Kicksecure · adrelanos · Aug 25, 2024 · Aug 16, 2024 · Aug 18, 2024
diff --git a/README.md b/README.md
@@ -37,7 +37,7 @@ space, user space, core dumps, and swap space.
   can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq).
 
 - Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial
-  privilege escalation.
+  privilege escalation. Optional - Disable all use of user namespaces.
 
 - Restrict kernel profiling and the performance events system to `CAP_PERFMON`.
 

diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
@@ -93,11 +93,20 @@ kernel.sysrq=0
 ## User namespaces aim to improve sandboxing and accessibility for unprivileged users.
 ## Unprivileged user namespaces pose substantial privilege escalation risks.
 ## Restricting may lead to breakages in numerous software packages.
+## Uncomment the second sysctl to entirely disable user namespaces.
+## Disabling entirely will reduce compatibility with some AppArmor profiles.
 ##
+## https://lwn.net/Articles/673597/
 ## https://madaidans-insecurities.github.io/linux.html#kernel
 ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers
+## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601
+## https://github.com/Kicksecure/security-misc/pull/263
+##
+## KSPP=partial
+## KSPP sets the stricter sysctl user.max_user_namespaces=0.
 ##
 kernel.unprivileged_userns_clone=0
+#user.max_user_namespaces=0
 
 ## Restricts kernel profiling to users with CAP_PERFMON.
 ## The performance events system should not be accessible by unprivileged users.