update pkg

debian/changelog

@@ -1,3 +1,16 @@
+nx-desktop-settings-legacy (5.5.6)  nitrux; urgency=medium
+
+  * Increase Linux autotuning TCP buffer limits.
+  * Increases the maximum number of packets queued for processing before they are dropped.
+  * Reuses Time-Wait TCP connections to reduce the number of open TCP connections.
+  * Enable Reverse Path Filtering.
+  * Disable Source Routing.
+  * Restricts access to kernel pointer addresses.
+  * Disables the SysRq key.
+  * Disables timer migration across CPUs.
+
+ -- Uri Herrera <uri_herrera@nxos.org>  Mon, 21 Oct 2024 02:18:00 -0500
+
 nx-desktop-settings-legacy (5.5.5)  nitrux; urgency=medium
 
   * Enable wordwrap by default in micro.

etc/sysctl.d/10-nx-sysctl-overrides.conf

@@ -12,126 +12,113 @@
 #   AND PLEASE PUT A DESC. OF WHAT YOU CHANGE!             #
 ############################################################
 
+#####################################
+#   MEMORY MANAGEMENT AND CACHING   #
+#####################################
+
 # Discourage Linux from swapping idle processes to disk (default = 60).
-# This control is used to define how aggressively the kernel swaps out anonymous memory relative to pagecache and other caches.
+# This control defines how aggressively the kernel swaps out anonymous memory relative to pagecache and other caches.
 # Increasing the value increases the amount of swapping. 
 vm.swappiness = 10
 
-# vfs_cache_pressure this variable controls the tendency of the kernel to reclaim the memory which is used for caching of VFS caches, versus pagecache and swap. 
+# Controls the tendency of the kernel to reclaim the memory used for caching VFS caches versus pagecache and swap. 
 # Increasing this value increases the rate at which VFS caches are reclaimed.
 vm.vfs_cache_pressure = 50
 
-# Asynchronous non-blocking I/O (AIO) is a feature that allows a process to initiate multiple I/O operations simultaneously without having to wait for any of them to complete.
-# This helps boost performance for applications that are able to overlap processing and I/O.
+# Controls how aggressively the kernel performs memory compaction, rearranging memory pages to create larger contiguous blocks of free memory.
+# Increasing the proactiveness of memory compaction can help reduce fragmentation and improve the availability of large contiguous blocks of memory, which is beneficial for allocating huge pages and avoiding out-of-memory situations. However, more frequent compaction activities can also increase CPU overhead.
+vm.compaction_proactiveness = 0
+
+# Control the "unfairness" of page locking, affecting how the kernel manages contention for memory pages that multiple processes try to lock.
+# Enabling page lock unfairness can improve the performance of some workloads by allowing more aggressive locking behavior. Still, it can also lead to increased contention and potential performance degradation in other workloads. Disabling it provides more predictable and fair behavior at the cost of potentially reduced performance in some scenarios.
+vm.page_lock_unfairness = 1
+
+# This kernel parameter sets the maximum percentage of total system memory that can contain dirty data (modified data not yet written to disk). Once this threshold is reached, the kernel will start writing dirty pages to disk to free up memory.
+vm.dirty_ratio = 30
+
+# This parameter sets the percentage of total system memory that can contain dirty data before the kernel starts writing it to disk in the background.
+vm.dirty_background_ratio = 10
+
+# Write back dirty pages to disk every 15 seconds, and any page that has been dirty for at least 15 seconds will be considered for writeback. This configuration can help balance system performance (keeping data in memory longer) and data integrity (ensuring data is not kept in memory too long without being written to disk).
+vm.dirty_writeback_centisecs = 1500
+vm.dirty_expire_centisecs = 1500
+
+#################################
+#   FILESYSTEM AND I/O SETTINGS #
+#################################
+
+# Asynchronous non-blocking I/O (AIO) is a feature that allows a process to initiate multiple I/O operations simultaneously without waiting for any of them to complete.
+# This helps boost performance for applications that can overlap processing and I/O.
 # Increasing this value increases the random IO performance. 
 fs.aio-max-nr = 1048576
 
+# Disable core dumps in Linux for processes that have elevated privileges via setuid, setgid, or capabilities.
+fs.suid_dumpable = 0
+
+# This setting increases the maximum number of file watches that the inotify system can use. 
+fs.inotify.max_user_watches = 524288
+
+#####################################
+#   SECURITY AND KERNEL SETTINGS    #
+#####################################
+
+# Restricts access to kernel pointer addresses, improving security by preventing information leaks.
+kernel.kptr_restrict = 1
+
+# Disables the SysRq key for security reasons.
+kernel.sysrq = 0
+
+# Disables timer migration across CPUs. This can improve the consistency of CPU scheduling for real-time or latency-sensitive applications.
+kernel.timer_migration = 0
+
+# Disables the creation of core dump files for all processes on the system.
+kernel.core_pattern = |/bin/false
+
+# The NMI watchdog is a debugging feature that catches hardware hangs that cause a kernel panic. On some systems, it can generate a lot of interrupts, causing a noticeable increase in power usage.
+nmi_watchdog = 0
+
 #########################################################################
 #   DISABLING UNPRIVILEGED USER NAMESPACES WILL BRAKE THE FOLLOWING:    #
 #   WEB BROWSERS, WEBKITGTK, FLATPAK and GNOME THUMBNAILING.            #
 #   ENABLED BY DEFAULT. DISABLE AT YOUR OWN RISK.                       #
 #########################################################################
 
 # Disable unprivileged user namespaces. Unprivileged user namespaces can make severe vulnerabilities in the Linux kernel much more easily exploitable.
-# Numerous vulnerabilities that are found regularly are often only exploitable by unprivileged users if unprivileged user namespaces are supported and enabled by the kernel. Unprivileged user namespaces make it possible for unprivileged users to access exploit security bugs.
+# Numerous vulnerabilities that are found regularly are often only exploitable by unprivileged users if unprivileged user namespaces are supported and enabled by the kernel. Unprivileged user namespaces allow unprivileged users to access and exploit security bugs.
 # user.max_user_namespaces = 0
 
-# Disable core dumps in Linux. Core dumps are created for diagnosing and debugging errors in Linux applications. They are also known as memory dump, crash dump, system dump, or ABEND dump.
-# However, core dumps may contain sensitive info, such as passwords and user data, such as PAN, SSN, or encryption keys. Also, they take up a large amount of disk space too.
-fs.suid_dumpable = 0
-kernel.core_pattern = |/bin/false
+#####################################
+#   NETWORKING PERFORMANCE TUNING   #
+#####################################
 
-# Turn on BPF JIT hardening, if the JIT is enabled.
+# Turn on BPF JIT hardening if the JIT is enabled.
 # Enabling hardening for the Berkeley Packet Filter (BPF) Just-in-time (JIT) compiler aids in mitigating JIT spraying attacks. Setting the value to "2" enables JIT hardening for all users.
 net.core.bpf_jit_harden = 2
 
-# How aggressively the kernel performs memory compaction, which is the process of rearranging memory pages to create larger contiguous blocks of free memory.
-# Increasing the proactiveness of memory compaction can help to reduce fragmentation and improve the availability of large contiguous blocks of memory, which is beneficial for allocating huge pages and avoiding out-of-memory situations. However, it can also increase CPU overhead due to more frequent compaction activities.
-vm.compaction_proactiveness = 0
-
-# Control the "unfairness" of page locking, which affects how the kernel manages contention for memory pages that multiple processes are trying to lock.
-# Enabling page lock unfairness can improve the performance of some workloads by allowing more aggressive locking behavior, but it can also lead to increased contention and potential performance degradation in other workloads. Disabling it provides more predictable and fair behavior at the cost of potentially reduced performance in some scenarios.
-vm.page_lock_unfairness = 1
-
-# The NMI watchdog is a debugging feature to catch hardware hangs that cause a kernel panic. On some systems it can generate a lot of interrupts, causing a noticeable increase in power usage.
-nmi_watchdog = 0
-
-# This is a kernel parameter that sets the maximum percentage of total system memory that can contain dirty data (modified data not yet written to disk). Once this threshold is reached, the kernel will start writing dirty pages to disk to free up memory.
-vm.dirty_ratio = 30
-
-# This parameter sets the percentage of total system memory that can contain dirty data before the kernel starts writing the dirty data to disk in the background.
-vm.dirty_background_ratio = 10
-
-# Write back dirty pages to disk every 15 seconds, and any page that has been dirty for at least 15 seconds will be considered for writeback. This configuration can help balance between system performance (by keeping data in memory longer) and data integrity (by ensuring data is not kept in memory too long without being written to disk).
-vm.dirty_writeback_centisecs = 1500
-vm.dirty_expire_centisecs = 1500
+# Increases the maximum number of packets queued for processing before they are dropped.
+net.core.netdev_max_backlog = 16384
 
-#####################################################################################
-#   ADJUSTING THE SETTINGS BELOW MAY IMPROVE NETWORK SECURITY.                      #
-#   HOWEVER, THESE IMPROVEMENTS WILL COME AT THE EXPENSE OF NETWORK PERFORMANCE.    #
-#   DISABLED BY DEFAULT. ENABLE AT YOUR OWN RISK.                                   #
-#####################################################################################
+# Reuses Time-Wait TCP connections to reduce the number of open TCP connections and free up resources, improving system performance.
+net.ipv4.tcp_tw_reuse = 1
 
 # Increase Linux autotuning TCP buffer limits.
 # Set max to 16MB for 1GE and 32M (33554432) or 54M (56623104) for 10GE.
 # Don't set tcp_mem itself! Let the kernel scale it based on RAM.
-#net.core.rmem_max = 16777216
-#net.core.wmem_max = 16777216
-#net.core.rmem_default = 16777216
-#net.core.wmem_default = 16777216
-#net.core.optmem_max = 40960
-#net.ipv4.tcp_rmem = 4096 87380 16777216
-#net.ipv4.tcp_wmem = 4096 65536 16777216
-
-# Log packets with impossible addresses for security.
-#net.ipv4.conf.all.log_martians = 1
-
-# This setting enables the IPv4 reverse path filter in strict mode.
-# The setting prevents certain kinds of IP spoofing attacks that are, for example, used for distributed denial-of-service (DDoS) attacks.
-#net.ipv4.conf.default.rp_filter = 1
-#net.ipv4.conf.all.rp_filter = 1
-
-# This setting disables the acceptance of packets with the SSR option set in the IPv4 packet header.
-# This prevents IP packet redirection, that is redirection to a host behind a firewall, that is not directly reachable otherwise. 
-#net.ipv4.conf.default.accept_source_route = 0
-#net.ipv4.conf.all.accept_source_route = 0
-
-# This enables TCP SYN Cookie Protection for IPv4 and IPv6. It addresses a specific denial-of-service attack on the TCP protocol level. 
-#net.ipv4.tcp_syncookies = 1
-
-# The TCP SYN backlog defines the number of SYN packets that are queued for further processing.
-# Increasing this value improves the protection against TCP SYN flood attacks. 
-#net.ipv4.tcp_max_syn_backlog = 4096
-
-# ICMP echo requests (ping) can be sent to an IPv4 broadcast address in order to scan a network for existing hosts / IP addresses or to perform an ICMP flood within a network segment.
-# This setting causes the networking stack to ignore ICMP echo packets sent to a broadcast address. 
-#net.ipv4.icmp_echo_ignore_broadcasts = 1
+net.core.rmem_max = 16777216
+net.core.wmem_max = 16777216
+net.core.rmem_default = 16777216
+net.core.wmem_default = 16777216
+net.core.optmem_max = 40960
+net.ipv4.tcp_rmem = 4096 87380 16777216
+net.ipv4.tcp_wmem = 4096 65536 16777216
 
-# This setting avoids filling up log files with unnecessary error messages coming from invalid responses to broadcast frames.
-#net.ipv4.icmp_ignore_bogus_error_responses = 1
-
-# Disables the acceptance of ICMP redirect messages. These messages are usually sent by gateways to inform a host about a better route to an outside network.
-# These redirects can be misused for man-in-the-middle attacks.
-#net.ipv4.conf.default.accept_redirects = 0
-#net.ipv4.conf.all.accept_redirects = 0
-#net.ipv6.conf.default.accept_redirects = 0
-#net.ipv6.conf.all.accept_redirects = 0
-
-# Accepting 'secure' ICMP redirects (from those gateways listed as default gateways) has few legitimate uses.
-# It should be disabled unless it is absolutely required. 
-#net.ipv4.conf.default.secure_redirects = 0
-#net.ipv4.conf.all.secure_redirects = 0
-
-# A node should not send out IPv4 ICMP redirects, unless it acts as a router. 
-#net.ipv4.conf.default.send_redirects = 0
-#net.ipv4.conf.all.send_redirects = 0
-
-# IP forwarding should only be enabled on systems acting as routers. 
-#net.ipv4.ip_forward = 0
-#net.ipv6.conf.all.forwarding = 0
-#net.ipv6.conf.default.forwarding = 0
+# The setting prevents certain kinds of IP spoofing attacks that are, for example, used for distributed denial-of-service (DDoS) attacks.
+net.ipv4.conf.all.rp_filter = 1
 
 # Enable IPv6 Privacy Extensions.
 net.ipv6.conf.all.use_tempaddr = 2
 net.ipv6.conf.default.use_tempaddr = 2
 net.ipv6.conf.nic.use_tempaddr = 2
+
+# Prevents IP spoofing and bypassing security controls by disabling source routing.
+net.ipv4.conf.default.accept_source_route = 0