diff --git a/README.md b/README.md index c23d261..d032762 100644 --- a/README.md +++ b/README.md @@ -37,11 +37,11 @@ Kernel space: - Entirely disable the SysRq key so that the Secure Attention Key (SAK) can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq). +- Optional - Disable all use of user namespaces. + - Optional - Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial privilege escalation. -- Optional - Disable all use of user namespaces. - - Restrict kernel profiling and the performance events system to `CAP_PERFMON`. - Force the kernel to panic on both "oopses", which can potentially indicate and thwart diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 81e40a2..10f7a12 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -117,42 +117,41 @@ vm.unprivileged_userfaultfd=0 ## kernel.sysrq=0 -## Restrict user namespaces to users with CAP_SYS_ADMIN. +## Disable user namespaces entirely. ## User namespaces aim to improve sandboxing and accessibility for unprivileged users. -## Unprivileged user namespaces pose substantial privilege escalation risks. -## Restricting may lead to breakages in numerous software packages. -## -## Flatpak requires unprivileged users to create new user namespaces for sandboxing. -## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements -## https://salsa.debian.org/debian/bubblewrap/-/blob/debian/latest/debian/README.Debian -## https://forums.kicksecure.com/t/can-not-run-flatpak-apps-after-kicksecure-update/592 -## ## Disabling entirely will reduce compatibility with some AppArmor profiles. ## Disabling entirely is known to break the UPower systemd service. -## -## Also breaks (some?) AppImages. -## https://forums.kicksecure.com/t/cannot-run-some-appimage-apps-after-kicksecure-upate/594 -## -## Might also break evolution (e-mail client): -## https://forums.kicksecure.com/t/impossible-to-start-evolution-app-since-the-last-update/601 +## Not recommended due to well-known breakages across numerous software packages. ## ## https://lwn.net/Articles/673597/ ## https://madaidans-insecurities.github.io/linux.html#kernel -## https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers ## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601 -## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements ## https://github.com/Kicksecure/security-misc/pull/263 -## https://github.com/Kicksecure/security-misc/issues/274 ## ## KSPP=no -## KSPP sets user.max_user_namespaces=0 sysctl, a Linux mainline, stricter setting. +## KSPP sets the sysctl. ## -## kernel.unprivileged_userns_clone is a Debian specific kernel feature. Not Linux mainline. 
-#kernel.unprivileged_userns_clone=0 -## Uncomment the following sysctl to entirely disable user namespaces. #user.max_user_namespaces=0 +## Restrict user namespaces to users with CAP_SYS_ADMIN. +## See the user.max_user_namespaces setting for more details. +## This is a Debian-specific kernel feature, not a Linux mainline setting. +## Unprivileged user namespaces pose substantial privilege escalation risks. +## Flatpak requires unprivileged users to create new user namespaces for sandboxing. +## Restricting is known to cause breakages in some AppImages and the Evolution Email Client. +## Not recommended due to widespread breakages across many software packages. +## +## https://salsa.debian.org/debian/bubblewrap/-/blob/debian/latest/debian/README.Debian +## https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction +## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements +## https://forums.kicksecure.com/t/can-not-run-flatpak-apps-after-kicksecure-update/592 +## https://forums.kicksecure.com/t/cannot-run-some-appimage-apps-after-kicksecure-upate/594 +## https://forums.kicksecure.com/t/impossible-to-start-evolution-app-since-the-last-update/601 +## https://github.com/Kicksecure/security-misc/issues/274 +## +#kernel.unprivileged_userns_clone=0 + ## Restricts kernel profiling to users with CAP_PERFMON. ## The performance events system should not be accessible by unprivileged users. ## Other distributions such as Ubuntu and Fedora may permit further restricting.
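Review bot: in the README hunk the two reordered bullets now read as two independent "Optional" items, but the sysctl file in this same patch marks both user-namespace settings "Not recommended" and ships both lines commented out (`#user.max_user_namespaces=0`, `#kernel.unprivileged_userns_clone=0`); the README should say that neither is enabled by default, otherwise a reader picks one up as a supported toggle. The rationale "as they can lead to substantial privilege escalation" is attached only to the `CAP_SYS_ADMIN` bullet, yet it is the motivation for disabling entirely as well; suggest one lead sentence covering both, e.g. "- Optional - Disable all use of user namespaces, or restrict them to `CAP_SYS_ADMIN`. Unprivileged user namespaces can lead to substantial privilege escalation, but both settings break numerous software packages and are not enabled by default."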
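Review bot: in the sysctl hunk the comment block moved above `#kernel.unprivileged_userns_clone=0` turns earlier hedges into firm claims: "Also breaks (some?) AppImages." and "Might also break evolution" become "Restricting is known to cause breakages in some AppImages and the Evolution Email Client.", and in the old text those two lines sat beside the "Disabling entirely" lines rather than under restricting. Unless the three linked forum threads confirm that `kernel.unprivileged_userns_clone=0` alone causes them, keep the hedged wording. Two further documentation regressions in the `user.max_user_namespaces` block: "## KSPP sets the sysctl." no longer says which sysctl or that it is the stricter mainline setting, so the removed line "KSPP sets user.max_user_namespaces=0 sysctl, a Linux mainline, stricter setting." should be restored, and the removed "Uncomment the following sysctl to entirely disable user namespaces." was the only line telling the reader that `#user.max_user_namespaces=0` is shipped commented out; add an equivalent sentence back.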