implement hardened-malloc-kicksecure-enable package

https://forums.whonix.org/t/hardened-malloc-hardened-memory-allocator/7474/82
Kicksecure · Oct 8, 2020 · 82ea528 · 82ea528
1 parent 310e270
commit 82ea528
Show file tree

Hide file tree

Showing 3 changed files with 136 additions and 0 deletions.
diff --git a/debian/control b/debian/control
@@ -26,3 +26,30 @@ Description: security-focused general purpose memory allocator
  divided up per size class.
  .
  It can be added as a preloaded library using /etc/ld.so.preload.
+ .
+ Ships two files:
+ .
+  * [1] /usr/lib/libhardened_malloc.so/libhardened_malloc.so
+  * [2] /usr/lib/libhardened_malloc.so/libhardened_malloc_kicksecure.so
+ .
+ [1] Is was compiled with Hardened Malloc compilation parameters.
+ .
+ [2] Uses a modified configuration that aims to be suitable to be enabled by
+ default in Whonix and Kicksecure. It is a lightweight fork of Hardened
+ Malloc by Kicksecure developers with no other changes than compilation
+ parameters.
+
+Package: hardened-malloc-kicksecure-enable
+## Actually is 'Architecture: all' but genmkfile cannot handle that a package
+## being a mix of 'Architecture: any' and 'Architecture: all' yet.
+Architecture: any
+Depends: hardened-malloc, helper-scripts, ${shlibs:Depends}, ${misc:Depends}
+Description: enables Hardened Malloc
+ Adds /usr/lib/libhardened_malloc.so/libhardened_malloc_kicksecure.so to
+ /etc/ld.so.preload systemd wide configuration file.
+ .
+ Does this only once per installation. The user is free to undo changes to
+ /etc/ld.so.preload. Once this package is purged and re-installed it will
+ re-enable the lightweight fork of Hardened Malloc by Kicksecure developers.
+ .
+ Other than doing that this is an empty package.
diff --git a/debian/hardened-malloc-kicksecure-enable.postinst b/debian/hardened-malloc-kicksecure-enable.postinst
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+## Copyright (C) 2020 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+if [ -f /usr/lib/helper-scripts/pre.bsh ]; then
+   source /usr/lib/helper-scripts/pre.bsh
+fi
+
+set -e
+
+true "
+#####################################################################
+## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
+#####################################################################
+"
+
+## feature request: /etc/ld.so.preload.d drop-in configuration folder support
+## https://sourceware.org/bugzilla/show_bug.cgi?id=24913
+
+create_hardened_malloc_kicksecure_enabled_status_file() {
+   mkdir --parents /var/lib/hardened-malloc-kicksecure-enable
+   touch /var/lib/hardened-malloc-kicksecure-enable/enabled
+}
+
+if test -r /usr/lib/libhardened_malloc.so/libhardened_malloc_kicksecure.so ; then
+   if grep -q /usr/lib/libhardened_malloc.so/libhardened_malloc_kicksecure.so /etc/ld.so.preload ; then
+      echo "INFO: $0: /usr/lib/libhardened_malloc.so/libhardened_malloc_kicksecure.so already enabled in /etc/ld.so.preload, OK."
+      create_hardened_malloc_kicksecure_enabled_status_file
+   else
+      if test -f /var/lib/hardened-malloc-kicksecure-enable/enabled ; then
+         echo "INFO: $0: /usr/lib/libhardened_malloc.so/libhardened_malloc_kicksecure.so was already previously enabled by this package, but currently is disabled. Leaving it as is, OK."
+      elif echo "/usr/lib/libhardened_malloc.so/libhardened_malloc_kicksecure.so" | tee "/etc/ld.so.preload" >/dev/null ; then
+         echo "INFO: $0: enabled /usr/lib/libhardened_malloc.so/libhardened_malloc_kicksecure.so in /etc/ld.so.preload, OK."
+         create_hardened_malloc_kicksecure_enabled_status_file
+      else
+         echo "ERROR: $0: could not write /usr/lib/libhardened_malloc.so/libhardened_malloc_kicksecure.so to /etc/ld.so.preload." >&2
+      fi
+   fi
+else
+   echo "ERROR: $0: file /usr/lib/libhardened_malloc.so/libhardened_malloc_kicksecure.so does not exist." >&2
+fi
+
+true "INFO: debhelper beginning here."
+
+#DEBHELPER#
+
+true "INFO: Done with debhelper."
+
+true "
+#####################################################################
+## INFO: END  : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
+#####################################################################
+"
+
+## Explicitly "exit 0", so eventually trapped errors can be ignored.
+exit 0
diff --git a/debian/hardened-malloc-kicksecure-enable.prerm b/debian/hardened-malloc-kicksecure-enable.prerm
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+## Copyright (C) 2020 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+if [ -f /usr/lib/helper-scripts/pre.bsh ]; then
+   source /usr/lib/helper-scripts/pre.bsh
+fi
+
+set -e
+
+true "
+#####################################################################
+## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
+#####################################################################
+"
+
+## feature request: /etc/ld.so.preload.d drop-in configuration folder support
+## https://sourceware.org/bugzilla/show_bug.cgi?id=24913
+
+if [ "$1" = "purge" ] || [ "$1" = "remove" ]; then
+   if test -r /etc/ld.so.preload ; then
+      if grep -q /usr/lib/libhardened_malloc.so/libhardened_malloc_kicksecure.so /etc/ld.so.preload ; then
+         if str_replace /usr/lib/libhardened_malloc.so/libhardened_malloc_kicksecure.so "" /etc/ld.so.preload >/dev/null ; then
+            echo "INFO: $0: Removed /usr/lib/libhardened_malloc.so/libhardened_malloc_kicksecure.so from /etc/ld.so.preload, OK."
+         else
+            echo "ERROR: $0: Removal of /usr/lib/libhardened_malloc.so/libhardened_malloc_kicksecure.so from /etc/ld.so.preload failed." >&2
+         fi
+      else
+         echo "INFO: $0: /usr/lib/libhardened_malloc.so/libhardened_malloc_kicksecure.so was already removed from /etc/ld.so.preload, OK."
+      fi
+   else
+      echo "INFO: $0: /etc/ld.so.preload does not exist, therefore no need to remove /usr/lib/libhardened_malloc.so/libhardened_malloc_kicksecure.so, OK."
+   fi
+
+   rm -f /var/lib/hardened-malloc-kicksecure-enable/enabled
+fi
+
+true "INFO: debhelper beginning here."
+
+#DEBHELPER#
+
+true "INFO: Done with debhelper."
+
+true "
+#####################################################################
+## INFO: END  : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
+#####################################################################
+"
+
+## Explicitly "exit 0", so eventually trapped errors can be ignored.
+exit 0