There are situations where devices running without initrds may need
very early protection from link vulnerabilities, so make these sysctls
configurable at build time, since 561ec64ae67e ("VFS: don't do protected
{sym,hard}links by default") has disabled the protections by default.

Cc: Alexander Viro <v...@zeniv.linux.org.uk>
Cc: sta...@vger.kernel.org
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
 fs/Kconfig |   39 +++++++++++++++++++++++++++++++++++++++
 fs/namei.c |    6 ++++--
 2 files changed, 43 insertions(+), 2 deletions(-)

diff --git a/fs/Kconfig b/fs/Kconfig
index f95ae3a..46ae2dc 100644
--- a/fs/Kconfig
+++ b/fs/Kconfig
@@ -276,4 +276,43 @@ endif # NETWORK_FILESYSTEMS
 source "fs/nls/Kconfig"
 source "fs/dlm/Kconfig"
 
+config PROTECTED_SYMLINKS
+       bool "Protect symlink following in sticky world-writable dirs"
+       default n
+       help
+         Solve the class of ToCToU symlink race vulnerabilities by
+         permitting symlinks to be followed only when outside a sticky
+         world-writable directory, or when the uid of the symlink and
+         follower match, or when the directory and symlink owners match.
+
+         When PROC_SYSCTL is enabled, this setting can also be controlled
+         via /proc/sys/kernel/protected_symlinks.
+
+         See Documentation/sysctl/fs.txt for details.
+
+config PROTECTED_SYMLINKS_SYSCTL
+       int
+       default "1" if PROTECTED_SYMLINKS
+       default "0"
+
+config PROTECTED_HARDLINKS
+       bool "Protect hardlink creation to non-accessible files"
+       default n
+       help
+         Solve the class of ToCToU hardlink race vulnerabilities by
+         permitting hardlinks to be created only when to a regular file
+         that is owned by the user, or is readable and writable by the
+         user. Also blocks users from "pinning" vulnerable setuid/setgid
+         programs from being upgraded by the administrator.
+
+         When PROC_SYSCTL is enabled, this setting can also be controlled
+         via /proc/sys/kernel/protected_hardlinks.
+
+         See Documentation/sysctl/fs.txt for details.
+
+config PROTECTED_HARDLINKS_SYSCTL
+       int
+       default "1" if PROTECTED_HARDLINKS
+       default "0"
+
 endmenu
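Review bot: The help text for both new options (the "When PROC_SYSCTL is enabled" paragraphs) names /proc/sys/kernel/protected_symlinks and /proc/sys/kernel/protected_hardlinks, but these two knobs live in the fs sysctl table, which is why the same paragraphs point readers at Documentation/sysctl/fs.txt; the paths should read `via /proc/sys/fs/protected_symlinks.` and `via /proc/sys/fs/protected_hardlinks.`. An administrator verifying the runtime state from this help text would look for a node that does not exist. Minor: `default n` is already the Kconfig default for a bool and could be dropped from both options, and the two `int` helper symbols PROTECTED_*_SYSCTL exist only to turn the bool into 0/1 for fs/namei.c, which may not be needed if the tree has IS_ENABLED().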
diff --git a/fs/namei.c b/fs/namei.c
index 937f9d5..21854df 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -705,8 +705,10 @@ static inline void put_link(struct nameidata *nd, struct 
path *link, void *cooki
        path_put(link);
 }
 
-int sysctl_protected_symlinks __read_mostly = 0;
-int sysctl_protected_hardlinks __read_mostly = 0;
+int sysctl_protected_symlinks __read_mostly =
+       CONFIG_PROTECTED_SYMLINKS_SYSCTL;
+int sysctl_protected_hardlinks __read_mostly =
+       CONFIG_PROTECTED_HARDLINKS_SYSCTL;
 
 /**
  * may_follow_link - Check symlink following for unsafe situations
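Review bot: The two new initializers consume the auxiliary int symbols CONFIG_PROTECTED_SYMLINKS_SYSCTL and CONFIG_PROTECTED_HARDLINKS_SYSCTL, which the fs/Kconfig hunk adds solely to map a bool option to 0 or 1; if this tree already has include/linux/kconfig.h's IS_ENABLED() (it predates the 561ec64ae67e commit the description cites, as far as I can tell), the same result needs no extra Kconfig symbols: `int sysctl_protected_symlinks __read_mostly = IS_ENABLED(CONFIG_PROTECTED_SYMLINKS);` and `int sysctl_protected_hardlinks __read_mostly = IS_ENABLED(CONFIG_PROTECTED_HARDLINKS);`. Keeping the build-time default tied to the single user-visible option makes it easier to audit which protections a given .config actually enables at boot. The put_link() definition whose tail opens this hunk starts outside it.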
-- 
1.7.9.5


-- 
Kees Cook
Chrome OS Security
