diff options
Diffstat (limited to '3.3.8/4450_grsec-kconfig-default-gids.patch')
-rw-r--r-- | 3.3.8/4450_grsec-kconfig-default-gids.patch | 77 |
1 files changed, 77 insertions, 0 deletions
diff --git a/3.3.8/4450_grsec-kconfig-default-gids.patch b/3.3.8/4450_grsec-kconfig-default-gids.patch new file mode 100644 index 0000000..123f877 --- /dev/null +++ b/3.3.8/4450_grsec-kconfig-default-gids.patch @@ -0,0 +1,77 @@ +From: Kerin Millar <kerframil@gmail.com> + +grsecurity contains a number of options which allow certain protections +to be applied to or exempted from members of a given group. However, the +default GIDs specified in the upstream patch are entirely arbitrary and +there is no telling which (if any) groups the GIDs will correlate with +on an end-user's system. Because some users don't pay a great deal of +attention to the finer points of kernel configuration, it is probably +wise to specify some reasonable defaults so as to stop careless users +from shooting themselves in the foot. + +diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig +--- a/grsecurity/Kconfig 2011-12-12 16:54:30.000000000 -0500 ++++ b/grsecurity/Kconfig 2011-12-12 16:55:09.000000000 -0500 +@@ -443,7 +443,7 @@ + config GRKERNSEC_PROC_GID + int "GID for special group" + depends on GRKERNSEC_PROC_USERGROUP +- default 1001 ++ default 10 + + config GRKERNSEC_PROC_ADD + bool "Additional restrictions" +@@ -671,7 +671,7 @@ + config GRKERNSEC_AUDIT_GID + int "GID for auditing" + depends on GRKERNSEC_AUDIT_GROUP +- default 1007 ++ default 100 + + config GRKERNSEC_EXECLOG + bool "Exec logging" +@@ -875,7 +875,7 @@ + config GRKERNSEC_TPE_GID + int "GID for untrusted users" + depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT +- default 1005 ++ default 100 + help + Setting this GID determines what group TPE restrictions will be + *enabled* for. If the sysctl option is enabled, a sysctl option +@@ -884,7 +884,7 @@ + config GRKERNSEC_TPE_GID + int "GID for trusted users" + depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT +- default 1005 ++ default 10 + help + Setting this GID determines what group TPE restrictions will be + *disabled* for. If the sysctl option is enabled, a sysctl option +@@ -957,7 +957,7 @@ + config GRKERNSEC_SOCKET_ALL_GID + int "GID to deny all sockets for" + depends on GRKERNSEC_SOCKET_ALL +- default 1004 ++ default 65534 + help + Here you can choose the GID to disable socket access for. Remember to + add the users you want socket access disabled for to the GID +@@ -978,7 +978,7 @@ + config GRKERNSEC_SOCKET_CLIENT_GID + int "GID to deny client sockets for" + depends on GRKERNSEC_SOCKET_CLIENT +- default 1003 ++ default 65534 + help + Here you can choose the GID to disable client socket access for. + Remember to add the users you want client socket access disabled for to +@@ -996,7 +996,7 @@ + config GRKERNSEC_SOCKET_SERVER_GID + int "GID to deny server sockets for" + depends on GRKERNSEC_SOCKET_SERVER +- default 1002 ++ default 65534 + help + Here you can choose the GID to disable server socket access for. + Remember to add the users you want server socket access disabled for to |