public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

grsecurity: add option to disable chroot caps restriction

Browse Source 
The chroot caps restriction disallows chroot'ed processes from running
any command that requires `CAP_SYS_ADMIN`, breaking `nixos-rebuild`. See
e.g., https://github.com/NixOS/nixpkgs/issues/15293

This significantly weakens chroot protections, but to break
nixos-rebuild out of the box is too severe.
This commit is contained in:
Joachim Fasting
2016-05-08 08:32:28 +02:00
parent 8ca190c496
commit d4d7bfe07b
2 changed files with 15 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
pkgs/build-support/grsecurity/default.nix
View File

@@ -8,6 +8,7 @@ let
config = {
mode = "auto";
sysctl = false;
denyChrootCaps = false;
denyChrootChmod = false;
denyUSB = false;
restrictProc = false;
@@ -112,6 +113,7 @@ let
}
GRKERNSEC_SYSCTL ${boolToKernOpt cfg.config.sysctl}
GRKERNSEC_CHROOT_CAPS ${boolToKernOpt cfg.config.denyChrootCaps}
GRKERNSEC_CHROOT_CHMOD ${boolToKernOpt cfg.config.denyChrootChmod}
GRKERNSEC_DENYUSB ${boolToKernOpt cfg.config.denyUSB}
GRKERNSEC_NO_RBAC ${boolToKernOpt cfg.config.disableRBAC}