Change kernel.perf_event_paranoid sysctl to 2

From the kernel documentation on core kernel sysctls:

perf_event_paranoid:

Controls use of the performance events system by unprivileged
users (without CAP_SYS_ADMIN).  The default value is 1.

 -1: Allow use of (almost) all events by all users
>=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK
>=1: Disallow CPU event access by users without CAP_SYS_ADMIN
>=2: Disallow kernel profiling by users without CAP_SYS_ADMIN

The current default value for the Tails kernel.perf_event_paranoid sysctl is 1 (the Debian default). This means that kernel profiling is enabled for all users, even without CAP_SYS_ADMIN. The perf subsystem has a huge history of privesc vulnerabilities. I propose we change this sysctl to 2, as Tails users do not need to do kernel profiling as the amnesia user. This will be as simple as creating a file, /etc/sysctl.d/perf_event_paranoid.conf, containing the value kernel.perf_event_paranoid=2.
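The audit-and-apply script below is an added example, not code from this issue or from the Tails feature branch. It reads the live value from /proc/sys (which is where the kernel exposes the sysctl and is readable by any user), explains what that level permits according to the kernel documentation quoted above, and writes the drop-in with the file name and value the issue proposes. The drop-in path, the `PERF_CHECK_APPLY` switch and all function names are assumptions made for this example; the file is applied with `sysctl -p`, so running the apply step needs root.

```shell
#!/bin/sh
# Added example for the Tails issue above; not the project's own code.
# Audits kernel.perf_event_paranoid and optionally writes the proposed
# /etc/sysctl.d/perf_event_paranoid.conf drop-in (path taken from the issue).

PERF_SYSCTL=kernel.perf_event_paranoid
PERF_PROC=/proc/sys/kernel/perf_event_paranoid   # live value, world-readable
WANTED=2                                         # level proposed in the issue

# Return 0 when the given value already meets the target (>= 2), 1 otherwise.
# A pure function of its argument, so it can be checked without root.
perf_paranoid_ok() {
    val=$1
    [ -n "$val" ] || return 1
    # printf %d rejects anything that is not a whole integer (e.g. "abc", "2-3").
    printf '%d' "$val" >/dev/null 2>&1 || return 1
    [ "$val" -ge "$WANTED" ]
}

# Describe what a given level allows, paraphrasing the kernel documentation
# quoted in the issue (each level also keeps the restrictions of the lower ones).
describe_level() {
    case "$1" in
        -1)      echo "unprivileged users may use almost all perf events" ;;
        0)       echo "raw tracepoints denied; CPU events and kernel profiling still open to unprivileged users" ;;
        1)       echo "CPU event access denied; kernel profiling still open to unprivileged users" ;;
        unknown) echo "could not read $PERF_PROC" ;;
        *)       echo "kernel profiling denied to users without CAP_SYS_ADMIN" ;;
    esac
}

# Read the live value; print "unknown" if /proc/sys is not available.
current_value() {
    cat "$PERF_PROC" 2>/dev/null || echo "unknown"
}

# Write the drop-in into a sysctl.d directory (default /etc/sysctl.d) and print
# its path. The directory is a parameter so the function can be exercised in a
# scratch directory as an unprivileged user.
write_dropin() {
    dir=${1:-/etc/sysctl.d}
    mkdir -p "$dir"
    printf '%s=%s\n' "$PERF_SYSCTL" "$WANTED" > "$dir/perf_event_paranoid.conf"
    echo "$dir/perf_event_paranoid.conf"
}

# Report the current level; with PERF_CHECK_APPLY=1 (assumed switch) also write
# the drop-in so the setting persists across reboots of a persistent system.
main() {
    cur=$(current_value)
    echo "$PERF_SYSCTL is currently $cur: $(describe_level "$cur")"
    if perf_paranoid_ok "$cur"; then
        echo "OK: kernel profiling already restricted to CAP_SYS_ADMIN"
        return 0
    fi
    echo "NOT OK: expected $PERF_SYSCTL >= $WANTED"
    if [ "${PERF_CHECK_APPLY:-0}" = 1 ]; then
        f=$(write_dropin /etc/sysctl.d)
        echo "wrote $f; apply immediately with: sysctl -p $f"
    fi
}

# Run the report only when invoked with PERF_CHECK_RUN=1, so the file can also
# be sourced to reuse its functions.
if [ "${PERF_CHECK_RUN:-0}" = 1 ]; then
    main "$@"
fi
```

Run `PERF_CHECK_RUN=1 sh perf_event_paranoid_check.sh` to audit; add `PERF_CHECK_APPLY=1` and run as root to write the drop-in. On a Tails system the /etc/sysctl.d file would of course need to come from the image build (the feature branch named above), since the filesystem does not persist.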

Feature Branch: feature/11421-Change-kernel.perf_event_paranoid-sysctl-2

Related issues

Original created by @cypherpunks on 11421 (Redmine)