Add protection for latest CVE in linux kernel

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-06-23 21:06:04 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-06-23 21:06:35 +0200
commit: 63cd475c66bc1021587660915b2c2a65520cc624 (patch)
tree: 5e588007f624aa0cd5d76be3d2b77bbfef377f57 /modules/private/system
parent: af3aeef298d176c4f01ef341bf9662dd362834e5 (diff)
download: Nix-63cd475c66bc1021587660915b2c2a65520cc624.tar.gz
Nix-63cd475c66bc1021587660915b2c2a65520cc624.tar.zst
Nix-63cd475c66bc1021587660915b2c2a65520cc624.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/modules/private/system/eldiron.nix b/modules/private/system/eldiron.nix
index 48cba0c..df40187 100644
--- a/modules/private/system/eldiron.nix
+++ b/modules/private/system/eldiron.nix
@@ -17,6 +17,10 @@
  imports = builtins.attrValues (import ../..);
+  boot.kernel.sysctl = {
+    # https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
+    "net.ipv4.tcp_sack" = 0;
+  };
  myServices.buildbot.enable = true;
  myServices.databases.enable = true;
  myServices.gitolite.enable = true;
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-06-23 21:06:04 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-06-23 21:06:35 +0200
commit	63cd475c66bc1021587660915b2c2a65520cc624 (patch)
tree	5e588007f624aa0cd5d76be3d2b77bbfef377f57 /modules/private/system
parent	af3aeef298d176c4f01ef341bf9662dd362834e5 (diff)
download	Nix-63cd475c66bc1021587660915b2c2a65520cc624.tar.gz Nix-63cd475c66bc1021587660915b2c2a65520cc624.tar.zst Nix-63cd475c66bc1021587660915b2c2a65520cc624.zip