There is a related issue about Xorg and man.
It seems some syscalls just need to be added to the whitelist.
There is a related issue about Xorg and man.
It seems some syscalls just need to be added to the whitelist.
I’m not against it if this if you will be available to maintain it/deal with breakage and if it is simple to reverse it via an apt update to the default malloc until the breakage is fixed.
It’d probably be best to use it just for high-risk applications like the Tor Browser. I’d imagine using it system-wide would cause a lot of problems.
Agreed. That’s what my comments apply to.
I’ve just tested hardened_malloc with the Tor Browser on the Workstation and it works flawlessly.
There was just a compilation error due to Debian using an outdated GCC that is now resolved as I raised an issue on the github repo.
General system hardening guide?
It can be useful for SecBrowser and even Tor on the GW if we test for breakage. Perhaps assigned for bash instances if it detects it is installed. While we can’t/shouldn’t switch the entire system to it we can do this on a per process basis.
That sounds like a good idea although how would we get programs to use it by default? Would it need a bunch of wrappers?
Hopefully not.
Issue: there are no stackable wrappers, see ⚓ T634 write draft for stackable wrappers on debian-devel
Old, working for its purpose, covering much of user applications but not system applications:
Maybe /usr/lib/environment.d/*.conf
would come to rescue (much better than above) as per environment.d?
Wondering if there is a systemd feature “set this environment variable for all systemd units”? Ask upstream systemd about it?
Or can we replace system default malloc?
Ask hardened malloc developer how to apply to everything or as much as possible?
That would set it system-wide which we probably don’t want as it’ll break a lot of things.
Yes. You could add
Environment="LD_PRELOAD='/usr/lib/libhardened_malloc.so'"
See systemd.exec
You can do that but that will break a lot of things.
Version 1
was released.
Considering packaging for Whonix.
I didn’t realy dive into it but setting sys-wide broke Tor Browser for me.
Does starting it directly by running /home/user/.tb/Browser/start-tor-browser
break it?
It probably broke something that /usr/bin/torbrowser
does.
Reconfigred sys-wide malloc
in a whonix-ws-15 TemplateVM and Tor Browser worked as expected. The previous issue was with a whonix-ws-14 based AppVM which had a “memory error” when starting Tor Browser (would not start) just after configuring hardened_malloc. I could always restore Whonix 14 templates from backup if you’d like.
Package hardened-malloc
is now available from Whonix testers repository. Will move to stable-proposed-updates and stable repository over time.
It installs its file to /usr/lib/libhardened_malloc.so/libhardened_malloc.so
.
Package hardened-malloc
will be installed by default in Whonix but not used by default for anything in Whonix (yet) since installation by default simplifies things but does not break things.