diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6f482d4512d..67a07f27e34 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -22,6 +22,8 @@ jobs:
 with:
 arch: x86_64
 version: ${{ needs.fetch-version.outputs.version }}
+ build_type: Debug
+ sanitizers: true
 
 build-dev-packages-arm64:
 needs: [fetch-version]
@@ -29,6 +31,8 @@ jobs:
 with:
 arch: aarch64
 version: ${{ needs.fetch-version.outputs.version }}
+ build_type: Debug
+ sanitizers: true
 
 test-dev-packages:
 needs: [fetch-version, build-dev-packages]
@@ -82,6 +86,7 @@ jobs:
 arch: x86_64
 git_ref: ${{ github.event.pull_request.head.sha }}
 minimal: false
+ sanitizers: true
 build_type: Debug
 cmd: "echo $(build/userspace/falco/falco -c ./falco.yaml --version | grep 'Engine:' | awk '{print $2}') $(echo $(build/userspace/falco/falco -c ./falco.yaml --version | grep 'Schema version:' | awk '{print $3}') $(build/userspace/falco/falco -c ./falco.yaml --list --markdown | grep '^`' | sort) $(build/userspace/falco/falco -c ./falco.yaml --list-events | sort) | sha256sum)"
 
diff --git a/.github/workflows/reusable_build_dev.yaml b/.github/workflows/reusable_build_dev.yaml
index 0586b87dbf1..6f7c6793936 100644
--- a/.github/workflows/reusable_build_dev.yaml
+++ b/.github/workflows/reusable_build_dev.yaml
@@ -14,6 +14,11 @@ on:
 description: Minimal build
 required: true
 type: boolean
+ sanitizers:
+ description: Enable sanitizer support
+ required: false
+ default: false
+ type: boolean
 build_type:
 description: One of 'Debug' or 'Release'
 required: true
@@ -59,6 +64,8 @@ jobs:
 -DBUILD_BPF=${{ inputs.minimal == true && 'OFF' || 'ON' }} \
 -DBUILD_DRIVER=${{ inputs.minimal == true && 'OFF' || 'ON' }} \
 -DMINIMAL_BUILD=${{ inputs.minimal == true && 'ON' || 'OFF' }} \
+ -DUSE_ASAN=${{ inputs.sanitizers == true && 'ON' || 'OFF' }} \
+ -DUSE_UBSAN=${{ inputs.sanitizers == true && 'ON' || 'OFF' }} \
 -DUSE_BUNDLED_DEPS=Off \
 -DUSE_BUNDLED_NLOHMANN_JSON=On \
 -DUSE_BUNDLED_CXXOPTS=On \
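Review bot: `sanitizers: true` on the aarch64 dev-package job has no effect, because reusable_build_packages.yaml in this same change only passes `-DUSE_ASAN=ON` when `inputs.arch == 'x86_64'` and never passes `USE_UBSAN` at all, so the arm64 package is built exactly as before while the caller reads as if it were instrumented. Either drop the line from this job or annotate it, e.g. `sanitizers: true  # no-op for aarch64 today: reusable_build_packages.yaml only honours this on x86_64`, so nobody later assumes arm64 is covered by the sanitizer run. The job definitions themselves start outside the hunk.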
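Review bot: Now that `sanitizers: true` applies to this job, a sanitizer abort inside any of the `falco` invocations in `cmd` is not surfaced as a failure: every call sits in a `$(...)` substitution feeding `echo ... | sha256sum`, so its exit status is discarded and the step succeeds with a different hash, which downstream looks like an unexplained mismatch rather than an ASan/UBSan report. Assuming `cmd` is run by a shell as written, run the binary once outside a substitution so its status counts, e.g. prefix the string with `build/userspace/falco/falco -c ./falco.yaml --version >/dev/null && ` or make that a separate step. The `with:` block of this job begins before the hunk.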
diff --git a/.github/workflows/reusable_build_packages.yaml b/.github/workflows/reusable_build_packages.yaml
index e88165a17c8..1b3b409a80d 100644
--- a/.github/workflows/reusable_build_packages.yaml
+++ b/.github/workflows/reusable_build_packages.yaml
@@ -10,6 +10,16 @@ on:
 description: The Falco version to use when building packages
 required: true
 type: string
+ build_type:
+ description: The build type
+ required: false
+ type: string
+ default: 'Release'
+ sanitizers:
+ description: enable sanitizer support
+ required: false
+ type: boolean
+ default: false
 
 jobs:
 build-modern-bpf-skeleton:
@@ -50,7 +60,7 @@ jobs:
 yum -y install centos-release-scl
 yum -y install devtoolset-9-gcc devtoolset-9-gcc-c++
 source /opt/rh/devtoolset-9/enable
- yum install -y wget git make m4 rpm-build elfutils-libelf-devel perl-IPC-Cmd
+ yum install -y wget git make m4 rpm-build elfutils-libelf-devel perl-IPC-Cmd devtoolset-9-libasan-devel devtoolset-9-libubsan-devel
 
 - name: Checkout
 # It is not possible to upgrade the checkout action to versions >= v4.0.0 because of incompatibilities with centos 7's libc.
@@ -71,13 +81,14 @@ jobs:
 run: |
 source /opt/rh/devtoolset-9/enable
 cmake -B build -S . \
- -DCMAKE_BUILD_TYPE=Release \
+ -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
 -DUSE_BUNDLED_DEPS=On \
 -DFALCO_ETC_DIR=/etc/falco \
 -DBUILD_FALCO_MODERN_BPF=ON \
 -DMODERN_BPF_SKEL_DIR=/tmp \
 -DBUILD_DRIVER=Off \
 -DBUILD_BPF=Off \
+ -DUSE_ASAN=${{ (inputs.sanitizers == true && inputs.arch == 'x86_64' && 'ON') || 'OFF' }} \
 -DFALCO_VERSION=${{ inputs.version }}
 
 - name: Build project
@@ -133,7 +144,7 @@ jobs:
 - name: Prepare project
 run: |
 cmake -B build -S . \
- -DCMAKE_BUILD_TYPE=Release \
+ -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
 -DCPACK_GENERATOR=TGZ \
 -DBUILD_BPF=Off -DBUILD_DRIVER=Off \
 -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco -DFALCO_VERSION=${{ inputs.version }}
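Review bot: `build_type` is a free-form `type: string` that this workflow then expands verbatim into every `run:` script (`-DCMAKE_BUILD_TYPE=${{ inputs.build_type }}`, `--config ${{ inputs.build_type }}`, the unit-test and artifact paths), with nothing restricting it to the two values CMake and the multi-config Windows build directories actually support. `workflow_call` inputs have no `choice` type and the callers in ci.yml are in-repo today, but a typo or a future caller passing anything else silently yields an unknown configuration and a missing `build/unit_tests/<x>/` path instead of a clear error, and interpolating the raw value into shell is the classic expression-injection shape. A first job that rejects anything but `Debug`/`Release`, reading the value through `env` rather than splicing it into the script, closes both gaps; the `on:`/`inputs:` mapping starts before the hunk.
```yaml
jobs:
  validate-inputs:
    runs-on: ubuntu-latest
    steps:
      - name: Check build_type
        env:
          BUILD_TYPE: ${{ inputs.build_type }}
        run: |
          case "$BUILD_TYPE" in
            Debug|Release) ;;
            *) echo "unsupported build_type: $BUILD_TYPE" >&2; exit 1 ;;
          esac
  # … unchanged: build-modern-bpf-skeleton and the remaining jobs (each gains `needs: [validate-inputs]`) …
```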
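Review bot: This cmake invocation turns on ASan only, yet the previous hunk installs `devtoolset-9-libubsan-devel` too and reusable_build_dev.yaml drives both `USE_ASAN` and `USE_UBSAN` from the same `sanitizers` input, so either the libubsan package is dead weight or a line `-DUSE_UBSAN=${{ (inputs.sanitizers == true && inputs.arch == 'x86_64' && 'ON') || 'OFF' }} \` is missing here. The x86_64-only condition is also unexplained in the file; if the reason is that the devtoolset-9 sanitizer runtimes are not available for aarch64 on CentOS 7, say so above the flag, e.g. `# sanitizers are limited to x86_64: the devtoolset-9 libasan/libubsan runtimes are only available there`. Separately, an ASan-instrumented RPM/DEB produced here depends on libasan.so.5 at runtime and should never be the artifact that gets published; from this hunk alone I cannot tell whether this job's output is test-only, so that guarantee deserves a comment too. The step and job containing this command begin before the hunk.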
@@ -184,7 +195,7 @@ jobs:
 -DBUILD_BPF=Off \
 -DBUILD_DRIVER=Off \
 -DBUILD_LIBSCAP_MODERN_BPF=OFF \
- -DCMAKE_BUILD_TYPE=Release \
+ -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
 -DUSE_BUNDLED_DEPS=On \
 -DFALCO_ETC_DIR=/etc/falco \
 -DBUILD_FALCO_UNIT_TESTS=On \
@@ -224,15 +235,15 @@ jobs:
 # NOTE: Backslash doesn't work as line continuation on Windows.
 - name: Prepare project
 run: |
- cmake -B build -S . -DCMAKE_BUILD_TYPE=Release -DMINIMAL_BUILD=On -DUSE_BUNDLED_DEPS=On -DBUILD_FALCO_UNIT_TESTS=On -DFALCO_VERSION=${{ inputs.version }}
+ cmake -B build -S . -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} -DMINIMAL_BUILD=On -DUSE_BUNDLED_DEPS=On -DBUILD_FALCO_UNIT_TESTS=On -DFALCO_VERSION=${{ inputs.version }}
 
 - name: Build project
 run: |
- cmake --build build --target package --config Release
+ cmake --build build --target package --config ${{ inputs.build_type }}
 
 - name: Run unit Tests
 run: |
- build/unit_tests/Release/falco_unit_tests.exe
+ build/unit_tests/${{ inputs.build_type }}/falco_unit_tests.exe
 
 - name: Upload Falco win32 installer
 uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
@@ -245,7 +256,7 @@ jobs:
 with:
 name: falco-${{ inputs.version }}-win32.exe
 path: |
- ${{ github.workspace }}/build/userspace/falco/Release/falco.exe
+ ${{ github.workspace }}/build/userspace/falco/${{ inputs.build_type }}/falco.exe
 
 build-macos-package:
 if: ${{ inputs.arch == 'x86_64' }}
diff --git a/.github/workflows/reusable_test_packages.yaml b/.github/workflows/reusable_test_packages.yaml
index b4ef688c1f7..82a2ba22bba 100644
--- a/.github/workflows/reusable_test_packages.yaml
+++ b/.github/workflows/reusable_test_packages.yaml
@@ -39,6 +39,12 @@ jobs:
 run: |
 sudo apt update -y
 sudo apt install -y --no-install-recommends linux-headers-$(uname -r)
+
+ # Some builds use sanitizers, we always install support for them so they can run
+ - name: Install sanitizer support
+ run: |
+ sudo apt update -y
+ sudo apt install -y libasan5 libubsan1
 
 - name: Run tests
 uses: falcosecurity/testing@main
diff --git a/CMakeLists.txt b/CMakeLists.txt
index a03992ca4fe..8f5768b3de3 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -21,6 +21,9 @@ option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags" OFF
 option(MINIMAL_BUILD "Build a minimal version of Falco, containing only the engine and basic input/output (EXPERIMENTAL)" OFF)
 option(MUSL_OPTIMIZED_BUILD "Enable if you want a musl optimized build" OFF)
 option(BUILD_FALCO_UNIT_TESTS "Build falco unit tests" OFF)
+option(USE_ASAN "Build with AddressSanitizer" OFF)
+option(USE_UBSAN "Build with UndefinedBehaviorSanitizer" OFF)
+option(UBSAN_HALT_ON_ERROR "Halt on error when building with UBSan" ON)
 
 if(WIN32)
 if(POLICY CMP0091)
diff --git a/cmake/modules/CompilerFlags.cmake b/cmake/modules/CompilerFlags.cmake
index c0993bd155b..08c2374238f 100644
--- a/cmake/modules/CompilerFlags.cmake
+++ b/cmake/modules/CompilerFlags.cmake
@@ -53,6 +53,17 @@ if(NOT MSVC)
 set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -D_FORTIFY_SOURCE=2")
 endif()
 
+ if(USE_ASAN)
+ set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -fsanitize=address")
+ endif()
+
+ if(USE_UBSAN)
+ set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -fsanitize=undefined")
+ if(UBSAN_HALT_ON_ERROR)
+ set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -fno-sanitize-recover=undefined")
+ endif()
+ endif()
+
 set(CMAKE_COMMON_FLAGS "${FALCO_SECURITY_FLAGS} -Wall -ggdb ${FALCO_EXTRA_FEATURE_FLAGS} ${MINIMAL_BUILD_FLAGS} ${MUSL_FLAGS}")
 
 if(BUILD_WARNINGS_AS_ERRORS)
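Review bot: `libasan5`/`libubsan1` are the GCC 9 runtime sonames; they happen to match the devtoolset-9 toolchain in reusable_build_packages.yaml, but nothing records that coupling, and a package built by a newer compiler (the reusable_build_dev toolchain is not visible in this diff) would need libasan6/libasan8 and fail at load time with a dynamic-linker error rather than a readable message. Add a comment above the install line, e.g. `# libasan5/libubsan1 are the GCC 9 runtimes; keep in sync with devtoolset-9 in reusable_build_packages.yaml`, and consider failing fast with `ldd` on the installed binary before the test run. The second `sudo apt update -y` is redundant since the previous step already refreshed the index. The step list starts before the hunk.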
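Review bot: The three new options read as though they work on every toolchain, but as far as this diff shows CompilerFlags.cmake only consumes them inside `if(NOT MSVC)`, so `-DUSE_ASAN=ON` on an MSVC build is a silent no-op even though MSVC has its own `/fsanitize=address`, and CI could believe a build is sanitized when it is not. Either state the limit in the description, e.g. `option(USE_ASAN "Build with AddressSanitizer (GCC/Clang only; ignored under MSVC)" OFF)`, or emit `message(WARNING ...)` when an option is set on a toolchain that does not honour it. The option list continues outside the hunk.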
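Review bot: `-fsanitize=address` is appended to the same `FALCO_SECURITY_FLAGS` that, whenever the condition closing just above the hunk holds, already carries `-D_FORTIFY_SOURCE=2`, and the sanitizer projects document those two as not to be combined: the fortified `__*_chk` entry points take a different path from the plain libc calls ASan intercepts, so overflows through them can be missed or misreported, which defeats the purpose of the CI run. ASan also wants `-fno-omit-frame-pointer` for trustworthy stack traces, and nothing in the hunk adds it. Suggested: `set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -fsanitize=address -fno-omit-frame-pointer -U_FORTIFY_SOURCE")`, where the trailing `-U` wins because GCC and Clang process `-D`/`-U` in command-line order and it also neutralises distro compiler defaults that turn FORTIFY on implicitly. Because the whole block sits under `if(NOT MSVC)`, both options are silently ignored on MSVC builds.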
diff --git a/unit_tests/falco/app/actions/test_configure_interesting_sets.cpp b/unit_tests/falco/app/actions/test_configure_interesting_sets.cpp
index 17e751af7d7..1819fd1b1ad 100644
--- a/unit_tests/falco/app/actions/test_configure_interesting_sets.cpp
+++ b/unit_tests/falco/app/actions/test_configure_interesting_sets.cpp
@@ -108,6 +108,7 @@ TEST_F(test_falco_engine, preconditions_postconditions)
 s1.engine = nullptr;
 s1.config = std::make_shared();
+ s1.options.all_events = false;
 
 auto result = falco::app::actions::configure_interesting_sets(s1);
 ASSERT_FALSE(result.success);
 ASSERT_NE(result.errstr, "");
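Review bot: Setting `s1.options.all_events` in this one test papers over what is presumably an indeterminate-member read that the new sanitizer runs flagged inside `configure_interesting_sets` (UBSan's bool check trips on exactly this); every other construction of that options object, which is not visible here, still starts with an uninitialised `all_events`. The durable fix is a default member initialiser on the struct itself, `bool all_events = false;`, after which this line becomes redundant; if such a default already exists, a one-line comment explaining why the test must set it explicitly would stop the next reader from removing it. The `TEST_F` body begins before the hunk.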