From: Peter Müller <peter.mueller@ipfire.org>
Date: Thu, 23 Jan 2020 21:28:00 +0000 (+0000)
Subject: sysctl.conf: Turn on hard- and symlink protection
X-Git-Tag: v2.25-core143~42
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=29a8992b7228771fb2cfc68679596598fb01105a;p=ipfire-2.x.git

sysctl.conf: Turn on hard- and symlink protection

Cc: Michael Tremer <michael.tremer@ipfire.org>
Cc: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
---

diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index d11e53c88d..7e7ebee44c 100644
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -45,6 +45,10 @@ kernel.kptr_restrict = 2
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 
+# Turn on hard- and symlink protection
+fs.protected_symlinks = 1
+fs.protected_hardlinks = 1
+
 # Minimal preemption granularity for CPU-bound tasks:
 # (default: 1 msec#  (1 + ilog(ncpus)), units: nanoseconds)
 kernel.sched_min_granularity_ns = 10000000