diff options
Diffstat (limited to 'nixos/doc/manual/configuration')
-rw-r--r-- | nixos/doc/manual/configuration/grsecurity.xml | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/nixos/doc/manual/configuration/grsecurity.xml b/nixos/doc/manual/configuration/grsecurity.xml index 3c17fc19397f..8387658f1e57 100644 --- a/nixos/doc/manual/configuration/grsecurity.xml +++ b/nixos/doc/manual/configuration/grsecurity.xml @@ -265,6 +265,11 @@ <sect1 xml:id="sec-grsec-issues"><title>Issues and work-arounds</title> <itemizedlist> + <listitem><para>User namespaces require <literal>CAP_SYS_ADMIN</literal>: + consequently, unprivileged namespaces are unsupported. Applications that + rely on namespaces for sandboxing (e.g., chromium) must use a privileged + helper.</para></listitem> + <listitem><para>Access to EFI runtime services is disabled by default: this plugs a potential code injection attack vector; use <option>security.grsecurity.disableEfiRuntimeServices</option> to override |