From 759aee8150a2d1258d73217c071b25432d47496f Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 16 Aug 2024 22:54:57 +1000 Subject: [PATCH 1/2] Provide option to disable user namespaces --- README.md | 2 +- usr/lib/sysctl.d/990-security-misc.conf | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index da9254a..4644c6a 100644 --- a/README.md +++ b/README.md @@ -37,7 +37,7 @@ space, user space, core dumps, and swap space. can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq). - Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial - privilege escalation. + privilege escalation. Optional - Disable all use of user namespaces. - Restrict kernel profiling and the performance events system to `CAP_PERFMON`. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 9836bc2..f576dbc 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -93,11 +93,16 @@ kernel.sysrq=0 ## User namespaces aim to improve sandboxing and accessibility for unprivileged users. ## Unprivileged user namespaces pose substantial privilege escalation risks. ## Restricting may lead to breakages in numerous software packages. +## Uncomment the second sysctl to entirely disable user namespaces. ## ## https://madaidans-insecurities.github.io/linux.html#kernel ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers ## +## KSPP=partial +## KSPP sets the stricter sysctl user.max_user_namespaces=0. +## kernel.unprivileged_userns_clone=0 +#user.max_user_namespaces=0 ## Restricts kernel profiling to users with CAP_PERFMON. ## The performance events system should not be accessible by unprivileged users. From 1f51d4eeb2b0c6e23ce64fb272eecb97e089324d Mon Sep 17 00:00:00 2001 
From: Raja Grewal Date: Sun, 18 Aug 2024 13:53:11 +1000 Subject: [PATCH 2/2] Add details on user namespaces --- usr/lib/sysctl.d/990-security-misc.conf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index f576dbc..ad049b2 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -94,9 +94,13 @@ kernel.sysrq=0 ## Unprivileged user namespaces pose substantial privilege escalation risks. ## Restricting may lead to breakages in numerous software packages. ## Uncomment the second sysctl to entirely disable user namespaces. +## Disabling entirely will reduce compatibility with some AppArmor profiles. ## +## https://lwn.net/Articles/673597/ ## https://madaidans-insecurities.github.io/linux.html#kernel ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers +## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601 +## https://github.com/Kicksecure/security-misc/pull/263 ## ## KSPP=partial ## KSPP sets the stricter sysctl user.max_user_namespaces=0.
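Review bot: in the README.md hunk, the appended text `Optional - Disable all use of user namespaces.` reads as a fragment tacked onto the preceding sentence rather than a separate bullet; suggest `Optionally, disable all use of user namespaces (opt-in; commented out by default).` so the reader knows the stricter setting is not active after installing the package, which matches the commented `#user.max_user_namespaces=0` line added in 990-security-misc.conf.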
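Review bot: in the 990-security-misc.conf hunk of PATCH 1/2, `Uncomment the second sysctl to entirely disable user namespaces.` depends on line order and breaks silently if the block is ever reordered; name the key instead, e.g. `Uncomment user.max_user_namespaces=0 to entirely disable user namespaces.` The comment block also leaves implicit why that sysctl is the stricter one: per the README, `kernel.unprivileged_userns_clone=0` only restricts creation to `CAP_SYS_ADMIN`, whereas `user.max_user_namespaces=0` blocks creation of any new user namespace regardless of capability. One sentence stating that next to `KSPP=partial` would explain why the default keeps only partial KSPP compliance.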
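Review bot: in the PATCH 2/2 hunk, `Disabling entirely will reduce compatibility with some AppArmor profiles.` should say which setting it refers to, e.g. `Setting user.max_user_namespaces=0 will reduce compatibility with some AppArmor profiles.`; as added, the sentence sits between the instruction to uncomment and a link list that now mixes general background with the AppArmor-specific references (the LWN article and the nixpkgs discussion) without indicating which links support the compatibility claim. A brief `## See the LWN and nixpkgs links for the AppArmor interaction.` after the new sentence would make the references actionable.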