commit 7fd99066c44c72c1b78d3bf6626bfffa96162902

pyrox.dev / nixpkgs

lol

grsecurity module: permit chmod +s in sandboxed builds

While useless, some builds may dabble with setuid bits (e.g.,
util-linux), which breaks under grsec. In the interest of user
friendliness, we once again compromise by disabling an otherwise useful
feature ...

Closes https://github.com/NixOS/nixpkgs/issues/17501

Joachim Fasting 9 years ago 7fd99066 9062c679

1 changed file

expand all

unified split

nixos

modules

security

grsecurity.nix

nixos/modules/security/grsecurity.nix

··· 119 119 "kernel.grsecurity.chroot_deny_chroot" = mkForce 0; 120 120 "kernel.grsecurity.chroot_deny_mount" = mkForce 0; 121 121 "kernel.grsecurity.chroot_deny_pivot" = mkForce 0; 122 + "kernel.grsecurity.chroot_deny_chmod" = mkForce 0; 122 123 } // optionalAttrs containerSupportRequired { 123 124 # chroot(2) restrictions that conflict with NixOS lightweight containers 124 125 "kernel.grsecurity.chroot_deny_chmod" = mkForce 0;