Disable unprivileged userfaultfd
Originally created by @cypherpunks on #17196 (Redmine)
The userfaultfd() syscall has had numerous security issues ever since it was released. It is of no use to Tails, so it should be disabled for security. Linux recently provided the option to restrict this syscall to the root user to mitigate the security issues. This can be done by setting the sysctl vm.unprivileged_userfaultfd to 0. This feature request is similar to related sysctl hardening tickets like #11827 (closed), #11840 (closed), #11421 (closed), and #12025 (closed).
Feature Branch: feature/17196-disable-unprivileged-userfaultfd+force-all-tests
Edited by cypherpunks
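One way to verify the setting requested above, as an added example that is not part of the original ticket or of the Tails code base: it checks both the running kernel's value and the value persisted in sysctl configuration. The function names and the ROOT prefix argument are hypothetical, and the scan covers only /etc/sysctl.d/*.conf followed by /etc/sysctl.conf, a simplification of the full `sysctl --system` search path.

```shell
#!/bin/sh
# Added example: audit vm.unprivileged_userfaultfd (runtime and persisted).
# The ROOT prefix is a hypothetical parameter so the check can run against a
# mounted image or a constructed test tree; empty means the live system.

# Print the runtime value, or "missing" if the kernel does not expose the knob.
uffd_runtime() {
    p="$1/proc/sys/vm/unprivileged_userfaultfd"
    if [ -r "$p" ]; then cat "$p"; else echo missing; fi
}

# Print the last value assigned to the key across the scanned files
# (later files override earlier ones); prints an empty line if never set.
uffd_persisted() {
    root=$1
    val=
    for f in "$root"/etc/sysctl.d/*.conf "$root"/etc/sysctl.conf; do
        [ -f "$f" ] || continue
        # Accept "vm.x" or "vm/x", optional leading "-", optional spaces.
        v=$(sed -n 's|^[[:space:]]*-\{0,1\}vm[./]unprivileged_userfaultfd[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$|\1|p' "$f" | tail -n 1)
        if [ -n "$v" ]; then val=$v; fi
    done
    printf '%s\n' "$val"
}

# Succeed only when the syscall is root-only now and will stay so after reboot.
uffd_audit() {
    root=${1:-}
    rt=$(uffd_runtime "$root")
    ps=$(uffd_persisted "$root")
    echo "runtime=$rt persisted=${ps:-unset}"
    [ "$rt" = 0 ] && [ "$ps" = 0 ]
}

# Stand-alone run: audit the live system (or the prefix given as $1).
uffd_audit "${1:-}" || echo "vm.unprivileged_userfaultfd is not fully restricted"
```

A runtime value of 0 with no persisted entry means the restriction will be lost at the next boot unless something else reapplies it.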