
grsecurity docs: some polish

Fix minor formatting issues, excessive punctuation, and also some
improved wording.

+20 -18
nixos/modules/security/grsecurity.xml
··· 7 7 <title>Grsecurity/PaX</title> 8 8 9 9 <para> 10 - Grsecurity/PaX is a set of patches against the Linux kernel that make it 11 - harder to exploit bugs. The patchset includes protections such as 12 - enforcement of non-executable memory, address space layout randomization, 13 - and chroot jail hardening. These and other 10 + Grsecurity/PaX is a set of patches against the Linux kernel that 11 + implements an extensive suite of 14 12 <link xlink:href="https://grsecurity.net/features.php">features</link> 15 - render entire classes of exploits inert without additional efforts on the 16 - part of the adversary. 13 + designed to increase the difficulty of exploiting kernel and 14 + application bugs. 17 15 </para> 18 16 19 17 <para> 20 18 The NixOS grsecurity/PaX module is designed with casual users in mind and is 21 - intended to be compatible with normal desktop usage, without unnecessarily 22 - compromising security. The following sections describe the configuration 23 - and administration of a grsecurity/PaX enabled NixOS system. For 24 - more comprehensive coverage, please refer to the 19 + intended to be compatible with normal desktop usage, without 20 + <emphasis>unnecessarily</emphasis> compromising security. The 21 + following sections describe the configuration and administration of 22 + a grsecurity/PaX enabled NixOS system. For more comprehensive 23 + coverage, please refer to the 25 24 <link xlink:href="https://en.wikibooks.org/wiki/Grsecurity">grsecurity wikibook</link> 26 25 and the 27 26 <link xlink:href="https://wiki.archlinux.org/index.php/Grsecurity">Arch ··· 35 34 and each configuration requires quite a bit of testing to ensure that the 36 35 resulting packages work as advertised. Defining additional package sets 37 36 would likely result in a large number of functionally broken packages, to 38 - nobody's benefit.</para></note>. 
37 + nobody's benefit.</para></note> 39 38 </para> 40 39 41 40 <sect1 xml:id="sec-grsec-enable"><title>Enabling grsecurity/PaX</title> ··· 126 125 The NixOS kernel is built using upstream's recommended settings for a 127 126 desktop deployment that generally favours security over performance. This 128 127 section details deviations from upstream's recommendations that may 129 - compromise operational security. 128 + compromise security. 130 129 131 130 <warning><para>There may be additional problems not covered here!</para> 132 - </warning>. 131 + </warning> 133 132 </para> 134 133 135 134 <itemizedlist> ··· 159 158 <listitem><para> 160 159 The NixOS module conditionally weakens <command>chroot</command> 161 160 restrictions to accommodate NixOS lightweight containers and sandboxed Nix 162 - builds. This is problematic if the deployment also runs a privileged 163 - network facing process that <emphasis>relies</emphasis> on 161 + builds. This can be problematic if the deployment also runs privileged 162 + network facing processes that <emphasis>rely</emphasis> on 164 163 <command>chroot</command> for isolation. 165 164 </para></listitem> 166 165 ··· 221 220 </para> 222 221 223 222 <para> 224 - The wikibook provides an exhaustive listing of 223 + The grsecurity/PaX wikibook provides an exhaustive listing of 225 224 <link xlink:href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options">kernel configuration options</link>. 226 225 </para> 227 226 228 227 <para> 229 228 The NixOS module makes several assumptions about the kernel and so 230 229 may be incompatible with your customised kernel. Currently, the only way 231 - to work around incompatibilities is to eschew the NixOS module. 230 + to work around these incompatibilities is to eschew the NixOS 231 + module. 
232 + </para> 232 233 234 + <para> 233 235 If not using the NixOS module, a custom grsecurity package set can 234 236 be specified inline instead, as in 235 237 <programlisting> ··· 290 292 291 293 <listitem><para>User initiated autoloading of modules (e.g., when 292 294 using fuse or loop devices) is disallowed; either load requisite modules 293 - as root or add them to<option>boot.kernelModules</option>.</para></listitem> 295 + as root or add them to <option>boot.kernelModules</option>.</para></listitem> 294 296 295 297 <listitem><para>Virtualization: KVM is the preferred virtualization 296 298 solution. Xen, Virtualbox, and VMWare are
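Review bot: in the first hunk of grsecurity.xml (lines 10-16), the rewrite drops the only concrete examples the reader gets of what the patchset actually does (enforcement of non-executable memory, address space layout randomization, chroot jail hardening); the link to features.php is not a substitute for an inline summary, since it takes the reader off the page. Suggest keeping a short parenthetical, e.g. `implements an extensive suite of <link xlink:href="https://grsecurity.net/features.php">features</link> (non-executable memory enforcement, address space layout randomization and chroot hardening, among others) designed to increase the difficulty of exploiting kernel and application bugs.` Replacing `render entire classes of exploits inert without additional efforts on the part of the adversary` with the more modest `increase the difficulty of exploiting` is the right call and should stay, as the old wording overstated what the patchset guarantees.

Review bot: in the chroot hunk (lines 160-164), softening `This is problematic` to `This can be problematic` and pluralising `processes that rely on` reads fine, but the sentence still does not say which `chroot` restrictions the module weakens, under what configuration the weakening is applied, or how an administrator would check whether a given deployment is affected. Since the enclosing section explicitly lists "deviations from upstream's recommendations that may compromise security", a cross-reference to the option that triggers the weakening would let readers act on the warning instead of only reading it; as a minimum, name the condition (lightweight containers or sandboxed Nix builds being enabled) in the same sentence rather than leaving it implied.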