mirror of
https://github.com/systemd/systemd.git
synced 2024-12-23 21:35:11 +03:00
6327988d65
The only reason to have these split up is to be able to build extension images that use the base image as a base tree and install extra packages. Until we have such a use case, let's merge the base and system images to simplify things a bit. We keep the mkosi.images/ directory to not cause too many conflicts with the integration tests PR.
76 lines
3.0 KiB
Bash
Executable File
76 lines
3.0 KiB
Bash
Executable File
#!/bin/bash
|
|
# SPDX-License-Identifier: LGPL-2.1-or-later
|
|
set -e
|
|
|
|
if [ -n "$SANITIZERS" ]; then
|
|
LD_PRELOAD=$(ldd /usr/lib/systemd/systemd | grep libasan.so | awk '{print $3}')
|
|
|
|
mkdir -p /etc/systemd/system.conf.d
|
|
|
|
cat >/etc/systemd/system.conf.d/10-asan.conf <<EOF
|
|
[Manager]
|
|
ManagerEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
|
|
UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
|
|
LD_PRELOAD=$LD_PRELOAD
|
|
DefaultEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
|
|
UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
|
|
LD_PRELOAD=$LD_PRELOAD
|
|
EOF
|
|
|
|
# ASAN logs to stderr by default. However, journald's stderr is connected to /dev/null, so we lose
|
|
# all the ASAN logs. To rectify that, let's connect journald's stdout to the console so that any
|
|
# sanitizer failures appear directly on the user's console.
|
|
mkdir -p /etc/systemd/system/systemd-journald.service.d
|
|
cat >/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf <<EOF
|
|
[Service]
|
|
StandardOutput=tty
|
|
EOF
|
|
|
|
# Both systemd and util-linux's login call vhangup() on /dev/console which disconnects all users.
|
|
# This means systemd-journald can't log to /dev/console even if we configure `StandardOutput=tty`. As
|
|
# a workaround, we modify console-getty.service to disable systemd's vhangup() and disallow login
|
|
# from calling vhangup() so that journald's ASAN logs correctly end up in the console.
|
|
|
|
mkdir -p /etc/systemd/system/console-getty.service.d
|
|
cat >/etc/systemd/system/console-getty.service.d/10-no-vhangup.conf <<EOF
|
|
[Service]
|
|
TTYVHangup=no
|
|
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
|
|
EOF
|
|
# ASAN and syscall filters aren't compatible with each other.
|
|
find / -name '*.service' -type f -exec sed -i 's/^\(MemoryDeny\|SystemCall\)/# \1/' {} +
|
|
|
|
# `systemd-hwdb update` takes > 50s when built with sanitizers so let's not run it by default.
|
|
systemctl mask systemd-hwdb-update.service
|
|
fi
|
|
|
|
if command -v authselect >/dev/null; then
|
|
# authselect 1.5.0 renamed the minimal profile to the local profile without keeping backwards compat so
|
|
# let's use the new name if it exists.
|
|
if [ -d /usr/share/authselect/default/local ]; then
|
|
PROFILE=local
|
|
else
|
|
PROFILE=minimal
|
|
fi
|
|
|
|
authselect select "$PROFILE"
|
|
|
|
if authselect list-features "$PROFILE" | grep -q "with-homed"; then
|
|
authselect enable-feature with-homed
|
|
fi
|
|
fi
|
|
|
|
# Let tmpfiles.d/systemd-resolve.conf handle the symlink. /etc/resolv.conf might be mounted over so undo that
|
|
# if that's the case.
|
|
mountpoint -q /etc/resolv.conf && umount /etc/resolv.conf
|
|
rm -f /etc/resolv.conf
|
|
|
|
# sbsign is not available on CentOS Stream
|
|
if command -v sbsign &>/dev/null; then
|
|
# Ensure that side-loaded PE addons are loaded if signed, and ignored if not
|
|
addons_dir=/efi/loader/addons
|
|
mkdir -p "$addons_dir"
|
|
ukify build --secureboot-private-key mkosi.key --secureboot-certificate mkosi.crt --cmdline this_should_be_here -o "$addons_dir/good.addon.efi"
|
|
ukify build --cmdline this_should_not_be_here -o "$addons_dir/bad.addon.efi"
|
|
fi
|