Merge branch 'master' into arraybolt3/emerg-shutdown

usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf

@@ -5,11 +5,17 @@
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
+## Used for SSH client key management
+## https://manpages.debian.org/bookworm/openssh-client/ssh-agent.1.en.html
+## Debian installs ssh-agent with setgid permissions (2755) and with
+## _ssh as the group to help mitigate ptrace attacks that could extract
+## private keys from the agent's memory.
+ssh-agent matchwhitelist
+
 ## Used only for SSH host-based authentication
 ## https://linux.die.net/man/8/ssh-keysign
 ## Needed to allow access to the machine's host key for use in the
 ## authentication process. This is a non-default method of authenticating to
 ## SSH, and is likely rarely used, thus this should be safe to disable.
-#ssh-agent matchwhitelist
 #ssh-keysign matchwhitelist
 #/usr/lib/openssh matchwhitelist

usr/lib/sysctl.d/990-security-misc.conf

@@ -360,6 +360,8 @@ kernel.core_pattern=|/bin/false
 ## Prevent setuid processes or otherwise protected/tainted binaries from creating core dumps.
 ## Any process which has changed privilege levels or is execute-only will not be dumped.
 ##
+## https://blog.qualys.com/vulnerabilities-threat-research/2025/05/29/qualys-tru-discovers-two-local-information-disclosure-vulnerabilities-in-apport-and-systemd-coredump-cve-2025-5054-and-cve-2025-4598
+##
 ## KSPP=yes
 ## KSPP sets the sysctl.
 ##
@@ -475,6 +477,9 @@ net.ipv4.conf.*.arp_filter=1
 ## https://github.com/mullvad/mullvadvpn-app/pull/7141
 ## https://www.x41-dsec.de/static/reports/X41-Mullvad-Audit-Public-Report-2024-12-10.pdf
 ##
+## Can lead to breakages with certain VM configurations that may be resolved by lowering protection to `arp_ignore=1`.
+## https://github.com/Kicksecure/security-misc/pull/290
+##
 net.ipv4.conf.*.arp_ignore=2
 
 ## Drop gratuitous ARP (Address Resolution Protocol) packets.