Enable regular file and FIFO protection

These sysctls were added in Linux 4.19 (torvalds/linux@30aba6656f), and we should enable them just like we enable the older hardlink/symlink protection since v199. Implements #11414.
2019-01-16 00:16:10 +01:00 · 2019-01-16 00:16:10 +01:00 · 2732587540
parent 850115b3a1
commit 2732587540
2 changed files with 17 additions and 0 deletions
--- a/13
+++ b/13
@ -29,6 +29,19 @@ CHANGES WITH 241 in spe:
          -Db_pie=true option to meson to build position-independent
          executables. Note that the meson option is supported since meson-0.49.

+        * The fs.protected_regular and fs.protected_fifos sysctls, which were
+          added in Linux 4.19 to make some data spoofing attacks harder, are
+          now enabled by default. While this will hopefully improve the
+          security of most installations, it is technically a backwards
+          incompatible change; to disable these sysctls again, place the
+          following lines in /etc/sysctl.d/60-protected.conf or a similar file:
+
+              fs.protected_regular = 0
+              fs.protected_fifos = 0
+
+          Note that the similar hardlink and symlink protection has been
+          enabled since v199, and may be disabled likewise.
+
 CHANGES WITH 240:

        * NoNewPrivileges=yes has been set for all long-running services
--- a/sysctl.d/50-default.conf
+++ b/sysctl.d/50-default.conf
@ -36,3 +36,7 @@ net.core.default_qdisc = fq_codel
 # Enable hard and soft link protection
 fs.protected_hardlinks = 1
 fs.protected_symlinks = 1
+
+# Enable regular file and FIFO protection
+fs.protected_regular = 1
+fs.protected_fifos = 1