From efb2683cfc168c3b110c6664ee61eabcf85f3f30 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Sun, 8 Mar 2020 17:49:12 +0000
Subject: [PATCH 1/2] Hide unprivileged_userfaultfd error

---
 etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs
index 71e82f4..6912637 100755
--- a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs
+++ b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs
@@ -15,7 +15,8 @@ prereqs)
         ;;
 esac
 
-sysctl -p ${rootmnt}/etc/sysctl.conf >/dev/null
-sysctl -p ${rootmnt}/etc/sysctl.d/*.conf >/dev/null
+sysctl -p ${rootmnt}/etc/sysctl.conf >/dev/null 2>${rootmnt}/var/log/sysctl-initramfs-error.log
+sysctl -p ${rootmnt}/etc/sysctl.d/*.conf >/dev/null 2>>${rootmnt}/var/log/sysctl-initramfs-error.log
+grep -v "unprivileged_userfaultfd" /var/log/sysctl-initramfs-error.log
 
 true

From 4d0de87f799d8032731140e9a5815d4773d91baa Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Sun, 8 Mar 2020 17:49:49 +0000
Subject: [PATCH 2/2] Disable unprivileged userfaultfd use again

---
 etc/sysctl.d/30_security-misc.conf | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf
index ed0bd49..e83df56 100644
--- a/etc/sysctl.d/30_security-misc.conf
+++ b/etc/sysctl.d/30_security-misc.conf
@@ -134,10 +134,8 @@ kernel.sysrq=132
 ## https://lkml.org/lkml/2019/4/15/890
 dev.tty.ldisc_autoload=0
 
-## Disable for now.
-## https://forums.whonix.org/t/kernel-hardening/7296/406
 ## Restrict the userfaultfd() syscall to root as it can make heap sprays
 ## easier.
 ##
 ## https://duasynt.com/blog/linux-kernel-heap-spray
-#vm.unprivileged_userfaultfd=0
+vm.unprivileged_userfaultfd=0