authorFlorian Klink <flokli@flokli.de>2019-08-19 16:32:00 +0200
committerGitHub <noreply@github.com>2019-08-19 16:32:00 +0200
commit93a03177f25d86757d484340c51745b66a88ffc6 (patch)
treed722ae814254f6e97ed67ce46b4587bf0934ec0d /nixos/modules
parentb8bee5c9b822b86731f847736b3071192bc05c31 (diff)
parent8e923dfe36c9dea007f8ff709be3d47e5d5ef8e1 (diff)
Merge pull request #66482 from flokli/systemd-sysctl
nixos/systemd: install sysctl snippets
Diffstat (limited to 'nixos/modules')
-rw-r--r--nixos/modules/config/sysctl.nix10
-rw-r--r--nixos/modules/module-list.nix1
-rw-r--r--nixos/modules/profiles/hardened.nix16
-rw-r--r--nixos/modules/rename.nix1
-rw-r--r--nixos/modules/system/boot/coredump.nix66
-rw-r--r--nixos/modules/system/boot/systemd.nix25
-rw-r--r--nixos/modules/virtualisation/google-compute-config.nix10
7 files changed, 35 insertions, 94 deletions
diff --git a/nixos/modules/config/sysctl.nix b/nixos/modules/config/sysctl.nix
index 0c6a7e2431aa..fb2b58eed720 100644
--- a/nixos/modules/config/sysctl.nix
+++ b/nixos/modules/config/sysctl.nix
@@ -42,22 +42,16 @@ in
 
   config = {
 
-    environment.etc."sysctl.d/nixos.conf".text =
+    environment.etc."sysctl.d/60-nixos.conf".text =
       concatStrings (mapAttrsToList (n: v:
         optionalString (v != null) "${n}=${if v == false then "0" else toString v}\n"
       ) config.boot.kernel.sysctl);
 
     systemd.services.systemd-sysctl =
       { wantedBy = [ "multi-user.target" ];
-        restartTriggers = [ config.environment.etc."sysctl.d/nixos.conf".source ];
+        restartTriggers = [ config.environment.etc."sysctl.d/60-nixos.conf".source ];
       };
 
-    # Enable hardlink and symlink restrictions.  See
-    # https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=800179c9b8a1e796e441674776d11cd4c05d61d7
-    # for details.
-    boot.kernel.sysctl."fs.protected_hardlinks" = true;
-    boot.kernel.sysctl."fs.protected_symlinks" = true;
-
     # Hide kernel pointers (e.g. in /proc/modules) for unprivileged
     # users as these make it easier to exploit kernel vulnerabilities.
     boot.kernel.sysctl."kernel.kptr_restrict" = 1;
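Review bot: The `60-` prefix on the renamed `sysctl.d/60-nixos.conf` entry is the only thing that makes the NixOS values win over the `50-*` snippets now installed from the systemd package, and the removal of `fs.protected_hardlinks`/`fs.protected_symlinks` leaves no statement in this file of where that protection now comes from. Suggest a comment above the `environment.etc` entry: `# Named 60-* so it is applied after (and overrides) the 50-* sysctl snippets installed from the systemd package; fs.protected_{hard,sym}links are now expected from systemd's 50-default.conf.` Whether the systemd version in use actually sets both keys in its 50-default.conf is not visible on this page and should be confirmed, since a version that drops or renames them would silently lose the restriction. The enclosing `config = {` attrset continues past the hunk.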
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index e5f29a4eb582..bcf1f38ac8d2 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -863,7 +863,6 @@
   ./system/activation/activation-script.nix
   ./system/activation/top-level.nix
   ./system/boot/binfmt.nix
-  ./system/boot/coredump.nix
   ./system/boot/emergency-mode.nix
   ./system/boot/grow-partition.nix
   ./system/boot/initrd-network.nix
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index 3ff9a2b4fde0..46417579352c 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -95,23 +95,17 @@ with lib;
   # Disable ftrace debugging
   boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false;
 
-  # Enable reverse path filtering (that is, do not attempt to route packets
-  # that "obviously" do not belong to the iface's network; dropped packets are
-  # logged as martians).
+  # Enable strict reverse path filtering (that is, do not attempt to route
+  # packets that "obviously" do not belong to the iface's network; dropped
+  # packets are logged as martians).
   boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true;
-  boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault true;
+  boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1";
   boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true;
-  boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault true;
+  boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault "1";
 
   # Ignore broadcast ICMP (mitigate SMURF)
   boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;
 
-  # Ignore route information from sender
-  boot.kernel.sysctl."net.ipv4.conf.all.accept_source_route" = mkDefault false;
-  boot.kernel.sysctl."net.ipv4.conf.default.accept_source_route" = mkDefault false;
-  boot.kernel.sysctl."net.ipv6.conf.all.accept_source_route" = mkDefault false;
-  boot.kernel.sysctl."net.ipv6.conf.default.accept_source_route" = mkDefault false;
-
   # Ignore incoming ICMP redirects (note: default is needed to ensure that the
   # setting is applied to interfaces added after the sysctls are set)
   boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false;
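Review bot: The two IPv6 `accept_source_route` pins removed in this hunk have no replacement anywhere in this diff; the IPv4 ones are presumably covered by systemd's 50-default.conf, but as far as I know that snippet does not touch the IPv6 keys, so the hardened profile now relies on the kernel default for them instead of pinning, and `boot.kernel.sysctl."net.ipv6.conf.all.accept_source_route" = mkDefault false;` and `boot.kernel.sysctl."net.ipv6.conf.default.accept_source_route" = mkDefault false;` should stay. Separately, for `rp_filter` the kernel uses the maximum of the `all` and per-interface values, so if the installed 50-default.conf sets a per-interface value of 2 (loose), writing strict `"1"` for `all`/`default` in 60-nixos.conf does not make interfaces that already exist strict; worth checking the snippet shipped by the systemd version in use. Changing `mkDefault true` to `mkDefault "1"` is value-neutral given how sysctl.nix renders booleans, so the "strict" wording in the comment is the only semantic signal of intent here.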
diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix
index 3ea139fc5ce4..e32fa6fded4a 100644
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@@ -226,6 +226,7 @@ with lib;
     (mkRemovedOptionModule [ "services" "mysql" "rootPassword" ] "Use socket authentication or set the password outside of the nix store.")
     (mkRemovedOptionModule [ "services" "zabbixServer" "dbPassword" ] "Use services.zabbixServer.database.passwordFile instead.")
     (mkRemovedOptionModule [ "systemd" "generator-packages" ] "Use systemd.packages instead.")
+    (mkRemovedOptionModule [ "systemd" "coredump" "enable" ] "Enabled by default. Set boot.kernel.sysctl.\"kernel.core_pattern\" = \"core\"; to disable.")
 
     # ZSH
     (mkRenamedOptionModule [ "programs" "zsh" "enableSyntaxHighlighting" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ])
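Review bot: The removal message's recipe for disabling core dumps is incomplete now that systemd.nix sets `DefaultLimitCORE=infinity` unconditionally (the deleted coredump.nix paired `core_pattern = "core"` with `DefaultLimitCORE=0:infinity`): a user who follows it stops the pipe to systemd-coredump but leaves every crashed service free to write an unlimited `core` file into its working directory, rather than getting no dump at all. Suggest extending the message, e.g. `"Enabled by default. To disable, set boot.kernel.sysctl.\"kernel.core_pattern\" = \"core\"; and systemd.extraConfig = \"DefaultLimitCORE=0:infinity\";"` (or `DefaultLimitCORE=0` for a hard off). The same concern applies to the `DefaultLimitCORE=infinity` line added in the systemd.nix section. Whether a file actually lands on disk depends on each unit's working directory being writable, so the outcome varies per service.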
diff --git a/nixos/modules/system/boot/coredump.nix b/nixos/modules/system/boot/coredump.nix
deleted file mode 100644
index 30f367da7666..000000000000
--- a/nixos/modules/system/boot/coredump.nix
+++ /dev/null
@@ -1,66 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-{
-
-  options = {
-
-    systemd.coredump = {
-
-      enable = mkOption {
-        default = false;
-        type = types.bool;
-        description = ''
-          Enables storing core dumps in systemd.
-          Note that this alone is not enough to enable core dumps. The maximum
-          file size for core dumps must be specified in limits.conf as well. See
-          <option>security.pam.loginLimits</option> and the limits.conf(5)
-          man page (these specify the core dump limits for user login sessions)
-          and <option>systemd.extraConfig</option> (where e.g.
-          <literal>DefaultLimitCORE=1000000</literal> can be specified to set
-          the core dump limit for systemd system-level services).
-        '';
-      };
-
-      extraConfig = mkOption {
-        default = "";
-        type = types.lines;
-        example = "Storage=journal";
-        description = ''
-          Extra config options for systemd-coredump. See coredump.conf(5) man page
-          for available options.
-        '';
-      };
-    };
-
-  };
-
-  config = mkMerge [
-    (mkIf config.systemd.coredump.enable {
-
-      systemd.additionalUpstreamSystemUnits = [ "systemd-coredump.socket" "systemd-coredump@.service" ];
-
-      environment.etc."systemd/coredump.conf".text =
-        ''
-          [Coredump]
-          ${config.systemd.coredump.extraConfig}
-        '';
-
-      # Have the kernel pass core dumps to systemd's coredump helper binary.
-      # From systemd's 50-coredump.conf file. See:
-      # <https://github.com/systemd/systemd/blob/v218/sysctl.d/50-coredump.conf.in>
-      boot.kernel.sysctl."kernel.core_pattern" = "|${pkgs.systemd}/lib/systemd/systemd-coredump %P %u %g %s %t %c %e";
-    })
-
-    (mkIf (!config.systemd.coredump.enable) {
-      boot.kernel.sysctl."kernel.core_pattern" = mkDefault "core";
-
-      systemd.extraConfig =
-        ''
-          DefaultLimitCORE=0:infinity
-        '';
-    })
-  ];
-
-}
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix
index 1914827d0e5d..23a2dd45d492 100644
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@@ -76,6 +76,10 @@ let
       "systemd-journald-dev-log.socket"
       "syslog.socket"
 
+      # Coredumps.
+      "systemd-coredump.socket"
+      "systemd-coredump@.service"
+
       # SysV init compatibility.
       "systemd-initctl.socket"
       "systemd-initctl.service"
@@ -540,6 +544,16 @@ in
       '';
     };
 
+    systemd.coredump.extraConfig = mkOption {
+      default = "";
+      type = types.lines;
+      example = "Storage=journal";
+      description = ''
+        Extra config options for systemd-coredump. See coredump.conf(5) man page
+        for available options.
+      '';
+    };
+
     systemd.extraConfig = mkOption {
       default = "";
       type = types.lines;
@@ -795,6 +809,7 @@ in
           DefaultMemoryAccounting=yes
           DefaultTasksAccounting=yes
         ''}
+        DefaultLimitCORE=infinity
         ${config.systemd.extraConfig}
       '';
 
@@ -818,6 +833,12 @@ in
         ${config.services.journald.extraConfig}
       '';
 
+      "systemd/coredump.conf".text =
+        ''
+          [Coredump]
+          ${config.systemd.coredump.extraConfig}
+        '';
+
       "systemd/logind.conf".text = ''
         [Login]
         KillUserProcesses=${if config.services.logind.killUserProcesses then "yes" else "no"}
@@ -831,6 +852,10 @@ in
         [Sleep]
       '';
 
+      # install provided sysctl snippets
+      "sysctl.d/50-coredump.conf".source = "${systemd}/example/sysctl.d/50-coredump.conf";
+      "sysctl.d/50-default.conf".source = "${systemd}/example/sysctl.d/50-default.conf";
+
       "tmpfiles.d/systemd.conf".source = "${systemd}/example/tmpfiles.d/systemd.conf";
       "tmpfiles.d/x11.conf".source = "${systemd}/example/tmpfiles.d/x11.conf";
 
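Review bot: The two sysctl snippets installed here are applied by `systemd-sysctl`, but that unit's `restartTriggers` (visible in the sysctl.nix hunk) only lists `sysctl.d/60-nixos.conf`, so a switch that changes the systemd package — and presumably the store path that 50-coredump.conf writes into `kernel.core_pattern` — does not re-run sysctl; the kernel would keep piping dumps to the previous generation's `systemd-coredump` until reboot, and to a missing path once that generation is garbage-collected. Suggest registering the snippets as triggers alongside the existing one, e.g. `systemd.services.systemd-sysctl.restartTriggers = [ "${systemd}/example/sysctl.d/50-coredump.conf" "${systemd}/example/sysctl.d/50-default.conf" ];`. This is inferred from the one restartTriggers line on this page; if systemd-sysctl is already restarted by another path on switch, the point is moot. The `environment.etc` attrset these entries sit in starts before the hunk.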
diff --git a/nixos/modules/virtualisation/google-compute-config.nix b/nixos/modules/virtualisation/google-compute-config.nix
index 5c59188b68b2..79766970c757 100644
--- a/nixos/modules/virtualisation/google-compute-config.nix
+++ b/nixos/modules/virtualisation/google-compute-config.nix
@@ -159,12 +159,6 @@ in
     # functionality/features (e.g. TCP Window scaling).
     "net.ipv4.tcp_syncookies" = mkDefault "1";
 
-    # ignores source-routed packets
-    "net.ipv4.conf.all.accept_source_route" = mkDefault "0";
-
-    # ignores source-routed packets
-    "net.ipv4.conf.default.accept_source_route" = mkDefault "0";
-
     # ignores ICMP redirects
     "net.ipv4.conf.all.accept_redirects" = mkDefault "0";
 
@@ -186,10 +180,10 @@ in
     # don't allow traffic between networks or act as a router
     "net.ipv4.conf.default.send_redirects" = mkDefault "0";
 
-    # reverse path filtering - IP spoofing protection
+    # strict reverse path filtering - IP spoofing protection
     "net.ipv4.conf.all.rp_filter" = mkDefault "1";
 
-    # reverse path filtering - IP spoofing protection
+    # strict path filtering - IP spoofing protection
     "net.ipv4.conf.default.rp_filter" = mkDefault "1";
 
     # ignores ICMP broadcasts to avoid participating in Smurf attacks
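Review bot: The reworded comment on the `net.ipv4.conf.default.rp_filter` line reads `# strict path filtering - IP spoofing protection`, dropping "reverse"; it should match the line above it: `# strict reverse path filtering - IP spoofing protection`. The removal of the two `accept_source_route` keys in this file's first hunk is presumably backed by the 50-default.conf installed in systemd.nix; for IPv4 the kernel requires `all` to be enabled before source routing is accepted, so an `all = 0` in that snippet suffices, but the snippet's content is not on this page and should be confirmed for the systemd version in use.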