# Copyright 1999-2003 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License v2
# $Header: $

# Sample default process ACL (RBAC policy) for grsecurity.
#
# Layout: a policy is a list of roles; each role holds one or more
# subjects (processes, matched by path); each subject lists the objects
# (files, devices) it may touch together with an access mode, and may
# drop capabilities, set resource limits and constrain sockets.  The RBAC
# layer is applied in addition to the normal DAC permission checks.

# Role flags:
#   A -> This role is a "god" role, so it has special privileges that
#        normal roles do not have.  In particular, this role bypasses the
#        additional ptrace restrictions.
#   N -> Don't require authentication for this role.  To access the role,
#        use gradm -n.
#   s -> This role is a special role, meaning it does not belong to a
#        user or group, and does not fall under ACL enforcement.
#   u -> This role is a user role.
#   g -> This role is a group role.
#   G -> This role can use gradm to authenticate to the kernel.  An ACL
#        for gradm will automatically be added to the role.
#
# A role can only be one of user, group, or special.
#
# role_allow_ip IP/optional netmask
#   eg: role_allow_ip 192.168.1.0/24
# You can have as many of these per role as you want.  They restrict the
# use of a role to a list of IPs.  If a user who would normally get the
# role is on the system from an address that is not in those lists of
# IPs, the system falls back through its method of determining a role
# for the user.
#
# Role hierarchy
#   user -> group -> default
# First a user role attempts to match; if one is not found, a group role
# attempts to match; if one is not found, the default role is used.
#
# role_transitions ...
#   eg: role_transitions www_admin dns_admin
#
# Role transitions specify which special roles a given role is allowed
# to authenticate to.  This applies to special roles that do not require
# password authentication as well.  If a user tries to authenticate to a
# role that is not within his transition table, he will receive a
# permission denied error.
#
# Nested subjects
#   subject /bin/su:/bin/bash:/bin/cat
#       / rwx
#       +CAP_ALL
# grant privilege to specific processes if they are executed within a
# trusted path.  In this case, privilege is granted if /bin/cat is
# executed from /bin/bash, which is executed from /bin/su.
#
# Configuration inheritance on nested subjects
# Nested subjects inherit rules from their parents.  In the example
# above, the nested subject would inherit rules from the nested subject
# for /bin/su:/bin/bash, and from the subject /bin/su.
# View the 1.9.x documentation for more information on configuration
# inheritance.

# The admin role: special ("s") and god ("A").  It has no "N" flag, so
# reaching it requires authenticating with gradm; the default role below
# is permitted to do so through its transition table.
role admin sA
subject /
        # Unrestricted access to the whole filesystem.  The "i" (inherit)
        # mode is not described in this file's header; see the gradm docs.
        / rwxi

# The default role: applies to every process that matches no user or
# group role.  "G" lets processes in this role run gradm, and the
# transition table allows them to authenticate to admin.
role default G
role_transitions admin
subject /
        # Anything not listed more specifically below is read-only.
        / r
        # Trees where code may be executed.  Note that /home and /var are
        # both writable and executable for this subject, so a file written
        # there can also be run from there; /tmp and /var/tmp have no "x".
        /opt rx
        /home rwx
        /mnt rw
        # /dev carries no mode: only the device nodes listed below are
        # reachable (confirm against the gradm documentation).
        /dev
        /dev/urandom r
        /dev/random r
        /dev/zero rw
        /dev/input rw
        /dev/psaux rw
        /dev/null rw
        /dev/tty0 rw
        /dev/tty1 rw
        /dev/tty2 rw
        /dev/tty3 rw
        /dev/tty4 rw
        /dev/tty5 rw
        /dev/tty6 rw
        /dev/tty7 rw
        /dev/tty8 rw
        /dev/console rw
        /dev/tty rw
        /dev/pts rw
        /dev/ptmx rw
        /dev/vc rw
        /dev/dsp rw
        /dev/mixer rw
        /dev/initctl rw
        /dev/fd0 r
        /dev/cdrom r
        # Raw memory and I/O-port interfaces are hidden ("h").
        /dev/mem h
        /dev/kmem h
        /dev/port h
        # System binaries, libraries and configuration: read/execute only.
        # /etc is granted "x" as well as "r" here; review whether that is
        # needed for this role.
        /bin rx
        /sbin rx
        /lib rx
        /usr rx
        /etc rx
        # /proc is read/write/execute except the kernel core image, which is
        # hidden; sysctl entries under /proc/sys are read-only.
        /proc rwx
        /proc/kcore h
        /proc/sys r
        # /root is readable by every process in the default role (DAC
        # permissions still apply on top of this rule).
        /root r
        /tmp rw
        /var rwx
        /var/tmp rw
        /var/log r
        /boot r
        # The RBAC policy directory, the grsec device node and the mount
        # table are hidden from this role.
        /etc/grsec2 h
        /dev/grsec h
        /proc/mounts h
        # NOTE(review): as this file is written, the capability drops below
        # sit behind a "#" and are therefore not applied, so the default
        # subject keeps all capabilities.  If they are meant to be active,
        # each "-CAP_*" entry needs its own uncommented line.
        # -CAP_ALL -CAP_SYS_PTRACE -CAP_LINUX_IMMUTABLE -CAP_NET_RAW -CAP_MKNOD -CAP_SYS_RAWIO -CAP_SYS_MODULE
        # Disabled examples: an address-space resource limit (soft and hard
        # value) and outbound/inbound socket rules.
        # RES_AS 100M 100M
        # connect 0.0.0.0/24:22 stream tcp
        # bind 0.0.0.0 stream dgram tcp udp