MirrorHub/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-19 00:08:32 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

nginxModules: add option disableIPC

Browse source 
The disableIPC option is required to checking enabled nginxModules
and disable the SystemCallFilter IPC filter.
This commit is contained in:
Izorkin 2022-03-07 23:28:43 +03:00
parent 031ab33274
commit b672e4dd2c
No known key found for this signature in database
GPG key ID: 1436C1B3F3679F09
2 changed files with 3 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
nixos/modules/services/web-servers/nginx/default.nix
View file

@ -924,7 +924,8 @@ in
PrivateMounts = true; PrivateMounts = true;
# System Call Filtering # System Call Filtering
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" ] ++ optionals (cfg.package != pkgs.tengine) [ "~@ipc" ]; SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" ]
++ optionals ((cfg.package != pkgs.tengine) && (!lib.any (mod: (mod.disableIPC or false)) cfg.package.modules)) [ "~@ipc" ];
}; };
}; };

1
pkgs/servers/http/nginx/modules.nix
View file

@ -256,6 +256,7 @@ in
sha256 = "sha256-UXiitc3jZlgXlCsDPS+xEFLNRVgRbn8BCCXUEqAWlII="; sha256 = "sha256-UXiitc3jZlgXlCsDPS+xEFLNRVgRbn8BCCXUEqAWlII=";
}; };
inputs = [ pkgs.curl pkgs.geoip pkgs.libmodsecurity pkgs.libxml2 pkgs.lmdb pkgs.yajl ]; inputs = [ pkgs.curl pkgs.geoip pkgs.libmodsecurity pkgs.libxml2 pkgs.lmdb pkgs.yajl ];
disableIPC = true;
}; };
moreheaders = { moreheaders = {