3
0
Fork 0
forked from mirrors/nixpkgs

grsecurity docs: some polish

Fix minor formatting issues, excessive punctuation, and also some
improved wording.
This commit is contained in:
Joachim Fasting 2017-02-03 18:41:18 +01:00
parent eb0eed4205
commit 0c31286f75
No known key found for this signature in database
GPG key ID: 7544761007FE4E08

View file

@ -7,21 +7,20 @@
<title>Grsecurity/PaX</title>
<para>
Grsecurity/PaX is a set of patches against the Linux kernel that make it
harder to exploit bugs. The patchset includes protections such as
enforcement of non-executable memory, address space layout randomization,
and chroot jail hardening. These and other
Grsecurity/PaX is a set of patches against the Linux kernel that
implements an extensive suite of
<link xlink:href="https://grsecurity.net/features.php">features</link>
render entire classes of exploits inert without additional efforts on the
part of the adversary.
designed to increase the difficulty of exploiting kernel and
application bugs.
</para>
<para>
The NixOS grsecurity/PaX module is designed with casual users in mind and is
intended to be compatible with normal desktop usage, without unnecessarily
compromising security. The following sections describe the configuration
and administration of a grsecurity/PaX enabled NixOS system. For
more comprehensive coverage, please refer to the
intended to be compatible with normal desktop usage, without
<emphasis>unnecessarily</emphasis> compromising security. The
following sections describe the configuration and administration of
a grsecurity/PaX enabled NixOS system. For more comprehensive
coverage, please refer to the
<link xlink:href="https://en.wikibooks.org/wiki/Grsecurity">grsecurity wikibook</link>
and the
<link xlink:href="https://wiki.archlinux.org/index.php/Grsecurity">Arch
@ -35,7 +34,7 @@
and each configuration requires quite a bit of testing to ensure that the
resulting packages work as advertised. Defining additional package sets
would likely result in a large number of functionally broken packages, to
nobody's benefit.</para></note>.
nobody's benefit.</para></note>
</para>
<sect1 xml:id="sec-grsec-enable"><title>Enabling grsecurity/PaX</title>
@ -126,10 +125,10 @@
The NixOS kernel is built using upstream's recommended settings for a
desktop deployment that generally favours security over performance. This
section details deviations from upstream's recommendations that may
compromise operational security.
compromise security.
<warning><para>There may be additional problems not covered here!</para>
</warning>.
</warning>
</para>
<itemizedlist>
@ -159,8 +158,8 @@
<listitem><para>
The NixOS module conditionally weakens <command>chroot</command>
restrictions to accommodate NixOS lightweight containers and sandboxed Nix
builds. This is problematic if the deployment also runs a privileged
network facing process that <emphasis>relies</emphasis> on
builds. This can be problematic if the deployment also runs privileged
network facing processes that <emphasis>rely</emphasis> on
<command>chroot</command> for isolation.
</para></listitem>
@ -221,15 +220,18 @@
</para>
<para>
The wikibook provides an exhaustive listing of
The grsecurity/PaX wikibook provides an exhaustive listing of
<link xlink:href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options">kernel configuration options</link>.
</para>
<para>
The NixOS module makes several assumptions about the kernel and so
may be incompatible with your customised kernel. Currently, the only way
to work around incompatibilities is to eschew the NixOS module.
to work around these incompatibilities is to eschew the NixOS
module.
</para>
<para>
If not using the NixOS module, a custom grsecurity package set can
be specified inline instead, as in
<programlisting>
@ -290,7 +292,7 @@
<listitem><para>User initiated autoloading of modules (e.g., when
using fuse or loop devices) is disallowed; either load requisite modules
as root or add them to<option>boot.kernelModules</option>.</para></listitem>
as root or add them to <option>boot.kernelModules</option>.</para></listitem>
<listitem><para>Virtualization: KVM is the preferred virtualization
solution. Xen, Virtualbox, and VMWare are