From 7fd99066c44c72c1b78d3bf6626bfffa96162902 Mon Sep 17 00:00:00 2001
From: Joachim Fasting
Date: Mon, 15 Aug 2016 19:55:12 +0200
Subject: grsecurity module: permit chmod +s in sandboxed builds

While useless, some builds may dabble with setuid bits (e.g., util-linux), which breaks under grsec. In the interest of user friendliness, we once again compromise by disabling an otherwise useful feature ...

Closes https://github.com/NixOS/nixpkgs/issues/17501
---
 nixos/modules/security/grsecurity.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix
index 60e9058dd69e..5eb88917dd56 100644
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@@ -119,6 +119,7 @@ in
 "kernel.grsecurity.chroot_deny_chroot" = mkForce 0;
 "kernel.grsecurity.chroot_deny_mount" = mkForce 0;
 "kernel.grsecurity.chroot_deny_pivot" = mkForce 0;
+ "kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
 } // optionalAttrs containerSupportRequired {
 # chroot(2) restrictions that conflict with NixOS lightweight containers
 "kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
-- 
cgit 1.4.1
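Review bot: The added `"kernel.grsecurity.chroot_deny_chmod" = mkForce 0;` has no comment recording why the restriction is dropped, and the same key is already forced to 0 in the `optionalAttrs containerSupportRequired` set directly below, so the two entries now have to be kept in sync by hand. Because this is a kernel-wide sysctl, setting setuid/setgid bits becomes permitted in every chroot on the host rather than only inside Nix build sandboxes, which is a wider relaxation than the subject line suggests. A comment next to the line such as `# builds may chmod +s (e.g. util-linux); relaxes the restriction for all chroots, see nixpkgs issue 17501` would make that trade-off visible to whoever audits the module later. The attribute set this line joins opens above the hunk, so the condition guarding it (presumably the sandbox option) cannot be confirmed from here.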