| field | value | date |
|---|---|---|
| author | Joachim Fasting <joachifm@fastmail.fm> | 2019-04-21 11:50:52 +0200 |
| committer | Joachim Fasting <joachifm@fastmail.fm> | 2019-04-21 13:11:25 +0200 |
| commit | b33da46a8e757740d1b555c12162a1516396d646 (patch) | |
| tree | f6a8f4ab58e7026f7078cf84bddb218ef4c755e1 /nixos | |
| parent | 97d35b251b2547dc7196193afb63c643717220d0 (diff) | |
nixos/hardened: split description of allowUserNamespaces into paras
Diffstat (limited to 'nixos')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | nixos/modules/security/misc.nix | 24 |

1 files changed, 17 insertions, 7 deletions
diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix index 4506a67487d4..ecf22bf81c59 100644 --- a/nixos/modules/security/misc.nix +++ b/nixos/modules/security/misc.nix @@ -12,14 +12,24 @@ with lib; type = types.bool; default = true; description = '' - Whether to allow creation of user namespaces. A recurring problem - with user namespaces is the presence of code paths where the kernel's - permission checking logic fails to account for namespacing, instead - permitting a namespaced process to act outside the namespace with the - same privileges as it would have inside it. This is particularly + Whether to allow creation of user namespaces. + </para> + + <para> + The motivation for disabling user namespaces is the potential + presence of code paths where the kernel's permission checking + logic fails to account for namespacing, instead permitting a + namespaced process to act outside the namespace with the same + privileges as it would have inside it. This is particularly damaging in the common case of running as root within the namespace. - When user namespace creation is disallowed, attempting to create - a user namespace fails with "no space left on device" (ENOSPC). + </para> + + <para> + When user namespace creation is disallowed, attempting to create a + user namespace fails with "no space left on device" (ENOSPC). + root may re-enable user namespace creation at runtime. + </para> + <para> ''; }; |
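Review bot: the new sentence "root may re-enable user namespace creation at runtime." in the last paragraph states the one caveat that matters for the threat model (this option restricts unprivileged users; it is not a boundary against a root process) but gives no hint of how, so an administrator cannot tell what to audit or monitor. Since the preceding sentence already documents the ENOSPC symptom, naming the kernel limit that produces it, if that is what this option sets, would make both the mechanism and the "root can flip it back" note concrete in one line. Second, the description now ends with an unmatched `<para>` after the final `</para>`; that is only well-formed if the option-documentation generator wraps the whole description in its own `<para>...</para>`. If that is the convention this module relies on, a build of the manual before merge is cheap insurance, because a stray paragraph tag here breaks the rendered option docs rather than the module.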