From 94824303be3093fa105b6e50ba5497cbc7318f6e Mon Sep 17 00:00:00 2001
From: Joachim Fasting
Date: Thu, 14 Jul 2016 16:00:17 +0200
Subject: [PATCH] grsecurity module: smarter container support

Only set tunables required for container support if there are any containers.

---
 nixos/modules/security/grsecurity.nix | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix
index ee5881d2872..2b00c8954a8 100644
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@@ -13,6 +13,10 @@ let
        || elem fs.mountPoint [ "/" "/nix" "/nix/store" "/var" "/var/log" "/var/lib" "/etc" ]) && fs.fsType == "zfs") (attrValues config.fileSystems) != [];
+
+  # Ascertain whether NixOS container support is required
+  containerSupportRequired =
+    config.boot.enableContainers && config.containers != {};
 in {
@@ -101,7 +105,7 @@ in
     "kernel.grsecurity.chroot_deny_chroot" = mkForce 0;
     "kernel.grsecurity.chroot_deny_mount" = mkForce 0;
     "kernel.grsecurity.chroot_deny_pivot" = mkForce 0;
-  } // optionalAttrs config.boot.enableContainers {
+  } // optionalAttrs containerSupportRequired {
     # chroot(2) restrictions that conflict with NixOS lightweight containers
     "kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
     "kernel.grsecurity.chroot_deny_mount" = mkForce 0;
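Review bot: The new guard `containerSupportRequired` only looks at `config.containers`, the declaratively defined containers, so on a host that runs imperative containers (created with `nixos-container` rather than in configuration) the set is `{}` and the chroot relaxations in the second hunk are no longer applied even though `boot.enableContainers` is true; those containers would then hit the chroot_deny_* restrictions that the comment says conflict with lightweight containers. Keeping the restrictions enforced on hosts that merely have `boot.enableContainers` at its default is the right default from a hardening standpoint, but the limitation should be stated where the guard is defined, e.g. `# Only declarative containers (config.containers) are detected; hosts using imperative nixos-container containers must relax the chroot_deny_* tunables themselves`. If imperative containers are meant to be supported, the condition would need a wider signal than `config.containers != {}`. The same guard is consumed in the `optionalAttrs` expression of the second hunk, whose enclosing attribute set starts and ends outside the hunk.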