path: root/kernels/gradm/policy

#sample default policy for grsecurity
#
# Role flags:
# A -> This role is an administrative role, thus it has special privilege normal
#      roles do not have.  In particular, this role bypasses the 
#      additional ptrace restrictions
# N -> Don't require authentication for this role.  To access
#      the role, use gradm -n <rolename>
# s -> This role is a special role, meaning it does not belong to a
#      user or group, and does not require an enforced secure policy
#      base to be included in the ruleset
# u -> This role is a user role
# g -> This role is a group role
# G -> This role can use gradm to authenticate to the kernel
#      A policy for gradm will automatically be added to the role
# T -> Enable TPE for this role
# l -> Enable learning for this role
# P -> Use PAM authentication for this role.
# R -> Enable persistence of special role.  Normal special roles will
#      be removed upon exit of the process that entered the role, or
#      upon unauth (this is what changes the apache process' role back 
#      to its normal role after being restarted from the admin role, for
#      instance).  Role persistence allows a special role to be used for
#      system shutdown, as the point at which the admin's shell/SSH 
#      session is terminated won't cause the rest of the shutdown 
#      sequence to execute with reduced privilege.  Do *NOT* use this 
#      flag with any role that does anything but shut the system down.
#      This role will also be transferred to the init process upon
#      writing to /dev/initctl.  This allows init to execute the rc 
#      scripts for shutdown with the necessary privilege.
#      For usability reasons, we allow the removal of persistence through
#      the normal unauth process (so persistence only survives exit).
#
# a role can only be one of user, group, or special
#
# role_allow_ip IP/optional netmask
# eg: role_allow_ip 192.168.1.0/24
# You can have as many of these per role as you want
# They restrict the use of a role to a list of IPs.  If a user
# is on the system that would normally get the role does not
# belong to those lists of IPs, the system falls back through
# its method of determining a role for the user
#
# Role hierarchy
# user -> group -> default
# First a user role attempts to match, if one is not found,
# a group role attempts to match, if one is not found,
# the default role is used.
#
# role_transitions <special role 1> <special role 2> ... <special role n>
# eg: role_transitions www_admin dns_admin
#
# role transitions specify which special roles a given role is allowed
# to authenticate to.  This applies to special roles that do not
# require password authentication as well.  If a user tries to
# authenticate to a role that is not within his transition table, he
# will receive a permission denied error
#
# Nested subjects
# subject /bin/su:/bin/bash:/bin/cat
#	  / rwx
#	  +CAP_ALL
# grant privilege to specific processes if they are executed
# within a trusted path.  In this case, privilege is
# granted if /bin/cat is executed from /bin/bash, which is
# executed from /bin/su.
#
# Configuration inheritance on nested subjects
# nested subjects inherit rules from their parents.  In the
# example above, the nested subject would inherit rules
# from the nested subject for /bin/su:/bin/bash,
# and the subject /bin/su
# View the 1.9.x documentation for more information on
# configuration inheritance
#
# new object modes:
# m -> allow creation of setuid/setgid files/directories
#      and modification of files/directories to be setuid/setgid
# M -> audit the setuid/setgid creation/modification
# c -> allow creation of the file/directory
# C -> audit the creation
# d -> allow deletion of the file/directory
# D -> audit the deletion
# p -> reject all ptraces to this object
# l -> allow a hardlink at this path
#	(hardlinking requires at a minimum c and l modes, and the target
#	 link cannot have any greater permission than the source file)
# L -> audit link creation
# f -> needed to mark the pipe used for communication with init
#      to transfer the privilege of the persistent role; only valid
#      within a persistent role.  Transfer only occurs when the file is 
#      opened for writing
#
# new subject modes:
# O -> disable "writable library" restrictions for this task
# t -> allow this process to ptrace any process (use with caution)
# r -> relax ptrace restrictions (allows process to ptrace processes
#      other than its own descendants)
# i -> enable inheritance-based learning for this subject, causing
#      all accesses of this subject and anything it executes to be placed
#      in this subject, and inheritance flags added to executable objects
#      in this subject
# a -> allow this process to talk to the /dev/grsec device
# s -> enable AT_SECURE when entering this subject
#      (enables the same environment sanitization that occurs in glibc
#	upon execution of a suid binary)
# x -> allows executable anonymous shared memory for this subject
#
# user/group transitions:
# You may now specify what users and groups a given subject can
# transition to.  This can be done on an inclusive or exclusive basis.
# Omitting these rules allows a process with proper privilege granted by
# capabilities to transition to any user/group.
#
# Examples:
# subject /bin/su
# user_transition_allow root spender
# group_transition_allow root spender
# subject /bin/su
# user_transition_deny evilhacker
# subject /bin/su
# group_transition_deny evilhacker1 evilhacker2
#
# Domains:
# With domains you can combine users that don't share a common
# GID as well as groups so that they share a single policy
# Domains work just like roles, with the only exception being that
# the line starting with "role" is replaced with one of the following:
# domain somedomainname u user1 user2 user3 user4 ... usern
# domain somedomainname g group1 group2 group3 group4 ... groupn
#
# Inverted socket policies:
# Rules such as
# connect ! www.google.com:80 stream tcp
# are now allowed, which allows you to specify that a process can connect to anything
# except to port 80 of www.google.com with a stream tcp socket
# the inverted socket matching also works on bind rules
#
# INADDR_ANY overriding
# You can now force a given subject to bind to a particular IP address on the machine
# This is useful for some chrooted environments, to ensure that the source IP they
# use is one of your choosing
# to use, add a line like:
# ip_override 192.168.0.1
#
# Per-interface socket policies:
# Rules such as
# bind eth1:80 stream tcp
# bind eth0#1:22 stream tcp
# are now allowed, giving you the ability to tie specific socket rules 
# to a single interface (or by using the inverted rules, all but one 
# interface).  Virtual interfaces are specified by the <ifname>#<vindex>
# syntax.  If an interface is specified, no IP/netmask or host may be
# specified for the rule.
#
# Allowing additional socket families:
# Before v2.2.1 of the RBAC system, a subject that specified
# connect/bind rules limited only the socket usage of IPv4, allowing
# any other socket families to be used.  Starting with v2.2.1 of the 
# RBAC system, when connect/bind rules are used, additional rules
# will be required to unlock the use of additional socket families 
# (outside of the common unix family).  Multiple families can be
# specified per line.
# To enable use of IPv6, add the line:
# sock_allow_family ipv6
# To enable use of netlink, add the line:
# sock_allow_family netlink
# To enable all other families, add the line:
# sock_allow_family all
#
# New learning system:
# To learn on a given subject: add l (the letter l, not the number 1)
# to the subject mode
# If you want to learn with the most restrictive policy, use the 
# following:
# subject /path/to/bin lo
#    / h
#    -CAP_ALL
#    connect disabled
#    bind disabled
# Resource learning is also supported, so lines like
#    RES_AS 0 0
# can be used to learn a particular resource
#
# To learn on a given role, add l to the role mode
# For both of these, to enable learning, enable the system like:
# gradm -L /etc/grsec/learning.logs -E
# and then generate the rules after disabling the system after the 
# learning phase with:
# gradm -L /etc/grsec/learning.logs -O /etc/grsec/policy
# To use full system learning, enable the system like:
# gradm -F -L /etc/grsec/learning.logs
# and then generate the rules after disabling the system after the 
# learning phase with:
# gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/policy
#
# New PaX flag format (replaces PaX subject flags):
# PaX flags can be forced on or off, regardless of the flags on the 
# binary, by using + or - before the following PaX flag names:
# PAX_SEGMEXEC
# PAX_PAGEEXEC
# PAX_MPROTECT
# PAX_RANDMMAP
# PAX_EMUTRAMP
#
# New feature for easier policy maintenance:
# replace <variable name> <replace string>
# e.g.:
# replace CVSROOT /home/cvs
# now $(CVSROOT) can be used in any subject or object pathname, like:
# $(CVSROOT)/grsecurity r
# This will translate to /home/cvs/grsecurity r
# This feature makes it easier to update policies by naming specific
# paths by their function, then only having to update those paths once
# to have it affect a large number of subjects/objects.
#
# capability auditing / log suppression
# use of a capability can be audited by adding "audit" to the line, eg:
# +CAP_SYS_RAWIO audit
# log suppression for denial of a capbility can be done by adding "suppress":
# -CAP_SYS_RAWIO suppress
#
# Per-role umask enforcement:
# If you have a user that you want to be assured cannot accidentally
# create a file that others can read (a confidentiality issue)
# add the following under the role declaration:
# role_umask 077
# any normal octal umask may be specified
# Note that unlike the normal umask, this umask will also apply
# to the permissions one can chmod/fchmod a file to
#
# Note that the omission of any feature of a role or subject
# results in a default-allow
# For instance, if no capability rules are added, an implicit +CAP_ALL is used
#
# Commonly-used objects can be defined and used in multiple subjects
# As an example, we'll create a variable out of a list of objects
# and their associated permissions that RBAC enforces
define grsec_denied {
	/boot				h
	/dev/grsec			h
	/dev/kmem			h
	/dev/mem			h
	/dev/port			h
	/etc/grsec			h
	/proc/kcore			h
	/proc/slabinfo		h
	/proc/modules		h
	/proc/kallsyms		h
	# hide and suppress logs about accessing this path
	/usr/lib/modules 	hs
	/etc/ssh			h
}
# usage:
# $grsec_denied

role shutdown sARG
subject / rvka
	/
	/dev
	/dev/urandom	r
	/dev/random		r
	/etc			r
	/usr			rx
	/proc			r
	$grsec_denied
	-CAP_ALL
	connect disabled
	bind disabled

subject /usr/lib/systemd/systemd rvkao
	/ rwcdmlxi
subject /usr/bin/systemctl rvkao
	/ rwcdmlxi
	/dev/initctl rwf
	/run/initctl rwf

# Make sure to unauthenticate with gradm -u from
# the admin role after restarting a service
# The service started will run with admin
# privileges until you run gradm -u or your shell exits

role admin sA
subject / rvka
	/ rwcdmlxi

role default G
role_transitions admin shutdown
subject /
	/		r
	/opt		rx
	/home		rwxcd
	/mnt		rw
	/dev
	/dev/urandom	r
	/dev/random	r
	/dev/zero	rw
	/dev/input	rw
	/dev/psaux	rw
	/dev/null	rw
	/dev/tty?	rw
	/dev/console	rw
	/dev/tty	rw
	/dev/pts	rw
	/dev/ptmx	rw
	/dev/dsp	rw
	/dev/mixer	rw
	/dev/initctl	rw
	/dev/fd0	r
	/dev/cdrom	r
	/usr		rx
# compilation of kernel code should be done within the admin role	
	/usr/src	h
	/etc		rx
	/proc		rwx
	/proc/sys	r
	/sys		h
	/root		r
	/run		r
	/tmp		rwcd
	/var		rwxcd
	/var/tmp	rwcd
	/var/log	r
# hide the kernel images and modules
	$grsec_denied

# if sshd needs to be restarted, it can be done through the admin role
# restarting sshd should be followed immediately by a gradm -u
	/usr/sbin/sshd

	/home/*/.gem/ruby/2.0.0/bin		rx
	/home/*/.rbenv/shims			rx
	/home/*/.rbenv/versions*/bin	rx
	/home/*/.cabal/bin				rx
	/home/*/dev/env					rx

	-CAP_KILL
	-CAP_SYS_TTY_CONFIG
	-CAP_LINUX_IMMUTABLE
	-CAP_NET_RAW
	-CAP_MKNOD
	-CAP_SYS_ADMIN
	-CAP_SYS_RAWIO
	-CAP_SYS_MODULE
	-CAP_SYS_PTRACE
	-CAP_NET_ADMIN
	-CAP_NET_BIND_SERVICE
	-CAP_NET_RAW
	-CAP_SYS_CHROOT
	-CAP_SYS_BOOT
	-CAP_SETFCAP
	-CAP_SYSLOG

#	RES_AS 100M 100M

#	connect 192.168.1.0/24:22 stream tcp
#	bind	0.0.0.0 stream dgram tcp udp

# the d flag protects /proc fd and mem entries for sshd
# all daemons should have 'p' in their subject mode to prevent
# an attacker from killing the service (and restarting it with trojaned
# config file or taking the port it reserved to run a trojaned service)

subject /usr/sbin/sshd dpo
	/
	/*		h
	/bin/bash	x
	/dev		h
	/dev/log	rw
	/dev/random	r
	/dev/urandom	r
	/dev/null	rw
	/dev/ptmx	rw
	/dev/pts	rw
	/dev/tty	rw
	/dev/tty?	rw
	/etc		r
	/etc/grsec	h
	/home
	/home/*/.ssh/authorized_keys r
	/root
	/proc		r
	/proc/*/oom_adj rw
	/proc/kcore	h
	/proc/sys	h
	/proc/sys/kernel/ngroups_max r
	/selinux	r
	/usr/lib	rx
	/usr/share/zoneinfo r
	/var/log
	/var/mail
	/var/log/lastlog	rw
	/var/log/wtmp		w
	/var/run
	/run
	/var/run/sshd
	/var/run/utmp		rw
	/var/run/utmpx		rw
	/var/run/.nscd_socket	rw

	-CAP_ALL
	+CAP_CHOWN
	+CAP_SETGID
	+CAP_SETUID
	+CAP_SYS_CHROOT
	+CAP_SYS_RESOURCE
	+CAP_SYS_TTY_CONFIG
	+CAP_AUDIT_WRITE
	# to access user keys
	+CAP_DAC_OVERRIDE

subject /usr/bin/Xorg
	/dev/mem	rw

	+CAP_SYS_ADMIN
	+CAP_SYS_TTY_CONFIG
	+CAP_SYS_RAWIO

subject /usr/bin/ssh
	/etc/ssh/ssh_config r

subject /usr/bin/postgres
	/dev/log rw

subject /usr/bin/exim
	/dev/log rw

subject /usr/sbin/syslog-ng
	+CAP_SYS_ADMIN

subject /usr/sbin/rsyslogd
	+CAP_SYS_ADMIN

subject /usr/sbin/cron
	/dev/log rw

subject /usr/sbin/crond
	/dev/log rw

subject /bin/login
	/dev/log rw
	/var/log/wtmp w
	/var/log/faillog rwcd

subject /bin/su
	/dev/log rw

subject /usr/bin/sudo
	/dev/log rw

subject /sbin/agetty
	/var/log/wtmp w

subject /sbin/init
	/var/log/wtmp w

subject /usr/bin/xauth
	/home r
	/home/*/.Xauthority-* rwcdl

# prevent ld.so breakouts of subjects with /lib rx

# many distros clutter up /lib with shell scripts
# that can be easily hijacked for malicious purposes
subject /usr/lib o
	/ h
	-CAP_ALL
	connect disabled
	bind disabled

subject /usr/lib32 o
	/ h
	-CAP_ALL
	connect disabled
	bind disabled

subject /usr/lib/ld-linux.so.2 o
	/ h
	-CAP_ALL
	connect disabled
	bind disabled

subject /usr/lib/ld-linux-x86-64.so.2 o
	/ h
	-CAP_ALL
	connect disabled
	bind disabled