movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-14 14:10:33 +03:00
Code Activity

nixos/nginx: don't disable IPC

Browse source 
This also disables the memfd_create syscall which is required for
certain regex's when using pcre2.

see https://github.com/NixOS/nixpkgs/pull/355989#issuecomment-2506841275
This commit is contained in:
Sandro Jäckel 2024-11-29 00:40:33 +01:00
parent bfe7bb410f
commit 996f9e4f28
No known key found for this signature in database
GPG key ID: 3AF5A43A3EECC2E5
2 changed files with 1 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

3
nixos/modules/services/web-servers/nginx/default.nix
View file

@ -1305,8 +1305,7 @@ in
# System Call Filtering
SystemCallArchitectures = "native";
SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" ]
++ optional cfg.enableQuicBPF [ "bpf" ]
++ optionals ((cfg.package != pkgs.tengine) && (cfg.package != pkgs.openresty) && (!lib.any (mod: (mod.disableIPC or false)) cfg.package.modules)) [ "~@ipc" ];
++ optional cfg.enableQuicBPF [ "bpf" ];
};
};

1
pkgs/servers/http/nginx/modules.nix
View file

@ -439,7 +439,6 @@ let self = {
};
inputs = [ curl geoip libmodsecurity libxml2 lmdb yajl ];
disableIPC = true;
meta = with lib; {
description = "Open source, cross platform web application firewall (WAF)";