Move kernel.panic=-1 setting to sysctl, allow turning panic-on-oops off with systemctl

usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared

@@ -196,9 +196,7 @@ kernel.perf_event_paranoid=3
 ## KSPP=yes
 ## KSPP sets CONFIG_PANIC_TIMEOUT=-1.
 ##
-## See /usr/libexec/security-misc/panic-on-oops for implementation.
-##
-#kernel.panic=-1
+kernel.panic=-1
 
 ## Force immediate kernel panic on OOM (out of memory) scenarios.
 ## Registers a kernel panic whenever the oom_killer is triggered to kill some rouge process based on their OOM score.

usr/lib/systemd/system/panic-on-oops.service#security-misc-shared

@@ -14,7 +14,8 @@ After=getty.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart=/usr/libexec/security-misc/panic-on-oops
+ExecStart=/usr/libexec/security-misc/panic-on-oops enable
+ExecStop=/usr/libexec/security-misc/panic-on-oops disable
 
 [Install]
 WantedBy=multi-user.target

usr/libexec/security-misc/panic-on-oops#security-misc-shared

@@ -12,20 +12,23 @@ if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
    source /usr/libexec/helper-scripts/pre.bsh
 fi
 
-## Makes the kernel immediately panic on both oopses and warnings.
-## These settings force a full system crash rather than continuing
-## to run after an inconsistent state is triggered by a potentially
-## flawed processes. The reasons for the errors could be kernel
-## exploit attempts but may also simply be general software bugs.
-##
-## https://docs.kernel.org/admin-guide/sysctl/kernel.html#oops-limit
-sysctl kernel.oops_limit=1
-## https://docs.kernel.org/admin-guide/sysctl/kernel.html#warn-limit
-sysctl kernel.warn_limit=1
+action="${1:-}"
 
-## Makes the system immediately reboot on the occurrence of a single
-## kernel panic. This reduces the risk and impact of denial-of-service
-## attacks and both cold and warm boot attacks.
-##
-## https://docs.kernel.org/admin-guide/sysctl/kernel.html#panic
-sysctl kernel.panic=-1
+if [ "${action}" = 'enable' ]; then
+   ## Makes the kernel immediately panic on both oopses and warnings.
+   ## These settings force a full system crash rather than continuing
+   ## to run after an inconsistent state is triggered by a potentially
+   ## flawed processes. The reasons for the errors could be kernel
+   ## exploit attempts but may also simply be general software bugs.
+   ##
+   ## https://docs.kernel.org/admin-guide/sysctl/kernel.html#oops-limit
+   sysctl kernel.oops_limit=1
+   ## https://docs.kernel.org/admin-guide/sysctl/kernel.html#warn-limit
+   sysctl kernel.warn_limit=1
+elif [ "${action}" = 'disable' ]; then
+   sysctl kernel.oops_limit=0
+   sysctl kernel.warn_limit=0
+else
+   printf '%s\n' "ERROR: Unrecognized action '${action}'!"
+   exit 1
+fi