2 files changed, 39 insertions, 0 deletions
diff --git a/kernel/audit.c b/kernel/audit.c
index 4a3f28d2ca65..ea3b7b6191c7 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1456,6 +1456,27 @@ void audit_log_key(struct audit_buffer *ab, char *key)
 }
 /**
+ * audit_log_link_denied - report a link restriction denial
+ * @operation: specific link opreation
+ * @link: the path that triggered the restriction
+ */
+void audit_log_link_denied(const char *operation, struct path *link)
+{
+        struct audit_buffer *ab;
+        ab = audit_log_start(current->audit_context, GFP_KERNEL,
+                             AUDIT_ANOM_LINK);
+        audit_log_format(ab, "op=%s action=denied", operation);
+        audit_log_format(ab, " pid=%d comm=", current->pid);
+        audit_log_untrustedstring(ab, current->comm);
+        audit_log_d_path(ab, " path=", link);
+        audit_log_format(ab, " dev=");
+        audit_log_untrustedstring(ab, link->dentry->d_inode->i_sb->s_id);
+        audit_log_format(ab, " ino=%lu", link->dentry->d_inode->i_ino);
+        audit_log_end(ab);
+}
+/**
 * audit_log_end - end one audit record
 * @ab: the audit_buffer
 *
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 6502d35a25ba..87174ef59161 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -1498,6 +1498,24 @@ static struct ctl_table fs_table[] = {
 #endif
 #endif
        {
+                .procname       = "protected_symlinks",
+                .data           = &sysctl_protected_symlinks,
+                .maxlen         = sizeof(int),
+                .mode           = 0600,
+                .proc_handler   = proc_dointvec_minmax,
+                .extra1         = &zero,
+                .extra2         = &one,
+        },
+        {
+                .procname       = "protected_hardlinks",
+                .data           = &sysctl_protected_hardlinks,
+                .maxlen         = sizeof(int),
+                .mode           = 0600,
+                .proc_handler   = proc_dointvec_minmax,
+                .extra1         = &zero,
+                .extra2         = &one,
+        },
+        {
                .procname       = "suid_dumpable",
                .data           = &suid_dumpable,
                .maxlen         = sizeof(int),

diff --git a/kernel/audit.c b/kernel/audit.c index 4a3f28d2ca65..ea3b7b6191c7 100644 --- a/kernel/audit.c +++ b/kernel/audit.c
@@ -1456,6 +1456,27 @@ void audit_log_key(struct audit_buffer ab, char key)
1456	}	1456	}
1457		1457
1458	/**	1458	/**
		1459	* audit_log_link_denied - report a link restriction denial
		1460	* @operation: specific link opreation
		1461	* @link: the path that triggered the restriction
		1462	*/
		1463	void audit_log_link_denied(const char operation, struct path link)
		1464	{
		1465	struct audit_buffer *ab;
		1466
		1467	ab = audit_log_start(current->audit_context, GFP_KERNEL,
		1468	AUDIT_ANOM_LINK);
		1469	audit_log_format(ab, "op=%s action=denied", operation);
		1470	audit_log_format(ab, " pid=%d comm=", current->pid);
		1471	audit_log_untrustedstring(ab, current->comm);
		1472	audit_log_d_path(ab, " path=", link);
		1473	audit_log_format(ab, " dev=");
		1474	audit_log_untrustedstring(ab, link->dentry->d_inode->i_sb->s_id);
		1475	audit_log_format(ab, " ino=%lu", link->dentry->d_inode->i_ino);
		1476	audit_log_end(ab);
		1477	}
		1478
		1479	/**
1459	* audit_log_end - end one audit record	1480	* audit_log_end - end one audit record
1460	* @ab: the audit_buffer	1481	* @ab: the audit_buffer
1461	*	1482	*


diff --git a/kernel/sysctl.c b/kernel/sysctl.c index 6502d35a25ba..87174ef59161 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c
@@ -1498,6 +1498,24 @@ static struct ctl_table fs_table[] = {
1498	#endif	1498	#endif
1499	#endif	1499	#endif
1500	{	1500	{
		1501	.procname = "protected_symlinks",
		1502	.data = &sysctl_protected_symlinks,
		1503	.maxlen = sizeof(int),
		1504	.mode = 0600,
		1505	.proc_handler = proc_dointvec_minmax,
		1506	.extra1 = &zero,
		1507	.extra2 = &one,
		1508	},
		1509	{
		1510	.procname = "protected_hardlinks",
		1511	.data = &sysctl_protected_hardlinks,
		1512	.maxlen = sizeof(int),
		1513	.mode = 0600,
		1514	.proc_handler = proc_dointvec_minmax,
		1515	.extra1 = &zero,
		1516	.extra2 = &one,
		1517	},
		1518	{
1501	.procname = "suid_dumpable",	1519	.procname = "suid_dumpable",
1502	.data = &suid_dumpable,	1520	.data = &suid_dumpable,
1503	.maxlen = sizeof(int),	1521	.maxlen = sizeof(int),