mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-22 22:43:43 +07:00
Update presentation on user namespaces
This commit is contained in:
parent
0dff2cd28f
commit
3749f8ff09
@ -37,11 +37,11 @@ Kernel space:
|
||||
- Entirely disable the SysRq key so that the Secure Attention Key (SAK)
|
||||
can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq).
|
||||
|
||||
- Optional - Disable all use of user namespaces.
|
||||
|
||||
- Optional - Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial
|
||||
privilege escalation.
|
||||
|
||||
- Optional - Disable all use of user namespaces.
|
||||
|
||||
- Restrict kernel profiling and the performance events system to `CAP_PERFMON`.
|
||||
|
||||
- Force the kernel to panic on both "oopses", which can potentially indicate and thwart
|
||||
|
@ -117,42 +117,41 @@ vm.unprivileged_userfaultfd=0
|
||||
##
|
||||
kernel.sysrq=0
|
||||
|
||||
## Restrict user namespaces to users with CAP_SYS_ADMIN.
|
||||
## Disable user namespaces entirely.
|
||||
## User namespaces aim to improve sandboxing and accessibility for unprivileged users.
|
||||
## Unprivileged user namespaces pose substantial privilege escalation risks.
|
||||
## Restricting may lead to breakages in numerous software packages.
|
||||
##
|
||||
## Flatpak requires unprivileged users to create new user namespaces for sandboxing.
|
||||
## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements
|
||||
## https://salsa.debian.org/debian/bubblewrap/-/blob/debian/latest/debian/README.Debian
|
||||
## https://forums.kicksecure.com/t/can-not-run-flatpak-apps-after-kicksecure-update/592
|
||||
##
|
||||
## Disabling entirely will reduce compatibility with some AppArmor profiles.
|
||||
## Disabling entirely is known to break the UPower systemd service.
|
||||
##
|
||||
## Also breaks (some?) AppImages.
|
||||
## https://forums.kicksecure.com/t/cannot-run-some-appimage-apps-after-kicksecure-upate/594
|
||||
##
|
||||
## Might also break evolution (e-mail client):
|
||||
## https://forums.kicksecure.com/t/impossible-to-start-evolution-app-since-the-last-update/601
|
||||
## Not recommended due to well-known breakages across numerous software packages.
|
||||
##
|
||||
## https://lwn.net/Articles/673597/
|
||||
## https://madaidans-insecurities.github.io/linux.html#kernel
|
||||
## https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
|
||||
## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers
|
||||
## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601
|
||||
## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements
|
||||
## https://github.com/Kicksecure/security-misc/pull/263
|
||||
## https://github.com/Kicksecure/security-misc/issues/274
|
||||
##
|
||||
## KSPP=no
|
||||
## KSPP sets user.max_user_namespaces=0 sysctl, a Linux mainline, stricter setting.
|
||||
## KSPP sets the sysctl.
|
||||
##
|
||||
## kernel.unprivileged_userns_clone is a Debian specific kernel feature. Not Linux mainline.
|
||||
#kernel.unprivileged_userns_clone=0
|
||||
## Uncomment the following sysctl to entirely disable user namespaces.
|
||||
#user.max_user_namespaces=0
|
||||
|
||||
## Restrict user namespaces to users with CAP_SYS_ADMIN.
|
||||
## See the user.max_user_namespaces setting for more details.
|
||||
## This is a Debian-specific kernel feature, not a Linux mainline setting.
|
||||
## Unprivileged user namespaces pose substantial privilege escalation risks.
|
||||
## Flatpak requires unprivileged users to create new user namespaces for sandboxing.
|
||||
## Restricting is known to cause breakages in some AppImages and the Evolution Email Client.
|
||||
## Not recommended due to widespread breakages across many software packages.
|
||||
##
|
||||
## https://salsa.debian.org/debian/bubblewrap/-/blob/debian/latest/debian/README.Debian
|
||||
## https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
|
||||
## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements
|
||||
## https://forums.kicksecure.com/t/can-not-run-flatpak-apps-after-kicksecure-update/592
|
||||
## https://forums.kicksecure.com/t/cannot-run-some-appimage-apps-after-kicksecure-upate/594
|
||||
## https://forums.kicksecure.com/t/impossible-to-start-evolution-app-since-the-last-update/601
|
||||
## https://github.com/Kicksecure/security-misc/issues/274
|
||||
##
|
||||
#kernel.unprivileged_userns_clone=0
|
||||
|
||||
## Restricts kernel profiling to users with CAP_PERFMON.
|
||||
## The performance events system should not be accessible by unprivileged users.
|
||||
## Other distributions such as Ubuntu and Fedora may permit further restricting.
|
||||
|
Loading…
Reference in New Issue
Block a user