#!/bin/bash # SPDX-License-Identifier: LGPL-2.1-or-later set -e set -o nounset LIBSYSTEMD="$(mkosi-chroot ldconfig -p | grep libsystemd.so.0 | sed 's/[^/]*\//\//')" if [[ ! -f "$BUILDROOT/$LIBSYSTEMD" ]]; then exit 0 fi # ASAN and syscall filters aren't compatible with each other. find "$BUILDROOT"/usr "$BUILDROOT"/etc -name '*.service' -type f -exec sed -i 's/^\(MemoryDeny\|SystemCall\)/# \1/' {} + # 'systemd-hwdb update' takes > 50s when built with sanitizers so let's not run it by default. systemctl --root="$BUILDROOT" mask systemd-hwdb-update.service ASAN_RT_PATH="$(grep libasan.so < <(mkosi-chroot ldd "$LIBSYSTEMD") | cut -d ' ' -f 3)" if [[ -z "$ASAN_RT_PATH" ]]; then ASAN_RT_PATH="$(grep libclang_rt.asan < <(mkosi-chroot ldd "$LIBSYSTEMD") | cut -d ' ' -f 3)" # As clang's ASan DSO is usually in a non-standard path, let's check if the RUNPATH is set accordingly. if mkosi-chroot ldd "$LIBSYSTEMD" | grep -q "libclang_rt.asan.*not found"; then echo >&2 "clang's ASan DSO libclang_rt.asan is not present in the runtime library path" exit 1 fi fi if [[ -z "$ASAN_RT_PATH" ]]; then echo >&2 "systemd is not linked against the ASan DSO" echo >&2 "gcc does this by default, for clang compile with -shared-libasan" exit 1 fi wrap=( /usr/lib/polkit-1/polkitd /usr/libexec/polkit-1/polkitd agetty btrfs capsh chgrp chown cryptsetup curl dbus-broker-launch dbus-daemon delv dhcpd dig dnf dnf5 dmsetup dnsmasq findmnt getent getfacl id integritysetup iscsid kpartx logger login ls lsblk lvm mdadm mkfs.btrfs mksquashfs multipath multipathd nvme p11-kit pkill ps setfacl setpriv sshd stat su tar tgtd useradd userdel veritysetup ) for bin in "${wrap[@]}"; do if ! mkosi-chroot bash -c "command -v $bin" >/dev/null; then continue fi if [[ "$bin" == getent ]]; then enable_lsan=1 else enable_lsan=0 fi target="$(mkosi-chroot bash -c "command -v $bin")" mv "$BUILDROOT/$target" "$BUILDROOT/$target.orig" cat >"$BUILDROOT/$target" <"$BUILDROOT"/usr/lib/systemd/systemd-asan-env <