From f401d94d5e0d0f26e93be55deda440fe565a6b22 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 3 Oct 2024 02:44:06 -0400 Subject: [PATCH 1/3] expand documentation on `kernel.unprivileged_userns_clone=0` sysctl https://github.com/Kicksecure/security-misc/issues/274 --- usr/lib/sysctl.d/990-security-misc.conf | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index e633df1..897ba59 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -119,22 +119,34 @@ kernel.sysrq=0 ## User namespaces aim to improve sandboxing and accessibility for unprivileged users. ## Unprivileged user namespaces pose substantial privilege escalation risks. ## Restricting may lead to breakages in numerous software packages. +## ## Flatpak requires unprivileged users to create new user namespaces for sandboxing. -## Uncomment the second sysctl to entirely disable user namespaces. +## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements +## https://salsa.debian.org/debian/bubblewrap/-/blob/debian/latest/debian/README.Debian +## https://forums.kicksecure.com/t/can-not-run-flatpak-apps-after-kicksecure-update/592 +## ## Disabling entirely will reduce compatibility with some AppArmor profiles. ## Disabling entirely is known to break the UPower systemd service. ## +## Also breaks (some?) AppImages. +## https://forums.kicksecure.com/t/cannot-run-some-appimage-apps-after-kicksecure-upate/594 +## +## Might also break evolution (e-mail client): +## https://forums.kicksecure.com/t/impossible-to-start-evolution-app-since-the-last-update/601 +## ## https://lwn.net/Articles/673597/ ## https://madaidans-insecurities.github.io/linux.html#kernel ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers ## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601 ## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements ## https://github.com/Kicksecure/security-misc/pull/263 +## https://github.com/Kicksecure/security-misc/issues/274 ## ## KSPP=partial -## KSPP sets the stricter sysctl user.max_user_namespaces=0. +## KSPP sets sysctls kernel.unprivileged_userns_clone=0 and user.max_user_namespaces=0. ## kernel.unprivileged_userns_clone=0 +## Uncomment the following sysctl to entirely disable user namespaces. #user.max_user_namespaces=0 ## Restricts kernel profiling to users with CAP_PERFMON. From 0e3ffa3f11a0049e57803c8f2e75dbb7d8ceb22c Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Thu, 3 Oct 2024 02:58:58 -0400 Subject: [PATCH 2/3] no longer set `kernel.unprivileged_userns_clone=0` because it breaks too much fixes https://github.com/Kicksecure/security-misc/issues/274 --- README.md | 12 +++++++----- usr/lib/sysctl.d/990-security-misc.conf | 7 ++++--- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index e55a1ec..bc43280 100644 --- a/README.md +++ b/README.md @@ -38,8 +38,10 @@ Kernel space: - Entirely disable the SysRq key so that the Secure Attention Key (SAK) can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq). -- Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial - privilege escalation. Optional - Disable all use of user namespaces. +- Optional - Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial + privilege escalation. + +- Optional - Disable all use of user namespaces. - Restrict kernel profiling and the performance events system to `CAP_PERFMON`. @@ -200,7 +202,7 @@ Networking: out via `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` that the kernel was built with), therefore improving its effectiveness. - + ## Kernel Self Protection Project (KSPP) Compliance Status **Summary:** 
@@ -228,14 +230,14 @@ Forces an immediate reboot on kernel panic. This can be enabled, but it may lead * [security-misc pull request #264](https://github.com/Kicksecure/security-misc/pull/264) * [security-misc pull request #268](https://github.com/Kicksecure/security-misc/pull/268) +**Non-compliance:** + 3. `sysctl user.max_user_namespaces=0` Disables user namespaces entirely. Not recommended due to the potential for widespread breakages. * [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263) -**Non-compliance:** - 4. `sysctl fs.binfmt_misc.status=0` Disables the registration of interpreters for miscellaneous binary formats. Currently not feasible due to compatibility issues with Firefox. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 897ba59..f7763b1 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -142,10 +142,11 @@ kernel.sysrq=0 ## https://github.com/Kicksecure/security-misc/pull/263 ## https://github.com/Kicksecure/security-misc/issues/274 ## -## KSPP=partial -## KSPP sets sysctls kernel.unprivileged_userns_clone=0 and user.max_user_namespaces=0. +## KSPP=no +## KSPP sets user.max_user_namespaces=0 sysctl, a Linux mainline, stricter setting. ## -kernel.unprivileged_userns_clone=0 +## kernel.unprivileged_userns_clone is a Debian specific kernel feature. Not Linux mainline. +#kernel.unprivileged_userns_clone=0 ## Uncomment the following sysctl to entirely disable user namespaces. #user.max_user_namespaces=0 From 8a2d432ffe6d4eb661026b6e7dbf534bb1db971b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 3 Oct 2024 07:22:23 +0000 Subject: [PATCH 3/3] bumped changelog version --- changelog.upstream | 24 ++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 30 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index d4a84ed..f86e577 100644 --- a/changelog.upstream 
+++ b/changelog.upstream @@ -1,3 +1,27 @@ +commit 0e3ffa3f11a0049e57803c8f2e75dbb7d8ceb22c +Author: Patrick Schleizer +Date: Thu Oct 3 02:58:58 2024 -0400 + + no longer set `kernel.unprivileged_userns_clone=0` + + because it breaks too much + + fixes https://github.com/Kicksecure/security-misc/issues/274 + +commit f401d94d5e0d0f26e93be55deda440fe565a6b22 +Author: Patrick Schleizer +Date: Thu Oct 3 02:44:06 2024 -0400 + + expand documentation on `kernel.unprivileged_userns_clone=0` sysctl + + https://github.com/Kicksecure/security-misc/issues/274 + +commit 5572eb897a10455041df8abec6b6be6de29431a0 +Author: Patrick Schleizer +Date: Wed Sep 25 01:03:42 2024 +0000 + + bumped changelog version + commit e04f9cd4c17305d5201aa973c34778e81508734b Merge: 18d426f 65aa910 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 57ee04b..dc8edc6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:39.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 03 Oct 2024 07:22:23 +0000 + security-misc (3:39.8-1) unstable; urgency=medium * New upstream version (local package).
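Review bot: in the 990-security-misc.conf hunk of PATCH 1/3 (@@ -119,22 +119,34 @@), the new line "+## KSPP sets sysctls kernel.unprivileged_userns_clone=0 and user.max_user_namespaces=0." is contradicted by PATCH 2/3 of the same series, which replaces it with "KSPP=no" and states that KSPP sets only the mainline `user.max_user_namespaces=0`; introducing a claim and retracting it two commits later in one series leaves a misleading intermediate state, so either squash the two conf changes or keep PATCH 1/3 limited to the breakage references. Two smaller points in the same hunk: the added "+## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements" duplicates the identical URL already in the reference list a few lines below (the context line "## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements"), so one copy should go; and "+## Also breaks (some?) AppImages." should state plainly what the linked forum thread documents, e.g. "## Also breaks some AppImages.", rather than leaving a question mark in a shipped config.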
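Review bot: in the README.md hunk at @@ -38,8 +38,10 @@ both bullets are now "Optional" but neither says how to opt in, and the first still describes the setting only as "Restrict user namespaces to `CAP_SYS_ADMIN`" without naming the sysctl. Suggest naming `kernel.unprivileged_userns_clone=0` and `user.max_user_namespaces=0` in the respective bullets and pointing at `/usr/lib/sysctl.d/990-security-misc.conf`, where both now sit commented out, so a reader can find and enable them without grepping the package.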
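Review bot: the README.md hunk at @@ -200,7 +202,7 @@ appears to be a whitespace-only change (a "- " line replaced by "+" above the KSPP heading) unrelated to the user namespace change this commit is about; it is harmless, but a whitespace cleanup mixed into a behavioural change makes the diff noisier to review and to bisect, so either drop it or mention it in the commit message.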
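Review bot: in the README.md hunk at @@ -228,14 +230,14 @@ moving "**Non-compliance:**" above item 3 reclassifies `user.max_user_namespaces=0` as non-compliant, but item 3's text is unchanged and still gives only "Not recommended due to the potential for widespread breakages" with a link to pull request #263; since this series is where the `CAP_SYS_ADMIN` restriction is dropped, the item (or a neighbouring one) should record that `kernel.unprivileged_userns_clone=0` is also no longer applied and why, with a link to issue #274, which the conf file already cites. Also check whether the numbering is meant to continue across the "Non-compliance" boundary (item 3 now starts that subsection and is followed by 4), or restart at 1 like the earlier subsection.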
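Review bot: in the 990-security-misc.conf hunk of PATCH 2/3 (@@ -142,10 +142,11 @@) commenting out "kernel.unprivileged_userns_clone=0" re-enables unprivileged user namespaces for every local user, which the same comment block calls a "substantial privilege escalation" risk, yet the hunk gives a user who wants to keep the old behaviour no instruction. Suggest a comment line above the disabled sysctl, parallel to the existing "## Uncomment the following sysctl to entirely disable user namespaces.", such as "## Uncomment the following sysctl to restrict user namespaces to CAP_SYS_ADMIN (Debian kernels only).", and a pointer that the value can be pinned in a drop-in under /etc/sysctl.d/ so it survives package upgrades of this file. The new "+## kernel.unprivileged_userns_clone is a Debian specific kernel feature. Not Linux mainline." is accurate for the purpose of this file and worth keeping, since it explains why the KSPP line above it now reads "KSPP=no".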
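Review bot: in the debian/changelog hunk (@@ -1,3 +1,9 @@) the entry for 3:39.9-1 says only "New upstream version (local package)", so an administrator upgrading the package gets no notice that `kernel.unprivileged_userns_clone=0` is no longer applied and that the default hardening is weaker after the upgrade. A changelog line naming the sysctl and issue #274 (e.g. "* No longer set kernel.unprivileged_userns_clone=0 by default because it breaks Flatpak, AppImages and other software; see issue #274.") would let users decide whether to restore it locally.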