public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

grsecurity docs: some polish

Browse Source 
Fix minor formatting issues, excessive punctuation, and also some
improved wording.
This commit is contained in:
Joachim Fasting 2017-02-03 18:41:18 +01:00
parent eb0eed4205
commit 0c31286f75
No known key found for this signature in database
GPG Key ID: 7544761007FE4E08
1 changed files with 20 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
nixos/modules/security/grsecurity.xml
View File

@ -7,21 +7,20 @@
<title>Grsecurity/PaX</title> <title>Grsecurity/PaX</title>
<para> <para>
Grsecurity/PaX is a set of patches against the Linux kernel that make it Grsecurity/PaX is a set of patches against the Linux kernel that
harder to exploit bugs. The patchset includes protections such as implements an extensive suite of
enforcement of non-executable memory, address space layout randomization,
and chroot jail hardening. These and other
<link xlink:href="https://grsecurity.net/features.php">features</link> <link xlink:href="https://grsecurity.net/features.php">features</link>
render entire classes of exploits inert without additional efforts on the designed to increase the difficulty of exploiting kernel and
part of the adversary. application bugs.
</para> </para>
<para> <para>
The NixOS grsecurity/PaX module is designed with casual users in mind and is The NixOS grsecurity/PaX module is designed with casual users in mind and is
intended to be compatible with normal desktop usage, without unnecessarily intended to be compatible with normal desktop usage, without
compromising security. The following sections describe the configuration <emphasis>unnecessarily</emphasis> compromising security. The
and administration of a grsecurity/PaX enabled NixOS system. For following sections describe the configuration and administration of
more comprehensive coverage, please refer to the a grsecurity/PaX enabled NixOS system. For more comprehensive
coverage, please refer to the
<link xlink:href="https://en.wikibooks.org/wiki/Grsecurity">grsecurity wikibook</link> <link xlink:href="https://en.wikibooks.org/wiki/Grsecurity">grsecurity wikibook</link>
and the and the
<link xlink:href="https://wiki.archlinux.org/index.php/Grsecurity">Arch <link xlink:href="https://wiki.archlinux.org/index.php/Grsecurity">Arch
@ -35,7 +34,7 @@
and each configuration requires quite a bit of testing to ensure that the and each configuration requires quite a bit of testing to ensure that the
resulting packages work as advertised. Defining additional package sets resulting packages work as advertised. Defining additional package sets
would likely result in a large number of functionally broken packages, to would likely result in a large number of functionally broken packages, to
nobody's benefit.</para></note>. nobody's benefit.</para></note>
</para> </para>
<sect1 xml:id="sec-grsec-enable"><title>Enabling grsecurity/PaX</title> <sect1 xml:id="sec-grsec-enable"><title>Enabling grsecurity/PaX</title>
@ -126,10 +125,10 @@
The NixOS kernel is built using upstream's recommended settings for a The NixOS kernel is built using upstream's recommended settings for a
desktop deployment that generally favours security over performance. This desktop deployment that generally favours security over performance. This
section details deviations from upstream's recommendations that may section details deviations from upstream's recommendations that may
compromise operational security. compromise security.
<warning><para>There may be additional problems not covered here!</para> <warning><para>There may be additional problems not covered here!</para>
</warning>. </warning>
</para> </para>
<itemizedlist> <itemizedlist>
@ -159,8 +158,8 @@
<listitem><para> <listitem><para>
The NixOS module conditionally weakens <command>chroot</command> The NixOS module conditionally weakens <command>chroot</command>
restrictions to accommodate NixOS lightweight containers and sandboxed Nix restrictions to accommodate NixOS lightweight containers and sandboxed Nix
builds. This is problematic if the deployment also runs a privileged builds. This can be problematic if the deployment also runs privileged
network facing process that <emphasis>relies</emphasis> on network facing processes that <emphasis>rely</emphasis> on
<command>chroot</command> for isolation. <command>chroot</command> for isolation.
</para></listitem> </para></listitem>
@ -221,15 +220,18 @@
</para> </para>
<para> <para>
The wikibook provides an exhaustive listing of The grsecurity/PaX wikibook provides an exhaustive listing of
<link xlink:href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options">kernel configuration options</link>. <link xlink:href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options">kernel configuration options</link>.
</para> </para>
<para> <para>
The NixOS module makes several assumptions about the kernel and so The NixOS module makes several assumptions about the kernel and so
may be incompatible with your customised kernel. Currently, the only way may be incompatible with your customised kernel. Currently, the only way
to work around incompatibilities is to eschew the NixOS module. to work around these incompatibilities is to eschew the NixOS
module.
</para>
<para>
If not using the NixOS module, a custom grsecurity package set can If not using the NixOS module, a custom grsecurity package set can
be specified inline instead, as in be specified inline instead, as in
<programlisting> <programlisting>
@ -290,7 +292,7 @@
<listitem><para>User initiated autoloading of modules (e.g., when <listitem><para>User initiated autoloading of modules (e.g., when
using fuse or loop devices) is disallowed; either load requisite modules using fuse or loop devices) is disallowed; either load requisite modules
as root or add them to<option>boot.kernelModules</option>.</para></listitem> as root or add them to <option>boot.kernelModules</option>.</para></listitem>
<listitem><para>Virtualization: KVM is the preferred virtualization <listitem><para>Virtualization: KVM is the preferred virtualization
solution. Xen, Virtualbox, and VMWare are solution. Xen, Virtualbox, and VMWare are