nixos: make the grsec-lock unit depend on the path it writes to

The grsec-lock unit fails unless /proc/sys/kernel/grsecurity/grsec_lock
exists, which prevents switching into a new configuration after enabling
grsecurity.sysctl.
Joachim Fasting 2015-03-01 22:46:56 +01:00
parent a869c8351c
commit ccd6f5a313


@ -290,6 +290,7 @@ in
wantedBy = [ "multi-user.target" ];
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = "yes";
unitConfig.ConditionPathIsReadWrite = "/proc/sys/kernel/grsecurity/grsec_lock";
script = ''
locked=`cat /proc/sys/kernel/grsecurity/grsec_lock`
if [ "$locked" == "0" ]; then
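Review bot: The `unitConfig.ConditionPathIsReadWrite` line turns a missing or read-only grsec_lock into a silent skip. As far as I know, systemd treats an unmet condition as a skipped start rather than a failure, so a boot on a kernel that does not expose the grsecurity sysctl interface would leave the tunables unlocked with nothing in the unit state to flag it. That matches the intent in the commit message, but it should be stated on the line, e.g. `# Skipped, not failed, when the sysctl interface is absent; the grsecurity tunables then stay unlocked.` If the lock is meant to be a guarantee whenever grsecurity.sysctl is enabled, a module-level assertion or warning would make the unlocked case visible instead of relying on this unit alone. The script body continues past the end of the hunk, so what it does after the `locked` check is not visible here.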