From ccd6f5a3133d5b67f79242f129e1adc901578499 Mon Sep 17 00:00:00 2001
From: Joachim Fasting
Date: Sun, 1 Mar 2015 22:46:56 +0100
Subject: [PATCH 1/2] nixos: make the grsec-lock unit depend on the path it writes to

The grsec-lock unit fails unless /proc/sys/kernel/grsecurity/grsec_lock exists and so prevents switching into a new configuration after enabling grsecurity.sysctl.
---
 nixos/modules/security/grsecurity.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix
index d0c7fa6ec28..8775893f531 100644
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@@ -290,6 +290,7 @@ in
       wantedBy = [ "multi-user.target" ];
       serviceConfig.Type = "oneshot";
       serviceConfig.RemainAfterExit = "yes";
+      unitConfig.ConditionPathIsReadWrite = "/proc/sys/kernel/grsecurity/grsec_lock";
       script = ''
         locked=`cat /proc/sys/kernel/grsecurity/grsec_lock`
         if [ "$locked" == "0" ]; then

From 18320d3b219a35a2f4c032aa4b16ec89db692901 Mon Sep 17 00:00:00 2001
From: Joachim Fasting
Date: Mon, 2 Mar 2015 07:20:45 +0100
Subject: [PATCH 2/2] nixos: fix grsec-lock requires

---
 nixos/modules/security/grsecurity.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix
index 8775893f531..66eeab7503d 100644
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@@ -286,7 +286,7 @@ in
     systemd.services.grsec-lock = mkIf cfg.config.sysctl {
       description = "grsecurity sysctl-lock Service";
-      requires = [ "sysctl.service" ];
+      requires = [ "systemd-sysctl.service" ];
       wantedBy = [ "multi-user.target" ];
       serviceConfig.Type = "oneshot";
       serviceConfig.RemainAfterExit = "yes";
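Review bot: The added `unitConfig.ConditionPathIsReadWrite` line turns a hard failure into a silent skip: when the condition is false systemd leaves grsec-lock inactive rather than failed, so a host whose running kernel does not expose grsec_lock boots with the grsecurity sysctls unlocked and only a "condition failed" journal line to show for it. Since the commit message says the intent is to test that the file exists, `ConditionPathExists` is the more precise directive; `ConditionPathIsReadWrite` additionally checks that the backing filesystem is not read-only. Either way the consequence should be written down for the next maintainer, e.g. `# Skipped (not failed) when the running kernel lacks grsec_lock; sysctls then stay unlocked.` above the line. The `script` body and the enclosing `mkIf cfg.config.sysctl` block continue outside this hunk.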
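Review bot: `requires = [ "systemd-sysctl.service" ];` pulls the sysctl unit in but does not order grsec-lock after it, and none of the unit's attributes visible across the two hunks (description, requires, wantedBy, serviceConfig.*, unitConfig.*, script) sets `after`. Without ordering the oneshot can write `1` to grsec_lock before systemd-sysctl has applied the configured values, and once the lock is set the grsecurity sysctl tree rejects further writes, so the hardening this unit exists to protect may never land, and the lock leaves no failed unit behind to reveal it. Unless ordering is established elsewhere in the module, add `after = [ "systemd-sysctl.service" ];` next to the `requires` line. The enclosing `mkIf cfg.enable` block starts before this hunk.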