From: Michael Tremer
Date: Wed, 4 Feb 2009 15:40:44 +0000 (+0100)
Subject: Added sysctl settings for grsec.
X-Git-Tag: v3.0-alpha1~42
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b48ba102038598d0ad730132073902e66f6b754f;p=ipfire-3.x.git

Added sysctl settings for grsec.
---

diff --git a/config/grsecurity/sysctl.conf b/config/grsecurity/sysctl.conf
new file mode 100644
index 000000000..a9780214c
--- /dev/null
+++ b/config/grsecurity/sysctl.conf
@@ -0,0 +1,6 @@
+# Begin /etc/grsec/sysctl.conf
+
+# Locking all settings - must be the last line
+kernel.grsecurity.grsec_lock = 1
+
+# End /etc/grsec/sysctl.conf
diff --git a/lfs/stage2 b/lfs/stage2
index 12f0c3d88..3e4d4ea62 100644
--- a/lfs/stage2
+++ b/lfs/stage2
@@ -47,7 +47,7 @@ $(OBJECT) :
 @$(PREBUILD)
 # Create directories
- -mkdir -pv /{bin,boot,etc/{opt,sysconfig},home,lib,mnt,opt}
+ -mkdir -pv /{bin,boot,etc/{grsec,opt,sysconfig},home,lib,mnt,opt}
 -mkdir -pv /{media/{floppy,cdrom},sbin,srv,var}
 -install -dv -m 0750 /root
 -install -dv -m 1777 /tmp /var/tmp
@@ -85,6 +85,9 @@ $(OBJECT) :
 for i in $$(find $(DIR_CONFIG)/root/ -type f); do \
 cp -vf $$i /root; \
 done
+ for i in $$(find $(DIR_SRC)/config/grsecurity/ -type f); do \
+ cp -vf $$i /etc/grsec; \
+ done
 -mkdir -pv /etc/modprobe.d
 cp -av $(DIR_CONF)/modprobe.d/* /etc/modprobe.d/
diff --git a/src/initscripts/core/sysctl b/src/initscripts/core/sysctl
index cbae2408b..b0867cf16 100644
--- a/src/initscripts/core/sysctl
+++ b/src/initscripts/core/sysctl
@@ -26,6 +26,12 @@ case "${1}" in
 sysctl -q -p
 evaluate_retval standard
 fi
+ if [ -d "/proc/sys/kernel/grsecurity" -a \
+ -f "/etc/grsec/sysctl.conf" ]; then
+ message="Setting grsecurity parameters..."
+ sysctl -q -p /etc/grsec/sysctl.conf
+ evaluate_retval standard
+ fi
 ;;
 status)
diff --git a/src/install/etc/grsec/sysctl.conf b/src/install/etc/grsec/sysctl.conf
new file mode 100644
index 000000000..808d83095
--- /dev/null
+++ b/src/install/etc/grsec/sysctl.conf
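Review bot: Nothing in config/grsecurity/sysctl.conf says which image it is for, yet src/install/etc/grsec/sysctl.conf, added later in this commit, carries the same `# Begin /etc/grsec/sysctl.conf` header with different content (it also sets `kernel.grsecurity.chroot_caps = 0`). With two files claiming the same target path, a later hardening change can easily land in only one of them. A header comment such as `# Copy for the installed system; the installer image uses src/install/etc/grsec/sysctl.conf` would make the split explicit, assuming that is the intended split, which the diff does not show.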
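Review bot: In lfs/stage2 hunk `@@ -47,7 +47,7 @@`, /etc/grsec is created by the brace-expanding `-mkdir -pv` line, so its mode comes from the build umask and the leading `-` hides a failed creation. This directory holds the file that locks the grsecurity sysctls, so an explicit mode in the style of the `-install -dv -m 0750 /root` line two lines further down would be more predictable, for example `install -dv -m 0700 /etc/grsec`. The recipe for `$(OBJECT)` starts and ends outside the hunk.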
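Review bot: In lfs/stage2 hunk `@@ -85,6 +85,9 @@`, the new copy loop fails the recipe only if its last `cp` fails, and it succeeds silently when `find` returns nothing. The initscript change in this commit skips the grsecurity step when /etc/grsec/sysctl.conf is absent, so a broken copy ends in a system that boots without the lock and reports nothing. Stopping on the first error closes that gap: `cp -vf $$i /etc/grsec || exit 1; \`. The source path is spelled `$(DIR_SRC)/config/grsecurity/` while the loop directly above uses `$(DIR_CONFIG)/root/`; if `DIR_CONFIG` names the same config directory (its definition is outside the hunk), using it here keeps the two loops consistent.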
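Review bot: In src/initscripts/core/sysctl, the added block will likely report a failure whenever this branch runs a second time in the same boot. The file it loads ends with `kernel.grsecurity.grsec_lock = 1`, after which writes to kernel.grsecurity.* should be refused, so `sysctl -q -p /etc/grsec/sysctl.conf` returns non-zero and `evaluate_retval` flags an error even though the system is in the intended state. Guarding on the current lock value avoids the false alarm, for example adding `[ "$(sysctl -n kernel.grsecurity.grsec_lock 2>/dev/null)" != "1" ]` to the condition. The block also deserves a comment, `# Load last: grsec_lock makes kernel.grsecurity.* read-only until reboot`, and `[ -d … ] && [ -f … ]` is preferable to the obsolescent `-a` inside a single test. The enclosing `case` branch starts outside the hunk.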
@@ -0,0 +1,9 @@
+# Begin /etc/grsec/sysctl.conf
+
+# Disable chroot caps
+kernel.grsecurity.chroot_caps = 0
+
+# Locking all settings - must be the last line
+kernel.grsecurity.grsec_lock = 1
+
+# End /etc/grsec/sysctl.conf
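Review bot: `kernel.grsecurity.chroot_caps = 0` turns off grsecurity's capability restriction for chrooted processes, and the lock two lines later makes that weakening permanent until reboot, yet the comment `# Disable chroot caps` reads as if capabilities were being removed. If the installer needs full capabilities inside its chroot (not visible in this diff), the comment should say so, e.g. `# Installer runs privileged tools inside a chroot; turn off the chroot capability restriction`. It is also worth confirming that this copy can never reach an installed system, since it shares its /etc/grsec/sysctl.conf header with config/grsecurity/sysctl.conf.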