author | Izorkin <izorkin@elven.pw> | 2020-05-11 14:29:16 +0300 |
---|---|---|
committer | Izorkin <izorkin@elven.pw> | 2020-05-12 20:03:29 +0300 |
commit | aa12fb8adb312943a0ce8a059ce47733249eb5fe (patch) | |
tree | a03800df12f4e553ac34b6326314213d54ec2934 | |
parent | c7106610f14f0620f79758fe1d62cbbb8e989c84 (diff) | |
nginxModules: add option allowMemoryWriteExecute
The allowMemoryWriteExecute option is required to check the enabled nginxModules and disable the nginx sandbox mode MemoryDenyWriteExecute.
-rw-r--r-- | nixos/modules/services/web-servers/nginx/default.nix | 2 | ||||
-rw-r--r-- | pkgs/servers/http/nginx/modules.nix | 3 |
2 files changed, 4 insertions, 1 deletions
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 16c56dc745f..75fe1df506b 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -724,7 +724,7 @@ in
 ProtectControlGroups = true;
 RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
 LockPersonality = true;
- MemoryDenyWriteExecute = mkDefault true;
+ MemoryDenyWriteExecute = !(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) pkgs.nginx.modules);
 RestrictRealtime = true;
 RestrictSUIDSGID = true;
 PrivateMounts = true;
diff --git a/pkgs/servers/http/nginx/modules.nix b/pkgs/servers/http/nginx/modules.nix
index 16782966944..1111990435a 100644
--- a/pkgs/servers/http/nginx/modules.nix
+++ b/pkgs/servers/http/nginx/modules.nix
@@ -140,6 +140,7 @@ in
 export LUAJIT_LIB="${pkgs.luajit}/lib"
 export LUAJIT_INC="${pkgs.luajit}/include/luajit-2.0"
 '';
+ allowMemoryWriteExecute = true;
 };

 lua-upstream = {
@@ -150,6 +151,7 @@ in
 sha256 = "1gqccg8airli3i9103zv1zfwbjm27h235qjabfbfqk503rjamkpk";
 };
 inputs = [ pkgs.luajit ];
+ allowMemoryWriteExecute = true;
 };

 modsecurity = {
@@ -246,6 +248,7 @@ in
 in {
 src = ngx_pagespeed;
 inputs = [ pkgs.zlib pkgs.libuuid ]; # psol deps
+ allowMemoryWriteExecute = true;
 };

 pam = { |
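Review bot: The new `MemoryDenyWriteExecute` line in default.nix inspects `pkgs.nginx.modules` rather than the package the service actually runs, and it drops the `mkDefault` wrapper the old line had. If the service is configured with a different nginx derivation (the NixOS module normally exposes this as `cfg.package`, which is not visible in this hunk), the hardening decision is made from the wrong module list: W^X protection can be switched off for a build with no JIT module, or left on for a build that needs it. Without `mkDefault`, a user who sets the value in their own configuration will presumably hit a conflicting-definition error unless they use `mkForce`. I would write `MemoryDenyWriteExecute = mkDefault (!(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) cfg.package.modules));`, assuming `cfg.package` carries a `modules` attribute. The enclosing serviceConfig block starts and ends outside the hunk.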
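Review bot: The three `allowMemoryWriteExecute = true;` additions in modules.nix have no comment saying why each module needs memory that is both writable and executable, even though setting the flag on any one module turns off a systemd hardening setting for the whole nginx service. For the two LuaJIT-based entries (hunks at 140 and 151) a line such as `# LuaJIT's JIT compiler needs writable+executable mappings; incompatible with MemoryDenyWriteExecute` above the attribute would do, if that is indeed the reason. For the ngx_pagespeed entry (hunk at 248) the reason is not visible in the diff, so it should be stated there so a later reviewer can tell whether the exemption is still needed. The attribute sets these lines belong to start outside the hunks.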