When facing an OOM condition caused by userland-born allocations, Ironclad will just fail the syscalls issuing them.
When facing OOM conditions caused by kernel-born allocations, the kernel will panic. Process killing is the only alternative, which due to complexity, inherent non-determinism, and rarity of the scenario when compared with userland-born failures, the kernel does not implement.
For hardware failures, behaviour can be configured at failure_policy.