Add the 'fs.protected_symlinks' check
author
Alexander Popov
<alex.popov@linux.com>
Tue, 17 Oct 2023 16:07:00 +0000
(19:07 +0300)
committer
Alexander Popov
<alex.popov@linux.com>
Tue, 17 Oct 2023 16:07:00 +0000
(19:07 +0300)
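--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -580,7 +580,6 @@ def normalize_cmdline_options(option, value):
 # TODO: draft of security hardening sysctls:
 # what about bpf_jit_enable?
 # vm.mmap_min_addr has a good value
-# fs.protected_symlinks=1
 # fs.protected_hardlinks=1
 # fs.protected_fifos=2
 # fs.protected_regular=2
@@ -615,3 +614,5 @@ def add_sysctl_checks(l, arch):
 l += [SysctlCheck('cut_attack_surface', 'kspp', 'vm.unprivileged_userfaultfd', '0')]
 # At first, it disabled unprivileged userfaultfd,
 # and since v5.11 it enables unprivileged userfaultfd for user-mode only.
+
+ l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_symlinks', '1')]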
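Review bot: The new SysctlCheck for fs.protected_symlinks at the end of add_sysctl_checks carries no comment saying what the setting defends against, unlike the vm.unprivileged_userfaultfd check directly above it, which documents its history; suggest adding `# fs.protected_symlinks=1 only allows following a symlink in a world-writable sticky directory (e.g. /tmp) when follower and symlink owner match, defeating classic symlink races`. The first hunk removes only fs.protected_symlinks from the TODO list, so fs.protected_hardlinks, fs.protected_fifos and fs.protected_regular stay drafted but unchecked; a short note there on whether they are intended to follow would keep the TODO accurate. The body of add_sysctl_checks begins before this hunk.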