Restrict Applications with grsecurity
Use Linux capabilities and grsecurity’s ACLs to restrict applications on your system.
Now that you have installed
the grsecurity patches, you’ll
probably want to make use of its flexible ACL system to further
restrict the privileged applications on your system, beyond what
grsecurity’s kernel security
features provide. If you’re just joining us and are
not familiar with grsecurity, read
[Hack #13]
first.
To restrict specific applications, you will need to make use of the
gradm
utility, which can be downloaded
from the main grsecurity site (http://www.grsecurity.net). You can compile
and install it in the usual way: unpack the source distribution,
change into the directory that it creates, and then run make && make install. This will install
gradm in /sbin, create the
/etc/grsec directory containing a default ACL,
and install the manpage.
After gradm has been installed, the first thing
you’ll want to do is create a password that
gradm will use to authenticate itself to the
kernel. You can do this by running gradm with the
-P option:
# gradm -P
Setting up grsecurity ACL password
Password:
Re-enter Password:
Password written to /etc/grsec/pw.To enable grsecurity’s
ACL
system, use this command:
# /sbin/gradm -EOnce you’re finished setting up your ACLs,
you’ll probably want to add that command to the end
of your system startup. You can do this by adding it to the end of
/etc/rc.local or a similar script that is designated for customizing your system ...