From 0bf9c41c51d297b733cfb53cf8f7d9d993ef28c8 Mon Sep 17 00:00:00 2001
From: librelad
Date: Sat, 23 May 2026 22:59:18 +0100
Subject: [PATCH] harden(rootless): offset userns surface with kptr/ptrace/bpf-jit sysctls
Enabling unprivileged user namespaces for rootless widens the kernel attack surface reachable by unprivileged users (a known source of LPE CVEs). Pair it with three distro-portable, low-impact sysctls that close the surfaces those exploit chains rely on: kernel.kptr_restrict=2 (hide kernel pointers), kernel.yama.ptrace_scope=1 (block cross-process ptrace), net.core.bpf_jit_harden=2 (harden the JIT). Added as a separate guarded LIBREPORTAL KERNEL HARDENING block so it's clearly deliberate and independently idempotent.
Co-Authored-By: Claude Opus 4.7
Signed-off-by: librelad
---
 .../install/rootless/rootless_docker.sh | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/scripts/docker/install/rootless/rootless_docker.sh b/scripts/docker/install/rootless/rootless_docker.sh
index 0f1c3de..a44cb29 100755
--- a/scripts/docker/install/rootless/rootless_docker.sh
+++ b/scripts/docker/install/rootless/rootless_docker.sh
@@ -209,6 +209,33 @@ EOL"
 isSuccessful "Updated the sysctl with Docker Rootless configuration"
 fi
+ # Enabling unprivileged user namespaces (needed for rootless) widens the
+ # kernel attack surface reachable by unprivileged users. Offset that by
+ # closing the surfaces that local-privilege-escalation chains lean on:
+ # kptr_restrict hides kernel pointers (defeats info-leak primitives),
+ # ptrace_scope blocks cross-process ptrace (limits credential theft after
+ # a compromise), and bpf_jit_harden hardens the JIT against spraying.
+ # All three are distro-portable and have negligible runtime impact.
+ if ! grep -qF "# LIBREPORTAL KERNEL HARDENING START" "$sysctl"; then
+
+ local result=$(echo '# LIBREPORTAL KERNEL HARDENING START' | sudo tee -a "$sysctl" > /dev/null)
+ checkSuccess "Adding kernel hardening header to sysctl"
+
+ local result=$(echo 'kernel.kptr_restrict=2' | sudo tee -a "$sysctl" > /dev/null)
+ checkSuccess "Restricting kernel pointer exposure (kptr_restrict)"
+
+ local result=$(echo 'kernel.yama.ptrace_scope=1' | sudo tee -a "$sysctl" > /dev/null)
+ checkSuccess "Restricting cross-process ptrace (yama.ptrace_scope)"
+
+ local result=$(echo 'net.core.bpf_jit_harden=2' | sudo tee -a "$sysctl" > /dev/null)
+ checkSuccess "Hardening the BPF JIT (bpf_jit_harden)"
+
+ local result=$(echo '# LIBREPORTAL KERNEL HARDENING END' | sudo tee -a "$sysctl" > /dev/null)
+ checkSuccess "Adding kernel hardening end to sysctl"
+
+ isSuccessful "Applied kernel LPE-surface hardening"
+ fi
+
 local result=$(sudo sysctl --system)
 checkSuccess "Applying changes to sysctl"
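Review bot: Each of the five `local result=$(… | sudo tee -a "$sysctl" > /dev/null)` lines inside the new `if` hides the append's exit status behind `local` (whose own status is 0), so if `checkSuccess` inspects `$?` as its name suggests (the pre-existing `local result=$(sudo sysctl --system)` context line has the same flaw) a write that fails is reported as success, and a failure after the first line leaves a half-written block whose START marker makes the `grep -qF` guard skip repair on every later run. Writing the whole block in one `printf '%s\n' … | sudo tee -a` pipeline and separating the declaration from the assignment removes both problems; the rewritten lines are below. Two caveats belong in the comment block: `kernel.kptr_restrict=2` zeroes kallsyms addresses for root as well, so host-side perf/bpftrace/kprobe tooling loses symbols, which is not "negligible runtime impact" for anyone debugging the daemon; and `kernel.yama.ptrace_scope` only exists when the Yama LSM is built in, so on other kernels `sysctl --system` will print an error for that key (whether `checkSuccess` then fails presumably depends on how it treats sysctl's exit status — verify on a non-Yama kernel). The enclosing function starts outside the hunk.
```shell
    if ! grep -qF "# LIBREPORTAL KERNEL HARDENING START" "$sysctl"; then
        # One append, so a failed write cannot leave a partial block behind the
        # START marker that the guard above keys on; declaration is separate
        # from assignment so checkSuccess sees tee's exit status, not local's.
        local result
        result=$(printf '%s\n' \
            '# LIBREPORTAL KERNEL HARDENING START' \
            'kernel.kptr_restrict=2' \
            'kernel.yama.ptrace_scope=1' \
            'net.core.bpf_jit_harden=2' \
            '# LIBREPORTAL KERNEL HARDENING END' | sudo tee -a "$sysctl" > /dev/null)
        checkSuccess "Adding kernel hardening block to sysctl"

        isSuccessful "Applied kernel LPE-surface hardening"
    fi
    # … unchanged: sudo sysctl --system and its checkSuccess …
```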