Still not solution for swap-file-creator on the horizon.
That fixes it but would add the ERROR: ld.so: object '/usr/lib/libhardened_malloc.so/libhardened_malloc_kicksecure.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored. message to the boot process. Well, we could hide that, but then legitimate error which might happen in future (for some users) would be hidden from our view and fixing too.
Also cryptsetup luksFormat got slower by approximately factor 7.
(5 seconds without; 35 seconds with.)
Though, no errors reported with, except the performance regression.
Worth reporting upstream or to be expected?
Wondering about other solutions…
To enable hardened malloc globally is there any other option than editing /etc/ld.so.preload?
Can systemd somehow ignore contents of /etc/ld.so.preload? Then that could fix swap-file-creator.
The man / mandb issue is currently breaking the package build. It somehow messes the man pages up a bit. Lintian will complain.
Try disabling CONFIG_WRITE_AFTER_FREE_CHECK, CONFIG_SLOT_RANDOMIZE, etc. and check if performance changes at all. See if you can narrow it down a bit.
Keep our custom config options though. Just append these ones to it.
We could build it into glibc but that would require maintaining a Whonix fork.
Side note: musl is developing another hardened malloc implementation inspired by hardened_malloc that will be built into it by default (although it’s not as hardened as hardened_malloc).
That still wouldn’t give us a way to disable hardened malloc on a per application basis without extraneous stderr error message?
( ERROR: ld.so: object ‘/usr/lib/libhardened_malloc.so/libhardened_malloc_kicksecure.so’ from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.)
adding hardened-malloc-disable not appropriate as this would inject stderr output ERROR: ld.so: object ‘/usr/lib/libhardened_malloc.so/libhardened_malloc_kicksecure.so’ from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored. during early boot process (swap-file-creator) and not appropriate to silence stderr either as this would hide legitimate error messages too.
That would be an ld-system-preload-disable tool.
(But not a global ld-disable-tool because it would not modify LD_PRELOAD environment variable. We could invent such a tool easily too if needed.)
That would be good enough?
It would not be an hardened-malloc-disable tool because other entries (unrelated user specific preloads) in /etc/ld.so.preload configuration file would be excluded too. A hardened-malloc-disable could copy /etc/ld.so.preload to a (temporary?) file, use
and then use brwap to point the application to that file instead.
Should could added to helper-scripts package. (Previously my mistake directing hardened-malloc-disable at usablity-misc package.) Is an hardened-malloc-disable tool worth the effort or is ld-system-preload-disable tool sufficient?
Is it a security issue that users (non-root) can disable /etc/ld.so.preload? Is that something only root should be able to configure?
Yes, that would be great. Verified with /proc/self/maps that hardened_malloc is not loaded.
ld-system-preload-disable should be sufficient for now.
No. An attacker can only disable it for new processes that they create which there isn’t any point in. They can’t disable it for already existing processes. E.g. a malicious site can’t just disable hardened_malloc for Firefox and exploit it.
I tried Chromium from Debian backports and still got the same error so the error could be from Debian’s patches or the backport isn’t a recent enough version.
I’ll look over the patches and see if I can find anything. Looking at these has also made me realize just how terrible the Debian Chromium package is (they disable important mitigations like CFI, automatic variable initialization, etc.)
I just tried the same version of Chromium as in the Debian repos but on a different distro (Arch) and the error wasn’t there. It’s most likely Debian’s patches.
This fails if file /etc/ld.so.preload does not exists.
bwrap: Can’t create file at /etc/ld.so.preload: Permission denied
Can this be fixed at bwrap level? Or must I make sure at packaging level that file /etc/ld.so.preload always exists?
(That is for systems with hardened-malloc-kicksecure-enable not installed.)
Could you please report your chromium related findings to Debian? I guess replying again to https://bugs.debian.org/971876 for the hardened malloc issue? (i.e. Debian patches are probably responsible for introducing the issue.)
The hardened-malloc package can simply create /etc/X11/Xsession.d/50hardened-malloc with contents:
#!/bin/sh
## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
export MAN_DISABLE_SECCOMP=1
I doubt there will be any practical security disadvantages with this. Man pages aren’t exactly untrusted input and a seccomp filter is not a complete sandbox by itself anyway (e.g. it’s not like it can provide proper filesystem restrictions).
Much better solution than config-package-dev wrappers. Btw…
Fixed in man upstream. Fix will probably arrive and can be removed in Debian bullseye and above.
Not yet tested…
All untested… Another major issue. Breaks sshd.
Also fixed upstream in sshd, but Debian buster version still has this issue. Killing sshd on servers is a very high impact issue. Also probably fixed in Debian bullseye. This speaks against installation by default before Debian bullseye. Got any workaround for that?