nixpkgs
Hardened.nix crashes firefox
Describe the bug
Using the hardened.nix profile, my Firefox (Developer Edition) crashes, but what is strange is that when I start it in safe mode, it works fine.
Steps To Reproduce
Steps to reproduce the behavior:
- Use the hardened.nix profile
- Use i3 (probably not the issue, but why not)
- Try to start up Firefox Developer Edition
Expected behavior
I expected that hardened.nix might slow down my performance and cause some minor inconveniences in development, but not something such as Firefox crashing.
Screenshots
Additional context
I have used Nix/NixOS for about a month, and I am still grappling with the programming language. I am also a lover of security, and so I am trying to implement many security features on this distro.
Notify maintainers
@joachifm @talyz
Metadata
jabbu@tattooine:~/ > nix-shell -p nix-info --run "nix-info -m"
- system: `"x86_64-linux"`
- host os: `Linux 6.1.38-hardened1, NixOS, 23.05 (Stoat), 23.05.1935.98da3dd0de6`
- multi-user?: `yes`
- sandbox: `yes`
- version: `nix-env (Nix) 2.13.3`
- channels(root): `"nixos-23.05, nixos-unstable"`
- channels(jabbu): `""`
- nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`
Try a different `environment.memoryAllocator.provider`, like libc:
https://search.nixos.org/options?channel=23.05&show=environment.memoryAllocator.provider&from=0&size=50&sort=relevance&type=packages&query=environment.memoryAllocator.provider
https://github.com/NixOS/nixpkgs/blob/6e14bcc2d749af230a8b8c5abdba2fb82e42dcb3/nixos/modules/profiles/hardened.nix#L22
Usually that's the part that causes issues AFAIK.
@joachifm @emilazy
Yeah it's probably the allocator.
I had great plans to make the hardened profile more secure and more usable a few years ago but it fell by the wayside, sorry. Hopefully some day. As it stands you probably want to read it carefully and know what to override to use it, especially for desktop use. For instance turning off unprivileged user namespaces might be a net security regression on desktop because it can make browsers disable their sandbox.
Alternatively, build Firefox with `jemallocSupport = false`, or try out `--enable-replace-malloc`. I have done the former, and it works, although I have not tried running Firefox with a hardened allocator. As for the latter, if someone tries it and it works, it might be worth creating an issue and gathering input to see if it can be added to the default flags, since if I recall correctly it just exploits linking tricks to make `LD_PRELOAD` work for replacing the allocator.
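Putting the suggestions from the comments above into one place (switching `environment.memoryAllocator.provider` away from the profile's default, re-enabling unprivileged user namespaces so the browser sandbox keeps working, and the alternative of building Firefox with `jemallocSupport = false`), here is a NixOS configuration fragment as an added example; it is not code posted in the thread or shipped by nixpkgs. It assumes the hardened profile sets these options with `lib.mkDefault`, so a plain assignment in your own configuration overrides them (if an option turns out not to be `mkDefault`, wrap the value in `lib.mkForce`), and it assumes the nixpkgs 23.05 attribute names `firefox-devedition-unwrapped` and `wrapFirefox`.

```nix
# /etc/nixos/configuration.nix fragment (added example, not from the thread).
{ config, lib, pkgs, ... }:

{
  # Pull in the hardened profile as-is; everything below is an override.
  imports = [ <nixpkgs/nixos/modules/profiles/hardened.nix> ];

  # Assumption: the profile sets this with lib.mkDefault, so this plain
  # assignment wins. "libc" means glibc's own malloc; the thread does not
  # report which of the other providers Firefox tolerates.
  environment.memoryAllocator.provider = "libc";

  # The profile turns unprivileged user namespaces off. Firefox's
  # content-process sandbox uses them, so on a desktop keep them on
  # (see the maintainer's remark about this being a net regression).
  security.unprivilegedUsernsClone = true;

  # Alternative to changing the system allocator: build Firefox without
  # its bundled jemalloc, so it uses whatever malloc the system provides.
  # Attribute names assumed from nixpkgs 23.05; wrapFirefox takes the
  # unwrapped package and an attrset of wrapper options (empty here).
  environment.systemPackages = [
    (pkgs.wrapFirefox
      (pkgs.firefox-devedition-unwrapped.override { jemallocSupport = false; })
      { })
  ];
}
```

The two allocator changes are independent routes to the same end; the thread reports `jemallocSupport = false` working with the default allocator but not in combination with a hardened one, so pick one first and add the other only if you want to test the combination yourself. To confirm which allocator a running Firefox actually received, look at its mappings, for example `grep -iE 'scudo|jemalloc' /proc/<pid>/maps` for the main process: on NixOS the `environment.memoryAllocator` module injects the chosen library through glibc's preload file (`/etc/ld-nix.so.preload`, NixOS's stand-in for `/etc/ld.so.preload`), so the library appears in the mappings of every dynamically linked process, and its absence after a rebuild is the quickest sign that the override did not take.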