Set kernel.kptr_restrict = 2

[andrewrynhard]

The KSPP guidelines suggest using kernel.kptr_restrict = 2. Looks like we use kernel.kptr_restrict = 1.

I'm not sure what the implications are here just yet but wanted to point this out as we claim to adhere to KSPP guidelines but this one is wrong.

See https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings.

[steverfrancis]

Sysctls that changed
kernel.kptr_restrict = 2 (talos is set to 1)
kernel.yama.ptrace_scope = 3 (Talos is set to 1)

We do not set:
kernel.disable_modules = 1
kernel.kexec_load_disabled = 1 (I presume we do not want to, due to the special way we handle kexec, but we should document the exception)
kernel.randomize_va_space = 2
dev.tty.ldisc_autoload = 0
dev.tty.legacy_tiocsti = 0
kernel/warn_limit = 1 kernel/oops_limit = 1
vm.unprivileged_userfaultfd = 0

fs.protected_symlinks = 1
fs.protected_hardlinks = 1

fs.protected_fifos = 2
fs.protected_regular = 2

fs.suid_dumpable = 0

[steverfrancis]

Should go through all the other KSPP kernel and other settings too, to see if they need updating.