authorLibravatar sommerfeld <sommerfeld@sommerfeld.dev>2026-05-29 11:18:13 +0100
committerLibravatar sommerfeld <sommerfeld@sommerfeld.dev>2026-05-29 11:18:13 +0100
commit1ab5e40fc75e293b87f645fc2de08e0a0fe3d50f (patch)
treeb3e5c39fcbcf2a95e1df5b3cf05ac1f150ca6b3a /etc/sysctl.d/99-sysctl.conf
parent88e152d3fe8174f1a2ba338714ceba1cb73ffa40 (diff)
fix(hardened): restore podman compatibility on linux-hardened
Two breakages observed on first linux-hardened boot: 1. `podman run` failed because linux-hardened sets kernel.unprivileged_userns_clone=0 by default (stock linux: 1). Rootless podman requires unprivileged user namespaces. Restoring the stock-kernel default via sysctl — this is a documented hardened knob meant to be flipped back if you actually use rootless containers. No-op on stock kernel. 2. "kernel does not support overlay fs: 'overlay' is not supported over btrfs". Kernel overlayfs cannot use a btrfs subvolume as lowerdir; podman needs fuse-overlayfs as the user-mode shim. ~10-30% slower I/O than native overlay but works correctly and is the upstream recommendation for btrfs-backed rootless storage.
Diffstat (limited to 'etc/sysctl.d/99-sysctl.conf')
-rw-r--r--etc/sysctl.d/99-sysctl.conf4
1 files changed, 4 insertions, 0 deletions
diff --git a/etc/sysctl.d/99-sysctl.conf b/etc/sysctl.d/99-sysctl.conf
index 3a43da9..d20197e 100644
--- a/etc/sysctl.d/99-sysctl.conf
+++ b/etc/sysctl.d/99-sysctl.conf
@@ -3,12 +3,16 @@
# kernel.dmesg_restrict=0 — read dmesg as user during driver/kernel debug.
# kernel.perf_event_paranoid=-1 — `perf record` on own user-space binaries
# without sudo. Kernel-space tracepoints still need root.
+# kernel.unprivileged_userns_clone=1 — required by rootless podman.
+# linux-hardened defaults this to 0; stock linux defaults it to 1.
+# Restoring the stock default here. No-op on stock kernel.
# kernel.yama.ptrace_scope is left at the kernel default (1, parent-only),
# which keeps `gdb ./a.out`, `lldb -- ./bin`, `rust-gdb target/...` working;
# attach-by-PID (`gdb -p`) requires sudo.
kernel.sysrq = 1
kernel.dmesg_restrict = 0
kernel.perf_event_paranoid = -1
+kernel.unprivileged_userns_clone = 1
net.core.netdev_max_backlog = 16384
net.core.somaxconn = 8192
net.ipv4.tcp_fastopen = 3
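Review bot: The three added comment lines explain why kernel.unprivileged_userns_clone is set to 1 but not what the setting costs, so a future reader has no cue to revert it once rootless containers are no longer in use; this is the one knob in the file that undoes a hardening default rather than loosening a debugging restriction. Suggest extending the comment with `# Trade-off: re-exposes the unprivileged-userns kernel attack surface that linux-hardened disables; set back to 0 if rootless containers are no longer needed.` The "No-op on stock kernel" claim also looks slightly off: on a stock kernel the key does not exist under /proc/sys, so systemd-sysctl will most likely log a write failure for this line and continue with the remaining keys rather than silently skip it, which is worth stating so the warning is not mistaken for a broken file — e.g. `# Key is absent on stock kernels: systemd-sysctl logs a warning for it and applies the rest.`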