Notes:


One page of the kernel's static data remains unprotected. Because the timer handler differs from all other UML signal handlers, the data the timer needs is not automatically write-enabled on kernel entry. As a result, two variables that the handler modifies are left writable. These will likely be protected in the future, but in the meantime, they don't seem exploitable.