authorPreston A. Elder <prez@gentoo.org>2002-05-01 17:39:37 +0000
committerPreston A. Elder <prez@gentoo.org>2002-05-01 17:39:37 +0000
commit8e2f76ad19b35efa78f41785a6d27bb5851b3f6e (patch)
treefc31c701b231aafb89be194f7e791033e6d1b4c5 /sys-apps/gradm
parentNew ebuild. resolves #2302 (diff)
Added gradm, and appropriate init scripts to handle grsecurity.
Diffstat (limited to 'sys-apps/gradm')
-rw-r--r--sys-apps/gradm/ChangeLog9
-rw-r--r--sys-apps/gradm/files/digest-gradm-1.2.12
-rw-r--r--sys-apps/gradm/files/grsecurity84
-rw-r--r--sys-apps/gradm/files/grsecurity.rc77
-rw-r--r--sys-apps/gradm/gradm-1.2.1.ebuild37
5 files changed, 209 insertions, 0 deletions
diff --git a/sys-apps/gradm/ChangeLog b/sys-apps/gradm/ChangeLog
new file mode 100644
index 000000000000..7dab3d08c6de
--- /dev/null
+++ b/sys-apps/gradm/ChangeLog
@@ -0,0 +1,9 @@
+# ChangeLog for media-gfx/scrot
+# Copyright 2002 Gentoo Technologies, Inc.; Distributed under the GPL
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/gradm/ChangeLog,v 1.1 2002/05/01 17:39:37 prez Exp $
+
+*gradm-1.2.1 (1 May 2002)
+
+ 1 May 2002; Preston A. Elder <prez@gentoo.org> ChangeLog :
+
+ Initial ebuild... Enjoy..
diff --git a/sys-apps/gradm/files/digest-gradm-1.2.1 b/sys-apps/gradm/files/digest-gradm-1.2.1
new file mode 100644
index 000000000000..708b71ab7204
--- /dev/null
+++ b/sys-apps/gradm/files/digest-gradm-1.2.1
@@ -0,0 +1,2 @@
+MD5 c01a10eecf430eb4a58180900b37903a gradm-1.2.1.tar.gz 41602
+MD5 618ddb3d563f4e3cbfb13c9c770dd99c chpax.c 4776
diff --git a/sys-apps/gradm/files/grsecurity b/sys-apps/gradm/files/grsecurity
new file mode 100644
index 000000000000..59e746042c6e
--- /dev/null
+++ b/sys-apps/gradm/files/grsecurity
@@ -0,0 +1,84 @@
+# GR Security toggles.
+#
+
+# Files that we should remove PAGE_EXEC enforcement from
+PAGE_EXEC_EXEMPT="/usr/X11R6/bin/XFree86"
+
+# Files we should turn off trampoline emmulation for
+TRAMPOLINE_EXEMPT=""
+
+# Files we should not restrict mprotect on
+MPROTECT_EXEMPT=""
+
+# Files we should not randomize mmap for
+MMAP_EXEMPT=""
+
+# Kernel options are:
+#
+# allow_ptrace_group
+# alt_ipc_perms
+# altered_pings
+# audit_chdir
+# audit_group
+# audit_ipc
+# audit_mount
+# audit_ptrace
+# chroot_caps
+# chroot_deny_chdir
+# chroot_deny_chmod
+# chroot_deny_chroot
+# chroot_deny_mknod
+# chroot_deny_mount
+# chroot_deny_ptrace
+# chroot_execlog
+# chroot_restrict_nice
+# chroot_restrict_sigs
+# coredump
+# deny_phys_root
+# deny_serial_root
+# deny_pseudo_root
+# dmesg
+# exec_logging
+# execve_limiting
+# fifo_restrictions
+# fork_bomb_prot
+# forkfail_logging
+# linking_restrictions
+# rand_ip_ids
+# rand_pids
+# rand_rpc
+# rand_tcp_src_ports
+# rand_ttl
+# restrict_ptrace
+# secure_fds
+# secure_kbmap
+# signal_logging
+# socket_all
+# socket_client
+# socket_server
+# suid_logging
+# suid_root_logging
+# timechange_logging
+# tpe
+# tpe_glibc
+# tpe_restrict_all
+ENABLED=""
+
+# Set when allow_ptrace_group is enabled
+ptrace_gid=10
+
+# Set when tpe is enabled
+tpe_gid=1005
+
+# Set when fork_bomb_prot is enabled
+fork_bomb_gid=1006
+fork_bomb_sec=40
+fork_bomb_max=20
+
+# Set when one of socket_* is enabled
+socket_all_gid=1004
+socket_cilent_gid=1003
+socket_server_gid=1002
+
+# Lock the above settings on boot
+LOCK=0
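Review bot: The variable `socket_cilent_gid` in the socket_* group settings is misspelled, while the init script added in this same commit reads `${socket_client_gid}`. With socket_client enabled, the script would therefore write an empty value to the socket_client_gid entry, and the restriction would not be bound to the group the administrator configured. Rename the line to `socket_client_gid=1003`. Separately, the comment above `LOCK=0` could say what locking means for an operator, for example `# 1 = apply the settings above and refuse further changes until reboot; 0 = leave them changeable`, assuming that is what the kernel's grsec_lock entry does.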
diff --git a/sys-apps/gradm/files/grsecurity.rc b/sys-apps/gradm/files/grsecurity.rc
new file mode 100644
index 000000000000..25a93545382c
--- /dev/null
+++ b/sys-apps/gradm/files/grsecurity.rc
@@ -0,0 +1,77 @@
+#!/sbin/runscript
+# Copyright 1999-2002 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License, v2 or later
+# /space/gentoo/cvsroot/gentoo-x86/sys-libs/gpm/files/gpm.rc6,v 1.7 2002/01/20 10:00:55 azarah Exp
+
+#NB: Config is in /etc/conf.d/gpm
+
+PROCDIR=/proc/sys/kernel/grsecurity
+
+depend() {
+ need bootmisc localmount
+}
+
+checkconfig() {
+ if [ ! -d ${PROCDIR} ] ; then
+ eerror "You must have GR security turned on in your kernel."
+ return 1
+ fi
+}
+
+start() {
+ checkconfig || return 1
+
+ ebegin "Starting grsecurity"
+
+ for x in ${ENABLED} ; do
+ if [ -f ${PROCDIR}/${x} ]; then
+ echo 1 >${PROCDIR}/${x}
+ fi
+ case "${x}" in
+ allow_ptrace_group)
+ echo ${ptrace_gid} >${PROCDIR}/ptrace_gid
+ ;;
+ fork_bomb_prot)
+ echo ${fork_bomb_gid} >${PROCDIR}/fork_bomb_gid
+ echo ${fork_bomb_sec} >${PROCDIR}/fork_bomb_sec
+ echo ${fork_bomb_max} >${PROCDIR}/fork_bomb_max
+ ;;
+ socket_all)
+ echo ${socket_all_gid} >${PROCDIR}/socket_all_gid
+ ;;
+ socket_client)
+ echo ${socket_client_gid} >${PROCDIR}/socket_client_gid
+ ;;
+ socket_server)
+ echo ${socket_server_gid} >${PROCDIR}/socket_server_gid
+ ;;
+ esac
+ done
+
+ for x in ${PAGE_EXEC_EXEMPT} ; do
+ /sbin/chpax -p ${x}
+ done
+
+ for x in ${TRAMPOLINE_EXEMPT} ; do
+ /sbin/chpax -e ${x}
+ done
+
+ for x in ${MPROTECT_EXEMPT} ; do
+ /sbin/chpax -m ${x}
+ done
+
+ for x in ${MMAP_EXEMPT} ; do
+ /sbin/chpax -r ${x}
+ done
+
+ if [ -d ${PROCDIR}/grsec_lock ] ; then
+ echo ${LOCK} >${PROCDIR}/grsec_lock
+ fi
+
+ eend ${?}
+}
+
+#stop() {
+# ebegin "Stopping grsecurity"
+# eend ${?}
+#}
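Review bot: The lock step at the end of start() tests `[ -d ${PROCDIR}/grsec_lock ]`, but every other entry under ${PROCDIR} is treated as a regular file (`-f` in the ENABLED loop), so this test presumably never succeeds and LOCK=1 is silently never applied; use `if [ -f ${PROCDIR}/grsec_lock ] ; then`. The case statement has no `tpe)` arm, so the tpe_gid from the config file is never written; an arm such as `tpe) echo ${tpe_gid} >${PROCDIR}/tpe_gid ;;` would match the others, assuming the kernel exposes that entry. Each feature is switched on (`echo 1`) before its gid or limits are written, and the gid writes run even when the `-f` check on the toggle failed; writing the parameters first inside the `-f` branch would avoid a window with default values. `eend ${?}` reports only the status of the final `if`, so a failed write earlier in start() still ends with a success message. The header comment `#NB: Config is in /etc/conf.d/gpm` should name /etc/conf.d/grsecurity.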
diff --git a/sys-apps/gradm/gradm-1.2.1.ebuild b/sys-apps/gradm/gradm-1.2.1.ebuild
new file mode 100644
index 000000000000..c93931224262
--- /dev/null
+++ b/sys-apps/gradm/gradm-1.2.1.ebuild
@@ -0,0 +1,37 @@
+# Copyright 1999-2001 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License, v2 or later
+# Author Preston A. Elder <prez@goth.net>
+
+DESCRIPTION="Administratinve interface to grsecurity"
+SRC_URI="http://www.grsecurity.net/gradm-1.2.1.tar.gz
+ http://pageexec.virtualave.net/chpax.c"
+HOMEPAGE="http://www.grsecurity.net"
+#DEPEND=""
+
+src_unpack() {
+ unpack ${P}.tar.gz
+ cd ${S}
+ cp ${DISTDIR}/chpax.c .
+}
+
+src_compile() {
+ ./configure || die
+ emake || die
+ emake chpax || die
+}
+
+src_install() {
+ dodir /sbin /etc/grsec /etc/init.d /etc/conf.d /usr/share/man/man8
+
+ cp gradm ${D}/sbin
+ gzip -9 gradm.8
+ cp gradm.8.gz ${D}/usr/share/man/man8
+ cp chpax ${D}/sbin
+ chmod 0700 ${D}/sbin/*
+ cp ${FILESDIR}/grsecurity.rc ${D}/etc/init.d/grsecurity
+ chmod 755 ${D}/etc/init.d/*
+ cp ${FILESDIR}/grsecurity ${D}/etc/conf.d/grsecurity
+ chmod 644 ${D}/etc/conf.d/*
+
+ dodoc ChangeLog* INSTALL COPYING
+}
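Review bot: None of the copy steps in src_install() check for failure, and neither do `cd ${S}` and `cp ${DISTDIR}/chpax.c .` in src_unpack(). A missing gradm or chpax binary would therefore still produce a package that merges cleanly, while the installed init script calls /sbin/chpax. Append `|| die` as src_compile() already does, e.g. `cd ${S} || die` and `cp chpax ${D}/sbin || die`. chpax.c is also fetched as an unversioned single file over plain HTTP, so the MD5 entry in the digest is the only thing tying the build to the source that was looked at. A comment above SRC_URI recording which upstream revision of chpax.c the digest corresponds to would make a later digest mismatch easier to judge.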