authorIzorkin <izorkin@elven.pw>2020-05-11 14:29:16 +0300
committerIzorkin <izorkin@elven.pw>2020-05-12 20:03:29 +0300
commitaa12fb8adb312943a0ce8a059ce47733249eb5fe (patch)
treea03800df12f4e553ac34b6326314213d54ec2934 /nixos/modules/services/web-servers
parentc7106610f14f0620f79758fe1d62cbbb8e989c84 (diff)
nginxModules: add option allowMemoryWriteExecute
The allowMemoryWriteExecute option is required for checking the enabled nginxModules
and disabling the nginx sandbox mode MemoryDenyWriteExecute.
Diffstat (limited to 'nixos/modules/services/web-servers')
-rw-r--r--nixos/modules/services/web-servers/nginx/default.nix2
1 files changed, 1 insertions, 1 deletions
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 16c56dc745f..75fe1df506b 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -724,7 +724,7 @@ in
         ProtectControlGroups = true;
         RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
         LockPersonality = true;
-        MemoryDenyWriteExecute = mkDefault true;
+        MemoryDenyWriteExecute = !(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) pkgs.nginx.modules);
         RestrictRealtime = true;
         RestrictSUIDSGID = true;
         PrivateMounts = true;
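Review bot: The new `MemoryDenyWriteExecute` expression reads the module list from `pkgs.nginx.modules`, which is not necessarily the package the service actually runs. If this module lets the package be selected through an option (not visible in the hunk, presumably `cfg.package`), the hardening decision is taken from the wrong build: W^X protection can stay on for a build whose modules need it off, or be switched off for a build that does not need the exemption. Reading `cfg.package.modules` instead would tie the setting to the running binary. The change also drops `mkDefault`, so an administrator who wants to set the value explicitly now needs `mkForce`; wrapping the expression as `mkDefault (!(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) cfg.package.modules))` would keep the earlier override behaviour. A one-line comment such as `# W^X is relaxed only when an enabled module declares allowMemoryWriteExecute` would make it clear why this hardening flag is conditional; the enclosing attribute set starts and ends outside the hunk.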