Merge pull request #32866 from DaanDeMeyer/sanitizers

mkosi: Sanitizers

.github/workflows/mkosi.yml

@@ -117,12 +117,14 @@ jobs:
                 WITH_DEBUG=1
                 # Enabling optimizations significantly speeds up integration tests.
                 OPTIMIZATION=g
+                SANITIZERS=address,undefined
 
         [Host]
         ToolsTree=default
         ToolsTreeDistribution=fedora
         # TODO: Drop once https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2038777 is fixed in Github Actions
         QemuFirmware=uefi
+        QemuMem=4G
         # We build with debuginfo so there's no point in mounting the sources into the machine.
         RuntimeBuildSources=no
         EOF

mkosi.conf

@@ -10,13 +10,9 @@ MinimumVersion=23~devel
 @CacheDirectory=build/mkosi.cache
 
 [Content]
-# Prevent ASAN warnings when building the image and ship the real ASAN options prefixed with MKOSI_.
-Environment=ASAN_OPTIONS=verify_asan_link_order=false
-            MKOSI_ASAN_OPTIONS=strict_string_checks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1:disable_coredump=0:use_madv_dontdump=1
-            MKOSI_UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1
-            # The kernel versions in CentOS Stream 9 and Ubuntu 22.04 don't support orphan_file, but later
-            # versions of mkfs.ext4 enabled it by default, so we disable it explicitly.
-            SYSTEMD_REPART_MKFS_OPTIONS_EXT4="-O ^orphan_file"
+# The kernel versions in CentOS Stream 9 and Ubuntu 22.04 don't support orphan_file, but later
+# versions of mkfs.ext4 enabled it by default, so we disable it explicitly.
+Environment=SYSTEMD_REPART_MKFS_OPTIONS_EXT4="-O ^orphan_file"
 @SELinuxRelabel=no
 BuildSourcesEphemeral=yes
 

mkosi.conf.d/20-sanitizers.conf

@@ -0,0 +1,19 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Environment=SANITIZERS
+
+[Content]
+# Set verify_asan_link_order=0 to prevent ASAN warnings when building the image and make sure the real ASAN
+# options are set when booting the image.
+# Set intercept_tls_get_addr=0 to work around leak sanitizer segmentation fault in test-dlopen-so on CentOS
+# Stream 9.
+# TODO: Drop intercept_tls_get_addr=0 when we remove CentOS Stream 9 builds.
+Environment=ASAN_OPTIONS=verify_asan_link_order=0:intercept_tls_get_addr=0
+KernelCommandLine=
+        ASAN_OPTIONS=strict_string_checks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1:disable_coredump=0:use_madv_dontdump=1
+        systemd.setenv=ASAN_OPTIONS=strict_string_checks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1:disable_coredump=0:use_madv_dontdump=1
+        UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1
+        systemd.setenv=UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1
+        LSAN_OPTIONS=suppressions=/usr/lib/systemd/leak-sanitizer-suppressions
+        systemd.setenv=LSAN_OPTIONS=suppressions=/usr/lib/systemd/leak-sanitizer-suppressions

mkosi.images/exitrd/mkosi.conf.d/10-arch.conf

@@ -15,11 +15,6 @@ RemoveFiles=
         /usr/lib/libgomp.so*
         /usr/lib/libgphobos.so*
         /usr/lib/libobjc.so*
-        /usr/lib/libasan.so*
-        /usr/lib/libtsan.so*
-        /usr/lib/liblsan.so*
-        /usr/lib/libubsan.so*
-        /usr/lib/libstdc++.so*
         /usr/lib/libgdruntime.so*
 
         # Remove all files that are only required for development.

mkosi.images/minimal-base/mkosi.conf.d/10-arch.conf

@@ -17,11 +17,6 @@ RemoveFiles=
         /usr/lib/libgomp.so*
         /usr/lib/libgphobos.so*
         /usr/lib/libobjc.so*
-        /usr/lib/libasan.so*
-        /usr/lib/libtsan.so*
-        /usr/lib/liblsan.so*
-        /usr/lib/libubsan.so*
-        /usr/lib/libstdc++.so*
         /usr/lib/libgdruntime.so*
 
         # Remove all files that are only required for development.

mkosi.images/system/initrd/mkosi.conf

@@ -0,0 +1,4 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Content]
+PostInstallationScripts=../mkosi.sanitizers.chroot

mkosi.images/system/mkosi.conf

@@ -27,10 +27,18 @@ ExtraTrees=
         %O/minimal-base:/usr/share/TEST-13-NSPAWN-container-template
         %O/exitrd:/exitrd
 
+PostInstallationScripts=mkosi.sanitizers.chroot
+
+InitrdPackages=
+        findutils
+        grep
+        sed
+
 Packages=
         acl
         attr
         bash-completion
+        bpftrace
         coreutils
         curl
         diffutils

mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.build.chroot

@@ -49,6 +49,8 @@ build() {
     IFS=
     # TODO: Replace meson_build and meson_install overrides with "--undefine __meson_verbose" once
     # https://github.com/mesonbuild/meson/pull/12835 is available.
+    # TODO: Replace __meson_auto_features override with meson_extra_configure_options once the suse spec
+    # starts to use it.
     # shellcheck disable=SC2046
     rpmbuild \
         -bb \
@@ -69,7 +71,7 @@ build() {
         --define "build_cflags $(rpm --eval %build_cflags) $EXTRA_CFLAGS" \
         --define "meson_build %{shrink:%{__meson} compile -C %{_vpath_builddir} -j %{_smp_build_ncpus} %{nil}}" \
         --define "meson_install %{shrink:DESTDIR=%{buildroot} %{__meson} install -C %{_vpath_builddir} --no-rebuild --quiet %{nil}}" \
-        --define "meson_extra_configure_options -D mode=developer -D b_sanitize=${SANITIZERS:-none}" \
+        --define "__meson_auto_features auto -D mode=developer -D b_sanitize=${SANITIZERS:-none}" \
         --define "__os_install_post /usr/lib/rpm/brp-suse %{nil}" \
         --define "__elf_exclude_path ^/usr/lib/systemd/tests/unit-tests/.*$" \
         --define "__script_requires %{nil}" \

mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.conf

@@ -29,7 +29,6 @@ Packages=
         bpftool
         btrfs-progs
         cryptsetup
-        dbus-broker
         device-mapper
         dhcp-server
         docbook-xsl-stylesheets

mkosi.images/system/mkosi.extra/usr/lib/systemd/leak-sanitizer-suppressions

@@ -0,0 +1 @@
+leak:libselinux

mkosi.images/system/mkosi.extra/usr/lib/systemd/system/iscsi-init.service.d/asan.conf

@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# The iscsi-init.service calls `sh` which might, in certain circumstances, pull in instrumented systemd NSS
+# modules causing `sh` to fail. Avoid the issue by setting LD_PRELOAD to load the sanitizer libraries if
+# needed.
+[Service]
+EnvironmentFile=-/usr/lib/systemd/systemd-asan-env

mkosi.images/system/mkosi.postinst.chroot

@@ -2,48 +2,6 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 set -e
 
-if [ -n "$SANITIZERS" ]; then
-    LD_PRELOAD=$(ldd /usr/lib/systemd/systemd | grep libasan.so | awk '{print $3}')
-
-    mkdir -p /etc/systemd/system.conf.d
-
-    cat >/etc/systemd/system.conf.d/10-asan.conf <<EOF
-[Manager]
-ManagerEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
-                   UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
-                   LD_PRELOAD=$LD_PRELOAD
-DefaultEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
-                   UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
-                   LD_PRELOAD=$LD_PRELOAD
-EOF
-
-    # ASAN logs to stderr by default. However, journald's stderr is connected to /dev/null, so we lose
-    # all the ASAN logs. To rectify that, let's connect journald's stdout to the console so that any
-    # sanitizer failures appear directly on the user's console.
-    mkdir -p /etc/systemd/system/systemd-journald.service.d
-    cat >/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf <<EOF
-[Service]
-StandardOutput=tty
-EOF
-
-    # Both systemd and util-linux's login call vhangup() on /dev/console which disconnects all users.
-    # This means systemd-journald can't log to /dev/console even if we configure `StandardOutput=tty`. As
-    # a workaround, we modify console-getty.service to disable systemd's vhangup() and disallow login
-    # from calling vhangup() so that journald's ASAN logs correctly end up in the console.
-
-    mkdir -p /etc/systemd/system/console-getty.service.d
-    cat >/etc/systemd/system/console-getty.service.d/10-no-vhangup.conf <<EOF
-[Service]
-TTYVHangup=no
-CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
-EOF
-    # ASAN and syscall filters aren't compatible with each other.
-    find /usr /etc -name '*.service' -type f -exec sed -i 's/^\(MemoryDeny\|SystemCall\)/# \1/' {} +
-
-    # `systemd-hwdb update` takes > 50s when built with sanitizers so let's not run it by default.
-    systemctl mask systemd-hwdb-update.service
-fi
-
 if command -v authselect >/dev/null; then
     # authselect 1.5.0 renamed the minimal profile to the local profile without keeping backwards compat so
     # let's use the new name if it exists.

mkosi.images/system/mkosi.sanitizers.chroot

@@ -0,0 +1,130 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+if [[ -z "$SANITIZERS" ]]; then
+    exit 0
+fi
+
+# Sanitizers log to stderr by default. However, journald's stderr is connected to /dev/null, so we lose
+# all the sanitizer logs. To rectify that, let's connect journald's stdout to kmsg so that the sanitizer
+# failures end up in the journal.
+mkdir -p /etc/systemd/system/systemd-journald.service.d
+cat >/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf <<EOF
+[Service]
+StandardOutput=kmsg
+EOF
+
+# ASAN and syscall filters aren't compatible with each other.
+find /usr /etc -name '*.service' -type f -exec sed -i 's/^\(MemoryDeny\|SystemCall\)/# \1/' {} +
+
+# `systemd-hwdb update` takes > 50s when built with sanitizers so let's not run it by default.
+systemctl mask systemd-hwdb-update.service
+
+ASAN_RT_PATH="$(grep libasan.so < <(ldd /usr/lib/systemd/systemd) | cut -d ' ' -f 3)"
+if [[ -z "$ASAN_RT_PATH" ]]; then
+    ASAN_RT_PATH="$(grep libclang_rt.asan < <(ldd /usr/lib/systemd/systemd) | cut -d ' ' -f 3)"
+
+    # As clang's ASan DSO is usually in a non-standard path, let's check if
+    # the environment is set accordingly. If not, warn the user and exit.
+    # We're not setting the LD_LIBRARY_PATH automagically here, because
+    # user should encounter (and fix) the same issue when running the unit
+    # tests (meson test)
+    if ldd /usr/lib/systemd/systemd | grep -q "libclang_rt.asan.*not found"; then
+        echo >&2 "clang's ASan DSO libclang_rt.asan is not present in the runtime library path"
+        exit 1
+    fi
+fi
+if [[ -z "$ASAN_RT_PATH" ]]; then
+    echo >&2 "systemd is not linked against the ASan DSO"
+    echo >&2 "gcc does this by default, for clang compile with -shared-libasan"
+    exit 1
+fi
+
+wrap=(
+    /usr/lib/polkit-1/polkitd
+    /usr/libexec/polkit-1/polkitd
+    agetty
+    btrfs
+    capsh
+    chgrp
+    chown
+    cryptsetup
+    curl
+    dbus-broker-launch
+    dbus-daemon
+    delv
+    dhcpd
+    dig
+    dmsetup
+    dnsmasq
+    findmnt
+    getent
+    getfacl
+    id
+    integritysetup
+    iscsid
+    kpartx
+    logger
+    login
+    ls
+    lsblk
+    lvm
+    mdadm
+    mkfs.btrfs
+    mkfs.erofs
+    mkfs.ext4
+    mkfs.vfat
+    mkfs.xfs
+    mksquashfs
+    mkswap
+    multipath
+    multipathd
+    nvme
+    p11-kit
+    pkill
+    ps
+    setfacl
+    setpriv
+    sshd
+    stat
+    su
+    tar
+    tgtd
+    useradd
+    userdel
+    veritysetup
+)
+
+for bin in "${wrap[@]}"; do
+    if ! command -v "$bin" >/dev/null; then
+        continue
+    fi
+
+    if [[ "$bin" == getent ]]; then
+        enable_lsan=1
+    else
+        enable_lsan=0
+    fi
+
+    target="$(command -v "$bin")"
+
+    mv "$target" "$target.orig"
+
+    cat >"$target" <<EOF
+#!/bin/bash
+# Preload the ASan runtime DSO, otherwise ASAn will complain
+export LD_PRELOAD="$ASAN_RT_PATH"
+# Disable LSan to speed things up, since we don't care about leak reports
+# from 'external' binaries
+export ASAN_OPTIONS=detect_leaks=$enable_lsan
+# Set argv[0] to the original binary name without the ".orig" suffix
+exec -a "\$0" -- "${target}.orig" "\$@"
+EOF
+    chmod +x "$target"
+done
+
+cat >/usr/lib/systemd/systemd-asan-env <<EOF
+LD_PRELOAD=$ASAN_RT_PATH
+LSAN_OPTIONS=detect_leaks=0
+EOF

src/test/test-execute.c

@@ -615,6 +615,7 @@ static void test_exec_inaccessiblepaths(Manager *m) {
         test(m, "exec-inaccessiblepaths-mount-propagation.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED);
 }
 
+#if !HAS_FEATURE_ADDRESS_SANITIZER
 static int on_spawn_io(sd_event_source *s, int fd, uint32_t revents, void *userdata) {
         char **result = userdata;
         char buf[4096];
@@ -754,8 +755,10 @@ static int find_libraries(const char *exec, char ***ret) {
         *ret = TAKE_PTR(libraries);
         return 0;
 }
+#endif
 
 static void test_exec_mount_apivfs(Manager *m) {
+#if !HAS_FEATURE_ADDRESS_SANITIZER
         _cleanup_free_ char *fullpath_touch = NULL, *fullpath_test = NULL, *data = NULL;
         _cleanup_strv_free_ char **libraries = NULL, **libraries_test = NULL;
         int r;
@@ -801,6 +804,7 @@ static void test_exec_mount_apivfs(Manager *m) {
         test(m, "exec-mount-apivfs-no.service", can_unshare || !MANAGER_IS_SYSTEM(m) ? 0 : EXIT_NAMESPACE, CLD_EXITED);
 
         (void) rm_rf("/tmp/test-exec-mount-apivfs-no/root", REMOVE_ROOT|REMOVE_PHYSICAL);
+#endif
 }
 
 static void test_exec_noexecpaths(Manager *m) {
@@ -820,7 +824,7 @@ static void test_exec_temporaryfilesystem(Manager *m) {
 }
 
 static void test_exec_systemcallfilter(Manager *m) {
-#if HAVE_SECCOMP
+#if HAVE_SECCOMP && !HAS_FEATURE_ADDRESS_SANITIZER
         int r;
 
         if (!is_seccomp_available()) {
@@ -863,7 +867,7 @@ static void test_exec_systemcallfilter(Manager *m) {
 }
 
 static void test_exec_systemcallerrornumber(Manager *m) {
-#if HAVE_SECCOMP
+#if HAVE_SECCOMP && !HAS_FEATURE_ADDRESS_SANITIZER
         int r;
 
         if (!is_seccomp_available()) {

test/test-execute/exec-ambientcapabilities-dynuser.service

@@ -8,3 +8,4 @@ Type=oneshot
 AmbientCapabilities=CAP_CHOWN CAP_SETUID CAP_NET_RAW
 DynamicUser=yes
 PrivateUsers=yes
+EnvironmentFile=-/usr/lib/systemd/systemd-asan-env

test/test-execute/exec-dynamicuser-runtimedirectory1.service

@@ -10,3 +10,4 @@ Type=oneshot
 RuntimeDirectory=test-exec_runtimedirectorypreserve
 RuntimeDirectoryPreserve=yes
 DynamicUser=yes
+EnvironmentFile=-/usr/lib/systemd/systemd-asan-env

test/test-execute/exec-dynamicuser-runtimedirectory2.service

@@ -11,3 +11,4 @@ Type=oneshot
 RuntimeDirectory=test-exec_runtimedirectorypreserve
 RuntimeDirectoryPreserve=yes
 DynamicUser=yes
+EnvironmentFile=-/usr/lib/systemd/systemd-asan-env

test/test-execute/exec-dynamicuser-runtimedirectory3.service

@@ -10,3 +10,4 @@ ExecStart=sh -x -c 'touch $$RUNTIME_DIRECTORY/test'
 Type=oneshot
 RuntimeDirectory=test-exec_runtimedirectorypreserve
 DynamicUser=yes
+EnvironmentFile=-/usr/lib/systemd/systemd-asan-env

test/test-execute/exec-dynamicuser-statedir-migrate-step2.service

@@ -24,3 +24,4 @@ ExecStart=sh -x -c 'test "$$STATE_DIRECTORY" = "%S/test-dynamicuser-migrate:%S/t
 Type=oneshot
 DynamicUser=yes
 StateDirectory=test-dynamicuser-migrate test-dynamicuser-migrate2/hoge
+EnvironmentFile=-/usr/lib/systemd/systemd-asan-env

test/test-execute/exec-dynamicuser-statedir.service

@@ -83,3 +83,4 @@ ExecStart=sh -x -c 'test "$$STATE_DIRECTORY" = "%S/aaa:%S/aaa/bbb:%S/aaa/ccc:%S/
 Type=oneshot
 DynamicUser=yes
 StateDirectory=waldo quux/pief aaa/bbb aaa aaa/ccc xxx/yyy:aaa/111 xxx:aaa/222 xxx/zzz:aaa/333 abc:d\:ef
+EnvironmentFile=-/usr/lib/systemd/systemd-asan-env

test/test-execute/exec-dynamicuser-supplementarygroups.service

@@ -8,3 +8,4 @@ ExecStart=sh -x -c 'for g in $$(id -G); do test "$$g" = "2" && exit 0; done; exi
 Type=oneshot
 DynamicUser=yes
 SupplementaryGroups=1 2
+EnvironmentFile=-/usr/lib/systemd/systemd-asan-env

test/test-network/systemd-networkd-tests.py

@@ -106,7 +106,7 @@ def cp(src, dst):
     shutil.copy(src, dst)
 
 def cp_r(src, dst):
-    shutil.copytree(src, dst, copy_function=shutil.copy)
+    shutil.copytree(src, dst, copy_function=shutil.copy, dirs_exist_ok=True)
 
 def mkdir_p(path):
     os.makedirs(path, exist_ok=True)

test/units/TEST-02-UNITTESTS.sh

@@ -55,20 +55,18 @@ run_test() {
             ;;
     esac
 
-    systemd-run --quiet --property Delegate=1 --property "Environment=$environment" --unit="$name" --wait "$test" && ret=0 || ret=$?
+    systemd-run \
+        --quiet \
+        --property Delegate=1 \
+        --property EnvironmentFile=-/usr/lib/systemd/systemd-asan-env \
+        --property "Environment=$environment" \
+        --unit="$name" \
+        --wait "$test" && ret=0 || ret=$?
 
     exec {LOCK_FD}> /lock
     flock --exclusive ${LOCK_FD}
 
-    if [[ $ret -ne 0 && $ret != 77 && $ret != 127 ]]; then
-        echo "$name failed with $ret"
-        echo "$name" >>/failed-tests
-        {
-            echo "--- $name begin ---"
-            journalctl --unit="$name" --no-hostname -o short-monotonic
-            echo "--- $name end ---"
-        } >>/failed
-    elif [[ $ret == 77 || $ret == 127 ]]; then
+    if [[ $ret -eq 77 ]] || [[ $ret -eq 127 ]]; then
         echo "$name skipped"
         echo "$name" >>/skipped-tests
         {
@@ -76,6 +74,14 @@ run_test() {
             journalctl --unit="$name" --no-hostname -o short-monotonic
             echo "--- $name end ---"
         } >>/skipped
+    elif [[ $ret -ne 0 ]]; then
+        echo "$name failed with $ret"
+        echo "$name" >>/failed-tests
+        {
+            echo "--- $name begin ---"
+            journalctl --unit="$name" --no-hostname -o short-monotonic
+            echo "--- $name end ---"
+        } >>/failed
     else
         echo "$name OK"
         echo "$name" >>/testok

test/units/TEST-05-RLIMITS.effective-limit.sh

@@ -9,22 +9,22 @@ set -o pipefail
 pre=test05
 cat >/run/systemd/system/"$pre"alpha.slice <<EOF
 [Slice]
-MemoryMax=40M
-MemoryHigh=40M
+MemoryMax=400M
+MemoryHigh=400M
 TasksMax=400
 EOF
 
 cat >/run/systemd/system/"$pre"alpha-beta.slice <<EOF
 [Slice]
-MemoryMax=10M
-MemoryHigh=10M
+MemoryMax=100M
+MemoryHigh=100M
 TasksMax=100
 EOF
 
 cat >/run/systemd/system/"$pre"alpha-beta-gamma.slice <<EOF
 [Slice]
-MemoryMax=20M
-MemoryHigh=20M
+MemoryMax=200M
+MemoryHigh=200M
 TasksMax=200
 EOF
 
@@ -35,14 +35,14 @@ slc0="$pre"alpha.slice
 slc="$pre"alpha-beta-gamma.slice
 
 systemd-run --unit "$srv" --slice "$slc"  \
-    -p MemoryMax=5M \
-    -p MemoryHigh=5M \
+    -p MemoryMax=50M \
+    -p MemoryHigh=50M \
     -p TasksMax=50 \
     sleep inf
 
 # Compare with inequality because test can run in a constrained container
-assert_le "$(systemctl show -P EffectiveMemoryMax "$srv")" "5242880"
-assert_le "$(systemctl show -P EffectiveMemoryHigh "$srv")" "5242880"
+assert_le "$(systemctl show -P EffectiveMemoryMax "$srv")" "52428800"
+assert_le "$(systemctl show -P EffectiveMemoryHigh "$srv")" "52428800"
 assert_le "$(systemctl show -P EffectiveTasksMax "$srv")" "50"
 
 systemctl stop "$srv"
@@ -50,17 +50,17 @@ systemctl stop "$srv"
 systemd-run --unit "$srv" --slice "$slc"  \
     sleep inf
 
-assert_le "$(systemctl show -P EffectiveMemoryMax "$srv")" "10485760"
-assert_le "$(systemctl show -P EffectiveMemoryHigh "$srv")" "10485760"
+assert_le "$(systemctl show -P EffectiveMemoryMax "$srv")" "104857600"
+assert_le "$(systemctl show -P EffectiveMemoryHigh "$srv")" "104857600"
 assert_le "$(systemctl show -P EffectiveTasksMax "$srv")" "100"
 
 systemctl set-property "$slc0" \
-    MemoryMax=5M \
-    MemoryHigh=5M \
+    MemoryMax=50M \
+    MemoryHigh=50M \
     TasksMax=50
 
-assert_le "$(systemctl show -P EffectiveMemoryMax "$srv")" "5242880"
-assert_le "$(systemctl show -P EffectiveMemoryHigh "$srv")" "5242880"
+assert_le "$(systemctl show -P EffectiveMemoryMax "$srv")" "52428800"
+assert_le "$(systemctl show -P EffectiveMemoryHigh "$srv")" "52428800"
 assert_le "$(systemctl show -P EffectiveTasksMax "$srv")" "50"
 
 systemctl stop "$srv"

test/units/TEST-36-NUMAPOLICY.sh

@@ -3,6 +3,11 @@
 set -eux
 set -o pipefail
 
+if [[ -n "${ASAN_OPTIONS:-}" ]]; then
+    echo "This test does not support running with sanitizers, skipping the test" | tee --append /skipped
+    exit 77
+fi
+
 # shellcheck disable=SC2317
 at_exit() {
     # shellcheck disable=SC2181

test/units/TEST-79-MEMPRESS.sh

@@ -49,7 +49,17 @@ EOF
 
 chmod +x "$SCRIPT"
 
-systemd-run -u "$UNIT" -p Type=exec -p ProtectControlGroups=1 -p DynamicUser=1 -p MemoryPressureWatch=on -p MemoryPressureThresholdSec=123ms -p BindPaths=$SCRIPT --wait "$SCRIPT"
+systemd-run \
+    -u "$UNIT" \
+    -p Type=exec \
+    -p ProtectControlGroups=1 \
+    -p DynamicUser=1 \
+    -p MemoryPressureWatch=on \
+    -p MemoryPressureThresholdSec=123ms \
+    -p BindPaths=$SCRIPT \
+    `# Make sanitizers happy when DynamicUser=1 pulls in instrumented systemd NSS modules` \
+    -p EnvironmentFile=-/usr/lib/systemd/systemd-asan-env \
+    --wait "$SCRIPT"
 
 rm "$SCRIPT"