Diffstat (limited to 'nixpkgs/nixos/modules/security/misc.nix')
-rw-r--r-- | nixpkgs/nixos/modules/security/misc.nix | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/nixpkgs/nixos/modules/security/misc.nix b/nixpkgs/nixos/modules/security/misc.nix 
index c20e067b8cc7..6833452a570e 100644 
--- a/nixpkgs/nixos/modules/security/misc.nix 
+++ b/nixpkgs/nixos/modules/security/misc.nix 
@@ -15,7 +15,7 @@ with lib;
 security.allowUserNamespaces = mkOption {
 type = types.bool;
 default = true; 
- description = '' 
+ description = lib.mdDoc ''
 Whether to allow creation of user namespaces. The motivation for disabling user namespaces is the potential 
@@ -34,7 +34,7 @@ with lib;
 security.unprivilegedUsernsClone = mkOption {
 type = types.bool;
 default = false; 
- description = '' 
+ description = lib.mdDoc ''
 When disabled, unprivileged users will not be able to create new namespaces. By default unprivileged user namespaces are disabled. This option only works in a hardened profile. 
@@ -44,7 +44,7 @@ with lib;
 security.protectKernelImage = mkOption {
 type = types.bool;
 default = false; 
- description = '' 
+ description = lib.mdDoc ''
 Whether to prevent replacing the running kernel image.
 '';
 }; 
@@ -52,7 +52,7 @@ with lib;
 security.allowSimultaneousMultithreading = mkOption {
 type = types.bool;
 default = true; 
- description = '' 
+ description = lib.mdDoc ''
 Whether to allow SMT/hyperthreading. Disabling SMT means that only physical CPU cores will be usable at runtime, potentially at significant performance cost. 
@@ -62,7 +62,7 @@ with lib;
 e.g., shared caches). This attack vector is unproven. Disabling SMT is a supplement to the L1 data cache flushing mitigation 
- (see <xref linkend="opt-security.virtualisation.flushL1DataCache"/>) 
+ (see [](#opt-security.virtualisation.flushL1DataCache))
 versus malicious VM guests (SMT could "bring back" previously flushed data). ''; 
@@ -71,7 +71,7 @@ with lib; security.forcePageTableIsolation = mkOption { type = types.bool; default = false; - description = '' + description = lib.mdDoc '' Whether to force-enable the Page Table Isolation (PTI) Linux kernel feature even on CPU models that claim to be safe from Meltdown. |