refactor: split sysctl file

2024-02-04 12:52:08 -05:00 · 2024-02-04 12:52:08 -05:00 · 1b98ea698d
commit 1b98ea698d
parent f0d2e555ac
13 changed files with 346 additions and 127 deletions
--- a/common/nixos/sysctl/virtualization.nix
+++ b/common/nixos/sysctl/virtualization.nix
@ -0,0 +1,18 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  boot.kernel.sysctl = {
+    # do not allow mmap in lower addresses
+    "vm.mmap_min_addr" = 65536;
+
+    # improve mmap ASLR effectiveness
+    "vm.mmap_rnd_bits" = 32;
+    "vm.mmap_rnd_compat_bits" = 16;
+
+    # prevent unprivileged users from accessing userfaultfd
+    # restricts syscall to the privileged users or the CAP_SYS_PTRACE capability
+    "vm.unprivileged_userfaultfd" = 0;
+  };
+}