From: Peter Müller <peter.mueller@ipfire.org>
Date: Tue, 5 May 2020 20:19:36 +0000 (+0200)
Subject: sysctl.conf: Turn on hard- and symlink protection
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5d673af27fc2105b72af6bef16a68de333aa0fa7;p=ipfire-3.x.git

sysctl.conf: Turn on hard- and symlink protection

This backports 29a8992b7228771fb2cfc68679596598fb01105a into IPFire 3.x

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---

diff --git a/setup/setup.nm b/setup/setup.nm
index 09d94e23d..cc8454bfa 100644
--- a/setup/setup.nm
+++ b/setup/setup.nm
@@ -5,7 +5,7 @@
 
 name       = setup
 version    = 3.0
-release    = 14
+release    = 15
 arch       = noarch
 
 groups     = Base Build System/Base
diff --git a/setup/sysctl/kernel-hardening.conf b/setup/sysctl/kernel-hardening.conf
index 33e096c7c..d92485d61 100644
--- a/setup/sysctl/kernel-hardening.conf
+++ b/setup/sysctl/kernel-hardening.conf
@@ -7,3 +7,7 @@ kernel.dmesg_restrict = 1
 # Improve KASLR effectiveness for mmap.
 vm.mmap_rnd_bits = 32
 vm.mmap_rnd_compat_bits = 16
+
+# Turn on hard- and symlink protection
+fs.protected_symlinks = 1
+fs.protected_hardlinks = 1