Todd C. Miller <todd.mil...@millert.dev> wrote:
> On Fri, 20 Jan 2023 11:29:15 -0700, "Theo de Raadt" wrote:
>
> > During this mimmutable and xonly work, I keep finding test machines where
> > I enabled kern.allowkmem, and have to disable it. Sometimes weeks later.
> > Both kern.allowkmem and securelevel disabling are dangerous, especially in
> > our world where so much other dangerous stuff has been stopped.
>
> I wonder if it makes sense to have a version of sysctl.conf that
> only gets used for the next reboot and then is removed, kind of
> like /etc/rc.firsttime. Maybe call it /etc/sysctl.once.
Well, you are shown the change at boot, and it is visible in dmesg -s, which should be good enough. I guess I'm saying that if I am sloppy, others will also be sloppy.
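As an added example that is not part of this thread or of OpenBSD, a small audit for a sysctl.conf(5)-format file that flags the two settings Theo names, meant to run from a daily cron job so a forgotten kern.allowkmem=1 or lowered securelevel is reported instead of discovered weeks later; the path, the flagged values and the sample file are assumptions.

```shell
#!/bin/sh
# Added example, not code from this thread or from OpenBSD: audit a
# sysctl.conf(5)-format file for the two settings Theo calls dangerous, so a
# test box where kern.allowkmem was enabled does not keep it for weeks.
# The file path, the flagged values and the sample below are assumptions.

# audit_sysctl_conf FILE: print each dangerous setting as "dangerous: name=value".
# Returns 1 if anything was flagged, 0 if the file is clean.
audit_sysctl_conf() {
    file=$1
    found=0
    # sysctl.conf(5) format: one name=value per line, '#' starts a comment.
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                            # drop comments
        line=$(printf '%s' "$line" | tr -d ' \t')   # drop whitespace
        [ -z "$line" ] && continue
        case $line in
            *=*) name=${line%%=*}; value=${line#*=} ;;
            *)   continue ;;                        # not a setting
        esac
        case $name in
            kern.allowkmem)
                # 1 lets userland access kernel memory via /dev/mem and /dev/kmem
                if [ "$value" = "1" ]; then
                    printf 'dangerous: %s=%s\n' "$name" "$value"
                    found=1
                fi ;;
            kern.securelevel)
                # securelevel(7): -1 permanently insecure, 0 insecure, 1 secure, 2 highly secure
                case $value in
                    -1|0) printf 'dangerous: %s=%s\n' "$name" "$value"; found=1 ;;
                esac ;;
        esac
    done < "$file"
    return $found
}

# Constructed sample configuration, not taken from any real machine.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# sysctl.conf(5) on a test box
net.inet.ip.forwarding=1
kern.allowkmem=1
kern.securelevel=-1
#ddb.console=1
EOF
if audit_sysctl_conf "$sample"; then echo "$sample: clean"; else echo "$sample: review before this box goes back into service"; fi
rm -f "$sample"
```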