GrapheneOS v2023112600 Released
"In the latest release of GrapheneOS, you can now enable hardware memory tagging for all user installed apps on the Pixel 8 and Pixel 8 Pro to make them substantially harder to exploit. This is particularly useful for apps like Signal and WhatsApp."
- "Everyone on GrapheneOS has hardened_malloc and our other baseline exploit protections. hardened_malloc has great support for hardware memory tagging to provide a form of memory safety for memory unsafe code with a mix of deterministic guarantees and randomized general protection."
- "We've also replaced the Linux kernel version on the Pixel 8 and Pixel 8 Pro. AOSP and the stock Pixel OS use 5.15.110 while GrapheneOS is now using 5.15.137 and will be closely following along with http://kernel.org LTS releases after they go through appropriate testing."
"We mentioned Signal/WhatsApp because despite having end-to-end encryption, they both have a massive amount of remote attack surface, use tons of memory unsafe code for handling media, voice/video calls, etc. along with not using sandboxing. E2EE does no good if the app is exploited."
- "GrapheneOS now has near full coverage for using memory tagging to defend against heap memory corruption outside the Linux kernel."
- "Future work will be converting Linux kernel's MTE-based debugging into hardening and enabling Clang stack allocation tagging for userspace/kernel."
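The quoted posts describe memory tagging as a mix of deterministic guarantees and randomized protection. The C program below is an added educational example (not GrapheneOS or hardened_malloc code) that simulates in software what MTE does in hardware: every 16-byte granule of a toy heap carries a 4-bit allocation tag, every pointer carries a matching tag in its top byte, and every access compares the two. The allocator gives each allocation a random tag that is forced to differ from its left neighbour (so a linear overflow is always caught, not just 15 times out of 16) and retags memory on free (so a stale pointer always mismatches until the memory is reused). The names `tagged_alloc`, `tagged_free` and `checked_store` are assumptions for this example; the simulated heap and seed are constructed inline, and the tag check is an explicit function call rather than a hardware load/store check, which is why it runs on any platform.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define GRANULE        16      /* MTE tags memory in 16-byte granules */
#define HEAP_GRANULES  64      /* size of the constructed toy heap */
#define TAG_SHIFT      56      /* tag lives in the pointer's top byte */
#define TAG_MASK       0xFu    /* 4-bit tags: 16 possible values */

static unsigned char heap[HEAP_GRANULES * GRANULE];   /* constructed sample heap */
static unsigned char granule_tag[HEAP_GRANULES];      /* allocation tag per granule */
static size_t next_granule = 0;                       /* bump allocator is enough here */
static uint32_t rng = 0x2545F491u;                    /* fixed seed: deterministic demo */

/* Hypothetical tagged pointer: offset into heap[] in the low bits, tag in bits 56..59 */
typedef uint64_t tagged_ptr;

static unsigned char random_tag(void) {
    rng ^= rng << 13; rng ^= rng >> 17; rng ^= rng << 5;   /* xorshift32 */
    return (unsigned char)(rng & TAG_MASK);
}

static unsigned char tag_of(tagged_ptr p)    { return (unsigned char)((p >> TAG_SHIFT) & TAG_MASK); }
static uint64_t      offset_of(tagged_ptr p) { return p & ((1ull << TAG_SHIFT) - 1); }

/* Allocate n bytes and give every granule a fresh random tag that is
 * guaranteed to differ from the granule just before it, so an overflow from
 * the previous allocation is caught deterministically. (General idea of
 * adjacent-tag exclusion, not hardened_malloc's own implementation.) */
tagged_ptr tagged_alloc(size_t n) {
    size_t granules = (n + GRANULE - 1) / GRANULE;
    if (next_granule + granules > HEAP_GRANULES) return ~0ull;  /* out of heap */
    unsigned char prev = next_granule ? granule_tag[next_granule - 1] : 0xFF;
    unsigned char tag;
    do { tag = random_tag(); } while (tag == prev);
    for (size_t i = 0; i < granules; i++) granule_tag[next_granule + i] = tag;
    tagged_ptr p = ((tagged_ptr)tag << TAG_SHIFT) | (uint64_t)(next_granule * GRANULE);
    next_granule += granules;
    return p;
}

/* Free: retag the memory with a different tag so any stale pointer
 * (use-after-free) no longer matches the allocation tag. */
void tagged_free(tagged_ptr p, size_t n) {
    size_t first = (size_t)(offset_of(p) / GRANULE);
    size_t granules = (n + GRANULE - 1) / GRANULE;
    unsigned char old = granule_tag[first], tag;
    do { tag = random_tag(); } while (tag == old);
    for (size_t i = 0; i < granules; i++) granule_tag[first + i] = tag;
}

/* Every access compares the pointer tag with the allocation tag. A mismatch is
 * what the hardware reports as a tag check fault (SIGSEGV with SEGV_MTESERR in
 * synchronous mode); here it is returned as -1 instead. 0 means the store succeeded. */
int checked_store(tagged_ptr p, size_t idx, unsigned char value) {
    uint64_t off = offset_of(p) + idx;
    if (off >= sizeof heap) return -1;                        /* outside the toy heap */
    if (granule_tag[off / GRANULE] != tag_of(p)) return -1;   /* tag mismatch */
    heap[off] = value;
    return 0;
}

/* Writing 40 bytes into a 32-byte buffer: byte 32 lands in the neighbouring
 * allocation's granule, whose tag differs, so that store faults. Returns the
 * index of the first faulting store, or -1 if the overflow went undetected. */
int demo_linear_overflow(void) {
    tagged_ptr a = tagged_alloc(32);
    tagged_ptr b = tagged_alloc(32);   /* the victim neighbour */
    (void)b;
    for (size_t i = 0; i < 40; i++)
        if (checked_store(a, i, 0x41) != 0) return (int)i;
    return -1;
}

/* Use-after-free: the freed memory was retagged, so the stale pointer faults.
 * Returns -1 when the stale store is caught (expected), -2 if the setup failed. */
int demo_use_after_free(void) {
    tagged_ptr p = tagged_alloc(16);
    if (checked_store(p, 0, 1) != 0) return -2;   /* in-bounds write must succeed */
    tagged_free(p, 16);
    return checked_store(p, 0, 2);
}

int main(void) {
    printf("linear overflow: first fault at index %d\n", demo_linear_overflow());
    printf("use-after-free: stale store result %d\n", demo_use_after_free());
    return 0;
}
```

The two demo functions show the split the posts refer to: the overflow into an adjacent allocation and the first use of a freed block are caught deterministically because the allocator chooses tags to exclude the only tag that would let them pass, while an access to some arbitrary other allocation is caught with probability 15/16 per access, which is the randomized part. On a real Pixel 8 the compare happens on every load and store in hardware, and the "notify the user after memory tagging detects memory corruption" entry in the changelog below is the user-visible side of that fault.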
What's changed
Changes since the 2023111500 release:
- improve existing infrastructure and settings for per-app hardening control
- add new infrastructure for dynamic SELinux flags for apps
- replace static SELinux policy disabling dynamic native code generation for base system apps with dynamic SELinux flag
- replace YAMA LSM with dynamic SELinux flag for ptrace access
- add per-app toggle for native debugging
- add global toggle to disable native debugging for user installed apps by default
- add per-app memory tagging toggle for user installed apps
- add global toggle to enable memory tagging for user installed apps by default
- add logging infrastructure for dynamic GrapheneOS SELinux flags
- raise post-boot audit message rate limit from 5 to 50 per second
- add more infrastructure and tests for per-app hardening control
- fix Android bug with rate limiting for non-app tombstones (crash info for reporting bugs)
- notify the user about notable system journal entries including kernel crash, file system check error, system_server crash, system app native crash and non-app process native crash
- notify the user after memory tagging detects memory corruption in an app
- notify the user after an app is blocked from accessing ptrace by the native debugging toggle
- Pixel 8, Pixel 8 Pro: migrate to using our standard 5.15.137 GKI LTS kernel as the base with reverts for changes that are not compatible with the driver tree yet
- include more info about Java and native crashes, ANRs, low memory conditions, kernel crash logs and filesystem check errors in bug report zips manually captured by users, which on the stock OS are uploaded by Play services
- Sandboxed Google Play compatibility layer: allow compatibility layer to show the error report UI
- GmsCompatConfig: update to version 84
- Vanadium: update to version 119.0.6045.163.2