name = generic
include = perf-generic, kexec-generic, kernel-alerts-generic, line-disciplines-generic, bpf-generic

[sysctl]
net.core.bpf_jit_harden = 2
kernel.unprivileged_bpf_disabled = 1
kernel.dmesg_restrict = 1
vm.unprivileged_userfaultfd = 0
vm.mmap_min_addr = 65536
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
fs.protected_regular = 0
fs.suid_dumpable = 0
vm.mmap_rnd_bits = 32
kernel.modules_disabled = 0
kernel.randomize_va_space = 2
kernel.io_uring_disabled = 0
fs.protected_fifos = 1
kernel.kptr_restrict = 1

[grub]
proc_mem.force_override = always
init_on_alloc = 1
init_on_free = 1
randomize_kstack_offset = 1
mitigations = auto
tsx = off
pti = on
