linux/common-config: restrict access to dmesg

`SECURITY_DMESG_RESTRICT` has been enabled by default by a lot of
other distributions for quite a while now; NixOS is a bit of an outlier.
The main justification to enable it is that the kernel log might leak kernel
pointers which can then be used by exploits to defeat KASLR (NixOS also
enables `kernel.kptr_restrict` by default since 2013).
Thomas Gerbet 2024-05-31 14:24:56 +02:00 committed by John Titor
parent 391f0616a8
commit e54753495c
No known key found for this signature in database
GPG Key ID: 29B0514F4E3C1CC0
2 changed files with 5 additions and 0 deletions


@ -262,6 +262,9 @@
The derivation now installs "impl" headers selectively instead of by a wildcard. The derivation now installs "impl" headers selectively instead of by a wildcard.
Use `imgui.src` if you just want to access the unpacked sources. Use `imgui.src` if you just want to access the unpacked sources.
- Unprivileged access to the kernel syslog via `dmesg` is now restricted by default. Users wanting to keep an
unrestricted access to it can set `boot.kernel.sysctl."kernel.dmesg_restrict" = false`.
- The `i18n.inputMethod` module introduces two new properties: - The `i18n.inputMethod` module introduces two new properties:
`enable` and `type`, for declaring whether to enable an alternative input method and defining which input method respectfully. The options available in `type` are the same as the existing `enabled` option. `enabled` is now deprecated, and will be removed in a future release. `enable` and `type`, for declaring whether to enable an alternative input method and defining which input method respectfully. The options available in `type` are the same as the existing `enabled` option. `enabled` is now deprecated, and will be removed in a future release.
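Review bot: The added release note says what changes and how to opt out, but not what an affected user will see or who keeps access. I would add a sentence stating that reading the kernel log still works for root, so people whose scripts or monitoring run `dmesg` as an unprivileged user know what to expect before they reach for the opt-out. The wording "keep an unrestricted access to it" also reads awkwardly; "Users who want to keep unrestricted access can set ..." is cleaner. Since `kernel.dmesg_restrict` is usually documented as a 0/1 sysctl, it may be worth a word that the boolean `false` shown here is the intended form.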


@ -702,6 +702,8 @@ let
SECURITY_APPARMOR = yes; SECURITY_APPARMOR = yes;
DEFAULT_SECURITY_APPARMOR = yes; DEFAULT_SECURITY_APPARMOR = yes;
SECURITY_DMESG_RESTRICT = yes;
RANDOM_TRUST_CPU = whenOlder "6.2" yes; # allow RDRAND to seed the RNG RANDOM_TRUST_CPU = whenOlder "6.2" yes; # allow RDRAND to seed the RNG
RANDOM_TRUST_BOOTLOADER = whenOlder "6.2" (whenAtLeast "5.4" yes); # allow the bootloader to seed the RNG RANDOM_TRUST_BOOTLOADER = whenOlder "6.2" (whenAtLeast "5.4" yes); # allow the bootloader to seed the RNG
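Review bot: The new `SECURITY_DMESG_RESTRICT = yes;` line has no comment, while the `RANDOM_TRUST_*` lines right below it explain themselves inline. A short comment would help here, for example that this only sets the built-in default of `kernel.dmesg_restrict` and that the sysctl named in the release note still overrides it at runtime. It is also the only line in this group that depends on a matching release-note entry, so a pointer from the comment to that opt-out would keep the two from drifting apart.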