From 8609e61da0e919103cf126b26370875d41c468c4 Mon Sep 17 00:00:00 2001
From: Isaac True
Date: Mon, 11 Sep 2023 12:36:00 +0200
Subject: [PATCH 1/5] ERL-381: spread: add test for verifying sysctl parameters

Signed-off-by: Isaac True
---
tests/spread/sysctl/task.yaml | 12 ++++++++++++
1 file changed, 12 insertions(+)
create mode 100644 tests/spread/sysctl/task.yaml

diff --git a/tests/spread/sysctl/task.yaml b/tests/spread/sysctl/task.yaml
new file mode 100644
index 0000000..8f72b6e
--- /dev/null
+++ b/tests/spread/sysctl/task.yaml
@@ -0,0 +1,12 @@
+---
+
+summary: "Verify sysctl parameters"
+
+systems:
+ - "nemos-image-*"
+
+execute: |
+ test $(sysctl -n vm.overcommit_memory) = 2
+ test $(sysctl -n kernel.randomize_va_space) = 2
+ test $(sysctl -n kernel.kptr_restrict) = 1
+ test $(sysctl -n kernel.yama.ptrace_scope) = 1
From 94b7b2c9630c4dc077bb19870219d72af1c57414 Mon Sep 17 00:00:00 2001
From: Isaac True
Date: Mon, 11 Sep 2023 12:18:11 +0200
Subject: [PATCH 2/5] ERL-375: nemos-images-*: *: set sysctl kernel.yama.ptrace_scope=1

This enables restricted ptrace access, meaning a process must have a predefined relationship with the inferior it wants to call PTRACE_ATTACH on.
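Review bot: The `execute` checks in tests/spread/sysctl/task.yaml leave `$(sysctl -n …)` unquoted, so a key that is absent on the running kernel (for example `kernel.yama.ptrace_scope` on a kernel built without Yama) expands to nothing and `test` fails with a usage error instead of a value mismatch; `test "$(sysctl -n kernel.yama.ptrace_scope)" = 1` keeps the failure readable. The checks read only the live values, and `randomize_va_space=2`, `kptr_restrict=1` and `ptrace_scope=1` are commonly already the kernel or Ubuntu defaults, so only the `vm.overcommit_memory` line clearly proves that the new drop-ins are applied. Asserting that the files are present in the image's `/etc/sysctl.d/` would close that gap. The `systems` pattern is `nemos-image-*` while the image directories are named `nemos-images-*`; the spread system names are defined outside this patch, so confirm the pattern matches at least one system, otherwise the task never runs.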
Signed-off-by: Isaac True --- .../qemu-amd64/root/etc/sysctl.d/50-yama-ptrace-scope.conf | 1 + .../qemu-arm64/root/etc/sysctl.d/50-yama-ptrace-scope.conf | 1 + .../s32g274ardb2/root/etc/sysctl.d/50-yama-ptrace-scope.conf | 1 + .../qemu-amd64/root/etc/sysctl.d/50-yama-ptrace-scope.conf | 1 + .../qemu-arm64/root/etc/sysctl.d/50-yama-ptrace-scope.conf | 1 + .../s32g274ardb2/root/etc/sysctl.d/50-yama-ptrace-scope.conf | 1 + .../qemu-amd64/root/etc/sysctl.d/50-yama-ptrace-scope.conf | 1 + .../qemu-arm64/root/etc/sysctl.d/50-yama-ptrace-scope.conf | 1 + .../s32g274ardb2/root/etc/sysctl.d/50-yama-ptrace-scope.conf | 1 + .../qemu-amd64/root/etc/sysctl.d/50-yama-ptrace-scope.conf | 1 + .../qemu-arm64/root/etc/sysctl.d/50-yama-ptrace-scope.conf | 1 + .../s32g274ardb2/root/etc/sysctl.d/50-yama-ptrace-scope.conf | 1 + 12 files changed, 12 insertions(+) create mode 100644 nemos-images-minimal-lunar/qemu-amd64/root/etc/sysctl.d/50-yama-ptrace-scope.conf create mode 100644 nemos-images-minimal-lunar/qemu-arm64/root/etc/sysctl.d/50-yama-ptrace-scope.conf create mode 100644 nemos-images-minimal-lunar/s32g274ardb2/root/etc/sysctl.d/50-yama-ptrace-scope.conf create mode 100644 nemos-images-minimal-mantic/qemu-amd64/root/etc/sysctl.d/50-yama-ptrace-scope.conf create mode 100644 nemos-images-minimal-mantic/qemu-arm64/root/etc/sysctl.d/50-yama-ptrace-scope.conf create mode 100644 nemos-images-minimal-mantic/s32g274ardb2/root/etc/sysctl.d/50-yama-ptrace-scope.conf create mode 100644 nemos-images-reference-lunar/qemu-amd64/root/etc/sysctl.d/50-yama-ptrace-scope.conf create mode 100644 nemos-images-reference-lunar/qemu-arm64/root/etc/sysctl.d/50-yama-ptrace-scope.conf create mode 100644 nemos-images-reference-lunar/s32g274ardb2/root/etc/sysctl.d/50-yama-ptrace-scope.conf create mode 100644 nemos-images-reference-mantic/qemu-amd64/root/etc/sysctl.d/50-yama-ptrace-scope.conf create mode 100644 nemos-images-reference-mantic/qemu-arm64/root/etc/sysctl.d/50-yama-ptrace-scope.conf create mode 
100644 nemos-images-reference-mantic/s32g274ardb2/root/etc/sysctl.d/50-yama-ptrace-scope.conf diff --git a/nemos-images-minimal-lunar/qemu-amd64/root/etc/sysctl.d/50-yama-ptrace-scope.conf b/nemos-images-minimal-lunar/qemu-amd64/root/etc/sysctl.d/50-yama-ptrace-scope.conf new file mode 100644 index 0000000..3ff63dc --- /dev/null +++ b/nemos-images-minimal-lunar/qemu-amd64/root/etc/sysctl.d/50-yama-ptrace-scope.conf @@ -0,0 +1 @@ +kernel.yama.ptrace_scope=1 diff --git a/nemos-images-minimal-lunar/qemu-arm64/root/etc/sysctl.d/50-yama-ptrace-scope.conf b/nemos-images-minimal-lunar/qemu-arm64/root/etc/sysctl.d/50-yama-ptrace-scope.conf new file mode 100644 index 0000000..3ff63dc --- /dev/null +++ b/nemos-images-minimal-lunar/qemu-arm64/root/etc/sysctl.d/50-yama-ptrace-scope.conf @@ -0,0 +1 @@ +kernel.yama.ptrace_scope=1 diff --git a/nemos-images-minimal-lunar/s32g274ardb2/root/etc/sysctl.d/50-yama-ptrace-scope.conf b/nemos-images-minimal-lunar/s32g274ardb2/root/etc/sysctl.d/50-yama-ptrace-scope.conf new file mode 100644 index 0000000..3ff63dc --- /dev/null +++ b/nemos-images-minimal-lunar/s32g274ardb2/root/etc/sysctl.d/50-yama-ptrace-scope.conf @@ -0,0 +1 @@ +kernel.yama.ptrace_scope=1 diff --git a/nemos-images-minimal-mantic/qemu-amd64/root/etc/sysctl.d/50-yama-ptrace-scope.conf b/nemos-images-minimal-mantic/qemu-amd64/root/etc/sysctl.d/50-yama-ptrace-scope.conf new file mode 100644 index 0000000..3ff63dc --- /dev/null +++ b/nemos-images-minimal-mantic/qemu-amd64/root/etc/sysctl.d/50-yama-ptrace-scope.conf @@ -0,0 +1 @@ +kernel.yama.ptrace_scope=1 diff --git a/nemos-images-minimal-mantic/qemu-arm64/root/etc/sysctl.d/50-yama-ptrace-scope.conf b/nemos-images-minimal-mantic/qemu-arm64/root/etc/sysctl.d/50-yama-ptrace-scope.conf new file mode 100644 index 0000000..3ff63dc --- /dev/null +++ b/nemos-images-minimal-mantic/qemu-arm64/root/etc/sysctl.d/50-yama-ptrace-scope.conf @@ -0,0 +1 @@ +kernel.yama.ptrace_scope=1 
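Review bot: The new `50-yama-ptrace-scope.conf` carries no comment, and the identical file is added to twelve image trees in this patch (the same pattern repeats in patches 3/5 to 5/5), so the rationale lives only in the commit message and the copies can drift apart. A header line such as `# Yama: allow PTRACE_ATTACH only to descendants or to processes that opted in via prctl(PR_SET_PTRACER)` would keep the intent next to the value. If the image build supports a shared overlay, a single copy would be easier to audit than twelve; a tree missed in a later change would silently ship the older setting.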
diff --git a/nemos-images-minimal-mantic/s32g274ardb2/root/etc/sysctl.d/50-yama-ptrace-scope.conf b/nemos-images-minimal-mantic/s32g274ardb2/root/etc/sysctl.d/50-yama-ptrace-scope.conf new file mode 100644 index 0000000..3ff63dc --- /dev/null +++ b/nemos-images-minimal-mantic/s32g274ardb2/root/etc/sysctl.d/50-yama-ptrace-scope.conf @@ -0,0 +1 @@ +kernel.yama.ptrace_scope=1 diff --git a/nemos-images-reference-lunar/qemu-amd64/root/etc/sysctl.d/50-yama-ptrace-scope.conf b/nemos-images-reference-lunar/qemu-amd64/root/etc/sysctl.d/50-yama-ptrace-scope.conf new file mode 100644 index 0000000..3ff63dc --- /dev/null +++ b/nemos-images-reference-lunar/qemu-amd64/root/etc/sysctl.d/50-yama-ptrace-scope.conf @@ -0,0 +1 @@ +kernel.yama.ptrace_scope=1 diff --git a/nemos-images-reference-lunar/qemu-arm64/root/etc/sysctl.d/50-yama-ptrace-scope.conf b/nemos-images-reference-lunar/qemu-arm64/root/etc/sysctl.d/50-yama-ptrace-scope.conf new file mode 100644 index 0000000..3ff63dc --- /dev/null +++ b/nemos-images-reference-lunar/qemu-arm64/root/etc/sysctl.d/50-yama-ptrace-scope.conf @@ -0,0 +1 @@ +kernel.yama.ptrace_scope=1 diff --git a/nemos-images-reference-lunar/s32g274ardb2/root/etc/sysctl.d/50-yama-ptrace-scope.conf b/nemos-images-reference-lunar/s32g274ardb2/root/etc/sysctl.d/50-yama-ptrace-scope.conf new file mode 100644 index 0000000..3ff63dc --- /dev/null +++ b/nemos-images-reference-lunar/s32g274ardb2/root/etc/sysctl.d/50-yama-ptrace-scope.conf @@ -0,0 +1 @@ +kernel.yama.ptrace_scope=1 diff --git a/nemos-images-reference-mantic/qemu-amd64/root/etc/sysctl.d/50-yama-ptrace-scope.conf b/nemos-images-reference-mantic/qemu-amd64/root/etc/sysctl.d/50-yama-ptrace-scope.conf new file mode 100644 index 0000000..3ff63dc --- /dev/null +++ b/nemos-images-reference-mantic/qemu-amd64/root/etc/sysctl.d/50-yama-ptrace-scope.conf @@ -0,0 +1 @@ +kernel.yama.ptrace_scope=1 
diff --git a/nemos-images-reference-mantic/qemu-arm64/root/etc/sysctl.d/50-yama-ptrace-scope.conf b/nemos-images-reference-mantic/qemu-arm64/root/etc/sysctl.d/50-yama-ptrace-scope.conf new file mode 100644 index 0000000..3ff63dc --- /dev/null +++ b/nemos-images-reference-mantic/qemu-arm64/root/etc/sysctl.d/50-yama-ptrace-scope.conf @@ -0,0 +1 @@ +kernel.yama.ptrace_scope=1 diff --git a/nemos-images-reference-mantic/s32g274ardb2/root/etc/sysctl.d/50-yama-ptrace-scope.conf b/nemos-images-reference-mantic/s32g274ardb2/root/etc/sysctl.d/50-yama-ptrace-scope.conf new file mode 100644 index 0000000..3ff63dc --- /dev/null +++ b/nemos-images-reference-mantic/s32g274ardb2/root/etc/sysctl.d/50-yama-ptrace-scope.conf @@ -0,0 +1 @@ +kernel.yama.ptrace_scope=1 From e345b06b70677411944a5c104b00ffdef61b25ac Mon Sep 17 00:00:00 2001 From: Isaac True Date: Mon, 11 Sep 2023 12:23:36 +0200 Subject: [PATCH 3/5] ERL-376: nemos-images-*: *: set sysctl kernel.kptr_restrict=1 This setting only allows privileged users to view the kernel memory addresses. 
Signed-off-by: Isaac True --- .../qemu-amd64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf | 1 + .../qemu-arm64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf | 1 + .../s32g274ardb2/root/etc/sysctl.d/50-kernel-kptr-restrict.conf | 1 + .../qemu-amd64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf | 1 + .../qemu-arm64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf | 1 + .../s32g274ardb2/root/etc/sysctl.d/50-kernel-kptr-restrict.conf | 1 + .../qemu-amd64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf | 1 + .../qemu-arm64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf | 1 + .../s32g274ardb2/root/etc/sysctl.d/50-kernel-kptr-restrict.conf | 1 + .../qemu-amd64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf | 1 + .../qemu-arm64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf | 1 + .../s32g274ardb2/root/etc/sysctl.d/50-kernel-kptr-restrict.conf | 1 + 12 files changed, 12 insertions(+) create mode 100644 nemos-images-minimal-lunar/qemu-amd64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf create mode 100644 nemos-images-minimal-lunar/qemu-arm64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf create mode 100644 nemos-images-minimal-lunar/s32g274ardb2/root/etc/sysctl.d/50-kernel-kptr-restrict.conf create mode 100644 nemos-images-minimal-mantic/qemu-amd64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf create mode 100644 nemos-images-minimal-mantic/qemu-arm64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf create mode 100644 nemos-images-minimal-mantic/s32g274ardb2/root/etc/sysctl.d/50-kernel-kptr-restrict.conf create mode 100644 nemos-images-reference-lunar/qemu-amd64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf create mode 100644 nemos-images-reference-lunar/qemu-arm64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf create mode 100644 nemos-images-reference-lunar/s32g274ardb2/root/etc/sysctl.d/50-kernel-kptr-restrict.conf create mode 100644 nemos-images-reference-mantic/qemu-amd64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf create mode 100644 
nemos-images-reference-mantic/qemu-arm64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf create mode 100644 nemos-images-reference-mantic/s32g274ardb2/root/etc/sysctl.d/50-kernel-kptr-restrict.conf diff --git a/nemos-images-minimal-lunar/qemu-amd64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf b/nemos-images-minimal-lunar/qemu-amd64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf new file mode 100644 index 0000000..5f3e130 --- /dev/null +++ b/nemos-images-minimal-lunar/qemu-amd64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf @@ -0,0 +1 @@ +kernel.kptr_restrict=1 diff --git a/nemos-images-minimal-lunar/qemu-arm64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf b/nemos-images-minimal-lunar/qemu-arm64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf new file mode 100644 index 0000000..5f3e130 --- /dev/null +++ b/nemos-images-minimal-lunar/qemu-arm64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf @@ -0,0 +1 @@ +kernel.kptr_restrict=1 diff --git a/nemos-images-minimal-lunar/s32g274ardb2/root/etc/sysctl.d/50-kernel-kptr-restrict.conf b/nemos-images-minimal-lunar/s32g274ardb2/root/etc/sysctl.d/50-kernel-kptr-restrict.conf new file mode 100644 index 0000000..5f3e130 --- /dev/null +++ b/nemos-images-minimal-lunar/s32g274ardb2/root/etc/sysctl.d/50-kernel-kptr-restrict.conf @@ -0,0 +1 @@ +kernel.kptr_restrict=1 diff --git a/nemos-images-minimal-mantic/qemu-amd64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf b/nemos-images-minimal-mantic/qemu-amd64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf new file mode 100644 index 0000000..5f3e130 --- /dev/null +++ b/nemos-images-minimal-mantic/qemu-amd64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf @@ -0,0 +1 @@ +kernel.kptr_restrict=1 diff --git a/nemos-images-minimal-mantic/qemu-arm64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf b/nemos-images-minimal-mantic/qemu-arm64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf new file mode 100644 index 0000000..5f3e130 --- /dev/null 
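Review bot: `kernel.kptr_restrict=1` in `50-kernel-kptr-restrict.conf` still prints real kernel addresses to any reader holding CAP_SYSLOG, so a compromised privileged service keeps access to them; if nothing on the target needs kernel addresses at runtime, `kernel.kptr_restrict=2` hides them from all readers. The kernel log is a separate source of such addresses, and `kernel.dmesg_restrict=1` is the usual companion setting; neither appears in this series. Whichever value is kept, a one-line comment stating who is still allowed to see addresses would document the choice. The note applies to all twelve copies added by this patch.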
+++ b/nemos-images-minimal-mantic/qemu-arm64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf @@ -0,0 +1 @@ +kernel.kptr_restrict=1 diff --git a/nemos-images-minimal-mantic/s32g274ardb2/root/etc/sysctl.d/50-kernel-kptr-restrict.conf b/nemos-images-minimal-mantic/s32g274ardb2/root/etc/sysctl.d/50-kernel-kptr-restrict.conf new file mode 100644 index 0000000..5f3e130 --- /dev/null +++ b/nemos-images-minimal-mantic/s32g274ardb2/root/etc/sysctl.d/50-kernel-kptr-restrict.conf @@ -0,0 +1 @@ +kernel.kptr_restrict=1 diff --git a/nemos-images-reference-lunar/qemu-amd64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf b/nemos-images-reference-lunar/qemu-amd64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf new file mode 100644 index 0000000..5f3e130 --- /dev/null +++ b/nemos-images-reference-lunar/qemu-amd64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf @@ -0,0 +1 @@ +kernel.kptr_restrict=1 diff --git a/nemos-images-reference-lunar/qemu-arm64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf b/nemos-images-reference-lunar/qemu-arm64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf new file mode 100644 index 0000000..5f3e130 --- /dev/null +++ b/nemos-images-reference-lunar/qemu-arm64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf @@ -0,0 +1 @@ +kernel.kptr_restrict=1 diff --git a/nemos-images-reference-lunar/s32g274ardb2/root/etc/sysctl.d/50-kernel-kptr-restrict.conf b/nemos-images-reference-lunar/s32g274ardb2/root/etc/sysctl.d/50-kernel-kptr-restrict.conf new file mode 100644 index 0000000..5f3e130 --- /dev/null +++ b/nemos-images-reference-lunar/s32g274ardb2/root/etc/sysctl.d/50-kernel-kptr-restrict.conf @@ -0,0 +1 @@ +kernel.kptr_restrict=1 diff --git a/nemos-images-reference-mantic/qemu-amd64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf b/nemos-images-reference-mantic/qemu-amd64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf new file mode 100644 index 0000000..5f3e130 --- /dev/null +++ b/nemos-images-reference-mantic/qemu-amd64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf 
@@ -0,0 +1 @@ +kernel.kptr_restrict=1 diff --git a/nemos-images-reference-mantic/qemu-arm64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf b/nemos-images-reference-mantic/qemu-arm64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf new file mode 100644 index 0000000..5f3e130 --- /dev/null +++ b/nemos-images-reference-mantic/qemu-arm64/root/etc/sysctl.d/50-kernel-kptr-restrict.conf @@ -0,0 +1 @@ +kernel.kptr_restrict=1 diff --git a/nemos-images-reference-mantic/s32g274ardb2/root/etc/sysctl.d/50-kernel-kptr-restrict.conf b/nemos-images-reference-mantic/s32g274ardb2/root/etc/sysctl.d/50-kernel-kptr-restrict.conf new file mode 100644 index 0000000..5f3e130 --- /dev/null +++ b/nemos-images-reference-mantic/s32g274ardb2/root/etc/sysctl.d/50-kernel-kptr-restrict.conf @@ -0,0 +1 @@ +kernel.kptr_restrict=1 From 60f3149eb264181acd9c1eb94bf6cb594d4830b2 Mon Sep 17 00:00:00 2001 From: Isaac True Date: Mon, 11 Sep 2023 12:24:45 +0200 Subject: [PATCH 4/5] ERL-378: nemos-images-*: *: set sysctl kernel.randomize_va_space=2 This enables all kernel address space randomisation features. 
Signed-off-by: Isaac True --- .../qemu-amd64/root/etc/sysctl.d/50-randomize-va-space.conf | 1 + .../qemu-arm64/root/etc/sysctl.d/50-randomize-va-space.conf | 1 + .../s32g274ardb2/root/etc/sysctl.d/50-randomize-va-space.conf | 1 + .../qemu-amd64/root/etc/sysctl.d/50-randomize-va-space.conf | 1 + .../qemu-arm64/root/etc/sysctl.d/50-randomize-va-space.conf | 1 + .../s32g274ardb2/root/etc/sysctl.d/50-randomize-va-space.conf | 1 + .../qemu-amd64/root/etc/sysctl.d/50-randomize-va-space.conf | 1 + .../qemu-arm64/root/etc/sysctl.d/50-randomize-va-space.conf | 1 + .../s32g274ardb2/root/etc/sysctl.d/50-randomize-va-space.conf | 1 + .../qemu-amd64/root/etc/sysctl.d/50-randomize-va-space.conf | 1 + .../qemu-arm64/root/etc/sysctl.d/50-randomize-va-space.conf | 1 + .../s32g274ardb2/root/etc/sysctl.d/50-randomize-va-space.conf | 1 + 12 files changed, 12 insertions(+) create mode 100644 nemos-images-minimal-lunar/qemu-amd64/root/etc/sysctl.d/50-randomize-va-space.conf create mode 100644 nemos-images-minimal-lunar/qemu-arm64/root/etc/sysctl.d/50-randomize-va-space.conf create mode 100644 nemos-images-minimal-lunar/s32g274ardb2/root/etc/sysctl.d/50-randomize-va-space.conf create mode 100644 nemos-images-minimal-mantic/qemu-amd64/root/etc/sysctl.d/50-randomize-va-space.conf create mode 100644 nemos-images-minimal-mantic/qemu-arm64/root/etc/sysctl.d/50-randomize-va-space.conf create mode 100644 nemos-images-minimal-mantic/s32g274ardb2/root/etc/sysctl.d/50-randomize-va-space.conf create mode 100644 nemos-images-reference-lunar/qemu-amd64/root/etc/sysctl.d/50-randomize-va-space.conf create mode 100644 nemos-images-reference-lunar/qemu-arm64/root/etc/sysctl.d/50-randomize-va-space.conf create mode 100644 nemos-images-reference-lunar/s32g274ardb2/root/etc/sysctl.d/50-randomize-va-space.conf create mode 100644 nemos-images-reference-mantic/qemu-amd64/root/etc/sysctl.d/50-randomize-va-space.conf create mode 100644 
nemos-images-reference-mantic/qemu-arm64/root/etc/sysctl.d/50-randomize-va-space.conf create mode 100644 nemos-images-reference-mantic/s32g274ardb2/root/etc/sysctl.d/50-randomize-va-space.conf diff --git a/nemos-images-minimal-lunar/qemu-amd64/root/etc/sysctl.d/50-randomize-va-space.conf b/nemos-images-minimal-lunar/qemu-amd64/root/etc/sysctl.d/50-randomize-va-space.conf new file mode 100644 index 0000000..2be8d37 --- /dev/null +++ b/nemos-images-minimal-lunar/qemu-amd64/root/etc/sysctl.d/50-randomize-va-space.conf @@ -0,0 +1 @@ +kernel.randomize_va_space=2 diff --git a/nemos-images-minimal-lunar/qemu-arm64/root/etc/sysctl.d/50-randomize-va-space.conf b/nemos-images-minimal-lunar/qemu-arm64/root/etc/sysctl.d/50-randomize-va-space.conf new file mode 100644 index 0000000..2be8d37 --- /dev/null +++ b/nemos-images-minimal-lunar/qemu-arm64/root/etc/sysctl.d/50-randomize-va-space.conf @@ -0,0 +1 @@ +kernel.randomize_va_space=2 diff --git a/nemos-images-minimal-lunar/s32g274ardb2/root/etc/sysctl.d/50-randomize-va-space.conf b/nemos-images-minimal-lunar/s32g274ardb2/root/etc/sysctl.d/50-randomize-va-space.conf new file mode 100644 index 0000000..2be8d37 --- /dev/null +++ b/nemos-images-minimal-lunar/s32g274ardb2/root/etc/sysctl.d/50-randomize-va-space.conf @@ -0,0 +1 @@ +kernel.randomize_va_space=2 diff --git a/nemos-images-minimal-mantic/qemu-amd64/root/etc/sysctl.d/50-randomize-va-space.conf b/nemos-images-minimal-mantic/qemu-amd64/root/etc/sysctl.d/50-randomize-va-space.conf new file mode 100644 index 0000000..2be8d37 --- /dev/null +++ b/nemos-images-minimal-mantic/qemu-amd64/root/etc/sysctl.d/50-randomize-va-space.conf @@ -0,0 +1 @@ +kernel.randomize_va_space=2 diff --git a/nemos-images-minimal-mantic/qemu-arm64/root/etc/sysctl.d/50-randomize-va-space.conf b/nemos-images-minimal-mantic/qemu-arm64/root/etc/sysctl.d/50-randomize-va-space.conf new file mode 100644 index 0000000..2be8d37 --- /dev/null 
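Review bot: The `50-randomize-va-space.conf` drop-in should say what it covers, because `kernel.randomize_va_space` controls layout randomisation of user processes only (value 2 adds the brk heap to stack, mmap and vDSO); randomisation of the kernel image itself (KASLR) is decided at boot and is not changed by this file. A comment such as `# 2 = full userspace ASLR including heap (brk); KASLR is configured separately` would prevent the setting from being read as kernel hardening. Value 2 is normally already the kernel default, so the file mainly pins it against a later override. The same comment belongs in the other eleven copies in this patch.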
+++ b/nemos-images-minimal-mantic/qemu-arm64/root/etc/sysctl.d/50-randomize-va-space.conf @@ -0,0 +1 @@ +kernel.randomize_va_space=2 diff --git a/nemos-images-minimal-mantic/s32g274ardb2/root/etc/sysctl.d/50-randomize-va-space.conf b/nemos-images-minimal-mantic/s32g274ardb2/root/etc/sysctl.d/50-randomize-va-space.conf new file mode 100644 index 0000000..2be8d37 --- /dev/null +++ b/nemos-images-minimal-mantic/s32g274ardb2/root/etc/sysctl.d/50-randomize-va-space.conf @@ -0,0 +1 @@ +kernel.randomize_va_space=2 diff --git a/nemos-images-reference-lunar/qemu-amd64/root/etc/sysctl.d/50-randomize-va-space.conf b/nemos-images-reference-lunar/qemu-amd64/root/etc/sysctl.d/50-randomize-va-space.conf new file mode 100644 index 0000000..2be8d37 --- /dev/null +++ b/nemos-images-reference-lunar/qemu-amd64/root/etc/sysctl.d/50-randomize-va-space.conf @@ -0,0 +1 @@ +kernel.randomize_va_space=2 diff --git a/nemos-images-reference-lunar/qemu-arm64/root/etc/sysctl.d/50-randomize-va-space.conf b/nemos-images-reference-lunar/qemu-arm64/root/etc/sysctl.d/50-randomize-va-space.conf new file mode 100644 index 0000000..2be8d37 --- /dev/null +++ b/nemos-images-reference-lunar/qemu-arm64/root/etc/sysctl.d/50-randomize-va-space.conf @@ -0,0 +1 @@ +kernel.randomize_va_space=2 diff --git a/nemos-images-reference-lunar/s32g274ardb2/root/etc/sysctl.d/50-randomize-va-space.conf b/nemos-images-reference-lunar/s32g274ardb2/root/etc/sysctl.d/50-randomize-va-space.conf new file mode 100644 index 0000000..2be8d37 --- /dev/null +++ b/nemos-images-reference-lunar/s32g274ardb2/root/etc/sysctl.d/50-randomize-va-space.conf @@ -0,0 +1 @@ +kernel.randomize_va_space=2 diff --git a/nemos-images-reference-mantic/qemu-amd64/root/etc/sysctl.d/50-randomize-va-space.conf b/nemos-images-reference-mantic/qemu-amd64/root/etc/sysctl.d/50-randomize-va-space.conf new file mode 100644 index 0000000..2be8d37 --- /dev/null +++ b/nemos-images-reference-mantic/qemu-amd64/root/etc/sysctl.d/50-randomize-va-space.conf 
@@ -0,0 +1 @@ +kernel.randomize_va_space=2 diff --git a/nemos-images-reference-mantic/qemu-arm64/root/etc/sysctl.d/50-randomize-va-space.conf b/nemos-images-reference-mantic/qemu-arm64/root/etc/sysctl.d/50-randomize-va-space.conf new file mode 100644 index 0000000..2be8d37 --- /dev/null +++ b/nemos-images-reference-mantic/qemu-arm64/root/etc/sysctl.d/50-randomize-va-space.conf @@ -0,0 +1 @@ +kernel.randomize_va_space=2 diff --git a/nemos-images-reference-mantic/s32g274ardb2/root/etc/sysctl.d/50-randomize-va-space.conf b/nemos-images-reference-mantic/s32g274ardb2/root/etc/sysctl.d/50-randomize-va-space.conf new file mode 100644 index 0000000..2be8d37 --- /dev/null +++ b/nemos-images-reference-mantic/s32g274ardb2/root/etc/sysctl.d/50-randomize-va-space.conf @@ -0,0 +1 @@ +kernel.randomize_va_space=2 From 266b37bdaf0430bac4667892eee1ad64d5afdc14 Mon Sep 17 00:00:00 2001 From: Isaac True Date: Mon, 11 Sep 2023 12:25:46 +0200 Subject: [PATCH 5/5] ERL-379: nemos-images-*: *: set sysctl vm.overcommit_memory=2 This setting disables memory overcommit. 
Signed-off-by: Isaac True --- .../qemu-amd64/root/etc/sysctl.d/50-vm-overcommit.conf | 1 + .../qemu-arm64/root/etc/sysctl.d/50-vm-overcommit.conf | 1 + .../s32g274ardb2/root/etc/sysctl.d/50-vm-overcommit.conf | 1 + .../qemu-amd64/root/etc/sysctl.d/50-vm-overcommit.conf | 1 + .../qemu-arm64/root/etc/sysctl.d/50-vm-overcommit.conf | 1 + .../s32g274ardb2/root/etc/sysctl.d/50-vm-overcommit.conf | 1 + .../qemu-amd64/root/etc/sysctl.d/50-vm-overcommit.conf | 1 + .../qemu-arm64/root/etc/sysctl.d/50-vm-overcommit.conf | 1 + .../s32g274ardb2/root/etc/sysctl.d/50-vm-overcommit.conf | 1 + .../qemu-amd64/root/etc/sysctl.d/50-vm-overcommit.conf | 1 + .../qemu-arm64/root/etc/sysctl.d/50-vm-overcommit.conf | 1 + .../s32g274ardb2/root/etc/sysctl.d/50-vm-overcommit.conf | 1 + 12 files changed, 12 insertions(+) create mode 100644 nemos-images-minimal-lunar/qemu-amd64/root/etc/sysctl.d/50-vm-overcommit.conf create mode 100644 nemos-images-minimal-lunar/qemu-arm64/root/etc/sysctl.d/50-vm-overcommit.conf create mode 100644 nemos-images-minimal-lunar/s32g274ardb2/root/etc/sysctl.d/50-vm-overcommit.conf create mode 100644 nemos-images-minimal-mantic/qemu-amd64/root/etc/sysctl.d/50-vm-overcommit.conf create mode 100644 nemos-images-minimal-mantic/qemu-arm64/root/etc/sysctl.d/50-vm-overcommit.conf create mode 100644 nemos-images-minimal-mantic/s32g274ardb2/root/etc/sysctl.d/50-vm-overcommit.conf create mode 100644 nemos-images-reference-lunar/qemu-amd64/root/etc/sysctl.d/50-vm-overcommit.conf create mode 100644 nemos-images-reference-lunar/qemu-arm64/root/etc/sysctl.d/50-vm-overcommit.conf create mode 100644 nemos-images-reference-lunar/s32g274ardb2/root/etc/sysctl.d/50-vm-overcommit.conf create mode 100644 nemos-images-reference-mantic/qemu-amd64/root/etc/sysctl.d/50-vm-overcommit.conf create mode 100644 nemos-images-reference-mantic/qemu-arm64/root/etc/sysctl.d/50-vm-overcommit.conf create mode 100644 nemos-images-reference-mantic/s32g274ardb2/root/etc/sysctl.d/50-vm-overcommit.conf 
diff --git a/nemos-images-minimal-lunar/qemu-amd64/root/etc/sysctl.d/50-vm-overcommit.conf b/nemos-images-minimal-lunar/qemu-amd64/root/etc/sysctl.d/50-vm-overcommit.conf new file mode 100644 index 0000000..47a75c8 --- /dev/null +++ b/nemos-images-minimal-lunar/qemu-amd64/root/etc/sysctl.d/50-vm-overcommit.conf @@ -0,0 +1 @@ +vm.overcommit_memory=2 diff --git a/nemos-images-minimal-lunar/qemu-arm64/root/etc/sysctl.d/50-vm-overcommit.conf b/nemos-images-minimal-lunar/qemu-arm64/root/etc/sysctl.d/50-vm-overcommit.conf new file mode 100644 index 0000000..47a75c8 --- /dev/null +++ b/nemos-images-minimal-lunar/qemu-arm64/root/etc/sysctl.d/50-vm-overcommit.conf @@ -0,0 +1 @@ +vm.overcommit_memory=2 diff --git a/nemos-images-minimal-lunar/s32g274ardb2/root/etc/sysctl.d/50-vm-overcommit.conf b/nemos-images-minimal-lunar/s32g274ardb2/root/etc/sysctl.d/50-vm-overcommit.conf new file mode 100644 index 0000000..47a75c8 --- /dev/null +++ b/nemos-images-minimal-lunar/s32g274ardb2/root/etc/sysctl.d/50-vm-overcommit.conf @@ -0,0 +1 @@ +vm.overcommit_memory=2 diff --git a/nemos-images-minimal-mantic/qemu-amd64/root/etc/sysctl.d/50-vm-overcommit.conf b/nemos-images-minimal-mantic/qemu-amd64/root/etc/sysctl.d/50-vm-overcommit.conf new file mode 100644 index 0000000..47a75c8 --- /dev/null +++ b/nemos-images-minimal-mantic/qemu-amd64/root/etc/sysctl.d/50-vm-overcommit.conf @@ -0,0 +1 @@ +vm.overcommit_memory=2 diff --git a/nemos-images-minimal-mantic/qemu-arm64/root/etc/sysctl.d/50-vm-overcommit.conf b/nemos-images-minimal-mantic/qemu-arm64/root/etc/sysctl.d/50-vm-overcommit.conf new file mode 100644 index 0000000..47a75c8 --- /dev/null +++ b/nemos-images-minimal-mantic/qemu-arm64/root/etc/sysctl.d/50-vm-overcommit.conf @@ -0,0 +1 @@ +vm.overcommit_memory=2 diff --git a/nemos-images-minimal-mantic/s32g274ardb2/root/etc/sysctl.d/50-vm-overcommit.conf b/nemos-images-minimal-mantic/s32g274ardb2/root/etc/sysctl.d/50-vm-overcommit.conf new file mode 100644 index 0000000..47a75c8 
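Review bot: `vm.overcommit_memory=2` is set in `50-vm-overcommit.conf` without `vm.overcommit_ratio` or `vm.overcommit_kbytes`, so the commit limit falls back to the kernel default of swap plus 50% of RAM. On a target without swap (likely for the s32g274ardb2 and qemu images, to be confirmed) allocations then start failing while roughly half of memory is still free, and programs that reserve large address ranges may not start at all. Setting the limit explicitly in the same file, e.g. `vm.overcommit_ratio=<percent chosen for the target>`, and asserting it in the spread test would make the behaviour deliberate. This applies to all twelve copies added by this patch.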
--- /dev/null +++ b/nemos-images-minimal-mantic/s32g274ardb2/root/etc/sysctl.d/50-vm-overcommit.conf @@ -0,0 +1 @@ +vm.overcommit_memory=2 diff --git a/nemos-images-reference-lunar/qemu-amd64/root/etc/sysctl.d/50-vm-overcommit.conf b/nemos-images-reference-lunar/qemu-amd64/root/etc/sysctl.d/50-vm-overcommit.conf new file mode 100644 index 0000000..47a75c8 --- /dev/null +++ b/nemos-images-reference-lunar/qemu-amd64/root/etc/sysctl.d/50-vm-overcommit.conf @@ -0,0 +1 @@ +vm.overcommit_memory=2 diff --git a/nemos-images-reference-lunar/qemu-arm64/root/etc/sysctl.d/50-vm-overcommit.conf b/nemos-images-reference-lunar/qemu-arm64/root/etc/sysctl.d/50-vm-overcommit.conf new file mode 100644 index 0000000..47a75c8 --- /dev/null +++ b/nemos-images-reference-lunar/qemu-arm64/root/etc/sysctl.d/50-vm-overcommit.conf @@ -0,0 +1 @@ +vm.overcommit_memory=2 diff --git a/nemos-images-reference-lunar/s32g274ardb2/root/etc/sysctl.d/50-vm-overcommit.conf b/nemos-images-reference-lunar/s32g274ardb2/root/etc/sysctl.d/50-vm-overcommit.conf new file mode 100644 index 0000000..47a75c8 --- /dev/null +++ b/nemos-images-reference-lunar/s32g274ardb2/root/etc/sysctl.d/50-vm-overcommit.conf @@ -0,0 +1 @@ +vm.overcommit_memory=2 diff --git a/nemos-images-reference-mantic/qemu-amd64/root/etc/sysctl.d/50-vm-overcommit.conf b/nemos-images-reference-mantic/qemu-amd64/root/etc/sysctl.d/50-vm-overcommit.conf new file mode 100644 index 0000000..47a75c8 --- /dev/null +++ b/nemos-images-reference-mantic/qemu-amd64/root/etc/sysctl.d/50-vm-overcommit.conf @@ -0,0 +1 @@ +vm.overcommit_memory=2 diff --git a/nemos-images-reference-mantic/qemu-arm64/root/etc/sysctl.d/50-vm-overcommit.conf b/nemos-images-reference-mantic/qemu-arm64/root/etc/sysctl.d/50-vm-overcommit.conf new file mode 100644 index 0000000..47a75c8 --- /dev/null +++ b/nemos-images-reference-mantic/qemu-arm64/root/etc/sysctl.d/50-vm-overcommit.conf @@ -0,0 +1 @@ +vm.overcommit_memory=2 
diff --git a/nemos-images-reference-mantic/s32g274ardb2/root/etc/sysctl.d/50-vm-overcommit.conf b/nemos-images-reference-mantic/s32g274ardb2/root/etc/sysctl.d/50-vm-overcommit.conf new file mode 100644 index 0000000..47a75c8 --- /dev/null +++ b/nemos-images-reference-mantic/s32g274ardb2/root/etc/sysctl.d/50-vm-overcommit.conf @@ -0,0 +1 @@ +vm.overcommit_memory=2