Commit 1ee5a5b6 authored by Niklas Sombert

nixos/sysctl: Enable Yama by default

Yama is an LSM which restricts debugging. This prevents processes from
snooping on one another. It can be easily disabled with sysctl.

This was initially included in #14392 and disabled by default by
86721a5f.

This has been part of the hardened configuration, but many other distros
have shipped this for quite some time (Ubuntu for about ten years), so I'd say
it might make sense to enable this by default.
parent 2e7758c1
+4 −0
@@ -285,6 +285,10 @@

- Package `cloud-sql-proxy` was renamed to `google-cloud-sql-proxy` as it cannot be used with other cloud providers.;

- The Yama LSM is now enabled by default in the kernel, which prevents ptracing non-child processes.
  This means you will not be able to attach gdb to an existing process, but will need to start that process from gdb (so it is a child).
  Or you can set `boot.kernel.sysctl."kernel.yama.ptrace_scope"` to 0.

- Package `pash` was removed due to being archived upstream. Use `powershell` as an alternative.

- `security.sudo.extraRules` now includes `root`'s default rule, with ordering
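Review bot: The wording "now enabled by default in the kernel" in the added release note is misleading about what this commit actually changes: the other hunks only remove NixOS's own `mkDefault 0` for `kernel.yama.ptrace_scope`, so the kernel's built-in Yama default (`ptrace_scope = 1`, the value the hardened profile used to set explicitly) now applies instead of being overridden. Suggest stating that directly, e.g. "NixOS no longer sets `kernel.yama.ptrace_scope` to 0, so the kernel's default of 1 now applies", and adding a sentence that users of the hardened profile see no behavioural change, since that profile already set the value to 1. The "set ... to 0" opt-out sentence is the right remedy to document and can stay as is.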
+0 −3
@@ -69,9 +69,6 @@ in
    # users as these make it easier to exploit kernel vulnerabilities.
    boot.kernel.sysctl."kernel.kptr_restrict" = mkDefault 1;

    # Disable YAMA by default to allow easy debugging.
    boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkDefault 0;

    # Improve compatibility with applications that allocate
    # a lot of memory, like modern games
    boot.kernel.sysctl."vm.max_map_count" = mkDefault 1048576;
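Review bot: Deleting the `kernel.yama.ptrace_scope` line leaves the effective value undocumented in this module and dependent on whatever the running kernel's Yama build default is, whereas every neighbouring sysctl here (`kernel.kptr_restrict`, `vm.max_map_count`) is set explicitly with a comment explaining why. Suggest replacing the removed pair with an explicit default rather than dropping it, e.g. `# Restrict ptrace() to child processes (Yama); set to 0 to allow attaching gdb to arbitrary processes.` followed by `boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkDefault 1;`, so the intent is visible in the module and users can still override it with `mkDefault` semantics as before.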
+0 −4
@@ -79,10 +79,6 @@ with lib;
    "ufs"
  ];

  # Restrict ptrace() usage to processes with a pre-defined relationship
  # (e.g., parent/child)
  boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;

  # Hide kptrs even for processes with CAP_SYSLOG
  boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;
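Review bot: Removing the hardened profile's `mkOverride 500 1` for `kernel.yama.ptrace_scope` means the profile no longer asserts this value at all and silently inherits whatever the base module or the kernel provides; if the base default is ever relaxed again (as it was in 86721a5f, referenced in the commit message), hardened systems would lose the restriction without any change to this file. The line directly below keeps an explicit `mkOverride 500 2` for `kernel.kptr_restrict` even though the base module sets a `mkDefault` for it, so for consistency suggest keeping `boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;` together with its "Restrict ptrace() usage" comment here.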