From: Lucas Werkmeister Date: Tue, 15 Jan 2019 23:16:10 +0000 (+0100) Subject: Enable regular file and FIFO protection X-Git-Tag: v241-rc1~64 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2732587540035227fe59e4b64b60127352611b35;p=thirdparty%2Fsystemd.git Enable regular file and FIFO protection These sysctls were added in Linux 4.19 (torvalds/linux@30aba6656f), and we should enable them just like we enable the older hardlink/symlink protection since v199. Implements #11414. --- diff --git a/NEWS b/NEWS index ee926a12033..c64ef5871b4 100644 --- a/NEWS +++ b/NEWS @@ -29,6 +29,19 @@ CHANGES WITH 241 in spe: -Db_pie=true option to meson to build position-independent executables. Note that the meson option is supported since meson-0.49. + * The fs.protected_regular and fs.protected_fifos sysctls, which were + added in Linux 4.19 to make some data spoofing attacks harder, are + now enabled by default. While this will hopefully improve the + security of most installations, it is technically a backwards + incompatible change; to disable these sysctls again, place the + following lines in /etc/sysctl.d/60-protected.conf or a similar file: + + fs.protected_regular = 0 + fs.protected_fifos = 0 + + Note that the similar hardlink and symlink protection has been + enabled since v199, and may be disabled likewise. + CHANGES WITH 240: * NoNewPrivileges=yes has been set for all long-running services diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf index b0645f33e7f..27084f62424 100644 --- a/sysctl.d/50-default.conf +++ b/sysctl.d/50-default.conf @@ -36,3 +36,7 @@ net.core.default_qdisc = fq_codel # Enable hard and soft link protection fs.protected_hardlinks = 1 fs.protected_symlinks = 1 + +# Enable regular file and FIFO protection +fs.protected_regular = 1 +fs.protected_fifos = 1
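Review bot: the NEWS hunk tells administrators how to turn fs.protected_regular and fs.protected_fifos off again but never says what the two sysctls actually restrict, so a reader cannot judge whether their installation is affected before deciding; the only description is "make some data spoofing attacks harder". The kernel's own sysctl documentation (Documentation/sysctl/fs.txt for the 4.19 change the commit message cites) defines them as refusing O_CREAT opens of an existing regular file (protected_regular) or FIFO (protected_fifos) that the caller does not own in a world-writable sticky directory owned by someone else, unless the file is owned by the directory owner. One sentence along those lines, placed before "While this will hopefully improve the security of most installations", would let admins identify the workloads that share files or FIFOs in /tmp across users and are therefore candidates for the 60-protected.conf override the entry describes.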
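Review bot: the sysctl.d/50-default.conf hunk adds the two keys unconditionally, but the commit message says they only exist on Linux 4.19 and later, so on an older kernel there is no /proc/sys/fs/protected_regular or /proc/sys/fs/protected_fifos to write to and systemd-sysctl will fail to apply these two lines at boot. Please either confirm in the commit message that systemd-sysctl tolerates a missing key for this file without logging it as an error, or extend the comment so the version requirement is visible in the shipped file, for example "# Enable regular file and FIFO protection (Linux 4.19+)". A short note on what the value 1 covers (world-writable sticky directories only) would also help, since the existing hardlink/symlink comment above it gives no hint that these keys take levels rather than a plain on/off.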