But even if it doesn’t make sense for Chromium, it would be useful to know generally for other applications from flatpak.
Hi folks, has anyone brainstormed this further or gotten flatpak working with hardened malloc in any capacity? I’m aiming to include this functionality in my security-focused image (github - /secureblue/secureblue) based on immutable fedora, and if someone’s already figured out how to do this I want to avoid reinventing the wheel. We have an ongoing thread there as well but I can’t link it here so I figured I’d ask.
Over at secureblue we have since found a way to get this working, thanks to @34n0.
Instead of using the /usr path, we have a short script that copies libhardened_malloc.so into ~/.local, and then override permissions for all flatpaks to grant them read-only access specifically to that file only. They then use it when passed in the LD_PRELOAD environment variable, confirmed for several apps in /proc/$PID/maps.
A handful of apps still ignore it, notably steam, vscodium, and discord. But most apps I’ve tested so far don’t ignore it and do load it.
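The /proc/$PID/maps confirmation described in the post above, as an added example that is not part of the thread and not secureblue's own script: it separates processes that really mapped the library from ones that were handed LD_PRELOAD but ignored it. The function names and the sample path under ~/.local are assumptions.

```shell
#!/bin/sh
# Added example: report whether libhardened_malloc.so is mapped in a process.
LIB_NAME="libhardened_malloc.so"

# lib_mapped MAPS_FILE: succeeds if a mapping's pathname ends in /$LIB_NAME.
lib_mapped() {
    awk -v suffix="/$LIB_NAME" '
        { line = $0; sub(/ \(deleted\)$/, "", line)  # file unlinked but still mapped
          n = length(line) - length(suffix) + 1
          if (n > 0 && substr(line, n) == suffix) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# preload_requested ENVIRON_FILE: succeeds if LD_PRELOAD names the library.
# /proc/PID/environ is NUL-separated, so turn it into lines first.
preload_requested() {
    tr '\0' '\n' < "$1" | awk -v lib="$LIB_NAME" '
        index($0, "LD_PRELOAD=") == 1 && index($0, lib) > 0 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# classify MAPS_FILE ENVIRON_FILE: prints loaded | ignored | not-requested.
#   loaded        = the library is mapped into the process
#   ignored       = LD_PRELOAD was set, but the library is not mapped
#   not-requested = LD_PRELOAD never reached the process
classify() {
    if lib_mapped "$1"; then echo loaded
    elif preload_requested "$2"; then echo ignored
    else echo not-requested
    fi
}

# Usage: sh check.sh PID...   (PIDs of running Flatpak app processes)
for pid in "$@"; do
    printf '%s\t%s\n' "$pid" "$(classify "/proc/$pid/maps" "/proc/$pid/environ")"
done

# With no PIDs, run on a constructed sample (not captured from a real system;
# the install path is an assumed location under ~/.local).
if [ "$#" -eq 0 ]; then
    d=$(mktemp -d)
    printf '%s\n' '7f10a000-7f10b000 r-xp 00000000 fd:01 42 /home/user/.local/lib/libhardened_malloc.so' > "$d/maps"
    printf 'LD_PRELOAD=/home/user/.local/lib/libhardened_malloc.so\0' > "$d/environ"
    echo "sample: $(classify "$d/maps" "$d/environ")"
    rm -rf "$d"
fi
```

An "ignored" result matches the apps in the post that are passed LD_PRELOAD but do not load the library; "not-requested" points at the override rather than the app.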
I think so yes. If the runtime’s /usr contains libraries which do not exist on the host. This method is flawed in other ways too… At least it proved a flatpak process can preload the library.
Before applying more complex workarounds, hacks, it’s best to contact upstream (flatpak) first. They either might have a solution or then there’s at least a ticket which explains the issue which might get fixed one day. Then no complex workarounds, hacks are needed.
Piling these up without proper documentation (which is done by reporting these upstream) makes a project difficult to maintain in the future.