public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/hardened: split description of allowUserNamespaces into paras

Browse Source
This commit is contained in:
Joachim Fasting 2019-04-21 11:50:52 +02:00
parent 97d35b251b
commit b33da46a8e
No known key found for this signature in database
GPG Key ID: 5C204DF675C90294
1 changed files with 17 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
nixos/modules/security/misc.nix
View File

@ -12,14 +12,24 @@ with lib;
type = types.bool; type = types.bool;
default = true; default = true;
description = '' description = ''
Whether to allow creation of user namespaces. A recurring problem Whether to allow creation of user namespaces.
with user namespaces is the presence of code paths where the kernel's </para>
permission checking logic fails to account for namespacing, instead
permitting a namespaced process to act outside the namespace with the <para>
same privileges as it would have inside it. This is particularly The motivation for disabling user namespaces is the potential
presence of code paths where the kernel's permission checking
logic fails to account for namespacing, instead permitting a
namespaced process to act outside the namespace with the same
privileges as it would have inside it. This is particularly
damaging in the common case of running as root within the namespace. damaging in the common case of running as root within the namespace.
When user namespace creation is disallowed, attempting to create </para>
a user namespace fails with "no space left on device" (ENOSPC).
<para>
When user namespace creation is disallowed, attempting to create a
user namespace fails with "no space left on device" (ENOSPC).
root may re-enable user namespace creation at runtime.
</para>
<para>
''; '';
}; };