grsecurity docs: add note about user namespaces

Joachim Fasting 2016-08-05 17:39:47 +02:00
parent 65ed79a1e8
commit 567640d80c
No known key found for this signature in database
GPG Key ID: 7544761007FE4E08
1 changed files with 5 additions and 0 deletions

@ -265,6 +265,11 @@
<sect1 xml:id="sec-grsec-issues"><title>Issues and work-arounds</title> <sect1 xml:id="sec-grsec-issues"><title>Issues and work-arounds</title>
<itemizedlist> <itemizedlist>
<listitem><para>User namespaces require <literal>CAP_SYS_ADMIN</literal>:
consequently, unprivileged namespaces are unsupported. Applications that
rely on namespaces for sandboxing (e.g., chromium) must use a privileged
helper.</para></listitem>
<listitem><para>Access to EFI runtime services is disabled by default: <listitem><para>Access to EFI runtime services is disabled by default:
this plugs a potential code injection attack vector; use this plugs a potential code injection attack vector; use
<option>security.grsecurity.disableEfiRuntimeServices</option> to override <option>security.grsecurity.disableEfiRuntimeServices</option> to override
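Review bot: the new list item ends with "must use a privileged helper" but gives the reader nothing to act on, whereas the EFI item right after it names the option to change (<option>security.grsecurity.disableEfiRuntimeServices</option>). Name the helper or the setting that enables it, or link to where that is documented. Two smaller wording points in the same item: "unprivileged namespaces are unsupported" should read "unprivileged user namespaces are unsupported", since the sentence is about user namespaces specifically, and "chromium" should be capitalised as a product name. It would also help to state that the privileged helper trades one sandboxing mechanism for a more privileged one, so readers understand this is a work-around and not an equivalent.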