Merge pull request systemd#33101 from DaanDeMeyer/revert

Revert accidentally merged commits

.github/workflows/mkosi.yml

@@ -117,14 +117,12 @@ jobs:
  WITH_DEBUG=1
  # Enabling optimizations significantly speeds up integration tests.
  OPTIMIZATION=g
- SANITIZERS=address,undefined
 
  [Host]
  ToolsTree=default
  ToolsTreeDistribution=fedora
  # TODO: Drop once https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2038777 is fixed in Github Actions
  QemuFirmware=uefi
- QemuMem=4G
  # We build with debuginfo so there's no point in mounting the sources into the machine.
  RuntimeBuildSources=no
  EOF

mkosi.conf

@@ -10,9 +10,13 @@ MinimumVersion=23~devel
 @CacheDirectory=build/mkosi.cache
 
 [Content]
-# The kernel versions in CentOS Stream 9 and Ubuntu 22.04 don't support orphan_file, but later
-# versions of mkfs.ext4 enabled it by default, so we disable it explicitly.
-Environment=SYSTEMD_REPART_MKFS_OPTIONS_EXT4="-O ^orphan_file"
+# Prevent ASAN warnings when building the image and ship the real ASAN options prefixed with MKOSI_.
+Environment=ASAN_OPTIONS=verify_asan_link_order=false
+ MKOSI_ASAN_OPTIONS=strict_string_checks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1:disable_coredump=0:use_madv_dontdump=1
+ MKOSI_UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1
+ # The kernel versions in CentOS Stream 9 and Ubuntu 22.04 don't support orphan_file, but later
+ # versions of mkfs.ext4 enabled it by default, so we disable it explicitly.
+ SYSTEMD_REPART_MKFS_OPTIONS_EXT4="-O ^orphan_file"
 @SELinuxRelabel=no
 BuildSourcesEphemeral=yes
 

mkosi.images/exitrd/mkosi.conf.d/10-arch.conf

@@ -15,6 +15,11 @@ RemoveFiles=
  /usr/lib/libgomp.so*
  /usr/lib/libgphobos.so*
  /usr/lib/libobjc.so*
+ /usr/lib/libasan.so*
+ /usr/lib/libtsan.so*
+ /usr/lib/liblsan.so*
+ /usr/lib/libubsan.so*
+ /usr/lib/libstdc++.so*
  /usr/lib/libgdruntime.so*
 
  # Remove all files that are only required for development.

mkosi.images/minimal-base/mkosi.conf.d/10-arch.conf

@@ -17,6 +17,11 @@ RemoveFiles=
  /usr/lib/libgomp.so*
  /usr/lib/libgphobos.so*
  /usr/lib/libobjc.so*
+ /usr/lib/libasan.so*
+ /usr/lib/libtsan.so*
+ /usr/lib/liblsan.so*
+ /usr/lib/libubsan.so*
+ /usr/lib/libstdc++.so*
  /usr/lib/libgdruntime.so*
 
  # Remove all files that are only required for development.

mkosi.images/system/mkosi.conf

@@ -27,13 +27,6 @@ ExtraTrees=
  %O/minimal-base:/usr/share/TEST-13-NSPAWN-container-template
  %O/exitrd:/exitrd
 
-PostInstallationScripts=mkosi.sanitizers.chroot
-
-InitrdPackages=
- findutils
- grep
- sed
-
 Packages=
  acl
  attr

mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.build.chroot

@@ -49,8 +49,6 @@ build() {
  IFS=
  # TODO: Replace meson_build and meson_install overrides with "--undefine __meson_verbose" once
  # https://github.com/mesonbuild/meson/pull/12835 is available.
- # TODO: Replace __meson_auto_features override with meson_extra_configure_options once the suse spec
- # starts to use it.
  # shellcheck disable=SC2046
  rpmbuild \
  -bb \
@@ -71,7 +69,7 @@ build() {
  --define "build_cflags $(rpm --eval %build_cflags) $EXTRA_CFLAGS" \
  --define "meson_build %{shrink:%{__meson} compile -C %{_vpath_builddir} -j %{_smp_build_ncpus} %{nil}}" \
  --define "meson_install %{shrink:DESTDIR=%{buildroot} %{__meson} install -C %{_vpath_builddir} --no-rebuild --quiet %{nil}}" \
- --define "__meson_auto_features auto -D mode=developer -D b_sanitize=${SANITIZERS:-none}" \
+ --define "meson_extra_configure_options -D mode=developer -D b_sanitize=${SANITIZERS:-none}" \
  --define "__os_install_post /usr/lib/rpm/brp-suse %{nil}" \
  --define "__elf_exclude_path ^/usr/lib/systemd/tests/unit-tests/.*$" \
  --define "__script_requires %{nil}" \

mkosi.images/system/mkosi.postinst.chroot

@@ -2,6 +2,48 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 set -e
 
+if [ -n "$SANITIZERS" ]; then
+ LD_PRELOAD=$(ldd /usr/lib/systemd/systemd | grep libasan.so | awk '{print $3}')
+
+ mkdir -p /etc/systemd/system.conf.d
+
+ cat >/etc/systemd/system.conf.d/10-asan.conf <<EOF
+[Manager]
+ManagerEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
+ UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
+ LD_PRELOAD=$LD_PRELOAD
+DefaultEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
+ UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
+ LD_PRELOAD=$LD_PRELOAD
+EOF
+
+ # ASAN logs to stderr by default. However, journald's stderr is connected to /dev/null, so we lose
+ # all the ASAN logs. To rectify that, let's connect journald's stdout to the console so that any
+ # sanitizer failures appear directly on the user's console.
+ mkdir -p /etc/systemd/system/systemd-journald.service.d
+ cat >/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf <<EOF
+[Service]
+StandardOutput=tty
+EOF
+
+ # Both systemd and util-linux's login call vhangup() on /dev/console which disconnects all users.
+ # This means systemd-journald can't log to /dev/console even if we configure `StandardOutput=tty`. As
+ # a workaround, we modify console-getty.service to disable systemd's vhangup() and disallow login
+ # from calling vhangup() so that journald's ASAN logs correctly end up in the console.
+
+ mkdir -p /etc/systemd/system/console-getty.service.d
+ cat >/etc/systemd/system/console-getty.service.d/10-no-vhangup.conf <<EOF
+[Service]
+TTYVHangup=no
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+EOF
+ # ASAN and syscall filters aren't compatible with each other.
+ find /usr /etc -name '*.service' -type f -exec sed -i 's/^\(MemoryDeny\|SystemCall\)/# \1/' {} +
+
+ # `systemd-hwdb update` takes > 50s when built with sanitizers so let's not run it by default.
+ systemctl mask systemd-hwdb-update.service
+fi
+
 if command -v authselect >/dev/null; then
  # authselect 1.5.0 renamed the minimal profile to the local profile without keeping backwards compat so
  # let's use the new name if it exists.