Diffstat (limited to 'nixpkgs/nixos/doc/manual/configuration/profiles/hardened.xml')
-rw-r--r-- | nixpkgs/nixos/doc/manual/configuration/profiles/hardened.xml | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/nixpkgs/nixos/doc/manual/configuration/profiles/hardened.xml b/nixpkgs/nixos/doc/manual/configuration/profiles/hardened.xml new file mode 100644 index 000000000000..dc83fc837e2a --- /dev/null +++ b/nixpkgs/nixos/doc/manual/configuration/profiles/hardened.xml @@ -0,0 +1,24 @@ +<section xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="sec-profile-hardened"> + <title>Hardened</title> + + <para> + A profile with most (vanilla) hardening options enabled by default, + potentially at the cost of features and performance. + </para> + + <para> + This includes a hardened kernel, and limiting the system information + available to processes through the <filename>/sys</filename> and + <filename>/proc</filename> filesystems. It also disables the User Namespaces + feature of the kernel, which stops Nix from being able to build anything + (this particular setting can be overriden via + <xref linkend="opt-security.allowUserNamespaces"/>). See the + <literal + xlink:href="https://github.com/nixos/nixpkgs/tree/master/nixos/modules/profiles/hardened.nix"> + profile source</literal> for further detail on which settings are altered. + </para> +</section> |
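Review bot: "overriden" in the `security.allowUserNamespaces` parenthetical should be "overridden"; this is user-facing manual text, so fix it before merge. Two style points in the same paragraph: the hyperlink is wrapped in `<literal xlink:href="...">`, where `<link xlink:href="...">` is the usual DocBook element for a hyperlink and would render "profile source" as running text rather than monospace; and the link targets `tree/master/nixos/modules/profiles/hardened.nix`, so the "further detail on which settings are altered" it promises will drift away from what this manual page describes as the profile changes on master. Finally, "This includes a hardened kernel, and limiting the system information available ..." mixes a noun and a gerund; "This includes a hardened kernel and limits the system information available ..." reads more cleanly.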