nixos/sysctl: Enable Yama by default

Yama is a LSM which restricts debugging. This prevents processes from
snooping on another. It can be easily disabled with sysctl.

This was initially included in #14392 and disabled by default by
86721a5f78.

This has been part of the hardened configuration, but many other distros
ship this for quite some time (Ubuntu for about ten years), so I'd say
it might make sense to enable this per default.

nixos/doc/manual/release-notes/rl-2311.section.md

@@ -285,6 +285,10 @@
 
 - Package `cloud-sql-proxy` was renamed to `google-cloud-sql-proxy` as it cannot be used with other cloud providers.;
 
+- The Yama LSM is now enabled by default in the kernel, which prevents ptracing non-child processes.
+  This means you will not be able to attach gdb to an existing process, but will need to start that process from gdb (so it is a child).
+  Or you can set `boot.kernel.sysctl."kernel.yama.ptrace_scope"` to 0.
+
 - Package `pash` was removed due to being archived upstream. Use `powershell` as an alternative.
 
 - `security.sudo.extraRules` now includes `root`'s default rule, with ordering

nixos/modules/config/sysctl.nix

@@ -69,9 +69,6 @@ in
     # users as these make it easier to exploit kernel vulnerabilities.
     boot.kernel.sysctl."kernel.kptr_restrict" = mkDefault 1;
 
-    # Disable YAMA by default to allow easy debugging.
-    boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkDefault 0;
-
     # Improve compatibility with applications that allocate
     # a lot of memory, like modern games
     boot.kernel.sysctl."vm.max_map_count" = mkDefault 1048576;

nixos/modules/profiles/hardened.nix

@@ -79,10 +79,6 @@ with lib;
     "ufs"
   ];
 
-  # Restrict ptrace() usage to processes with a pre-defined relationship
-  # (e.g., parent/child)
-  boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;
-
   # Hide kptrs even for processes with CAP_SYSLOG
   boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;