author | Joachim Fasting <joachifm@fastmail.fm> | 2016-08-05 17:39:47 +0200 |
---|---|---|
committer | Joachim Fasting <joachifm@fastmail.fm> | 2016-08-15 20:36:46 +0200 |
commit | 567640d80caeaa70abd95b9841111f31a5193685 (patch) | |
tree | 61c6c331199ed3492d9c7154bbba9f60287cb5f4 /nixos/doc/manual/configuration | |
parent | 65ed79a1e86cc0e48a6d2a5e08bb336551ee0337 (diff) | |
grsecurity docs: add note about user namespaces
Diffstat (limited to 'nixos/doc/manual/configuration')
-rw-r--r-- | nixos/doc/manual/configuration/grsecurity.xml | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/nixos/doc/manual/configuration/grsecurity.xml b/nixos/doc/manual/configuration/grsecurity.xml index 3c17fc19397f..8387658f1e57 100644 --- a/nixos/doc/manual/configuration/grsecurity.xml +++ b/nixos/doc/manual/configuration/grsecurity.xml @@ -265,6 +265,11 @@ <sect1 xml:id="sec-grsec-issues"><title>Issues and work-arounds</title> <itemizedlist> + <listitem><para>User namespaces require <literal>CAP_SYS_ADMIN</literal>: + consequently, unprivileged namespaces are unsupported. Applications that + rely on namespaces for sandboxing (e.g., chromium) must use a privileged + helper.</para></listitem> + <listitem><para>Access to EFI runtime services is disabled by default: this plugs a potential code injection attack vector; use <option>security.grsecurity.disableEfiRuntimeServices</option> to override |
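Review bot: The new listitem tells the reader that sandboxing applications "must use a privileged helper" but does not say which helper or how to enable it on NixOS, whereas the EFI item directly below it names the option to override. Consider naming the helper or the relevant configuration option, or linking to where that is documented, so the work-around is actionable. In the same item, "unprivileged namespaces are unsupported" would be clearer as "unprivileged user namespaces are unsupported", matching the subject of the sentence. Since this section is security documentation, it may also be worth one clause noting that a privileged helper is itself code running with elevated rights, so readers understand the trade-off they are accepting.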