From dd58d51156383a6e1d7279f1d5c3e5f185e878a3 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Sat, 7 Oct 2023 09:35:53 +0200 Subject: [PATCH] change the logic as discussed --- core/base/Dockerfile | 1 - core/base/libs/socrate/socrate/system.py | 5 ++--- docs/compose/.env | 5 +++++ docs/compose/setup.rst | 8 ++++++++ towncrier/newsfragments/2959.bugfix | 4 ++-- 5 files changed, 17 insertions(+), 6 deletions(-) diff --git a/core/base/Dockerfile b/core/base/Dockerfile index 68febcd6..55284b4f 100644 --- a/core/base/Dockerfile +++ b/core/base/Dockerfile @@ -79,7 +79,6 @@ COPY --chown=root:root --from=build /app/snuffleupagus.so /usr/lib/php81/modules ENV \ VIRTUAL_ENV=/app/venv \ PATH="/app/venv/bin:${PATH}" \ - LD_PRELOAD="/usr/lib/libhardened_malloc.so" \ ADMIN_ADDRESS="admin" \ FRONT_ADDRESS="front" \ SMTP_ADDRESS="smtp" \ diff --git a/core/base/libs/socrate/socrate/system.py b/core/base/libs/socrate/socrate/system.py index db8944e6..6cb5bb7c 100644 --- a/core/base/libs/socrate/socrate/system.py +++ b/core/base/libs/socrate/socrate/system.py @@ -80,9 +80,8 @@ def set_env(required_secrets=[], log_filters=[], log_file=None): sys.stderr = LogFilter(sys.stderr, log_filters, log_file) log.basicConfig(stream=sys.stderr, level=os.environ.get("LOG_LEVEL", 'WARNING')) - if 'LD_PRELOAD' in os.environ and not _is_compatible_with_hardened_malloc(): - log.warning('Disabling hardened-malloc on this CPU: it requires Advanced Vector Extensions.') - del os.environ['LD_PRELOAD'] + if not 'LD_PRELOAD' in os.environ and _is_compatible_with_hardened_malloc(): + log.warning('Your CPU has Advanced Vector Extensions available, we recommend you enable hardened-malloc by adding LD_PRELOAD=/usr/lib/libhardened_malloc.so to your mailu.env') """ This will set all the environment variables and retains only the secrets we need """ if 'SECRET_KEY_FILE' in os.environ: diff --git a/docs/compose/.env b/docs/compose/.env index 62e767cf..1d943d2a 100644 --- a/docs/compose/.env 
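Review bot: The new branch in set_env() drops the only handling of LD_PRELOAD being set on a CPU where `_is_compatible_with_hardened_malloc()` is false: the removed lines warned and unset the variable, while the added ones only log when the variable is absent, so an operator who enables the allocator on unsupported hardware gets no diagnostic from this function. A second branch would cover that direction, e.g. `elif 'LD_PRELOAD' in os.environ and not _is_compatible_with_hardened_malloc():` followed by `log.warning('LD_PRELOAD is set but this CPU lacks the instructions hardened-malloc requires')`; whether to also unset it as before depends on whether the interpreter itself survives the preload, which is not visible here. The condition also keys on the variable merely existing, so an LD_PRELOAD naming some other library silences the hint even though hardened-malloc is off; testing the value for `libhardened_malloc` would be more accurate. As style, `'LD_PRELOAD' not in os.environ` is the idiomatic spelling of the new test, and set_env's body continues outside the hunk.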
+++ b/docs/compose/.env @@ -152,3 +152,8 @@ REJECT_UNLISTED_RECIPIENT= # Log level threshold in start.py (value: CRITICAL, ERROR, WARNING, INFO, DEBUG, NOTSET) LOG_LEVEL=WARNING + +# If your CPU supports Advanced Vector Extensions +# (AVX2 on x86_64, lrcpc on ARM64), you should consider enabling +# hardened-malloc by uncommenting this +# LD_PRELOAD=/usr/lib/libhardened_malloc.so diff --git a/docs/compose/setup.rst b/docs/compose/setup.rst index f4c9c574..9b0545be 100644 --- a/docs/compose/setup.rst +++ b/docs/compose/setup.rst @@ -76,6 +76,14 @@ Review configuration variables After downloading the files, open ``mailu.env`` and review the variable settings. Make sure to read the comments in the file and instructions from the :ref:`common_cfg` page. +If your CPU supports Advanced Vector Extensions (AVX2 on x86_64, lrcpc on ARM64), you should +consider enabling hardened-malloc by adding the following to your mailu.env: + +.. code-block:: bash + + LD_PRELOAD=/usr/lib/libhardened_malloc.so + + Finish setting up TLS --------------------- diff --git a/towncrier/newsfragments/2959.bugfix b/towncrier/newsfragments/2959.bugfix index 8427d876..0c7bf28e 100644 --- a/towncrier/newsfragments/2959.bugfix +++ b/towncrier/newsfragments/2959.bugfix @@ -1,2 +1,2 @@ -Hardened malloc was not disabled for oletools when CPU misses required flags. -Updated hardened malloc test that AVX2 is also required now. \ No newline at end of file +Update hardened malloc as the original package is not available from alpine anymore. +The newer version of hardened malloc requires AVX2: Disable it by default and hint in the logs when it should be enabled instead.