summaryrefslogtreecommitdiffstats
path: root/sysctl.d
diff options
context:
space:
mode:
Diffstat (limited to 'sysctl.d')
-rw-r--r--sysctl.d/50-coredump.conf.in37
-rw-r--r--sysctl.d/50-default.conf56
-rw-r--r--sysctl.d/50-pid-max.conf16
-rw-r--r--sysctl.d/README8
-rw-r--r--sysctl.d/meson.build25
5 files changed, 142 insertions, 0 deletions
diff --git a/sysctl.d/50-coredump.conf.in b/sysctl.d/50-coredump.conf.in
new file mode 100644
index 0000000..90c080b
--- /dev/null
+++ b/sysctl.d/50-coredump.conf.in
@@ -0,0 +1,37 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# See sysctl.d(5) for the description of the files in this directory.
+
+# Pipe the core file to systemd-coredump. The systemd-coredump process spawned
+# by the kernel will start a second copy of itself as the
+# systemd-coredump@.service, which will do the actual processing and storing of
+# the core dump.
+#
+# See systemd-coredump(8) and core(5).
+kernel.core_pattern=|{{LIBEXECDIR}}/systemd-coredump %P %u %g %s %t %c %h
+
+# Allow 16 coredumps to be dispatched in parallel by the kernel.
+# We collect metadata from /proc/%P/, and thus need to make sure the crashed
+# processes are not reaped until we have finished collecting what we need. The
+# kernel default for this sysctl is "0" which means the kernel doesn't wait for
+# userspace to finish processing before reaping the crashed processes. With a
+# higher setting the kernel will delay reaping until we are done, but only for
+# the specified number of crashes in parallel. The value of 16 is chosen to
+# match systemd-coredump.socket's MaxConnections= value.
+kernel.core_pipe_limit=16
+
+# Also dump processes executing a set-user-ID/set-group-ID program that is
+# owned by a user/group other than the real user/group ID of the process, or
+# a program that has file capabilities. ("2" is called "suidsafe" in core(5)).
+#
+# systemd-coredump will store the core file owned by the effective uid and gid
+# of the running process (and not the filesystem-user-ID which the kernel uses
+# when saving a core dump).
+#
+# See proc(5), setuid(2), capabilities(7).
+fs.suid_dumpable=2
diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf
new file mode 100644
index 0000000..69de91a
--- /dev/null
+++ b/sysctl.d/50-default.conf
@@ -0,0 +1,56 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# See sysctl.d(5) and core(5) for documentation.
+
+# To override settings in this file, create a local file in /etc
+# (e.g. /etc/sysctl.d/90-override.conf), and put any assignments
+# there.
+
+# System Request functionality of the kernel (SYNC)
+#
+# Use kernel.sysrq = 1 to allow all keys.
+# See https://docs.kernel.org/admin-guide/sysrq.html for a list
+# of values and keys.
+kernel.sysrq = 16
+
+# Append the PID to the core filename
+kernel.core_uses_pid = 1
+
+# Source route verification
+net.ipv4.conf.default.rp_filter = 2
+net.ipv4.conf.*.rp_filter = 2
+-net.ipv4.conf.all.rp_filter
+
+# Do not accept source routing
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.conf.*.accept_source_route = 0
+-net.ipv4.conf.all.accept_source_route
+
+# Promote secondary addresses when the primary address is removed
+net.ipv4.conf.default.promote_secondaries = 1
+net.ipv4.conf.*.promote_secondaries = 1
+-net.ipv4.conf.all.promote_secondaries
+
+# ping(8) without CAP_NET_ADMIN and CAP_NET_RAW
+# The upper limit is set to 2^31-1. Values greater than that get rejected by
+# the kernel because of this definition in linux/include/net/ping.h:
+# #define GID_T_MAX (((gid_t)~0U) >> 1)
+# That's not so bad because values between 2^31 and 2^32-1 are reserved on
+# systemd-based systems anyway: https://systemd.io/UIDS-GIDS#summary
+-net.ipv4.ping_group_range = 0 2147483647
+
+# Fair Queue CoDel packet scheduler to fight bufferbloat
+-net.core.default_qdisc = fq_codel
+
+# Enable hard and soft link protection
+fs.protected_hardlinks = 1
+fs.protected_symlinks = 1
+
+# Enable regular file and FIFO protection
+fs.protected_regular = 1
+fs.protected_fifos = 1
diff --git a/sysctl.d/50-pid-max.conf b/sysctl.d/50-pid-max.conf
new file mode 100644
index 0000000..2beaf48
--- /dev/null
+++ b/sysctl.d/50-pid-max.conf
@@ -0,0 +1,16 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# See sysctl.d(5) and core(5) for documentation.
+
+# To override settings in this file, create a local file in /etc
+# (e.g. /etc/sysctl.d/90-override.conf), and put any assignments
+# there.
+
+# Bump the numeric PID range to make PID collisions less likely.
+# 2^22 and 2^15 is possible maximum of 64bit and 32bit kernels respectively.
+kernel.pid_max = 4194304
diff --git a/sysctl.d/README b/sysctl.d/README
new file mode 100644
index 0000000..ab216b1
--- /dev/null
+++ b/sysctl.d/README
@@ -0,0 +1,8 @@
+Files in this directory contain configuration for systemd-sysctl.service, a
+service to configure sysctl kernel parameters.
+
+See man:sysctl.d(5) for explanation of the configuration file format, and
+man:sysctl(8) and man:systemd-sysctl.service(8) for a description of when and
+how this configuration is applied.
+
+Use 'systemd-analyze cat-config sysctl.d' to display the effective config.
diff --git a/sysctl.d/meson.build b/sysctl.d/meson.build
new file mode 100644
index 0000000..909baa2
--- /dev/null
+++ b/sysctl.d/meson.build
@@ -0,0 +1,25 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+install_data(
+ 'README',
+ '50-default.conf',
+ install_dir : sysctldir)
+
+# Kernel determines PID_MAX_LIMIT by
+# #define PID_MAX_LIMIT (CONFIG_BASE_SMALL ? PAGE_SIZE * 8 : \
+# (sizeof(long) > 4 ? 4 * 1024 * 1024 : PID_MAX_DEFAULT))
+if cc.sizeof('long') > 4
+ install_data('50-pid-max.conf', install_dir : sysctldir)
+endif
+
+custom_target(
+ '50-coredump.conf',
+ input : '50-coredump.conf.in',
+ output : '50-coredump.conf',
+ command : [jinja2_cmdline, '@INPUT@', '@OUTPUT@'],
+ install : conf.get('ENABLE_COREDUMP') == 1,
+ install_dir : sysctldir)
+
+if install_sysconfdir
+ install_emptydir(sysconfdir / 'sysctl.d')
+endif