/etc/init.d script for grsecurity -- reads grsconfity from /etc/conf.d and flips sysctl's accordingly /etc/conf.d script for grsecurity -- grseconfity, used to determine which sysctl'able grescurity options are activated and such defconfig.diff -- Patch for linux-2.4.20-gentoo-r5/arch/i386/defconfig to set up safe grsecurity settings reliant on this script The grsecurity script should be added to the boot runlevel, and should execute as soon as the /proc filesystem is available. It will only work properly if all of the sysctl options in the grsecurity patch are on, and sysctl is compiled in for grsec. The settings I have in there for grsecurity do not include the /dev/kmem /dev/mem and such options because they break X for me (TNT2 nVidia card, using nvidia-kernel and nvidia-glx, which is pretty normal). Notice that there are options in the grsconfity file that allow for several things to happen: 1) Setting GRSECURITY_SYSCTL_DIR will change the base dir used for grsecurity sysctl's. This is good if you have hacked your grsecurity code to use a different part of proc, which would increase security. 2) Setting GRSECURITY_CRITICAL to 1 (any non-1 is 0, sorry but I don't care for jokers thinking they can say "10000" or "y" or "b0rk!" or "@*%G *%@BPU@" and that I'll check for just != 0) will cause any failure in initializing grsecurity to immediately telinit 1 (this is untested but the code looks okay). This is for things like servers that hold things you don't want people breaking into, and that you would rather have downtime on instead of a security hole. 3) Setting GRSECURITY_HIDESYS to 1 will cause the "grsecurity did not load well, make sure the sysctl directory is [...] or check grseconfity" error to NOT display the sysctl path (in case you changed it and have no-read scripts and do not want anyone to see where it is). Put this on 1 4) Setting GRSECURITY_AUTO_GRSEC_LOCK to 1 will cause grsec_lock to be set at the end of the script, preventing any more changes until reboot. LEAVE THIS SET!!!!!!!!!!!!!!!!! 5) Setting GRSECURITY_NO_LOCK_ON_ERROR to 1 will prevent grsec_lock from being set if there are any errors starting grsecurity, even if GRSECURITY_AUTO_GRSEC_LOCK is on. Set this on non-mission critical systems. All of the GRSEC_* variables are sysctl settings. Set the ones that are 1/0 to 1 or 0, and set the GID's to the GID's of your choice. I recommend also having the groups: audit:x:1007: untrusted:x:1005: socketalldeny:x:1004: socketclideny:x:1003: socketserdeny:x:1002: Added to /etc/group during new installs (or updates) to work with grsecurity.
Created attachment 14355 [details, diff] patch for linux-2.4.20-gentoo-r5/arch/i386/defconfig to set up safe grsecurity Patch linux-2.4.20-gentoo-r5/arch/i386/defconfig with this to turn on the settings I used for grsecurity. They were the maximum I could use without hindering myself. It's suitable for most users and won't get in the way.
Created attachment 14356 [details] grsecurity startup script A grsecurity script that reads /etc/conf.d/grsconfity for settings and sets up the sysctl's for grsecurity at boot. `rc-update add grsecurity boot` and please modify to run as soon as /proc is accessable!
Created attachment 14357 [details] grsecurity startup script configuration file Configuration file for grsecurity startup script. VERY well commented. Don't mess with it, it took me >5 hours to do this! --Bluefox Icy
These patches and scripts made by Bluefox Icy. Sorry, forgot to leave my print ;-) --Bluefox Icy
This script is not backwards compatible with the existing one, however if your interested in expanding on what currently exists vs a total rewrite then we can consider it for inclusion.
Changing bug status
I was not aware one existed. What is this not backwards-compatible with? Is there another script/conf.d combination? The reason I wrote this was because I didn't see a current implimentation. I was concerned with coming up with a viable setup that provided security without posing a hindrance to the user. Though, with the default settings, it will prevent running of apps with wine in a world-writable fake C:; however, tpe can be turned off (or the C: can be made user writable, which is what an install of wine does if nothing else is around anyway; creates a fake_root in $HOME) At any rate, what currently is used for grsecurity startup?
/etc/{init,conf.}d/grsecurity get created by installing the userland tool gradm. you can peep the current revision by doing user@gentoo $ cat /usr/portage/sys-apps/gradm/files/grsecurity user@gentoo $ cat /usr/portage/sys-apps/gradm/files/grsecurity.rc
Note: Also the userland tool gradm2 exists in portage to add support for grsec2 support. For this we have no init or conf files for yet. More info on grsec & gentoo can be found at http://www.gentoo.org/proj/en/hardened/ and http://www.gentoo.org/proj/en/hardened/grsecurity.xml
