diff options
| author | Niklas Sombert <niklas@ytvwld.de> | 2023-09-19 18:21:18 +0200 |
|---|---|---|
| committer | Niklas Sombert <niklas@ytvwld.de> | 2023-10-19 21:44:12 +0200 |
| commit | 1ee5a5b6ed5d1ea9226bf32fdd2af276ae475baa (patch) | |
| tree | 46e59fc4126e136b5d35220540cc18ef9747adbb /nixos/modules/config | |
| parent | 2e7758c1187c4afc7a90332ff6a396555c276f3b (diff) | |
| download | nixlib-1ee5a5b6ed5d1ea9226bf32fdd2af276ae475baa.tar nixlib-1ee5a5b6ed5d1ea9226bf32fdd2af276ae475baa.tar.gz nixlib-1ee5a5b6ed5d1ea9226bf32fdd2af276ae475baa.tar.bz2 nixlib-1ee5a5b6ed5d1ea9226bf32fdd2af276ae475baa.tar.lz nixlib-1ee5a5b6ed5d1ea9226bf32fdd2af276ae475baa.tar.xz nixlib-1ee5a5b6ed5d1ea9226bf32fdd2af276ae475baa.tar.zst nixlib-1ee5a5b6ed5d1ea9226bf32fdd2af276ae475baa.zip | |
nixos/sysctl: Enable Yama by default
Yama is a LSM which restricts debugging. This prevents processes from snooping on another. It can be easily disabled with sysctl. This was initially included in #14392 and disabled by default by 86721a5f78718caf10c578e9501f8b4d19c0eb44. This has been part of the hardened configuration, but many other distros ship this for quite some time (Ubuntu for about ten years), so I'd say it might make sense to enable this per default.
Diffstat (limited to 'nixos/modules/config')
| -rw-r--r-- | nixos/modules/config/sysctl.nix | 3 |
1 files changed, 0 insertions, 3 deletions
diff --git a/nixos/modules/config/sysctl.nix b/nixos/modules/config/sysctl.nix index 0bc7ab9667f9..452c050b6dda 100644 --- a/nixos/modules/config/sysctl.nix +++ b/nixos/modules/config/sysctl.nix @@ -69,9 +69,6 @@ in # users as these make it easier to exploit kernel vulnerabilities. boot.kernel.sysctl."kernel.kptr_restrict" = mkDefault 1; - # Disable YAMA by default to allow easy debugging. - boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkDefault 0; - # Improve compatibility with applications that allocate # a lot of memory, like modern games boot.kernel.sysctl."vm.max_map_count" = mkDefault 1048576; |