diff --git a/README.md b/README.md index d746f59..e55a1ec 100644 --- a/README.md +++ b/README.md @@ -59,7 +59,7 @@ User space: enables programs to inspect and modify other active processes. Optional - Disable usage of `ptrace()` by all processes. -- Maximize the bits of entropy used for mmap ASLR across all architectures. +- Maximize the bits of entropy used for mmap ASLR across all CPU architectures. - Prevent hardlink and symlink TOCTOU races in world-writable directories. @@ -194,6 +194,13 @@ Networking: - Optional - Disable the entire IPv6 stack to reduce attack surface. +### mmap ASLR + +- The bits of entropy used for mmap ASLR for all CPU architectures are maxed + out via `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of + `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` + that the kernel was built with), therefore improving its effectiveness. + ## Kernel Self Protection Project (KSPP) Compliance Status **Summary:** @@ -236,13 +243,6 @@ Disables the registration of interpreters for miscellaneous binary formats. Curr * [security-misc pull request #249](https://github.com/Kicksecure/security-misc/pull/249) * [security-misc issue #267](https://github.com/Kicksecure/security-misc/issues/267) -### mmap ASLR - -- The bits of entropy used for mmap ASLR are maxed out via - `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of - `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` - that the kernel was built with), therefore improving its effectiveness. - ### Kernel Modules #### Kernel Module Signature Verification diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 7329e77..e633df1 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -119,6 +119,7 @@ kernel.sysrq=0 ## User namespaces aim to improve sandboxing and accessibility for unprivileged users. ## Unprivileged user namespaces pose substantial privilege escalation risks. ## Restricting may lead to breakages in numerous software packages. +## Flatpak requires unprivileged users to create new user namespaces for sandboxing. ## Uncomment the second sysctl to entirely disable user namespaces. ## Disabling entirely will reduce compatibility with some AppArmor profiles. ## Disabling entirely is known to break the UPower systemd service. @@ -127,6 +128,7 @@ kernel.sysrq=0 ## https://madaidans-insecurities.github.io/linux.html#kernel ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers ## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601 +## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements ## https://github.com/Kicksecure/security-misc/pull/263 ## ## KSPP=partial