64efd184ed
Previously we were setting GRKERNSEC_PROC_USER y, which was a little bit too strict. It doesn't allow a special group (e.g. the grsecurity group users) to access /proc information - this requires GRKERNSEC_PROC_USERGROUP y, and the two are mutually exclusive. This was also not in line with the default automatic grsecurity configuration - it actually defaults to USERGROUP (although it has a default GID of 1001 instead of ours), not USER. This introduces a new option restrictProcWithGroup - enabled by default - which turns on GRKERNSEC_PROC_USERGROUP instead. It also turns off restrictProc by default and makes sure both cannot be enabled. Signed-off-by: Austin Seipp <aseipp@pobox.com> |
||
|---|---|---|
| .. | ||
| apparmor-suid.nix | ||
| apparmor.nix | ||
| ca.nix | ||
| duosec.nix | ||
| grsecurity.nix | ||
| pam.nix | ||
| pam_usb.nix | ||
| polkit.nix | ||
| prey.nix | ||
| rngd.nix | ||
| rtkit.nix | ||
| setuid-wrapper.c | ||
| setuid-wrappers.nix | ||
| sudo.nix | ||