From: Ismaƫl Bouya
Date: Sun, 23 Jun 2019 19:06:04 +0000 (+0200)
Subject: Add protection for latest CVE in linux kernel
X-Git-Url: https://git.immae.eu/?p=perso%2FImmae%2FConfig%2FNix.git;a=commitdiff_plain;h=63cd475c66bc1021587660915b2c2a65520cc624

Add protection for latest CVE in linux kernel
---
diff --git a/modules/private/system/eldiron.nix b/modules/private/system/eldiron.nix
index 48cba0c..df40187 100644
--- a/modules/private/system/eldiron.nix
+++ b/modules/private/system/eldiron.nix
@@ -17,6 +17,10 @@
 imports = builtins.attrValues (import ../..);
+ boot.kernel.sysctl = {
+ # https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
+ "net.ipv4.tcp_sack" = 0;
+ };
 myServices.buildbot.enable = true;
 myServices.databases.enable = true;
 myServices.gitolite.enable = true;
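Review bot: The new `boot.kernel.sysctl` block records only the advisory URL, so nothing in the file says that `"net.ipv4.tcp_sack" = 0` is a stopgap or when it can be reverted; with SACK disabled, loss recovery on this host's TCP connections is slower, so the setting should not outlive the kernel fix. I would extend the comment to something like `# Temporary workaround for the TCP SACK issues in the advisory below; drop once the running kernel includes the fix.` As far as I recall, the linked advisory also describes a low-MSS resource-consumption issue that disabling SACK does not cover, so it is worth checking whether this host also needs the MSS filtering workaround or a patched kernel. After deployment, `sysctl net.ipv4.tcp_sack` on the host confirms that the mitigation is actually in effect.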