diff options
author | Izorkin <izorkin@elven.pw> | 2020-05-11 14:29:16 +0300 |
---|---|---|
committer | Izorkin <izorkin@elven.pw> | 2020-05-12 20:03:29 +0300 |
commit | aa12fb8adb312943a0ce8a059ce47733249eb5fe (patch) | |
tree | a03800df12f4e553ac34b6326314213d54ec2934 /nixos/modules | |
parent | c7106610f14f0620f79758fe1d62cbbb8e989c84 (diff) | |
download | nixlib-aa12fb8adb312943a0ce8a059ce47733249eb5fe.tar nixlib-aa12fb8adb312943a0ce8a059ce47733249eb5fe.tar.gz nixlib-aa12fb8adb312943a0ce8a059ce47733249eb5fe.tar.bz2 nixlib-aa12fb8adb312943a0ce8a059ce47733249eb5fe.tar.lz nixlib-aa12fb8adb312943a0ce8a059ce47733249eb5fe.tar.xz nixlib-aa12fb8adb312943a0ce8a059ce47733249eb5fe.tar.zst nixlib-aa12fb8adb312943a0ce8a059ce47733249eb5fe.zip |
nginxModules: add option allowMemoryWriteExecute
The allowMemoryWriteExecute option is required to checking enabled nginxModules and disable the nginx sandbox mode MemoryDenyWriteExecute.
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/services/web-servers/nginx/default.nix | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index 16c56dc745f9..75fe1df506b3 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -724,7 +724,7 @@ in ProtectControlGroups = true; RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; LockPersonality = true; - MemoryDenyWriteExecute = mkDefault true; + MemoryDenyWriteExecute = !(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) pkgs.nginx.modules); RestrictRealtime = true; RestrictSUIDSGID = true; PrivateMounts = true; |