author | Joachim Fasting <joachifm@fastmail.fm> | 2016-08-15 19:55:12 +0200 |
---|---|---|
committer | Joachim Fasting <joachifm@fastmail.fm> | 2016-08-15 20:36:47 +0200 |
commit | 7fd99066c44c72c1b78d3bf6626bfffa96162902 (patch) | |
tree | 1339783b20be910aed0833b25b9af90a16b8c9c7 | |
parent | 9062c6791431b79640b55dcd84b95fedcd1dda60 (diff) | |
grsecurity module: permit chmod +s in sandboxed builds
While useless, some builds may dabble with setuid bits (e.g., util-linux), which breaks under grsec. In the interest of user friendliness, we once again compromise by disabling an otherwise useful feature ...

Closes https://github.com/NixOS/nixpkgs/issues/17501
-rw-r--r-- | nixos/modules/security/grsecurity.nix | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix index 60e9058dd69e..5eb88917dd56 100644 --- a/nixos/modules/security/grsecurity.nix +++ b/nixos/modules/security/grsecurity.nix @@ -119,6 +119,7 @@ in "kernel.grsecurity.chroot_deny_chroot" = mkForce 0; "kernel.grsecurity.chroot_deny_mount" = mkForce 0; "kernel.grsecurity.chroot_deny_pivot" = mkForce 0; + "kernel.grsecurity.chroot_deny_chmod" = mkForce 0; } // optionalAttrs containerSupportRequired { # chroot(2) restrictions that conflict with NixOS lightweight containers "kernel.grsecurity.chroot_deny_chmod" = mkForce 0; |
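Review bot: the added `"kernel.grsecurity.chroot_deny_chmod" = mkForce 0;` duplicates the identical entry in the `optionalAttrs containerSupportRequired` set right after it, so the container-only entry no longer changes anything; drop it from that set, or keep it with a comment saying the repetition is deliberate. The new line also carries no comment, while the container block explains itself with `# chroot(2) restrictions that conflict with NixOS lightweight containers`. Since the relaxation is no longer gated on `containerSupportRequired`, a one-line comment naming the reason (sandboxed builds that run chmod +s, issue 17501) would tell a later reader why this protection is off and when it can be turned back on.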