mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-12-23 01:03:35 +07:00
Code Issues Packages Projects Releases Wiki Activity

expand documentation on kernel.unprivileged_userns_clone=0 sysctl

Browse Source 
https://github.com/Kicksecure/security-misc/issues/274
This commit is contained in:
Patrick Schleizer 2024-10-03 02:44:06 -04:00
parent 5572eb897a
commit f401d94d5e
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
1 changed files with 14 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
usr/lib/sysctl.d/990-security-misc.conf
View File

@ -119,22 +119,34 @@ kernel.sysrq=0
## User namespaces aim to improve sandboxing and accessibility for unprivileged users. ## User namespaces aim to improve sandboxing and accessibility for unprivileged users.
## Unprivileged user namespaces pose substantial privilege escalation risks. ## Unprivileged user namespaces pose substantial privilege escalation risks.
## Restricting may lead to breakages in numerous software packages. ## Restricting may lead to breakages in numerous software packages.
##
## Flatpak requires unprivileged users to create new user namespaces for sandboxing. ## Flatpak requires unprivileged users to create new user namespaces for sandboxing.
## Uncomment the second sysctl to entirely disable user namespaces. ## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements
## https://salsa.debian.org/debian/bubblewrap/-/blob/debian/latest/debian/README.Debian
## https://forums.kicksecure.com/t/can-not-run-flatpak-apps-after-kicksecure-update/592
##
## Disabling entirely will reduce compatibility with some AppArmor profiles. ## Disabling entirely will reduce compatibility with some AppArmor profiles.
## Disabling entirely is known to break the UPower systemd service. ## Disabling entirely is known to break the UPower systemd service.
## ##
## Also breaks (some?) AppImages.
## https://forums.kicksecure.com/t/cannot-run-some-appimage-apps-after-kicksecure-upate/594
##
## Might also break evolution (e-mail client):
## https://forums.kicksecure.com/t/impossible-to-start-evolution-app-since-the-last-update/601
##
## https://lwn.net/Articles/673597/ ## https://lwn.net/Articles/673597/
## https://madaidans-insecurities.github.io/linux.html#kernel ## https://madaidans-insecurities.github.io/linux.html#kernel
## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers
## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601 ## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601
## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements ## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements
## https://github.com/Kicksecure/security-misc/pull/263 ## https://github.com/Kicksecure/security-misc/pull/263
## https://github.com/Kicksecure/security-misc/issues/274
## ##
## KSPP=partial ## KSPP=partial
## KSPP sets the stricter sysctl user.max_user_namespaces=0. ## KSPP sets sysctls kernel.unprivileged_userns_clone=0 and user.max_user_namespaces=0.
## ##
kernel.unprivileged_userns_clone=0 kernel.unprivileged_userns_clone=0
## Uncomment the following sysctl to entirely disable user namespaces.
#user.max_user_namespaces=0 #user.max_user_namespaces=0
## Restricts kernel profiling to users with CAP_PERFMON. ## Restricts kernel profiling to users with CAP_PERFMON.