Have you tested that? A number of software uses databases behind the scenes like mediawiki and discourse and bringing them to a crawl would destroy the usecase. Some IM clients use dbs too.
As long as documented then at least they will have a clue what needs to be done.
This one is fine. kernel.perf_event_paranoid=3 requires a kernel patch but some distros (such as Debian) includes this by default. If the patch isn’t used then it’ll be the same as setting it to 2.
Related to Linux kernel user namespaces:
Debian package bubblewrapwill set kernel.unprivileged_userns_clone=1 in Debian bullseye and above. bubblewrap will be no longer suid by default.
@madaidan GCC 12 just added a security compile time option to auto initialize auto variables. Don’t know if this is a problem in the kernel code these days anymore. Also have no idea how this can affect areas of the code related to rngs. Might be useful for other binaries we compile however.
Now that Debian and other distributions like Arch Linux are starting to relax their user namespace restrictions (but still keeping the sysctl for users to manually configure), we should preserve them in security-misc by setting kernel.unprivileged_userns_clone=0. User namespaces are still a huge risk and a minimal setuid binary where we can tightly control the attack surface exposed is superior by far. Unfortunately, upstream doesn’t seem to care.
However, we will need to make bubblewrap setuid ourselves since the package is not setting it anymore (at least in Debian). Should we just add chmod u+s "$(which bwrap)" in the postinst script and add some details in the readme?
There is also an issue when running Chromium in sandbox-app-launcher since no_new_privs will disable the setuid fallback. Ideally, we could probably add a way to whitelist which binaries are permitted to use unprivileged user namespaces (maybe contribute to linux-hardened). Firefox is also affected, but instead, its sandbox silently fails without crashing and lies to the user about the status of the sandbox because Firefox is terrible.
I wanted to port this to dracut (replacing initramfs-tools with dracut) but it seems it’s not needed. Seems like dracut has early sysctl settings by default.
Some new things grsecurity/PaX has been doing in kernel hardening since they went private:
GRKERNSEC_SUID_NO_UNPRIV_EXEC — prevent SUID root applications from mmaping/execing files world-writable or not owned by root.
AUTOSLAB — conversion of k*alloc allocations into their own caches
PAX_PRIVATE_KSTACKS — I have no idea
It’s worth noting that GRKERNSEC_SUID_NO_UNPRIV_EXEC prevented exploitation of CVE-2021-4034, but it really isn’t as important as something like AUTOSLAB.