From 8517c86560e5729e73d8014da530b45f720f0c31 Mon Sep 17 00:00:00 2001
From: Craig Small
Date: Sat, 3 Mar 2018 18:56:20 +1100
Subject: [PATCH] misc: Add link protection examples to sysctl.conf
Adds both examples to the sample sysctl.conf configuration file to enable link protection for both hard and soft links. Most kernels probably have this enabled anyhow. References: https://bugs.debian.org/889098 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18078 https://github.com/torvalds/linux/commit/561ec64ae67ef25cac8d72bb9c4bfc955edfd415
---
 sysctl.conf | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/sysctl.conf b/sysctl.conf
index 6559310a..e846a57d 100644
--- a/sysctl.conf
+++ b/sysctl.conf
@@ -57,3 +57,8 @@ net/ipv4/icmp_echo_ignore_broadcasts =1
 # This limits PID values to 4 digits, which allows tools like ps
 # to save screen space.
 kernel/pid_max=10000
+
+# Protects against creating or following links under certain conditions
+# See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
+#fs.protected_hardlinks = 1
+#fs.protected_symlinks = 1
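Review bot: The two added settings are commented out, so a system that installs this sample unchanged keeps whatever the kernel or distribution default is. The comment above them says neither that nor which value is the protective one. The kernel commit linked in the description appears to be the one that made these protections off by default upstream, so "probably enabled anyhow" depends on the distribution. I would replace the first comment line with `# Uncomment to stop users hard-linking files they do not own or cannot read and write,` followed by `# and to restrict following symlinks in sticky world-writable directories (1 = on)`. The visible context uses slash-separated keys (`kernel/pid_max=10000`), so `#fs/protected_hardlinks = 1` and `#fs/protected_symlinks = 1` would match the rest of the file.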