pyrox.dev
grsecurity docs: mention chromium setuid sandbox
+2
-2
nixos/doc/manual/configuration/grsecurity.xml
+2
-2
nixos/doc/manual/configuration/grsecurity.xml
···
267
<itemizedlist>
268
<listitem><para>User namespaces require <literal>CAP_SYS_ADMIN</literal>:
269
consequently, unprivileged namespaces are unsupported. Applications that
270
-
rely on namespaces for sandboxing (e.g., chromium) must use a privileged
271
-
helper.</para></listitem>
272
273
<listitem><para>Access to EFI runtime services is disabled by default:
274
this plugs a potential code injection attack vector; use
···
267
<itemizedlist>
268
<listitem><para>User namespaces require <literal>CAP_SYS_ADMIN</literal>:
269
consequently, unprivileged namespaces are unsupported. Applications that
270
+
rely on namespaces for sandboxing must use a privileged helper. For chromium
271
+
there is <option>security.chromiumSuidSandbox.enable</option>.</para></listitem>
272
273
<listitem><para>Access to EFI runtime services is disabled by default:
274
this plugs a potential code injection attack vector; use