diff options
author | Florian Klink <flokli@flokli.de> | 2019-08-11 13:32:24 +0200 |
---|---|---|
committer | Florian Klink <flokli@flokli.de> | 2019-08-18 17:54:26 +0200 |
commit | 9be0327a4975e219957d5108b3753a7640c4a9e0 (patch) | |
tree | f264e6c231f25fcf660af8997e665e78704fc3cb /nixos | |
parent | e5965bd4897310d1f99ad75f51ef99f1f0e2c274 (diff) | |
download | nixlib-9be0327a4975e219957d5108b3753a7640c4a9e0.tar nixlib-9be0327a4975e219957d5108b3753a7640c4a9e0.tar.gz nixlib-9be0327a4975e219957d5108b3753a7640c4a9e0.tar.bz2 nixlib-9be0327a4975e219957d5108b3753a7640c4a9e0.tar.lz nixlib-9be0327a4975e219957d5108b3753a7640c4a9e0.tar.xz nixlib-9be0327a4975e219957d5108b3753a7640c4a9e0.tar.zst nixlib-9be0327a4975e219957d5108b3753a7640c4a9e0.zip |
nixos/systemd: install sysctl snippets
systemd provides two sysctl snippets, 50-coredump.conf and 50-default.conf. These enable: - Loose reverse path filtering - Source route filtering - `fq_codel` as a packet scheduler (this helps to fight bufferbloat) This also configures the kernel to pass coredumps to `systemd-coredump`. These sysctl snippets can be found in `/etc/sysctl.d/50-*.conf`, and overridden via `boot.kernel.sysctl` (which will place the parameters in `/etc/sysctl.d/60-nixos.conf`. Let's start using these, like other distros already do for quite some time, and remove those duplicate `boot.kernel.sysctl` options we previously did set. In the case of rp_filter (which systemd would set to 2 (loose)), make our overrides to "1" more explicit.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-1909.xml | 24 | ||||
-rw-r--r-- | nixos/modules/config/sysctl.nix | 6 | ||||
-rw-r--r-- | nixos/modules/profiles/hardened.nix | 16 | ||||
-rw-r--r-- | nixos/modules/system/boot/systemd.nix | 4 | ||||
-rw-r--r-- | nixos/modules/virtualisation/google-compute-config.nix | 10 |
5 files changed, 35 insertions, 25 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1909.xml b/nixos/doc/manual/release-notes/rl-1909.xml index 4fe82e10ae6d..e63a6d10a86a 100644 --- a/nixos/doc/manual/release-notes/rl-1909.xml +++ b/nixos/doc/manual/release-notes/rl-1909.xml @@ -444,6 +444,30 @@ two-digit number and a dash to simplify the ordering of the files. </para> </listitem> + <listitem> + <para> + We now install the sysctl snippets shipped with systemd. + <itemizedlist> + <para>This enables:</para> + <listitem> + <para>Loose reverse path filtering</para> + </listitem> + <listitem> + <para>Source route filtering</para> + </listitem> + <listitem> + <para> + <literal>fq_codel</literal> as a packet scheduler (this helps to fight bufferbloat) + </para> + </listitem> + </itemizedlist> + + This also configures the kernel to pass coredumps to <literal>systemd-coredump</literal>. + These sysctl snippets can be found in <literal>/etc/sysctl.d/50-*.conf</literal>, + and overridden via <link linkend="opt-boot.kernel.sysctl">boot.kernel.sysctl</link> + (which will place the parameters in <literal>/etc/sysctl.d/60-nixos.conf</literal>). + </para> + </listitem> </itemizedlist> </section> </section> diff --git a/nixos/modules/config/sysctl.nix b/nixos/modules/config/sysctl.nix index 112e5e744d4c..fb2b58eed720 100644 --- a/nixos/modules/config/sysctl.nix +++ b/nixos/modules/config/sysctl.nix @@ -52,12 +52,6 @@ in restartTriggers = [ config.environment.etc."sysctl.d/60-nixos.conf".source ]; }; - # Enable hardlink and symlink restrictions. See - # https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=800179c9b8a1e796e441674776d11cd4c05d61d7 - # for details. - boot.kernel.sysctl."fs.protected_hardlinks" = true; - boot.kernel.sysctl."fs.protected_symlinks" = true; - # Hide kernel pointers (e.g. in /proc/modules) for unprivileged # users as these make it easier to exploit kernel vulnerabilities. boot.kernel.sysctl."kernel.kptr_restrict" = 1; diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index 3ff9a2b4fde0..46417579352c 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -95,23 +95,17 @@ with lib; # Disable ftrace debugging boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false; - # Enable reverse path filtering (that is, do not attempt to route packets - # that "obviously" do not belong to the iface's network; dropped packets are - # logged as martians). + # Enable strict reverse path filtering (that is, do not attempt to route + # packets that "obviously" do not belong to the iface's network; dropped + # packets are logged as martians). boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true; - boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault true; + boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1"; boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true; - boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault true; + boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault "1"; # Ignore broadcast ICMP (mitigate SMURF) boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true; - # Ignore route information from sender - boot.kernel.sysctl."net.ipv4.conf.all.accept_source_route" = mkDefault false; - boot.kernel.sysctl."net.ipv4.conf.default.accept_source_route" = mkDefault false; - boot.kernel.sysctl."net.ipv6.conf.all.accept_source_route" = mkDefault false; - boot.kernel.sysctl."net.ipv6.conf.default.accept_source_route" = mkDefault false; - # Ignore incoming ICMP redirects (note: default is needed to ensure that the # setting is applied to interfaces added after the sysctls are set) boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false; diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index 1914827d0e5d..e84b1ffbfc14 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -831,6 +831,10 @@ in [Sleep] ''; + # install provided sysctl snippets + "sysctl.d/50-coredump.conf".source = "${systemd}/example/sysctl.d/50-coredump.conf"; + "sysctl.d/50-default.conf".source = "${systemd}/example/sysctl.d/50-default.conf"; + "tmpfiles.d/systemd.conf".source = "${systemd}/example/tmpfiles.d/systemd.conf"; "tmpfiles.d/x11.conf".source = "${systemd}/example/tmpfiles.d/x11.conf"; diff --git a/nixos/modules/virtualisation/google-compute-config.nix b/nixos/modules/virtualisation/google-compute-config.nix index 5c59188b68b2..79766970c757 100644 --- a/nixos/modules/virtualisation/google-compute-config.nix +++ b/nixos/modules/virtualisation/google-compute-config.nix @@ -159,12 +159,6 @@ in # functionality/features (e.g. TCP Window scaling). "net.ipv4.tcp_syncookies" = mkDefault "1"; - # ignores source-routed packets - "net.ipv4.conf.all.accept_source_route" = mkDefault "0"; - - # ignores source-routed packets - "net.ipv4.conf.default.accept_source_route" = mkDefault "0"; - # ignores ICMP redirects "net.ipv4.conf.all.accept_redirects" = mkDefault "0"; @@ -186,10 +180,10 @@ in # don't allow traffic between networks or act as a router "net.ipv4.conf.default.send_redirects" = mkDefault "0"; - # reverse path filtering - IP spoofing protection + # strict reverse path filtering - IP spoofing protection "net.ipv4.conf.all.rp_filter" = mkDefault "1"; - # reverse path filtering - IP spoofing protection + # strict path filtering - IP spoofing protection "net.ipv4.conf.default.rp_filter" = mkDefault "1"; # ignores ICMP broadcasts to avoid participating in Smurf attacks |