From 1f83f1c8789e4ad30f0242d4a8896324b8f9e89a Mon Sep 17 00:00:00 2001
From: Parnell Springmeyer <parnell@digitalmentat.com>
Date: Tue, 14 Feb 2017 21:30:04 -0600
Subject: [PATCH] security-wrapper: Wrap <para> tags in a <note> tag

---
 nixos/modules/security/wrappers/default.nix | 38 +++++++++++----------
 1 file changed, 20 insertions(+), 18 deletions(-)

diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix
index c5b99c0c801..9e4f3fdaa01 100644
--- a/nixos/modules/security/wrappers/default.nix
+++ b/nixos/modules/security/wrappers/default.nix
@@ -109,27 +109,29 @@ in
         };
       };
       description = ''
-        <para>This option allows the ownership and permissions on the
-        setuid wrappers for specific programs to be overridden from
-        the default (setuid root, but not setgid root).</para>
+        This option allows the ownership and permissions on the setuid
+        wrappers for specific programs to be overridden from the
+        default (setuid root, but not setgid root).
 
-        <para>Additionally, this option can set capabilities on a
-        wrapper program that propagates those capabilities down to the
-        wrapped, real program.</para>
+        <note>
+          <para>Additionally, this option can set capabilities on a
+          wrapper program that propagates those capabilities down to the
+          wrapped, real program.</para>
 
-        <para>The <literal>program</literal> attribute is the name of
-        the program to be wrapped. If no <literal>source</literal>
-        attribute is provided, specifying the absolute path to the
-        program, then the program will be searched for in the path
-        environment variable.</para>
+          <para>The <literal>program</literal> attribute is the name of
+          the program to be wrapped. If no <literal>source</literal>
+          attribute is provided, specifying the absolute path to the
+          program, then the program will be searched for in the path
+          environment variable.</para>
 
-        <para>NOTE: cap_setpcap, which is required for the wrapper
-        program to be able to raise caps into the Ambient set is NOT
-        raised to the Ambient set so that the real program cannot
-        modify its own capabilities!! This may be too restrictive for
-        cases in which the real program needs cap_setpcap but it at
-        least leans on the side security paranoid vs. too
-        relaxed.</para>
+          <para>NOTE: cap_setpcap, which is required for the wrapper
+          program to be able to raise caps into the Ambient set is NOT
+          raised to the Ambient set so that the real program cannot
+          modify its own capabilities!! This may be too restrictive for
+          cases in which the real program needs cap_setpcap but it at
+          least leans on the side security paranoid vs. too
+          relaxed.</para>
+        </note>
       '';
     };