From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] sysctl.conf: Turn on hard- and symlink protection
Date: Thu, 23 Jan 2020 22:27:33 +0000
Message-ID: <DDC6E406-2418-4D4E-9EE9-79C19262D150@ipfire.org>
In-Reply-To: <9cccdcf4-463e-306b-a535-3a8e9a88f46e@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8068284508198037881=="
List-Id: <development.lists.ipfire.org>

--===============8068284508198037881==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Acked-by: Michael Tremer <michael.tremer(a)ipfire.org>

> On 23 Jan 2020, at 21:28, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Cc: Michael Tremer <michael.tremer(a)ipfire.org>
> Cc: Arne Fitzenreiter <arne_f(a)ipfire.org>
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> config/etc/sysctl.conf | 4 ++++
> 1 file changed, 4 insertions(+)
> 
> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
> index d11e53c88..7e7ebee44 100644
> --- a/config/etc/sysctl.conf
> +++ b/config/etc/sysctl.conf
> @@ -45,6 +45,10 @@ kernel.kptr_restrict = 2
> # Avoid kernel memory address exposures via dmesg.
> kernel.dmesg_restrict = 1
> 
> +# Turn on hard- and symlink protection
> +fs.protected_symlinks = 1
> +fs.protected_hardlinks = 1
> +
> # Minimal preemption granularity for CPU-bound tasks:
> # (default: 1 msec#  (1 + ilog(ncpus)), units: nanoseconds)
> kernel.sched_min_granularity_ns = 10000000
> -- 
> 2.16.4


--===============8068284508198037881==--