pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #111011 from waldheinz/nginx-mem-write-exec

nixos/nginx: fix MemoryDenyWriteExecute not being disabled when needed

Aaron Andersen 9798ed1a 09ed39bf

options
unified split
Changed files
+1 -1
nixos
modules
services
web-servers
nginx
default.nix
+1 -1
nixos/modules/services/web-servers/nginx/default.nix 
···

       
804

       
804

       
 

       
        ProtectControlGroups = true;


     

       
805

       
805

       
 

       
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];


     

       
806

       
806

       
 

       
        LockPersonality = true;


     

       
807

       

       
-

       
        MemoryDenyWriteExecute = !(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) pkgs.nginx.modules);


     

       

       
807

       
+

       
        MemoryDenyWriteExecute = !(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) cfg.package.modules);


     

       
808

       
808

       
 

       
        RestrictRealtime = true;


     

       
809

       
809

       
 

       
        RestrictSUIDSGID = true;


     

       
810

       
810

       
 

       
        PrivateMounts = true;