aboutsummaryrefslogtreecommitdiffstats
path: root/testing/gradm/base.policyd
blob: 3c80101a2d24f08b44ae07e3168c14313382602c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
role admin sA
subject / rvka
	/ rwcdmlxi

role default G
role_transitions admin
subject / dpo
	/		r
	/opt		rx
	/home		rwxcd
	/mnt		rw
	/dev
	/dev/grsec	h
	/dev/urandom	r
	/dev/random	r
	/dev/zero	rw
	/dev/input	rw
	/dev/psaux	rw
	/dev/null	rw
	/dev/tty?	rw
	/dev/console	rw
	/dev/tty	rw
	/dev/pts	rw
	/dev/ptmx	rw
	/dev/dsp	rw
	/dev/mixer	rw
	/dev/initctl	rw
	/dev/fd0	r
	/dev/cdrom	r
	/dev/mem	h
	/dev/kmem	h
	/dev/port	h
	/bin		rx
	/sbin		rx
	/lib		rx
	/usr		rx
	/etc		rx
	/proc		rwx
	/proc/slabinfo	h
	/proc/kcore	h
	/proc/kallsyms  h
	/proc/modules   h
	/proc/sys	r
	/root		r
	/tmp		rwcd
	/var		rwxcd
	/var/tmp	rwcd
	/var/log	r
	/boot		h
	/lib/modules	h
	/etc/grsec	h
	/var/lib/grsec	h
	
	-CAP_KILL
	-CAP_SYS_TTY_CONFIG
	-CAP_LINUX_IMMUTABLE
	-CAP_NET_RAW
	-CAP_MKNOD
	-CAP_SYS_ADMIN
	-CAP_SYS_RAWIO
	-CAP_SYS_MODULE
	-CAP_SYS_PTRACE
	-CAP_NET_ADMIN
	-CAP_NET_BIND_SERVICE
	-CAP_NET_RAW
	-CAP_SYS_CHROOT
	-CAP_SYS_BOOT
	-CAP_SETFCAP

# the d flag protects /proc fd and mem entries for sshd
# all daemons should have 'p' in their subject mode to prevent
# an attacker from killing the service (and restarting it with trojaned
# config file or taking the port it reserved to run a trojaned service)
subject /usr/sbin/sshd dpo
	/		h
	/bin/sh		x
	/bin/bash	x
	/dev		h
	/dev/log	rw
	/dev/random	r
	/dev/urandom	r
	/dev/null	rw
	/dev/ptmx	rw
	/dev/pts	rw
	/dev/tty	rw
	/dev/tty?	rw
	/etc		r
	/etc/passwd	r
	/etc/shadow	r
	/etc/grsec	h
	/home		rwcd
	/lib		rx
	/root
	/proc		r
	/proc/*/oom_adj	w
	/proc/kcore	h
	/proc/sys	h
	/usr/lib	rx
	/usr/share/zoneinfo r
	/var/log
	/var/mail
	/var/log/lastlog	rw
	/var/log/wtmp		w
	/var/run/sshd
	/var/run/utmp		rw
	/var/empty		rw

	-CAP_ALL
	+CAP_CHOWN
	+CAP_SETGID
	+CAP_SETUID
	+CAP_SYS_CHROOT
	+CAP_SYS_RESOURCE
	+CAP_SYS_TTY_CONFIG

subject /usr/bin/ssh
	/etc/ssh/ssh_config r

subject /bin/busybox
	+CAP_SYS_ADMIN
	/root/.ash_history rw
	/dev/log rwc
	/var/log rwc
	/var/log/messages rwc
	/var/log/wtmp w
	/var/log/faillog rwcd

subject /usr/bin/sudo
	+CAP_SYS_ADMIN
	/dev/log rw