summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to '3.3.8/4450_grsec-kconfig-default-gids.patch')
-rw-r--r--3.3.8/4450_grsec-kconfig-default-gids.patch77
1 files changed, 77 insertions, 0 deletions
diff --git a/3.3.8/4450_grsec-kconfig-default-gids.patch b/3.3.8/4450_grsec-kconfig-default-gids.patch
new file mode 100644
index 0000000..123f877
--- /dev/null
+++ b/3.3.8/4450_grsec-kconfig-default-gids.patch
@@ -0,0 +1,77 @@
+From: Kerin Millar <kerframil@gmail.com>
+
+grsecurity contains a number of options which allow certain protections
+to be applied to or exempted from members of a given group. However, the
+default GIDs specified in the upstream patch are entirely arbitrary and
+there is no telling which (if any) groups the GIDs will correlate with
+on an end-user's system. Because some users don't pay a great deal of
+attention to the finer points of kernel configuration, it is probably
+wise to specify some reasonable defaults so as to stop careless users
+from shooting themselves in the foot.
+
+diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+--- a/grsecurity/Kconfig 2011-12-12 16:54:30.000000000 -0500
++++ b/grsecurity/Kconfig 2011-12-12 16:55:09.000000000 -0500
+@@ -443,7 +443,7 @@
+ config GRKERNSEC_PROC_GID
+ int "GID for special group"
+ depends on GRKERNSEC_PROC_USERGROUP
+- default 1001
++ default 10
+
+ config GRKERNSEC_PROC_ADD
+ bool "Additional restrictions"
+@@ -671,7 +671,7 @@
+ config GRKERNSEC_AUDIT_GID
+ int "GID for auditing"
+ depends on GRKERNSEC_AUDIT_GROUP
+- default 1007
++ default 100
+
+ config GRKERNSEC_EXECLOG
+ bool "Exec logging"
+@@ -875,7 +875,7 @@
+ config GRKERNSEC_TPE_GID
+ int "GID for untrusted users"
+ depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
+- default 1005
++ default 100
+ help
+ Setting this GID determines what group TPE restrictions will be
+ *enabled* for. If the sysctl option is enabled, a sysctl option
+@@ -884,7 +884,7 @@
+ config GRKERNSEC_TPE_GID
+ int "GID for trusted users"
+ depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
+- default 1005
++ default 10
+ help
+ Setting this GID determines what group TPE restrictions will be
+ *disabled* for. If the sysctl option is enabled, a sysctl option
+@@ -957,7 +957,7 @@
+ config GRKERNSEC_SOCKET_ALL_GID
+ int "GID to deny all sockets for"
+ depends on GRKERNSEC_SOCKET_ALL
+- default 1004
++ default 65534
+ help
+ Here you can choose the GID to disable socket access for. Remember to
+ add the users you want socket access disabled for to the GID
+@@ -978,7 +978,7 @@
+ config GRKERNSEC_SOCKET_CLIENT_GID
+ int "GID to deny client sockets for"
+ depends on GRKERNSEC_SOCKET_CLIENT
+- default 1003
++ default 65534
+ help
+ Here you can choose the GID to disable client socket access for.
+ Remember to add the users you want client socket access disabled for to
+@@ -996,7 +996,7 @@
+ config GRKERNSEC_SOCKET_SERVER_GID
+ int "GID to deny server sockets for"
+ depends on GRKERNSEC_SOCKET_SERVER
+- default 1002
++ default 65534
+ help
+ Here you can choose the GID to disable server socket access for.
+ Remember to add the users you want server socket access disabled for to