diff options
Diffstat (limited to 'sysctl.d')
| -rw-r--r-- | sysctl.d/50-coredump.conf.in | 38 | ||||
| -rw-r--r-- | sysctl.d/50-default.conf | 56 | ||||
| -rw-r--r-- | sysctl.d/50-pid-max.conf | 16 | ||||
| -rw-r--r-- | sysctl.d/meson.build | 32 |
4 files changed, 142 insertions, 0 deletions
diff --git a/sysctl.d/50-coredump.conf.in b/sysctl.d/50-coredump.conf.in new file mode 100644 index 0000000..4338756 --- /dev/null +++ b/sysctl.d/50-coredump.conf.in @@ -0,0 +1,38 @@ +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +# See sysctl.d(5) for the description of the files in this directory. + +# Pipe the core file to systemd-coredump. The systemd-coredump process spawned +# by the kernel will start a second copy of itself as the +# systemd-coredump@.service, which will do the actual processing and storing of +# the core dump. +# +# See systemd-coredump(8) and core(5). +kernel.core_pattern=|@rootlibexecdir@/systemd-coredump %P %u %g %s %t %c %h + +# Allow that 16 coredumps are dispatched in parallel by the kernel. We want to +# be able to collect process metadata from /proc/%P/ while processing +# coredumps, and thus need to make sure the crashed processes are not reaped +# until we finished collecting what we need. The kernel default for this sysctl +# is "0" which means the kernel doesn't wait for userspace processes to finish +# processing before reaping the crashed processes — by setting this higher the +# kernel will delay reaping until we are done, but only for the specified +# number of crashes in parallel. The value of 16 is chosen to match +# systemd-coredump.socket's MaxConnections= value. +kernel.core_pipe_limit=16 + +# Also dump processes executing a set-user-ID/set-group-ID program that is +# owned by a user/group other than the real user/group ID of the process, or +# a program that has file capabilities. ("2" is called "suidsafe" in core(5)). +# +# systemd-coredump will store the core file owned by the effective uid and gid +# of the running process (and not the filesystem-user-ID which the kernel uses +# when saving a core dump). +# +# See proc(5), setuid(2), capabilities(7). +fs.suid_dumpable=2 diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf new file mode 100644 index 0000000..14378b2 --- /dev/null +++ b/sysctl.d/50-default.conf @@ -0,0 +1,56 @@ +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +# See sysctl.d(5) and core(5) for documentation. + +# To override settings in this file, create a local file in /etc +# (e.g. /etc/sysctl.d/90-override.conf), and put any assignments +# there. + +# System Request functionality of the kernel (SYNC) +# +# Use kernel.sysrq = 1 to allow all keys. +# See https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html for a list +# of values and keys. +kernel.sysrq = 16 + +# Append the PID to the core filename +kernel.core_uses_pid = 1 + +# Source route verification +net.ipv4.conf.default.rp_filter = 2 +net.ipv4.conf.*.rp_filter = 2 +-net.ipv4.conf.all.rp_filter + +# Do not accept source routing +net.ipv4.conf.default.accept_source_route = 0 +net.ipv4.conf.*.accept_source_route = 0 +-net.ipv4.conf.all.accept_source_route + +# Promote secondary addresses when the primary address is removed +net.ipv4.conf.default.promote_secondaries = 1 +net.ipv4.conf.*.promote_secondaries = 1 +-net.ipv4.conf.all.promote_secondaries + +# ping(8) without CAP_NET_ADMIN and CAP_NET_RAW +# The upper limit is set to 2^31-1. Values greater than that get rejected by +# the kernel because of this definition in linux/include/net/ping.h: +# #define GID_T_MAX (((gid_t)~0U) >> 1) +# That's not so bad because values between 2^31 and 2^32-1 are reserved on +# systemd-based systems anyway: https://systemd.io/UIDS-GIDS.html#summary +-net.ipv4.ping_group_range = 0 2147483647 + +# Fair Queue CoDel packet scheduler to fight bufferbloat +net.core.default_qdisc = fq_codel + +# Enable hard and soft link protection +fs.protected_hardlinks = 1 +fs.protected_symlinks = 1 + +# Enable regular file and FIFO protection +fs.protected_regular = 1 +fs.protected_fifos = 1 diff --git a/sysctl.d/50-pid-max.conf b/sysctl.d/50-pid-max.conf new file mode 100644 index 0000000..1eff2d7 --- /dev/null +++ b/sysctl.d/50-pid-max.conf @@ -0,0 +1,16 @@ +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +# See sysctl.d(5) and core(5) for documentation. + +# To override settings in this file, create a local file in /etc +# (e.g. /etc/sysctl.d/90-override.conf), and put any assignments +# there. + +# Bump the numeric PID range to its maximum of 2^22 (from the in-kernel default +# of 2^16), to make PID collisions less likely. +kernel.pid_max = 4194304 diff --git a/sysctl.d/meson.build b/sysctl.d/meson.build new file mode 100644 index 0000000..e8d8fc8 --- /dev/null +++ b/sysctl.d/meson.build @@ -0,0 +1,32 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +install_data( + '50-default.conf', + install_dir : sysctldir) + +in_files = [] + +# Kernel determines PID_MAX_LIMIT by +# #define PID_MAX_LIMIT (CONFIG_BASE_SMALL ? PAGE_SIZE * 8 : \ +# (sizeof(long) > 4 ? 4 * 1024 * 1024 : PID_MAX_DEFAULT)) +if cc.sizeof('long') > 4 + install_data('50-pid-max.conf', install_dir : sysctldir) +endif + +if conf.get('ENABLE_COREDUMP') == 1 + in_files += ['50-coredump.conf'] +endif + +foreach file : in_files + gen = configure_file( + input : file + '.in', + output : file, + configuration : substs) + install_data(gen, + install_dir : sysctldir) +endforeach + +if install_sysconfdir + meson.add_install_script('sh', '-c', + mkdir_p.format(join_paths(sysconfdir, 'sysctl.d'))) +endif |