Merge branch 'master' into text_2

This commit is contained in:
raja-grewal 2024-10-06 10:48:52 +00:00 committed by GitHub
commit 0c0774f6c0
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 53 additions and 8 deletions


@ -37,8 +37,10 @@ Kernel space:
- Entirely disable the SysRq key so that the Secure Attention Key (SAK) - Entirely disable the SysRq key so that the Secure Attention Key (SAK)
can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq). can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq).
- Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial - Optional - Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial
privilege escalation. Optional - Disable all use of user namespaces. privilege escalation.
- Optional - Disable all use of user namespaces.
- Restrict kernel profiling and the performance events system to `CAP_PERFMON`. - Restrict kernel profiling and the performance events system to `CAP_PERFMON`.
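Review bot: the reworded bullet "Optional - Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial privilege escalation." states the reason for restricting but not why the restriction is now only optional, so a reader of the README cannot tell that the default changed in this commit. Suggest adding the rationale and the tracking issue inline, e.g. "Optional (no longer applied by default because it breaks Flatpak, AppImages and other software, see https://github.com/Kicksecure/security-misc/issues/274) - Restrict user namespaces to `CAP_SYS_ADMIN` ...", matching the breakage notes and issue link added to the sysctl file in this same commit. Splitting "Optional - Disable all use of user namespaces." into its own bullet is an improvement over the old run-on item.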
@ -227,14 +229,14 @@ Forces an immediate reboot on kernel panic. This can be enabled, but it may lead
* [security-misc pull request #264](https://github.com/Kicksecure/security-misc/pull/264) * [security-misc pull request #264](https://github.com/Kicksecure/security-misc/pull/264)
* [security-misc pull request #268](https://github.com/Kicksecure/security-misc/pull/268) * [security-misc pull request #268](https://github.com/Kicksecure/security-misc/pull/268)
**Non-compliance:**
3. `sysctl user.max_user_namespaces=0` 3. `sysctl user.max_user_namespaces=0`
Disables user namespaces entirely. Not recommended due to the potential for widespread breakages. Disables user namespaces entirely. Not recommended due to the potential for widespread breakages.
* [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263) * [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263)
**Non-compliance:**
4. `sysctl fs.binfmt_misc.status=0` 4. `sysctl fs.binfmt_misc.status=0`
Disables the registration of interpreters for miscellaneous binary formats. Currently not feasible due to compatibility issues with Firefox. Disables the registration of interpreters for miscellaneous binary formats. Currently not feasible due to compatibility issues with Firefox.
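Review bot: the added "**Non-compliance:**" labels document why items 3 and 4 are not applied, but the item that the PR #264 and #268 references belong to (the one just above the new label for item 3, outside this hunk) is left untouched, even though the sysctl file in this commit comments out `kernel.unprivileged_userns_clone=0` and changes its KSPP status to `no`. That item should receive the same treatment in this hunk (a note that the sysctl is no longer set by default and a link to issue #274), otherwise the KSPP section of the README and the shipped configuration disagree. Also check the rendered markdown: each "**Non-compliance:**" label is inserted directly between a bullet list and a numbered item, so it needs a blank line on each side to render as its own paragraph rather than being absorbed into the preceding list item.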


@ -1,3 +1,27 @@
commit 0e3ffa3f11a0049e57803c8f2e75dbb7d8ceb22c
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Thu Oct 3 02:58:58 2024 -0400
no longer set `kernel.unprivileged_userns_clone=0`
because it breaks too much
fixes https://github.com/Kicksecure/security-misc/issues/274
commit f401d94d5e0d0f26e93be55deda440fe565a6b22
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Thu Oct 3 02:44:06 2024 -0400
expand documentation on `kernel.unprivileged_userns_clone=0` sysctl
https://github.com/Kicksecure/security-misc/issues/274
commit 5572eb897a10455041df8abec6b6be6de29431a0
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed Sep 25 01:03:42 2024 +0000
bumped changelog version
commit e04f9cd4c17305d5201aa973c34778e81508734b commit e04f9cd4c17305d5201aa973c34778e81508734b
Merge: 18d426f 65aa910 Merge: 18d426f 65aa910
Author: Patrick Schleizer <adrelanos@whonix.org> Author: Patrick Schleizer <adrelanos@whonix.org>

debian/changelog vendored

@ -1,3 +1,9 @@
security-misc (3:39.9-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@whonix.org> Thu, 03 Oct 2024 07:22:23 +0000
security-misc (3:39.8-1) unstable; urgency=medium security-misc (3:39.8-1) unstable; urgency=medium
* New upstream version (local package). * New upstream version (local package).
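Review bot: the new `3:39.9-1` entry says only "New upstream version (local package)", yet this release changes a security default (the `kernel.unprivileged_userns_clone=0` restriction is no longer applied). Users who relied on that hardening will not learn from the changelog that it was relaxed on upgrade. Suggest a second bullet in the entry, e.g. "* No longer set kernel.unprivileged_userns_clone=0 by default due to breakage (Kicksecure/security-misc#274)."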


@ -120,11 +120,21 @@ kernel.sysrq=0
## User namespaces aim to improve sandboxing and accessibility for unprivileged users. ## User namespaces aim to improve sandboxing and accessibility for unprivileged users.
## Unprivileged user namespaces pose substantial privilege escalation risks. ## Unprivileged user namespaces pose substantial privilege escalation risks.
## Restricting may lead to breakages in numerous software packages. ## Restricting may lead to breakages in numerous software packages.
##
## Flatpak requires unprivileged users to create new user namespaces for sandboxing. ## Flatpak requires unprivileged users to create new user namespaces for sandboxing.
## Uncomment the second sysctl to entirely disable user namespaces. ## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements
## https://salsa.debian.org/debian/bubblewrap/-/blob/debian/latest/debian/README.Debian
## https://forums.kicksecure.com/t/can-not-run-flatpak-apps-after-kicksecure-update/592
##
## Disabling entirely will reduce compatibility with some AppArmor profiles. ## Disabling entirely will reduce compatibility with some AppArmor profiles.
## Disabling entirely is known to break the UPower systemd service. ## Disabling entirely is known to break the UPower systemd service.
## ##
## Also breaks (some?) AppImages.
## https://forums.kicksecure.com/t/cannot-run-some-appimage-apps-after-kicksecure-upate/594
##
## Might also break evolution (e-mail client):
## https://forums.kicksecure.com/t/impossible-to-start-evolution-app-since-the-last-update/601
##
## https://lwn.net/Articles/673597/ ## https://lwn.net/Articles/673597/
## https://madaidans-insecurities.github.io/linux.html#kernel ## https://madaidans-insecurities.github.io/linux.html#kernel
## https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction ## https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
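Review bot: the Flatpak wiki URL added here ("## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements") already appears in the reference list a few lines further down in this file (visible in the next hunk), so the new line duplicates an existing reference; drop one of the two. Two smaller points on the new comment lines: "## Also breaks (some?) AppImages." leaves the scope open with a question mark, so either state what is known ("breaks AppImages that use their own sandbox") or say plainly that the extent is unknown; and the forum URL slug "cannot-run-some-appimage-apps-after-kicksecure-upate" contains "upate", so confirm the link resolves as pasted before merging.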
@ -132,11 +142,14 @@ kernel.sysrq=0
## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601 ## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601
## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements ## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements
## https://github.com/Kicksecure/security-misc/pull/263 ## https://github.com/Kicksecure/security-misc/pull/263
## https://github.com/Kicksecure/security-misc/issues/274
## ##
## KSPP=partial ## KSPP=no
## KSPP sets the stricter sysctl user.max_user_namespaces=0. ## KSPP sets user.max_user_namespaces=0 sysctl, a Linux mainline, stricter setting.
## ##
kernel.unprivileged_userns_clone=0 ## kernel.unprivileged_userns_clone is a Debian specific kernel feature. Not Linux mainline.
#kernel.unprivileged_userns_clone=0
## Uncomment the following sysctl to entirely disable user namespaces.
#user.max_user_namespaces=0 #user.max_user_namespaces=0
## Restricts kernel profiling to users with CAP_PERFMON. ## Restricts kernel profiling to users with CAP_PERFMON.
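Review bot: with `kernel.unprivileged_userns_clone=0` now commented out, this block sets no user namespace restriction at all, but the only uncomment hint covers the stricter option ("## Uncomment the following sysctl to entirely disable user namespaces." above `#user.max_user_namespaces=0`). The milder `#kernel.unprivileged_userns_clone=0` line has no equivalent hint, so a user scanning the file will not see that it is the intended opt-in for restricting namespaces to `CAP_SYS_ADMIN`. Suggest a matching comment directly above it, e.g. "## Uncomment the following sysctl to restrict user namespaces to CAP_SYS_ADMIN (Debian kernels only)." The change from `KSPP=partial` to `KSPP=no` is consistent with the file no longer applying either sysctl, and the new note that this key is a Debian-specific, non-mainline feature is useful context for anyone uncommenting it on another kernel.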