no longer set kernel.unprivileged_userns_clone=0

because it breaks too much

fixes https://github.com/Kicksecure/security-misc/issues/274
Patrick Schleizer 2024-10-03 02:58:58 -04:00
parent f401d94d5e
commit 0e3ffa3f11
No known key found for this signature in database
GPG key ID: CB8D50BB77BB3C48
2 changed files with 11 additions and 8 deletions


@ -38,8 +38,10 @@ Kernel space:
- Entirely disable the SysRq key so that the Secure Attention Key (SAK) - Entirely disable the SysRq key so that the Secure Attention Key (SAK)
can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq). can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq).
- Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial - Optional - Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial
privilege escalation. Optional - Disable all use of user namespaces. privilege escalation.
- Optional - Disable all use of user namespaces.
- Restrict kernel profiling and the performance events system to `CAP_PERFMON`. - Restrict kernel profiling and the performance events system to `CAP_PERFMON`.
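Review bot: the rewritten bullet marks the `CAP_SYS_ADMIN` restriction as "Optional" but does not tell the reader how to opt in, and the newly separated "Optional - Disable all use of user namespaces" bullet likewise names no setting; suggest tying each bullet to its commented-out sysctl so the two optional items map to the two `#`-prefixed keys in the sysctl file, e.g. "Optional (uncomment `kernel.unprivileged_userns_clone=0`, Debian kernels only) - Restrict user namespaces ..." and "Optional (uncomment `user.max_user_namespaces=0`) - Disable all use of user namespaces."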
@ -228,14 +230,14 @@ Forces an immediate reboot on kernel panic. This can be enabled, but it may lead
* [security-misc pull request #264](https://github.com/Kicksecure/security-misc/pull/264) * [security-misc pull request #264](https://github.com/Kicksecure/security-misc/pull/264)
* [security-misc pull request #268](https://github.com/Kicksecure/security-misc/pull/268) * [security-misc pull request #268](https://github.com/Kicksecure/security-misc/pull/268)
**Non-compliance:**
3. `sysctl user.max_user_namespaces=0` 3. `sysctl user.max_user_namespaces=0`
Disables user namespaces entirely. Not recommended due to the potential for widespread breakages. Disables user namespaces entirely. Not recommended due to the potential for widespread breakages.
* [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263) * [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263)
**Non-compliance:**
4. `sysctl fs.binfmt_misc.status=0` 4. `sysctl fs.binfmt_misc.status=0`
Disables the registration of interpreters for miscellaneous binary formats. Currently not feasible due to compatibility issues with Firefox. Disables the registration of interpreters for miscellaneous binary formats. Currently not feasible due to compatibility issues with Firefox.
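Review bot: the visible lines of this hunk are unchanged context, yet the commit drops `kernel.unprivileged_userns_clone=0` from the defaults and the numbered Non-compliance list still only covers `user.max_user_namespaces=0` (item 3) and `fs.binfmt_misc.status=0` (item 4); suggest extending item 3 (or adding an item) to state that the Debian-specific `kernel.unprivileged_userns_clone=0` is now also left commented out for the same breakage reason, with a link to issue #274, so the README's non-compliance list matches the sysctl file's `KSPP=no` annotation.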


@ -142,10 +142,11 @@ kernel.sysrq=0
## https://github.com/Kicksecure/security-misc/pull/263 ## https://github.com/Kicksecure/security-misc/pull/263
## https://github.com/Kicksecure/security-misc/issues/274 ## https://github.com/Kicksecure/security-misc/issues/274
## ##
## KSPP=partial ## KSPP=no
## KSPP sets sysctls kernel.unprivileged_userns_clone=0 and user.max_user_namespaces=0. ## KSPP sets user.max_user_namespaces=0 sysctl, a Linux mainline, stricter setting.
## ##
kernel.unprivileged_userns_clone=0 ## kernel.unprivileged_userns_clone is a Debian specific kernel feature. Not Linux mainline.
#kernel.unprivileged_userns_clone=0
## Uncomment the following sysctl to entirely disable user namespaces. ## Uncomment the following sysctl to entirely disable user namespaces.
#user.max_user_namespaces=0 #user.max_user_namespaces=0
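Review bot: the comment's claim about KSPP changes from "KSPP sets sysctls kernel.unprivileged_userns_clone=0 and user.max_user_namespaces=0" to "KSPP sets user.max_user_namespaces=0 sysctl, a Linux mainline, stricter setting", and the tag drops from `KSPP=partial` to `KSPP=no` without a source for either claim; suggest adding the KSPP recommended-settings URL next to the existing issue/PR links so the classification is verifiable, and rewording the fragment "## kernel.unprivileged_userns_clone is a Debian specific kernel feature. Not Linux mainline." to one sentence that also tells readers on non-Debian kernels that the key does not exist there (e.g. "kernel.unprivileged_userns_clone exists only on Debian-patched kernels and is not in mainline Linux; uncomment it on Debian to restrict user namespaces to CAP_SYS_ADMIN."), since the line below it, "## Uncomment the following sysctl to entirely disable user namespaces.", now sits after two commented keys.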