Merge branch 'master' into text_2

raja-grewal 2024-10-06 10:48:52 +00:00 committed by GitHub
commit 0c0774f6c0
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 53 additions and 8 deletions


@ -120,11 +120,21 @@ kernel.sysrq=0
## User namespaces aim to improve sandboxing and accessibility for unprivileged users.
## Unprivileged user namespaces pose substantial privilege escalation risks.
## Restricting may lead to breakages in numerous software packages.
##
## Flatpak requires unprivileged users to create new user namespaces for sandboxing.
## Uncomment the second sysctl to entirely disable user namespaces.
## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements
## https://salsa.debian.org/debian/bubblewrap/-/blob/debian/latest/debian/README.Debian
## https://forums.kicksecure.com/t/can-not-run-flatpak-apps-after-kicksecure-update/592
##
## Disabling entirely will reduce compatibility with some AppArmor profiles.
## Disabling entirely is known to break the UPower systemd service.
##
## Also breaks (some?) AppImages.
## https://forums.kicksecure.com/t/cannot-run-some-appimage-apps-after-kicksecure-upate/594
##
## Might also break evolution (e-mail client):
## https://forums.kicksecure.com/t/impossible-to-start-evolution-app-since-the-last-update/601
##
## https://lwn.net/Articles/673597/
## https://madaidans-insecurities.github.io/linux.html#kernel
## https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
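Review bot: "## Uncomment the second sysctl to entirely disable user namespaces." makes the reader count commented-out lines further down in the file; name the setting instead, e.g. "## Uncomment user.max_user_namespaces=0 to entirely disable user namespaces.", so the instruction stays correct if lines are reordered. The hedge in "## Also breaks (some?) AppImages." should also be resolved from the linked thread, or reworded to "## Known to break at least some AppImages." so the comment states what is actually known.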
@ -132,11 +142,14 @@ kernel.sysrq=0
## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601
## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements
## https://github.com/Kicksecure/security-misc/pull/263
## https://github.com/Kicksecure/security-misc/issues/274
##
## KSPP=partial
## KSPP sets the stricter sysctl user.max_user_namespaces=0.
## KSPP=no
## KSPP sets user.max_user_namespaces=0 sysctl, a Linux mainline, stricter setting.
##
kernel.unprivileged_userns_clone=0
## kernel.unprivileged_userns_clone is a Debian specific kernel feature. Not Linux mainline.
#kernel.unprivileged_userns_clone=0
## Uncomment the following sysctl to entirely disable user namespaces.
#user.max_user_namespaces=0
## Restricts kernel profiling to users with CAP_PERFMON.
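Review bot: with "#kernel.unprivileged_userns_clone=0" and "#user.max_user_namespaces=0" both commented out, the file no longer restricts unprivileged user namespaces by default, yet the comment block only says the sysctl is Debian-specific; a reader who saw the earlier "pose substantial privilege escalation risks" line will assume a restriction is still in effect, so add a sentence stating that both restrictions are now opt-in and why (Flatpak, AppImage and Evolution breakage). The two KSPP annotations also conflict ("## KSPP=partial" vs "## KSPP=no"); keep only the one matching the final state, and "a Linux mainline, stricter setting" reads better as "the stricter, Linux-mainline setting".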