diff options
| author | Joachim Fasting <joachifm@fastmail.fm> | 2019-07-18 14:00:28 +0200 |
|---|---|---|
| committer | Joachim Fasting <joachifm@fastmail.fm> | 2019-08-15 18:43:34 +0200 |
| commit | da0b67c94650b4fc934316f958ddcc4e95d774bd (patch) | |
| tree | 2e9472f45477e6e76bda96555f350588f3b82864 /nixos/modules/profiles | |
| parent | 4b21d1ac8ca5f38a7c05d8f79418858afe628933 (diff) | |
nixos-hardened: disable unprivileged userfaultfd syscalls
New in 5.2 [1]
[1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cefdca0a86be517bc390fc4541e3674b8e7803b0
Diffstat (limited to 'nixos/modules/profiles')
| -rw-r--r-- | nixos/modules/profiles/hardened.nix | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index 139ced1e53b..3ff9a2b4fde 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -124,4 +124,7 @@ with lib; # Ignore outgoing ICMP redirects (this is ipv4 only) boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = mkDefault false; boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = mkDefault false; + + # Restrict userfaultfd syscalls to processes with the SYS_PTRACE capability + boot.kernel.sysctl."vm.unprivileged_userfaultfd" = mkDefault false; } |