# grsecurity / PaX runtime toggles.
#
# This file is plain shell: it is sourced by the init script that applies
# the grsecurity sysctls at boot (confirm the script name on your system).
# Keep values as simple quoted strings; no commands belong in here.
#
# Every *_EXEMPT list below is a space-separated list of absolute paths.
# Each entry switches one PaX memory-protection mitigation OFF for that
# binary, so keep these lists to programs that demonstrably break under
# the protection. The XFree86 / wine defaults are historical examples,
# not a recommendation.

# Binaries that run without PAGE_EXEC (non-executable pages) enforcement.
PAGE_EXEC_EXEMPT='/usr/X11R6/bin/XFree86 /usr/lib/wine/bin/wine'

# Binaries that run without trampoline emulation.
TRAMPOLINE_EXEMPT=''

# Binaries whose mprotect() calls are left unrestricted.
MPROTECT_EXEMPT=''

# Binaries whose mmap() base is not randomized.
MMAP_EXEMPT=''

# Binaries exempt from segmentation-based non-executable pages.
# By default this mirrors PAGE_EXEC_EXEMPT.
SEGMENTATION_EXEMPT="$PAGE_EXEC_EXEMPT"

#
# The authoritative list of toggles is whatever the running kernel exposes
# under kernel.grsecurity.*; the names below are only a sample and may not
# all exist on your kernel. List them with:
#   sysctl -a | grep kernel.grsecurity. | cut -d '.' -f 3 | awk '{print $1}'
#
# Names seen on some kernels:
#
# allow_ptrace_group
# alt_ipc_perms
# altered_pings
# audit_chdir
# audit_gid
# audit_group
# audit_ipc
# audit_mount
# audit_ptrace
# chroot_caps
# chroot_deny_chdir
# chroot_deny_chmod
# chroot_deny_chroot
# chroot_deny_fchdir
# chroot_deny_mknod
# chroot_deny_mount
# chroot_deny_pivot
# chroot_deny_ptrace
# chroot_deny_shmat
# chroot_deny_sysctl
# chroot_deny_unix
# chroot_enforce_chdir
# chroot_execlog
# chroot_findtask
# chroot_restrict_nice
# chroot_restrict_sigs
# coredump
# deny_phys_root
# deny_pseudo_root
# deny_serial_root
# dmesg
# exec_logging
# execve_limiting
# fifo_restrictions
# fork_bomb_prot
# forkfail_logging
# grsec_lock
# linking_restrictions
# rand_ip_ids
# rand_isns
# rand_pids
# rand_rpc
# rand_tcp_src_ports
# rand_ttl
# restrict_ptrace
# secure_fds
# secure_kbmap
# signal_logging
# socket_all
# socket_client
# socket_server
# suid_logging
# suid_root_logging
# timechange_logging
# tpe
# tpe_glibc
# tpe_restrict_all

# Toggles to switch on at boot, by the names above. Empty means none are
# enabled and the kernel's compiled-in defaults stay in effect. Presumably
# a space-separated list like the *_EXEMPT variables; confirm the exact
# format against the init script before relying on it.
ENABLED=''

# The gid values below are only consulted when the matching toggle is
# listed in ENABLED. Each gid must exist in /etc/group; which group a
# number maps to is purely a local decision (gid 10 is commonly "wheel",
# but check /etc/group rather than assuming).

# Group allowed to ptrace (allow_ptrace_group). Membership effectively
# grants the ability to inspect and control other users' processes, so
# keep this group small.
ptrace_gid='10'

# Group subject to trusted path execution (tpe).
tpe_gid='1005'

# Group subject to fork-bomb protection (fork_bomb_prot).
# fork_bomb_sec / fork_bomb_max are the rate window and limit; the exact
# units are defined by the kernel, presumably seconds and number of forks
# per window. Verify against your kernel's sysctl documentation.
fork_bomb_gid='1006'
fork_bomb_sec='40'
fork_bomb_max='20'

# Groups subject to the socket restrictions (socket_all, socket_client,
# socket_server). Members of the socket_all group lose all socket access,
# the others lose client- or server-side use respectively.
socket_all_gid='1004'
socket_client_gid='1003'
socket_server_gid='1002'

# Lock the settings above once applied (1 = lock, 0 = leave changeable).
# Locking is meant to stop the toggles being altered again after boot,
# which also means a configuration mistake needs a reboot to undo. With
# LOCK=0 a root-level process can turn the protections back off at
# runtime, so choose according to your threat model.
LOCK='0'