1 files changed, 129 insertions, 0 deletions

diff --git a/libre/linux-libre-grsec/sysctl.conf b/libre/linux-libre-grsec/sysctl.conf
new file mode 100644
index 000000000..a1af2c48e
--- /dev/null
+++ b/libre/linux-libre-grsec/sysctl.conf
@@ -0,0 +1,129 @@
+# All features in the kernel.grsecurity namespace are disabled by default.
+
+#
+# Disable PaX enforcement by default, due to lacking integration with packages.
+#
+# This is considered a major flaw in this package and will be corrected in the
+# future. Many binaries need to be flagged as requiring an exception from the
+# PaX rules.
+#
+
+kernel.pax.softmode = 1
+
+#
+# Memory protections
+#
+
+#kernel.grsecurity.disable_priv_io = 1
+kernel.grsecurity.deter_bruteforce = 1
+
+#
+# Race free SymLinksIfOwnerMatch for web servers
+#
+# symlinkown_gid: http group
+#
+
+kernel.grsecurity.enforce_symlinksifowner = 1
+kernel.grsecurity.symlinkown_gid = 33
+
+#
+# FIFO restrictions
+#
+# Prevent writing to a FIFO in a world-writable sticky directory (e.g. /tmp),
+# unless the owner of the FIFO is the same owner of the directory it's held in.
+#
+
+kernel.grsecurity.fifo_restrictions = 1
+
+#
+# Deny any further rw mounts
+#
+
+#kernel.grsecurity.romount_protect = 1
+
+#
+# chroot restrictions (these will break containers)
+#
+
+#kernel.grsecurity.chroot_caps = 1
+#kernel.grsecurity.chroot_deny_chmod = 1
+#kernel.grsecurity.chroot_deny_chroot = 1
+#kernel.grsecurity.chroot_deny_fchdir = 1
+#kernel.grsecurity.chroot_deny_mknod = 1
+#kernel.grsecurity.chroot_deny_mount = 1
+#kernel.grsecurity.chroot_deny_pivot = 1
+#kernel.grsecurity.chroot_deny_shmat = 1
+#kernel.grsecurity.chroot_deny_sysctl = 1
+#kernel.grsecurity.chroot_deny_unix = 1
+#kernel.grsecurity.chroot_enforce_chdir = 1
+#kernel.grsecurity.chroot_findtask = 1
+#kernel.grsecurity.chroot_restrict_nice = 1
+
+#
+# Kernel auditing
+#
+# audit_group: Restrict exec/chdir logging to a group.
+# audit_gid: audit group
+#
+
+#kernel.grsecurity.audit_group = 1
+kernel.grsecurity.audit_gid = 201
+#kernel.grsecurity.exec_logging = 1
+#kernel.grsecurity.resource_logging = 1
+#kernel.grsecurity.chroot_execlog = 1
+#kernel.grsecurity.audit_ptrace = 1
+#kernel.grsecurity.audit_chdir = 1
+#kernel.grsecurity.audit_mount = 1
+#kernel.grsecurity.signal_logging = 1
+#kernel.grsecurity.forkfail_logging = 1
+#kernel.grsecurity.timechange_logging = 1
+#kernel.grsecurity.rwxmap_logging = 1
+
+#
+# Executable protections
+#
+
+kernel.grsecurity.harden_ptrace = 1
+kernel.grsecurity.ptrace_readexec = 1
+kernel.grsecurity.consistent_setxid = 1
+kernel.grsecurity.harden_ipc = 1
+
+#
+# Trusted Path Execution
+#
+# tpe_gid: tpe group
+#
+
+#kernel.grsecurity.tpe = 1
+kernel.grsecurity.tpe_gid = 200
+#kernel.grsecurity.tpe_invert = 1
+#kernel.grsecurity.tpe_restrict_all = 1
+
+#
+# Network protections
+#
+# socket_all_gid:    socket-deny-all group
+# socket_client_gid: socket-deny-client group
+# socket_server_gid: socket-deny-server group
+#
+
+#kernel.grsecurity.ip_blackhole = 1
+kernel.grsecurity.lastack_retries = 4
+kernel.grsecurity.socket_all = 1
+kernel.grsecurity.socket_all_gid = 202
+kernel.grsecurity.socket_client = 1
+kernel.grsecurity.socket_client_gid = 203
+kernel.grsecurity.socket_server = 1
+kernel.grsecurity.socket_server_gid = 204
+
+#
+# Prevent any new USB devices from being recognized by the OS.
+#
+
+#kernel.grsecurity.deny_new_usb = 1
+
+#
+# Restrict grsec sysctl changes after this was set
+#
+
+kernel.grsecurity.grsec_lock = 0