Add protection for latest CVE in linux kernel
[perso/Immae/Config/Nix.git] / modules / private / system / eldiron.nix
index 48cba0c42fea533327cd38cfffbcd124d03e7b39..df4018768bdd59ec64206ecdf50d85ca4e871865 100644 (file)
 
   imports = builtins.attrValues (import ../..);
 
+  boot.kernel.sysctl = {
+    # https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
+    "net.ipv4.tcp_sack" = 0;
+  };
   myServices.buildbot.enable = true;
   myServices.databases.enable = true;
   myServices.gitolite.enable = true;
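Review bot: The comment above `"net.ipv4.tcp_sack" = 0;` gives only the advisory URL, so nothing tells a later reader that this is a temporary workaround with a throughput cost on lossy links. I would add a line such as `# Workaround only: drop this once the host runs a kernel carrying the SACK fixes.` above the setting. If I read the linked advisory correctly, it also describes a low-MSS resource-exhaustion issue that turning SACK off does not cover, so that part would still need the kernel update or an MSS filter on the firewall. The setting is visible only in this host file, so it is worth checking whether the other machines in the repository need it too. The attribute set these lines belong to starts and ends outside the hunk.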