On Fri, 20 Jan 2023 11:29:15 -0700, "Theo de Raadt" wrote:

> During this mimmutable and xonly work, I keep finding test machines where
> I enabled kern.allowkmem, and have to disable it. Sometimes weeks later.
> Both kern.allowkmem and securelevel disabling are dangerous, especially in
> our world where so much other dangerous stuff has been stopped.

I wonder if it makes sense to have a version of sysctl.conf that only gets used for the next reboot and then is removed, kind of like /etc/rc.firsttime. Maybe call it /etc/sysctl.once.

 - todd
