420f89ceb2
This reverts commit fb6d63f3fdd95a5468d43a0693c8ca7c1894363f. I really hope this finally fixes #99236: evaluation on Hydra. This time I really did check basically the same commit on Hydra: https://hydra.nixos.org/eval/1618011 Right now I don't have energy to find what exactly is wrong in the commit, and it doesn't seem important in comparison to nixos-unstable channel being stuck on a commit over one week old.
92 lines
2.6 KiB
Nix
92 lines
2.6 KiB
Nix
{ config, lib, pkgs, ... }:
|
||
with lib;
|
||
|
||
let
|
||
cfg = config.environment.memoryAllocator;
|
||
|
||
# The set of alternative malloc(3) providers.
|
||
providers = {
|
||
graphene-hardened = {
|
||
libPath = "${pkgs.graphene-hardened-malloc}/lib/libhardened_malloc.so";
|
||
description = ''
|
||
An allocator designed to mitigate memory corruption attacks, such as
|
||
those caused by use-after-free bugs.
|
||
'';
|
||
};
|
||
|
||
jemalloc = {
|
||
libPath = "${pkgs.jemalloc}/lib/libjemalloc.so";
|
||
description = ''
|
||
A general purpose allocator that emphasizes fragmentation avoidance
|
||
and scalable concurrency support.
|
||
'';
|
||
};
|
||
|
||
scudo = {
|
||
libPath = "${pkgs.llvmPackages.compiler-rt}/lib/linux/libclang_rt.scudo-x86_64.so";
|
||
description = ''
|
||
A user-mode allocator based on LLVM Sanitizer’s CombinedAllocator,
|
||
which aims at providing additional mitigations against heap based
|
||
vulnerabilities, while maintaining good performance.
|
||
'';
|
||
};
|
||
};
|
||
|
||
providerConf = providers.${cfg.provider};
|
||
|
||
# An output that contains only the shared library, to avoid
|
||
# needlessly bloating the system closure
|
||
mallocLib = pkgs.runCommand "malloc-provider-${cfg.provider}"
|
||
rec {
|
||
preferLocalBuild = true;
|
||
allowSubstitutes = false;
|
||
origLibPath = providerConf.libPath;
|
||
libName = baseNameOf origLibPath;
|
||
}
|
||
''
|
||
mkdir -p $out/lib
|
||
cp -L $origLibPath $out/lib/$libName
|
||
'';
|
||
|
||
# The full path to the selected provider shlib.
|
||
providerLibPath = "${mallocLib}/lib/${mallocLib.libName}";
|
||
in
|
||
|
||
{
|
||
meta = {
|
||
maintainers = [ maintainers.joachifm ];
|
||
};
|
||
|
||
options = {
|
||
environment.memoryAllocator.provider = mkOption {
|
||
type = types.enum ([ "libc" ] ++ attrNames providers);
|
||
default = "libc";
|
||
description = ''
|
||
The system-wide memory allocator.
|
||
|
||
Briefly, the system-wide memory allocator providers are:
|
||
<itemizedlist>
|
||
<listitem><para><literal>libc</literal>: the standard allocator provided by libc</para></listitem>
|
||
${toString (mapAttrsToList
|
||
(name: value: "<listitem><para><literal>${name}</literal>: ${value.description}</para></listitem>")
|
||
providers)}
|
||
</itemizedlist>
|
||
|
||
<warning>
|
||
<para>
|
||
Selecting an alternative allocator (i.e., anything other than
|
||
<literal>libc</literal>) may result in instability, data loss,
|
||
and/or service failure.
|
||
</para>
|
||
</warning>
|
||
'';
|
||
};
|
||
};
|
||
|
||
config = mkIf (cfg.provider != "libc") {
|
||
environment.etc."ld-nix.so.preload".text = ''
|
||
${providerLibPath}
|
||
'';
|
||
};
|
||
}
|