Provide optional sysctl fs.binfmt_misc.status=0

README.md

@@ -57,8 +57,9 @@ space, user space, core dumps, and swap space.
 
 - Increase the maximum number of memory map areas a process is able to utilize.
 
-- Disallow registering interpreters for various (miscellaneous) binary formats based
-  on a magic number or their file extension to prevent unintended code execution.
+- Provide the option to disallow registering interpreters for various (miscellaneous)
+  binary formats based on a magic number or their file extension to prevent
+  unintended code execution.
 
 - Disable core dump files and prevent their creation. If core dump files are
   enabled, they will be named based on `core.PID` instead of the default `core`.

usr/lib/sysctl.d/990-security-misc.conf

@@ -206,8 +206,11 @@ vm.max_map_count=1048576
 ## https://en.wikipedia.org/wiki/Binfmt_misc
 ## https://security.stackexchange.com/questions/271786/does-allowing-binfmt-misc-significantly-increase-the-attack-surface-for-unprivil
 ## https://unix.stackexchange.com/questions/439569/what-kinds-of-executable-formats-do-the-files-under-proc-sys-fs-binfmt-misc-al
+## https://github.com/Kicksecure/security-misc/pull/249
 ##
-fs.binfmt_misc.status=0
+## The default kernel setting will be utilized until provided sufficient evidence to modify.
+##
+#fs.binfmt_misc.status=0
 
 ## 3. Core Dumps:
 ##