Add the 'fs.protected_symlinks' check

author Alexander Popov <alex.popov@linux.com>

Tue, 17 Oct 2023 16:07:00 +0000 (19:07 +0300)

committer Alexander Popov <alex.popov@linux.com>

Tue, 17 Oct 2023 16:07:00 +0000 (19:07 +0300)
author Alexander Popov <alex.popov@linux.com>
Tue, 17 Oct 2023 16:07:00 +0000 (19:07 +0300)
committer Alexander Popov <alex.popov@linux.com>
Tue, 17 Oct 2023 16:07:00 +0000 (19:07 +0300)
diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py

index b501049d44c813e6ce6d935e59a3785d35d6a6ae..cb509089129a61e50c45615de8f7b1bb9ba27da6 100644 (file)
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -580,7 +580,6 @@ def normalize_cmdline_options(option, value):
  # TODO: draft of security hardening sysctls:
  #    what about bpf_jit_enable?
  #    vm.mmap_min_addr has a good value
-#    fs.protected_symlinks=1
  #    fs.protected_hardlinks=1
  #    fs.protected_fifos=2
  #    fs.protected_regular=2
@@ -615,3 +614,5 @@ def add_sysctl_checks(l, arch):
      l += [SysctlCheck('cut_attack_surface', 'kspp', 'vm.unprivileged_userfaultfd', '0')]
            # At first, it disabled unprivileged userfaultfd,
            # and since v5.11 it enables unprivileged userfaultfd for user-mode only.
+
+    l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_symlinks', '1')]
author	Alexander Popov <alex.popov@linux.com>
	Tue, 17 Oct 2023 16:07:00 +0000 (19:07 +0300)
committer	Alexander Popov <alex.popov@linux.com>
	Tue, 17 Oct 2023 16:07:00 +0000 (19:07 +0300)