Hardened Malloc - Hardened Memory Allocator

raja · July 10, 2022, 9:40am

Raised maximum number of memory-mapped areas

Kicksecure:master ← raja-grewal:master

opened 09:36AM - 10 Jul 22 UTC

Increased sysctl vm.max_map_count to the most up to date [recommendation](https:…//github.com/GrapheneOS/hardened_malloc#traditional-linux-based-operating-systems). - Negligible (if any) impact on CPU usage, and - Applications that tend to consume superfluous amounts of memory such as certain web browsers could potentially see a noticeable rise in RAM. Therefore while more RAM might need to be allocated to certain VMs dependant on use case, the benefits of being able to accommodate more guard pages by default likely outweigh the cons.

Should we increase vm.max_map_count = 524240 → 1048576?

Patrick · July 10, 2022, 10:57am

Thanks! Merged.

Your review all over the place is very much appreciated!

Patrick · June 12, 2023, 4:52pm

Patrick · June 12, 2023, 5:14pm

nurmagoz · September 19, 2023, 2:44pm

Patrick · September 19, 2023, 2:54pm

Patrick · October 1, 2023, 2:36pm

Patrick · October 1, 2023, 2:40pm

This is now in the testers repository.

Patrick · November 10, 2023, 7:33pm

qoijjj · November 29, 2023, 12:26am

But even if it doesn’t make sense for Chromium, would be useful to know generally for other applications from flatpak.

Hi folks, has anyone brainstormed this further or gotten flatpak working with hardened malloc in any capacity? I’m aiming to include this functionality in my security-focused image (github - /secureblue/secureblue) based on immutable fedora, and if someone’s already figured out how to do this I want to avoid reinventing the wheel. We have an ongoing thread there as well but I can’t link it here so I figured I’d ask.

Patrick · November 29, 2023, 3:51am

No progress. And none should be expected. If there was progress, it would be posted here.

34n0 · November 29, 2023, 2:00pm

Hello

While experimenting on a Fedora Silverblue VM I’ve found:

You can override the /usr in the runtime with the hosts /usr with the following flag:

--usr-path=/usr

And then successfully preload the library:

flatpak run --usr-path=/usr --env=LD_PRELOAD=/usr/lib64/libhardened_malloc.so org.gnome.Calculator

extraextra · November 30, 2023, 6:07am

Doesn’t this break sone flatpaks because they’re missing their specific /usr?

qoijjj · December 1, 2023, 5:19am

Over at secureblue we have since found a way to get this working, thanks to @34n0

Instead of using usr path, we have a short script that copies libhardened_malloc.so into ~/.local, and then override permissions for all flatpaks to grant them read only access specifically to that file only. They then use it when passed in the LD_PRELOAD environment variable, confirmed for several apps in /proc/$PID/maps.

A handful of apps still ignore it, notably steam, vscodium, and discord. But most apps I’ve tested so far don’t ignore it and do load it.

Patrick · December 1, 2023, 5:44am

Following here:

Patrick · December 1, 2023, 5:45am

Interesting! Thanks for sharing!

(Upgraded your account just now. You can post links normally now.)

34n0 · December 1, 2023, 9:16am

I think so yes. If the runtime’s /usr contains libraries which do not exist on the host. This method is flawed in other ways too… At least it proved a flatpak process can preload the library.

qoijjj · December 1, 2023, 8:04pm

Thanks, here’s the PR to add this functionality:

If folks here have any additional input on the approach, it would be greatly appreciated.

Patrick · December 2, 2023, 5:11am

Left some comments there.

qoijjj · December 2, 2023, 8:40pm

Thanks, I’ve come up with a new solution I posted there. In short, we can directly reference

 --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so

The only downside is that this requires

--filesystem=host-os:ro

Which gives all flatpaks readonly access to all of /usr.

So now the question is whether this is a desirable tradeoff in favor of letting flatpaks use hardened_malloc.