Summary: | Startup script for grsecurity | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | mlmoser |
Component: | [OLD] Core system | Assignee: | solar (RETIRED) <solar> |
Status: | RESOLVED REMIND | ||
Severity: | enhancement | ||
Priority: | High | ||
Version: | 1.4_rc4 | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- | |
Attachments: |
patch for linux-2.4.20-gentoo-r5/arch/i386/defconfig to set up safe grsecurity
grsecurity startup script
grsecurity startup script configuration file |
Description
mlmoser
2003-07-10 14:45:53 UTC
Created attachment 14355 [details, diff]
patch for linux-2.4.20-gentoo-r5/arch/i386/defconfig to set up safe grsecurity
Patch linux-2.4.20-gentoo-r5/arch/i386/defconfig with this to turn on the
settings I used for grsecurity. They were the maximum I could use without
hindering myself. It's suitable for most users and won't get in the way.
Created attachment 14356 [details]
grsecurity startup script
A grsecurity script that reads /etc/conf.d/grsconfity for settings and sets up
the sysctls for grsecurity at boot. `rc-update add grsecurity boot` and
please modify to run as soon as /proc is accessible!
Created attachment 14357 [details]
grsecurity startup script configuration file
Configuration file for grsecurity startup script. VERY well commented. Don't
mess with it, it took me >5 hours to do this!
--Bluefox Icy
These patches and scripts made by Bluefox Icy. Sorry, forgot to leave my print ;-)
--Bluefox Icy

This script is not backwards compatible with the existing one; however, if you're interested in expanding on what currently exists vs. a total rewrite, then we can consider it for inclusion.

Changing bug status

I was not aware one existed. What is this not backwards-compatible with? Is there another script/conf.d combination?

The reason I wrote this was because I didn't see a current implementation. I was concerned with coming up with a viable setup that provided security without posing a hindrance to the user. Though, with the default settings, it will prevent running of apps with wine in a world-writable fake C:; however, tpe can be turned off (or the C: can be made user writable, which is what an install of wine does if nothing else is around anyway; creates a fake_root in $HOME).

At any rate, what currently is used for grsecurity startup?

/etc/{init,conf.}d/grsecurity get created by installing the userland tool gradm. You can peep the current revision by doing

user@gentoo $ cat /usr/portage/sys-apps/gradm/files/grsecurity
user@gentoo $ cat /usr/portage/sys-apps/gradm/files/grsecurity.rc

Note: Also the userland tool gradm2 exists in portage to add grsec2 support. For this we have no init or conf files yet.

More info on grsec & gentoo can be found at http://www.gentoo.org/proj/en/hardened/ and http://www.gentoo.org/proj/en/hardened/grsecurity.xml