Message ID | 9cccdcf4-463e-306b-a535-3a8e9a88f46e@ipfire.org |
---|---|
State | Accepted |
Commit | 29a8992b7228771fb2cfc68679596598fb01105a |
Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 483b3r3N2Nz3xYC for <patchwork@web04.haj.ipfire.org>; Thu, 23 Jan 2020 21:28:24 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 483b3p2Hqcz6Py; Thu, 23 Jan 2020 21:28:22 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909ed25519; t=1579814903; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=qVMCHTsv/VyBKRURkQlX6yFYG2wxS6XRUNQZx8Ik2fI=; b=njC1gPLBnH/t33RVCDIDDVbStlZH0ShanNeynHebtHhMinxTgzSdTD9IJSYwtKH5GaekT4 rJ/pkUarUC6vy+Bg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909rsa; t=1579814903; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=qVMCHTsv/VyBKRURkQlX6yFYG2wxS6XRUNQZx8Ik2fI=; b=TFTdt9rXng0qE/+yHnn1x0MhrsD/fP0wguGOGSQ+28axWnSs9llrA9vczdK9EzakzL9NgL 1I29PTI1sDA4Q2P7EdftatpUF/qcJ/NfovUExgiyTC9eWVbekVRAdElgzW8pw3AXdd2DIr qiU7Vxr3FdJZloCW/qcrGq7NEKB2euTakfWmp/W/0YdTirMBzlYU4fG1GM1fc02e0YiVFY 52x6MxAGFeYmqmlv3ndmlknEY7HBvWD34c63RBeXAdVfr7mxcz/tJAaDm6AobNyw3s+g8j q9JK6axoGXekyvXSBAQyK4879C392gg1exChXThasAms+6PBH/t3531RBQXi9Q== Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 483b3n66xQz2yHm; Thu, 23 Jan 2020 21:28:21 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 483b3m2Lghz2xnF for <development@lists.ipfire.org>; Thu, 23 Jan 2020 21:28:20 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 483b3l59nxz2L4 for <development@lists.ipfire.org>; Thu, 23 Jan 2020 21:28:19 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909ed25519; t=1579814900; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=qVMCHTsv/VyBKRURkQlX6yFYG2wxS6XRUNQZx8Ik2fI=; b=0kha5B+r1qS9Bjy+SaH+L1qQF7HtZa2GqxW/Z1heunI6zfphej/WdtCLeaRxNHiREpqn03 1xchv/q+rUw2DFAA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909rsa; t=1579814900; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=qVMCHTsv/VyBKRURkQlX6yFYG2wxS6XRUNQZx8Ik2fI=; b=FUPBo3vwuzWGB3Cro65XOhv6hBhVJ5BErtCkQvSGdz/1m4rZCZRSbfrnnD3InZrpcVMUSN XjLj9x9PQLUVmKJz0WGin48qGVYmbVkeflnYA8Y/corJagTJiRYdjWiy16pieBE4PXPEzK RRd0R5z4YyjCKZ4fjKQlY/NSldMmsZRao5+1AGGhdwCyPSkYab+tpiAAr2m5o0PS7XpPV/ hXNIm+QOenceQhxe0xLJ50xhjApkhf6fA/5xTqX82QPHpkZT5JoLMQf3S543EBmnc4bZhx TrpqUmMlfEB6Sq92Jn5hjFtEbec+eKqDhWXpKAns/DebvJw0MNpEwE63Mh8/Tw== To: "IPFire: Development-List" <development@lists.ipfire.org> From: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@ipfire.org> Subject: [PATCH] sysctl.conf: Turn on hard- and symlink protection Message-ID: <9cccdcf4-463e-306b-a535-3a8e9a88f46e@ipfire.org> Date: Thu, 23 Jan 2020 21:28:00 +0000 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Authentication-Results: mail01.ipfire.org; auth=pass smtp.auth=pmueller smtp.mailfrom=peter.mueller@ipfire.org X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <http://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
Series |
sysctl.conf: Turn on hard- and symlink protection
|
|
Commit Message
Peter Müller
Jan. 23, 2020, 9:28 p.m. UTC
Cc: Michael Tremer <michael.tremer@ipfire.org>
Cc: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
config/etc/sysctl.conf | 4 ++++
1 file changed, 4 insertions(+)
Comments
Acked-by: Michael Tremer <michael.tremer@ipfire.org> > On 23 Jan 2020, at 21:28, Peter Müller <peter.mueller@ipfire.org> wrote: > > Cc: Michael Tremer <michael.tremer@ipfire.org> > Cc: Arne Fitzenreiter <arne_f@ipfire.org> > Signed-off-by: Peter Müller <peter.mueller@ipfire.org> > --- > config/etc/sysctl.conf | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf > index d11e53c88..7e7ebee44 100644 > --- a/config/etc/sysctl.conf > +++ b/config/etc/sysctl.conf > @@ -45,6 +45,10 @@ kernel.kptr_restrict = 2 > # Avoid kernel memory address exposures via dmesg. > kernel.dmesg_restrict = 1 > > +# Turn on hard- and symlink protection > +fs.protected_symlinks = 1 > +fs.protected_hardlinks = 1 > + > # Minimal preemption granularity for CPU-bound tasks: > # (default: 1 msec# (1 + ilog(ncpus)), units: nanoseconds) > kernel.sched_min_granularity_ns = 10000000 > -- > 2.16.4
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index d11e53c88..7e7ebee44 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -45,6 +45,10 @@ kernel.kptr_restrict = 2 # Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict = 1 +# Turn on hard- and symlink protection +fs.protected_symlinks = 1 +fs.protected_hardlinks = 1 + # Minimal preemption granularity for CPU-bound tasks: # (default: 1 msec# (1 + ilog(ncpus)), units: nanoseconds) kernel.sched_min_granularity_ns = 10000000