public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/nginx: fix MemoryDenyWriteExecute not being disabled when needed

Browse Source 
The expression should check if the actually used nginx package
needes write+execute rights, not the default pkgs.nginx (which
has no modules unless overridden in an overlay).

Having MemoryDenyWriteExecute always true causes e.g. the Lua
module to fail (because JIT compilation).
This commit is contained in:
Matthias Treydte
2021-01-28 13:05:53 +01:00
parent 6a1bee335e
commit 7d2829c0a0
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
nixos/modules/services/web-servers/nginx/default.nix
View File

@@ -801,7 +801,7 @@ in
ProtectControlGroups = true;
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
LockPersonality = true;
MemoryDenyWriteExecute = !(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) pkgs.nginx.modules);
MemoryDenyWriteExecute = !(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) cfg.package.modules);
RestrictRealtime = true;
RestrictSUIDSGID = true;
PrivateMounts = true;