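#!/sbin/runscript
# grsecurity configuration script
# part of the grsecurity init.d script written for Gentoo by Bluefox Icy
# DO NOT SIMPLIFY THIS FILE!  IT TOOK ME OVER FOUR HOURS TO WRITE THIS AND I
# WILL BE PISSED OFF AT YOU AND MIGHT FIND YOU AND KICK YOUR ASS!!!  BZIP2 IT
# FOR DISTRIBUTION GOD!!!!!
# Distributed under gpl v2.0.  All clauses apply, especially that of
# NO WARRANTY

# This file reads options GRSEC_{SYSCTL} which are in the grsecurity conf.d
# file and uses them to set the sysctl's.
#
# These each have a description attached to them in the conf.d file.
#
# Variables read by this script (all expected to come from the conf.d files):
#   GRSECURITY_SYSCTL_DIR        directory holding the grsecurity sysctl nodes
#   GRSECURITY_CRITICAL          1 = run "telinit 1" when setup or lock fails
#   GRSECURITY_NO_LOCK_ON_ERROR  1 = return without locking after a set error
#   GRSECURITY_AUTO_GRSEC_LOCK   1 = write 1 to grsec_lock after applying
#   GRSECURITY_HIDESYS           1 = keep the sysctl directory out of messages
#   GRSEC_*                      one value per sysctl node
#
# Security notes:
#   * /etc/conf.d/grsconfity is sourced, i.e. executed, with the privileges of
#     this init script.  It must be writable by root only.
#   * Writes only go to nodes that already exist under GRSECURITY_SYSCTL_DIR.
#     With an empty or wrong directory a bare redirection would create plain
#     files (in / when the variable is empty), succeed, and report hardening
#     and the lock as applied although the kernel was never touched.

#######################################
# Write one value to an existing node under GRSECURITY_SYSCTL_DIR.
# Globals:   GRSECURITY_SYSCTL_DIR (read)
# Arguments: $1 - node name, $2 - value to write
# Returns:   0 if the write succeeded; non-zero if the directory is unset,
#            the node does not exist, or the write failed
#######################################
grsec_write_sysctl() {
	# Fail closed: an unset directory would otherwise resolve to "/$1".
	[ -n "${GRSECURITY_SYSCTL_DIR}" ] || return 1
	# Never create the target; a missing node means the option is not there.
	[ -e "${GRSECURITY_SYSCTL_DIR}/$1" ] || return 1
	printf '%s\n' "$2" > "${GRSECURITY_SYSCTL_DIR}/$1"
}

#######################################
# Set one grsecurity sysctl and report the result through ebegin/eend.
# I would prefer a function setSecurity(sysrq, value)
# Globals:   GRSECURITY_SYSCTL_DIR (read), GRSECURITY_ERROR (set to 1 on failure)
# Arguments: $1 - sysctl node name, $2 - value to write
# Returns:   the status of eend, called with 0 on success and 1 on failure
# Note:      an empty $2 is still written as-is; whether the kernel rejects it
#            is not checked here.
#######################################
setsecurity() {
	local rc=0

	ebegin "Setting $1 to $2"
	if ! grsec_write_sysctl "$1" "$2"; then
		rc=1
		eerror "failed to set $1"
		GRSECURITY_ERROR=1
	fi
	eend "$rc"
}

#######################################
# "Stop" the service.  Nothing is undone; this only reports success.
# Returns: 0 always
#######################################
stop() {
	ebegin "Faking a grsecurity stop"
	#eerror "CANNOT STOP GRSECURITY!"
	eend 0
	return 0
}

#######################################
# Load the configuration, apply every grsecurity sysctl and optionally lock
# the settings.
# Globals:   see the variable list at the top of the file;
#            GRSECURITY_ERROR and GRSYSDIR2 are written
# Returns:   1 if the config cannot be loaded; otherwise GRSECURITY_ERROR
#            (0 = all set, 1 = at least one sysctl failed, 100 = lock failed)
#######################################
start() {
	local lock_rc=0

	ebegin "Bringing up grsecurity"

	# NOTE(review): this check runs before grsconfity is sourced below, so
	# GRSECURITY_CRITICAL presumably comes from the conf.d file the init system
	# loads for this script -- confirm.  ":-0" keeps an unset flag from making
	# the numeric test print an error.
	if [ "${GRSECURITY_CRITICAL:-0}" -eq 1 ]; then
		# The message still announces five seconds, but the countdown below
		# is disabled, so no delay actually happens.
		echo "Warning: grsecurity is set as mission critical. You have five seconds to abort. If grsecurity does not load properly, the system will immediately drop into runlevel 1 for root-only console matinence due to a severe security compromise."
	fi

	# countdown deprecated.
	# foreach i in {5 4 3 2 1} {
	#   echo -n "$i "
	#   sleep 1
	# }
	# echo -e "\n"

	GRSECURITY_ERROR="0"
	ebegin "Loading config..."
	# NOTE(review): the file name "grsconfity" is kept exactly as the script
	# had it; confirm it is the intended name and not a misspelling.
	. /etc/conf.d/grsconfity || GRSECURITY_ERROR=1
	if [ "${GRSECURITY_ERROR}" -eq 1 ]; then
		eerror "Can not load config!!!"
		eend 1
		eerror "Loading grsecurity failed!!!"
		eend 1
		return 1
	fi
	eend 0

	# This seems to not be read/write, not what it seems
	# setsecurity "acl" "${GRSEC_ACL}"
	setsecurity "linking_restrictions" "${GRSEC_LINKING_RESTRICTIONS}"
	setsecurity "fifo_restrictions" "${GRSEC_FIFO_RESTRICTIONS}"
	setsecurity "chroot_deny_mount" "${GRSEC_CHROOT_DENY_MOUNT}"
	setsecurity "chroot_deny_chroot" "${GRSEC_CHROOT_DENY_CHROOT}"
	setsecurity "chroot_deny_pivot" "${GRSEC_CHROOT_DENY_PIVOT}"
	setsecurity "chroot_enforce_chdir" "${GRSEC_CHROOT_ENFORCE_CHDIR}"
	setsecurity "chroot_deny_chmod" "${GRSEC_CHROOT_DENY_CHMOD}"
	setsecurity "chroot_deny_fchdir" "${GRSEC_CHROOT_DENY_FCHDIR}"
	setsecurity "chroot_deny_mknod" "${GRSEC_CHROOT_DENY_MKNOD}"
	setsecurity "chroot_deny_shmat" "${GRSEC_CHROOT_DENY_SHMAT}"
	setsecurity "chroot_deny_unix" "${GRSEC_CHROOT_DENY_UNIX}"
	setsecurity "chroot_findtask" "${GRSEC_CHROOT_FINDTASK}"
	setsecurity "chroot_restrict_nice" "${GRSEC_CHROOT_RESTRICT_NICE}"
	# Every other option is read from a GRSEC_-prefixed variable; this one was
	# read from CHROOT_DENY_SYSCTL only.  Prefer the prefixed name and fall back
	# to the old one so an existing config keeps working.
	setsecurity "chroot_deny_sysctl" "${GRSEC_CHROOT_DENY_SYSCTL:-${CHROOT_DENY_SYSCTL}}"
	setsecurity "chroot_caps" "${GRSEC_CHROOT_CAPS}"
	setsecurity "audit_group" "${GRSEC_AUDIT_GROUP}"
	setsecurity "audit_gid" "${GRSEC_AUDIT_GID}"
	setsecurity "exec_logging" "${GRSEC_EXEC_LOGGING}"
	setsecurity "chroot_execlog" "${GRSEC_CHROOT_EXECLOG}"
	setsecurity "audit_chdir" "${GRSEC_AUDIT_CHDIR}"
	setsecurity "audit_mount" "${GRSEC_AUDIT_MOUNT}"
	setsecurity "audit_ipc" "${GRSEC_AUDIT_IPC}"
	setsecurity "signal_logging" "${GRSEC_SIGNAL_LOGGING}"
	setsecurity "forkfail_logging" "${GRSEC_FORKFAIL_LOGGING}"
	setsecurity "timechange_logging" "${GRSEC_TIMECHANGE_LOGGING}"
	setsecurity "execve_limiting" "${GRSEC_EXECVE_LIMITING}"
	setsecurity "dmesg" "${GRSEC_DMESG}"
	setsecurity "rand_pids" "${GRSEC_RAND_PIDS}"
	setsecurity "tpe" "${GRSEC_TPE}"
	setsecurity "tpe_gid" "${GRSEC_TPE_GID}"
	setsecurity "tpe_restrict_all" "${GRSEC_TPE_RESTRICT_ALL}"
	setsecurity "rand_isns" "${GRSEC_RAND_ISNS}"
	setsecurity "rand_ip_ids" "${GRSEC_RAND_IP_IDS}"
	setsecurity "rand_tcp_src_ports" "${GRSEC_RAND_TCP_SRC_PORTS}"
	setsecurity "rand_rpc" "${GRSEC_RAND_RPC}"
	setsecurity "altered_pings" "${GRSEC_ALTERED_PINGS}"
	setsecurity "socket_all" "${GRSEC_SOCKET_ALL}"
	setsecurity "socket_all_gid" "${GRSEC_SOCKET_ALL_GID}"
	setsecurity "socket_client" "${GRSEC_SOCKET_CLIENT}"
	setsecurity "socket_client_gid" "${GRSEC_SOCKET_CLIENT_GID}"
	setsecurity "socket_server" "${GRSEC_SOCKET_SERVER}"
	setsecurity "socket_server_gid" "${GRSEC_SOCKET_SERVER_GID}"

	# Now, if there's an error, scream at us and if we are a mission critical box
	# then send us into maintenance mode, superuser only.
	if [ "${GRSECURITY_HIDESYS:-0}" -eq 1 ]; then
		GRSYSDIR2="[GRSECURITY_HIDESYS set to 1, GRSECURITY_SYSCTL_DIR not being shown]"
	else
		GRSYSDIR2="${GRSECURITY_SYSCTL_DIR}"
	fi

	if [ "${GRSECURITY_ERROR}" -eq 1 ]; then
		eerror "Warning: Some of grsecurity could not be set. Please check your kernel configuration. Make sure sysctl is compiled in and that ALL options with sysctl are compiled in. Check /etc/conf.d/grsecurity for a list of supported options with sysctl objects in /proc. Also, make sure the version of grsecurity you are using uses sysctl directory '${GRSYSDIR2}'. If it does NOT use that directory, please edit /etc/conf.d/grsconfity and alter the GRSECURITY_SYSCTL_DIR variable to match the sysctl directory that grsecurity uses."
		if [ "${GRSECURITY_CRITICAL:-0}" -eq 1 ]; then
			telinit 1
		fi
		# With this flag set a partial configuration is left unlocked and the
		# error is returned; without it the script goes on to lock what was set.
		if [ "${GRSECURITY_NO_LOCK_ON_ERROR:-0}" -eq 1 ]; then
			eend "${GRSECURITY_ERROR}"
			return "${GRSECURITY_ERROR}"
		fi
	fi

	# Good.  Now, LOCK all the grsecurity settings.  If this fails, give a severe
	# warning about security being compromised.  If mission crit, then telinit 1.
	if [ "${GRSECURITY_AUTO_GRSEC_LOCK}" = "1" ]; then
		ebegin "Locking grsecurity"
		# Same guarded write as setsecurity: the lock only counts as applied
		# when the grsec_lock node exists and accepted the value.
		grsec_write_sysctl "grsec_lock" "1" || lock_rc=1
		if [ "$lock_rc" -eq 1 ]; then
			eerror "WARNING!!! SEVERE ERROR: CANNOT LOCK GRSECURITY! SYSTEM IS NOT SECURE!!!"
			GRSECURITY_ERROR=100
			if [ "${GRSECURITY_CRITICAL:-0}" -eq 1 ]; then
				telinit 1
			fi
		fi
		eend "$lock_rc"
		# Critical; security not started!
		# Closes the outer "Bringing up grsecurity" with the overall status,
		# which may still be 1 from an earlier failed sysctl.
		eend "${GRSECURITY_ERROR}"
		return "${GRSECURITY_ERROR}"
	fi

	# Reached only when automatic locking is disabled.  The outer ebegin is
	# closed as OK, but the return value still carries any earlier set error.
	eend 0
	return "${GRSECURITY_ERROR}"
}

# end of file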