Enable regular file and FIFO protection

These sysctls were added in Linux 4.19 (torvalds/linux@30aba6656f), and
we should enable them just like we enable the older hardlink/symlink
protection since v199. Implements #11414.

diff --git a/NEWS b/NEWS
index ee926a120337c6e7a152f1845bff88b1fdda6f20..c64ef5871b46bc755b4ed13dd2c456f8698d23cd 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -29,6 +29,19 @@ CHANGES WITH 241 in spe:
           -Db_pie=true option to meson to build position-independent
           executables. Note that the meson option is supported since meson-0.49.
 
+        * The fs.protected_regular and fs.protected_fifos sysctls, which were
+          added in Linux 4.19 to make some data spoofing attacks harder, are
+          now enabled by default. While this will hopefully improve the
+          security of most installations, it is technically a backwards
+          incompatible change; to disable these sysctls again, place the
+          following lines in /etc/sysctl.d/60-protected.conf or a similar file:
+
+              fs.protected_regular = 0
+              fs.protected_fifos = 0
+
+          Note that the similar hardlink and symlink protection has been
+          enabled since v199, and may be disabled likewise.
+
 CHANGES WITH 240:
 
         * NoNewPrivileges=yes has been set for all long-running services

diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf
index b0645f33e7fea5d871af3c39339eabbb231d44be..27084f62424bf2cf3407c7a1a6bcc6bed2aa15b9 100644 (file)
--- a/sysctl.d/50-default.conf
+++ b/sysctl.d/50-default.conf
@@ -36,3 +36,7 @@ net.core.default_qdisc = fq_codel
 # Enable hard and soft link protection
 fs.protected_hardlinks = 1
 fs.protected_symlinks = 1
+
+# Enable regular file and FIFO protection
+fs.protected_regular = 1
+fs.protected_fifos = 1