Merge pull request #287 from raja-grewal/patch

Refactor and add two CPU mitigations

usr/lib/sysctl.d/990-security-misc.conf

@@ -117,42 +117,41 @@ vm.unprivileged_userfaultfd=0
 ##
 kernel.sysrq=0
 
-## Restrict user namespaces to users with CAP_SYS_ADMIN.
+## Disable user namespaces entirely.
 ## User namespaces aim to improve sandboxing and accessibility for unprivileged users.
-## Unprivileged user namespaces pose substantial privilege escalation risks.
-## Restricting may lead to breakages in numerous software packages.
-##
-## Flatpak requires unprivileged users to create new user namespaces for sandboxing.
-## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements
-## https://salsa.debian.org/debian/bubblewrap/-/blob/debian/latest/debian/README.Debian
-## https://forums.kicksecure.com/t/can-not-run-flatpak-apps-after-kicksecure-update/592
-##
 ## Disabling entirely will reduce compatibility with some AppArmor profiles.
 ## Disabling entirely is known to break the UPower systemd service.
-##
-## Also breaks (some?) AppImages.
-## https://forums.kicksecure.com/t/cannot-run-some-appimage-apps-after-kicksecure-upate/594
-##
-## Might also break evolution (e-mail client):
-## https://forums.kicksecure.com/t/impossible-to-start-evolution-app-since-the-last-update/601
+## Not recommended due to well-known breakages across numerous software packages.
 ##
 ## https://lwn.net/Articles/673597/
 ## https://madaidans-insecurities.github.io/linux.html#kernel
-## https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
 ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers
 ## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601
-## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements
 ## https://github.com/Kicksecure/security-misc/pull/263
-## https://github.com/Kicksecure/security-misc/issues/274
 ##
 ## KSPP=no
-## KSPP sets user.max_user_namespaces=0 sysctl, a Linux mainline, stricter setting.
+## KSPP sets the sysctl.
 ##
-## kernel.unprivileged_userns_clone is a Debian specific kernel feature. Not Linux mainline.
-#kernel.unprivileged_userns_clone=0
-## Uncomment the following sysctl to entirely disable user namespaces.
 #user.max_user_namespaces=0
 
+## Restrict user namespaces to users with CAP_SYS_ADMIN.
+## See the user.max_user_namespaces setting for more details.
+## This is a Debian-specific kernel feature, not a Linux mainline setting.
+## Unprivileged user namespaces pose substantial privilege escalation risks.
+## Flatpak requires unprivileged users to create new user namespaces for sandboxing.
+## Restricting is known to cause breakages in some AppImages and the Evolution Email Client.
+## Not recommended due to widespread breakages across many software packages.
+##
+## https://salsa.debian.org/debian/bubblewrap/-/blob/debian/latest/debian/README.Debian
+## https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
+## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements
+## https://forums.kicksecure.com/t/can-not-run-flatpak-apps-after-kicksecure-update/592
+## https://forums.kicksecure.com/t/cannot-run-some-appimage-apps-after-kicksecure-upate/594
+## https://forums.kicksecure.com/t/impossible-to-start-evolution-app-since-the-last-update/601
+## https://github.com/Kicksecure/security-misc/issues/274
+##
+#kernel.unprivileged_userns_clone=0
+
 ## Restricts kernel profiling to users with CAP_PERFMON.
 ## The performance events system should not be accessible by unprivileged users.
 ## Other distributions such as Ubuntu and Fedora may permit further restricting.
@@ -281,7 +280,7 @@ fs.protected_fifos=2
 fs.protected_regular=2
 
 ## Enable ASLR for mmap base, stack, VDSO pages, and heap.
-## Forces shared libraries to be loaded to random addresses
+## Forces shared libraries to be loaded to random addresses.
 ## Start location of PIE-linked binaries is randomized.
 ## Heap randomization can lead to breakages with legacy applications.
 ##