shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2024-10-27 10:25:37 +03:00
Code
862c68a914
systemd/mkosi.sanitizers.chroot
Daan De Meyer 20345a86b7 mkosi: Adapt configuration to take into account configuration rework 
In https://github.com/systemd/mkosi/pull/2847, the '@' specifier is
removed, CLI arguments take priority over configuration files again
and the "main" image is defined at the top level instead of in
mkosi.images/. Additionally, not every setting from the top level
configuration is inherited by the images in mkosi.images/ anymore,
only settings which make sense to be inherited are inherited.

This commit gets rid of all the usages of '@', moves the "main" image
configuration from mkosi.images/system to the top level and gets rid
of various hacks we had in place to deal with quirks of the old
configuration parsing logic.

We also remove usages of Images= and --append as these options are
removed by the mentioned PR.
2024-07-09 08:07:09 +02:00

128 lines
2.9 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# SPDX-License-Identifier: LGPL-2.1-or-later
set -e
set -o nounset
if [[ -z "${SANITIZERS:-}" ]]; then
exit 0
fi
# Sanitizers log to stderr by default. However, journald's stderr is connected to /dev/null, so we lose
# all the sanitizer logs. To rectify that, let's connect journald's stdout to kmsg so that the sanitizer
# failures end up in the journal.
mkdir -p /etc/systemd/system/systemd-journald.service.d
cat >/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf <<EOF
[Service]
StandardOutput=kmsg
EOF
# ASAN and syscall filters aren't compatible with each other.
find /usr /etc -name '*.service' -type f -exec sed -i 's/^\(MemoryDeny\|SystemCall\)/# \1/' {} +
# 'systemd-hwdb update' takes > 50s when built with sanitizers so let's not run it by default.
systemctl mask systemd-hwdb-update.service
ASAN_RT_PATH="$(grep libasan.so < <(ldd /usr/lib/systemd/systemd) | cut -d ' ' -f 3)"
if [[ -z "$ASAN_RT_PATH" ]]; then
ASAN_RT_PATH="$(grep libclang_rt.asan < <(ldd /usr/lib/systemd/systemd) | cut -d ' ' -f 3)"
# As clang's ASan DSO is usually in a non-standard path, let's check if the RUNPATH is set accordingly.
if ldd /usr/lib/systemd/systemd | grep -q "libclang_rt.asan.*not found"; then
echo >&2 "clang's ASan DSO libclang_rt.asan is not present in the runtime library path"
exit 1
fi
fi
if [[ -z "$ASAN_RT_PATH" ]]; then
echo >&2 "systemd is not linked against the ASan DSO"
echo >&2 "gcc does this by default, for clang compile with -shared-libasan"
exit 1
fi
wrap=(
/usr/lib/polkit-1/polkitd
/usr/libexec/polkit-1/polkitd
agetty
btrfs
capsh
chgrp
chown
cryptsetup
curl
dbus-broker-launch
dbus-daemon
delv
dhcpd
dig
dmsetup
dnsmasq
findmnt
getent
getfacl
id
integritysetup
iscsid
kpartx
logger
login
ls
lsblk
lvm
mdadm
mkfs.btrfs
mkfs.erofs
mkfs.ext4
mkfs.vfat
mkfs.xfs
mksquashfs
mkswap
multipath
multipathd
nvme
p11-kit
pkill
ps
setfacl
setpriv
sshd
stat
su
tar
tgtd
useradd
userdel
veritysetup
)
for bin in "${wrap[@]}"; do
if ! command -v "$bin" >/dev/null; then
continue
fi
if [[ "$bin" == getent ]]; then
enable_lsan=1
else
enable_lsan=0
fi
target="$(command -v "$bin")"
mv "$target" "$target.orig"
cat >"$target" <<EOF
#!/bin/bash
# Preload the ASan runtime DSO, otherwise ASAn will complain
export LD_PRELOAD="$ASAN_RT_PATH"
# Disable LSan to speed things up, since we don't care about leak reports
# from 'external' binaries
export ASAN_OPTIONS=detect_leaks=$enable_lsan
# Set argv[0] to the original binary name without the ".orig" suffix
exec -a "\$0" -- "${target}.orig" "\$@"
EOF
chmod +x "$target"
done
cat >/usr/lib/systemd/systemd-asan-env <<EOF
LD_PRELOAD=$ASAN_RT_PATH
LSAN_OPTIONS=detect_leaks=0
EOF
View Git Blame Copy Permalink