authorLassulus <github@lassul.us>2022-04-20 13:57:59 +0100
committerGitHub <noreply@github.com>2022-04-20 13:57:59 +0100
commitc5076b5a06fe94f6c384514de92b48c72aebfad0 (patch)
tree522f8736c40a2048bf584ad66434758b762237a1
parentMerge pull request #169211 from Ma27/mautrix-whatsapp-backport (diff)
parentnginxModules: add option disableIPC (diff)
downloadnixpkgs-c5076b5a06fe94f6c384514de92b48c72aebfad0.tar.gz
Merge pull request #163319 from Izorkin/backport-fix-nginx
[Backport release-21.11] nixos/nginx: update SystemCallFilter
-rw-r--r--nixos/modules/services/web-servers/nginx/default.nix3
-rw-r--r--pkgs/servers/http/nginx/modules.nix1
2 files changed, 3 insertions, 1 deletions
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 3c927246b2c4..1de8665c65b7 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -907,7 +907,8 @@ in
PrivateMounts = true;
# System Call Filtering
SystemCallArchitectures = "native";
- SystemCallFilter = "~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid";
+ SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" ]
+ ++ optionals ((cfg.package != pkgs.tengine) && (!lib.any (mod: (mod.disableIPC or false)) cfg.package.modules)) [ "~@ipc" ];
};
};
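Review bot: The second added line drops `~@ipc` from the filter for tengine and for any package whose module list contains a module with `disableIPC = true`, but nothing in the hunk records why, so a later reader cannot tell this is a deliberate loosening of the systemd sandbox rather than a leftover; a comment above the `SystemCallFilter` line such as `# @ipc is intentionally not filtered for tengine or when a bundled module sets disableIPC (the libmodsecurity-based module in modules.nix), since those need syscalls from that group; every other set still applies.` would make the trade-off explicit. The expression also reads `cfg.package.modules` unconditionally, so a package that does not expose a `modules` attribute would fail evaluation instead of keeping the stricter filter; `(cfg.package.modules or [])` preserves the default of adding `~@ipc` in that case, assuming not every package accepted by `services.nginx.package` is guaranteed to carry it — worth confirming. The enclosing `serviceConfig` attribute set starts and ends outside the hunk.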
diff --git a/pkgs/servers/http/nginx/modules.nix b/pkgs/servers/http/nginx/modules.nix
index 3a234009f3e2..b4f0fe1a5a41 100644
--- a/pkgs/servers/http/nginx/modules.nix
+++ b/pkgs/servers/http/nginx/modules.nix
@@ -213,6 +213,7 @@ in
sha256 = "sha256-UXiitc3jZlgXlCsDPS+xEFLNRVgRbn8BCCXUEqAWlII=";
};
inputs = [ pkgs.curl pkgs.geoip pkgs.libmodsecurity pkgs.libxml2 pkgs.lmdb pkgs.yajl ];
+ disableIPC = true;
};
moreheaders = {