From 4e75b2fc40c44c49152adb497660f6189261a929 Mon Sep 17 00:00:00 2001 From: William Pitcock Date: Tue, 8 Feb 2011 00:07:08 -0600 Subject: testing/gradm: move to main --- main/gradm/APKBUILD | 57 ++++++++++++ main/gradm/base.policyd | 133 ++++++++++++++++++++++++++++ main/gradm/grsec-rbac.initd | 14 +++ main/gradm/policy | 211 ++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 415 insertions(+) create mode 100644 main/gradm/APKBUILD create mode 100644 main/gradm/base.policyd create mode 100644 main/gradm/grsec-rbac.initd create mode 100644 main/gradm/policy (limited to 'main/gradm') diff --git a/main/gradm/APKBUILD b/main/gradm/APKBUILD new file mode 100644 index 000000000..08dbd3af0 --- /dev/null +++ b/main/gradm/APKBUILD @@ -0,0 +1,57 @@ +# Contributor: William Pitcock +# Maintainer: William Pitcock +pkgname=gradm +pkgver=2.2.0 +pkgrel=5 +pkgdesc="administrative utility for grsecurity kernels" +url="http://www.grsecurity.org/" +arch="all" +license="GPL" +makedepends="bison flex" +install="" +subpackages="$pkgname-doc" +source="http://grsecurity.net/stable/gradm-2.2.0-201011061849.tar.gz + policy + base.policyd + grsec-rbac.initd" + +_builddir="$srcdir/gradm2" +prepare() { + local i + cd "$_builddir" + for i in $source; do + case $i in + *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; + esac + done +} + +build() { + cd "$_builddir" + make || return 1 +} + +package() { + cd "$_builddir" + make DESTDIR="$pkgdir" install || return 1 + + # we don't want the grsecurity-recommended policy as it's old + # and non-modular. + rm "$pkgdir"/etc/grsec/policy + + # install the base policy file which pulls in everything else. + install -m644 "$srcdir"/policy "$pkgdir"/etc/grsec/policy + + # prepare and install base policy to /var/lib/grsec/policy.d + install -d -D "$pkgdir"/var/lib/grsec/policy.d + install -m644 "$srcdir"/base.policyd "$pkgdir"/var/lib/grsec/policy.d/00-base + + # install grsec-rbac into initd + install -d -D "$pkgdir"/etc/init.d + install -m755 "$srcdir"/grsec-rbac.initd "$pkgdir"/etc/init.d/grsec-rbac +} + +md5sums="081765637a407dd7e4cd07f95413d6b8 gradm-2.2.0-201011061849.tar.gz +38ee3aef884bdcfe6a5b925760f6220b policy +1d4a2c2e522b7124ad901ae102181e72 base.policyd +2fc5d055dd43a2d9e1bed378dcab8641 grsec-rbac.initd" diff --git a/main/gradm/base.policyd b/main/gradm/base.policyd new file mode 100644 index 000000000..cf66e7301 --- /dev/null +++ b/main/gradm/base.policyd @@ -0,0 +1,133 @@ +role admin sA +subject / rvka + / rwcdmlxi + +role default G +role_transitions admin +subject / dpo + / r + /opt rx + /home rwxcd + /mnt rw + /dev + /dev/grsec h + /dev/urandom r + /dev/random r + /dev/zero rw + /dev/input rw + /dev/psaux rw + /dev/null rw + /dev/tty? rw + /dev/hvc? rw + /dev/console rw + /dev/tty rw + /dev/pts rw + /dev/ptmx rw + /dev/dsp rw + /dev/mixer rw + /dev/initctl rw + /dev/fd0 r + /dev/cdrom r + /dev/mem h + /dev/kmem h + /dev/port h + /bin rx + /sbin rx + /lib rx + /usr rx + /etc rx + /proc rwx + /proc/slabinfo h + /proc/kcore h + /proc/kallsyms h + /proc/modules h + /proc/sys r + /root r + /tmp rwcd + /var rwxcd + /var/tmp rwcd + /var/log r + /boot h + /lib/modules h + /etc/grsec h + /var/lib/grsec h + + -CAP_KILL + -CAP_SYS_TTY_CONFIG + -CAP_LINUX_IMMUTABLE + -CAP_NET_RAW + -CAP_MKNOD + -CAP_SYS_ADMIN + -CAP_SYS_RAWIO + -CAP_SYS_MODULE + -CAP_SYS_PTRACE + -CAP_NET_ADMIN + -CAP_NET_BIND_SERVICE + -CAP_NET_RAW + -CAP_SYS_CHROOT + -CAP_SYS_BOOT + -CAP_SETFCAP + +# the d flag protects /proc fd and mem entries for sshd +# all daemons should have 'p' in their subject mode to prevent +# an attacker from killing the service (and restarting it with trojaned +# config file or taking the port it reserved to run a trojaned service) +subject /usr/sbin/sshd dpo + / h + /bin/sh x + /bin/bash x + /dev h + /dev/log rw + /dev/random r + /dev/urandom r + /dev/null rw + /dev/ptmx rw + /dev/pts rw + /dev/tty rw + /dev/tty? rw + /etc r + /etc/passwd r + /etc/shadow r + /etc/grsec h + /home rwcd + /lib rx + /root + /proc r + /proc/*/oom_adj w + /proc/kcore h + /proc/sys h + /usr/lib rx + /usr/share/zoneinfo r + /var/log + /var/mail + /var/log/lastlog rw + /var/log/wtmp w + /var/run/sshd + /var/run/utmp rw + /var/empty rw + + -CAP_ALL + +CAP_CHOWN + +CAP_SETGID + +CAP_SETUID + +CAP_SYS_CHROOT + +CAP_SYS_RESOURCE + +CAP_SYS_TTY_CONFIG + +subject /usr/bin/ssh + /etc/ssh/ssh_config r + +subject /bin/busybox + +CAP_SYS_ADMIN + +CAP_SYS_BOOT + /root/.ash_history rw + /dev/log rwc + /var/log rwc + /var/log/messages rwc + /var/log/wtmp w + /var/log/faillog rwcd + +subject /usr/bin/sudo + +CAP_SYS_ADMIN + /dev/log rw + diff --git a/main/gradm/grsec-rbac.initd b/main/gradm/grsec-rbac.initd new file mode 100644 index 000000000..fe0eec55c --- /dev/null +++ b/main/gradm/grsec-rbac.initd @@ -0,0 +1,14 @@ +#!/sbin/runscript + +start() { + ebegin "Enabling grsecurity RBAC policy" + gradm -E + eend $? +} + +stop() { + ebegin "Disabling grsecurity RBAC policy" + gradm -D + eend $? +} + diff --git a/main/gradm/policy b/main/gradm/policy new file mode 100644 index 000000000..e5a3df439 --- /dev/null +++ b/main/gradm/policy @@ -0,0 +1,211 @@ +# Base grsecurity policy for Alpine. +# +# If you want to use a custom policy, or add on local modifications to +# the system policy, edit below the include line or remove the include +# line to completely remove the system policy entirely from your setup. +# +# Documentation on the file format as provided in the sample policy file +# follow below for your reference: +## Role flags: +# A -> This role is an administrative role, thus it has special privilege normal +# roles do not have. In particular, this role bypasses the +# additional ptrace restrictions +# N -> Don't require authentication for this role. To access +# the role, use gradm -n +# s -> This role is a special role, meaning it does not belong to a +# user or group, and does not require an enforced secure policy +# base to be included in the ruleset +# u -> This role is a user role +# g -> This role is a group role +# G -> This role can use gradm to authenticate to the kernel +# A policy for gradm will automatically be added to the role +# T -> Enable TPE for this role +# l -> Enable learning for this role +# P -> Use PAM authentication for this role. +# +# a role can only be one of user, group, or special +# +# role_allow_ip IP/optional netmask +# eg: role_allow_ip 192.168.1.0/24 +# You can have as many of these per role as you want +# They restrict the use of a role to a list of IPs. If a user +# is on the system that would normally get the role does not +# belong to those lists of IPs, the system falls back through +# its method of determining a role for the user +# +# Role hierarchy +# user -> group -> default +# First a user role attempts to match, if one is not found, +# a group role attempts to match, if one is not found, +# the default role is used. +# +# role_transitions ... +# eg: role_transitions www_admin dns_admin +# +# role transitions specify which special roles a given role is allowed +# to authenticate to. This applies to special roles that do not +# require password authentication as well. If a user tries to +# authenticate to a role that is not within his transition table, he +# will receive a permission denied error +# +# Nested subjects +# subject /bin/su:/bin/bash:/bin/cat +# / rwx +# +CAP_ALL +# grant privilege to specific processes if they are executed +# within a trusted path. In this case, privilege is +# granted if /bin/cat is executed from /bin/bash, which is +# executed from /bin/su. +# +# Configuration inheritance on nested subjects +# nested subjects inherit rules from their parents. In the +# example above, the nested subject would inherit rules +# from the nested subject for /bin/su:/bin/bash, +# and the subject /bin/su +# View the 1.9.x documentation for more information on +# configuration inheritance +# +# new object modes: +# m -> allow creation of setuid/setgid files/directories +# and modification of files/directories to be setuid/setgid +# M -> audit the setuid/setgid creation/modification +# c -> allow creation of the file/directory +# C -> audit the creation +# d -> allow deletion of the file/directory +# D -> audit the deletion +# p -> reject all ptraces to this object +# l -> allow a hardlink at this path +# (hardlinking requires at a minimum c and l modes, and the target +# link cannot have any greater permission than the source file) +# L -> audit link creation +# new subject modes: +# O -> disable "writable library" restrictions for this task +# t -> allow this process to ptrace any process (use with caution) +# r -> relax ptrace restrictions (allows process to ptrace processes +# other than its own descendants) +# i -> enable inheritance-based learning for this subject, causing +# all accesses of this subject and anything it executes to be placed +# in this subject, and inheritance flags added to executable objects +# in this subject +# a -> allow this process to talk to the /dev/grsec device +# +# user/group transitions: +# You may now specify what users and groups a given subject can +# transition to. This can be done on an inclusive or exclusive basis. +# Omitting these rules allows a process with proper privilege granted by +# capabilities to transition to any user/group. +# +# Examples: +# subject /bin/su +# user_transition_allow root spender +# group_transition_allow root spender +# subject /bin/su +# user_transition_deny evilhacker +# subject /bin/su +# group_transition_deny evilhacker1 evilhacker2 +# +# Domains: +# With domains you can combine users that don't share a common +# GID as well as groups so that they share a single policy +# Domains work just like roles, with the only exception being that +# the line starting with "role" is replaced with one of the following: +# domain somedomainname u user1 user2 user3 user4 ... usern +# domain somedomainname g group1 group2 group3 group4 ... groupn +# +# Inverted socket policies: +# Rules such as +# connect ! www.google.com:80 stream tcp +# are now allowed, which allows you to specify that a process can connect to anything +# except to port 80 of www.google.com with a stream tcp socket +# the inverted socket matching also works on bind rules +# +# INADDR_ANY overriding +# You can now force a given subject to bind to a particular IP address on the machine +# This is useful for some chrooted environments, to ensure that the source IP they +# use is one of your choosing +# to use, add a line like: +# ip_override 192.168.0.1 +# +# Per-interface socket policies: +# Rules such as +# bind eth1:80 stream tcp +# bind eth0#1:22 stream tcp +# are now allowed, giving you the ability to tie specific socket rules +# to a single interface (or by using the inverted rules, all but one +# interface). Virtual interfaces are specified by the # +# syntax. If an interface is specified, no IP/netmask or host may be +# specified for the rule. +# +# New learning system: +# To learn on a given subject: add l (the letter l, not the number 1) +# to the subject mode +# If you want to learn with the most restrictive policy, use the +# following: +# subject /path/to/bin lo +# / h +# -CAP_ALL +# connect disabled +# bind disabled +# Resource learning is also supported, so lines like +# RES_AS 0 0 +# can be used to learn a particular resource +# +# To learn on a given role, add l to the role mode +# For both of these, to enable learning, enable the system like: +# gradm -L /etc/grsec/learning.logs -E +# and then generate the rules after disabling the system after the +# learning phase with: +# gradm -L /etc/grsec/learning.logs -O /etc/grsec/policy +# To use full system learning, enable the system like: +# gradm -F -L /etc/grsec/learning.logs +# and then generate the rules after disabling the system after the +# learning phase with: +# gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/policy +# +# New PaX flag format (replaces PaX subject flags): +# PaX flags can be forced on or off, regardless of the flags on the +# binary, by using + or - before the following PaX flag names: +# PAX_SEGMEXEC +# PAX_PAGEEXEC +# PAX_MPROTECT +# PAX_RANDMMAP +# PAX_EMUTRAMP +# +# New feature for easier policy maintenance: +# replace +# e.g.: +# replace CVSROOT /home/cvs +# now $(CVSROOT) can be used in any subject or object pathname, like: +# $(CVSROOT)/grsecurity r +# This will translate to /home/cvs/grsecurity r +# This feature makes it easier to update policies by naming specific +# paths by their function, then only having to update those paths once +# to have it affect a large number of subjects/objects. +# +# capability auditing / log suppression +# use of a capability can be audited by adding "audit" to the line, eg: +# +CAP_SYS_RAWIO audit +# log suppression for denial of a capbility can be done by adding "suppress": +# -CAP_SYS_RAWIO suppress +# +# Note that the omission of any feature of a role or subject +# results in a default-allow +# For instance, if no capability rules are added, an implicit +CAP_ALL is used +# + +# +# Default security policy provided by packages in Alpine are installed into +# /var/lib/grsec/policy.d as /var/lib/grsec/policy.d/$pkgname where $pkgname +# is the package name. It is not recommended that you edit those definitions +# unless you know what you're doing, as the Alpine system may depend on the +# presence of those definitions. +# + +include + +# +# If you wish to add any additions to the system policy, you may do so below +# this line. As the configuration is read top-to-bottom, any changes you make +# here may override the default security policy. +# + -- cgit v1.2.3