Use GrapheneOS' hardened memory allocator

+ 16.0: some other misc hardening patches from GrapheneOS - always restrict access to Build.SERIAL - don't grant location permission to system browsers - fbe: pad filenames more + 16.0: Contacts: remove Privacy Policy and Terms of Service links
2025-05-02 14:36:17 -04:00 · 2019-04-04 00:31:47 -04:00 · 2019-04-04 00:31:47 -04:00 · 25cc717ec2
commit 25cc717ec2
parent 60cf364f19
17 changed files with 713 additions and 0 deletions
--- a/Patches/Common/android_frameworks_av/0001-HM-No_RLIMIT_AS.patch
+++ b/Patches/Common/android_frameworks_av/0001-HM-No_RLIMIT_AS.patch
@ -0,0 +1,33 @@
+From 14800a3e7070240a314cbd695f71984a888cc90f Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 5 Dec 2018 09:29:25 -0500
+Subject: [PATCH] avoid setting RLIMIT_AS with hardened malloc
+
+This needs to be ported to a better mechanism like memory control groups
+in order to remain compatible with hardening mechanisms based on large
+PROT_NONE address space reservations.
+
+Change-Id: Ibfb7164d764fcb9244055953bedc9a1c424cedcb
+---
+ media/libmedia/MediaUtils.cpp | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/media/libmedia/MediaUtils.cpp b/media/libmedia/MediaUtils.cpp
+index bcdc3bdcf..de217c70b 100644
+--- a/media/libmedia/MediaUtils.cpp
+++ b/media/libmedia/MediaUtils.cpp
+@@ -38,6 +38,14 @@ void limitProcessMemory(
+         return;
+     }
+ 
+#ifdef __LP64__
+    // This needs to be ported to a better mechanism like memory control groups
+    // in order to remain compatible with hardening mechanisms based on large
+    // PROT_NONE address space reservations.
+    ALOGW("Running with hardened malloc implementation, skip enforcing memory limitations.");
+    return;
+#endif
+
+     long pageSize = sysconf(_SC_PAGESIZE);
+     long numPages = sysconf(_SC_PHYS_PAGES);
+     size_t maxMem = SIZE_MAX;
--- a/Patches/Common/android_system_core/0001-HM-Increase_vm_mmc.patch
+++ b/Patches/Common/android_system_core/0001-HM-Increase_vm_mmc.patch
@ -0,0 +1,22 @@
+From 17d64eda868006dc8c5596d27299143af8e45485 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 13 Dec 2018 09:26:25 -0500
+Subject: [PATCH] increase max_map_count for hardened malloc
+
+---
+ rootdir/init.rc | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/rootdir/init.rc b/rootdir/init.rc
+index b9464e7fd8..2149abe2bd 100644
+--- a/rootdir/init.rc
+++ b/rootdir/init.rc
+@@ -597,6 +597,8 @@ on boot
+     chown root system /sys/module/lowmemorykiller/parameters/minfree
+     chmod 0664 /sys/module/lowmemorykiller/parameters/minfree
+ 
+    write /proc/sys/vm/max_map_count 524240
+
+     # Tweak background writeout
+     write /proc/sys/vm/dirty_expire_centisecs 200
+     write /proc/sys/vm/dirty_background_ratio  5