Deployed 9b24cfd with MkDocs version: 1.5.3

This commit is contained in:
2023-11-15 18:48:47 +00:00
parent f016aa5e76
commit 8a09069bb3
4 changed files with 18 additions and 12 deletions


@ -499,7 +499,7 @@
<h1 id="extra-package-hardened_malloc">Extra package: hardened_malloc<a class="headerlink" href="#extra-package-hardened_malloc" title="Permanent link">&para;</a></h1>
<h2 id="el9">EL9<a class="headerlink" href="#el9" title="Permanent link">&para;</a></h2>
<ul>
<li>Version <code>hardened_malloc-12-2.el9_2.security.x86_64</code></li>
<li>Version <code>hardened_malloc-12-3.el9_2.security</code></li>
<li>Based on upstream version <code>12</code></li>
<li>No plans to support older Rocky Linux versions due to glibc being too old</li>
</ul>
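Review bot: the version bullet drops the architecture suffix (`hardened_malloc-12-2.el9_2.security.x86_64` becomes `hardened_malloc-12-3.el9_2.security`) while the change log in this same commit says arm64 building is disabled for now, so the EL9 section should state which architectures the package is actually built for instead of leaving it to be inferred from the NEVR string; one extra bullet, e.g. `<li>Currently built for x86_64 only; arm64 builds are disabled for now</li>`, would do.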
@ -507,10 +507,12 @@
<p>This package ships the "normal" and "light" configurations of the <a href="https://grapheneos.org">GrapheneOS</a> <a href="https://github.com/GrapheneOS/hardened_malloc">hardened_malloc</a> project. The official README.md in the upstream project documents security properties and explains the differences between the regular and light variants.</p>
<h3 id="usage-in-rocky-linux">Usage in Rocky Linux<a class="headerlink" href="#usage-in-rocky-linux" title="Permanent link">&para;</a></h3>
<p>It is strongly reccomended to read all documentation here before deploying this package on your infrastructure.</p>
<p>In order to support the large amount of mappings caused by guard slabs and large allocation guard guard regions, the <code>vm.max_map_count</code> sysctl is increased as part of package installation to <code>1048576</code> in <code>/etc/sysctl.d/hardened_malloc.conf</code>. The package ships 2 builds of hardened_malloc, the regular variant, which is located at <code>/usr/lib64/libhardened_malloc.so</code> and can be preloaded using the <code>hardened_malloc_preload.sh</code> script, and the light variant, which is located at <code>/usr/lib64/libhardened_malloc-light.so</code> and can be preloaded using the <code>hardened_malloc_light_preload.sh</code> script. The preload scripts adds the relevant library to <code>LD_PRELOAD</code> and then loads the desired binary, as shown in the following example: <code>hardened_malloc_preload.sh uname</code>. Users may choose to set an OS-wide <code>LD_PRELOAD</code> with hardened_malloc. This can be done by adding the desired library, for example, <code>/usr/lib64/libhardened_malloc.so</code>, into your <code>/etc/ld.so.preload</code>. Be aware that applications where <code>AT_SECURE</code> is set, this approach will not work. </p>
<p>It is suggested that if you wish to deploy hardened_malloc systemwide, that you deploy it in your <code>LD_PRELOAD</code> with the normal variant globally, and then for applications which are peformance sensitive, or which do not work, try them individually with the light variant using the preload script or by setting <code>LD_PRELOAD</code> within a systemd service namespace, and then if that does not resolve your issue, disabling it by running the program in it's own systemd service namespace.</p>
<p>In order to support the large amount of mappings caused by guard slabs and large allocation guard regions, the <code>vm.max_map_count</code> sysctl is increased as part of package installation to <code>1048576</code> in <code>/etc/sysctl.d/hardened_malloc.conf</code>. You'll need to run <code>sysctl -p /etc/sysctl.d/hardened_malloc.conf</code> for this change to take effect without a reboot. Incidentally, <a href="https://fedoraproject.org/wiki/Changes/IncreaseVmMaxMapCount">Fedora 39 made the same change</a>, so it's not an exotic configuration.</p>
<p>The package ships 2 builds of <code>hardened_malloc</code>, the regular variant, which is located at <code>/usr/lib64/libhardened_malloc.so</code> and can be preloaded using the <code>hardened_malloc_preload.sh</code> script, and the light variant, which is located at <code>/usr/lib64/libhardened_malloc-light.so</code> and can be preloaded using the <code>hardened_malloc_light_preload.sh</code> script. The preload scripts add the relevant library to <code>LD_PRELOAD</code> and then load the desired binary, as shown in the following example: <code>hardened_malloc_preload.sh cat /proc/self/maps</code>.</p>
<p>Users may choose to set an OS-wide <code>LD_PRELOAD</code> with <code>hardened_malloc</code>. This can be done by adding the desired library, for example, <code>/usr/lib64/libhardened_malloc.so</code>, into your <code>/etc/ld.so.preload</code>. Be aware that for applications where <code>AT_SECURE</code> is set, this approach will not work.</p>
<p>It is suggested that if you wish to deploy <code>hardened_malloc</code> systemwide, that you deploy it in your <code>LD_PRELOAD</code> with the normal variant globally, and then for applications which are performance sensitive, or which fail with the normal variant, try them individually with the light variant using the preload script or by setting <code>LD_PRELOAD</code> within a systemd service namespace. If that does not resolve your issue, try disabling <code>hardened_malloc</code> by running the program in its own systemd service namespace.</p>
<h3 id="bugs-uncovered-by-hardened_malloc">Bugs uncovered by hardened_malloc<a class="headerlink" href="#bugs-uncovered-by-hardened_malloc" title="Permanent link">&para;</a></h3>
<p>As with all infrastructure changes, ensure you test in your staging environment extensively before deploying into production. Many packages and projects suffer from memory corruption bugs, which hardened_malloc uncovers, which when running under glibc, are not encountered during operation. Some applications may crash during usage, completely break, or break when running with certain configurations. Bugs in packages are typically the result of upstream project bugs, and should be reported there. In some cases these bugs are fixed in later versions in the upstream project, in which case the bug is an issue with Rocky Linux, and should be reported to Rocky Linux, so that the patch may be included.</p>
<p>As with all infrastructure changes, ensure you test in your staging environment extensively before deploying into production. Many packages and projects suffer from memory corruption bugs, which when running under glibc are not encountered during operation, but which <code>hardened_malloc</code> uncovers. Some applications may crash during usage, completely break, or break when running with certain configurations. Bugs in packages are typically a result of upstream project bugs, and should be reported there. In some cases these bugs are fixed in later versions in the upstream project, in which case the bug is an issue with Rocky Linux, and should be reported to Rocky Linux and its upstream distribution, so that the patch may be included.</p>
<table>
<thead>
<tr>
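Review bot: the new sysctl paragraph says `vm.max_map_count` is increased as part of package installation and then that `sysctl -p /etc/sysctl.d/hardened_malloc.conf` must be run for it to take effect without a reboot; say plainly that installation only drops the file and that the value is applied at the next boot or by that command, otherwise an operator who installs the package and immediately preloads the library is running without the mapping headroom the paragraph says the guard slabs and guard regions need. The replacement example `hardened_malloc_preload.sh cat /proc/self/maps` is a better demonstration than `uname`, but tell the reader what the output should contain: `/usr/lib64/libhardened_malloc.so` (or the `-light` variant) appearing in the mapping list is the confirmation that the preload took effect, and the same check applies to the `/etc/ld.so.preload` and systemd namespace deployments described in the following paragraphs.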
@ -542,9 +544,13 @@
</tbody>
</table>
<h3 id="potential-for-issues-with-edr">Potential for issues with EDR<a class="headerlink" href="#potential-for-issues-with-edr" title="Permanent link">&para;</a></h3>
<p>By nature of relying on <code>LD_PRELOAD</code>, if you have EDR software on your server, it may falsely send alerts when using hardened_malloc. If it doesn't, your EDR is probably terrible or misconfigured.</p>
<p>By nature of relying on <code>LD_PRELOAD</code>, if you have EDR software on your server, it may falsely send alerts when using <code>hardened_malloc</code>. If it doesn't, your EDR is probably terrible or misconfigured.</p>
<h3 id="change-log">Change log<a class="headerlink" href="#change-log" title="Permanent link">&para;</a></h3>
<div class="highlight"><pre><span></span><code>* Wed Nov 8 2023 flawedworld &lt;flawedworld@flawed.world&gt; 12-2
<div class="highlight"><pre><span></span><code>* Tue Nov 14 2023 Solar Designer &lt;solar@openwall.com&gt; 12-3
- Package hardened_malloc_light_preload.sh
- Disable arm64 building for now (fix didn&#39;t work)
* Wed Nov 8 2023 flawedworld &lt;flawedworld@flawed.world&gt; 12-2
- Set CONFIG_NATIVE to false
- Mark libraries as executable (change to 755 permissions)
- Add hardened_malloc_light_preload.sh
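Review bot: the 12-3 entry `Package hardened_malloc_light_preload.sh` reads as a duplicate of the 12-2 entry `Add hardened_malloc_light_preload.sh` directly below it; if 12-2 added the script to the sources without installing it into the RPM, say so (e.g. `Install hardened_malloc_light_preload.sh, which 12-2 added but did not ship`), since the usage section above now relies on that script being present. Likewise `Disable arm64 building for now (fix didn't work)` does not say which fix was attempted or what failed; reference the failing build or the change that was tried so the entry is actionable when arm64 is revisited.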
@ -560,7 +566,7 @@
<small>
Last update:
<span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">November 8, 2023</span>
<span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">November 15, 2023</span>
</small>

File diff suppressed because one or more lines are too long


@ -2,22 +2,22 @@
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url>
<loc>https://sig-security.rocky.page/</loc>
<lastmod>2023-11-14</lastmod>
<lastmod>2023-11-15</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://sig-security.rocky.page/packages/glibc/</loc>
<lastmod>2023-11-14</lastmod>
<lastmod>2023-11-15</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://sig-security.rocky.page/packages/hardened_malloc/</loc>
<lastmod>2023-11-14</lastmod>
<lastmod>2023-11-15</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://sig-security.rocky.page/packages/openssh/</loc>
<lastmod>2023-11-14</lastmod>
<lastmod>2023-11-15</lastmod>
<changefreq>daily</changefreq>
</url>
</urlset>

Binary file not shown.