authorBertrand Jacquin <bertrand@jacquin.bzh>2019-09-16 23:42:01 +0100
committerBertrand Jacquin <bertrand@jacquin.bzh>2019-09-16 23:42:01 +0100
commita42f8b83595f536bdc55fdd6766aec0c76a57ea1 (patch)
tree1603eae786d62ba566b837089971d38f30c52452 /factory-default
parentfactory-default/sys-apps/baselayout: enable kernel.kptr_restrict sysctl (diff)
downloadportage-a42f8b83595f536bdc55fdd6766aec0c76a57ea1.tar.xz
factory-default/sys-apps/baselayout: enable fs.protected_* sysctl
Diffstat (limited to 'factory-default')
-rw-r--r--factory-default/sys-apps/baselayout/etc/sysctl.conf18
1 files changed, 18 insertions, 0 deletions
diff --git a/factory-default/sys-apps/baselayout/etc/sysctl.conf b/factory-default/sys-apps/baselayout/etc/sysctl.conf
index 9e2e1466..7e0d51fc 100644
--- a/factory-default/sys-apps/baselayout/etc/sysctl.conf
+++ b/factory-default/sys-apps/baselayout/etc/sysctl.conf
@@ -25,6 +25,24 @@ kernel.randomize_va_space = 2
# with 0's unless the user has CAP_SYSLOG
kernel.kptr_restrict = 1
+# Do not allow O_CREAT open on regular files that we don't own in world
+# writable sticky directories, unless they are owned by the owner of the
+# directory
+fs.protected_regular = 1
+
+# Do not allow O_CREAT open on FIFOs that we don't own in world writable
+# sticky directories, unless they are owned by the owner of the directory
+fs.protected_fifos = 1
+
+# Allow symlinks to be followed when outside a sticky world-writable
+# directory or when the uid of the symlink and follower match, or when the
+# directory owner matches the symlink's owner
+fs.protected_symlinks = 1
+
+# Allow hardlinks to be created if the user owns or has read/write access to
+# the source file
+fs.protected_hardlinks = 1
+
# Uses a "never overcommit" policy that attempts to prevent any overcommit
# of memory
vm.overcommit_memory = 2
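Review bot: The comments added above `fs.protected_symlinks` and `fs.protected_hardlinks` are worded as permissions ("Allow …"), which hides that value 1 is a restriction on link following and link creation; both drop the "only" that makes the rule read correctly. I would write `# Only follow symlinks when outside a sticky world-writable directory, when the uid of the symlink and follower match, or when the directory owner matches the symlink's owner` and `# Only allow hardlinks to be created if the user owns or has read/write access to the source file`. It would also help to add a comment that `fs.protected_regular` and `fs.protected_fifos` exist only on Linux 4.19 and later. On an older kernel these two keys are not applied, and sysctl will likely report them as unknown, so the protection should be verified with `sysctl fs.protected_regular fs.protected_fifos` on the deployed image rather than assumed from this file.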