From f401d94d5e0d0f26e93be55deda440fe565a6b22 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Thu, 3 Oct 2024 02:44:06 -0400
Subject: [PATCH] expand documentation on `kernel.unprivileged_userns_clone=0` sysctl

https://github.com/Kicksecure/security-misc/issues/274
---
 usr/lib/sysctl.d/990-security-misc.conf | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index e633df1..897ba59 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -119,22 +119,34 @@ kernel.sysrq=0
 ## User namespaces aim to improve sandboxing and accessibility for unprivileged users.
 ## Unprivileged user namespaces pose substantial privilege escalation risks.
 ## Restricting may lead to breakages in numerous software packages.
+##
 ## Flatpak requires unprivileged users to create new user namespaces for sandboxing.
-## Uncomment the second sysctl to entirely disable user namespaces.
+## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements
+## https://salsa.debian.org/debian/bubblewrap/-/blob/debian/latest/debian/README.Debian
+## https://forums.kicksecure.com/t/can-not-run-flatpak-apps-after-kicksecure-update/592
+##
 ## Disabling entirely will reduce compatibility with some AppArmor profiles.
 ## Disabling entirely is known to break the UPower systemd service.
 ##
+## Also breaks (some?) AppImages.
+## https://forums.kicksecure.com/t/cannot-run-some-appimage-apps-after-kicksecure-upate/594
+##
+## Might also break evolution (e-mail client):
+## https://forums.kicksecure.com/t/impossible-to-start-evolution-app-since-the-last-update/601
+##
 ## https://lwn.net/Articles/673597/
 ## https://madaidans-insecurities.github.io/linux.html#kernel
 ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers
 ## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601
 ## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements
 ## https://github.com/Kicksecure/security-misc/pull/263
+## https://github.com/Kicksecure/security-misc/issues/274
 ##
 ## KSPP=partial
-## KSPP sets the stricter sysctl user.max_user_namespaces=0.
+## KSPP sets sysctls kernel.unprivileged_userns_clone=0 and user.max_user_namespaces=0.
 ##
 kernel.unprivileged_userns_clone=0
+## Uncomment the following sysctl to entirely disable user namespaces.
 #user.max_user_namespaces=0
 
 ## Restricts kernel profiling to users with CAP_PERFMON.
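Review bot: The expanded comment block still never says what the active `kernel.unprivileged_userns_clone=0` line actually restricts compared with the commented-out `user.max_user_namespaces=0`, which is the distinction a reader needs before deciding whether to uncomment the second one. As far as I know, the first only denies user-namespace creation to processes without CAP_SYS_ADMIN, while the second disables creation for everyone, which matches the "entirely disable" wording already used. A second point worth a line near the active sysctl: `kernel.unprivileged_userns_clone` is, if I recall correctly, a distribution kernel patch rather than a mainline key, so on a kernel that lacks it systemd-sysctl only logs a warning and user namespaces remain fully enabled; consider adding `## kernel.unprivileged_userns_clone is not a mainline sysctl; on kernels lacking it this line is ignored (with a warning) and the restriction silently does not apply.` so the failure mode is visible to anyone auditing the setting. Minor: "Also breaks (some?) AppImages." would read better if it named what was observed, e.g. "Also breaks some AppImages (reported in the thread below)".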