mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-22 20:53:36 +07:00
Merge branch 'master' into text_2
This commit is contained in:
raja-grewal
GitHub
commit
0c0774f6c0
10
README.md
10
README.md
@ -37,8 +37,10 @@ Kernel space:
|
||||
- Entirely disable the SysRq key so that the Secure Attention Key (SAK)
|
||||
can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq).
|
||||
|
||||
- Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial
|
||||
privilege escalation. Optional - Disable all use of user namespaces.
|
||||
- Optional - Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial
|
||||
privilege escalation.
|
||||
|
||||
- Optional - Disable all use of user namespaces.
|
||||
|
||||
- Restrict kernel profiling and the performance events system to `CAP_PERFMON`.
|
||||
|
||||
@ -227,14 +229,14 @@ Forces an immediate reboot on kernel panic. This can be enabled, but it may lead
|
||||
* [security-misc pull request #264](https://github.com/Kicksecure/security-misc/pull/264)
|
||||
* [security-misc pull request #268](https://github.com/Kicksecure/security-misc/pull/268)
|
||||
|
||||
**Non-compliance:**
|
||||
|
||||
3. `sysctl user.max_user_namespaces=0`
|
||||
|
||||
Disables user namespaces entirely. Not recommended due to the potential for widespread breakages.
|
||||
|
||||
* [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263)
|
||||
|
||||
**Non-compliance:**
|
||||
|
||||
4. `sysctl fs.binfmt_misc.status=0`
|
||||
|
||||
Disables the registration of interpreters for miscellaneous binary formats. Currently not feasible due to compatibility issues with Firefox.
|
||||
|
||||
@ -1,3 +1,27 @@
|
||||
commit 0e3ffa3f11a0049e57803c8f2e75dbb7d8ceb22c
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Thu Oct 3 02:58:58 2024 -0400
|
||||
|
||||
no longer set `kernel.unprivileged_userns_clone=0`
|
||||
|
||||
because it breaks too much
|
||||
|
||||
fixes https://github.com/Kicksecure/security-misc/issues/274
|
||||
|
||||
commit f401d94d5e0d0f26e93be55deda440fe565a6b22
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Thu Oct 3 02:44:06 2024 -0400
|
||||
|
||||
expand documentation on `kernel.unprivileged_userns_clone=0` sysctl
|
||||
|
||||
https://github.com/Kicksecure/security-misc/issues/274
|
||||
|
||||
commit 5572eb897a10455041df8abec6b6be6de29431a0
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Wed Sep 25 01:03:42 2024 +0000
|
||||
|
||||
bumped changelog version
|
||||
|
||||
commit e04f9cd4c17305d5201aa973c34778e81508734b
|
||||
Merge: 18d426f 65aa910
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
|
||||
6
debian/changelog
vendored
6
debian/changelog
vendored
@ -1,3 +1,9 @@
|
||||
security-misc (3:39.9-1) unstable; urgency=medium
|
||||
|
||||
* New upstream version (local package).
|
||||
|
||||
-- Patrick Schleizer <adrelanos@whonix.org> Thu, 03 Oct 2024 07:22:23 +0000
|
||||
|
||||
security-misc (3:39.8-1) unstable; urgency=medium
|
||||
|
||||
* New upstream version (local package).
|
||||
|
||||
@ -120,11 +120,21 @@ kernel.sysrq=0
|
||||
## User namespaces aim to improve sandboxing and accessibility for unprivileged users.
|
||||
## Unprivileged user namespaces pose substantial privilege escalation risks.
|
||||
## Restricting may lead to breakages in numerous software packages.
|
||||
##
|
||||
## Flatpak requires unprivileged users to create new user namespaces for sandboxing.
|
||||
## Uncomment the second sysctl to entirely disable user namespaces.
|
||||
## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements
|
||||
## https://salsa.debian.org/debian/bubblewrap/-/blob/debian/latest/debian/README.Debian
|
||||
## https://forums.kicksecure.com/t/can-not-run-flatpak-apps-after-kicksecure-update/592
|
||||
##
|
||||
## Disabling entirely will reduce compatibility with some AppArmor profiles.
|
||||
## Disabling entirely is known to break the UPower systemd service.
|
||||
##
|
||||
## Also breaks (some?) AppImages.
|
||||
## https://forums.kicksecure.com/t/cannot-run-some-appimage-apps-after-kicksecure-upate/594
|
||||
##
|
||||
## Might also break evolution (e-mail client):
|
||||
## https://forums.kicksecure.com/t/impossible-to-start-evolution-app-since-the-last-update/601
|
||||
##
|
||||
## https://lwn.net/Articles/673597/
|
||||
## https://madaidans-insecurities.github.io/linux.html#kernel
|
||||
## https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
|
||||
@ -132,11 +142,14 @@ kernel.sysrq=0
|
||||
## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601
|
||||
## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements
|
||||
## https://github.com/Kicksecure/security-misc/pull/263
|
||||
## https://github.com/Kicksecure/security-misc/issues/274
|
||||
##
|
||||
## KSPP=partial
|
||||
## KSPP sets the stricter sysctl user.max_user_namespaces=0.
|
||||
## KSPP=no
|
||||
## KSPP sets user.max_user_namespaces=0 sysctl, a Linux mainline, stricter setting.
|
||||
##
|
||||
kernel.unprivileged_userns_clone=0
|
||||
## kernel.unprivileged_userns_clone is a Debian specific kernel feature. Not Linux mainline.
|
||||
#kernel.unprivileged_userns_clone=0
|
||||
## Uncomment the following sysctl to entirely disable user namespaces.
|
||||
#user.max_user_namespaces=0
|
||||
|
||||
## Restricts kernel profiling to users with CAP_PERFMON.
|
||||
|
||||
Loading…
Reference in New Issue
Block a user