new(ci): build with sanitizers in CI

Signed-off-by: Luca Guerra <luca@guerra.sh>
falcosecurity · Mar 29, 2024 · 21e11c5 · 21e11c5
1 parent fe4c37a
commit 21e11c5
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 8 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -22,13 +22,17 @@ jobs:
     with:
       arch: x86_64
       version: ${{ needs.fetch-version.outputs.version }}
+      build_type: Debug
+      sanitizers: true
 
   build-dev-packages-arm64:
     needs: [fetch-version]
     uses: ./.github/workflows/reusable_build_packages.yaml
     with:
       arch: aarch64
       version: ${{ needs.fetch-version.outputs.version }}
+      build_type: Debug
+      sanitizers: true
 
   test-dev-packages:
     needs: [fetch-version, build-dev-packages]
@@ -82,6 +86,7 @@ jobs:
       arch: x86_64
       git_ref: ${{ github.event.pull_request.head.sha }}
       minimal: false
+      sanitizers: true
       build_type: Debug
       cmd: "echo $(build/userspace/falco/falco -c ./falco.yaml --version | grep 'Engine:' | awk '{print $2}') $(echo $(build/userspace/falco/falco -c ./falco.yaml --version | grep 'Schema version:' | awk '{print $3}') $(build/userspace/falco/falco -c ./falco.yaml --list --markdown | grep '^`' | sort) $(build/userspace/falco/falco -c ./falco.yaml --list-events | sort) | sha256sum)"
 

diff --git a/.github/workflows/reusable_build_dev.yaml b/.github/workflows/reusable_build_dev.yaml
@@ -14,6 +14,11 @@ on:
         description: Minimal build
         required: true
         type: boolean
+      sanitizers:
+        description: Enable sanitizer support
+        required: false
+        default: false
+        type: boolean
       build_type:
         description: One of 'Debug' or 'Release'
         required: true
@@ -59,6 +64,8 @@ jobs:
             -DBUILD_BPF=${{ inputs.minimal == true && 'OFF' || 'ON' }} \
             -DBUILD_DRIVER=${{ inputs.minimal == true && 'OFF' || 'ON' }} \
             -DMINIMAL_BUILD=${{ inputs.minimal == true && 'ON' || 'OFF' }} \
+            -DUSE_ASAN=${{ inputs.sanitizers == true && 'ON' || 'OFF' }} \
+            -DUSE_UBSAN=${{ inputs.sanitizers == true && 'ON' || 'OFF' }} \
             -DUSE_BUNDLED_DEPS=Off \
             -DUSE_BUNDLED_NLOHMANN_JSON=On \
             -DUSE_BUNDLED_CXXOPTS=On \

diff --git a/.github/workflows/reusable_build_packages.yaml b/.github/workflows/reusable_build_packages.yaml
@@ -10,6 +10,16 @@ on:
         description: The Falco version to use when building packages
         required: true
         type: string
+      build_type:
+        description: The build type
+        required: false
+        type: string
+        default: 'Release'
+      sanitizers:
+        description: enable sanitizer support
+        required: false
+        type: boolean
+        default: false
 
 jobs:
   build-modern-bpf-skeleton:
@@ -50,7 +60,7 @@ jobs:
           yum -y install centos-release-scl
           yum -y install devtoolset-9-gcc devtoolset-9-gcc-c++
           source /opt/rh/devtoolset-9/enable
-          yum install -y wget git make m4 rpm-build elfutils-libelf-devel perl-IPC-Cmd
+          yum install -y wget git make m4 rpm-build elfutils-libelf-devel perl-IPC-Cmd devtoolset-9-libasan-devel devtoolset-9-libubsan-devel
 
       - name: Checkout
         # It is not possible to upgrade the checkout action to versions >= v4.0.0 because of incompatibilities with centos 7's libc.
@@ -67,17 +77,21 @@ jobs:
           curl -L https://github.com/Kitware/CMake/releases/download/v3.22.5/cmake-3.22.5-linux-$(uname -m).tar.gz \
             | tar --directory=/usr --strip-components=1 -xzp
 
+      - name: Check sanitizer value
+        run: echo "${{ inputs.sanitizers }}"
+
       - name: Prepare project
         run: |
           source /opt/rh/devtoolset-9/enable
           cmake -B build -S . \
-              -DCMAKE_BUILD_TYPE=Release \
+              -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
               -DUSE_BUNDLED_DEPS=On \
               -DFALCO_ETC_DIR=/etc/falco \
               -DBUILD_FALCO_MODERN_BPF=ON \
               -DMODERN_BPF_SKEL_DIR=/tmp \
               -DBUILD_DRIVER=Off \
               -DBUILD_BPF=Off \
+              -DUSE_ASAN=${{ (inputs.sanitizers == true && inputs.arch == 'x86_64' && 'ON') || 'OFF' }} \
               -DFALCO_VERSION=${{ inputs.version }}
 
       - name: Build project
@@ -133,7 +147,7 @@ jobs:
       - name: Prepare project
         run: |
           cmake -B build -S . \
-                -DCMAKE_BUILD_TYPE=Release \
+                -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
                 -DCPACK_GENERATOR=TGZ \
                 -DBUILD_BPF=Off -DBUILD_DRIVER=Off \
                 -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco -DFALCO_VERSION=${{ inputs.version }}
@@ -184,7 +198,7 @@ jobs:
             -DBUILD_BPF=Off \
             -DBUILD_DRIVER=Off \
             -DBUILD_LIBSCAP_MODERN_BPF=OFF \
-            -DCMAKE_BUILD_TYPE=Release \
+            -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
             -DUSE_BUNDLED_DEPS=On \
             -DFALCO_ETC_DIR=/etc/falco \
             -DBUILD_FALCO_UNIT_TESTS=On \
@@ -224,15 +238,15 @@ jobs:
       # NOTE: Backslash doesn't work as line continuation on Windows.
       - name: Prepare project
         run: |
-          cmake -B build -S . -DCMAKE_BUILD_TYPE=Release -DMINIMAL_BUILD=On -DUSE_BUNDLED_DEPS=On -DBUILD_FALCO_UNIT_TESTS=On -DFALCO_VERSION=${{ inputs.version }}
+          cmake -B build -S . -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} -DMINIMAL_BUILD=On -DUSE_BUNDLED_DEPS=On -DBUILD_FALCO_UNIT_TESTS=On -DFALCO_VERSION=${{ inputs.version }}
 
       - name: Build project
         run: |
-          cmake --build build --target package --config Release
+          cmake --build build --target package --config ${{ inputs.build_type }}
 
       - name: Run unit Tests
         run: |
-          build/unit_tests/Release/falco_unit_tests.exe
+          build/unit_tests/${{ inputs.build_type }}/falco_unit_tests.exe
 
       - name: Upload Falco win32 installer
         uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
@@ -245,7 +259,7 @@ jobs:
         with:
           name: falco-${{ inputs.version }}-win32.exe
           path: |
-            ${{ github.workspace }}/build/userspace/falco/Release/falco.exe
+            ${{ github.workspace }}/build/userspace/falco/${{ inputs.build_type }}/falco.exe
 
   build-macos-package:
     if: ${{ inputs.arch == 'x86_64' }}

diff --git a/.github/workflows/reusable_test_packages.yaml b/.github/workflows/reusable_test_packages.yaml
@@ -39,6 +39,12 @@ jobs:
         run: |
           sudo apt update -y
           sudo apt install -y --no-install-recommends linux-headers-$(uname -r)
+
+      # Some builds use sanitizers, we always install support for them so they can run
+      - name: Install sanitizer support
+        run: |
+          sudo apt update -y
+          sudo apt install -y libasan5 libubsan1
           
       - name: Run tests
         uses: falcosecurity/testing@main