author | Joachim Fasting <joachifm@fastmail.fm> | 2015-03-01 22:46:56 +0100 |
---|---|---|
committer | Joachim Fasting <joachifm@fastmail.fm> | 2015-03-02 18:39:01 +0100 |
commit | ccd6f5a3133d5b67f79242f129e1adc901578499 (patch) | |
tree | cc52cc5ebba64c094ffaf288fa0d3a576f8fde8a /nixos/modules | |
parent | a869c8351cfcd6ec42147e7f1c8f4f14ac20e587 (diff) | |
nixos: make the grsec-lock unit depend on the path it writes to
The grsec-lock unit fails unless /proc/sys/kernel/grsecurity/grsec_lock exists and so prevents switching into a new configuration after enabling grsecurity.sysctl.
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/security/grsecurity.nix | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix index d0c7fa6ec288..8775893f531a 100644 --- a/nixos/modules/security/grsecurity.nix +++ b/nixos/modules/security/grsecurity.nix @@ -290,6 +290,7 @@ in wantedBy = [ "multi-user.target" ]; serviceConfig.Type = "oneshot"; serviceConfig.RemainAfterExit = "yes"; + unitConfig.ConditionPathIsReadWrite = "/proc/sys/kernel/grsecurity/grsec_lock"; script = '' locked=`cat /proc/sys/kernel/grsecurity/grsec_lock` if [ "$locked" == "0" ]; then |
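Review bot: The added `unitConfig.ConditionPathIsReadWrite = "/proc/sys/kernel/grsecurity/grsec_lock";` line turns a missing sysctl path from a visible unit failure into a silent skip, because systemd does not mark a unit as failed when a condition is unmet. That fixes switching into the new configuration on a kernel that does not yet expose the path, but a system that later boots a kernel without the grsecurity sysctl interface will also come up with the lock never applied and nothing in the failed-unit list to show it. I would add a Nix comment above the line saying the condition exists so that activation works before the reboot into the grsecurity kernel, and consider surfacing the unlocked state somewhere else (for example an assertion or a warning tied to grsecurity.sysctl) so the skipped lock is noticed.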