Enable regular file and FIFO protection
These sysctls were added in Linux 4.19 (torvalds/linux@30aba6656f), and we should enable them just like we enable the older hardlink/symlink protection since v199. Implements #11414.
parent 850115b3a1
commit 2732587540
13 NEWS
@ -29,6 +29,19 @@ CHANGES WITH 241 in spe:
|
||||||
-Db_pie=true option to meson to build position-independent
|
-Db_pie=true option to meson to build position-independent
|
||||||
executables. Note that the meson option is supported since meson-0.49.
|
executables. Note that the meson option is supported since meson-0.49.
|
||||||
|
|
||||||
|
* The fs.protected_regular and fs.protected_fifos sysctls, which were
|
||||||
|
added in Linux 4.19 to make some data spoofing attacks harder, are
|
||||||
|
now enabled by default. While this will hopefully improve the
|
||||||
|
security of most installations, it is technically a backwards
|
||||||
|
incompatible change; to disable these sysctls again, place the
|
||||||
|
following lines in /etc/sysctl.d/60-protected.conf or a similar file:
|
||||||
|
|
||||||
|
fs.protected_regular = 0
|
||||||
|
fs.protected_fifos = 0
|
||||||
|
|
||||||
|
Note that the similar hardlink and symlink protection has been
|
||||||
|
enabled since v199, and may be disabled likewise.
|
||||||
|
|
||||||
CHANGES WITH 240:
|
CHANGES WITH 240:
|
||||||
|
|
||||||
* NoNewPrivileges=yes has been set for all long-running services
|
* NoNewPrivileges=yes has been set for all long-running services
|
||||||
|
|
|
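Review bot: "make some data spoofing attacks harder" is vaguer than this NEWS entry needs to be, and since it is the only user-facing description of the change it should say what the knobs actually restrict: with fs.protected_regular=1 and fs.protected_fifos=1 the kernel refuses an O_CREAT open of an existing regular file or FIFO in a world-writable sticky directory (such as /tmp) unless the file is owned by the caller or by the directory owner, which is what defeats the pre-created-file tricks this is aimed at. Two smaller points in the same paragraph: the override recipe names /etc/sysctl.d/60-protected.conf but does not say why the "60-" prefix matters (it has to sort after the file that sets the keys to 1, because later files override earlier ones), and since the keys only exist from Linux 4.19 the entry could say what administrators on older kernels should expect when the new defaults cannot be applied.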
@ -36,3 +36,7 @@ net.core.default_qdisc = fq_codel
|
||||||
# Enable hard and soft link protection
|
# Enable hard and soft link protection
|
||||||
fs.protected_hardlinks = 1
|
fs.protected_hardlinks = 1
|
||||||
fs.protected_symlinks = 1
|
fs.protected_symlinks = 1
|
||||||
|
|
||||||
|
# Enable regular file and FIFO protection
|
||||||
|
fs.protected_regular = 1
|
||||||
|
fs.protected_fifos = 1
|
||||||
|
|
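Review bot: the new comment mirrors the hardlink/symlink block above, which is fine, but it should record which protection level is being chosen: both keys accept 0, 1 and 2, where 1 covers world-writable sticky directories only and 2 additionally covers group-writable sticky directories, so a reader of this file cannot tell from "= 1" whether 2 was considered and rejected. Suggest extending the comment, e.g. `# Enable regular file and FIFO protection (level 1: world-writable sticky directories only)`, and keeping the NEWS text in this commit consistent with the chosen level.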