From 6d211faf591608ea6e7f484e8bc69dd567877abf Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Thu, 18 Jul 2024 11:04:54 +1000
Subject: [PATCH] Restrict unprivileged user namespaces

---
 README.md                               | 4 ++--
 usr/lib/sysctl.d/990-security-misc.conf | 6 ++----
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index b6aa965..b401517 100644
--- a/README.md
+++ b/README.md
@@ -36,8 +36,8 @@ space, user space, core dumps, and swap space.
 - Entirely disable the SysRq key so that the Secure Attention Key (SAK) can no
   longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq).
-- Provide the option to disable unprivileged user namespaces as they can lead to
-  substantial privilege escalation.
+- Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial
+  privilege escalation.
 - Restrict kernel profiling and the performance events system to `CAP_PERFMON`.
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 60440e5..ccb3dd3 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -91,14 +91,12 @@ kernel.sysrq=0
 ## Restrict user namespaces to users with CAP_SYS_ADMIN.
 ## User namespaces aim to improve sandboxing and accessibility for unprivileged users.
 ## Unprivileged user namespaces pose substantial privilege escalation risks.
-## Restricting is known to cause breakages across numerous software packages.
+## Restricting may lead to breakages in numerous software packages.
 ##
 ## https://madaidans-insecurities.github.io/linux.html#kernel
 ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers
 ##
-## Unprivileged user namespaces are currently enabled.
-##
-#kernel.unprivileged_userns_clone=0
+kernel.unprivileged_userns_clone=0
 
 ## Restricts kernel profiling to users with CAP_PERFMON.
 ## The performance events system should not be accessible by unprivileged users.
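Review bot: The newly enabled `kernel.unprivileged_userns_clone=0` is, as far as I know, a Debian/Ubuntu-patched sysctl rather than a mainline one, so on a kernel without that patch sysctl logs the key as missing and the restriction does not take effect, while the comment block and the README now describe it as applied. It would help to state that in the comment and to make the failure non-fatal for the rest of the file, e.g. `## Only honored by kernels carrying the Debian userns patch; the leading - makes sysctl skip the error elsewhere.` above `-kernel.unprivileged_userns_clone=0`. The mainline knob `user.max_user_namespaces=0` could be noted as the fallback for other kernels if parity there is wanted. Separately, since this hunk flips a previously commented-out default, softening the warning to `may lead to breakages` understates what the prior line called known breakage across numerous packages; keeping the stronger wording tells administrators what to expect when the setting lands.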