summary refs log tree commit diff
path: root/nixos/doc/manual/configuration
diff options
context:
space:
mode:
authorJoachim Fasting <joachifm@fastmail.fm>2016-08-05 17:39:47 +0200
committerJoachim Fasting <joachifm@fastmail.fm>2016-08-15 20:36:46 +0200
commit567640d80caeaa70abd95b9841111f31a5193685 (patch)
tree61c6c331199ed3492d9c7154bbba9f60287cb5f4 /nixos/doc/manual/configuration
parent65ed79a1e86cc0e48a6d2a5e08bb336551ee0337 (diff)
downloadnixlib-567640d80caeaa70abd95b9841111f31a5193685.tar
nixlib-567640d80caeaa70abd95b9841111f31a5193685.tar.gz
nixlib-567640d80caeaa70abd95b9841111f31a5193685.tar.bz2
nixlib-567640d80caeaa70abd95b9841111f31a5193685.tar.lz
nixlib-567640d80caeaa70abd95b9841111f31a5193685.tar.xz
nixlib-567640d80caeaa70abd95b9841111f31a5193685.tar.zst
nixlib-567640d80caeaa70abd95b9841111f31a5193685.zip
grsecurity docs: add note about user namespaces
Diffstat (limited to 'nixos/doc/manual/configuration')
-rw-r--r--nixos/doc/manual/configuration/grsecurity.xml5


1 files changed, 5 insertions, 0 deletions
diff --git a/nixos/doc/manual/configuration/grsecurity.xml b/nixos/doc/manual/configuration/grsecurity.xml
index 3c17fc19397f..8387658f1e57 100644
--- a/nixos/doc/manual/configuration/grsecurity.xml
+++ b/nixos/doc/manual/configuration/grsecurity.xml
@@ -265,6 +265,11 @@
   <sect1 xml:id="sec-grsec-issues"><title>Issues and work-arounds</title>
 
   <itemizedlist>
+    <listitem><para>User namespaces require <literal>CAP_SYS_ADMIN</literal>:
+    consequently, unprivileged namespaces are unsupported. Applications that
+    rely on namespaces for sandboxing (e.g., chromium) must use a privileged
+    helper.</para></listitem>
+
     <listitem><para>Access to EFI runtime services is disabled by default:
     this plugs a potential code injection attack vector; use
     <option>security.grsecurity.disableEfiRuntimeServices</option> to override

 

generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-07-06 12:46:58 +0000