depot/third_party/nixpkgs/nixos/modules/config/malloc.nix
Default email d5f4a57cbf Project import generated by Copybara.
GitOrigin-RevId: ce5e4a6ef2e59d89a971bc434ca8ca222b9c7f5e
2023-08-10 09:59:29 +02:00

114 lines
3.3 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.environment.memoryAllocator;
# The set of alternative malloc(3) providers.
providers = {
graphene-hardened = {
libPath = "${pkgs.graphene-hardened-malloc}/lib/libhardened_malloc.so";
description = ''
An allocator designed to mitigate memory corruption attacks, such as
those caused by use-after-free bugs.
'';
};
jemalloc = {
libPath = "${pkgs.jemalloc}/lib/libjemalloc.so";
description = ''
A general purpose allocator that emphasizes fragmentation avoidance
and scalable concurrency support.
'';
};
scudo = let
platformMap = {
aarch64-linux = "aarch64";
x86_64-linux = "x86_64";
};
systemPlatform = platformMap.${pkgs.stdenv.hostPlatform.system} or (throw "scudo not supported on ${pkgs.stdenv.hostPlatform.system}");
in {
libPath = "${pkgs.llvmPackages_14.compiler-rt}/lib/linux/libclang_rt.scudo-${systemPlatform}.so";
description = ''
A user-mode allocator based on LLVM Sanitizers CombinedAllocator,
which aims at providing additional mitigations against heap based
vulnerabilities, while maintaining good performance.
'';
};
mimalloc = {
libPath = "${pkgs.mimalloc}/lib/libmimalloc.so";
description = ''
A compact and fast general purpose allocator, which may
optionally be built with mitigations against various heap
vulnerabilities.
'';
};
};
providerConf = providers.${cfg.provider};
# An output that contains only the shared library, to avoid
# needlessly bloating the system closure
mallocLib = pkgs.runCommand "malloc-provider-${cfg.provider}"
rec {
preferLocalBuild = true;
allowSubstitutes = false;
origLibPath = providerConf.libPath;
libName = baseNameOf origLibPath;
}
''
mkdir -p $out/lib
cp -L $origLibPath $out/lib/$libName
'';
# The full path to the selected provider shlib.
providerLibPath = "${mallocLib}/lib/${mallocLib.libName}";
in
{
meta = {
maintainers = [ maintainers.joachifm ];
};
options = {
environment.memoryAllocator.provider = mkOption {
type = types.enum ([ "libc" ] ++ attrNames providers);
default = "libc";
description = lib.mdDoc ''
The system-wide memory allocator.
Briefly, the system-wide memory allocator providers are:
- `libc`: the standard allocator provided by libc
${concatStringsSep "\n" (mapAttrsToList
(name: value: "- `${name}`: ${replaceStrings [ "\n" ] [ " " ] value.description}")
providers)}
::: {.warning}
Selecting an alternative allocator (i.e., anything other than
`libc`) may result in instability, data loss,
and/or service failure.
:::
'';
};
};
config = mkIf (cfg.provider != "libc") {
environment.etc."ld-nix.so.preload".text = ''
${providerLibPath}
'';
security.apparmor.includes = {
"abstractions/base" = ''
r /etc/ld-nix.so.preload,
r ${config.environment.etc."ld-nix.so.preload".source},
include "${pkgs.apparmorRulesFromClosure {
name = "mallocLib";
baseRules = ["mr $path/lib/**.so*"];
} [ mallocLib ] }"
'';
};
};
}