Provide option to disable user namespaces

2024-12-23 01:13:40 +07:00 · 2024-08-16 22:54:57 +10:00 · 2024-08-16 22:54:57 +10:00 · 759aee8150
commit 759aee8150
parent e962153f84
2 changed files with 6 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -37,7 +37,7 @@ space, user space, core dumps, and swap space.
  can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq).

 - Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial
-  privilege escalation.
+  privilege escalation. Optional - Disable all use of user namespaces.

 - Restrict kernel profiling and the performance events system to `CAP_PERFMON`.

--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@ -93,11 +93,16 @@ kernel.sysrq=0
 ## User namespaces aim to improve sandboxing and accessibility for unprivileged users.
 ## Unprivileged user namespaces pose substantial privilege escalation risks.
 ## Restricting may lead to breakages in numerous software packages.
+## Uncomment the second sysctl to entirely disable user namespaces.
 ##
 ## https://madaidans-insecurities.github.io/linux.html#kernel
 ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers
 ##
+## KSPP=partial
+## KSPP sets the stricter sysctl user.max_user_namespaces=0.
+##
 kernel.unprivileged_userns_clone=0
+#user.max_user_namespaces=0

 ## Restricts kernel profiling to users with CAP_PERFMON.
 ## The performance events system should not be accessible by unprivileged users.