diff options
| author | Peder Bergebakken Sundt <pbsds@hotmail.com> | 2024-04-26 15:05:09 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-04-26 15:05:09 +0200 |
| commit | 01a730b41edd5c255729801f52bec487dfe13991 (patch) | |
| tree | 8ad527761470371167d95b02b21a57e4edce8444 /nixos/modules/config | |
| parent | 6abf787605dc7f50721efa3605d51397e382bb21 (diff) | |
| parent | af65b87b2346d608d90654b09050a40ee1e565b4 (diff) | |
Merge pull request #266540 from surfaceflinger/hardened-malloc-light
graphene-hardened-malloc: migrate to by-name, build light variant
Diffstat (limited to 'nixos/modules/config')
| -rw-r--r-- | nixos/modules/config/malloc.nix | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/nixos/modules/config/malloc.nix b/nixos/modules/config/malloc.nix index 4214ae5983156..e414970b0be5a 100644 --- a/nixos/modules/config/malloc.nix +++ b/nixos/modules/config/malloc.nix @@ -9,8 +9,23 @@ let graphene-hardened = { libPath = "${pkgs.graphene-hardened-malloc}/lib/libhardened_malloc.so"; description = '' - An allocator designed to mitigate memory corruption attacks, such as - those caused by use-after-free bugs. + Hardened memory allocator coming from GrapheneOS project. + The default configuration template has all normal optional security + features enabled and is quite aggressive in terms of sacrificing + performance and memory usage for security. + ''; + }; + + graphene-hardened-light = { + libPath = "${pkgs.graphene-hardened-malloc}/lib/libhardened_malloc-light.so"; + description = '' + Hardened memory allocator coming from GrapheneOS project. + The light configuration template disables the slab quarantines, + write after free check, slot randomization and raises the guard + slab interval from 1 to 8 but leaves zero-on-free and slab canaries enabled. + The light configuration has solid performance and memory usage while still + being far more secure than mainstream allocators with much better security + properties. ''; }; |