no longer set kernel.unprivileged_userns_clone=0

because it breaks too much fixes https://github.com/Kicksecure/security-misc/issues/274
2024-12-22 20:33:35 +07:00 · 2024-10-03 02:58:58 -04:00 · 2024-10-03 02:58:58 -04:00 · 0e3ffa3f11
commit 0e3ffa3f11
parent f401d94d5e
2 changed files with 11 additions and 8 deletions
--- a/README.md
+++ b/README.md
@ -38,8 +38,10 @@ Kernel space:
 - Entirely disable the SysRq key so that the Secure Attention Key (SAK)
  can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq).

- Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial
-  privilege escalation. Optional - Disable all use of user namespaces.
+- Optional - Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial
+  privilege escalation.
+
+- Optional - Disable all use of user namespaces.

 - Restrict kernel profiling and the performance events system to `CAP_PERFMON`.

@ -200,7 +202,7 @@ Networking:
  out via `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of
  `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX`
  that the kernel was built with), therefore improving its effectiveness.
-  
+
 ## Kernel Self Protection Project (KSPP) Compliance Status

 **Summary:**
@ -228,14 +230,14 @@ Forces an immediate reboot on kernel panic. This can be enabled, but it may lead
 * [security-misc pull request #264](https://github.com/Kicksecure/security-misc/pull/264)
 * [security-misc pull request #268](https://github.com/Kicksecure/security-misc/pull/268)

+**Non-compliance:**
+
 3. `sysctl user.max_user_namespaces=0`

 Disables user namespaces entirely. Not recommended due to the potential for widespread breakages.

 * [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263)

-**Non-compliance:**
-
 4. `sysctl fs.binfmt_misc.status=0`

 Disables the registration of interpreters for miscellaneous binary formats. Currently not feasible due to compatibility issues with Firefox.
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@ -142,10 +142,11 @@ kernel.sysrq=0
 ## https://github.com/Kicksecure/security-misc/pull/263
 ## https://github.com/Kicksecure/security-misc/issues/274
 ##
-## KSPP=partial
-## KSPP sets sysctls kernel.unprivileged_userns_clone=0 and user.max_user_namespaces=0.
+## KSPP=no
+## KSPP sets user.max_user_namespaces=0 sysctl, a Linux mainline, stricter setting.
 ##
-kernel.unprivileged_userns_clone=0
+## kernel.unprivileged_userns_clone is a Debian specific kernel feature. Not Linux mainline.
+#kernel.unprivileged_userns_clone=0
 ## Uncomment the following sysctl to entirely disable user namespaces.
 #user.max_user_namespaces=0