nixos/security/misc: use mkMerge for easier extension

Joachim Fasting 2018-11-24 18:37:46 +01:00
parent 2534dddaa9
commit 9db84f6fcd
No known key found for this signature in database
GPG Key ID: 5C204DF675C90294
1 changed files with 13 additions and 11 deletions


@ -24,16 +24,18 @@ with lib;
}; };
}; };
config = mkIf (!config.security.allowUserNamespaces) { config = mkMerge [
# Setting the number of allowed user namespaces to 0 effectively disables (mkIf (!config.security.allowUserNamespaces) {
# the feature at runtime. Note that root may raise the limit again # Setting the number of allowed user namespaces to 0 effectively disables
# at any time. # the feature at runtime. Note that root may raise the limit again
boot.kernel.sysctl."user.max_user_namespaces" = 0; # at any time.
boot.kernel.sysctl."user.max_user_namespaces" = 0;
assertions = [ assertions = [
{ assertion = config.nix.useSandbox -> config.security.allowUserNamespaces; { assertion = config.nix.useSandbox -> config.security.allowUserNamespaces;
message = "`nix.useSandbox = true` conflicts with `!security.allowUserNamespaces`."; message = "`nix.useSandbox = true` conflicts with `!security.allowUserNamespaces`.";
} }
]; ];
}; })
];
} }
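Review bot: The new `mkMerge [ ... ]` list has no comment saying how it is meant to be extended, so a later entry could land outside a guard or move the assertion away from the sysctl it protects. I would add a comment directly under `config = mkMerge [`, such as `# One mkIf-guarded attrset per hardening option; keep each option's assertions inside its own guard.` The sandbox assertion still sits inside the `mkIf (!config.security.allowUserNamespaces)` entry, so it is only evaluated when namespaces are disabled, where it reduces to `!config.nix.useSandbox`. If `nix.useSandbox` can hold a non-boolean value (its type is not visible in this hunk), the `->` would fail at evaluation instead of printing the message, which is worth confirming against the option declaration.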