Add the 'fs.protected_regular' check

[kconfig-hardened-check.git] / kernel_hardening_checker / checks.py

diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
index cb509089129a61e50c45615de8f7b1bb9ba27da6..84c5c1974632a0dc12fff2a63951c4fd536e84f4 100644 (file)
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -580,9 +580,6 @@ def normalize_cmdline_options(option, value):
 # TODO: draft of security hardening sysctls:
 #    what about bpf_jit_enable?
 #    vm.mmap_min_addr has a good value
-#    fs.protected_hardlinks=1
-#    fs.protected_fifos=2
-#    fs.protected_regular=2
 #    fs.suid_dumpable=0
 #    kernel.modules_disabled=1
 #    kernel.randomize_va_space=2
@@ -616,3 +613,6 @@ def add_sysctl_checks(l, arch):
           # and since v5.11 it enables unprivileged userfaultfd for user-mode only.
 
     l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_symlinks', '1')]
+    l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_hardlinks', '1')]
+    l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_fifos', '2')]
+    l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_regular', '2')]