From f699eb02a27ef54b9ced5866447b63152984af66 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Thu, 25 Jul 2024 10:11:33 +1000
Subject: [PATCH 1/7] Set `sysctl fs.binfmt_misc.status=0`

---
 README.md                               |  3 +++
 usr/lib/sysctl.d/990-security-misc.conf | 16 ++++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/README.md b/README.md
index 5e029c8..d4dd706 100644
--- a/README.md
+++ b/README.md
@@ -57,6 +57,9 @@ space, user space, core dumps, and swap space.
 
 - Increase the maximum number of memory map areas a process is able to utilize.
 
+- Disallow registering interpreters for various (miscellaneous) binary formats based
+  on a magic number or their file extension to prevent unintended code execution.
+
 - Disable core dump files and prevent their creation. If core dump files are
   enabled, they will be named based on `core.PID` instead of the default `core`.
 
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 7b07033..334fb68 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -193,6 +193,22 @@ fs.protected_regular=2
 ##
 vm.max_map_count=1048576
 
+## Disable the miscellaneous binary format virtual file system to prevent unintended code execution.
+## Prevents registering interpreters for various binary formats based on a magic number or their file extension.
+## If arbitrary executable file formats are recognised, they will be passed to relevant user space applications.
+## These interpreters will run with root permissions when a setuid binary is owned by root.
+## Can stop maliciously crafted files with specific file extensions from automatically executing.
+## Breaks many scripts that do not have appropriate shebang interpreter directives (#!/bin/...).
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/binfmt-misc.html
+## https://salsa.debian.org/debian/binfmt-support
+## https://access.redhat.com/solutions/1985633
+## https://en.wikipedia.org/wiki/Binfmt_misc
+## https://security.stackexchange.com/questions/271786/does-allowing-binfmt-misc-significantly-increase-the-attack-surface-for-unprivil
+## https://unix.stackexchange.com/questions/439569/what-kinds-of-executable-formats-do-the-files-under-proc-sys-fs-binfmt-misc-al
+##
+fs.binfmt_misc.status=0
+
 ## 3. Core Dumps:
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps

From 9fbee9fc82768c3b436307459d174378ee471335 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Sun, 28 Jul 2024 21:57:25 +1000
Subject: [PATCH 2/7] Clarify

---
 usr/lib/sysctl.d/990-security-misc.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 334fb68..9b350d3 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
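Review bot: The added line `## These interpreters will run with root permissions when a setuid binary is owned by root.` lifts the caveat that the kernel binfmt-misc document attaches specifically to the `C` (credentials) registration flag; without that flag the kernel derives the new process's credentials from the interpreter, so the sentence overstates the default risk and should be qualified, e.g. `## Interpreters registered with the C (credentials) flag run with root permissions when a setuid binary owned by root is executed.`. Separately, the key `fs.binfmt_misc.status` only exists once the binfmt_misc filesystem is mounted under /proc/sys/fs/binfmt_misc (and the kernel was built with CONFIG_BINFMT_MISC); on a system where that is not the case when this file is applied, the write fails with a logged error and the setting is simply not in effect, which the header comment should state so the failure is not mistaken for a bug elsewhere in the file. It is also worth noting in the comment that `status` is a runtime switch writable by root, so this is a default rather than a lockdown. Finally, the `## Breaks many scripts that do not have appropriate shebang interpreter directives` line looks overstated: shebang-less scripts started from a shell are run through the shell's ENOEXEC fallback regardless of binfmt_misc, whereas the realistic breakage is registered interpreters such as qemu-user, Wine or Java `.jar` wrappers — consider naming those instead.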
@@ -195,8 +195,8 @@ vm.max_map_count=1048576
 
 ## Disable the miscellaneous binary format virtual file system to prevent unintended code execution.
 ## Prevents registering interpreters for various binary formats based on a magic number or their file extension.
-## If arbitrary executable file formats are recognised, they will be passed to relevant user space applications.
-## These interpreters will run with root permissions when a setuid binary is owned by root.
+## Otherwise arbitrary executables with recognized file formats will be passed to relevant user space applications.
+## These interpreters will the run with root permissions when a setuid binary is owned by root.
 ## Can stop maliciously crafted files with specific file extensions from automatically executing.
 ## Breaks many scripts that do not have appropriate shebang interpreter directives (#!/bin/...).
 ##

From d2d024ebe9a371eaf90b7b72f8a227e5d2e9babe Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Sun, 28 Jul 2024 22:03:33 +1000
Subject: [PATCH 3/7] Typo

---
 usr/lib/sysctl.d/990-security-misc.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 9b350d3..adb80c7 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -196,7 +196,7 @@ vm.max_map_count=1048576
 ## Disable the miscellaneous binary format virtual file system to prevent unintended code execution.
 ## Prevents registering interpreters for various binary formats based on a magic number or their file extension.
 ## Otherwise arbitrary executables with recognized file formats will be passed to relevant user space applications.
-## These interpreters will the run with root permissions when a setuid binary is owned by root.
+## These interpreters will thn run with root permissions when a setuid binary is owned by root.
 ## Can stop maliciously crafted files with specific file extensions from automatically executing.
 ## Breaks many scripts that do not have appropriate shebang interpreter directives (#!/bin/...).
 ##

From 9cabaa1bd15a0639c87bf2e965755d06ff0a7bb4 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Sun, 28 Jul 2024 22:04:30 +1000
Subject: [PATCH 4/7] Typo

---
 usr/lib/sysctl.d/990-security-misc.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index adb80c7..747ca67 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -196,7 +196,7 @@ vm.max_map_count=1048576
 ## Disable the miscellaneous binary format virtual file system to prevent unintended code execution.
 ## Prevents registering interpreters for various binary formats based on a magic number or their file extension.
 ## Otherwise arbitrary executables with recognized file formats will be passed to relevant user space applications.
-## These interpreters will thn run with root permissions when a setuid binary is owned by root.
+## These interpreters will then run with root permissions when a setuid binary is owned by root.
 ## Can stop maliciously crafted files with specific file extensions from automatically executing.
 ## Breaks many scripts that do not have appropriate shebang interpreter directives (#!/bin/...).
 ##

From debd7a7b7ae8b03e04d2c8597bcccf2c79000570 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Wed, 7 Aug 2024 13:33:44 +1000
Subject: [PATCH 5/7] Provide optional `sysctl fs.binfmt_misc.status=0`

---
 README.md                               | 5 +++--
 usr/lib/sysctl.d/990-security-misc.conf | 5 ++++-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index d4dd706..96f8b14 100644
--- a/README.md
+++ b/README.md
@@ -57,8 +57,9 @@ space, user space, core dumps, and swap space.
 
 - Increase the maximum number of memory map areas a process is able to utilize.
 
-- Disallow registering interpreters for various (miscellaneous) binary formats based
-  on a magic number or their file extension to prevent unintended code execution.
+- Provide the option to disallow registering interpreters for various (miscellaneous)
+  binary formats based on a magic number or their file extension to prevent
+  unintended code execution.
 
 - Disable core dump files and prevent their creation. If core dump files are
   enabled, they will be named based on `core.PID` instead of the default `core`.
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 747ca67..4de859c 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -206,8 +206,11 @@ vm.max_map_count=1048576
 ## https://en.wikipedia.org/wiki/Binfmt_misc
 ## https://security.stackexchange.com/questions/271786/does-allowing-binfmt-misc-significantly-increase-the-attack-surface-for-unprivil
 ## https://unix.stackexchange.com/questions/439569/what-kinds-of-executable-formats-do-the-files-under-proc-sys-fs-binfmt-misc-al
+## https://github.com/Kicksecure/security-misc/pull/249
 ##
-fs.binfmt_misc.status=0
+## The default kernel setting will be utilized until provided sufficient evidence to modify.
+##
+#fs.binfmt_misc.status=0
 
 ## 3. Core Dumps:
 ##

From 326d82a9beee130956dd817812016a6ee16fccbc Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Thu, 15 Aug 2024 11:46:56 +1000
Subject: [PATCH 6/7] Revert "Provide optional `sysctl fs.binfmt_misc.status=0`"

This reverts commit debd7a7b7ae8b03e04d2c8597bcccf2c79000570.
---
 README.md                               | 5 ++---
 usr/lib/sysctl.d/990-security-misc.conf | 5 +----
 2 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index 96f8b14..d4dd706 100644
--- a/README.md
+++ b/README.md
@@ -57,9 +57,8 @@ space, user space, core dumps, and swap space.
 
 - Increase the maximum number of memory map areas a process is able to utilize.
 
-- Provide the option to disallow registering interpreters for various (miscellaneous)
-  binary formats based on a magic number or their file extension to prevent
-  unintended code execution.
+- Disallow registering interpreters for various (miscellaneous) binary formats based
+  on a magic number or their file extension to prevent unintended code execution.
 
 - Disable core dump files and prevent their creation. If core dump files are
   enabled, they will be named based on `core.PID` instead of the default `core`.
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 4de859c..747ca67 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
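Review bot: With the setting reduced to the commented-out `#fs.binfmt_misc.status=0`, the only way a user can take up the option this commit's README text advertises is to edit this file under /usr/lib/sysctl.d, which the next package upgrade overwrites; sysctl.d is designed to be overridden from /etc/sysctl.d instead. Suggest replacing `## The default kernel setting will be utilized until provided sufficient evidence to modify.` with a note that the kernel default is kept and that users who want the hardening should put `fs.binfmt_misc.status=0` in their own file under `/etc/sysctl.d/` (a file of the same name there takes precedence over this one). The README hunk in the same commit should then point at that location too, so the two stay consistent.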
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -206,11 +206,8 @@ vm.max_map_count=1048576
 ## https://en.wikipedia.org/wiki/Binfmt_misc
 ## https://security.stackexchange.com/questions/271786/does-allowing-binfmt-misc-significantly-increase-the-attack-surface-for-unprivil
 ## https://unix.stackexchange.com/questions/439569/what-kinds-of-executable-formats-do-the-files-under-proc-sys-fs-binfmt-misc-al
-## https://github.com/Kicksecure/security-misc/pull/249
 ##
-## The default kernel setting will be utilized until provided sufficient evidence to modify.
-##
-#fs.binfmt_misc.status=0
+fs.binfmt_misc.status=0
 
 ## 3. Core Dumps:
 ##

From b552b92401f67d59e12ac6fda2f7fe1c54b0c8a7 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Thu, 15 Aug 2024 11:54:21 +1000
Subject: [PATCH 7/7] Add references on `fs.binfmt_misc.status`

---
 usr/lib/sysctl.d/990-security-misc.conf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 747ca67..7df6f03 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -206,6 +206,10 @@ vm.max_map_count=1048576
 ## https://en.wikipedia.org/wiki/Binfmt_misc
 ## https://security.stackexchange.com/questions/271786/does-allowing-binfmt-misc-significantly-increase-the-attack-surface-for-unprivil
 ## https://unix.stackexchange.com/questions/439569/what-kinds-of-executable-formats-do-the-files-under-proc-sys-fs-binfmt-misc-al
+## https://github.com/Kicksecure/security-misc/pull/249
+##
+## KSPP=yes
+## KSPP does not set CONFIG_BINFMT_MISC.
 ##
 fs.binfmt_misc.status=0