From 4eba42627070c7e12358d726a9a6fa0ad5a37147 Mon Sep 17 00:00:00 2001
From: Samuel FORESTIER
Date: Sun, 6 Jun 2021 14:08:57 +0200
Subject: [PATCH 1/2] added recommendations from ANSSI (perf subsystem + vm low addr mapping)

> https://www.ssi.gouv.fr/uploads/2016/01/linux_configuration-fr-v1.2.pdf#section.6.2
---
 sysctl.conf | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/sysctl.conf b/sysctl.conf
index fbe5eaa..a4a5c97 100644
--- a/sysctl.conf
+++ b/sysctl.conf
@@ -63,6 +63,11 @@ kernel.pid_max = 4194304
 # reboot machine after kernel panic
 #kernel.panic = 10
 
+# restrict perf subsystem usage
+kernel.perf_event_paranoid = 2
+kernel.perf_event_max_sample_rate = 1
+kernel.perf_cpu_time_max_percent = 1
+
 ########## File System ##########
 
 # disallow core dumping by SUID/SGID programs
@@ -101,6 +106,9 @@ fs.inotify.max_user_watches = 524288
 
 ########## Virtualization ##########
 
+# do not allow mmap in lower addresses
+vm.mmap_min_addr = 65536
+
 # improve mmap ASLR effectness
 vm.mmap_rnd_bits=32
 vm.mmap_rnd_compat_bits=16

From 9a3fd6cf9c8fff1a10d989cd979a9717bd1ed082 Mon Sep 17 00:00:00 2001
From: Samuel FORESTIER
Date: Mon, 7 Jun 2021 08:21:17 +0000
Subject: [PATCH 2/2] Fixed variables processing order issue related to perf subsystem

> https://bbs.archlinux.org/viewtopic.php?id=248926
---
 sysctl.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysctl.conf b/sysctl.conf
index a4a5c97..d88b33a 100644
--- a/sysctl.conf
+++ b/sysctl.conf
@@ -65,8 +65,8 @@ kernel.pid_max = 4194304
 
 # restrict perf subsystem usage
 kernel.perf_event_paranoid = 2
-kernel.perf_event_max_sample_rate = 1
 kernel.perf_cpu_time_max_percent = 1
+kernel.perf_event_max_sample_rate = 1
 
 ########## File System ##########
 
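Review bot: `kernel.perf_event_paranoid = 2`, the first key of the added block in the first hunk, is the upstream default since Linux 4.6, so on a stock kernel that line only restates the status quo and the real tightening comes from the two rate limits under it. Kernels carrying the Debian/Ubuntu perf_event_paranoid patch additionally recognise value 3, which refuses perf_event_open() to unprivileged users altogether, and as far as I know an unpatched kernel accepts 3 and treats it like 2, so `kernel.perf_event_paranoid = 3` would be the stricter choice if this file is meant for those distributions. The comment `# restrict perf subsystem usage` does not say what each key restricts; something like `# paranoid=2: unprivileged users may only measure their own user-space code (3 disables perf for them on Debian/Ubuntu kernels)` would make the intent reviewable.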
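Review bot: `vm.mmap_min_addr = 65536` in the second hunk makes mappings below 64 KiB fail for processes lacking CAP_SYS_RAWIO, which is the intended mitigation (it blunts exploitation of kernel NULL-pointer dereferences), but it also breaks the few programs that legitimately need low mappings, such as DOS emulators relying on vm86 and Wine's 16-bit support, and the comment `# do not allow mmap in lower addresses` records neither the reason nor the cost. Suggest `# deny mappings below 64 KiB to processes without CAP_SYS_RAWIO (kernel NULL-deref hardening; breaks vm86/DOS emulators and Wine 16-bit code)`. Most distributions already ship this value through their own sysctl defaults, so the line may be a no-op on some hosts, which is harmless but worth knowing when someone tests the change.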
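Review bot: The reorder in the third hunk records its ordering dependency only in the commit message: nothing in sysctl.conf says that `kernel.perf_cpu_time_max_percent` has to be applied before `kernel.perf_event_max_sample_rate`, so the next tidy-up of the block can silently reintroduce the failure the commit fixes. A one-line comment on the moved line would close that gap, e.g. `# must stay after perf_cpu_time_max_percent (sysctl applies keys in file order; see https://bbs.archlinux.org/viewtopic.php?id=248926)`. I cannot tell from the diff which kernel behaviour the linked thread describes, so wording the comment around the observed ordering requirement rather than a mechanism is the safer choice. The hunk's leading and trailing blank context lines are collapsed in this paste and were inferred from the @@ counts.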