linux: enable INIT_ON_ALLOC_DEFAULT_ON

Enabled in [Arch][1], [Debian][2]; not in Fedora. Recommended by [Kernel Self Protection Project][3]. This can still be disabled with `init_on_alloc=0` boot arg. As it is now in common-config, remove from hardened’s extra config. [1]: 6392fb2bed/config (L10859) [2]: 5f6aa5cb48/debian/config/config (L7718) [3]: https://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&oldid=4078
2024-12-13 01:03:25 +00:00 · 2024-04-01 11:37:34 -04:00 · 2024-04-01 11:37:34 -04:00 · b6c752bddb
commit b6c752bddb
parent b23e741b70
2 changed files with 3 additions and 2 deletions
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@ -723,6 +723,8 @@ let
      # Randomize page allocator when page_alloc.shuffle=1
      SHUFFLE_PAGE_ALLOCATOR = whenAtLeast "5.2" yes;

+      INIT_ON_ALLOC_DEFAULT_ON = whenAtLeast "5.3" yes;
+
      # Enable stack smashing protections in schedule()
      # See: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v4.8&id=0d9e26329b0c9263d4d9e0422d80a0e73268c52f
      SCHED_STACK_END_CHECK            = yes;
--- a/pkgs/os-specific/linux/kernel/hardened/config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened/config.nix
@ -53,8 +53,7 @@ assert (versionAtLeast version "4.9");
  PAGE_POISONING_NO_SANITY = whenOlder "5.11" yes;
  PAGE_POISONING_ZERO      = whenOlder "5.11" yes;

-  # Enable init_on_alloc and init_on_free by default
-  INIT_ON_ALLOC_DEFAULT_ON = whenAtLeast "5.3" yes;
+  # Enable init_on_free by default
  INIT_ON_FREE_DEFAULT_ON  = whenAtLeast "5.3" yes;

  # Wipe all caller-used registers on exit from a function