
nixos/nginx: don't disable IPC
This also disables the memfd_create syscall, which is required for
certain regexes when using pcre2.

see #355989 (comment)

(cherry picked from commit 996f9e4)
SuperSandro2000 authored and github-actions[bot] committed Dec 9, 2024
1 parent ca1f3a4 commit 9e66870
Showing 2 changed files with 1 addition and 3 deletions.
3 changes: 1 addition & 2 deletions nixos/modules/services/web-servers/nginx/default.nix
Expand Up @@ -1305,8 +1305,7 @@ in
# System Call Filtering
SystemCallArchitectures = "native";
SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" ]
++ optional cfg.enableQuicBPF [ "bpf" ]
++ optionals ((cfg.package != pkgs.tengine) && (cfg.package != pkgs.openresty) && (!lib.any (mod: (mod.disableIPC or false)) cfg.package.modules)) [ "~@ipc" ];
++ optional cfg.enableQuicBPF [ "bpf" ];
};
};

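Review bot: The whole @ipc seccomp group is left unfiltered for every nginx variant after this change, although the commit message names only memfd_create as the call pcre2 needs; SysV shared memory and message queues, POSIX mq_*, and process_vm_readv/process_vm_writev are no longer denied either. systemd merges SystemCallFilter= items in order, and as far as I can tell a later allow item removes a single call from an earlier deny list, so the regression could be fixed while keeping the rest of the hardening with `++ [ "~@ipc" "memfd_create" ]` in place of the dropped `optionals (...) [ "~@ipc" ]` line — worth confirming against the systemd version NixOS ships. Whichever form is kept, a comment on the filter such as `# @ipc is not denied: pcre2 needs memfd_create for some regexes (see #355989)` would stop the denial from being quietly re-added later. The serviceConfig attribute set this filter belongs to begins above the hunk.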
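--- a/pkgs/servers/http/nginx/modules.nix
+++ b/pkgs/servers/http/nginx/modules.nix
@@ -439,7 +439,6 @@ let self = {
 };
 
 inputs = [ curl geoip libmodsecurity libxml2 lmdb yajl ];
-disableIPC = true;
 
 meta = with lib; {
 description = "Open source, cross platform web application firewall (WAF)";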
