Hardened Malloc - Hardened Memory Allocator

Patrick · April 19, 2022, 2:53pm

I was looking for a workaround to only exclude Xorg from using HM Default. Nothing great yet. This was my idea:

File /usr/lib/systemd/system/lightdm.service.d/30_hardened-malloc-disable.conf

[Service]
InaccessiblePaths=-/etc/ld.so.preload

But that would make /etc/ld.so.preload and therefore HM unused by all applications started lightdm which would include Xorg and all graphical applications.

pstree

        |-lightdm-+-Xorg---{Xorg}
        |         |-lightdm-+-xfce4-session-+-Thunar---2*[{Thunar}]
        |         |         |               |-VirtualBox---8*[{VirtualBox}]

So wouldn’t be very helpful.

Maybe an AppArmor profile could be abused to prevent Xorg from reading /etc/ld.so.preload? Or some better method?

raja · July 10, 2022, 9:40am

github.com/Kicksecure/hardened_malloc

Raised maximum number of memory-mapped areas

Kicksecure:master ← raja-grewal:master

opened 09:36AM - 10 Jul 22 UTC

raja-grewal

+1 -1

Increased sysctl vm.max_map_count to the most up to date [recommendation](https:…//github.com/GrapheneOS/hardened_malloc#traditional-linux-based-operating-systems). - Negligible (if any) impact on CPU usage, and - Applications that tend to consume superfluous amounts of memory such as certain web browsers could potentially see a noticeable rise in RAM. Therefore while more RAM might need to be allocated to certain VMs dependant on use case, the benefits of being able to accommodate more guard pages by default likely outweigh the cons.

Should we increase vm.max_map_count = 524240 → 1048576?

Patrick · July 10, 2022, 10:57am

Thanks! Merged.

Your review all over the place is very much appreciated!

Patrick · June 12, 2023, 4:52pm

Patrick · June 12, 2023, 5:14pm

nurmagoz · September 19, 2023, 2:44pm

Patrick · September 19, 2023, 2:54pm

Patrick · October 1, 2023, 2:36pm

Patrick · October 1, 2023, 2:40pm

This is now in the testers repository.

Patrick · November 10, 2023, 7:33pm

Patrick · January 15, 2024, 10:06am

16 posts were split to a new topic: Bug: Hardened Malloc Ignored by Flatpaks

extraextra · November 30, 2023, 6:07am

Doesn’t this break sone flatpaks because they’re missing their specific /usr?

Patrick · December 21, 2023, 1:31pm

https://gist.github.com/SkewedZeppelin/7f293d64c1c651bdc21526519d9e192b

archived:

Patrick · December 21, 2023, 1:51pm

Patrick · December 22, 2023, 1:25pm

Fixed:

Patrick · December 22, 2023, 1:34pm

Done.

Patrick · December 22, 2023, 6:49pm

Messages during upgrade looking like this:

ERROR: ld.so: object ‘/usr/lib/libhardened_malloc.so/libhardened_malloc-light.so’ from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.

Can be safely ignored. These are fixed right after the upgrade.

This is unavoidable and happening due to above bugfix.

Patrick · December 25, 2023, 7:16pm

These errors are now resolved thanks to compatibility symlinks and lots of other maintenance fixes in git.

This is now in the testers repository.

Patrick · January 15, 2024, 10:07am

Patrick · February 18, 2024, 10:31am

news, see this link for more information:
Hardened Malloc (HM) Deprecation in Kicksecure