Diffstat (limited to 'kernels/gradm/usr.patch')
-rw-r--r--kernels/gradm/usr.patch115
1 files changed, 115 insertions, 0 deletions
diff --git a/kernels/gradm/usr.patch b/kernels/gradm/usr.patch
new file mode 100644
index 000000000..b3e5e77ab
--- /dev/null
+++ b/kernels/gradm/usr.patch
@@ -0,0 +1,115 @@
+diff --git a/gradm_adm.c b/gradm_adm.c
+index bdcfd7d..9681b3c 100644
+--- a/gradm_adm.c
++++ b/gradm_adm.c
+@@ -72,12 +72,13 @@ add_gradm_acl(struct role_acl *role)
+
+ gradm_name = gr_strdup(gradm_realpath);
+ if (gr_enable && strcmp(gradm_name, GRADM_PATH)) {
+- printf("You are attempting to use a gradm binary other "
+- "than the installed version. Depending on your "
++ printf("You are attempting to use a gradm binary (%s) other "
++ "than the installed version (%s). Depending on your "
+ "policy, you could be locking yourself out of "
+ "your machine by enabling the RBAC system with "
+ "this binary. Press \'y\' if you wish to ignore "
+- "this warning, or any other key to cancel.\n>");
++ "this warning, or any other key to cancel.\n>",
++ gradm_name, GRADM_PATH);
+ if (getchar() != 'y')
+ exit(EXIT_FAILURE);
+ }
+@@ -259,11 +260,6 @@ static void add_fulllearn_shutdown_acl(void)
+ ADD_OBJ("/dev/urandom", "r");
+ ADD_OBJ("/dev/random", "r");
+ ADD_OBJ("/etc", "r");
+- ADD_OBJ("/bin", "rx");
+- ADD_OBJ("/sbin", "rx");
+- ADD_OBJ("/lib", "rx");
+- ADD_OBJ("/lib32", "rx");
+- ADD_OBJ("/lib64", "rx");
+ ADD_OBJ("/usr", "rx");
+ ADD_OBJ("/proc", "r");
+ ADD_OBJ("/boot", "h");
+@@ -276,9 +272,9 @@ static void add_fulllearn_shutdown_acl(void)
+ ADD_OBJ("/proc/slabinfo", "h");
+ ADD_OBJ("/proc/modules", "h");
+ ADD_OBJ("/proc/kallsyms", "h");
+- ADD_OBJ("/lib/modules", "hs");
+- ADD_OBJ("/lib32/modules", "hs");
+- ADD_OBJ("/lib64/modules", "hs");
++ ADD_OBJ("/usr/lib/modules", "hs");
++ ADD_OBJ("/usr/lib32/modules", "hs");
++ ADD_OBJ("/usr/lib64/modules", "hs");
+ ADD_OBJ("/etc/ssh", "h");
+ add_cap_acl(current_subject, "-CAP_ALL", NULL);
+
+diff --git a/gradm_analyze.c b/gradm_analyze.c
+index 74ec86f..da365a4 100644
+--- a/gradm_analyze.c
++++ b/gradm_analyze.c
+@@ -778,17 +778,17 @@ analyze_acls(void)
+ errs_found++;
+ }
+
+- if (!stat("/lib/modules", &fstat) && !check_permission(role, def_acl, "/lib/modules", &chk)) {
++ if (!stat("/usr/lib/modules", &fstat) && !check_permission(role, def_acl, "/usr/lib/modules", &chk)) {
+ fprintf(stderr,
+- "Writing access is allowed by role %s to /lib/modules, the directory which "
++ "Writing access is allowed by role %s to /usr/lib/modules, the directory which "
+ "holds kernel modules.\n\n",
+ role->rolename);
+ errs_found++;
+ }
+
+- if (!stat("/lib64/modules", &fstat) && !check_permission(role, def_acl, "/lib64/modules", &chk)) {
++ if (!stat("/usr/lib64/modules", &fstat) && !check_permission(role, def_acl, "/usr/lib64/modules", &chk)) {
+ fprintf(stderr,
+- "Writing access is allowed by role %s to /lib64/modules, the directory which "
++ "Writing access is allowed by role %s to /usr/lib64/modules, the directory which "
+ "holds kernel modules.\n\n",
+ role->rolename);
+ errs_found++;
+diff --git a/gradm_defs.h b/gradm_defs.h
+index 961a7b9..56d6378 100644
+--- a/gradm_defs.h
++++ b/gradm_defs.h
+@@ -4,9 +4,9 @@
+ #ifndef GRSEC_DIR
+ #define GRSEC_DIR "/etc/grsec"
+ #endif
+-#define GRLEARN_PATH "/sbin/grlearn"
+-#define GRADM_PATH "/sbin/gradm"
+-#define GRPAM_PATH "/sbin/gradm_pam"
++#define GRLEARN_PATH "/usr/bin/grlearn"
++#define GRADM_PATH "/usr/bin/gradm"
++#define GRPAM_PATH "/usr/bin/gradm_pam"
+ #define GRDEV_PATH "/dev/grsec"
+ #define GR_POLICY_PATH GRSEC_DIR "/policy"
+ #define GR_PW_PATH GRSEC_DIR "/pw"
+diff --git a/gradm_fulllearn.c b/gradm_fulllearn.c
+index 4d10060..6ce744d 100644
+--- a/gradm_fulllearn.c
++++ b/gradm_fulllearn.c
+@@ -449,8 +449,8 @@ static const char *initial_roles_str =
+ "\t/proc/slabinfo\th\n"
+ "\t/proc/modules\th\n"
+ "\t/proc/kallsyms\th\n"
+-"\t/lib/modules\ths\n"
+-"\t/lib64/modules\ths\n"
++"\t/usr/lib/modules\ths\n"
++"\t/usr/lib64/modules\ths\n"
+ "\t/etc/ssh\th\n"
+ "}\n\n"
+ "role admin sA\n"
+@@ -463,10 +463,6 @@ static const char *initial_roles_str =
+ "\t/dev/urandom r\n"
+ "\t/dev/random r\n"
+ "\t/etc r\n"
+-"\t/bin rx\n"
+-"\t/sbin rx\n"
+-"\t/lib rx\n"
+-"\t/lib64 rx\n"
+ "\t/usr rx\n"
+ "\t/proc r\n"
+ "\t$grsec_denied\n"
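Review bot: Dropping the `/bin`, `/sbin`, `/lib`, `/lib32` and `/lib64` objects from add_fulllearn_shutdown_acl and initial_roles_str, and moving the `/lib*/modules` "hs" entries and the analyze_acls checks to `/usr/...`, only keeps the same coverage on a merged-/usr system where those top-level directories are symlinks into /usr; on a host where `/lib/modules` is a real directory the module tree is presumably no longer hidden by the shutdown/admin policy and analyze_acls no longer warns about write access to it. Nothing in the patch records that assumption, so a reader applying it to a non-merged layout would not see the gap. I would add a header paragraph before the first `diff --git` line, which patch tooling ignores, e.g. `Assumes a merged /usr: /bin, /sbin, /lib, /lib32 and /lib64 are symlinks into /usr, so the /usr objects and the /usr/lib*/modules "hs" entries cover the legacy paths.` If the merge is not guaranteed for every target, keeping the old `/lib*/modules` "hs" lines next to the new ones is the safer option, since the analyze_acls checks already stat the path before reporting. Note also that gradm_fulllearn.c's initial_roles_str hides only `/usr/lib/modules` and `/usr/lib64/modules` while gradm_adm.c additionally hides `/usr/lib32/modules`; that asymmetry predates this patch but is worth aligning while touching both.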