From a3830db09e3f567237caefb687ef2da877573b03 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 9 Nov 2025 13:42:31 +0000 Subject: [PATCH] Update docs relating to panic on OOM --- README.md | 7 ++++--- .../sysctl.d/990-security-misc.conf#security-misc-shared | 5 +++-- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 8111c5f..0acc17b 100644 --- a/README.md +++ b/README.md @@ -52,9 +52,10 @@ configuration file and significant hardening is applied to a myriad of component - Force immediate system reboot on the occurrence of a single kernel panic, reducing the risk and impact of denial-of-service attacks and both cold and warm boot attacks. -- Optional - Force immediate kernel panic on OOM. This is to avoid security features such as the screen - locker, kloak, emerg-shutdown from being arbitrarily terminated when the system starts - running out of memory. +- Optional - Force immediate kernel panic on OOM (out of memory) which with the above setting + will force an immediate system reboot as opposed to placing any reliance on the oom_killer + to avoid arbitrarily terminating security features based on their OOM score. Note this + creates the risk of userspace-based denial-of-service attacks that maliciously fill memory. - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared index 9f2220d..84c038d 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared +++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared 
@@ -204,13 +204,14 @@ kernel.perf_event_paranoid=3 ## Note that this must be used with kernel.panic=-1 for it to be function as intended. ## This prevents security features such as the screen locker, kloak, and emerg-shutdown from being arbitrarily terminated. ## Enabling these two together creates a risk of userspace-based denial-of-service attacks that maliciously fill memory. -## This opinionated default forces immediate system reboot rather than placing any reliance on the oom_killer. +## This forces immediate system reboot rather than placing any reliance on the oom_killer. +## Known to cause extreme user experience problems with certain applications as the Tor Browser. +## Enabling by default requires improved upstream handling of user space OOM better accounting for desktop users. ## ## https://en.wikipedia.org/wiki/Out_of_memory ## https://forums.whonix.org/t/screen-locker-in-security-can-we-disable-these-at-least-4-backdoors/8128/14 ## https://github.com/KSPP/kspp.github.io/issues/9 ## https://github.com/Kicksecure/security-misc/issues/324 -## Needs more work. ## #vm.panic_on_oom=2
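Review bot: the rewritten bullet in the README.md hunk is one long sentence in which "with the above setting" is not named and the purpose clause "to avoid arbitrarily terminating security features based on their OOM score" attaches to "oom_killer" rather than to the panic, so the dependency on kernel.panic=-1 that the sysctl comment states explicitly is lost here. Suggest splitting it, e.g. "Combined with kernel.panic=-1 above, this reboots the system immediately instead of relying on the oom_killer, which would otherwise terminate processes (including security features such as the screen locker, kloak and emerg-shutdown) based on their OOM score." The removed lines named those features and the replacement does not, while the sysctl comment in the same patch still does; the bullet also gives no hint why the setting is off by default even though the sysctl hunk records the Tor Browser problem, so a short pointer to that would keep the two documents consistent.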
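Review bot: in the sysctl hunk, "certain applications as the Tor Browser" should read "certain applications such as the Tor Browser", and the next added line ("Enabling by default requires improved upstream handling of user space OOM better accounting for desktop users.") is hard to parse; suggest "Enabling this by default would require improved upstream handling of userspace OOM that better accounts for desktop users." The comment still does not say why the value is 2 rather than 1: vm.panic_on_oom=1 panics only on a system-wide OOM, whereas 2 also panics when the OOM is confined to a memory cgroup or cpuset/mempolicy, so with 2 any service limited by a cgroup memory cap that hits its limit takes the whole machine down, which belongs next to the denial-of-service warning already in the block. The unchanged context line "for it to be function as intended" has a typo ("to function as intended") that could be fixed in the same patch.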