README: Update KSSP compliance status

2025-11-27 05:56:41 -05:00 · 2025-10-13 01:01:14 +00:00 · 2025-10-13 01:01:14 +00:00 · 9db63d9777
commit 9db63d9777
parent 6cc1c27fb3
1 changed files with 10 additions and 10 deletions
--- a/README.md
+++ b/README.md
@ -279,23 +279,15 @@ there are a few cases of partial or non-compliance due to technical limitations.
 More than 30 kernel boot parameters and over 30 sysctl settings are fully aligned with
 the KSPP's recommendations.

-**Partial compliance:**
-
-1. `sysctl kernel.yama.ptrace_scope=3`
-
-Completely disables `ptrace()`. Can be enabled easily if needed.
-
-* [security-misc pull request #242](https://github.com/Kicksecure/security-misc/pull/242)
-
 **Non-compliance:**

-2. `sysctl user.max_user_namespaces=0`
+1. `sysctl user.max_user_namespaces=0`

 Disables user namespaces entirely. Not recommended due to the potential for widespread breakages.

 * [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263)

-3. `sysctl fs.binfmt_misc.status=0`
+2. `sysctl fs.binfmt_misc.status=0`

 Disables the registration of interpreters for miscellaneous binary formats. Currently not
 feasible due to compatibility issues with Firefox.
@ -303,6 +295,14 @@ feasible due to compatibility issues with Firefox.
 * [security-misc pull request #249](https://github.com/Kicksecure/security-misc/pull/249)
 * [security-misc issue #267](https://github.com/Kicksecure/security-misc/issues/267)

+3. Kernel boot parameter `hash_pointers=always`
+
+Forces all exposed pointers to be hashed and must be used in combination with already enabled
+kernel boot parameter `slab_debug=FZ`. Currently not possible as requires Linux kernel >= 6.17.
+
+* [security-misc issue #253](https://github.com/Kicksecure/security-misc/issues/253)
+* [security-misc pull request #325](https://github.com/Kicksecure/security-misc/pull/325)
+
 ### Kernel Modules

 #### Kernel Module Signature Verification