Merge pull request #249 from raja-grewal/binfmt_misc

Disallow registering interpreters for miscellaneous binary formats

usr/lib/sysctl.d/990-security-misc.conf

@@ -214,6 +214,26 @@ fs.protected_regular=2
 ##
 vm.max_map_count=1048576
 
+## Disable the miscellaneous binary format virtual file system to prevent unintended code execution.
+## Prevents registering interpreters for various binary formats based on a magic number or their file extension.
+## Otherwise arbitrary executables with recognized file formats will be passed to relevant user space applications.
+## These interpreters will then run with root permissions when a setuid binary is owned by root.
+## Can stop maliciously crafted files with specific file extensions from automatically executing.
+## Breaks many scripts that do not have appropriate shebang interpreter directives (#!/bin/...).
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/binfmt-misc.html
+## https://salsa.debian.org/debian/binfmt-support
+## https://access.redhat.com/solutions/1985633
+## https://en.wikipedia.org/wiki/Binfmt_misc
+## https://security.stackexchange.com/questions/271786/does-allowing-binfmt-misc-significantly-increase-the-attack-surface-for-unprivil
+## https://unix.stackexchange.com/questions/439569/what-kinds-of-executable-formats-do-the-files-under-proc-sys-fs-binfmt-misc-al
+## https://github.com/Kicksecure/security-misc/pull/249
+##
+## KSPP=yes
+## KSPP does not set CONFIG_BINFMT_MISC.
+##
+fs.binfmt_misc.status=0
+
 ## 3. Core Dumps:
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps