#!/bin/bash
# SPDX-License-Identifier: LGPL-2.1-or-later
# Abort on the first failing command and treat unset variables as errors.
set -eu

# Look up libsystemd.so.0 in the image's linker cache. On every matching line
# the text in front of the first '/' is dropped, which leaves the library path.
LIBSYSTEMD="$(mkosi-chroot ldconfig -p | sed -n '/libsystemd.so.0/{s/[^/]*\//\//;p}')"

# Nothing to instrument when that path is not a regular file under $BUILDROOT.
[[ -f "$BUILDROOT/$LIBSYSTEMD" ]] || exit 0
# ASAN and syscall filters aren't compatible with each other, so every line
# that starts with "MemoryDeny" or "SystemCall" (for example
# MemoryDenyWriteExecute= and SystemCallFilter=) is commented out in the
# image's service units.
#
# NOTE: this removes that sandboxing from *all* matching services in the
# image, so the result is only suitable as a sanitizer test image. Only files
# named '*.service' are rewritten; drop-in '.conf' files are not matched by
# this pattern.
unit_roots=("$BUILDROOT"/usr "$BUILDROOT"/etc)
find "${unit_roots[@]}" -type f -name '*.service' \
    -exec sed -i -E 's/^(MemoryDeny|SystemCall)/# \1/' {} +

# 'systemd-hwdb update' takes > 50s when built with sanitizers, so the unit is
# masked and does not run by default.
systemctl mask --root="$BUILDROOT" systemd-hwdb-update.service
# Print the third space-delimited field of every 'ldd' output line for
# libsystemd that matches the pattern in $1 (presumably the resolved DSO path).
asan_rt_lookup() {
    grep "$1" < <(mkosi-chroot ldd "$LIBSYSTEMD") | cut -d ' ' -f 3
}

# Try gcc's runtime (libasan.so) first, then fall back to clang's.
ASAN_RT_PATH="$(asan_rt_lookup libasan.so)"
if [[ -z "$ASAN_RT_PATH" ]]; then
    ASAN_RT_PATH="$(asan_rt_lookup libclang_rt.asan)"

    # As clang's ASan DSO is usually in a non-standard path, check that the
    # loader can actually resolve it (i.e. the RUNPATH is set accordingly).
    if mkosi-chroot ldd "$LIBSYSTEMD" | grep -q "libclang_rt.asan.*not found"; then
        printf '%s\n' "clang's ASan DSO libclang_rt.asan is not present in the runtime library path" >&2
        exit 1
    fi
fi

# Neither runtime showed up in the ldd output: the build is unusable here.
[[ -n "$ASAN_RT_PATH" ]] || {
    printf '%s\n' \
        "systemd is not linked against the ASan DSO" \
        "gcc does this by default, for clang compile with -shared-libasan" >&2
    exit 1
}
# Binaries that are replaced by an LD_PRELOAD wrapper in the loop that follows.
# Entries are either absolute paths or plain names; both forms are resolved
# with 'command -v' inside the image. The order is kept as-is because the loop
# processes the entries sequentially.
wrap=(
    /usr/lib/polkit-1/polkitd /usr/libexec/polkit-1/polkitd
    agetty btrfs capsh chgrp chown cryptsetup curl
    dbus-broker-launch dbus-daemon delv dhcpd dig
    dnf dnf5
    dmsetup dnsmasq
    findmnt
    getent getfacl
    id integritysetup iscsid
    kpartx
    logger login ls lsblk lvm
    mdadm mkfs.btrfs mksquashfs multipath multipathd
    nvme
    p11-kit pkill ps
    setfacl setpriv sshd stat su
    tar tgtd
    useradd userdel
    veritysetup
)
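# Replace every installed binary from the 'wrap' list with a small bash
# wrapper that preloads the ASan runtime and then execs the original, which is
# kept next to it as "<path>.orig".
for bin in "${wrap[@]}"; do
    # Resolve the entry inside the image once; a failing lookup means the
    # binary is not installed and the entry is skipped.
    if ! target="$(mkosi-chroot bash -c "command -v $bin")"; then
        continue
    fi

    # An existing "$target.orig" means this path has already been wrapped
    # (for instance when the script runs a second time on the same tree).
    # Moving again would overwrite the real binary with the wrapper, and the
    # new wrapper would then exec itself in a loop, so leave it alone.
    if [[ -e "$BUILDROOT/$target.orig" || -L "$BUILDROOT/$target.orig" ]]; then
        continue
    fi

    # Leak detection stays enabled only for getent.
    if [[ "$bin" == getent ]]; then
        enable_lsan=1
    else
        enable_lsan=0
    fi

    mv "$BUILDROOT/$target" "$BUILDROOT/$target.orig"

    # The heredoc delimiter is unquoted: $ASAN_RT_PATH, $enable_lsan and
    # ${target} are expanded now, while the escaped \$0 and \$@ are left for
    # the wrapper to expand at run time.
    #
    # NOTE(review): the wrapper is a plain script, whereas "$target.orig" keeps
    # whatever mode bits the binary had. For set-user-ID targets (su is on the
    # list) the dynamic loader's secure-execution mode may ignore LD_PRELOAD -
    # confirm the preload is actually honoured for those.
    cat >"$BUILDROOT/$target" <<EOF
#!/bin/bash
# Preload the ASan runtime DSO, otherwise ASAn will complain
export LD_PRELOAD="$ASAN_RT_PATH"
# Disable LSan to speed things up, since we don't care about leak reports
# from 'external' binaries
export ASAN_OPTIONS=detect_leaks=$enable_lsan
# Set argv[0] to the original binary name without the ".orig" suffix
exec -a "\$0" -- "${target}.orig" "\$@"
EOF

    chmod +x "$BUILDROOT/$target"
done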
# Write an environment file that preloads the ASan runtime and turns leak
# detection off. Who reads this file is not visible here; presumably it is
# referenced from unit files elsewhere in the tree.
printf 'LD_PRELOAD=%s\nLSAN_OPTIONS=detect_leaks=0\n' "$ASAN_RT_PATH" \
    >"$BUILDROOT"/usr/lib/systemd/systemd-asan-env