Security: excluding programs from hardened-malloc

The security options are really cool!

environment.memoryAllocator.provider = "graphene-hardened";

Enabling this breaks some programs, most notably Firefox (and Thunderbird, Torbrowser, Zenbrowser, Librewolf, Floorp etc.). Also, some Electron apps might misbehave (because Electron is crap).

How is that memory allocator enabled, and how can we exclude certain programs from using it?

Firefox has its own mozjemalloc, so while it is possible to use it with hardened-malloc (Torbrowser discussion), it might not be useful or a security benefit.

GrapheneOS has a toggle to disable hardened-malloc, which I never needed, but it is really useful for usability.

The implementation is trivial: nixpkgs/nixos/modules/config/malloc.nix at 26d499fc9f1d567283d5d56fcf367edd815dba1d · NixOS/nixpkgs · GitHub, so I am guessing you could make wrappers for the programs that this breaks that restore the malloc they’d like using LD_PRELOAD, but I haven’t tested that, so take that for what you will. I guess it’s worth noting that /etc/ld.so.preload is what the file is usually called.

1 Like
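
Whatever exclusion approach is tried, it helps to check per process whether the system-wide preload actually took effect. The following is an added example, not part of the original posts or of nixpkgs: it parses /proc/<pid>/maps and reports which processes have the hardened allocator mapped. The library file name pattern and the sample maps excerpts are assumptions constructed for illustration.

```python
import os
import re

# Assumption: the preloaded library file is named libhardened_malloc*.so,
# as produced by the upstream hardened_malloc build.
HARDENED_RE = re.compile(r"^libhardened_malloc[^/]*\.so")

# Constructed /proc/<pid>/maps excerpts; "<hash>" is a placeholder.
SAMPLE_HARDENED = """\
7f1c2a400000-7f1c2a41c000 r-xp 00002000 fd:01 131 /nix/store/<hash>-graphene-hardened-malloc/lib/libhardened_malloc.so
7f1c2a600000-7f1c2a78e000 r-xp 00028000 fd:01 207 /nix/store/<hash>-glibc/lib/libc.so.6
7ffd3b1e0000-7ffd3b201000 rw-p 00000000 00:00 0 [stack]
"""
SAMPLE_PLAIN = """\
7f90c1200000-7f90c138e000 r-xp 00028000 fd:01 207 /nix/store/<hash>-glibc/lib/libc.so.6
7f90c1600000-7f90c1601000 rw-p 00000000 00:00 0
"""

def mapped_files(maps_text):
    """Return the set of file paths mapped into a process."""
    paths = set()
    for line in maps_text.splitlines():
        # Columns: address perms offset dev inode [pathname]
        fields = line.split(None, 5)
        if len(fields) == 6 and fields[5].startswith("/"):
            paths.add(fields[5].removesuffix(" (deleted)"))
    return paths

def has_hardened_malloc(maps_text):
    """True if the library is mapped. This shows the preload took effect, not
    which malloc wins symbol lookup if another allocator is also preloaded."""
    return any(HARDENED_RE.match(os.path.basename(p)) for p in mapped_files(maps_text))

def scan(proc_root="/proc"):
    """Yield (pid, comm, hardened) for each process whose maps are readable."""
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps"), errors="replace") as f:
                maps_text = f.read()
            with open(os.path.join(proc_root, entry, "comm"), errors="replace") as f:
                comm = f.read().strip()
        except OSError:  # process exited, or it belongs to another user
            continue
        if maps_text:  # kernel threads have an empty maps file
            yield int(entry), comm, has_hardened_malloc(maps_text)

if __name__ == "__main__":
    for pid, comm, hardened in sorted(scan()):
        print(f"{pid:>7}  {'hardened' if hardened else 'other   '}  {comm}")
```

Run it as root to see every user's processes; without privileges it only reports the processes whose maps the caller may read.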