I was looking for a workaround to only exclude Xorg from using HM Default. Nothing great yet. This was my idea:
File /usr/lib/systemd/system/lightdm.service.d/30_hardened-malloc-disable.conf
```
[Service]
InaccessiblePaths=-/etc/ld.so.preload
```
But that would make /etc/ld.so.preload and therefore HM unused by all applications started by lightdm, which would include Xorg and all graphical applications.
pstree
```
|-lightdm-+-Xorg---{Xorg}
| |-lightdm-+-xfce4-session-+-Thunar---2*[{Thunar}]
| | | |-VirtualBox---8*[{VirtualBox}]
```
So wouldn’t be very helpful.
Maybe an AppArmor profile could be abused to prevent Xorg from reading /etc/ld.so.preload? Or some better method?
raja
July 10, 2022, 9:40am
198
Kicksecure:master
← raja-grewal:master
opened 09:36AM - 10 Jul 22 UTC
Increased sysctl vm.max_map_count to the most up to date [recommendation](https://github.com/GrapheneOS/hardened_malloc#traditional-linux-based-operating-systems).
- Negligible (if any) impact on CPU usage, and
- Applications that tend to consume superfluous amounts of memory such as certain web browsers could potentially see a noticeable rise in RAM.
Therefore, while more RAM might need to be allocated to certain VMs dependent on use case, the benefits of being able to accommodate more guard pages by default likely outweigh the cons.
Should we increase vm.max_map_count = 524240 → 1048576?
Thanks! Merged.
Your review all over the place is very much appreciated!
Patrick
October 1, 2023, 2:40pm
205
This is now in the testers repository.
Patrick
Split this topic
January 15, 2024, 10:06am
207
Doesn’t this break some flatpaks because they’re missing their specific /usr?
Patrick
December 21, 2023, 1:31pm
224
Patrick
December 22, 2023, 6:49pm
228
Messages during upgrade looking like this:
ERROR: ld.so: object ‘/usr/lib/libhardened_malloc.so/libhardened_malloc-light.so’ from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
Can be safely ignored. These are fixed right after the upgrade.
This is unavoidable and happening due to above bugfix.
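An added example, not code from this thread or from the Kicksecure project: a shell check for the two conditions discussed here, namely that every entry in /etc/ld.so.preload resolves to a readable file (the condition behind the "cannot be preloaded ... ignored" message) and that vm.max_map_count has reached the proposed 1048576. The function names are hypothetical, and the file paths are parameters so the checks can be run against copies.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of any package.
# Usage: missing_preloads [FILE]; max_map_count_ok [FILE] [MINIMUM]

# Print each entry of an ld.so.preload-style file that is not a readable
# regular file. ld.so ignores an entry it cannot open, so the process then
# runs without the preloaded allocator. glibc separates entries with
# whitespace or ':' and treats '#' as the start of a comment.
# Returns 0 when every entry resolves (or the file is absent), 1 otherwise.
missing_preloads() {
    preload_file=${1:-/etc/ld.so.preload}
    [ -e "$preload_file" ] || return 0
    missing=$(sed 's/#.*//' "$preload_file" | tr -s ': \t' '\n\n\n' |
        while IFS= read -r entry || [ -n "$entry" ]; do
            [ -n "$entry" ] || continue
            [ -f "$entry" ] && [ -r "$entry" ] || printf '%s\n' "$entry"
        done)
    if [ -z "$missing" ]; then
        return 0
    fi
    printf '%s\n' "$missing"
    return 1
}

# Succeed when the value in FILE (default: the live procfs entry) is at
# least MINIMUM (default: 1048576, the value proposed in the thread).
# Returns 2 when the value cannot be read.
max_map_count_ok() {
    want=${2:-1048576}
    have=$(cat "${1:-/proc/sys/vm/max_map_count}") || return 2
    [ "$have" -ge "$want" ]
}
```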
Patrick
December 25, 2023, 7:16pm
229
These errors are now resolved thanks to compatibility symlinks and lots of other maintenance fixes in git.
This is now in the testers repository.
Patrick
February 18, 2024, 10:31am
231