From 7f7e18cfce8e77f45b4024c979951b97a882e14e Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Sat, 2 Mar 2013 19:57:55 +0100
Subject: [PATCH] Enable hardlink and symlink restrictions

This prevents many time-of-check-time-of-use security bugs. Ubuntu enables these by default as well so they shouldn't cause many problems.
---
 modules/config/sysctl.nix | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/modules/config/sysctl.nix b/modules/config/sysctl.nix
index c3d5b8d223b..f3cc2130768 100644
--- a/modules/config/sysctl.nix
+++ b/modules/config/sysctl.nix
@@ -53,6 +53,12 @@ in
 };
 };
+ # Enable hardlink and symlink restrictions. See
+ # https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=800179c9b8a1e796e441674776d11cd4c05d61d7
+ # for details.
+ boot.kernel.sysctl."fs.protected_hardlinks" = true;
+ boot.kernel.sysctl."fs.protected_symlinks" = true;
+
 };
 }
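Review bot: The two `boot.kernel.sysctl` assignments are made at normal priority, so a system that has to switch one of these restrictions off for a program that breaks under them may get a conflicting-definition error, depending on how the option merges, rather than a clean override. Consider `boot.kernel.sysctl."fs.protected_hardlinks" = mkDefault true;` and the same for `fs.protected_symlinks`, assuming `mkDefault` is in scope in this module. The keys exist only on kernels that contain the commit the comment links to, so on an older kernel the value is presumably rejected when sysctl settings are applied and the protection is absent with no evaluation-time signal; extending the comment with `# Requires a kernel that includes the commit above; older kernels do not have these keys.` would make that visible. The enclosing attribute set begins outside the hunk, so how the boolean is rendered into the generated sysctl file cannot be checked from here.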