testing/gradm: move to main

4 files changed, 0 insertions, 415 deletions

diff --git a/testing/gradm/APKBUILD b/testing/gradm/APKBUILD
deleted file mode 100644
index 08dbd3af00..0000000000
--- a/testing/gradm/APKBUILD
+++ /dev/null
@@ -1,57 +0,0 @@
-# Contributor: William Pitcock <nenolod@dereferenced.org>
-# Maintainer: William Pitcock <nenolod@dereferenced.org>
-pkgname=gradm
-pkgver=2.2.0
-pkgrel=5
-pkgdesc="administrative utility for grsecurity kernels"
-url="http://www.grsecurity.org/"
-arch="all"
-license="GPL"
-makedepends="bison flex"
-install=""
-subpackages="$pkgname-doc"
-source="http://grsecurity.net/stable/gradm-2.2.0-201011061849.tar.gz
-	policy
-	base.policyd
-	grsec-rbac.initd"
-
-_builddir="$srcdir/gradm2"
-prepare() {
-	local i
-	cd "$_builddir"
-	for i in $source; do
-		case $i in
-		*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
-		esac
-	done
-}
-
-build() {
-	cd "$_builddir"
-	make || return 1
-}
-
-package() {
-	cd "$_builddir"
-	make DESTDIR="$pkgdir" install || return 1
-
-	# we don't want the grsecurity-recommended policy as it's old
-	# and non-modular.
-	rm "$pkgdir"/etc/grsec/policy
-
-	# install the base policy file which pulls in everything else.
-	install -m644 "$srcdir"/policy "$pkgdir"/etc/grsec/policy
-
-	# prepare and install base policy to /var/lib/grsec/policy.d
-	install -d -D "$pkgdir"/var/lib/grsec/policy.d
-	install -m644 "$srcdir"/base.policyd "$pkgdir"/var/lib/grsec/policy.d/00-base
-
-	# install grsec-rbac into initd
-	install -d -D "$pkgdir"/etc/init.d
-	install -m755 "$srcdir"/grsec-rbac.initd "$pkgdir"/etc/init.d/grsec-rbac
-}
-
-md5sums="081765637a407dd7e4cd07f95413d6b8  gradm-2.2.0-201011061849.tar.gz
-38ee3aef884bdcfe6a5b925760f6220b  policy
-1d4a2c2e522b7124ad901ae102181e72  base.policyd
-2fc5d055dd43a2d9e1bed378dcab8641  grsec-rbac.initd"
diff --git a/testing/gradm/base.policyd b/testing/gradm/base.policyd
deleted file mode 100644
index cf66e7301e..0000000000
--- a/testing/gradm/base.policyd
+++ /dev/null
@@ -1,133 +0,0 @@
-role admin sA
-subject / rvka
-	/ rwcdmlxi
-
-role default G
-role_transitions admin
-subject / dpo
-	/		r
-	/opt		rx
-	/home		rwxcd
-	/mnt		rw
-	/dev
-	/dev/grsec	h
-	/dev/urandom	r
-	/dev/random	r
-	/dev/zero	rw
-	/dev/input	rw
-	/dev/psaux	rw
-	/dev/null	rw
-	/dev/tty?	rw
-	/dev/hvc?	rw
-	/dev/console	rw
-	/dev/tty	rw
-	/dev/pts	rw
-	/dev/ptmx	rw
-	/dev/dsp	rw
-	/dev/mixer	rw
-	/dev/initctl	rw
-	/dev/fd0	r
-	/dev/cdrom	r
-	/dev/mem	h
-	/dev/kmem	h
-	/dev/port	h
-	/bin		rx
-	/sbin		rx
-	/lib		rx
-	/usr		rx
-	/etc		rx
-	/proc		rwx
-	/proc/slabinfo	h
-	/proc/kcore	h
-	/proc/kallsyms  h
-	/proc/modules   h
-	/proc/sys	r
-	/root		r
-	/tmp		rwcd
-	/var		rwxcd
-	/var/tmp	rwcd
-	/var/log	r
-	/boot		h
-	/lib/modules	h
-	/etc/grsec	h
-	/var/lib/grsec	h
-	
-	-CAP_KILL
-	-CAP_SYS_TTY_CONFIG
-	-CAP_LINUX_IMMUTABLE
-	-CAP_NET_RAW
-	-CAP_MKNOD
-	-CAP_SYS_ADMIN
-	-CAP_SYS_RAWIO
-	-CAP_SYS_MODULE
-	-CAP_SYS_PTRACE
-	-CAP_NET_ADMIN
-	-CAP_NET_BIND_SERVICE
-	-CAP_NET_RAW
-	-CAP_SYS_CHROOT
-	-CAP_SYS_BOOT
-	-CAP_SETFCAP
-
-# the d flag protects /proc fd and mem entries for sshd
-# all daemons should have 'p' in their subject mode to prevent
-# an attacker from killing the service (and restarting it with trojaned
-# config file or taking the port it reserved to run a trojaned service)
-subject /usr/sbin/sshd dpo
-	/		h
-	/bin/sh		x
-	/bin/bash	x
-	/dev		h
-	/dev/log	rw
-	/dev/random	r
-	/dev/urandom	r
-	/dev/null	rw
-	/dev/ptmx	rw
-	/dev/pts	rw
-	/dev/tty	rw
-	/dev/tty?	rw
-	/etc		r
-	/etc/passwd	r
-	/etc/shadow	r
-	/etc/grsec	h
-	/home		rwcd
-	/lib		rx
-	/root
-	/proc		r
-	/proc/*/oom_adj	w
-	/proc/kcore	h
-	/proc/sys	h
-	/usr/lib	rx
-	/usr/share/zoneinfo r
-	/var/log
-	/var/mail
-	/var/log/lastlog	rw
-	/var/log/wtmp		w
-	/var/run/sshd
-	/var/run/utmp		rw
-	/var/empty		rw
-
-	-CAP_ALL
-	+CAP_CHOWN
-	+CAP_SETGID
-	+CAP_SETUID
-	+CAP_SYS_CHROOT
-	+CAP_SYS_RESOURCE
-	+CAP_SYS_TTY_CONFIG
-
-subject /usr/bin/ssh
-	/etc/ssh/ssh_config r
-
-subject /bin/busybox
-	+CAP_SYS_ADMIN
-	+CAP_SYS_BOOT
-	/root/.ash_history rw
-	/dev/log rwc
-	/var/log rwc
-	/var/log/messages rwc
-	/var/log/wtmp w
-	/var/log/faillog rwcd
-
-subject /usr/bin/sudo
-	+CAP_SYS_ADMIN
-	/dev/log rw
-
diff --git a/testing/gradm/grsec-rbac.initd b/testing/gradm/grsec-rbac.initd
deleted file mode 100644
index fe0eec55cc..0000000000
--- a/testing/gradm/grsec-rbac.initd
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/sbin/runscript
-
-start() {
-	ebegin "Enabling grsecurity RBAC policy"
-		gradm -E
-	eend $?
-}
-
-stop() {
-	ebegin "Disabling grsecurity RBAC policy"
-		gradm -D
-	eend $?
-}
-
diff --git a/testing/gradm/policy b/testing/gradm/policy
deleted file mode 100644
index e5a3df439c..0000000000
--- a/testing/gradm/policy
+++ /dev/null
@@ -1,211 +0,0 @@
-# Base grsecurity policy for Alpine.
-#
-# If you want to use a custom policy, or add on local modifications to
-# the system policy, edit below the include line or remove the include
-# line to completely remove the system policy entirely from your setup.
-#
-# Documentation on the file format as provided in the sample policy file
-# follow below for your reference:
-## Role flags:
-# A -> This role is an administrative role, thus it has special privilege normal
-#      roles do not have.  In particular, this role bypasses the 
-#      additional ptrace restrictions
-# N -> Don't require authentication for this role.  To access
-#      the role, use gradm -n <rolename>
-# s -> This role is a special role, meaning it does not belong to a
-#      user or group, and does not require an enforced secure policy
-#      base to be included in the ruleset
-# u -> This role is a user role
-# g -> This role is a group role
-# G -> This role can use gradm to authenticate to the kernel
-#      A policy for gradm will automatically be added to the role
-# T -> Enable TPE for this role
-# l -> Enable learning for this role
-# P -> Use PAM authentication for this role.
-#
-# a role can only be one of user, group, or special
-#
-# role_allow_ip IP/optional netmask
-# eg: role_allow_ip 192.168.1.0/24
-# You can have as many of these per role as you want
-# They restrict the use of a role to a list of IPs.  If a user
-# is on the system that would normally get the role does not
-# belong to those lists of IPs, the system falls back through
-# its method of determining a role for the user
-#
-# Role hierarchy
-# user -> group -> default
-# First a user role attempts to match, if one is not found,
-# a group role attempts to match, if one is not found,
-# the default role is used.
-#
-# role_transitions <special role 1> <special role 2> ... <special role n>
-# eg: role_transitions www_admin dns_admin
-#
-# role transitions specify which special roles a given role is allowed
-# to authenticate to.  This applies to special roles that do not
-# require password authentication as well.  If a user tries to
-# authenticate to a role that is not within his transition table, he
-# will receive a permission denied error
-#
-# Nested subjects
-# subject /bin/su:/bin/bash:/bin/cat
-#	  / rwx
-#	  +CAP_ALL
-# grant privilege to specific processes if they are executed
-# within a trusted path.  In this case, privilege is
-# granted if /bin/cat is executed from /bin/bash, which is
-# executed from /bin/su.
-#
-# Configuration inheritance on nested subjects
-# nested subjects inherit rules from their parents.  In the
-# example above, the nested subject would inherit rules
-# from the nested subject for /bin/su:/bin/bash,
-# and the subject /bin/su
-# View the 1.9.x documentation for more information on
-# configuration inheritance
-#
-# new object modes:
-# m -> allow creation of setuid/setgid files/directories
-#      and modification of files/directories to be setuid/setgid
-# M -> audit the setuid/setgid creation/modification
-# c -> allow creation of the file/directory
-# C -> audit the creation
-# d -> allow deletion of the file/directory
-# D -> audit the deletion
-# p -> reject all ptraces to this object
-# l -> allow a hardlink at this path
-#	(hardlinking requires at a minimum c and l modes, and the target
-#	 link cannot have any greater permission than the source file)
-# L -> audit link creation
-# new subject modes:
-# O -> disable "writable library" restrictions for this task
-# t -> allow this process to ptrace any process (use with caution)
-# r -> relax ptrace restrictions (allows process to ptrace processes
-#      other than its own descendants)
-# i -> enable inheritance-based learning for this subject, causing
-#      all accesses of this subject and anything it executes to be placed
-#      in this subject, and inheritance flags added to executable objects
-#      in this subject
-# a -> allow this process to talk to the /dev/grsec device
-#
-# user/group transitions:
-# You may now specify what users and groups a given subject can
-# transition to.  This can be done on an inclusive or exclusive basis.
-# Omitting these rules allows a process with proper privilege granted by
-# capabilities to transition to any user/group.
-#
-# Examples:
-# subject /bin/su
-# user_transition_allow root spender
-# group_transition_allow root spender
-# subject /bin/su
-# user_transition_deny evilhacker
-# subject /bin/su
-# group_transition_deny evilhacker1 evilhacker2
-#
-# Domains:
-# With domains you can combine users that don't share a common
-# GID as well as groups so that they share a single policy
-# Domains work just like roles, with the only exception being that
-# the line starting with "role" is replaced with one of the following:
-# domain somedomainname u user1 user2 user3 user4 ... usern
-# domain somedomainname g group1 group2 group3 group4 ... groupn
-#
-# Inverted socket policies:
-# Rules such as
-# connect ! www.google.com:80 stream tcp
-# are now allowed, which allows you to specify that a process can connect to anything
-# except to port 80 of www.google.com with a stream tcp socket
-# the inverted socket matching also works on bind rules
-#
-# INADDR_ANY overriding
-# You can now force a given subject to bind to a particular IP address on the machine
-# This is useful for some chrooted environments, to ensure that the source IP they
-# use is one of your choosing
-# to use, add a line like:
-# ip_override 192.168.0.1
-#
-# Per-interface socket policies:
-# Rules such as
-# bind eth1:80 stream tcp
-# bind eth0#1:22 stream tcp
-# are now allowed, giving you the ability to tie specific socket rules 
-# to a single interface (or by using the inverted rules, all but one 
-# interface).  Virtual interfaces are specified by the <ifname>#<vindex>
-# syntax.  If an interface is specified, no IP/netmask or host may be
-# specified for the rule.
-#
-# New learning system:
-# To learn on a given subject: add l (the letter l, not the number 1)
-# to the subject mode
-# If you want to learn with the most restrictive policy, use the 
-# following:
-# subject /path/to/bin lo
-#    / h
-#    -CAP_ALL
-#    connect disabled
-#    bind disabled
-# Resource learning is also supported, so lines like
-#    RES_AS 0 0
-# can be used to learn a particular resource
-#
-# To learn on a given role, add l to the role mode
-# For both of these, to enable learning, enable the system like:
-# gradm -L /etc/grsec/learning.logs -E
-# and then generate the rules after disabling the system after the 
-# learning phase with:
-# gradm -L /etc/grsec/learning.logs -O /etc/grsec/policy
-# To use full system learning, enable the system like:
-# gradm -F -L /etc/grsec/learning.logs
-# and then generate the rules after disabling the system after the 
-# learning phase with:
-# gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/policy
-#
-# New PaX flag format (replaces PaX subject flags):
-# PaX flags can be forced on or off, regardless of the flags on the 
-# binary, by using + or - before the following PaX flag names:
-# PAX_SEGMEXEC
-# PAX_PAGEEXEC
-# PAX_MPROTECT
-# PAX_RANDMMAP
-# PAX_EMUTRAMP
-#
-# New feature for easier policy maintenance:
-# replace <variable name> <replace string>
-# e.g.:
-# replace CVSROOT /home/cvs
-# now $(CVSROOT) can be used in any subject or object pathname, like:
-# $(CVSROOT)/grsecurity r
-# This will translate to /home/cvs/grsecurity r
-# This feature makes it easier to update policies by naming specific
-# paths by their function, then only having to update those paths once
-# to have it affect a large number of subjects/objects.
-#
-# capability auditing / log suppression
-# use of a capability can be audited by adding "audit" to the line, eg:
-# +CAP_SYS_RAWIO audit
-# log suppression for denial of a capbility can be done by adding "suppress":
-# -CAP_SYS_RAWIO suppress
-#
-# Note that the omission of any feature of a role or subject
-# results in a default-allow
-# For instance, if no capability rules are added, an implicit +CAP_ALL is used
-#
-
-#
-# Default security policy provided by packages in Alpine are installed into
-# /var/lib/grsec/policy.d as /var/lib/grsec/policy.d/$pkgname where $pkgname
-# is the package name.  It is not recommended that you edit those definitions
-# unless you know what you're doing, as the Alpine system may depend on the
-# presence of those definitions.
-#
-
-include </var/lib/grsec/policy.d>
-
-#
-# If you wish to add any additions to the system policy, you may do so below
-# this line.  As the configuration is read top-to-bottom, any changes you make
-# here may override the default security policy.
-#
-