Merge pull request #266540 from surfaceflinger/hardened-malloc-light

graphene-hardened-malloc: migrate to by-name, build light variant
2024-04-26 15:05:09 +02:00 · 2024-04-26 15:05:09 +02:00 · 01a730b41e
parent 6abf787605 af65b87b23
commit 01a730b41e
3 changed files with 37 additions and 12 deletions
--- a/nixos/modules/config/malloc.nix
+++ b/nixos/modules/config/malloc.nix
@ -9,8 +9,23 @@ let
    graphene-hardened = {
      libPath = "${pkgs.graphene-hardened-malloc}/lib/libhardened_malloc.so";
      description = ''
-        An allocator designed to mitigate memory corruption attacks, such as
-        those caused by use-after-free bugs.
+        Hardened memory allocator coming from GrapheneOS project.
+        The default configuration template has all normal optional security
+        features enabled and is quite aggressive in terms of sacrificing
+        performance and memory usage for security.
+      '';
+    };
+
+    graphene-hardened-light = {
+      libPath = "${pkgs.graphene-hardened-malloc}/lib/libhardened_malloc-light.so";
+      description = ''
+        Hardened memory allocator coming from GrapheneOS project.
+        The light configuration template disables the slab quarantines,
+        write after free check, slot randomization and raises the guard
+        slab interval from 1 to 8 but leaves zero-on-free and slab canaries enabled.
+        The light configuration has solid performance and memory usage while still
+        being far more secure than mainstream allocators with much better security
+        properties.
      '';
    };

--- a/pkgs/development/libraries/graphene-hardened-malloc/default.nix
+++ b/pkgs/development/libraries/graphene-hardened-malloc/default.nix
@ -1,35 +1,47 @@
-{ lib
-, stdenv
-, fetchFromGitHub
+{ fetchFromGitHub
+, lib
+, makeWrapper
 , python3
 , runCommand
-, makeWrapper
+, stdenv
 , stress-ng
 }:

 stdenv.mkDerivation (finalAttrs: {
  pname = "graphene-hardened-malloc";
-  version = "12";
+  version = "2024040900";

  src = fetchFromGitHub {
    owner = "GrapheneOS";
    repo = "hardened_malloc";
    rev = finalAttrs.version;
-    sha256 = "sha256-ujwzr4njNsf/VTyEq7zKHWxoivU3feavSTx+MLIj1ZM=";
+    sha256 = "sha256-1j7xzhuhK8ZRAJm9dJ95xiTIla7lh3LBiWc/+x/kjp0=";
  };

-  doCheck = true;
  nativeCheckInputs = [ python3 ];
  # these tests cover use as a build-time-linked library
  checkTarget = "test";
+  doCheck = true;
+
+  buildPhase = ''
+    runHook preBuild
+
+    for VARIANT in default light; do make $makeFlags ''${enableParallelBuilding:+-j$NIX_BUILD_CORES} VARIANT=$VARIANT; done
+
+    runHook postBuild
+  '';

  installPhase = ''
+    runHook preInstall
+
    install -Dm444 -t $out/include include/*
-    install -Dm444 -t $out/lib out/libhardened_malloc.so
+    install -Dm444 -t $out/lib out/libhardened_malloc.so out-light/libhardened_malloc-light.so

    mkdir -p $out/bin
    substitute preload.sh $out/bin/preload-hardened-malloc --replace "\$dir" $out/lib
    chmod 0555 $out/bin/preload-hardened-malloc
+
+    runHook postInstall
  '';

  separateDebugInfo = true;
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -18938,8 +18938,6 @@ with pkgs;

  grail = callPackage ../development/libraries/grail { };

-  graphene-hardened-malloc = callPackage ../development/libraries/graphene-hardened-malloc { };
-
  graphene = callPackage ../development/libraries/graphene { };

  griffe = with python3Packages; toPythonApplication griffe;