{ config, pkgs, ... }:

{
  # Filesystem-related kernel sysctls. NixOS renders these into a sysctl.d
  # fragment and applies them at boot; every value below is a fixed literal,
  # nothing here depends on `config` or `pkgs`.

  # Never write a core dump for a process that changed privilege level
  # (set-UID / set-GID / file-capability binaries). Such a dump can expose
  # privileged memory (key material, password hashes) to the unprivileged
  # user who triggered the crash.
  boot.kernel.sysctl."fs.suid_dumpable" = 0;

  # A hard link may only be created when the caller owns the target file, or
  # already has both read and write access to it. Stops an unprivileged user
  # from hard-linking a root-owned file into a world-writable directory and
  # waiting for a privileged process to write through it (TOCTOU).
  boot.kernel.sysctl."fs.protected_hardlinks" = 1;

  # Inside a world-writable sticky directory (/tmp, /var/tmp) a symlink is
  # only followed when the follower owns the link, or the directory owner
  # also owns the link. Defeats the classic /tmp symlink race against
  # privileged processes.
  boot.kernel.sysctl."fs.protected_symlinks" = 1;

  # Refuse O_CREAT opens of a FIFO (protected_fifos) or regular file
  # (protected_regular) that the opener does not own in a sticky
  # world-writable directory, unless the directory owner owns it too.
  # Level 2 extends the check to group-writable sticky directories as well.
  # Without this an attacker can plant a FIFO/file so that a privileged
  # writer blocks on, or writes into, something the attacker controls.
  boot.kernel.sysctl."fs.protected_fifos" = 2;
  boot.kernel.sysctl."fs.protected_regular" = 2;

  # System-wide ceiling on open file handles, set to the largest value the
  # sysctl accepts on a 64-bit kernel (0x7fffffffffffffff; a 32-bit kernel
  # tops out at 0x7fffffff). NOTE(review): this effectively removes the global
  # cap, so fd exhaustion by a runaway or malicious process is bounded only by
  # memory and by the per-process limits (fs.nr_open / RLIMIT_NOFILE) -- keep
  # those tight if this machine runs untrusted workloads. The old guidance to
  # size inode-max at 3-4x file-max refers to a sysctl that current kernels
  # no longer expose; inodes are reclaimed dynamically.
  boot.kernel.sysctl."fs.file-max" = 9223372036854775807;

  # Per-UID inotify watch limit, raised for editors, build tools and file-sync
  # daemons. Each watch costs kernel memory (on the order of 1 KiB on 64-bit;
  # the exact figure varies by kernel version), so a user exhausting all
  # 524288 watches can pin roughly 0.5 GiB.
  boot.kernel.sysctl."fs.inotify.max_user_watches" = 524288;
}