author | Ariadne Conill <ariadne@dereferenced.org> | 2020-03-22 08:53:27 +0000 |
committer | Ariadne Conill <ariadne@dereferenced.org> | 2020-03-22 08:54:21 +0000 |
commit | 4752e2ea33e3239638b4fddf93071a8b6367b636 (patch) | |
tree | 92c2cec979850151060656e19c78ae9cd021820b /unmaintained | |
parent | b2ef659b31b2c0916f030ad284e51a7aef39bf10 (diff) | |
main/gradm: move to unmaintained
Alpine has not supported grsecurity in years, so the policy has bitrotted
and is certainly useless by now.
Diffstat (limited to 'unmaintained')
-rw-r--r-- | unmaintained/gradm/APKBUILD | 57 | ||||
-rw-r--r-- | unmaintained/gradm/base.policyd | 133 | ||||
-rw-r--r-- | unmaintained/gradm/grsec-rbac.initd | 14 | ||||
-rw-r--r-- | unmaintained/gradm/policy | 211 |
4 files changed, 415 insertions, 0 deletions
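--- /dev/null
+++ b/unmaintained/gradm/APKBUILD
@@ -0,0 +1,57 @@
+# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
+pkgname=gradm
+pkgver=3.1.201607172312
+_ver=${pkgver/.20/-20}
+pkgrel=0
+pkgdesc="administrative utility for grsecurity kernels"
+url="http://www.grsecurity.org/"
+arch="all"
+license="GPL"
+makedepends="bison flex-dev linux-headers"
+install=""
+subpackages="$pkgname-doc"
+source="https://dev.gentoo.org/~blueness/hardened-sources/gradm/gradm-$_ver.tar.gz
+policy
+base.policyd
+grsec-rbac.initd"
+
+_builddir="$srcdir/gradm"
+prepare() {
+local i
+cd "$_builddir"
+for i in $source; do
+case $i in
+*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+esac
+done
+}
+
+build() {
+cd "$_builddir"
+make LIBS="" || return 1
+}
+
+package() {
+cd "$_builddir"
+make LIBS="" INSTALL=install DESTDIR="$pkgdir" install || return 1
+
+# we don't want the grsecurity-recommended policy as it's old
+# and non-modular.
+rm "$pkgdir"/etc/grsec/policy
+
+# install the base policy file which pulls in everything else.
+install -m644 "$srcdir"/policy "$pkgdir"/etc/grsec/policy
+
+# prepare and install base policy to /var/lib/grsec/policy.d
+install -d -D "$pkgdir"/var/lib/grsec/policy.d
+install -m644 "$srcdir"/base.policyd "$pkgdir"/var/lib/grsec/policy.d/00-base
+
+# install grsec-rbac into initd
+install -d -D "$pkgdir"/etc/init.d
+install -m755 "$srcdir"/grsec-rbac.initd "$pkgdir"/etc/init.d/grsec-rbac
+}
+
+sha512sums="61f14038ee555b99e4d0096dd01697d8adba45e057ffceadb44eafbdfba807b53030684c5073d169c005902acfa6baa673975ed4ab00ad035941c209f8f1d2e2 gradm-3.1-201607172312.tar.gz
+0cd4a85d40815813129c669400a9e2fb4b5258c1d20dae8075e3f3123c3ff1ece9dc3a16209ef8d6cb968477ab687926923bcdca0b78fb3beff105a699284a01 policy
+8b6a3a6cf550119dbf162d6dffcf5acef30cae6b070a028d5d5697bf20ce5e0d7e1900992f7c88c60b2eb5e5118561753e8111440a6032922780620ac25ee7cb base.policyd
+7f53992506edcedfd97b5b3581da80ffbc1a1a79ad3c5e7b7982f9d41387bea34077045d36595a631a87e96a25819b3c569ca94c344a0581ead8c5e5dbd32c1d grsec-rbac.initd"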
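Review bot: `license="GPL"` on line 9 is not an SPDX identifier and leaves the version unstated; `license="GPL-2.0-only"` is the usual form if the tarball's COPYING confirms it, which the hunk cannot show. The tarball on line 13 is fetched from a Gentoo developer's personal directory rather than the project `url` on line 7, so the sha512 pin on line 54 is the only provenance check the build performs; a one-line comment above `source=` recording why that mirror is used would let the next maintainer judge whether to keep trusting it. The `prepare()` loop applies `*.patch` entries, but `source=` lists none, so that branch is dead code here. Since the commit only parks the package under unmaintained, none of this needs to block it.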
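--- /dev/null
+++ b/unmaintained/gradm/base.policyd
@@ -0,0 +1,133 @@
+role admin sA
+subject / rvka
+/ rwcdmlxi
+
+role default G
+role_transitions admin
+subject / dpo
+/ r
+/opt rx
+/home rwxcd
+/mnt rw
+/dev
+/dev/grsec h
+/dev/urandom r
+/dev/random r
+/dev/zero rw
+/dev/input rw
+/dev/psaux rw
+/dev/null rw
+/dev/tty? rw
+/dev/hvc? rw
+/dev/console rw
+/dev/tty rw
+/dev/pts rw
+/dev/ptmx rw
+/dev/dsp rw
+/dev/mixer rw
+/dev/initctl rw
+/dev/fd0 r
+/dev/cdrom r
+/dev/mem h
+/dev/kmem h
+/dev/port h
+/bin rx
+/sbin rx
+/lib rx
+/usr rx
+/etc rx
+/proc rwx
+/proc/slabinfo h
+/proc/kcore h
+/proc/kallsyms h
+/proc/modules h
+/proc/sys r
+/root r
+/tmp rwcd
+/var rwxcd
+/var/tmp rwcd
+/var/log r
+/boot h
+/lib/modules h
+/etc/grsec h
+/var/lib/grsec h
+
+-CAP_KILL
+-CAP_SYS_TTY_CONFIG
+-CAP_LINUX_IMMUTABLE
+-CAP_NET_RAW
+-CAP_MKNOD
+-CAP_SYS_ADMIN
+-CAP_SYS_RAWIO
+-CAP_SYS_MODULE
+-CAP_SYS_PTRACE
+-CAP_NET_ADMIN
+-CAP_NET_BIND_SERVICE
+-CAP_NET_RAW
+-CAP_SYS_CHROOT
+-CAP_SYS_BOOT
+-CAP_SETFCAP
+
+# the d flag protects /proc fd and mem entries for sshd
+# all daemons should have 'p' in their subject mode to prevent
+# an attacker from killing the service (and restarting it with trojaned
+# config file or taking the port it reserved to run a trojaned service)
+subject /usr/sbin/sshd dpo
+/ h
+/bin/sh x
+/bin/bash x
+/dev h
+/dev/log rw
+/dev/random r
+/dev/urandom r
+/dev/null rw
+/dev/ptmx rw
+/dev/pts rw
+/dev/tty rw
+/dev/tty? rw
+/etc r
+/etc/passwd r
+/etc/shadow r
+/etc/grsec h
+/home rwcd
+/lib rx
+/root
+/proc r
+/proc/*/oom_adj w
+/proc/kcore h
+/proc/sys h
+/usr/lib rx
+/usr/share/zoneinfo r
+/var/log
+/var/mail
+/var/log/lastlog rw
+/var/log/wtmp w
+/var/run/sshd
+/var/run/utmp rw
+/var/empty rw
+
+-CAP_ALL
++CAP_CHOWN
++CAP_SETGID
++CAP_SETUID
++CAP_SYS_CHROOT
++CAP_SYS_RESOURCE
++CAP_SYS_TTY_CONFIG
+
+subject /usr/bin/ssh
+/etc/ssh/ssh_config r
+
+subject /bin/busybox
++CAP_SYS_ADMIN
++CAP_SYS_BOOT
+/root/.ash_history rw
+/dev/log rwc
+/var/log rwc
+/var/log/messages rwc
+/var/log/wtmp w
+/var/log/faillog rwcd
+
+subject /usr/bin/sudo
++CAP_SYS_ADMIN
+/dev/log rw
+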
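Review bot: The `/bin/busybox` subject at lines 120-122 grants CAP_SYS_ADMIN and CAP_SYS_BOOT to a binary that on Alpine is also the interactive shell (ash, `.ash_history` on line 123 confirms that use) and most of the userland, and subjects are matched by path, so whichever way subject inheritance resolves the drops made in the default role's `/` subject, a root login shell keeps exactly the two capabilities that subject tried to remove. The policy format documented in `policy` offers nested subjects (`subject /bin/su:/bin/bash:/bin/cat`) as the way to scope privilege to a call path; moving the two grants under nested subjects for the specific callers that need them would be the usual fix, though which callers those are on Alpine is not visible in this hunk. The same question applies to `+CAP_SYS_ADMIN` for `/usr/bin/sudo` on line 131, which has no comment saying why sudo needs it. Separately, `-CAP_NET_RAW` is listed twice in the default subject (lines 58 and 66); one can go. As the commit only parks the file under unmaintained, these are notes for whoever revives the policy rather than blockers.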
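--- /dev/null
+++ b/unmaintained/gradm/grsec-rbac.initd
@@ -0,0 +1,14 @@
+#!/sbin/openrc-run
+
+start() {
+ebegin "Enabling grsecurity RBAC policy"
+gradm -E
+eend $?
+}
+
+stop() {
+ebegin "Disabling grsecurity RBAC policy"
+gradm -D
+eend $?
+}
+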
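Review bot: The script has no `depend()` block, so OpenRC gives `gradm -E` on line 5 no ordering relative to mounting `/var` (the system policy includes `/var/lib/grsec/policy.d`) or to the daemons the policy confines, and if `gradm -E` fails the service merely reports a non-zero `eend` status while boot continues with RBAC disabled. Adding `depend() { need localmount; before sshd; }` (adjusted to whichever services the policy is meant to cover) makes the ordering explicit, and a comment above `start()` noting that a failed enable is fail-open would at least make the trade-off visible to the admin. The stop branch runs `gradm -D` unconditionally; as far as I recall that prompts for the RBAC admin password, so a non-interactive `rc-service grsec-rbac stop` would fail, but I cannot confirm that from the hunk.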
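--- /dev/null
+++ b/unmaintained/gradm/policy
@@ -0,0 +1,211 @@
+# Base grsecurity policy for Alpine.
+#
+# If you want to use a custom policy, or add on local modifications to
+# the system policy, edit below the include line or remove the include
+# line to completely remove the system policy entirely from your setup.
+#
+# Documentation on the file format as provided in the sample policy file
+# follow below for your reference:
+## Role flags:
+# A -> This role is an administrative role, thus it has special privilege normal
+# roles do not have. In particular, this role bypasses the
+# additional ptrace restrictions
+# N -> Don't require authentication for this role. To access
+# the role, use gradm -n <rolename>
+# s -> This role is a special role, meaning it does not belong to a
+# user or group, and does not require an enforced secure policy
+# base to be included in the ruleset
+# u -> This role is a user role
+# g -> This role is a group role
+# G -> This role can use gradm to authenticate to the kernel
+# A policy for gradm will automatically be added to the role
+# T -> Enable TPE for this role
+# l -> Enable learning for this role
+# P -> Use PAM authentication for this role.
+#
+# a role can only be one of user, group, or special
+#
+# role_allow_ip IP/optional netmask
+# eg: role_allow_ip 192.168.1.0/24
+# You can have as many of these per role as you want
+# They restrict the use of a role to a list of IPs. If a user
+# is on the system that would normally get the role does not
+# belong to those lists of IPs, the system falls back through
+# its method of determining a role for the user
+#
+# Role hierarchy
+# user -> group -> default
+# First a user role attempts to match, if one is not found,
+# a group role attempts to match, if one is not found,
+# the default role is used.
+#
+# role_transitions <special role 1> <special role 2> ... <special role n>
+# eg: role_transitions www_admin dns_admin
+#
+# role transitions specify which special roles a given role is allowed
+# to authenticate to. This applies to special roles that do not
+# require password authentication as well. If a user tries to
+# authenticate to a role that is not within his transition table, he
+# will receive a permission denied error
+#
+# Nested subjects
+# subject /bin/su:/bin/bash:/bin/cat
+# / rwx
+# +CAP_ALL
+# grant privilege to specific processes if they are executed
+# within a trusted path. In this case, privilege is
+# granted if /bin/cat is executed from /bin/bash, which is
+# executed from /bin/su.
+#
+# Configuration inheritance on nested subjects
+# nested subjects inherit rules from their parents. In the
+# example above, the nested subject would inherit rules
+# from the nested subject for /bin/su:/bin/bash,
+# and the subject /bin/su
+# View the 1.9.x documentation for more information on
+# configuration inheritance
+#
+# new object modes:
+# m -> allow creation of setuid/setgid files/directories
+# and modification of files/directories to be setuid/setgid
+# M -> audit the setuid/setgid creation/modification
+# c -> allow creation of the file/directory
+# C -> audit the creation
+# d -> allow deletion of the file/directory
+# D -> audit the deletion
+# p -> reject all ptraces to this object
+# l -> allow a hardlink at this path
+# (hardlinking requires at a minimum c and l modes, and the target
+# link cannot have any greater permission than the source file)
+# L -> audit link creation
+# new subject modes:
+# O -> disable "writable library" restrictions for this task
+# t -> allow this process to ptrace any process (use with caution)
+# r -> relax ptrace restrictions (allows process to ptrace processes
+# other than its own descendants)
+# i -> enable inheritance-based learning for this subject, causing
+# all accesses of this subject and anything it executes to be placed
+# in this subject, and inheritance flags added to executable objects
+# in this subject
+# a -> allow this process to talk to the /dev/grsec device
+#
+# user/group transitions:
+# You may now specify what users and groups a given subject can
+# transition to. This can be done on an inclusive or exclusive basis.
+# Omitting these rules allows a process with proper privilege granted by
+# capabilities to transition to any user/group.
+#
+# Examples:
+# subject /bin/su
+# user_transition_allow root spender
+# group_transition_allow root spender
+# subject /bin/su
+# user_transition_deny evilhacker
+# subject /bin/su
+# group_transition_deny evilhacker1 evilhacker2
+#
+# Domains:
+# With domains you can combine users that don't share a common
+# GID as well as groups so that they share a single policy
+# Domains work just like roles, with the only exception being that
+# the line starting with "role" is replaced with one of the following:
+# domain somedomainname u user1 user2 user3 user4 ... usern
+# domain somedomainname g group1 group2 group3 group4 ... groupn
+#
+# Inverted socket policies:
+# Rules such as
+# connect ! www.google.com:80 stream tcp
+# are now allowed, which allows you to specify that a process can connect to anything
+# except to port 80 of www.google.com with a stream tcp socket
+# the inverted socket matching also works on bind rules
+#
+# INADDR_ANY overriding
+# You can now force a given subject to bind to a particular IP address on the machine
+# This is useful for some chrooted environments, to ensure that the source IP they
+# use is one of your choosing
+# to use, add a line like:
+# ip_override 192.168.0.1
+#
+# Per-interface socket policies:
+# Rules such as
+# bind eth1:80 stream tcp
+# bind eth0#1:22 stream tcp
+# are now allowed, giving you the ability to tie specific socket rules
+# to a single interface (or by using the inverted rules, all but one
+# interface). Virtual interfaces are specified by the <ifname>#<vindex>
+# syntax. If an interface is specified, no IP/netmask or host may be
+# specified for the rule.
+#
+# New learning system:
+# To learn on a given subject: add l (the letter l, not the number 1)
+# to the subject mode
+# If you want to learn with the most restrictive policy, use the
+# following:
+# subject /path/to/bin lo
+# / h
+# -CAP_ALL
+# connect disabled
+# bind disabled
+# Resource learning is also supported, so lines like
+# RES_AS 0 0
+# can be used to learn a particular resource
+#
+# To learn on a given role, add l to the role mode
+# For both of these, to enable learning, enable the system like:
+# gradm -L /etc/grsec/learning.logs -E
+# and then generate the rules after disabling the system after the
+# learning phase with:
+# gradm -L /etc/grsec/learning.logs -O /etc/grsec/policy
+# To use full system learning, enable the system like:
+# gradm -F -L /etc/grsec/learning.logs
+# and then generate the rules after disabling the system after the
+# learning phase with:
+# gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/policy
+#
+# New PaX flag format (replaces PaX subject flags):
+# PaX flags can be forced on or off, regardless of the flags on the
+# binary, by using + or - before the following PaX flag names:
+# PAX_SEGMEXEC
+# PAX_PAGEEXEC
+# PAX_MPROTECT
+# PAX_RANDMMAP
+# PAX_EMUTRAMP
+#
+# New feature for easier policy maintenance:
+# replace <variable name> <replace string>
+# e.g.:
+# replace CVSROOT /home/cvs
+# now $(CVSROOT) can be used in any subject or object pathname, like:
+# $(CVSROOT)/grsecurity r
+# This will translate to /home/cvs/grsecurity r
+# This feature makes it easier to update policies by naming specific
+# paths by their function, then only having to update those paths once
+# to have it affect a large number of subjects/objects.
+#
+# capability auditing / log suppression
+# use of a capability can be audited by adding "audit" to the line, eg:
+# +CAP_SYS_RAWIO audit
+# log suppression for denial of a capbility can be done by adding "suppress":
+# -CAP_SYS_RAWIO suppress
+#
+# Note that the omission of any feature of a role or subject
+# results in a default-allow
+# For instance, if no capability rules are added, an implicit +CAP_ALL is used
+#
+
+#
+# Default security policy provided by packages in Alpine are installed into
+# /var/lib/grsec/policy.d as /var/lib/grsec/policy.d/$pkgname where $pkgname
+# is the package name. It is not recommended that you edit those definitions
+# unless you know what you're doing, as the Alpine system may depend on the
+# presence of those definitions.
+#
+
+include </var/lib/grsec/policy.d>
+
+#
+# If you wish to add any additions to the system policy, you may do so below
+# this line. As the configuration is read top-to-bottom, any changes you make
+# here may override the default security policy.
+#
+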
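Review bot: The comment at lines 197-199 states that package policies are installed as `/var/lib/grsec/policy.d/$pkgname`, but the APKBUILD in this same commit installs this package's own rules as `policy.d/00-base`, so the documented convention and the actual layout disagree; I would reword it to `# /var/lib/grsec/policy.d (this package ships its rules there as 00-base)` or whatever naming the directory is meant to follow. Lines 207-209 promise that later text overrides earlier text, which holds for rules written below the `include`, but say nothing about the order in which gradm reads the files inside the included directory; a sentence stating how files in `policy.d` are ordered (the `00-` prefix suggests by name, but I cannot confirm that from here) would close the gap, since override semantics between packages depend on it. Documentation only, no rule change.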