From 6b64b36b0190198f5edfda6c704a9efe3ea5b9a6 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Mon, 24 Feb 2020 18:23:15 +0000
Subject: [PATCH 1/2] Restrict the userfaultfd() syscall to root

---
 etc/sysctl.d/30_security-misc.conf | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf
index d14b46d..e83df56 100644
--- a/etc/sysctl.d/30_security-misc.conf
+++ b/etc/sysctl.d/30_security-misc.conf
@@ -133,3 +133,9 @@ kernel.sysrq=132
 ##
 ## https://lkml.org/lkml/2019/4/15/890
 dev.tty.ldisc_autoload=0
+
+## Restrict the userfaultfd() syscall to root as it can make heap sprays
+## easier.
+##
+## https://duasynt.com/blog/linux-kernel-heap-spray
+vm.unprivileged_userfaultfd=0

From 60fbf8b0de8a631d8a63c64f7e8181fee501c237 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Mon, 24 Feb 2020 18:24:07 +0000
Subject: [PATCH 2/2] Update control

---
 debian/control | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/debian/control b/debian/control
index be53466..09b34f4 100644
--- a/debian/control
+++ b/debian/control
@@ -124,6 +124,8 @@ Description: enhances misc security settings
   Secure Attention Key.
  .
   * Restricts loading line disciplines to CAP_SYS_MODULE.
+ .
+  * Restricts the `userfaultfd()` syscall to root.
  .
  Improve Entropy Collection
  .