Add protection for latest CVE in linux kernel

author Ismaël Bouya <ismael.bouya@normalesup.org>

Sun, 23 Jun 2019 19:06:04 +0000 (21:06 +0200)

committer Ismaël Bouya <ismael.bouya@normalesup.org>

Sun, 23 Jun 2019 19:06:35 +0000 (21:06 +0200)
author Ismaël Bouya <ismael.bouya@normalesup.org>
Sun, 23 Jun 2019 19:06:04 +0000 (21:06 +0200)
committer Ismaël Bouya <ismael.bouya@normalesup.org>
Sun, 23 Jun 2019 19:06:35 +0000 (21:06 +0200)
diff --git a/modules/private/system/eldiron.nix b/modules/private/system/eldiron.nix

index 48cba0c42fea533327cd38cfffbcd124d03e7b39..df4018768bdd59ec64206ecdf50d85ca4e871865 100644 (file)
--- a/modules/private/system/eldiron.nix
+++ b/modules/private/system/eldiron.nix
@@ -17,6 +17,10 @@
  
    imports = builtins.attrValues (import ../..);
  
+  boot.kernel.sysctl = {
+    # https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
+    "net.ipv4.tcp_sack" = 0;
+  };
    myServices.buildbot.enable = true;
    myServices.databases.enable = true;
    myServices.gitolite.enable = true;
author	Ismaël Bouya <ismael.bouya@normalesup.org>
	Sun, 23 Jun 2019 19:06:04 +0000 (21:06 +0200)
committer	Ismaël Bouya <ismael.bouya@normalesup.org>
	Sun, 23 Jun 2019 19:06:35 +0000 (21:06 +0200)