Enable regular file and FIFO protection

These sysctls were added in Linux 4.19 (torvalds/linux@30aba6656f), and we should enable them just like we enable the older hardlink/symlink protection since v199. Implements #11414.
systemd · Jan 16, 2019 · 2732587 · 2732587
1 parent 850115b
commit 2732587
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 0 deletions.
diff --git a/NEWS b/NEWS
@@ -29,6 +29,19 @@ CHANGES WITH 241 in spe:
           -Db_pie=true option to meson to build position-independent
           executables. Note that the meson option is supported since meson-0.49.
 
+        * The fs.protected_regular and fs.protected_fifos sysctls, which were
+          added in Linux 4.19 to make some data spoofing attacks harder, are
+          now enabled by default. While this will hopefully improve the
+          security of most installations, it is technically a backwards
+          incompatible change; to disable these sysctls again, place the
+          following lines in /etc/sysctl.d/60-protected.conf or a similar file:
+
+              fs.protected_regular = 0
+              fs.protected_fifos = 0
+
+          Note that the similar hardlink and symlink protection has been
+          enabled since v199, and may be disabled likewise.
+
 CHANGES WITH 240:
 
         * NoNewPrivileges=yes has been set for all long-running services

diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf
@@ -36,3 +36,7 @@ net.core.default_qdisc = fq_codel
 # Enable hard and soft link protection
 fs.protected_hardlinks = 1
 fs.protected_symlinks = 1
+
+# Enable regular file and FIFO protection
+fs.protected_regular = 1
+fs.protected_fifos = 1