nginxModules: add option disableIPC

The disableIPC option is required for checking the enabled nginxModules
and disabling the SystemCallFilter IPC filter.
Izorkin 2022-03-07 23:28:43 +03:00
parent 031ab33274
commit b672e4dd2c
No known key found for this signature in database
GPG Key ID: 1436C1B3F3679F09
2 changed files with 3 additions and 1 deletions


@ -924,7 +924,8 @@ in
PrivateMounts = true;
# System Call Filtering
SystemCallArchitectures = "native";
SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" ] ++ optionals (cfg.package != pkgs.tengine) [ "~@ipc" ];
SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" ]
++ optionals ((cfg.package != pkgs.tengine) && (!lib.any (mod: (mod.disableIPC or false)) cfg.package.modules)) [ "~@ipc" ];
};
};
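Review bot: The `~@ipc` deny entry is now left out of SystemCallFilter for the whole nginx service as soon as any one entry in `cfg.package.modules` sets the flag, and neither this expression nor the `disableIPC = true;` line in the second file says why, so the sandbox is relaxed with no rationale visible at either site. A comment above the `++ optionals` line, for example `# A module with disableIPC = true asks for the ~@ipc deny entry to be left out, which re-allows the @ipc syscall group`, would make the trade-off explicit. The name also reads as if IPC were being switched off, while its effect is the opposite. If a package without a `modules` attribute can be assigned to `cfg.package` (not visible from this hunk), the lookup would fail at evaluation, and `(cfg.package.modules or [])` would avoid that. The enclosing attribute set starts outside the hunk.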


@ -256,6 +256,7 @@ in
sha256 = "sha256-UXiitc3jZlgXlCsDPS+xEFLNRVgRbn8BCCXUEqAWlII=";
};
inputs = [ pkgs.curl pkgs.geoip pkgs.libmodsecurity pkgs.libxml2 pkgs.lmdb pkgs.yajl ];
disableIPC = true;
};
moreheaders = {