Tonight I implemented a “lock” sysctl feature for tpe-lkm. When enabled, the sysctl entries for the tpe module can’t be changed. It’s only real useful if also combined with the modules_disabled option.
Seems kind of pointless to me, as an attacker who got root access wouldn’t have to disable the TPE module anyway. It was mostly an exercise in “could I do it?”. Hey, maybe I’ll reuse this code elsewhere in the future.
Enjoy the features I’ve been adding!