From da577cbec528fab5229036ee820492120053acb0 Mon Sep 17 00:00:00 2001
From: Alexander Popov <alex.popov@linux.com>
Date: Mon, 24 Jul 2023 00:23:38 +0300
Subject: [PATCH] Check the user.max_user_namespaces sysctl

---
 kconfig_hardened_check/checks.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kconfig_hardened_check/checks.py b/kconfig_hardened_check/checks.py
index bffc68c..e06146a 100644
--- a/kconfig_hardened_check/checks.py
+++ b/kconfig_hardened_check/checks.py
@@ -578,7 +578,6 @@ def add_sysctl_checks(l, arch):
 # TODO: draft of security hardening sysctls:
 #    kernel.kptr_restrict=2 (or 1?)
 #    kernel.yama.ptrace_scope=3
-#    user.max_user_namespaces=0 (for Debian, also see kernel.unprivileged_userns_clone)
 #    what about bpf_jit_enable?
 #    kernel.unprivileged_bpf_disabled=1
 #    vm.unprivileged_userfaultfd=0
@@ -610,3 +609,4 @@ def add_sysctl_checks(l, arch):
     l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.dmesg_restrict', '1')]
     l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.perf_event_paranoid', '3')] # with a custom patch, see https://lwn.net/Articles/696216/
     l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kexec_load_disabled', '1')]
+    l += [SysctlCheck('cut_attack_surface', 'kspp', 'user.max_user_namespaces', '0')]
-- 
2.31.1