# what about bpf_jit_enable?
# kernel.unprivileged_bpf_disabled=1
# net.core.bpf_jit_harden=2
-#
# vm.unprivileged_userfaultfd=0
# (at first, it disabled unprivileged userfaultfd,
# and since v5.11 it enables unprivileged userfaultfd for user-mode only)
-#
# dev.tty.ldisc_autoload=0
# fs.protected_symlinks=1
# fs.protected_hardlinks=1
# fs.protected_regular=2
# fs.suid_dumpable=0
# kernel.modules_disabled=1
+# kernel.randomize_va_space = 2
# pylint: disable=missing-module-docstring,missing-class-docstring,missing-function-docstring
l += [KconfigCheck('cut_attack_surface', 'my', 'FTRACE', 'is not set')] # refers to LOCKDOWN
l += [KconfigCheck('cut_attack_surface', 'my', 'VIDEO_VIVID', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'my', 'INPUT_EVBUG', 'is not set')] # Can be used as a keylogger
+ l += [KconfigCheck('cut_attack_surface', 'my', 'KGDB', 'is not set')]
# 'harden_userspace'
if arch in ('X86_64', 'ARM64', 'X86_32'):