linux: Enable SLAB_FREELIST_HARDENED, SLAB_FREELIST_RANDOM

Enabled in [Arch][1], [Debian][2], [Fedora][3]; no others checked.
Recommended by [Kernel Self Protection Project][4]. This should also
implicitly enable SHUFFLE_PAGE_ALLOCATOR.

Performance impact per upstream:

For _HARDENED:
> The difference gets lost in the noise, but if the above is to be taken
> literally, using CONFIG_FREELIST_HARDENED is 0.07% slower.

For _RANDOM:
> Performance results highlighted no major changes

[1]: https://github.com/archlinux/svntogit-packages/blob/66d72ee54afc604391b618fc3eecc43f29e479e8/trunk/config#L1037-L1038
[2]: https://salsa.debian.org/kernel-team/linux/-/blob/07731f5956cf29876a7abc13f4ecbdf4d9459592/debian/config/config#L6742-6743
[3]: https://src.fedoraproject.org/rpms/kernel/blob/6d6ad72f0ccfe72146f2876f90fe609548caa349/f/kernel-x86_64-fedora.config#_6079
[4]: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings

1 files changed, 3 insertions, 0 deletions

diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index 012b5811f7c..8211860b62f 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -878,6 +878,9 @@ let
       SCSI_LOGGING = yes; # SCSI logging facility
       SERIAL_8250  = yes; # 8250/16550 and compatible serial support
 
+      SLAB_FREELIST_HARDENED = whenAtLeast "4.14" yes;
+      SLAB_FREELIST_RANDOM   = whenAtLeast "4.10" yes;
+
       SLIP_COMPRESSED = yes; # CSLIP compressed headers
       SLIP_SMART      = yes;