diff options
author | c74d <8573dd@gmail.com> | 2017-03-24 01:27:49 +0000 |
---|---|---|
committer | Franz Pletz <fpletz@fnordicwalking.de> | 2017-03-26 21:09:58 +0200 |
commit | a4ac5506f57f767fd53aebd0eeea8db4c911f83f (patch) | |
tree | 50f6a6b7f5b15b295cfae44b0f6be871c25a706c | |
parent | 7eb867794e05f861c439754c6f75a1c10d8382f0 (diff) | |
download | nixlib-a4ac5506f57f767fd53aebd0eeea8db4c911f83f.tar nixlib-a4ac5506f57f767fd53aebd0eeea8db4c911f83f.tar.gz nixlib-a4ac5506f57f767fd53aebd0eeea8db4c911f83f.tar.bz2 nixlib-a4ac5506f57f767fd53aebd0eeea8db4c911f83f.tar.lz nixlib-a4ac5506f57f767fd53aebd0eeea8db4c911f83f.tar.xz nixlib-a4ac5506f57f767fd53aebd0eeea8db4c911f83f.tar.zst nixlib-a4ac5506f57f767fd53aebd0eeea8db4c911f83f.zip |
google-compute-image: fix Yama LSM option conflict
Having fixed the Google Compute Engine image build process's copying of store paths in PR #24264, I ran `nixos-rebuild --upgrade switch`... and the GCE image broke again, because it sets the NixOS configuration option for the sysctl variable `kernel.yama.ptrace_scope` to `mkDefault "1"`, i.e., with override priority 1000, and now the `sysctl` module sets the same option to `mkDefault "0"` (this was changed in commit 86721a5f78718caf10c578e9501f8b4d19c0eb44). This patch raises the override priority of the Google Compute Engine image configuration's definition of the Yama sysctl option to 500 (still lower than the priority of an unmodified option definition). I have tested that this patch allows the Google Compute Engine image to again build successfully for me.
-rw-r--r-- | nixos/modules/virtualisation/google-compute-image.nix | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix index a03c45bfeff0..a3dd3bd55d14 100644 --- a/nixos/modules/virtualisation/google-compute-image.nix +++ b/nixos/modules/virtualisation/google-compute-image.nix @@ -261,7 +261,7 @@ in "kernel.kptr_restrict" = mkDefault "1"; # set ptrace protections - "kernel.yama.ptrace_scope" = mkDefault "1"; + "kernel.yama.ptrace_scope" = mkOverride 500 "1"; # set perf only available to root "kernel.perf_event_paranoid" = mkDefault "2"; |