Merge remote-tracking branch 'github-kicksecure/master'

README.md

@@ -36,7 +36,7 @@ Kernel space:
   can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq).
 
 - Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial
-  privilege escalation.
+  privilege escalation. Optional - Disable all use of user namespaces.
 
 - Restrict kernel profiling and the performance events system to `CAP_PERFMON`.
 

usr/lib/sysctl.d/990-security-misc.conf

@@ -93,11 +93,20 @@ kernel.sysrq=0
 ## User namespaces aim to improve sandboxing and accessibility for unprivileged users.
 ## Unprivileged user namespaces pose substantial privilege escalation risks.
 ## Restricting may lead to breakages in numerous software packages.
+## Uncomment the second sysctl to entirely disable user namespaces.
+## Disabling entirely will reduce compatibility with some AppArmor profiles.
 ##
+## https://lwn.net/Articles/673597/
 ## https://madaidans-insecurities.github.io/linux.html#kernel
 ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers
+## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601
+## https://github.com/Kicksecure/security-misc/pull/263
+##
+## KSPP=partial
+## KSPP sets the stricter sysctl user.max_user_namespaces=0.
 ##
 kernel.unprivileged_userns_clone=0
+#user.max_user_namespaces=0
 
 ## Restricts kernel profiling to users with CAP_PERFMON.
 ## The performance events system should not be accessible by unprivileged users.