public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/hardened profile: slab/slub hardening

Browse Source 
slab_nomerge may reduce surface somewhat

slub_debug is used to enable additional sanity checks and "red zones" around
allocations to detect read/writes beyond the allocated area, as well as
poisoning to overwrite free'd data.

The cost is yet more memory fragmentation ...
This commit is contained in:
Joachim Fasting 2019-01-05 13:47:25 +01:00
parent d62086e6fc
commit 3f1f443125
No known key found for this signature in database
GPG Key ID: 5C204DF675C90294
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
nixos/modules/profiles/hardened.nix
View File

@ -29,6 +29,12 @@ with lib;
security.apparmor.enable = mkDefault true; security.apparmor.enable = mkDefault true;
boot.kernelParams = [ boot.kernelParams = [
# Slab/slub sanity checks, redzoning, and poisoning
"slub_debug=FZP"
# Disable slab merging to make certain heap overflow attacks harder
"slab_nomerge"
# Overwrite free'd memory # Overwrite free'd memory
"page_poison=1" "page_poison=1"