Set sysctl fs.binfmt_misc.status=0

README.md

@@ -57,6 +57,9 @@ space, user space, core dumps, and swap space.
 
 - Increase the maximum number of memory map areas a process is able to utilize.
 
+- Disallow registering interpreters for various (miscellaneous) binary formats based
+  on a magic number or their file extension to prevent unintended code execution.
+
 - Disable core dump files and prevent their creation. If core dump files are
   enabled, they will be named based on `core.PID` instead of the default `core`.
 

usr/lib/sysctl.d/990-security-misc.conf

@@ -193,6 +193,22 @@ fs.protected_regular=2
 ##
 vm.max_map_count=1048576
 
+## Disable the miscellaneous binary format virtual file system to prevent unintended code execution.
+## Prevents registering interpreters for various binary formats based on a magic number or their file extension.
+## If arbitrary executable file formats are recognised, they will be passed to relevant user space applications.
+## These interpreters will run with root permissions when a setuid binary is owned by root.
+## Can stop maliciously crafted files with specific file extensions from automatically executing.
+## Breaks many scripts that do not have appropriate shebang interpreter directives (#!/bin/...).
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/binfmt-misc.html
+## https://salsa.debian.org/debian/binfmt-support
+## https://access.redhat.com/solutions/1985633
+## https://en.wikipedia.org/wiki/Binfmt_misc
+## https://security.stackexchange.com/questions/271786/does-allowing-binfmt-misc-significantly-increase-the-attack-surface-for-unprivil
+## https://unix.stackexchange.com/questions/439569/what-kinds-of-executable-formats-do-the-files-under-proc-sys-fs-binfmt-misc-al
+##
+fs.binfmt_misc.status=0
+
 ## 3. Core Dumps:
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps