Merge pull request #266540 from surfaceflinger/hardened-malloc-light

graphene-hardened-malloc: migrate to by-name, build light variant

nixos/modules/config/malloc.nix

@@ -9,8 +9,23 @@ let
     graphene-hardened = {
       libPath = "${pkgs.graphene-hardened-malloc}/lib/libhardened_malloc.so";
       description = ''
-        An allocator designed to mitigate memory corruption attacks, such as
-        those caused by use-after-free bugs.
+        Hardened memory allocator coming from GrapheneOS project.
+        The default configuration template has all normal optional security
+        features enabled and is quite aggressive in terms of sacrificing
+        performance and memory usage for security.
+      '';
+    };
+
+    graphene-hardened-light = {
+      libPath = "${pkgs.graphene-hardened-malloc}/lib/libhardened_malloc-light.so";
+      description = ''
+        Hardened memory allocator coming from GrapheneOS project.
+        The light configuration template disables the slab quarantines,
+        write after free check, slot randomization and raises the guard
+        slab interval from 1 to 8 but leaves zero-on-free and slab canaries enabled.
+        The light configuration has solid performance and memory usage while still
+        being far more secure than mainstream allocators with much better security
+        properties.
       '';
     };
 

pkgs/by-name/gr/graphene-hardened-malloc/package.nix

@@ -1,35 +1,47 @@
-{ lib
-, stdenv
-, fetchFromGitHub
+{ fetchFromGitHub
+, lib
+, makeWrapper
 , python3
 , runCommand
-, makeWrapper
+, stdenv
 , stress-ng
 }:
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "graphene-hardened-malloc";
-  version = "12";
+  version = "2024040900";
 
   src = fetchFromGitHub {
     owner = "GrapheneOS";
     repo = "hardened_malloc";
     rev = finalAttrs.version;
-    sha256 = "sha256-ujwzr4njNsf/VTyEq7zKHWxoivU3feavSTx+MLIj1ZM=";
+    sha256 = "sha256-1j7xzhuhK8ZRAJm9dJ95xiTIla7lh3LBiWc/+x/kjp0=";
   };
 
-  doCheck = true;
   nativeCheckInputs = [ python3 ];
   # these tests cover use as a build-time-linked library
   checkTarget = "test";
+  doCheck = true;
+
+  buildPhase = ''
+    runHook preBuild
+
+    for VARIANT in default light; do make $makeFlags ''${enableParallelBuilding:+-j$NIX_BUILD_CORES} VARIANT=$VARIANT; done
+
+    runHook postBuild
+  '';
 
   installPhase = ''
+    runHook preInstall
+
     install -Dm444 -t $out/include include/*
-    install -Dm444 -t $out/lib out/libhardened_malloc.so
+    install -Dm444 -t $out/lib out/libhardened_malloc.so out-light/libhardened_malloc-light.so
 
     mkdir -p $out/bin
     substitute preload.sh $out/bin/preload-hardened-malloc --replace "\$dir" $out/lib
     chmod 0555 $out/bin/preload-hardened-malloc
+
+    runHook postInstall
   '';
 
   separateDebugInfo = true;

pkgs/top-level/all-packages.nix

@@ -18938,8 +18938,6 @@ with pkgs;
 
   grail = callPackage ../development/libraries/grail { };
 
-  graphene-hardened-malloc = callPackage ../development/libraries/graphene-hardened-malloc { };
-
   graphene = callPackage ../development/libraries/graphene { };
 
   griffe = with python3Packages; toPythonApplication griffe;