From 1ee5a5b6ed5d1ea9226bf32fdd2af276ae475baa Mon Sep 17 00:00:00 2001
From: Niklas Sombert
Date: Tue, 19 Sep 2023 18:21:18 +0200
Subject: nixos/sysctl: Enable Yama by default

Yama is a LSM which restricts debugging. This prevents processes from snooping on another. It can be easily disabled with sysctl. This was initially included in #14392 and disabled by default by 86721a5f78718caf10c578e9501f8b4d19c0eb44. This has been part of the hardened configuration, but many other distros ship this for quite some time (Ubuntu for about ten years), so I'd say it might make sense to enable this per default.
---
 nixos/modules/profiles/hardened.nix | 4 ----
 1 file changed, 4 deletions(-)
(limited to 'nixos/modules/profiles')

diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index 856ee480fc0b6..74dc2cb1b9aa4 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -79,10 +79,6 @@ with lib;
 "ufs"
 ];
- # Restrict ptrace() usage to processes with a pre-defined relationship
- # (e.g., parent/child)
- boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;
-
 # Hide kptrs even for processes with CAP_SYSLOG
 boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;
-- 
cgit 1.4.1