Merge pull request #7149 from joachifm/grsec-gradm-optional

grsecurity module: configure gradm iff RBAC is enabled

+12 -13
+12 -13
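--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@@ -276,22 +276,21 @@
 # };
 # };
 
-system.activationScripts.grsec =
-''
-mkdir -p /etc/grsec
-if [ ! -f /etc/grsec/learn_config ]; then
-cp ${pkgs.gradm}/etc/grsec/learn_config /etc/grsec
-fi
-if [ ! -f /etc/grsec/policy ]; then
-cp ${pkgs.gradm}/etc/grsec/policy /etc/grsec
-fi
-chmod -R 0600 /etc/grsec
-'';
+system.activationScripts = lib.optionalAttrs (!cfg.config.disableRBAC) { grsec = ''
+mkdir -p /etc/grsec
+if [ ! -f /etc/grsec/learn_config ]; then
+cp ${pkgs.gradm}/etc/grsec/learn_config /etc/grsec
+fi
+if [ ! -f /etc/grsec/policy ]; then
+cp ${pkgs.gradm}/etc/grsec/policy /etc/grsec
+fi
+chmod -R 0600 /etc/grsec
+''; };
 
 # Enable AppArmor, gradm udev rules, and utilities
 security.apparmor.enable = true;
 boot.kernelPackages = customGrsecPkg;
-services.udev.packages = [ pkgs.gradm ];
-environment.systemPackages = [ pkgs.gradm pkgs.paxctl pkgs.pax-utils ];
+services.udev.packages = lib.optional (!cfg.config.disableRBAC) pkgs.gradm;
+environment.systemPackages = [ pkgs.paxctl pkgs.pax-utils ] ++ lib.optional (!cfg.config.disableRBAC) pkgs.gradm;
 };
 }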
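Review bot: `chmod -R 0600 /etc/grsec`, carried unchanged into the new conditional `grsec` activation script, also clears the search bit on the directory itself, so the policy files can only be reached by a process that bypasses DAC checks. `chmod -R u=rwX,go= /etc/grsec` would leave the directory at 0700 and the files at 0600, assuming the copies from `${pkgs.gradm}` carry no execute bit. The two `cp` calls also create the files with their source mode until the final chmod runs; `install -m 0600` in place of `cp` would create them restricted from the start. Separately, the comment `# Enable AppArmor, gradm udev rules, and utilities` no longer matches the code now that gradm is only added when `!cfg.config.disableRBAC` holds. The enclosing attribute set opens above the hunk.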