From b7b65e736e42be7e7988c4c3efe67ca0f2a05057 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Peter=20M=C3=BCller?= Date: Mon, 5 Oct 2020 14:12:18 +0000 Subject: [PATCH] sysctl.conf: prevent unintentional writes into attacker-controlled files and FIFOs MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Similar to hard- and symlink protection introduced a while ago, this patch enables protections against unintentional writes into attacker-controlled regular files or FIFOs, where a program expected to create new ones. This makes exploiting TOCTOU flaws harder. See also: https://www.kernel.org/doc/Documentation/sysctl/fs.txt Signed-off-by: Peter Müller Signed-off-by: Michael Tremer --- config/etc/sysctl.conf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index d48c7734e2..be7c07c857 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -49,6 +49,11 @@ kernel.dmesg_restrict = 1 fs.protected_symlinks = 1 fs.protected_hardlinks = 1 +# Don't allow writes to files and FIFOs that we don't own in world writable sticky +# directories, unless they are owned by the owner of the directory. +fs.protected_fifos = 2 +fs.protected_regular = 2 + # Minimal preemption granularity for CPU-bound tasks: # (default: 1 msec# (1 + ilog(ncpus)), units: nanoseconds) kernel.sched_min_granularity_ns = 10000000 -- 2.39.5