diff options
author | Niklas Sombert <niklas@ytvwld.de> | 2023-09-19 18:21:18 +0200 |
---|---|---|
committer | Niklas Sombert <niklas@ytvwld.de> | 2023-10-19 21:44:12 +0200 |
commit | 1ee5a5b6ed5d1ea9226bf32fdd2af276ae475baa (patch) | |
tree | 46e59fc4126e136b5d35220540cc18ef9747adbb | |
parent | 2e7758c1187c4afc7a90332ff6a396555c276f3b (diff) | |
download | nixlib-1ee5a5b6ed5d1ea9226bf32fdd2af276ae475baa.tar nixlib-1ee5a5b6ed5d1ea9226bf32fdd2af276ae475baa.tar.gz nixlib-1ee5a5b6ed5d1ea9226bf32fdd2af276ae475baa.tar.bz2 nixlib-1ee5a5b6ed5d1ea9226bf32fdd2af276ae475baa.tar.lz nixlib-1ee5a5b6ed5d1ea9226bf32fdd2af276ae475baa.tar.xz nixlib-1ee5a5b6ed5d1ea9226bf32fdd2af276ae475baa.tar.zst nixlib-1ee5a5b6ed5d1ea9226bf32fdd2af276ae475baa.zip |
nixos/sysctl: Enable Yama by default
Yama is a LSM which restricts debugging. This prevents processes from snooping on another. It can be easily disabled with sysctl. This was initially included in #14392 and disabled by default by 86721a5f78718caf10c578e9501f8b4d19c0eb44. This has been part of the hardened configuration, but many other distros ship this for quite some time (Ubuntu for about ten years), so I'd say it might make sense to enable this per default.
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2311.section.md | 4 | ||||
-rw-r--r-- | nixos/modules/config/sysctl.nix | 3 | ||||
-rw-r--r-- | nixos/modules/profiles/hardened.nix | 4 |
3 files changed, 4 insertions, 7 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md index 9a682077230c..5dec5f54cd06 100644 --- a/nixos/doc/manual/release-notes/rl-2311.section.md +++ b/nixos/doc/manual/release-notes/rl-2311.section.md @@ -285,6 +285,10 @@ - Package `cloud-sql-proxy` was renamed to `google-cloud-sql-proxy` as it cannot be used with other cloud providers.; +- The Yama LSM is now enabled by default in the kernel, which prevents ptracing non-child processes. + This means you will not be able to attach gdb to an existing process, but will need to start that process from gdb (so it is a child). + Or you can set `boot.kernel.sysctl."kernel.yama.ptrace_scope"` to 0. + - Package `pash` was removed due to being archived upstream. Use `powershell` as an alternative. - `security.sudo.extraRules` now includes `root`'s default rule, with ordering diff --git a/nixos/modules/config/sysctl.nix b/nixos/modules/config/sysctl.nix index 0bc7ab9667f9..452c050b6dda 100644 --- a/nixos/modules/config/sysctl.nix +++ b/nixos/modules/config/sysctl.nix @@ -69,9 +69,6 @@ in # users as these make it easier to exploit kernel vulnerabilities. boot.kernel.sysctl."kernel.kptr_restrict" = mkDefault 1; - # Disable YAMA by default to allow easy debugging. - boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkDefault 0; - # Improve compatibility with applications that allocate # a lot of memory, like modern games boot.kernel.sysctl."vm.max_map_count" = mkDefault 1048576; diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index 856ee480fc0b..74dc2cb1b9aa 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -79,10 +79,6 @@ with lib; "ufs" ]; - # Restrict ptrace() usage to processes with a pre-defined relationship - # (e.g., parent/child) - boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1; - # Hide kptrs even for processes with CAP_SYSLOG boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2; |