diff options
84 files changed, 1326 insertions, 639 deletions
diff --git a/Documentation/filesystems/Locking b/Documentation/filesystems/Locking index 7f647e17830c..0f103e39b4f6 100644 --- a/Documentation/filesystems/Locking +++ b/Documentation/filesystems/Locking | |||
| @@ -138,8 +138,8 @@ evict_inode: | |||
| 138 | put_super: write | 138 | put_super: write |
| 139 | write_super: read | 139 | write_super: read |
| 140 | sync_fs: read | 140 | sync_fs: read |
| 141 | freeze_fs: read | 141 | freeze_fs: write |
| 142 | unfreeze_fs: read | 142 | unfreeze_fs: write |
| 143 | statfs: maybe(read) (see below) | 143 | statfs: maybe(read) (see below) |
| 144 | remount_fs: write | 144 | remount_fs: write |
| 145 | umount_begin: no | 145 | umount_begin: no |
diff --git a/Documentation/sysctl/fs.txt b/Documentation/sysctl/fs.txt index 8c235b6e4246..88152f214f48 100644 --- a/Documentation/sysctl/fs.txt +++ b/Documentation/sysctl/fs.txt | |||
| @@ -32,6 +32,8 @@ Currently, these files are in /proc/sys/fs: | |||
| 32 | - nr_open | 32 | - nr_open |
| 33 | - overflowuid | 33 | - overflowuid |
| 34 | - overflowgid | 34 | - overflowgid |
| 35 | - protected_hardlinks | ||
| 36 | - protected_symlinks | ||
| 35 | - suid_dumpable | 37 | - suid_dumpable |
| 36 | - super-max | 38 | - super-max |
| 37 | - super-nr | 39 | - super-nr |
| @@ -157,6 +159,46 @@ The default is 65534. | |||
| 157 | 159 | ||
| 158 | ============================================================== | 160 | ============================================================== |
| 159 | 161 | ||
| 162 | protected_hardlinks: | ||
| 163 | |||
| 164 | A long-standing class of security issues is the hardlink-based | ||
| 165 | time-of-check-time-of-use race, most commonly seen in world-writable | ||
| 166 | directories like /tmp. The common method of exploitation of this flaw | ||
| 167 | is to cross privilege boundaries when following a given hardlink (i.e. a | ||
| 168 | root process follows a hardlink created by another user). Additionally, | ||
| 169 | on systems without separated partitions, this stops unauthorized users | ||
| 170 | from "pinning" vulnerable setuid/setgid files against being upgraded by | ||
| 171 | the administrator, or linking to special files. | ||
| 172 | |||
| 173 | When set to "0", hardlink creation behavior is unrestricted. | ||
| 174 | |||
| 175 | When set to "1" hardlinks cannot be created by users if they do not | ||
| 176 | already own the source file, or do not have read/write access to it. | ||
| 177 | |||
| 178 | This protection is based on the restrictions in Openwall and grsecurity. | ||
| 179 | |||
| 180 | ============================================================== | ||
| 181 | |||
| 182 | protected_symlinks: | ||
| 183 | |||
| 184 | A long-standing class of security issues is the symlink-based | ||
| 185 | time-of-check-time-of-use race, most commonly seen in world-writable | ||
| 186 | directories like /tmp. The common method of exploitation of this flaw | ||
| 187 | is to cross privilege boundaries when following a given symlink (i.e. a | ||
| 188 | root process follows a symlink belonging to another user). For a likely | ||
| 189 | incomplete list of hundreds of examples across the years, please see: | ||
| 190 | http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp | ||
| 191 | |||
| 192 | When set to "0", symlink following behavior is unrestricted. | ||
| 193 | |||
| 194 | When set to "1" symlinks are permitted to be followed only when outside | ||
| 195 | a sticky world-writable directory, or when the uid of the symlink and | ||
| 196 | follower match, or when the directory owner matches the symlink's owner. | ||
| 197 | |||
| 198 | This protection is based on the restrictions in Openwall and grsecurity. | ||
| 199 | |||
| 200 | ============================================================== | ||
