forked from mirrors/nixpkgs
grsecurity docs: some polish
Fix minor formatting issues, excessive punctuation, and also some improved wording.
This commit is contained in:
Joachim Fasting
parent
eb0eed4205
commit
0c31286f75
|
|
@ -7,21 +7,20 @@
|
|||
<title>Grsecurity/PaX</title>
|
||||
|
||||
<para>
|
||||
Grsecurity/PaX is a set of patches against the Linux kernel that make it
|
||||
harder to exploit bugs. The patchset includes protections such as
|
||||
enforcement of non-executable memory, address space layout randomization,
|
||||
and chroot jail hardening. These and other
|
||||
Grsecurity/PaX is a set of patches against the Linux kernel that
|
||||
implements an extensive suite of
|
||||
<link xlink:href="https://grsecurity.net/features.php">features</link>
|
||||
render entire classes of exploits inert without additional efforts on the
|
||||
part of the adversary.
|
||||
designed to increase the difficulty of exploiting kernel and
|
||||
application bugs.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The NixOS grsecurity/PaX module is designed with casual users in mind and is
|
||||
intended to be compatible with normal desktop usage, without unnecessarily
|
||||
compromising security. The following sections describe the configuration
|
||||
and administration of a grsecurity/PaX enabled NixOS system. For
|
||||
more comprehensive coverage, please refer to the
|
||||
intended to be compatible with normal desktop usage, without
|
||||
<emphasis>unnecessarily</emphasis> compromising security. The
|
||||
following sections describe the configuration and administration of
|
||||
a grsecurity/PaX enabled NixOS system. For more comprehensive
|
||||
coverage, please refer to the
|
||||
<link xlink:href="https://en.wikibooks.org/wiki/Grsecurity">grsecurity wikibook</link>
|
||||
and the
|
||||
<link xlink:href="https://wiki.archlinux.org/index.php/Grsecurity">Arch
|
||||
|
|
@ -35,7 +34,7 @@
|
|||
and each configuration requires quite a bit of testing to ensure that the
|
||||
resulting packages work as advertised. Defining additional package sets
|
||||
would likely result in a large number of functionally broken packages, to
|
||||
nobody's benefit.</para></note>.
|
||||
nobody's benefit.</para></note>
|
||||
</para>
|
||||
|
||||
<sect1 xml:id="sec-grsec-enable"><title>Enabling grsecurity/PaX</title>
|
||||
|
|
@ -126,10 +125,10 @@
|
|||
The NixOS kernel is built using upstream's recommended settings for a
|
||||
desktop deployment that generally favours security over performance. This
|
||||
section details deviations from upstream's recommendations that may
|
||||
compromise operational security.
|
||||
compromise security.
|
||||
|
||||
<warning><para>There may be additional problems not covered here!</para>
|
||||
</warning>.
|
||||
</warning>
|
||||
</para>
|
||||
|
||||
<itemizedlist>
|
||||
|
|
@ -159,8 +158,8 @@
|
|||
<listitem><para>
|
||||
The NixOS module conditionally weakens <command>chroot</command>
|
||||
restrictions to accommodate NixOS lightweight containers and sandboxed Nix
|
||||
builds. This is problematic if the deployment also runs a privileged
|
||||
network facing process that <emphasis>relies</emphasis> on
|
||||
builds. This can be problematic if the deployment also runs privileged
|
||||
network facing processes that <emphasis>rely</emphasis> on
|
||||
<command>chroot</command> for isolation.
|
||||
</para></listitem>
|
||||
|
||||
|
|
@ -221,15 +220,18 @@
|
|||
</para>
|
||||
|
||||
<para>
|
||||
The wikibook provides an exhaustive listing of
|
||||
The grsecurity/PaX wikibook provides an exhaustive listing of
|
||||
<link xlink:href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options">kernel configuration options</link>.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The NixOS module makes several assumptions about the kernel and so
|
||||
may be incompatible with your customised kernel. Currently, the only way
|
||||
to work around incompatibilities is to eschew the NixOS module.
|
||||
to work around these incompatibilities is to eschew the NixOS
|
||||
module.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
If not using the NixOS module, a custom grsecurity package set can
|
||||
be specified inline instead, as in
|
||||
<programlisting>
|
||||
|
|
@ -290,7 +292,7 @@
|
|||
|
||||
<listitem><para>User initiated autoloading of modules (e.g., when
|
||||
using fuse or loop devices) is disallowed; either load requisite modules
|
||||
as root or add them to<option>boot.kernelModules</option>.</para></listitem>
|
||||
as root or add them to <option>boot.kernelModules</option>.</para></listitem>
|
||||
|
||||
<listitem><para>Virtualization: KVM is the preferred virtualization
|
||||
solution. Xen, Virtualbox, and VMWare are
|
||||
|
|
|
|||
Loading…
Reference in a new issue