grsecurity docs: some polish

Fix minor formatting issues, excessive punctuation, and also some improved wording.
2024-09-22 04:57:56 +03:00 · 2017-02-03 18:41:18 +01:00 · 2017-02-03 18:41:18 +01:00 · 0c31286f75
commit 0c31286f75
parent eb0eed4205
1 changed files with 20 additions and 18 deletions
--- a/nixos/modules/security/grsecurity.xml
+++ b/nixos/modules/security/grsecurity.xml
@ -7,21 +7,20 @@
  <title>Grsecurity/PaX</title>

  <para>
-    Grsecurity/PaX is a set of patches against the Linux kernel that make it
-    harder to exploit bugs.  The patchset includes protections such as
-    enforcement of non-executable memory, address space layout randomization,
-    and chroot jail hardening.  These and other
+    Grsecurity/PaX is a set of patches against the Linux kernel that
+    implements an extensive suite of
    <link xlink:href="https://grsecurity.net/features.php">features</link>
-    render entire classes of exploits inert without additional efforts on the
-    part of the adversary.
+    designed to increase the difficulty of exploiting kernel and
+    application bugs.
  </para>

  <para>
    The NixOS grsecurity/PaX module is designed with casual users in mind and is
-    intended to be compatible with normal desktop usage, without unnecessarily
-    compromising security.  The following sections describe the configuration
-    and administration of a grsecurity/PaX enabled NixOS system.  For
-    more comprehensive coverage, please refer to the
+    intended to be compatible with normal desktop usage, without
+    <emphasis>unnecessarily</emphasis> compromising security.  The
+    following sections describe the configuration and administration of
+    a grsecurity/PaX enabled NixOS system.  For more comprehensive
+    coverage, please refer to the
    <link xlink:href="https://en.wikibooks.org/wiki/Grsecurity">grsecurity wikibook</link>
    and the
    <link xlink:href="https://wiki.archlinux.org/index.php/Grsecurity">Arch
@ -35,7 +34,7 @@
    and each configuration requires quite a bit of testing to ensure that the
    resulting packages work as advertised.  Defining additional package sets
    would likely result in a large number of functionally broken packages, to
-    nobody's benefit.</para></note>.
+    nobody's benefit.</para></note>
  </para>

  <sect1 xml:id="sec-grsec-enable"><title>Enabling grsecurity/PaX</title>
@ -126,10 +125,10 @@
    The NixOS kernel is built using upstream's recommended settings for a
    desktop deployment that generally favours security over performance.  This
    section details deviations from upstream's recommendations that may
-    compromise operational security.
+    compromise security.

    <warning><para>There may be additional problems not covered here!</para>
-    </warning>.
+    </warning>
  </para>

  <itemizedlist>
@ -159,8 +158,8 @@
    <listitem><para>
      The NixOS module conditionally weakens <command>chroot</command>
      restrictions to accommodate NixOS lightweight containers and sandboxed Nix
-      builds.  This is problematic if the deployment also runs a privileged
-      network facing process that <emphasis>relies</emphasis> on
+      builds.  This can be problematic if the deployment also runs privileged
+      network facing processes that <emphasis>rely</emphasis> on
      <command>chroot</command> for isolation.
    </para></listitem>

@ -221,15 +220,18 @@
  </para>

  <para>
-    The wikibook provides an exhaustive listing of
+    The grsecurity/PaX wikibook provides an exhaustive listing of
    <link xlink:href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options">kernel configuration options</link>.
  </para>

  <para>
    The NixOS module makes several assumptions about the kernel and so
    may be incompatible with your customised kernel. Currently, the only way
-    to work around incompatibilities is to eschew the NixOS module.
+    to work around these incompatibilities is to eschew the NixOS
+    module.
+  </para>

+  <para>
    If not using the NixOS module, a custom grsecurity package set can
    be specified inline instead, as in
    <programlisting>
@ -290,7 +292,7 @@

    <listitem><para>User initiated autoloading of modules (e.g., when
    using fuse or loop devices) is disallowed; either load requisite modules
-    as root or add them to<option>boot.kernelModules</option>.</para></listitem>
+    as root or add them to <option>boot.kernelModules</option>.</para></listitem>

    <listitem><para>Virtualization: KVM is the preferred virtualization
    solution. Xen, Virtualbox, and VMWare are