feat: enable userns by default and disable TIOCSTI

Signed-off-by: k4yt3x <i@k4yt3x.com>

sysctl.conf

@@ -4,7 +4,7 @@
 # Contributor: HorlogeSkynet
 # Contributor: shenzhui007
 # Date Created: October 5, 2020
-# Last Updated: September 7, 2025
+# Last Updated: October 19, 2025
 
 # Licensed under the GNU General Public License Version 3 (GNU GPL v3),
 #   available at: https://www.gnu.org/licenses/gpl-3.0.txt
@@ -59,8 +59,10 @@ kernel.unprivileged_bpf_disabled = 1
 # disables kexec as it can be used to livepatch the running kernel
 kernel.kexec_load_disabled = 1
 
-# disable unprivileged user namespaces to decrease attack surface
-kernel.unprivileged_userns_clone = 0
+# disable unprivileged user namespaces to reduce attack surface
+# breaks unprivileged containers and sandboxing applications (e.g., Firefox and Docker)
+#kernel.unprivileged_userns_clone = 0
+#user.max_user_namespaces = 0
 
 # disable the loading of kernel modules
 # this can be used to prevent runtime insertion of malicious modules
@@ -78,6 +80,10 @@ kernel.pid_max = 4194304
 # reboot machine after kernel panic
 #kernel.panic = 10
 
+# reboot after just one kernel warning/oops
+#kernel.warn_limit = 1
+#kernel.oops_limit = 1
+
 # restrict perf subsystem usage
 kernel.perf_event_paranoid = 3
 kernel.perf_cpu_time_max_percent = 1
@@ -86,6 +92,10 @@ kernel.perf_event_max_sample_rate = 1
 # prevent unprivileged attackers from loading vulnerable line disciplines with the TIOCSETD ioctl
 dev.tty.ldisc_autoload = 0
 
+# disable TIOCSTI which can be used to inject keypresses
+# breaks screen readers
+dev.tty.legacy_tiocsti = 0
+
 ########## File System ##########
 
 # disallow core dumping by SUID/SGID programs