fix: allow hardened malloc to be used by setuid programs

- no longer use full path names to hardened malloc library
- `set-user-id` hardened malloc library (`setuid`)

credit to @SkewedZeppelin for research:
https://gist.github.com/SkewedZeppelin/7f293d64c1c651bdc21526519d9e192b

https://forums.whonix.org/t/hardened-malloc-hardened-memory-allocator/7474/224

debian/hardened-malloc-light-enable.postinst

@@ -25,28 +25,41 @@ create_hardened_malloc_light_enabled_status_file() {
 
 ## legacy
 if test -f /etc/ld.so.preload ; then
+   ## forked libhardened_malloc_kicksecure.so was renamed to
+   ## original (unforked) upstream provided libhardened_malloc-light.so
    search="/usr/lib/libhardened_malloc.so/libhardened_malloc_kicksecure.so"
    replace="/usr/lib/libhardened_malloc.so/libhardened_malloc-light.so"
    file_name="/etc/ld.so.preload"
    LANG=C str_replace "$search" "$replace" "$file_name" || true
+
+   ## Should not use full path.
+   ## https://gist.github.com/SkewedZeppelin/7f293d64c1c651bdc21526519d9e192b
+   search="/usr/lib/libhardened_malloc.so/libhardened_malloc-light.so"
+   replace="libhardened_malloc-light.so"
+   file_name="/etc/ld.so.preload"
+   LANG=C str_replace "$search" "$replace" "$file_name" || true
+   search="/usr/lib/libhardened_malloc.so/libhardened_malloc.so"
+   replace="libhardened_malloc.so"
+   file_name="/etc/ld.so.preload"
+   LANG=C str_replace "$search" "$replace" "$file_name" || true
 fi
 
-if test -r /usr/lib/libhardened_malloc.so/libhardened_malloc-light.so ; then
-   if grep -q /usr/lib/libhardened_malloc.so/libhardened_malloc-light.so /etc/ld.so.preload ; then
-      echo "INFO: $0: /usr/lib/libhardened_malloc.so/libhardened_malloc-light.so already enabled in /etc/ld.so.preload, OK."
+if test -r /lib/x86_64-linux-gnu/libhardened_malloc-light.so ; then
+   if grep -q libhardened_malloc-light.so /etc/ld.so.preload ; then
+      echo "INFO: $0: libhardened_malloc-light.so already enabled in /etc/ld.so.preload, OK."
       create_hardened_malloc_light_enabled_status_file
    else
       if test -f /var/lib/hardened-malloc-kicksecure-enable/enabled ; then
-         echo "INFO: $0: /usr/lib/libhardened_malloc.so/libhardened_malloc-light.so was already previously enabled by this package, but currently is disabled. Leaving it as is, OK."
-      elif echo "/usr/lib/libhardened_malloc.so/libhardened_malloc-light.so" | tee "/etc/ld.so.preload" >/dev/null ; then
-         echo "INFO: $0: enabled /usr/lib/libhardened_malloc.so/libhardened_malloc-light.so in /etc/ld.so.preload, OK."
+         echo "INFO: $0: libhardened_malloc-light.so was already previously enabled by this package, but currently is disabled. Leaving it as is, OK."
+      elif echo "libhardened_malloc-light.so" | tee "/etc/ld.so.preload" >/dev/null ; then
+         echo "INFO: $0: enabled libhardened_malloc-light.so in /etc/ld.so.preload, OK."
          create_hardened_malloc_light_enabled_status_file
       else
-         echo "ERROR: $0: could not write /usr/lib/libhardened_malloc.so/libhardened_malloc-light.so to /etc/ld.so.preload." >&2
+         echo "ERROR: $0: could not write libhardened_malloc-light.so to /etc/ld.so.preload." >&2
       fi
    fi
 else
-   echo "ERROR: $0: file /usr/lib/libhardened_malloc.so/libhardened_malloc-light.so does not exist." >&2
+   echo "ERROR: $0: file /lib/x86_64-linux-gnu/libhardened_malloc-light.so does not exist." >&2
 fi
 
 true "INFO: debhelper beginning here."

debian/hardened-malloc.install

@@ -3,5 +3,5 @@
 ## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-out/libhardened_malloc.so => /usr/lib/libhardened_malloc.so/libhardened_malloc.so
-out-light/libhardened_malloc-light.so => /usr/lib/libhardened_malloc.so/libhardened_malloc-light.so
+out/libhardened_malloc.so => /lib/x86_64-linux-gnu/libhardened_malloc.so
+out-light/libhardened_malloc-light.so => /lib/x86_64-linux-gnu/libhardened_malloc-light.so

debian/hardened-malloc.postinst

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+## Copyright (C) 2020 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
+   source /usr/libexec/helper-scripts/pre.bsh
+fi
+
+set -e
+
+true "
+#####################################################################
+## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
+#####################################################################
+"
+
+chmod u+s /lib/x86_64-linux-gnu/libhardened_malloc.so
+chmod u+s /lib/x86_64-linux-gnu/libhardened_malloc-light.so
+
+true "INFO: debhelper beginning here."
+
+#DEBHELPER#
+
+true "INFO: Done with debhelper."
+
+true "
+#####################################################################
+## INFO: END  : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
+#####################################################################
+"
+
+## Explicitly "exit 0", so eventually trapped errors can be ignored.
+exit 0

debian/make-helper-overrides.bsh

@@ -5,9 +5,20 @@
 
 version_numbers_by_upstream=true
 
+## https://github.com/GrapheneOS/hardened_malloc/issues/86
+genmkfile_lintian_post_opts+=" --suppress-tags sharedobject-in-library-directory-missing-soname"
+
+genmkfile_file_has_been_copied=true
+
+## This is only used when manually compiling and installing.
 make_install_hook_post() {
    if [ ! -d "$DESTDIR/usr/lib" ]; then
-      mkdir --parents "$DESTDIR/usr/lib/libhardened_malloc.so"
+      mkdir --parents "$DESTDIR/lib/x86_64-linux-gnu"
    fi
-   cp libhardened_malloc.so "$DESTDIR/usr/lib/libhardened_malloc.so/libhardened_malloc.so"
+
+   cp libhardened_malloc.so "$DESTDIR/lib/x86_64-linux-gnu/libhardened_malloc.so"
+   chmod u+s "$DESTDIR/lib/x86_64-linux-gnu/libhardened_malloc.so"
+
+   cp libhardened_malloc-light.so "$DESTDIR/lib/x86_64-linux-gnu/libhardened_malloc-light.so"
+   chmod u+s "$DESTDIR/lib/x86_64-linux-gnu/libhardened_malloc-light.so"
 }