author | Jeremy Huddleston <eradicator@gentoo.org> | 2004-03-11 22:45:09 +0000 |
---|---|---|
committer | Jeremy Huddleston <eradicator@gentoo.org> | 2004-03-11 22:45:09 +0000 |
commit | 82be118713a3f142c3864b3cdf7cc61022ffae3b (patch) | |
tree | 54fbe2b691f7a290133dcc6c799991a070e9daf3 /sys-apps | |
parent | Add note about not putting S=${WORKDIR}/${P} in ebuilds. (diff) | |
Version bump, and fix the conf.d and init.d scripts to close bug #42750.
Diffstat (limited to 'sys-apps')
-rw-r--r-- | sys-apps/gradm/ChangeLog | 10 | ||||
-rw-r--r-- | sys-apps/gradm/Manifest | 12 | ||||
-rw-r--r-- | sys-apps/gradm/files/digest-gradm-1.9.14 | 1 | ||||
-rw-r--r-- | sys-apps/gradm/files/grsecurity | 32 | ||||
-rw-r--r-- | sys-apps/gradm/files/grsecurity.rc | 40 | ||||
-rw-r--r-- | sys-apps/gradm/gradm-1.9.14.ebuild | 60 |
6 files changed, 111 insertions, 44 deletions
diff --git a/sys-apps/gradm/ChangeLog b/sys-apps/gradm/ChangeLog index 0b3a3f2801fa..a039547ccea2 100644 --- a/sys-apps/gradm/ChangeLog +++ b/sys-apps/gradm/ChangeLog @@ -1,8 +1,14 @@ # ChangeLog for sys-apps/gradm # Copyright 2002-2004 Gentoo Technologies, Inc.; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/sys-apps/gradm/ChangeLog,v 1.27 2004/03/08 21:09:58 avenj Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-apps/gradm/ChangeLog,v 1.28 2004/03/11 22:45:07 eradicator Exp $ - 08 Mar 2004; Jon Portnoy <avenj@gentoo.org> gradm-1.9.13.ebuild : +*gradm-1.9.14 (11 Mar 2004) + + 11 Mar 2004; Jeremy Huddleston <eradicator@gentoo.org> files/grsecurity, + files/grsecurity.rc gradm-1.9.14.ebuild: + Version bump, and fix the conf.d and init.d scripts to close bug #42750. + + 08 Mar 2004; Jon Portnoy <avenj@gentoo.org> gradm-1.9.13.ebuild: Mark stable on AMD64 to make repoman happy. 02 Jan 2004; <solar@gentoo.org> gradm-1.9.11.ebuild, gradm-1.9.12.ebuild, diff --git a/sys-apps/gradm/Manifest b/sys-apps/gradm/Manifest index 31a0dda71234..cb69c74e7058 100644 --- a/sys-apps/gradm/Manifest +++ b/sys-apps/gradm/Manifest 
@@ -1,11 +1,13 @@
-MD5 551c99b5c7223b0e6aef7683f44b82a2 ChangeLog 3721
+MD5 eb061ed8cafe91d8f497b743e42af4a3 gradm-1.9.14.ebuild 1637
 MD5 41971cfb8a30ffde8e5eda975ed7bba7 gradm-1.9.11.ebuild 992
-MD5 f72e0ee53027f8138ed5b629e6dc40ec gradm-1.9.12.ebuild 992
 MD5 eb061ed8cafe91d8f497b743e42af4a3 gradm-1.9.13.ebuild 1637
+MD5 f72e0ee53027f8138ed5b629e6dc40ec gradm-1.9.12.ebuild 992
+MD5 551c99b5c7223b0e6aef7683f44b82a2 ChangeLog 3721
 MD5 9a09f8d531c582e78977dbfd96edc1f2 metadata.xml 164
+MD5 747a58a4e9af5abd23b672e8cf417c08 files/grsecurity.rc 1741
+MD5 407eeba68c4cd90a492624f3be3f6367 files/grsecurity 1922
+MD5 c2618fc7963e008681dfd08db6886058 files/gradm_parse.c-1.9.x.patch 524
 MD5 056158b3d525f5c9408814b8de558aff files/digest-gradm-1.9.11 63
 MD5 0e2f7f82f168a922e16d0c5312a44a93 files/digest-gradm-1.9.12 63
 MD5 6f65d72fd28be60fec03949a96a0431b files/digest-gradm-1.9.13 63
-MD5 c2618fc7963e008681dfd08db6886058 files/gradm_parse.c-1.9.x.patch 524
-MD5 407eeba68c4cd90a492624f3be3f6367 files/grsecurity 1922
-MD5 747a58a4e9af5abd23b672e8cf417c08 files/grsecurity.rc 1741
+MD5 f008a8f1133ea0db35a4ee305d390c23 files/digest-gradm-1.9.14 63
diff --git a/sys-apps/gradm/files/digest-gradm-1.9.14 b/sys-apps/gradm/files/digest-gradm-1.9.14
new file mode 100644
index 000000000000..9a774cb0ae51
--- /dev/null
+++ b/sys-apps/gradm/files/digest-gradm-1.9.14
@@ -0,0 +1 @@
+MD5 64b4f00004d24eeca54ef7b6f0885ded gradm-1.9.14.tar.gz 32139
diff --git a/sys-apps/gradm/files/grsecurity b/sys-apps/gradm/files/grsecurity
index 2352dfbe21bd..e746201aced4 100644
--- a/sys-apps/gradm/files/grsecurity
+++ b/sys-apps/gradm/files/grsecurity
@@ -1,22 +1,8 @@ # GR Security toggles. # +# Note: chpax support has been removed from this init script. +# Configure /etc/conf.d/chpax instead -# Files that we should remove PAGE_EXEC enforcement from -PAGE_EXEC_EXEMPT="/usr/X11R6/bin/XFree86 /usr/lib/wine/bin/wine" - -# Files we should turn off trampoline emmulation for -TRAMPOLINE_EXEMPT="" - -# Files we should not restrict mprotect on -MPROTECT_EXEMPT="" - -# Files we should not randomize mmap for -MMAP_EXEMPT="" - -# Files not to enforce segmentation based non-executable pages -SEGMENTATION_EXEMPT="${PAGE_EXEC_EXEMPT}" - -# # Check your running kernel for valid options. # "sysctl -a | grep kernel.grsecurity. | cut -d '.' -f 3 | awk '{print $1}'" # @@ -80,8 +66,22 @@ SEGMENTATION_EXEMPT="${PAGE_EXEC_EXEMPT}" # tpe_glibc # tpe_restrict_all +# Strict set with negligible performance impact: +#ENABLED="audit_chdir audit_group audit_ipc audit_mount chroot_caps \ +# chroot_deny_chmod chroot_deny_chroot chroot_deny_fchdir \ +# chroot_deny_mknod chroot_deny_mount chroot_deny_pivot \ +# chroot_deny_shmat chroot_deny_sysctl chroot_deny_unix \ +# chroot_enforce_chdir chroot_execlog chroot_findtask \ +# chroot_restrict_nice dmesg exec_logging execve_limiting \ +# fifo_restrictions forkfail_logging linking_restrictions rand_isns \ +# rand_ip_ids rand_pids rand_rpc rand_tcp_src_ports signal_logging \ +# socket_all socket_client socket_server timechange_logging tpe" + ENABLED="" +# Set when audit_group is enabled +audit_gid=1007 + # Set when allow_ptrace_group is enabled ptrace_gid=10 diff --git a/sys-apps/gradm/files/grsecurity.rc b/sys-apps/gradm/files/grsecurity.rc index b4a9ed4303ff..679100bd6dc5 100644 --- a/sys-apps/gradm/files/grsecurity.rc +++ b/sys-apps/gradm/files/grsecurity.rc 
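Review bot: The commented "Strict set" added in the second hunk lists `audit_group`, `tpe`, `socket_all`, `socket_client` and `socket_server`, each of which the init script pairs with a gid variable, yet nothing tells the admin to review those gids before uncommenting it. The new default `audit_gid=1007` is a bare number that may match no group, or an unrelated one, on a given system. I would put a comment above the set, `# Review audit_gid, tpe_gid and the socket_*_gid values below before enabling; they select the group each option applies to`, and mark the default with `# placeholder GID - set to the group you want audited`. The other gid variables are defined outside the hunk, so their defaults could not be checked here.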
@@ -1,12 +1,17 @@ #!/sbin/runscript # Copyright 1999-2003 Gentoo Technologies, Inc. # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-apps/gradm/files/grsecurity.rc,v 1.7 2003/06/16 18:37:01 solar Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-apps/gradm/files/grsecurity.rc,v 1.8 2004/03/11 22:45:09 eradicator Exp $ + +# Note: chpax support has been removed from this init script. +# Configure /etc/conf.d/chpax and add chpax to your default runlevel instead + PROCDIR=/proc/sys/kernel/grsecurity depend() { need bootmisc localmount + after chpax } checkconfig() { @@ -25,22 +30,35 @@ start() { # [ -f ${PROCDIR}/${x} ] && continue # einfo "\tEnabling kernel.grsecurity.${x}" case "${x}" in + audit_group) + echo ${audit_gid} > ${PROCDIR}/audit_gid + echo 1 > ${PROCDIR}/${x} + ;; + tpe) + echo ${tpe_gid} > ${PROCDIR}/tpe_gid + echo 1 > ${PROCDIR}/${x} + ;; allow_ptrace_group) echo ${ptrace_gid} > ${PROCDIR}/ptrace_gid + echo 1 > ${PROCDIR}/${x} ;; fork_bomb_prot) echo ${fork_bomb_gid} >${PROCDIR}/fork_bomb_gid echo ${fork_bomb_sec} >${PROCDIR}/fork_bomb_sec echo ${fork_bomb_max} >${PROCDIR}/fork_bomb_max + echo 1 > ${PROCDIR}/${x} ;; socket_all) echo ${socket_all_gid} >${PROCDIR}/socket_all_gid + echo 1 > ${PROCDIR}/${x} ;; socket_client) echo ${socket_client_gid} >${PROCDIR}/socket_client_gid + echo 1 > ${PROCDIR}/${x} ;; socket_server) echo ${socket_server_gid} >${PROCDIR}/socket_server_gid + echo 1 > ${PROCDIR}/${x} ;; *) [ -f ${PROCDIR}/${x} ] && echo 1 >${PROCDIR}/${x} 
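Review bot: In the second hunk every gid-dependent arm (`audit_group`, `tpe`, `allow_ptrace_group`, `fork_bomb_prot`, `socket_*`) now runs `echo 1 > ${PROCDIR}/${x}` without checking that its gid variable is set or that the sysctl file exists, while the `*)` arm keeps its `[ -f ${PROCDIR}/${x} ]` guard. If `tpe_gid` is empty, `echo ${tpe_gid} > ${PROCDIR}/tpe_gid` writes a blank line and the option is then switched on for whatever gid the kernel already holds; as far as the visible lines show, a failed write is also not reflected in the final `eend` status. A guard at the top of each arm, e.g. `[ -n "${tpe_gid}" -a -f ${PROCDIR}/${x} ] || { ewarn "tpe_gid unset, skipping ${x}"; continue; }`, together with quoting the expansions, would make a misconfiguration visible instead of silently applying the restriction to an unintended group. `tpe_gid` is not defined in the conf.d hunks of this commit, so presumably it is set outside them; start() begins before this hunk.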
@@ -48,26 +66,6 @@ start() { esac done - for x in ${PAGE_EXEC_EXEMPT} ; do - [ -f ${x} ] && /sbin/chpax -p ${x} - done - - for x in ${TRAMPOLINE_EXEMPT} ; do - [ -f ${x} ] && /sbin/chpax -e ${x} - done - - for x in ${MPROTECT_EXEMPT} ; do - [ -f ${x} ] && /sbin/chpax -m ${x} - done - - for x in ${MMAP_EXEMPT} ; do - [ -f ${x} ] && /sbin/chpax -r ${x} - done - - for x in ${SEGMENTATION_EXEMPT} ; do - [ -f ${x} ] && /sbin/chpax -s ${x} - done - [ -f ${PROCDIR}/grsec_lock ] && echo ${LOCK} >${PROCDIR}/grsec_lock eend ${?} diff --git a/sys-apps/gradm/gradm-1.9.14.ebuild b/sys-apps/gradm/gradm-1.9.14.ebuild new file mode 100644 index 000000000000..886d808dd9f8 --- /dev/null +++ b/sys-apps/gradm/gradm-1.9.14.ebuild 
@@ -0,0 +1,60 @@
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/gradm/gradm-1.9.14.ebuild,v 1.1 2004/03/11 22:45:07 eradicator Exp $
+
+inherit gcc flag-o-matic
+
+DESCRIPTION="Administrative interface for grsecurity ${PV} access control lists"
+SRC_URI="http://www.grsecurity.net/${P}.tar.gz"
+HOMEPAGE="http://www.grsecurity.net/"
+
+LICENSE="GPL-2"
+KEYWORDS="~x86 ~amd64 ~sparc ~ppc ~hppa"
+SLOT="0"
+
+IUSE=""
+DEPEND="virtual/glibc
+ sys-devel/bison
+ sys-devel/flex
+ sys-apps/chpax"
+
+S="${WORKDIR}/${PN}"
+
+src_unpack() {
+ unpack ${A}
+ cd ${S}
+ epatch ${FILESDIR}/gradm_parse.c-1.9.x.patch
+
+ # (Jan 2 2004) - <solar@gentoo>
+ # static linking required for proper operation of gradm
+ # however ssp is known to break static linking when it's enabled
+ # in >=gcc-3.3.1 && <=gcc-3.3.2-r5 . So we strip ssp if needed.
+ gmicro=$(gcc-micro-version)
+ if [ "$(gcc-version)" == "3.3" -a -n "${gmicro}" -a ${gmicro} -le 2 ]; then
+ # extract out gentoo revision
+ gentoo_gcc_r=$($(gcc-getCC) -v 2>&1 | tail -n 1 | awk '{print $7}')
+ gentoo_gcc_r=${gentoo_gcc_r/,/}
+ gentoo_gcc_r=${gentoo_gcc_r/-/ }
+ gentoo_gcc_r=${gentoo_gcc_r:7}
+ [ -n "${gentoo_gcc_r}" -a ${gentoo_gcc_r} -le 5 ] && \
+ filter-flags -fstack-protector -fstack-protector-all
+ fi
+
+ sed -i -e "s|-O2|${CFLAGS}|" Makefile
+}
+
+src_compile() {
+ emake CC="$(gcc-getCC)" || die "compile problem"
+}
+
+src_install() {
+ doman gradm.8
+ dodoc acl
+ exeinto /etc/init.d
+ newexe ${FILESDIR}/grsecurity.rc grsecurity
+ insinto /etc/conf.d
+ doins ${FILESDIR}/grsecurity
+ into /
+ dosbin gradm
+ fperms 700 /sbin/gradm
+} |
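Review bot: The revision test in src_unpack, `[ -n "${gentoo_gcc_r}" -a ${gentoo_gcc_r} -le 5 ]`, expands `${gentoo_gcc_r}` unquoted and evaluates both operands, so when the `gcc -v` parsing yields an empty string `[` reports a syntax error and the SSP flags are left in place without any message, which is the case the comment says breaks the static link. Splitting and quoting it, `[ -n "${gentoo_gcc_r}" ] && [ "${gentoo_gcc_r}" -le 5 ] && \`, keeps the same outcome for valid input and removes the parse error for empty input. The outer `-n "${gmicro}" -a ${gmicro} -le 2` test has the same weakness. A comment giving a constructed sample of the `gcc -v` line the `awk '{print $7}'` and `:7` offsets expect would help the next maintainer check the parsing.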