authorJeremy Huddleston <eradicator@gentoo.org>2004-03-11 22:45:09 +0000
committerJeremy Huddleston <eradicator@gentoo.org>2004-03-11 22:45:09 +0000
commit583944bda5db94a13208a546108a2416e6433765 (patch)
tree80ababd3619a7b06042f3edff44dcb81a1ade419 /sys-apps/gradm
parentAdd note about not putting S=${WORKDIR}/${P} in ebuilds. (diff)
Version bump, and fix the conf.d and init.d scripts to close bug #42750.
Diffstat (limited to 'sys-apps/gradm')
-rw-r--r--sys-apps/gradm/ChangeLog10
-rw-r--r--sys-apps/gradm/Manifest12
-rw-r--r--sys-apps/gradm/files/digest-gradm-1.9.141
-rw-r--r--sys-apps/gradm/files/grsecurity32
-rw-r--r--sys-apps/gradm/files/grsecurity.rc40
-rw-r--r--sys-apps/gradm/gradm-1.9.14.ebuild60
6 files changed, 111 insertions, 44 deletions
diff --git a/sys-apps/gradm/ChangeLog b/sys-apps/gradm/ChangeLog
index 0b3a3f2801fa..a039547ccea2 100644
--- a/sys-apps/gradm/ChangeLog
+++ b/sys-apps/gradm/ChangeLog
@@ -1,8 +1,14 @@
# ChangeLog for sys-apps/gradm
# Copyright 2002-2004 Gentoo Technologies, Inc.; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-apps/gradm/ChangeLog,v 1.27 2004/03/08 21:09:58 avenj Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/gradm/ChangeLog,v 1.28 2004/03/11 22:45:07 eradicator Exp $
- 08 Mar 2004; Jon Portnoy <avenj@gentoo.org> gradm-1.9.13.ebuild :
+*gradm-1.9.14 (11 Mar 2004)
+
+ 11 Mar 2004; Jeremy Huddleston <eradicator@gentoo.org> files/grsecurity,
+ files/grsecurity.rc gradm-1.9.14.ebuild:
+ Version bump, and fix the conf.d and init.d scripts to close bug #42750.
+
+ 08 Mar 2004; Jon Portnoy <avenj@gentoo.org> gradm-1.9.13.ebuild:
Mark stable on AMD64 to make repoman happy.
02 Jan 2004; <solar@gentoo.org> gradm-1.9.11.ebuild, gradm-1.9.12.ebuild,
diff --git a/sys-apps/gradm/Manifest b/sys-apps/gradm/Manifest
index 31a0dda71234..622778955fc2 100644
--- a/sys-apps/gradm/Manifest
+++ b/sys-apps/gradm/Manifest
@@ -1,11 +1,13 @@
-MD5 551c99b5c7223b0e6aef7683f44b82a2 ChangeLog 3721
+MD5 5b699f43f556946512eaa60f1d825ec7 gradm-1.9.14.ebuild 1646
MD5 41971cfb8a30ffde8e5eda975ed7bba7 gradm-1.9.11.ebuild 992
-MD5 f72e0ee53027f8138ed5b629e6dc40ec gradm-1.9.12.ebuild 992
MD5 eb061ed8cafe91d8f497b743e42af4a3 gradm-1.9.13.ebuild 1637
+MD5 f72e0ee53027f8138ed5b629e6dc40ec gradm-1.9.12.ebuild 992
+MD5 8dea518573a97e13814c8bfe0a44c089 ChangeLog 3948
MD5 9a09f8d531c582e78977dbfd96edc1f2 metadata.xml 164
+MD5 1f31101dab2d3a9deb64ea31bf7339e3 files/grsecurity.rc 1821
+MD5 36344ecbd7f54bdd4979c2fe6322c9c7 files/grsecurity 2325
+MD5 c2618fc7963e008681dfd08db6886058 files/gradm_parse.c-1.9.x.patch 524
MD5 056158b3d525f5c9408814b8de558aff files/digest-gradm-1.9.11 63
MD5 0e2f7f82f168a922e16d0c5312a44a93 files/digest-gradm-1.9.12 63
MD5 6f65d72fd28be60fec03949a96a0431b files/digest-gradm-1.9.13 63
-MD5 c2618fc7963e008681dfd08db6886058 files/gradm_parse.c-1.9.x.patch 524
-MD5 407eeba68c4cd90a492624f3be3f6367 files/grsecurity 1922
-MD5 747a58a4e9af5abd23b672e8cf417c08 files/grsecurity.rc 1741
+MD5 f008a8f1133ea0db35a4ee305d390c23 files/digest-gradm-1.9.14 63
diff --git a/sys-apps/gradm/files/digest-gradm-1.9.14 b/sys-apps/gradm/files/digest-gradm-1.9.14
new file mode 100644
index 000000000000..9a774cb0ae51
--- /dev/null
+++ b/sys-apps/gradm/files/digest-gradm-1.9.14
@@ -0,0 +1 @@
+MD5 64b4f00004d24eeca54ef7b6f0885ded gradm-1.9.14.tar.gz 32139
diff --git a/sys-apps/gradm/files/grsecurity b/sys-apps/gradm/files/grsecurity
index 2352dfbe21bd..e746201aced4 100644
--- a/sys-apps/gradm/files/grsecurity
+++ b/sys-apps/gradm/files/grsecurity
@@ -1,22 +1,8 @@
# GR Security toggles.
#
+# Note: chpax support has been removed from this init script.
+# Configure /etc/conf.d/chpax instead
-# Files that we should remove PAGE_EXEC enforcement from
-PAGE_EXEC_EXEMPT="/usr/X11R6/bin/XFree86 /usr/lib/wine/bin/wine"
-
-# Files we should turn off trampoline emmulation for
-TRAMPOLINE_EXEMPT=""
-
-# Files we should not restrict mprotect on
-MPROTECT_EXEMPT=""
-
-# Files we should not randomize mmap for
-MMAP_EXEMPT=""
-
-# Files not to enforce segmentation based non-executable pages
-SEGMENTATION_EXEMPT="${PAGE_EXEC_EXEMPT}"
-
-#
# Check your running kernel for valid options.
# "sysctl -a | grep kernel.grsecurity. | cut -d '.' -f 3 | awk '{print $1}'"
#
@@ -80,8 +66,22 @@ SEGMENTATION_EXEMPT="${PAGE_EXEC_EXEMPT}"
# tpe_glibc
# tpe_restrict_all
+# Strict set with negligible performance impact:
+#ENABLED="audit_chdir audit_group audit_ipc audit_mount chroot_caps \
+# chroot_deny_chmod chroot_deny_chroot chroot_deny_fchdir \
+# chroot_deny_mknod chroot_deny_mount chroot_deny_pivot \
+# chroot_deny_shmat chroot_deny_sysctl chroot_deny_unix \
+# chroot_enforce_chdir chroot_execlog chroot_findtask \
+# chroot_restrict_nice dmesg exec_logging execve_limiting \
+# fifo_restrictions forkfail_logging linking_restrictions rand_isns \
+# rand_ip_ids rand_pids rand_rpc rand_tcp_src_ports signal_logging \
+# socket_all socket_client socket_server timechange_logging tpe"
+
ENABLED=""
+# Set when audit_group is enabled
+audit_gid=1007
+
# Set when allow_ptrace_group is enabled
ptrace_gid=10
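Review bot: The added `audit_gid=1007` is a bare numeric group ID with no indication of which group it is meant to be, so enabling `audit_group` on a system where GID 1007 is unassigned or belongs to an unrelated group would apply auditing to the wrong set of users. A comment such as `# GID of the group to audit; change this to a group that exists on this system` above the assignment would make that explicit. The commented strict set also lists `tpe`, and the init script in this commit writes `${tpe_gid}` when `tpe` is enabled, but no `tpe_gid=` assignment is visible in this hunk; if the rest of the file does not define one, a documented `tpe_gid=` line belongs here next to `audit_gid`.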
diff --git a/sys-apps/gradm/files/grsecurity.rc b/sys-apps/gradm/files/grsecurity.rc
index b4a9ed4303ff..679100bd6dc5 100644
--- a/sys-apps/gradm/files/grsecurity.rc
+++ b/sys-apps/gradm/files/grsecurity.rc
@@ -1,12 +1,17 @@
#!/sbin/runscript
# Copyright 1999-2003 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-apps/gradm/files/grsecurity.rc,v 1.7 2003/06/16 18:37:01 solar Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/gradm/files/grsecurity.rc,v 1.8 2004/03/11 22:45:09 eradicator Exp $
+
+# Note: chpax support has been removed from this init script.
+# Configure /etc/conf.d/chpax and add chpax to your default runlevel instead
+
PROCDIR=/proc/sys/kernel/grsecurity
depend() {
need bootmisc localmount
+ after chpax
}
checkconfig() {
@@ -25,22 +30,35 @@ start() {
# [ -f ${PROCDIR}/${x} ] && continue
# einfo "\tEnabling kernel.grsecurity.${x}"
case "${x}" in
+ audit_group)
+ echo ${audit_gid} > ${PROCDIR}/audit_gid
+ echo 1 > ${PROCDIR}/${x}
+ ;;
+ tpe)
+ echo ${tpe_gid} > ${PROCDIR}/tpe_gid
+ echo 1 > ${PROCDIR}/${x}
+ ;;
allow_ptrace_group)
echo ${ptrace_gid} > ${PROCDIR}/ptrace_gid
+ echo 1 > ${PROCDIR}/${x}
;;
fork_bomb_prot)
echo ${fork_bomb_gid} >${PROCDIR}/fork_bomb_gid
echo ${fork_bomb_sec} >${PROCDIR}/fork_bomb_sec
echo ${fork_bomb_max} >${PROCDIR}/fork_bomb_max
+ echo 1 > ${PROCDIR}/${x}
;;
socket_all)
echo ${socket_all_gid} >${PROCDIR}/socket_all_gid
+ echo 1 > ${PROCDIR}/${x}
;;
socket_client)
echo ${socket_client_gid} >${PROCDIR}/socket_client_gid
+ echo 1 > ${PROCDIR}/${x}
;;
socket_server)
echo ${socket_server_gid} >${PROCDIR}/socket_server_gid
+ echo 1 > ${PROCDIR}/${x}
;;
*)
[ -f ${PROCDIR}/${x} ] && echo 1 >${PROCDIR}/${x}
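Review bot: The new `audit_group` and `tpe` branches, and the `echo 1 > ${PROCDIR}/${x}` lines added to the existing gid branches, write to `${PROCDIR}` without the `[ -f ${PROCDIR}/${x} ]` check that the `*)` branch keeps, and they expand the gid variables unquoted and unchecked. If `tpe_gid` or `audit_gid` is unset in conf.d, an empty line is written to the gid file and the feature is switched on anyway, presumably with whatever gid the kernel already holds. A failed write also goes unreported, because the `eend ${?}` later in start() only reflects the `grsec_lock` line. Each branch could be guarded along the lines of `[ -n "${tpe_gid}" ] && echo "${tpe_gid}" > ${PROCDIR}/tpe_gid && echo 1 > ${PROCDIR}/${x} || ewarn "kernel.grsecurity.${x} not enabled"`. start() begins and ends outside this hunk.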
@@ -48,26 +66,6 @@ start() {
esac
done
- for x in ${PAGE_EXEC_EXEMPT} ; do
- [ -f ${x} ] && /sbin/chpax -p ${x}
- done
-
- for x in ${TRAMPOLINE_EXEMPT} ; do
- [ -f ${x} ] && /sbin/chpax -e ${x}
- done
-
- for x in ${MPROTECT_EXEMPT} ; do
- [ -f ${x} ] && /sbin/chpax -m ${x}
- done
-
- for x in ${MMAP_EXEMPT} ; do
- [ -f ${x} ] && /sbin/chpax -r ${x}
- done
-
- for x in ${SEGMENTATION_EXEMPT} ; do
- [ -f ${x} ] && /sbin/chpax -s ${x}
- done
-
[ -f ${PROCDIR}/grsec_lock ] && echo ${LOCK} >${PROCDIR}/grsec_lock
eend ${?}
diff --git a/sys-apps/gradm/gradm-1.9.14.ebuild b/sys-apps/gradm/gradm-1.9.14.ebuild
new file mode 100644
index 000000000000..886d808dd9f8
--- /dev/null
+++ b/sys-apps/gradm/gradm-1.9.14.ebuild
@@ -0,0 +1,60 @@
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/gradm/gradm-1.9.14.ebuild,v 1.1 2004/03/11 22:45:07 eradicator Exp $
+
+inherit gcc flag-o-matic
+
+DESCRIPTION="Administrative interface for grsecurity ${PV} access control lists"
+SRC_URI="http://www.grsecurity.net/${P}.tar.gz"
+HOMEPAGE="http://www.grsecurity.net/"
+
+LICENSE="GPL-2"
+KEYWORDS="~x86 ~amd64 ~sparc ~ppc ~hppa"
+SLOT="0"
+
+IUSE=""
+DEPEND="virtual/glibc
+ sys-devel/bison
+ sys-devel/flex
+ sys-apps/chpax"
+
+S="${WORKDIR}/${PN}"
+
+src_unpack() {
+ unpack ${A}
+ cd ${S}
+ epatch ${FILESDIR}/gradm_parse.c-1.9.x.patch
+
+ # (Jan 2 2004) - <solar@gentoo>
+ # static linking required for proper operation of gradm
+ # however ssp is known to break static linking when it's enabled
+ # in >=gcc-3.3.1 && <=gcc-3.3.2-r5 . So we strip ssp if needed.
+ gmicro=$(gcc-micro-version)
+ if [ "$(gcc-version)" == "3.3" -a -n "${gmicro}" -a ${gmicro} -le 2 ]; then
+ # extract out gentoo revision
+ gentoo_gcc_r=$($(gcc-getCC) -v 2>&1 | tail -n 1 | awk '{print $7}')
+ gentoo_gcc_r=${gentoo_gcc_r/,/}
+ gentoo_gcc_r=${gentoo_gcc_r/-/ }
+ gentoo_gcc_r=${gentoo_gcc_r:7}
+ [ -n "${gentoo_gcc_r}" -a ${gentoo_gcc_r} -le 5 ] && \
+ filter-flags -fstack-protector -fstack-protector-all
+ fi
+
+ sed -i -e "s|-O2|${CFLAGS}|" Makefile
+}
+
+src_compile() {
+ emake CC="$(gcc-getCC)" || die "compile problem"
+}
+
+src_install() {
+ doman gradm.8
+ dodoc acl
+ exeinto /etc/init.d
+ newexe ${FILESDIR}/grsecurity.rc grsecurity
+ insinto /etc/conf.d
+ doins ${FILESDIR}/grsecurity
+ into /
+ dosbin gradm
+ fperms 700 /sbin/gradm
+}
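Review bot: The SSP check in src_unpack uses `[ ... -a -n "${gmicro}" -a ${gmicro} -le 2 ]`, and `-a` inside `[` does not short-circuit, so an empty `gmicro` leaves `-le 2` without a left operand and the test errors out instead of evaluating to false. The same pattern appears in the `[ -n "${gentoo_gcc_r}" -a ${gentoo_gcc_r} -le 5 ]` line. Splitting the tests and quoting the operands avoids this: `if [ "$(gcc-version)" == "3.3" ] && [ -n "${gmicro}" ] && [ "${gmicro}" -le 2 ]; then`. Separately, `cd ${S}` is unchecked, so a failed unpack would let `epatch` and the `sed -i` on `Makefile` run in the wrong directory; `cd "${S}" || die "cd failed"` closes that.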