Practical usage of musl and busybox for enhanced security

Alpine Linux does this. I will try it out and see what breaks.

In general my knowledge is that glibc has way more attack surface for buffer overflows than musl.

Same for the gnu coreutils vs. busybox.

I am currently using Secureblue which uses hardned_malloc (which I also use daily on GrapheneOS without any problems)

The Fedora packages of those two things seem outdated, and generally the consensus is seems to fix coreutils and glibc instead of reducing features or even rewriting.

I also know of uutils, eza, bat, ripgrep etc. I suppose this would be the way to go in the future.

So in practice already using hardened_malloc causes some problems, actually everything works apart from Firefox. VMs, KDE, GNOME, Flatpaks, …

Secureblue also fixes flatpaks so they use hardened malloc too.

Then I imagine using musl and busybox would cause way more trouble. But still there are people daily driving Alpine.

Do the system packages need to be compiled specially?

For example using --disable-jemalloc during compilation may make Firefox use hardened_malloc and not break.

I think there is a list somewhere on how to compile packages for Fedora, and the special flags fedora uses. I do not know where that resides.

@ngompa might knows it, as the maintainer of the packages.

Busybox seams to be the stable version ( 19 May 2023 – BusyBox 1.36.1 (stable)) when you check on their website.

1 Like