diff options
Diffstat (limited to 'sysctl.d')
-rw-r--r-- | sysctl.d/50-coredump.conf.in | 37 | ||||
-rw-r--r-- | sysctl.d/50-default.conf | 56 | ||||
-rw-r--r-- | sysctl.d/50-pid-max.conf | 16 | ||||
-rw-r--r-- | sysctl.d/README | 8 | ||||
-rw-r--r-- | sysctl.d/meson.build | 25 |
5 files changed, 142 insertions, 0 deletions
diff --git a/sysctl.d/50-coredump.conf.in b/sysctl.d/50-coredump.conf.in new file mode 100644 index 0000000..90c080b --- /dev/null +++ b/sysctl.d/50-coredump.conf.in @@ -0,0 +1,37 @@ +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +# See sysctl.d(5) for the description of the files in this directory. + +# Pipe the core file to systemd-coredump. The systemd-coredump process spawned +# by the kernel will start a second copy of itself as the +# systemd-coredump@.service, which will do the actual processing and storing of +# the core dump. +# +# See systemd-coredump(8) and core(5). +kernel.core_pattern=|{{LIBEXECDIR}}/systemd-coredump %P %u %g %s %t %c %h + +# Allow 16 coredumps to be dispatched in parallel by the kernel. +# We collect metadata from /proc/%P/, and thus need to make sure the crashed +# processes are not reaped until we have finished collecting what we need. The +# kernel default for this sysctl is "0" which means the kernel doesn't wait for +# userspace to finish processing before reaping the crashed processes. With a +# higher setting the kernel will delay reaping until we are done, but only for +# the specified number of crashes in parallel. The value of 16 is chosen to +# match systemd-coredump.socket's MaxConnections= value. +kernel.core_pipe_limit=16 + +# Also dump processes executing a set-user-ID/set-group-ID program that is +# owned by a user/group other than the real user/group ID of the process, or +# a program that has file capabilities. ("2" is called "suidsafe" in core(5)). +# +# systemd-coredump will store the core file owned by the effective uid and gid +# of the running process (and not the filesystem-user-ID which the kernel uses +# when saving a core dump). +# +# See proc(5), setuid(2), capabilities(7). +fs.suid_dumpable=2 diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf new file mode 100644 index 0000000..69de91a --- /dev/null +++ b/sysctl.d/50-default.conf @@ -0,0 +1,56 @@ +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +# See sysctl.d(5) and core(5) for documentation. + +# To override settings in this file, create a local file in /etc +# (e.g. /etc/sysctl.d/90-override.conf), and put any assignments +# there. + +# System Request functionality of the kernel (SYNC) +# +# Use kernel.sysrq = 1 to allow all keys. +# See https://docs.kernel.org/admin-guide/sysrq.html for a list +# of values and keys. +kernel.sysrq = 16 + +# Append the PID to the core filename +kernel.core_uses_pid = 1 + +# Source route verification +net.ipv4.conf.default.rp_filter = 2 +net.ipv4.conf.*.rp_filter = 2 +-net.ipv4.conf.all.rp_filter + +# Do not accept source routing +net.ipv4.conf.default.accept_source_route = 0 +net.ipv4.conf.*.accept_source_route = 0 +-net.ipv4.conf.all.accept_source_route + +# Promote secondary addresses when the primary address is removed +net.ipv4.conf.default.promote_secondaries = 1 +net.ipv4.conf.*.promote_secondaries = 1 +-net.ipv4.conf.all.promote_secondaries + +# ping(8) without CAP_NET_ADMIN and CAP_NET_RAW +# The upper limit is set to 2^31-1. Values greater than that get rejected by +# the kernel because of this definition in linux/include/net/ping.h: +# #define GID_T_MAX (((gid_t)~0U) >> 1) +# That's not so bad because values between 2^31 and 2^32-1 are reserved on +# systemd-based systems anyway: https://systemd.io/UIDS-GIDS#summary +-net.ipv4.ping_group_range = 0 2147483647 + +# Fair Queue CoDel packet scheduler to fight bufferbloat +-net.core.default_qdisc = fq_codel + +# Enable hard and soft link protection +fs.protected_hardlinks = 1 +fs.protected_symlinks = 1 + +# Enable regular file and FIFO protection +fs.protected_regular = 1 +fs.protected_fifos = 1 diff --git a/sysctl.d/50-pid-max.conf b/sysctl.d/50-pid-max.conf new file mode 100644 index 0000000..2beaf48 --- /dev/null +++ b/sysctl.d/50-pid-max.conf @@ -0,0 +1,16 @@ +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +# See sysctl.d(5) and core(5) for documentation. + +# To override settings in this file, create a local file in /etc +# (e.g. /etc/sysctl.d/90-override.conf), and put any assignments +# there. + +# Bump the numeric PID range to make PID collisions less likely. +# 2^22 and 2^15 is possible maximum of 64bit and 32bit kernels respectively. +kernel.pid_max = 4194304 diff --git a/sysctl.d/README b/sysctl.d/README new file mode 100644 index 0000000..ab216b1 --- /dev/null +++ b/sysctl.d/README @@ -0,0 +1,8 @@ +Files in this directory contain configuration for systemd-sysctl.service, a +service to configure sysctl kernel parameters. + +See man:sysctl.d(5) for explanation of the configuration file format, and +man:sysctl(8) and man:systemd-sysctl.service(8) for a description of when and +how this configuration is applied. + +Use 'systemd-analyze cat-config sysctl.d' to display the effective config. diff --git a/sysctl.d/meson.build b/sysctl.d/meson.build new file mode 100644 index 0000000..909baa2 --- /dev/null +++ b/sysctl.d/meson.build @@ -0,0 +1,25 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +install_data( + 'README', + '50-default.conf', + install_dir : sysctldir) + +# Kernel determines PID_MAX_LIMIT by +# #define PID_MAX_LIMIT (CONFIG_BASE_SMALL ? PAGE_SIZE * 8 : \ +# (sizeof(long) > 4 ? 4 * 1024 * 1024 : PID_MAX_DEFAULT)) +if cc.sizeof('long') > 4 + install_data('50-pid-max.conf', install_dir : sysctldir) +endif + +custom_target( + '50-coredump.conf', + input : '50-coredump.conf.in', + output : '50-coredump.conf', + command : [jinja2_cmdline, '@INPUT@', '@OUTPUT@'], + install : conf.get('ENABLE_COREDUMP') == 1, + install_dir : sysctldir) + +if install_sysconfdir + install_emptydir(sysconfdir / 'sysctl.d') +endif |