main/gradm: move to unmaintained

Alpine has not supported grsecurity in years, so the policy has bitrotted
and is certainly useless by now.

4 files changed, 415 insertions, 0 deletions

diff --git a/unmaintained/gradm/APKBUILD b/unmaintained/gradm/APKBUILD
new file mode 100644
index 0000000000..adc2a88b8f
--- /dev/null
+++ b/unmaintained/gradm/APKBUILD
@@ -0,0 +1,57 @@
+# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
+pkgname=gradm
+pkgver=3.1.201607172312
+_ver=${pkgver/.20/-20}
+pkgrel=0
+pkgdesc="administrative utility for grsecurity kernels"
+url="http://www.grsecurity.org/"
+arch="all"
+license="GPL"
+makedepends="bison flex-dev linux-headers"
+install=""
+subpackages="$pkgname-doc"
+source="https://dev.gentoo.org/~blueness/hardened-sources/gradm/gradm-$_ver.tar.gz
+        policy
+        base.policyd
+        grsec-rbac.initd"
+
+_builddir="$srcdir/gradm"
+prepare() {
+        local i
+        cd "$_builddir"
+        for i in $source; do
+                case $i in
+                *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+                esac
+        done
+}
+
+build() {
+        cd "$_builddir"
+        make LIBS="" || return 1
+}
+
+package() {
+        cd "$_builddir"
+        make LIBS="" INSTALL=install DESTDIR="$pkgdir" install || return 1
+
+        # we don't want the grsecurity-recommended policy as it's old
+        # and non-modular.
+        rm "$pkgdir"/etc/grsec/policy
+
+        # install the base policy file which pulls in everything else.
+        install -m644 "$srcdir"/policy "$pkgdir"/etc/grsec/policy
+
+        # prepare and install base policy to /var/lib/grsec/policy.d
+        install -d -D "$pkgdir"/var/lib/grsec/policy.d
+        install -m644 "$srcdir"/base.policyd "$pkgdir"/var/lib/grsec/policy.d/00-base
+
+        # install grsec-rbac into initd
+        install -d -D "$pkgdir"/etc/init.d
+        install -m755 "$srcdir"/grsec-rbac.initd "$pkgdir"/etc/init.d/grsec-rbac
+}
+
+sha512sums="61f14038ee555b99e4d0096dd01697d8adba45e057ffceadb44eafbdfba807b53030684c5073d169c005902acfa6baa673975ed4ab00ad035941c209f8f1d2e2  gradm-3.1-201607172312.tar.gz
+0cd4a85d40815813129c669400a9e2fb4b5258c1d20dae8075e3f3123c3ff1ece9dc3a16209ef8d6cb968477ab687926923bcdca0b78fb3beff105a699284a01  policy
+8b6a3a6cf550119dbf162d6dffcf5acef30cae6b070a028d5d5697bf20ce5e0d7e1900992f7c88c60b2eb5e5118561753e8111440a6032922780620ac25ee7cb  base.policyd
+7f53992506edcedfd97b5b3581da80ffbc1a1a79ad3c5e7b7982f9d41387bea34077045d36595a631a87e96a25819b3c569ca94c344a0581ead8c5e5dbd32c1d  grsec-rbac.initd"
diff --git a/unmaintained/gradm/base.policyd b/unmaintained/gradm/base.policyd
new file mode 100644
index 0000000000..cf66e7301e
--- /dev/null
+++ b/unmaintained/gradm/base.policyd
@@ -0,0 +1,133 @@
+role admin sA
+subject / rvka
+        / rwcdmlxi
+
+role default G
+role_transitions admin
+subject / dpo
+        /               r
+        /opt            rx
+        /home           rwxcd
+        /mnt            rw
+        /dev
+        /dev/grsec      h
+        /dev/urandom    r
+        /dev/random     r
+        /dev/zero       rw
+        /dev/input      rw
+        /dev/psaux      rw
+        /dev/null       rw
+        /dev/tty?       rw
+        /dev/hvc?       rw
+        /dev/console    rw
+        /dev/tty        rw
+        /dev/pts        rw
+        /dev/ptmx       rw
+        /dev/dsp        rw
+        /dev/mixer      rw
+        /dev/initctl    rw
+        /dev/fd0        r
+        /dev/cdrom      r
+        /dev/mem        h
+        /dev/kmem       h
+        /dev/port       h
+        /bin            rx
+        /sbin           rx
+        /lib            rx
+        /usr            rx
+        /etc            rx
+        /proc           rwx
+        /proc/slabinfo  h
+        /proc/kcore     h
+        /proc/kallsyms  h
+        /proc/modules   h
+        /proc/sys       r
+        /root           r
+        /tmp            rwcd
+        /var            rwxcd
+        /var/tmp        rwcd
+        /var/log        r
+        /boot           h
+        /lib/modules    h
+        /etc/grsec      h
+        /var/lib/grsec  h
+        
+        -CAP_KILL
+        -CAP_SYS_TTY_CONFIG
+        -CAP_LINUX_IMMUTABLE
+        -CAP_NET_RAW
+        -CAP_MKNOD
+        -CAP_SYS_ADMIN
+        -CAP_SYS_RAWIO
+        -CAP_SYS_MODULE
+        -CAP_SYS_PTRACE
+        -CAP_NET_ADMIN
+        -CAP_NET_BIND_SERVICE
+        -CAP_NET_RAW
+        -CAP_SYS_CHROOT
+        -CAP_SYS_BOOT
+        -CAP_SETFCAP
+
+# the d flag protects /proc fd and mem entries for sshd
+# all daemons should have 'p' in their subject mode to prevent
+# an attacker from killing the service (and restarting it with trojaned
+# config file or taking the port it reserved to run a trojaned service)
+subject /usr/sbin/sshd dpo
+        /               h
+        /bin/sh         x
+        /bin/bash       x
+        /dev            h
+        /dev/log        rw
+        /dev/random     r
+        /dev/urandom    r
+        /dev/null       rw
+        /dev/ptmx       rw
+        /dev/pts        rw
+        /dev/tty        rw
+        /dev/tty?       rw
+        /etc            r
+        /etc/passwd     r
+        /etc/shadow     r
+        /etc/grsec      h
+        /home           rwcd
+        /lib            rx
+        /root
+        /proc           r
+        /proc/*/oom_adj w
+        /proc/kcore     h
+        /proc/sys       h
+        /usr/lib        rx
+        /usr/share/zoneinfo r
+        /var/log
+        /var/mail
+        /var/log/lastlog        rw
+        /var/log/wtmp           w
+        /var/run/sshd
+        /var/run/utmp           rw
+        /var/empty              rw
+
+        -CAP_ALL
+        +CAP_CHOWN
+        +CAP_SETGID
+        +CAP_SETUID
+        +CAP_SYS_CHROOT
+        +CAP_SYS_RESOURCE
+        +CAP_SYS_TTY_CONFIG
+
+subject /usr/bin/ssh
+        /etc/ssh/ssh_config r
+
+subject /bin/busybox
+        +CAP_SYS_ADMIN
+        +CAP_SYS_BOOT
+        /root/.ash_history rw
+        /dev/log rwc
+        /var/log rwc
+        /var/log/messages rwc
+        /var/log/wtmp w
+        /var/log/faillog rwcd
+
+subject /usr/bin/sudo
+        +CAP_SYS_ADMIN
+        /dev/log rw
+
diff --git a/unmaintained/gradm/grsec-rbac.initd b/unmaintained/gradm/grsec-rbac.initd
new file mode 100644
index 0000000000..65ef1c5b67
--- /dev/null
+++ b/unmaintained/gradm/grsec-rbac.initd
@@ -0,0 +1,14 @@
+#!/sbin/openrc-run
+
+start() {
+        ebegin "Enabling grsecurity RBAC policy"
+                gradm -E
+        eend $?
+}
+
+stop() {
+        ebegin "Disabling grsecurity RBAC policy"
+                gradm -D
+        eend $?
+}
+
diff --git a/unmaintained/gradm/policy b/unmaintained/gradm/policy
new file mode 100644
index 0000000000..e5a3df439c
--- /dev/null
+++ b/unmaintained/gradm/policy
@@ -0,0 +1,211 @@
+# Base grsecurity policy for Alpine.
+#
+# If you want to use a custom policy, or add on local modifications to
+# the system policy, edit below the include line or remove the include
+# line to completely remove the system policy entirely from your setup.
+#
+# Documentation on the file format as provided in the sample policy file
+# follow below for your reference:
+## Role flags:
+# A -> This role is an administrative role, thus it has special privilege normal
+#      roles do not have.  In particular, this role bypasses the 
+#      additional ptrace restrictions
+# N -> Don't require authentication for this role.  To access
+#      the role, use gradm -n <rolename>
+# s -> This role is a special role, meaning it does not belong to a
+#      user or group, and does not require an enforced secure policy
+#      base to be included in the ruleset
+# u -> This role is a user role
+# g -> This role is a group role
+# G -> This role can use gradm to authenticate to the kernel
+#      A policy for gradm will automatically be added to the role
+# T -> Enable TPE for this role
+# l -> Enable learning for this role
+# P -> Use PAM authentication for this role.
+#
+# a role can only be one of user, group, or special
+#
+# role_allow_ip IP/optional netmask
+# eg: role_allow_ip 192.168.1.0/24
+# You can have as many of these per role as you want
+# They restrict the use of a role to a list of IPs.  If a user
+# is on the system that would normally get the role does not
+# belong to those lists of IPs, the system falls back through
+# its method of determining a role for the user
+#
+# Role hierarchy
+# user -> group -> default
+# First a user role attempts to match, if one is not found,
+# a group role attempts to match, if one is not found,
+# the default role is used.
+#
+# role_transitions <special role 1> <special role 2> ... <special role n>
+# eg: role_transitions www_admin dns_admin
+#
+# role transitions specify which special roles a given role is allowed
+# to authenticate to.  This applies to special roles that do not
+# require password authentication as well.  If a user tries to
+# authenticate to a role that is not within his transition table, he
+# will receive a permission denied error
+#
+# Nested subjects
+# subject /bin/su:/bin/bash:/bin/cat
+#         / rwx
+#         +CAP_ALL
+# grant privilege to specific processes if they are executed
+# within a trusted path.  In this case, privilege is
+# granted if /bin/cat is executed from /bin/bash, which is
+# executed from /bin/su.
+#
+# Configuration inheritance on nested subjects
+# nested subjects inherit rules from their parents.  In the
+# example above, the nested subject would inherit rules
+# from the nested subject for /bin/su:/bin/bash,
+# and the subject /bin/su
+# View the 1.9.x documentation for more information on
+# configuration inheritance
+#
+# new object modes:
+# m -> allow creation of setuid/setgid files/directories
+#      and modification of files/directories to be setuid/setgid
+# M -> audit the setuid/setgid creation/modification
+# c -> allow creation of the file/directory
+# C -> audit the creation
+# d -> allow deletion of the file/directory
+# D -> audit the deletion
+# p -> reject all ptraces to this object
+# l -> allow a hardlink at this path
+#       (hardlinking requires at a minimum c and l modes, and the target
+#        link cannot have any greater permission than the source file)
+# L -> audit link creation
+# new subject modes:
+# O -> disable "writable library" restrictions for this task
+# t -> allow this process to ptrace any process (use with caution)
+# r -> relax ptrace restrictions (allows process to ptrace processes
+#      other than its own descendants)
+# i -> enable inheritance-based learning for this subject, causing
+#      all accesses of this subject and anything it executes to be placed
+#      in this subject, and inheritance flags added to executable objects
+#      in this subject
+# a -> allow this process to talk to the /dev/grsec device
+#
+# user/group transitions:
+# You may now specify what users and groups a given subject can
+# transition to.  This can be done on an inclusive or exclusive basis.
+# Omitting these rules allows a process with proper privilege granted by
+# capabilities to transition to any user/group.
+#
+# Examples:
+# subject /bin/su
+# user_transition_allow root spender
+# group_transition_allow root spender
+# subject /bin/su
+# user_transition_deny evilhacker
+# subject /bin/su
+# group_transition_deny evilhacker1 evilhacker2
+#
+# Domains:
+# With domains you can combine users that don't share a common
+# GID as well as groups so that they share a single policy
+# Domains work just like roles, with the only exception being that
+# the line starting with "role" is replaced with one of the following:
+# domain somedomainname u user1 user2 user3 user4 ... usern
+# domain somedomainname g group1 group2 group3 group4 ... groupn
+#
+# Inverted socket policies:
+# Rules such as
+# connect ! www.google.com:80 stream tcp
+# are now allowed, which allows you to specify that a process can connect to anything
+# except to port 80 of www.google.com with a stream tcp socket
+# the inverted socket matching also works on bind rules
+#
+# INADDR_ANY overriding
+# You can now force a given subject to bind to a particular IP address on the machine
+# This is useful for some chrooted environments, to ensure that the source IP they
+# use is one of your choosing
+# to use, add a line like:
+# ip_override 192.168.0.1
+#
+# Per-interface socket policies:
+# Rules such as
+# bind eth1:80 stream tcp
+# bind eth0#1:22 stream tcp
+# are now allowed, giving you the ability to tie specific socket rules 
+# to a single interface (or by using the inverted rules, all but one 
+# interface).  Virtual interfaces are specified by the <ifname>#<vindex>
+# syntax.  If an interface is specified, no IP/netmask or host may be
+# specified for the rule.
+#
+# New learning system:
+# To learn on a given subject: add l (the letter l, not the number 1)
+# to the subject mode
+# If you want to learn with the most restrictive policy, use the 
+# following:
+# subject /path/to/bin lo
+#    / h
+#    -CAP_ALL
+#    connect disabled
+#    bind disabled
+# Resource learning is also supported, so lines like
+#    RES_AS 0 0
+# can be used to learn a particular resource
+#
+# To learn on a given role, add l to the role mode
+# For both of these, to enable learning, enable the system like:
+# gradm -L /etc/grsec/learning.logs -E
+# and then generate the rules after disabling the system after the 
+# learning phase with:
+# gradm -L /etc/grsec/learning.logs -O /etc/grsec/policy
+# To use full system learning, enable the system like:
+# gradm -F -L /etc/grsec/learning.logs
+# and then generate the rules after disabling the system after the 
+# learning phase with:
+# gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/policy
+#
+# New PaX flag format (replaces PaX subject flags):
+# PaX flags can be forced on or off, regardless of the flags on the 
+# binary, by using + or - before the following PaX flag names:
+# PAX_SEGMEXEC
+# PAX_PAGEEXEC
+# PAX_MPROTECT
+# PAX_RANDMMAP
+# PAX_EMUTRAMP
+#
+# New feature for easier policy maintenance:
+# replace <variable name> <replace string>
+# e.g.:
+# replace CVSROOT /home/cvs
+# now $(CVSROOT) can be used in any subject or object pathname, like:
+# $(CVSROOT)/grsecurity r
+# This will translate to /home/cvs/grsecurity r
+# This feature makes it easier to update policies by naming specific
+# paths by their function, then only having to update those paths once
+# to have it affect a large number of subjects/objects.
+#
+# capability auditing / log suppression
+# use of a capability can be audited by adding "audit" to the line, eg:
+# +CAP_SYS_RAWIO audit
+# log suppression for denial of a capbility can be done by adding "suppress":
+# -CAP_SYS_RAWIO suppress
+#
+# Note that the omission of any feature of a role or subject
+# results in a default-allow
+# For instance, if no capability rules are added, an implicit +CAP_ALL is used
+#
+
+#
+# Default security policy provided by packages in Alpine are installed into
+# /var/lib/grsec/policy.d as /var/lib/grsec/policy.d/$pkgname where $pkgname
+# is the package name.  It is not recommended that you edit those definitions
+# unless you know what you're doing, as the Alpine system may depend on the
+# presence of those definitions.
+#
+
+include </var/lib/grsec/policy.d>
+
+#
+# If you wish to add any additions to the system policy, you may do so below
+# this line.  As the configuration is read top-to-bottom, any changes you make
+# here may override the default security policy.
+#
+