author | David Izquierdo <david@izquierdofernandez.com> | 2018-10-25 10:20:34 +0200 |
---|---|---|
committer | David Izquierdo <david@izquierdofernandez.com> | 2018-11-06 12:57:50 +0100 |
commit | 614ea404433a8fd743171a020436b0a586ed4e8d (patch) | |
tree | 9f67b174dc97096330e9389f729ae3d5820cf212 | |
parent | b10d669919c8665d1c81305b9610e9e338656e51 (diff) | |
Docs: init section Hardened in chapter Profiles
-rw-r--r-- | nixos/doc/manual/configuration/profiles.xml | 1 | ||||
-rw-r--r-- | nixos/doc/manual/configuration/profiles/hardened.xml | 22 |
2 files changed, 23 insertions, 0 deletions
diff --git a/nixos/doc/manual/configuration/profiles.xml b/nixos/doc/manual/configuration/profiles.xml
index 2f306f584de..db73445ef02 100644
--- a/nixos/doc/manual/configuration/profiles.xml
+++ b/nixos/doc/manual/configuration/profiles.xml
@@ -31,4 +31,5 @@
 <xi:include href="profiles/demo.xml" />
 <xi:include href="profiles/docker-container.xml" />
 <xi:include href="profiles/graphical.xml" />
+ <xi:include href="profiles/hardened.xml" />
 </chapter>
diff --git a/nixos/doc/manual/configuration/profiles/hardened.xml b/nixos/doc/manual/configuration/profiles/hardened.xml
new file mode 100644
index 00000000000..3f4b9242461
--- /dev/null
+++ b/nixos/doc/manual/configuration/profiles/hardened.xml
@@ -0,0 +1,22 @@
+
+<section xmlns="http://docbook.org/ns/docbook"
+ xmlns:xlink="http://www.w3.org/1999/xlink"
+ xmlns:xi="http://www.w3.org/2001/XInclude"
+ version="5.0"
+ xml:id="sec-profile-hardened">
+ <title>Hardened</title>
+ <para>
+ A profile with most (vanilla) hardening options enabled by default,
+ potentially at the cost of features and performance.
+ </para>
+ <para>
+ This includes a hardened kernel, and limiting the system information
+ available to procesess via de <filename>/sys</filename> and
+ <filename>/proc</filename> filesystems. It also disables the User Namespaces
+ feature of the kernel, which stops Nix from being able to build anything
+ (this particular setting can be overriden via
+ <xref linkend="opt-security.allowUserNamespaces"/>). See the <literal
+ xlink:href="https://github.com/nixos/nixpkgs/tree/master/nixos/modules/profiles/hardened.nix">
+ profile source</literal> for further detail on which settings are altered.
+ </para>
+</section> |