release: Add several security-related sysctls

packages/kernel/config-thar

@@ -21,3 +21,6 @@ CONFIG_BLK_DEV_DM=y
 CONFIG_DAX=y
 CONFIG_DM_INIT=y
 CONFIG_DM_VERITY=y
+
+# yama LSM for ptrace restrictions
+CONFIG_SECURITY_YAMA=y

packages/release/release-sysctl.conf

@@ -25,3 +25,27 @@ net.ipv4.ip_local_port_range = 1025 65000
 # Connection tracking to prevent dropped connections
 net.netfilter.nf_conntrack_max = 1048576
 net.netfilter.nf_conntrack_generic_timeout = 120
+
+## Kernel hardening settings
+## Settings & descriptions sourced from the KSPP wiki, see
+## https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings#sysctls
+# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
+kernel.kptr_restrict = 1
+
+# Avoid kernel memory address exposures via dmesg.
+kernel.dmesg_restrict = 1
+
+# Turn off kexec, even if it's built in.
+kernel.kexec_load_disabled = 1
+
+# Avoid non-ancestor ptrace access to running processes and their credentials.
+kernel.yama.ptrace_scope = 1
+
+# Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
+user.max_user_namespaces = 0
+
+# Turn off unprivileged eBPF access.
+kernel.unprivileged_bpf_disabled = 1
+
+# Turn on BPF JIT hardening, if the JIT is enabled.
+net.core.bpf_jit_harden = 2