authorJoachim Fasting <joachifm@fastmail.fm>2016-07-14 16:00:17 +0200
committerJoachim Fasting <joachifm@fastmail.fm>2016-07-16 11:11:35 +0200
commit94824303be3093fa105b6e50ba5497cbc7318f6e (patch)
tree602b05caddf1c839f17776dd35a0ec478888063e /nixos
parentc606b9876fbcbfa2aa8360a5a2d808c80d3a2759 (diff)
grsecurity module: smarter container support
Only set tunables required for container support if there are any containers.
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/security/grsecurity.nix6
1 files changed, 5 insertions, 1 deletions
diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix
index ee5881d28726..2b00c8954a8b 100644
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@@ -13,6 +13,10 @@ let
           || elem fs.mountPoint [ "/" "/nix" "/nix/store" "/var" "/var/log" "/var/lib" "/etc" ])
           && fs.fsType == "zfs")
     (attrValues config.fileSystems) != [];
+
+  # Ascertain whether NixOS container support is required
+  containerSupportRequired =
+    config.boot.enableContainers && config.containers != {};
 in
 
 {
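Review bot: The new `containerSupportRequired` binding uses `config.containers != {}` as the only signal that containers exist, but that attribute set holds declaratively configured containers; imperatively managed containers (created with `nixos-container`) do not appear in it, so a system with `boot.enableContainers = true` and no declarative entries now keeps the chroot tunables in the second hunk at their restrictive defaults, and those containers would presumably fail to start where they worked before this change. The comment should at least state that limitation, e.g. `# Ascertain whether NixOS container support is required (only declarative containers are visible here; imperative containers are not counted)`. If imperative containers are meant to keep working, the previous unconditional `config.boot.enableContainers` test was the safer trigger, or an explicit option to opt in would make the trade-off visible to the admin. The binding that the context lines at the top of this hunk belong to starts before the hunk.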
@@ -101,7 +105,7 @@ in
       "kernel.grsecurity.chroot_deny_chroot" = mkForce 0;
       "kernel.grsecurity.chroot_deny_mount" = mkForce 0;
       "kernel.grsecurity.chroot_deny_pivot" = mkForce 0;
-    } // optionalAttrs config.boot.enableContainers {
+    } // optionalAttrs containerSupportRequired {
       # chroot(2) restrictions that conflict with NixOS lightweight containers
       "kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
       "kernel.grsecurity.chroot_deny_mount" = mkForce 0;