From 2df126c3ddd251ab9207b0a021fba18c63451866 Mon Sep 17 00:00:00 2001
From: nat
Date: Sat, 11 Nov 2023 17:50:39 +0100
Subject: [PATCH 1/3] graphene-hardened-malloc: migrate to by-name, build light variant

---
 .../gr/graphene-hardened-malloc/package.nix} | 24 ++++++++++++++-----
 pkgs/top-level/all-packages.nix | 2 --
 2 files changed, 18 insertions(+), 8 deletions(-)
 rename pkgs/{development/libraries/graphene-hardened-malloc/default.nix => by-name/gr/graphene-hardened-malloc/package.nix} (89%)

diff --git a/pkgs/development/libraries/graphene-hardened-malloc/default.nix b/pkgs/by-name/gr/graphene-hardened-malloc/package.nix
similarity index 89%
rename from pkgs/development/libraries/graphene-hardened-malloc/default.nix
rename to pkgs/by-name/gr/graphene-hardened-malloc/package.nix
index 48df439a1efb..50390917b816 100644
--- a/pkgs/development/libraries/graphene-hardened-malloc/default.nix
+++ b/pkgs/by-name/gr/graphene-hardened-malloc/package.nix
@@ -1,9 +1,9 @@
-{ lib
-, stdenv
-, fetchFromGitHub
+{ fetchFromGitHub
+, lib
+, makeWrapper
 , python3
 , runCommand
-, makeWrapper
+, stdenv
 , stress-ng
 }:
 
@@ -18,18 +18,30 @@ stdenv.mkDerivation (finalAttrs: {
 sha256 = "sha256-ujwzr4njNsf/VTyEq7zKHWxoivU3feavSTx+MLIj1ZM=";
 };
- doCheck = true;
 nativeCheckInputs = [ python3 ];
 # these tests cover use as a build-time-linked library
 checkTarget = "test";
+ doCheck = true;
+
+ buildPhase = ''
+ runHook preBuild
+
+ for VARIANT in default light; do make $makeFlags ''${enableParallelBuilding:+-j$NIX_BUILD_CORES} VARIANT=$VARIANT; done
+
+ runHook postBuild
+ '';
 installPhase = ''
+ runHook preInstall
+
 install -Dm444 -t $out/include include/*
- install -Dm444 -t $out/lib out/libhardened_malloc.so
+ install -Dm444 -t $out/lib out/libhardened_malloc.so out-light/libhardened_malloc-light.so
 mkdir -p $out/bin
 substitute preload.sh $out/bin/preload-hardened-malloc --replace "\$dir" $out/lib
 chmod 0555 $out/bin/preload-hardened-malloc
+
+ runHook postInstall
 '';
 separateDebugInfo = true;
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 68255c9fa231..920d6c601fce 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -18977,8 +18977,6 @@ with pkgs;
 grail = callPackage ../development/libraries/grail { };
- graphene-hardened-malloc = callPackage ../development/libraries/graphene-hardened-malloc { };
-
 graphene = callPackage ../development/libraries/graphene { };
 griffe = with python3Packages; toPythonApplication griffe;

From b1e8c3bdeaa2b32bda121cd0e5b2058051afbec0 Mon Sep 17 00:00:00 2001
From: nat
Date: Thu, 18 Apr 2024 23:18:41 +0200
Subject: [PATCH 2/3] graphene-hardened-malloc: 12 -> 2024040900

---
 pkgs/by-name/gr/graphene-hardened-malloc/package.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/by-name/gr/graphene-hardened-malloc/package.nix b/pkgs/by-name/gr/graphene-hardened-malloc/package.nix
index 50390917b816..c92fc2c398cf 100644
--- a/pkgs/by-name/gr/graphene-hardened-malloc/package.nix
+++ b/pkgs/by-name/gr/graphene-hardened-malloc/package.nix
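Review bot: The new `buildPhase` compiles both the `default` and `light` variants, but `checkTarget = "test"` still runs a single `make test`, so only the default library is exercised and `out-light/libhardened_malloc-light.so` is installed without ever being tested. If upstream's `test` target honours `VARIANT` (not visible here — confirm against the Makefile), a `checkPhase` that mirrors the build loop would cover both; otherwise the gap should at least be stated next to `checkTarget`. The hand-written loop also replaces stdenv's default `buildPhase`, so `buildFlags`/`makeFlagsArray` set by an overlay are silently ignored — a comment such as `# custom buildPhase: builds every VARIANT; buildFlags/makeFlagsArray are not honoured` would save the next maintainer a surprise. Note too that `preload-hardened-malloc` is only generated for the default library, so there is no preload helper for the light variant. The `mkDerivation` attribute set continues outside the hunk.
```nix
  # these tests cover use as a build-time-linked library; run them for every built variant
  checkPhase = ''
    runHook preCheck

    for VARIANT in default light; do make $makeFlags VARIANT=$VARIANT test; done

    runHook postCheck
  '';
  doCheck = true;
  # … unchanged: buildPhase, installPhase …
```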
@@ -9,13 +9,13 @@ stdenv.mkDerivation (finalAttrs: {
 pname = "graphene-hardened-malloc";
- version = "12";
+ version = "2024040900";
 src = fetchFromGitHub {
 owner = "GrapheneOS";
 repo = "hardened_malloc";
 rev = finalAttrs.version;
- sha256 = "sha256-ujwzr4njNsf/VTyEq7zKHWxoivU3feavSTx+MLIj1ZM=";
+ sha256 = "sha256-1j7xzhuhK8ZRAJm9dJ95xiTIla7lh3LBiWc/+x/kjp0=";
 };
 nativeCheckInputs = [ python3 ];

From af65b87b2346d608d90654b09050a40ee1e565b4 Mon Sep 17 00:00:00 2001
From: nat
Date: Thu, 18 Apr 2024 23:19:46 +0200
Subject: [PATCH 3/3] nixos/malloc: add graphene-hardened-light

---
 nixos/modules/config/malloc.nix | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/config/malloc.nix b/nixos/modules/config/malloc.nix
index 4214ae598315..e414970b0be5 100644
--- a/nixos/modules/config/malloc.nix
+++ b/nixos/modules/config/malloc.nix
@@ -9,8 +9,23 @@ let
 graphene-hardened = {
 libPath = "${pkgs.graphene-hardened-malloc}/lib/libhardened_malloc.so";
 description = ''
- An allocator designed to mitigate memory corruption attacks, such as
- those caused by use-after-free bugs.
+ Hardened memory allocator coming from GrapheneOS project.
+ The default configuration template has all normal optional security
+ features enabled and is quite aggressive in terms of sacrificing
+ performance and memory usage for security.
+ '';
+ };
+
+ graphene-hardened-light = {
+ libPath = "${pkgs.graphene-hardened-malloc}/lib/libhardened_malloc-light.so";
+ description = ''
+ Hardened memory allocator coming from GrapheneOS project.
+ The light configuration template disables the slab quarantines,
+ write after free check, slot randomization and raises the guard
+ slab interval from 1 to 8 but leaves zero-on-free and slab canaries enabled.
+ The light configuration has solid performance and memory usage while still
+ being far more secure than mainstream allocators with much better security
+ properties.
 '';
 };
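Review bot: The `graphene-hardened-light` description lists the mitigations the light template drops (slab quarantines, write-after-free check, slot randomization) but never tells the operator what that costs, while its closing sentence ("far more secure … with much better security properties") says the same thing twice and reads as marketing rather than guidance. Since the quarantines and the write-after-free check are exactly the use-after-free defences the removed `graphene-hardened` text advertised, the last two lines would serve users better as `Prefer graphene-hardened unless its overhead is prohibitive: the light variant keeps zero-on-free and slab canaries but, without quarantines and the write-after-free check, detects use-after-free bugs less reliably.` In both descriptions `coming from GrapheneOS project` should read `from the GrapheneOS project`. Both entries resolve their library from the same `pkgs.graphene-hardened-malloc` output, so the module now depends on that package shipping `libhardened_malloc-light.so`; whether the new key is also accepted by the provider option's enum is decided outside this hunk, and the enclosing `let` continues past it.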