In particular, this role bypasses the
-# additional ptrace restrictions
-# N -> Don't require authentication for this role. To access
-# the role, use gradm -n <rolename>
-# s -> This role is a special role, meaning it does not belong to a
-# user or group, and does not require an enforced secure policy
-# base to be included in the ruleset
-# u -> This role is a user role
-# g -> This role is a group role
-# G -> This role can use gradm to authenticate to the kernel
-# A policy for gradm will automatically be added to the role
-# T -> Enable TPE for this role
-# l -> Enable learning for this role
-# P -> Use PAM authentication for this role.
-# R -> Enable persistence of special role. Normal special roles will
-# be removed upon exit of the process that entered the role, or
-# upon unauth (this is what changes the apache process' role back
-# to its normal role after being restarted from the admin role, for
-# instance). Role persistence allows a special role to be used for
-# system shutdown, as the point at which the admin's shell/SSH
-# session is terminated won't cause the rest of the shutdown
-# sequence to execute with reduced privilege. Do *NOT* use this
-# flag with any role that does anything but shut the system down.
-# This role will also be transferred to the init process upon
-# writing to /dev/initctl. This allows init to execute the rc
-# scripts for shutdown with the necessary privilege.
-# For usability reasons, we allow the removal of persistence through
-# the normal unauth process (so persistence only survives exit).
-#
-# a role can only be one of user, group, or special
-#
-# role_allow_ip IP/optional netmask
-# eg: role_allow_ip 192.168.1.0/24
-# You can have as many of these per role as you want
-# They restrict the use of a role to a list of IPs. If a user
-# is on the system that would normally get the role does not
-# belong to those lists of IPs, the system falls back through
-# its method of determining a role for the user
-#
-# Role hierarchy
-# user -> group -> default
-# First a user role attempts to match, if one is not found,
-# a group role attempts to match, if one is not found,
-# the default role is used.
-#
-# role_transitions <special role 1> <special role 2> ... <special role n>
-# eg: role_transitions www_admin dns_admin
-#
-# role transitions specify which special roles a given role is allowed
-# to authenticate to. This applies to special roles that do not
-# require password authentication as well. If a user tries to
-# authenticate to a role that is not within his transition table, he
-# will receive a permission denied error
-#
-# Nested subjects
-# subject /bin/su:/bin/bash:/bin/cat
-# / rwx
-# +CAP_ALL
-# grant privilege to specific processes if they are executed
-# within a trusted path. In this case, privilege is
-# granted if /bin/cat is executed from /bin/bash, which is
-# executed from /bin/su.
-#
-# Configuration inheritance on nested subjects
-# nested subjects inherit rules from their parents. In the
-# example above, the nested subject would inherit rules
-# from the nested subject for /bin/su:/bin/bash,
-# and the subject /bin/su
-# View the 1.9.x documentation for more information on
-# configuration inheritance
-#
-# new object modes:
-# m -> allow creation of setuid/setgid files/directories
-# and modification of files/directories to be setuid/setgid
-# M -> audit the setuid/setgid creation/modification
-# c -> allow creation of the file/directory
-# C -> audit the creation
-# d -> allow deletion of the file/directory
-# D -> audit the deletion
-# p -> reject all ptraces to this object
-# l -> allow a hardlink at this path
-# (hardlinking requires at a minimum c and l modes, and the target
-# link cannot have any greater permission than the source file)
-# L -> audit link creation
-# f -> needed to mark the pipe used for communication with init
-# to transfer the privilege of the persistent role; only valid
-# within a persistent role. Transfer only occurs when the file is
-# opened for writing
-#
-# new subject modes:
-# O -> disable "writable library" restrictions for this task
-# t -> allow this process to ptrace any process (use with caution)
-# r -> relax ptrace restrictions (allows process to ptrace processes
-# other than its own descendants)
-# i -> enable inheritance-based learning for this subject, causing
-# all accesses of this subject and anything it executes to be placed
-# in this subject, and inheritance flags added to executable objects
-# in this subject
-# a -> allow this process to talk to the /dev/grsec device
-# s -> enable AT_SECURE when entering this subject
-# (enables the same environment sanitization that occurs in glibc
-# upon execution of a suid binary)
-# x -> allows executable anonymous shared memory for this subject
-#
-# user/group transitions:
-# You may now specify what users and groups a given subject can
-# transition to. This can be done on an inclusive or exclusive basis.
-# Omitting these rules allows a process with proper privilege granted by
-# capabilities to transition to any user/group.
-#
-# Examples:
-# subject /bin/su
-# user_transition_allow root spender
-# group_transition_allow root spender
-# subject /bin/su
-# user_transition_deny evilhacker
-# subject /bin/su
-# group_transition_deny evilhacker1 evilhacker2
-#
-# Domains:
-# With domains you can combine users that don't share a common
-# GID as well as groups so that they share a single policy
-# Domains work just like roles, with the only exception being that
-# the line starting with "role" is replaced with one of the following:
-# domain somedomainname u user1 user2 user3 user4 ... usern
-# domain somedomainname g group1 group2 group3 group4 ... groupn
-#
-# Inverted socket policies:
-# Rules such as
-# connect ! www.google.com:80 stream tcp
-# are now allowed, which allows you to specify that a process can connect to anything
-# except to port 80 of www.google.com with a stream tcp socket
-# the inverted socket matching also works on bind rules
-#
-# INADDR_ANY overriding
-# You can now force a given subject to bind to a particular IP address on the machine
-# This is useful for some chrooted environments, to ensure that the source IP they
-# use is one of your choosing
-# to use, add a line like:
-# ip_override 192.168.0.1
-#
-# Per-interface socket policies:
-# Rules such as
-# bind eth1:80 stream tcp
-# bind eth0#1:22 stream tcp
-# are now allowed, giving you the ability to tie specific socket rules
-# to a single interface (or by using the inverted rules, all but one
-# interface). Virtual interfaces are specified by the <ifname>#<vindex>
-# syntax. If an interface is specified, no IP/netmask or host may be
-# specified for the rule.
-#
-# Allowing additional socket families:
-# Before v2.2.1 of the RBAC system, a subject that specified
-# connect/bind rules limited only the socket usage of IPv4, allowing
-# any other socket families to be used. Starting with v2.2.1 of the
-# RBAC system, when connect/bind rules are used, additional rules
-# will be required to unlock the use of additional socket families
-# (outside of the common unix family). Multiple families can be
-# specified per line.
-# To enable use of IPv6, add the line:
-# sock_allow_family ipv6
-# To enable use of netlink, add the line:
-# sock_allow_family netlink
-# To enable all other families, add the line:
-# sock_allow_family all
-#
-# New learning system:
-# To learn on a given subject: add l (the letter l, not the number 1)
-# to the subject mode
-# If you want to learn with the most restrictive policy, use the
-# following:
-# subject /path/to/bin lo
-# / h
-# -CAP_ALL
-# connect disabled
-# bind disabled
-# Resource learning is also supported, so lines like
-# RES_AS 0 0
-# can be used to learn a particular resource
-#
-# To learn on a given role, add l to the role mode
-# For both of these, to enable learning, enable the system like:
-# gradm -L /etc/grsec/learning.logs -E
-# and then generate the rules after disabling the system after the
-# learning phase with:
-# gradm -L /etc/grsec/learning.logs -O /etc/grsec/policy
-# To use full system learning, enable the system like:
-# gradm -F -L /etc/grsec/learning.logs
-# and then generate the rules after disabling the system after the
-# learning phase with:
-# gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/policy
-#
-# New PaX flag format (replaces PaX subject flags):
-# PaX flags can be forced on or off, regardless of the flags on the
-# binary, by using + or - before the following PaX flag names:
-# PAX_SEGMEXEC
-# PAX_PAGEEXEC
-# PAX_MPROTECT
-# PAX_RANDMMAP
-# PAX_EMUTRAMP
-#
-# New feature for easier policy maintenance:
-# replace <variable name> <replace string>
-# e.g.:
-# replace CVSROOT /home/cvs
-# now $(CVSROOT) can be used in any subject or object pathname, like:
-# $(CVSROOT)/grsecurity r
-# This will translate to /home/cvs/grsecurity r
-# This feature makes it easier to update policies by naming specific
-# paths by their function, then only having to update those paths once
-# to have it affect a large number of subjects/objects.
-#
-# capability auditing / log suppression
-# use of a capability can be audited by adding "audit" to the line, eg:
-# +CAP_SYS_RAWIO audit
-# log suppression for denial of a capbility can be done by adding "suppress":
-# -CAP_SYS_RAWIO suppress
-#
-# Per-role umask enforcement:
-# If you have a user that you want to be assured cannot accidentally
-# create a file that others can read (a confidentiality issue)
-# add the following under the role declaration:
-# role_umask 077
-# any normal octal umask may be specified
-# Note that unlike the normal umask, this umask will also apply
-# to the permissions one can chmod/fchmod a file to
-#
-# Note that the omission of any feature of a role or subject
-# results in a default-allow
-# For instance, if no capability rules are added, an implicit +CAP_ALL is used
-#
-# Commonly-used objects can be defined and used in multiple subjects
-# As an example, we'll create a variable out of a list of objects
-# and their associated permissions that RBAC enforces
-define grsec_denied {
- /boot h
- /dev/grsec h
- /dev/kmem h
- /dev/mem h
- /dev/port h
- /etc/grsec h
- /proc/kcore h
- /proc/slabinfo h
- /proc/modules h
- /proc/kallsyms h
- # hide and suppress logs about accessing this path
- /usr/lib/modules hs
- /etc/ssh h
-}
-# usage:
-# $grsec_denied
-
-role shutdown sARG
-subject / rvka
- /
- /dev
- /dev/urandom r
- /dev/random r
- /etc r
- /usr rx
- /proc r
- $grsec_denied
- -CAP_ALL
- connect disabled
- bind disabled
-
-subject /usr/lib/systemd/systemd rvkao
- / rwcdmlxi
-subject /usr/bin/systemctl rvkao
- / rwcdmlxi
- /dev/initctl rwf
- /run/initctl rwf
-
-# Make sure to unauthenticate with gradm -u from
-# the admin role after restarting a service
-# The service started will run with admin
-# privileges until you run gradm -u or your shell exits
-
-role admin sA
-subject / rvka
- / rwcdmlxi
-
-role default G
-role_transitions admin shutdown
-subject /
- / r
- /opt rx
- /home rwxcd
- /mnt rw
- /dev
- /dev/urandom r
- /dev/random r
- /dev/zero rw
- /dev/input rw
- /dev/psaux rw
- /dev/null rw
- /dev/tty? rw
- /dev/console rw
- /dev/tty rw
- /dev/pts rw
- /dev/ptmx rw
- /dev/dsp rw
- /dev/mixer rw
- /dev/initctl rw
- /dev/fd0 r
- /dev/cdrom r
- /usr rx
-# compilation of kernel code should be done within the admin role
- /usr/src h
- /etc rx
- /proc rwx
- /proc/sys r
- /sys h
- /root r
- /run r
- /tmp rwcd
- /var rwxcd
- /var/tmp rwcd
- /var/log r
-# hide the kernel images and modules
- $grsec_denied
-
-# if sshd needs to be restarted, it can be done through the admin role
-# restarting sshd should be followed immediately by a gradm -u
- /usr/sbin/sshd
-
- /home/*/.gem/ruby/2.0.0/bin rx
- /home/*/.rbenv/shims rx
- /home/*/.rbenv/versions*/bin rx
- /home/*/.cabal/bin rx
- /home/*/dev/env rx
-
- -CAP_KILL
- -CAP_SYS_TTY_CONFIG
- -CAP_LINUX_IMMUTABLE
- -CAP_NET_RAW
- -CAP_MKNOD
- -CAP_SYS_ADMIN
- -CAP_SYS_RAWIO
- -CAP_SYS_MODULE
- -CAP_SYS_PTRACE
- -CAP_NET_ADMIN
- -CAP_NET_BIND_SERVICE
- -CAP_NET_RAW
- -CAP_SYS_CHROOT
- -CAP_SYS_BOOT
- -CAP_SETFCAP
- -CAP_SYSLOG
-
-# RES_AS 100M 100M
-
-# connect 192.168.1.0/24:22 stream tcp
-# bind 0.0.0.0 stream dgram tcp udp
-
-# the d flag protects /proc fd and mem entries for sshd
-# all daemons should have 'p' in their subject mode to prevent
-# an attacker from killing the service (and restarting it with trojaned
-# config file or taking the port it reserved to run a trojaned service)
-
-subject /usr/sbin/sshd dpo
- /
- /* h
- /bin/bash x
- /dev h
- /dev/log rw
- /dev/random r
- /dev/urandom r
- /dev/null rw
- /dev/ptmx rw
- /dev/pts rw
- /dev/tty rw
- /dev/tty? rw
- /etc r
- /etc/grsec h
- /home
- /home/*/.ssh/authorized_keys r
- /root
- /proc r
- /proc/*/oom_adj rw
- /proc/kcore h
- /proc/sys h
- /proc/sys/kernel/ngroups_max r
- /selinux r
- /usr/lib rx
- /usr/share/zoneinfo r
- /var/log
- /var/mail
- /var/log/lastlog rw
- /var/log/wtmp w
- /var/run
- /run
- /var/run/sshd
- /var/run/utmp rw
- /var/run/utmpx rw
- /var/run/.nscd_socket rw
-
- -CAP_ALL
- +CAP_CHOWN
- +CAP_SETGID
- +CAP_SETUID
- +CAP_SYS_CHROOT
- +CAP_SYS_RESOURCE
- +CAP_SYS_TTY_CONFIG
- +CAP_AUDIT_WRITE
- # to access user keys
- +CAP_DAC_OVERRIDE
-
-subject /usr/bin/Xorg
- /dev/mem rw
-
- +CAP_SYS_ADMIN
- +CAP_SYS_TTY_CONFIG
- +CAP_SYS_RAWIO
-
-subject /usr/bin/ssh
- /etc/ssh/ssh_config r
-
-subject /usr/bin/postgres
- /dev/log rw
-
-subject /usr/bin/exim
- /dev/log rw
-
-subject /usr/sbin/syslog-ng
- +CAP_SYS_ADMIN
-
-subject /usr/sbin/rsyslogd
- +CAP_SYS_ADMIN
-
-subject /usr/sbin/cron
- /dev/log rw
-
-subject /usr/sbin/crond
- /dev/log rw
-
-subject /bin/login
- /dev/log rw
- /var/log/wtmp w
- /var/log/faillog rwcd
-
-subject /bin/su
- /dev/log rw
-
-subject /usr/bin/sudo
- /dev/log rw
-
-subject /sbin/agetty
- /var/log/wtmp w
-
-subject /sbin/init
- /var/log/wtmp w
-
-subject /usr/bin/xauth
- /home r
- /home/*/.Xauthority-* rwcdl
-
-# prevent ld.so breakouts of subjects with /lib rx
-
-# many distros clutter up /lib with shell scripts
-# that can be easily hijacked for malicious purposes
-subject /usr/lib o
- / h
- -CAP_ALL
- connect disabled
- bind disabled
-
-subject /usr/lib32 o
- / h
- -CAP_ALL
- connect disabled
- bind disabled
-
-subject /usr/lib/ld-linux.so.2 o
- / h
- -CAP_ALL
- connect disabled
- bind disabled
-
-subject /usr/lib/ld-linux-x86-64.so.2 o
- / h
- -CAP_ALL
- connect disabled
- bind disabled