From 3f1f44312536ef93b3591cabe141166cac23b8db Mon Sep 17 00:00:00 2001 From: Joachim Fasting Date: Sat, 5 Jan 2019 13:47:25 +0100 Subject: [PATCH] nixos/hardened profile: slab/slub hardening slab_nomerge may reduce surface somewhat slub_debug is used to enable additional sanity checks and "red zones" around allocations to detect read/writes beyond the allocated area, as well as poisoning to overwrite free'd data. The cost is yet more memory fragmentation ... --- nixos/modules/profiles/hardened.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index a588943fe71..aa9ea2c9a35 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -29,6 +29,12 @@ with lib; security.apparmor.enable = mkDefault true; boot.kernelParams = [ + # Slab/slub sanity checks, redzoning, and poisoning + "slub_debug=FZP" + + # Disable slab merging to make certain heap overflow attacks harder + "slab_nomerge" + # Overwrite free'd memory "page_poison=1"
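Review bot: The comment above "slub_debug=FZP" in the boot.kernelParams hunk lists what the flags enable but leaves out the cost, which the commit message does state (more memory fragmentation). Someone reading hardened.nix later will not see the commit message, so the trade-off belongs in the comment itself, for example "# Slab/slub sanity checks, redzoning, and poisoning (costs additional memory fragmentation)". It would also help to spell out which letter of FZP maps to which check, since the comment gives them in the same order without saying so. A second point on the same hunk: the line above uses mkDefault for security.apparmor.enable, but the two new parameters are added as plain list entries, so a user who wants the profile without the slub_debug overhead has no per-entry way to turn it off. If that is intended, a short note in the comment saying so would save questions later.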