mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-23 01:23:36 +07:00
Merge pull request #243 from raja-grewal/namespaces
Restrict unprivileged user namespaces
This commit is contained in:
commit
725118c575
@ -36,8 +36,8 @@ space, user space, core dumps, and swap space.
|
||||
- Entirely disable the SysRq key so that the Secure Attention Key (SAK)
|
||||
can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq).
|
||||
|
||||
- Provide the option to disable unprivileged user namespaces as they can lead to
|
||||
substantial privilege escalation.
|
||||
- Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial
|
||||
privilege escalation.
|
||||
|
||||
- Restrict kernel profiling and the performance events system to `CAP_PERFMON`.
|
||||
|
||||
|
@ -92,14 +92,12 @@ kernel.sysrq=0
|
||||
## Restrict user namespaces to users with CAP_SYS_ADMIN.
|
||||
## User namespaces aim to improve sandboxing and accessibility for unprivileged users.
|
||||
## Unprivileged user namespaces pose substantial privilege escalation risks.
|
||||
## Restricting is known to cause breakages across numerous software packages.
|
||||
## Restricting may lead to breakages in numerous software packages.
|
||||
##
|
||||
## https://madaidans-insecurities.github.io/linux.html#kernel
|
||||
## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers
|
||||
##
|
||||
## Unprivileged user namespaces are currently enabled.
|
||||
##
|
||||
#kernel.unprivileged_userns_clone=0
|
||||
kernel.unprivileged_userns_clone=0
|
||||
|
||||
## Restricts kernel profiling to users with CAP_PERFMON.
|
||||
## The performance events system should not be accessible by unprivileged users.
|
||||
|
Loading…
Reference in New Issue
Block a user