Merge pull request #138516 from rnhmjoj/lock-kernel-fix

nixos/lock-kernel-modules: reorder before/after
2021-09-20 15:13:12 +02:00 · 2021-09-20 15:13:12 +02:00 · ea1eae5b47
parent 23acc562d2 1bd7260adb
commit ea1eae5b47
2 changed files with 2 additions and 1 deletions
--- a/nixos/modules/security/lock-kernel-modules.nix
+++ b/nixos/modules/security/lock-kernel-modules.nix
@ -35,10 +35,10 @@ with lib;
      wants = [ "systemd-udevd.service" ];
      wantedBy = [ config.systemd.defaultUnit ];

-      before = [ config.systemd.defaultUnit ];
      after =
        [ "firewall.service"
          "systemd-modules-load.service"
+           config.systemd.defaultUnit
        ];

      unitConfig.ConditionPathIsReadWrite = "/proc/sys/kernel";
--- a/nixos/tests/hardened.nix
+++ b/nixos/tests/hardened.nix
@ -57,6 +57,7 @@ import ./make-test-python.nix ({ pkgs, latestKernel ? false, ... } : {
      # Test kernel module hardening
      with subtest("No more kernel modules can be loaded"):
          # note: this better a be module we normally wouldn't load ...
+          machine.wait_for_unit("disable-kernel-module-loading.service")
          machine.fail("modprobe dccp")