From 1f51d4eeb2b0c6e23ce64fb272eecb97e089324d Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Sun, 18 Aug 2024 13:53:11 +1000
Subject: [PATCH] Add details on user namespaces

---
 usr/lib/sysctl.d/990-security-misc.conf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index f576dbc..ad049b2 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -94,9 +94,13 @@ kernel.sysrq=0
 ## Unprivileged user namespaces pose substantial privilege escalation risks.
 ## Restricting may lead to breakages in numerous software packages.
 ## Uncomment the second sysctl to entirely disable user namespaces.
+## Disabling entirely will reduce compatibility with some AppArmor profiles.
 ##
+## https://lwn.net/Articles/673597/
 ## https://madaidans-insecurities.github.io/linux.html#kernel
 ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers
+## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601
+## https://github.com/Kicksecure/security-misc/pull/263
 ##
 ## KSPP=partial
 ## KSPP sets the stricter sysctl user.max_user_namespaces=0.