security-wrapper: Wrap <para> tags in a <note> tag

7 years ago · 1f83f1c878
parent c34a52bf5d
commit 1f83f1c878
1 changed files with 23 additions and 21 deletions
--- a/nixos/modules/security/wrappers/default.nix
+++ b/nixos/modules/security/wrappers/default.nix
@ -109,27 +109,29 @@ in
        };
      };
      description = ''
-        <para>This option allows the ownership and permissions on the
-        setuid wrappers for specific programs to be overridden from
-        the default (setuid root, but not setgid root).</para>
-
-        <para>Additionally, this option can set capabilities on a
-        wrapper program that propagates those capabilities down to the
-        wrapped, real program.</para>
-
-        <para>The <literal>program</literal> attribute is the name of
-        the program to be wrapped. If no <literal>source</literal>
-        attribute is provided, specifying the absolute path to the
-        program, then the program will be searched for in the path
-        environment variable.</para>
-
-        <para>NOTE: cap_setpcap, which is required for the wrapper
-        program to be able to raise caps into the Ambient set is NOT
-        raised to the Ambient set so that the real program cannot
-        modify its own capabilities!! This may be too restrictive for
-        cases in which the real program needs cap_setpcap but it at
-        least leans on the side security paranoid vs. too
-        relaxed.</para>
+        This option allows the ownership and permissions on the setuid
+        wrappers for specific programs to be overridden from the
+        default (setuid root, but not setgid root).
+
+        <note>
+          <para>Additionally, this option can set capabilities on a
+          wrapper program that propagates those capabilities down to the
+          wrapped, real program.</para>
+
+          <para>The <literal>program</literal> attribute is the name of
+          the program to be wrapped. If no <literal>source</literal>
+          attribute is provided, specifying the absolute path to the
+          program, then the program will be searched for in the path
+          environment variable.</para>
+
+          <para>NOTE: cap_setpcap, which is required for the wrapper
+          program to be able to raise caps into the Ambient set is NOT
+          raised to the Ambient set so that the real program cannot
+          modify its own capabilities!! This may be too restrictive for
+          cases in which the real program needs cap_setpcap but it at
+          least leans on the side security paranoid vs. too
+          relaxed.</para>
+        </note>
      '';
    };