diff options
| author | Joachim F <joachifm@users.noreply.github.com> | 2024-01-28 20:25:27 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-01-28 20:25:27 +0100 |
| commit | 6dd56e1483bb1a4313a0d97a8884b2f9755e4f49 (patch) | |
| tree | 754c7f76928601315397553faa602147d08b5339 /nixos | |
| parent | f271ce7c25c4fcf20ddfb28aa9cc841e4a7d5fb7 (diff) | |
| parent | b80c3284d5d2a7282272e764e3c48bccccdbadcb (diff) | |
Merge pull request #275579 from tamara-schmitz/master
update hardened profile to new recommendations
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/modules/profiles/hardened.nix | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index 74dc2cb1b9aa4..b85a2ac7e69d2 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -39,14 +39,17 @@ with lib; security.apparmor.killUnconfinedConfinables = mkDefault true; boot.kernelParams = [ - # Slab/slub sanity checks, redzoning, and poisoning - "slub_debug=FZP" + # Don't merge slabs + "slab_nomerge" - # Overwrite free'd memory + # Overwrite free'd pages "page_poison=1" # Enable page allocator randomization "page_alloc.shuffle=1" + + # Disable debugfs + "debugfs=off" ]; boot.blacklistedKernelModules = [ |