| author | 2026-05-29 11:18:11 +0100 |
|---|---|
| committer | 2026-05-29 11:18:11 +0100 |
| commit | 75e84558ea71f14adbaa1a461cd5f6e8793b0470 (patch) |
| tree | 23419e4c9612752b3610cb1936f19b019a71375b /thunderbird |
| parent | 368f2aa6a09d7314b169f87e2a1466ed5a301a77 (diff) |
feat(sysctl): kernel info-disclosure + ICMP/IPv6 RA hardening

Adds standard KSPP-style sysctl hardening that does not interfere with
the existing dev workflow:
- kptr_restrict=2, unprivileged_bpf_disabled=1, bpf_jit_harden=2
- kexec_load_disabled=1 (no kexec in use)
- fs.suid_dumpable=0
- ICMP broadcast/bogus-error ignores
- tcp_timestamps=0 (BBR+cake do not need RFC1323 timestamps)
- IPv6 RA disabled at kernel layer (systemd-networkd is authoritative)
- explicit tcp_syncookies=1

Drops 'kernel.yama.ptrace_scope = 0' so the kernel default 1 (parent
only) applies. Debugging own builds via 'gdb ./a.out', 'lldb -- ./bin',
'rust-gdb' still works; only attach-by-PID now needs sudo, accepted
trade-off.

Intentionally kept dev-permissive:
kernel.sysrq=1, kernel.dmesg_restrict=0, kernel.perf_event_paranoid=-1
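The settings listed in the commit message, as an added shell example that is not part of the dotfiles repository and not the author's own file: it writes a sysctl.d fragment with the commit's keys and then audits the running kernel against it with `sysctl -n`, reporting every key that drifted. The keys for "ICMP broadcast/bogus-error ignores" (`net.ipv4.icmp_echo_ignore_broadcasts`, `net.ipv4.icmp_ignore_bogus_error_responses`) and for "IPv6 RA disabled" (`net.ipv6.conf.{all,default}.accept_ra = 0`), the file path and the audit helper are assumptions; the commit names only the values and the purpose.

```shell
#!/bin/sh
# Added example, not code from the dotfiles repository. Writes a sysctl.d
# fragment mirroring the commit message and audits the live kernel against it.

# Constructed fragment. Key names for the ICMP and IPv6 RA items are assumed
# from the commit's wording; the path you write it to is your choice.
write_fragment() {
  cat > "$1" <<'EOF'
# kernel info-disclosure (KSPP)
kernel.kptr_restrict = 2
kernel.unprivileged_bpf_disabled = 1
net.core.bpf_jit_harden = 2
kernel.kexec_load_disabled = 1
fs.suid_dumpable = 0
# ICMP / TCP
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_syncookies = 1
# IPv6 RA off at the kernel layer; systemd-networkd is authoritative
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
EOF
}

# Normalise a fragment to "key=value" lines: drop comments, blanks, spaces.
normalise() {
  sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1"
}

# Expected value of one key according to the fragment (empty if absent).
expected_value() {
  normalise "$1" | awk -F= -v k="$2" '$1 == k { print $2 }'
}

# Live value of one key. Override this to audit a saved dump or in tests.
read_live() {
  sysctl -n "$1" 2>/dev/null
}

# Compare each key in the fragment with read_live. Prints one line per
# drifted key ("key want=X got=Y") and returns the number of drifted keys.
audit_fragment() {
  tmp=$(mktemp) || return 255
  normalise "$1" > "$tmp"
  n=0
  while IFS='=' read -r key want; do
    got=$(read_live "$key")
    [ -z "$got" ] && got='<unset>'   # key missing on this kernel
    if [ "$got" != "$want" ]; then
      echo "$key want=$want got=$got"
      n=$((n + 1))
    fi
  done < "$tmp"
  rm -f "$tmp"
  return "$n"
}

# Stand-alone use: `sh audit.sh --audit` exits non-zero if any key drifted.
if [ "${1:-}" = "--audit" ]; then
  f=$(mktemp); write_fragment "$f"
  audit_fragment "$f"; rc=$?
  rm -f "$f"; exit "$rc"
fi
```

Two caveats when using it on a real host: `kernel.kexec_load_disabled` is a one-way latch, so once the fragment has been applied it stays at 1 until reboot and cannot be rolled back in place; and the fragment deliberately does not carry `kernel.yama.ptrace_scope`, since the commit drops that line to fall back to the default of 1. To have the audit confirm that default, add `kernel.yama.ptrace_scope = 1` to the fragment, which also checks that the Yama LSM is actually active (the key is absent otherwise, and the audit reports it as `<unset>`).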
Diffstat (limited to 'thunderbird')
0 files changed, 0 insertions, 0 deletions
