DefaultEnvironment= is “not really global”. It’s “pretty good but not perfect”.
DefaultEnvironment= sets environment variables for all systemd units [1] [2] and virtual consoles, but not for graphical X sessions. I don’t know why yet. This may or may not be the fault of systemd. The login manager or X might unset environment variables.
It can be viewed using:
systemctl show-environment
I don’t yet know a (full) list of exceptions where DefaultEnvironment= is effectively, eventually ignored due to whatever cause.
However, DefaultEnvironment= might be good enough for the MAN_DISABLE_SECCOMP=1 man seccomp workaround. Implementing now.
[1] To add more potential exceptions… Individual systemd units using Environment= or EnvironmentFile= may or may not change this. Untested.
[2] Good enough for our use case as long as no APT related systemd units do this.
I guess this is happening because lintian implicitly unsets the MAN_DISABLE_SECCOMP environment variable. (It only sets LC_ALL.)
delete local $ENV{$_}
for grep { $_ ne 'PATH' && $_ ne 'TMPDIR' } keys %ENV;
local $ENV{LC_ALL} = 'C.UTF-8';
my @command = ('lexgrog', $file->unpacked_path);
Btw MAN_DISABLE_SECCOMP=0 does not really work to re-enable man seccomp for testing purposes but MAN_DISABLE_SECCOMP= does.
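Added example (not part of the original posts and not lintian's code): a shell sketch of the scrub quoted above, which keeps only PATH and TMPDIR and sets LC_ALL, plus a check that tells an unset, empty and non-empty variable apart in a /proc/PID/environ style dump. The function names run_scrubbed, env_state and scrub_demo are hypothetical.

```shell
#!/bin/sh
# Run a command with the environment reduced the way the quoted lintian
# snippet does it: drop everything except PATH and TMPDIR, then set LC_ALL.
run_scrubbed() {
    if [ -n "${TMPDIR+x}" ]; then
        env -i PATH="$PATH" TMPDIR="$TMPDIR" LC_ALL=C.UTF-8 "$@"
    else
        env -i PATH="$PATH" LC_ALL=C.UTF-8 "$@"
    fi
}

# Print "unset", "empty" or "set:VALUE" for variable $2 in the NUL-separated
# environment dump $1 (the format of /proc/PID/environ).
# Values containing newlines are not handled.
env_state() {
    tr '\000' '\n' < "$1" | awk -v name="$2" '
        index($0, name "=") == 1 { v = substr($0, length(name) + 2); found = 1 }
        END {
            if (!found)       print "unset"
            else if (v == "") print "empty"
            else              print "set:" v
        }'
}

# Show what a child process sees with and without the scrub when the
# variable is exported in the parent (as DefaultEnvironment= would arrange).
scrub_demo() {
    (
        export MAN_DISABLE_SECCOMP=1
        probe='printf %s "${MAN_DISABLE_SECCOMP-unset}"'
        printf 'direct=%s scrubbed=%s\n' \
            "$(sh -c "$probe")" "$(run_scrubbed sh -c "$probe")"
    )
}

# Usage on a live process (needs permission to read its environ file):
#   env_state /proc/1234/environ MAN_DISABLE_SECCOMP
```

A result of "set:0" is still a non-empty value, which is consistent with the observation above that MAN_DISABLE_SECCOMP=0 behaves differently from MAN_DISABLE_SECCOMP=.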
Run a shell for debugging purposes inside flatpak.
flatpak run --command=bash org.chromium.Chromium
See if hardened malloc Kicksecure is loaded.
cat /proc/$$/maps | grep malloc
No, it’s not.
Trying to ld preload hardened malloc Kicksecure using environment variable inside flatpak.
flatpak run --env=LD_PRELOAD=/usr/lib/libhardened_malloc.so/libhardened_malloc_kicksecure.so org.chromium.Chromium
ERROR: ld.so: object ‘/usr/lib/libhardened_malloc.so/libhardened_malloc_kicksecure.so’ from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
Any ideas?
Not sure that makes sense for Chromium. Which allocator is more secure, Chromium’s built-in or Hardened Malloc (Kicksecure)?
But even if it doesn’t make sense for Chromium, would be useful to know generally for other applications from flatpak.
The file /usr/lib/libhardened_malloc.so/libhardened_malloc_kicksecure.so is likely not available from within the Flatpak sandbox.
hardened_malloc is more secure but you can’t just switch allocators with LD_PRELOAD since Chromium uses PartitionAlloc internally anyway, similar to Firefox with mozjemalloc.
I can’t reproduce this. At exactly which point does this happen? Immediately upon start of the app or when doing something (e.g. logging in, clicking on a chat, etc.)?