From 0c31286f753ce39bd73847811eb69e2136520d0f Mon Sep 17 00:00:00 2001 From: Joachim Fasting Date: Fri, 3 Feb 2017 18:41:18 +0100 Subject: [PATCH] grsecurity docs: some polish Fix minor formatting issues, excessive punctuation, and also some improved wording. --- nixos/modules/security/grsecurity.xml | 38 ++++++++++++++------------- 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/nixos/modules/security/grsecurity.xml b/nixos/modules/security/grsecurity.xml index a7bcf4924f01..ef0aab4a3f13 100644 --- a/nixos/modules/security/grsecurity.xml +++ b/nixos/modules/security/grsecurity.xml @@ -7,21 +7,20 @@ Grsecurity/PaX - Grsecurity/PaX is a set of patches against the Linux kernel that make it - harder to exploit bugs. The patchset includes protections such as - enforcement of non-executable memory, address space layout randomization, - and chroot jail hardening. These and other + Grsecurity/PaX is a set of patches against the Linux kernel that + implements an extensive suite of features - render entire classes of exploits inert without additional efforts on the - part of the adversary. + designed to increase the difficulty of exploiting kernel and + application bugs. The NixOS grsecurity/PaX module is designed with casual users in mind and is - intended to be compatible with normal desktop usage, without unnecessarily - compromising security. The following sections describe the configuration - and administration of a grsecurity/PaX enabled NixOS system. For - more comprehensive coverage, please refer to the + intended to be compatible with normal desktop usage, without + unnecessarily compromising security. The + following sections describe the configuration and administration of + a grsecurity/PaX enabled NixOS system. For more comprehensive + coverage, please refer to the grsecurity wikibook and the Arch 
@@ -35,7 +34,7 @@ and each configuration requires quite a bit of testing to ensure that the resulting packages work as advertised. Defining additional package sets would likely result in a large number of functionally broken packages, to - nobody's benefit.. + nobody's benefit. Enabling grsecurity/PaX @@ -126,10 +125,10 @@ The NixOS kernel is built using upstream's recommended settings for a desktop deployment that generally favours security over performance. This section details deviations from upstream's recommendations that may - compromise operational security. + compromise security. There may be additional problems not covered here! - . + @@ -159,8 +158,8 @@ The NixOS module conditionally weakens chroot restrictions to accommodate NixOS lightweight containers and sandboxed Nix - builds. This is problematic if the deployment also runs a privileged - network facing process that relies on + builds. This can be problematic if the deployment also runs privileged + network facing processes that rely on chroot for isolation. @@ -221,15 +220,18 @@ - The wikibook provides an exhaustive listing of + The grsecurity/PaX wikibook provides an exhaustive listing of kernel configuration options. The NixOS module makes several assumptions about the kernel and so may be incompatible with your customised kernel. Currently, the only way - to work around incompatibilities is to eschew the NixOS module. + to work around these incompatibilities is to eschew the NixOS + module. + + If not using the NixOS module, a custom grsecurity package set can be specified inline instead, as in @@ -290,7 +292,7 @@ User initiated autoloading of modules (e.g., when using fuse or loop devices) is disallowed; either load requisite modules - as root or add them to. + as root or add them to . Virtualization: KVM is the preferred virtualization solution. Xen, Virtualbox, and VMWare are
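Review bot: In the first hunk (`@@ -7,21 +7,20 @@`), the rewritten opening paragraph drops the three concrete examples (enforcement of non-executable memory, address space layout randomization, chroot jail hardening) and leaves only "an extensive suite of features", so a reader no longer learns what kind of protection the patchset provides without following the link. Consider keeping a short clause that names them. Together with the removal of the "render entire classes of exploits inert" claim, this is a change of content rather than polish, so it deserves a line in the commit message.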
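Review bot: In the `@@ -159,8 +158,8 @@` hunk, changing "This is problematic" to "This can be problematic" softens a security caveat whose condition is already spelled out by the "if the deployment also runs privileged network facing processes" clause, so the extra hedge is redundant. I would keep "is" and hyphenate "network-facing" while the line is being touched. The visible paragraph names the risk but not what an affected administrator should do about it; if the surrounding text does not cover that, a pointer would be worth adding here.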
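Review bot: In the `@@ -221,15 +220,18 @@` hunk, "makes several assumptions about the kernel" still does not say which assumptions, so someone with a customised kernel cannot tell in advance whether the module will work for them; listing them, or linking to where they are defined, would make "these incompatibilities" concrete. "eschew the NixOS module" could simply be "not use the NixOS module", which matches "If not using the NixOS module" in the paragraph that follows.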
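Review bot: In the last hunk (`@@ -290,7 +292,7 @@`), the new line "as root or add them to ." leaves whitespace before the full stop; whatever element names the option there should close directly against the period so the rendered sentence has no stray space. The unchanged context lines also spell "Virtualbox" and "VMWare"; since this is a polish commit, "VirtualBox" and "VMware" could be corrected at the same time.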