diff options
| author | Joachim Fasting <joachifm@fastmail.fm> | 2019-01-05 13:47:25 +0100 |
|---|---|---|
| committer | Joachim Fasting <joachifm@fastmail.fm> | 2019-01-05 14:07:37 +0100 |
| commit | 3f1f44312536ef93b3591cabe141166cac23b8db (patch) | |
| tree | 24a57874179cc7c67324b38a3e35d021291a0745 /nixos/modules/profiles | |
| parent | d62086e6fc2fdf8d5f5d45e697edac418e6bad0f (diff) | |
| download | nixpkgs-3f1f44312536ef93b3591cabe141166cac23b8db.tar nixpkgs-3f1f44312536ef93b3591cabe141166cac23b8db.tar.gz nixpkgs-3f1f44312536ef93b3591cabe141166cac23b8db.tar.bz2 nixpkgs-3f1f44312536ef93b3591cabe141166cac23b8db.tar.lz nixpkgs-3f1f44312536ef93b3591cabe141166cac23b8db.tar.xz nixpkgs-3f1f44312536ef93b3591cabe141166cac23b8db.tar.zst nixpkgs-3f1f44312536ef93b3591cabe141166cac23b8db.zip | |
nixos/hardened profile: slab/slub hardening
slab_nomerge may reduce surface somewhat slub_debug is used to enable additional sanity checks and "red zones" around allocations to detect read/writes beyond the allocated area, as well as poisoning to overwrite free'd data. The cost is yet more memory fragmentation ...
Diffstat (limited to 'nixos/modules/profiles')
| -rw-r--r-- | nixos/modules/profiles/hardened.nix | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index a588943fe71..aa9ea2c9a35 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -29,6 +29,12 @@ with lib; security.apparmor.enable = mkDefault true; boot.kernelParams = [ + # Slab/slub sanity checks, redzoning, and poisoning + "slub_debug=FZP" + + # Disable slab merging to make certain heap overflow attacks harder + "slab_nomerge" + # Overwrite free'd memory "page_poison=1" |