Merge pull request #7149 from joachifm/grsec-gradm-optional

grsecurity module: configure gradm iff RBAC is enabled
2024-11-01 15:11:25 +00:00 · 2015-04-13 17:11:29 -05:00 · 2015-04-13 17:11:29 -05:00 · 8d3b8d0dc8
commit 8d3b8d0dc8
parent b86f6a3ed6 3e847d512d
1 changed files with 12 additions and 13 deletions
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@ -276,22 +276,21 @@ in
 #     };
 #   };

-    system.activationScripts.grsec =
-      ''
-        mkdir -p /etc/grsec
-        if [ ! -f /etc/grsec/learn_config ]; then
-          cp ${pkgs.gradm}/etc/grsec/learn_config /etc/grsec
-        fi
-        if [ ! -f /etc/grsec/policy ]; then
-          cp ${pkgs.gradm}/etc/grsec/policy /etc/grsec
-        fi
-        chmod -R 0600 /etc/grsec
-      '';
+    system.activationScripts = lib.optionalAttrs (!cfg.config.disableRBAC) { grsec = ''
+      mkdir -p /etc/grsec
+      if [ ! -f /etc/grsec/learn_config ]; then
+        cp ${pkgs.gradm}/etc/grsec/learn_config /etc/grsec
+      fi
+      if [ ! -f /etc/grsec/policy ]; then
+        cp ${pkgs.gradm}/etc/grsec/policy /etc/grsec
+      fi
+      chmod -R 0600 /etc/grsec
+    ''; };

    # Enable AppArmor, gradm udev rules, and utilities
    security.apparmor.enable   = true;
    boot.kernelPackages        = customGrsecPkg;
-    services.udev.packages     = [ pkgs.gradm ];
-    environment.systemPackages = [ pkgs.gradm pkgs.paxctl pkgs.pax-utils ];
+    services.udev.packages     = lib.optional (!cfg.config.disableRBAC) pkgs.gradm;
+    environment.systemPackages = [ pkgs.paxctl pkgs.pax-utils ] ++ lib.optional (!cfg.config.disableRBAC) pkgs.gradm;
  };
 }