From 5cb21d0d4d36fd516f17a9b5378443859f497027 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Wed, 12 Feb 2020 18:03:23 +0000
Subject: [PATCH 1/2] Prevent symlink/hardlink TOCTOU races
---
 etc/sysctl.d/30_security-misc.conf | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf
index ae374de..4c17bcb 100644
--- a/etc/sysctl.d/30_security-misc.conf
+++ b/etc/sysctl.d/30_security-misc.conf
@@ -5,21 +5,31 @@
 ## security-misc also disables coredumps in other ways.
 kernel.core_pattern=|/bin/false
-
 ## Restricts the kernel log to root only.
 kernel.dmesg_restrict=1
-
-## Makes some data spoofing attacks harder.
+## Don't allow writes to files that we don't own
+## in world writable sticky directories, unless
+## they are owned by the owner of the directory.
 fs.protected_fifos=2
 fs.protected_regular=2
+## Only allow symlinks to be followed when outside of
+## a world-writable sticky directory, or when the owner
+## of the symlink and follower match, or when the directory
+## owner matches the symlink's owner.
+##
+## Prevent hardlinks from being created by users that do not
+## have read/write access to the source file.
+##
+## These prevent many TOCTOU races.
+fs.protected_symlinks=1
+fs.protected_hardlinks=1
 ## Hardens the BPF JIT compiler and restricts it to root.
 kernel.unprivileged_bpf_disabled=1
 net.core.bpf_jit_harden=2
-
 ## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
 ##
 ## kexec_load_disabled:
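Review bot: The comment added above `fs.protected_fifos=2` / `fs.protected_regular=2` documents only the level-1 behaviour (world-writable sticky directories), but the value set is 2, which per the kernel sysctl documentation additionally covers group-writable sticky directories, and the restriction is on O_CREAT opens of regular files and FIFOs rather than on all writes. Suggested wording: `## Don't allow O_CREAT opens of FIFOs or regular files that we don't own` / `## in world- or group-writable sticky directories, unless they are` / `## owned by the owner of the directory.` The new symlink/hardlink text matches the kernel documentation for `fs.protected_symlinks=1` and `fs.protected_hardlinks=1`; since these values appear to be the upstream and Debian defaults already (please confirm for the target kernels), a line such as `## Pinned explicitly so a changed distro default cannot silently drop them.` would explain why they are set here.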
@@ -29,19 +39,16 @@ net.core.bpf_jit_harden=2
 ## Disables kexec which can be used to replace the running kernel.
 kernel.kexec_load_disabled=1
-
 ## Hides kernel addresses in various files in /proc.
 ## Kernel addresses can be very useful in certain exploits.
 ##
 ## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
 kernel.kptr_restrict=2
-
 ## Improves ASLR effectiveness for mmap.
 vm.mmap_rnd_bits=32
 vm.mmap_rnd_compat_bits=16
-
 ## Restricts the use of ptrace to root. This might break some programs running under WINE.
 ## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
 ##
@@ -50,7 +57,6 @@ vm.mmap_rnd_compat_bits=16
 ## sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
 kernel.yama.ptrace_scope=2
-
 ## Prevent setuid processes from creating coredumps.
 fs.suid_dumpable=0
From 14f845837476810f1eb3038d9d41f9ad8088b916 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Wed, 12 Feb 2020 18:05:32 +0000
Subject: [PATCH 2/2] Update control
---
 debian/control | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/debian/control b/debian/control
index 6a97d69..653f292 100644
--- a/debian/control
+++ b/debian/control
@@ -48,7 +48,9 @@ Description: enhances misc security settings
  attacks and enabling reverse path filtering to prevent IP spoofing and mitigate vulnerabilities such as CVE-2019-14899.
  .
- * Some data spoofing attacks are made harder.
+ * Avoids unintentional writes to attacker-controlled files.
+ .
+ * Prevents symlink/hardlink TOCTOU races.
  .
  * SACK can be disabled as it is commonly exploited and is rarely used by uncommenting settings in file /etc/sysctl.d/30_security-misc.conf.