Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-05-04 20:44:56 -04:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #249 from raja-grewal/binfmt_misc

Browse source 
Disallow registering interpreters for miscellaneous binary formats
This commit is contained in:
Patrick Schleizer 2024-08-16 02:43:57 -04:00 committed by GitHub
commit ef60c5b153
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 23 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

3
README.md
View file

@ -63,6 +63,9 @@ space, user space, core dumps, and swap space.
- Increase the maximum number of memory map areas a process is able to utilize. - Increase the maximum number of memory map areas a process is able to utilize.
- Disallow registering interpreters for various (miscellaneous) binary formats based
on a magic number or their file extension to prevent unintended code execution.
- Disable core dump files and prevent their creation. If core dump files are - Disable core dump files and prevent their creation. If core dump files are
enabled, they will be named based on `core.PID` instead of the default `core`. enabled, they will be named based on `core.PID` instead of the default `core`.

20
usr/lib/sysctl.d/990-security-misc.conf
View file

@ -214,6 +214,26 @@ fs.protected_regular=2
## ##
vm.max_map_count=1048576 vm.max_map_count=1048576
## Disable the miscellaneous binary format virtual file system to prevent unintended code execution.
## Prevents registering interpreters for various binary formats based on a magic number or their file extension.
## Otherwise arbitrary executables with recognized file formats will be passed to relevant user space applications.
## These interpreters will then run with root permissions when a setuid binary is owned by root.
## Can stop maliciously crafted files with specific file extensions from automatically executing.
## Breaks many scripts that do not have appropriate shebang interpreter directives (#!/bin/...).
##
## https://www.kernel.org/doc/html/latest/admin-guide/binfmt-misc.html
## https://salsa.debian.org/debian/binfmt-support
## https://access.redhat.com/solutions/1985633
## https://en.wikipedia.org/wiki/Binfmt_misc
## https://security.stackexchange.com/questions/271786/does-allowing-binfmt-misc-significantly-increase-the-attack-surface-for-unprivil
## https://unix.stackexchange.com/questions/439569/what-kinds-of-executable-formats-do-the-files-under-proc-sys-fs-binfmt-misc-al
## https://github.com/Kicksecure/security-misc/pull/249
##
## KSPP=yes
## KSPP does not set CONFIG_BINFMT_MISC.
##
fs.binfmt_misc.status=0
## 3. Core Dumps: ## 3. Core Dumps:
## ##
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps