1. 10
    1. 2

      > We hardened the kenv(2) syscall. Unprivileged […] should not be able to inspect the kernel environment

      Now libinput (when running in a compositor launched with e.g. seatd) won’t be able to read the SMBIOS data, so laptop model based input device quirks won’t apply. ;)

      1. 1

        I wonder, then, if I should change the kenv(2) hardening to only include known-safe entries (an allow list). And, for those entries that are allowed, scrub them for sensitive data.
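
The allow-list idea raised in the last comment, sketched as an added user-space model in C (not HardenedBSD code and not from the thread). Which entries count as safe, which get scrubbed, the `(scrubbed)` placeholder and the function names are all assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Per-entry policy for unprivileged readers; anything unlisted is denied. */
enum kenv_action { KENV_DENY = 0, KENV_ALLOW, KENV_SCRUB };
struct kenv_rule { const char *name; enum kenv_action action; };

/* Assumed policy (constructed): model strings that input quirks match on
 * pass through; per-machine identifiers are visible but scrubbed. */
static const struct kenv_rule kenv_rules[] = {
    { "smbios.system.maker",   KENV_ALLOW },
    { "smbios.system.product", KENV_ALLOW },
    { "smbios.system.serial",  KENV_SCRUB },
    { "smbios.system.uuid",    KENV_SCRUB },
};

static enum kenv_action kenv_lookup(const char *name)
{
    for (size_t i = 0; i < sizeof(kenv_rules) / sizeof(kenv_rules[0]); i++)
        if (strcmp(kenv_rules[i].name, name) == 0) /* exact match, no prefixes */
            return kenv_rules[i].action;
    return KENV_DENY;
}

/* Hypothetical filter: returns 0 and fills out, or -1 when the entry is
 * hidden or out is too small. On failure out holds an empty string. */
int kenv_get_unpriv(const char *name, const char *value, char *out, size_t outlen)
{
    enum kenv_action a = kenv_lookup(name);
    /* Fixed placeholder so a scrubbed value does not reveal its length. */
    const char *src = (a == KENV_SCRUB) ? "(scrubbed)" : value;
    size_t len = strlen(src);

    if (outlen == 0)
        return -1;
    out[0] = '\0';
    if (a == KENV_DENY || len + 1 > outlen)
        return -1;
    memcpy(out, src, len + 1);
    return 0;
}

int main(void)
{
    char buf[64];
    /* Constructed sample value, not taken from a real machine. */
    if (kenv_get_unpriv("smbios.system.product", "ExampleBook 13", buf, sizeof buf) == 0)
        printf("smbios.system.product=%s\n", buf);
    return 0;
}
```

With a table like this, a quirks consumer such as libinput could still match on maker and product, while serial numbers and UUIDs never reach unprivileged callers.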