authorDaan De Meyer <daan.j.demeyer@gmail.com>2022-07-15 02:26:52 +0200
committerDaan De Meyer <daan.j.demeyer@gmail.com>2022-07-18 16:54:56 +0200
commit69d638e67e5bfc5fedcae4072f144a4f7d798c9a (patch)
tree7609b870b6116e04516fb3bb2901d9f64e65434c /mkosi.build
parent111ff5d5115cb2f49aba59da5dbdf96a28d0974d (diff)
mkosi: Changes to allow booting with sanitizers in mkosi
- Extra memory because ASAN needs it
- The environment variables to make the sanitizers more useful
- LD_PRELOAD because the ASAN DSO needs to be the first in the list
- The sanitizer library packages
- Disable syscall filters because they interfere with ASAN
- Disable systemd-hwdb-update because it's super slow when systemd-hwdb is built with sanitizers
- Take the value for meson's b_sanitize option from the SANITIZERS environment variable
Diffstat (limited to 'mkosi.build')
-rwxr-xr-xmkosi.build55
1 files changed, 53 insertions, 2 deletions
diff --git a/mkosi.build b/mkosi.build
index 2be8fdbda1..27e5b1c65c 100755
--- a/mkosi.build
+++ b/mkosi.build
@@ -5,6 +5,9 @@ set -e
# This is a build script for OS image generation using mkosi (https://github.com/systemd/mkosi).
# Simply invoke "mkosi" in the project directory to build an OS image.
+ASAN_OPTIONS=strict_string_checks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1:disable_coredump=0:use_madv_dontdump=1
+UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1
+
# On Fedora "ld" is (unfortunately — if you ask me) managed via
# "alternatives". Since we'd like to support building images in environments
# with only /usr/ around (e.g. mkosi's UsrOnly=1 option), we have the problem
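Review bot: The two assignments added at the top replace any ASAN_OPTIONS or UBSAN_OPTIONS value the caller already had, so a developer cannot adjust the sanitizer settings without editing the script; whether mkosi passes these variables through to the build script is not visible here. If overriding should be possible, default them instead, e.g. `: "${UBSAN_OPTIONS:=print_stacktrace=1:print_summary=1:halt_on_error=1}"` and the same form for ASAN_OPTIONS. A one-line comment such as `# Sanitizer runtime options; only exported/installed when SANITIZERS is set.` would also explain why they sit at the top of the script unexported.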
@@ -61,7 +64,8 @@ if [ ! -f "$BUILDDIR"/build.ninja ] ; then
-D man=false \
-D translations=false \
-D version-tag="${VERSION_TAG}" \
- -D mode=developer
+ -D mode=developer \
+ -D b_sanitize="${SANITIZERS:-none}"
fi
cd "$BUILDDIR"
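Review bot: `-D b_sanitize=...` is passed only inside the `if [ ! -f "$BUILDDIR"/build.ninja ]` branch, so an existing build directory keeps whatever sanitizer setting it was first configured with, while the later `$SANITIZERS` checks in this script follow the current environment. An incremental build after changing SANITIZERS could then install the ASAN drop-ins around non-instrumented binaries, or ship instrumented binaries without them. If no reconfigure happens elsewhere (the block starts outside this hunk), an `else` branch such as `meson configure "$BUILDDIR" -D b_sanitize="${SANITIZERS:-none}"` would keep the two in step.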
@@ -71,7 +75,15 @@ if [ "$WITH_TESTS" = 1 ] ; then
getent group $id >/dev/null || groupadd -g $id testgroup$id
done
- ninja test
+ if [ -n "$SANITIZERS" ]; then
+ export ASAN_OPTIONS="$ASAN_OPTIONS"
+ export UBSAN_OPTIONS="$UBSAN_OPTIONS"
+ TIMEOUT_MULTIPLIER=3
+ else
+ TIMEOUT_MULTIPLIER=1
+ fi
+
+ meson test --timeout-multiplier=$TIMEOUT_MULTIPLIER
fi
cd "$SRCDIR"
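Review bot: The test `[ -n "$SANITIZERS" ]` treats an explicit `SANITIZERS=none` as "sanitizers enabled", although `none` is the value the configure step itself uses for the disabled case (`${SANITIZERS:-none}`). With that setting the tests run with the exported options and tripled timeout, and the same test in the last hunk would install the ASAN drop-ins into the image. Consider `if [ -n "$SANITIZERS" ] && [ "$SANITIZERS" != none ]; then` in both places. Separately, `$TIMEOUT_MULTIPLIER` should be quoted in the `meson test` call.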
@@ -120,3 +132,42 @@ if [ -n "$CI_BUILD" ]; then
cp -v "$SRCDIR/test/mkosi-check-and-shutdown.sh" "$DESTDIR/usr/lib/systemd/mkosi-check-and-shutdown.sh"
chmod +x "$DESTDIR/usr/lib/systemd/mkosi-check-and-shutdown.sh"
fi
+
+if [ -n "$SANITIZERS" ]; then
+ LD_PRELOAD=$(ldd $BUILDDIR/systemd | grep libasan.so | awk '{print $3}')
+
+ mkdir -p "$DESTDIR/etc/systemd/system.conf.d"
+
+ cat > "$DESTDIR/etc/systemd/system.conf.d/10-asan.conf" <<EOF
+[Manager]
+ManagerEnvironment=ASAN_OPTIONS=$ASAN_OPTIONS\\
+ UBSAN_OPTIONS=$UBSAN_OPTIONS\\
+ LD_PRELOAD=$LD_PRELOAD
+DefaultEnvironment=ASAN_OPTIONS=$ASAN_OPTIONS\\
+ UBSAN_OPTIONS=$UBSAN_OPTIONS\\
+ LD_PRELOAD=$LD_PRELOAD
+EOF
+
+ # ASAN logs to stderr by default. However, journald's stderr is connected to /dev/null, so we lose
+ # all the ASAN logs. To rectify that, let's connect journald's stdout to the console so that any
+ # sanitizer failures appear directly on the user's console.
+ mkdir -p "$DESTDIR/etc/systemd/system/systemd-journald.service.d"
+
+ cat > "$DESTDIR/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf" <<EOF
+[Service]
+StandardOutput=tty
+EOF
+
+ # Both systemd and util-linux's login call vhangup() on /dev/console which disconnects all users.
+ # This means systemd-journald can't log to /dev/console even if we configure `StandardOutput=tty`. As
+ # a workaround, we modify console-getty.service to disable systemd's vhangup() and disallow login
+ # from calling vhangup() so that journald's ASAN logs correctly end up in the console.
+
+ mkdir -p "$DESTDIR/etc/systemd/system/console-getty.service.d"
+
+ cat > "$DESTDIR/etc/systemd/system/console-getty.service.d/10-no-vhangup.conf" <<EOF
+[Service]
+TTYVHangup=no
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+EOF
+fi
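Review bot: The `LD_PRELOAD=$(ldd ... | grep libasan.so | awk ...)` line can produce an empty string without failing, because the pipeline's status is awk's; under `set -e` a build with no libasan dependency (for instance `SANITIZERS=undefined`, or a toolchain whose ASAN runtime has another name) still writes `LD_PRELOAD=` into both `ManagerEnvironment=` and `DefaultEnvironment=`. The line also reuses the name `LD_PRELOAD`: if that variable is already exported in the build environment, the assignment changes it for every later command in the script. A separate, quoted variable avoids both, e.g. `asan_rt=$(ldd "$BUILDDIR/systemd" | awk '/libasan\.so/ { print $3; exit }')`, with the two here-document references updated and a warning on stderr when it is empty. Because the image-wide preload and the console changes (`TTYVHangup=no`, login prevented from calling vhangup()) relax normal loader and console hygiene, a comment line in each generated drop-in stating that it belongs to sanitizer test images only would help anyone who later finds these files in an image.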