new(build): enable ASan and UBSan builds with options and in CI

.github/workflows/ci.yml

@@ -22,13 +22,17 @@ jobs:
     with:
       arch: x86_64
       version: ${{ needs.fetch-version.outputs.version }}
+      build_type: Debug
+      sanitizers: true
 
   build-dev-packages-arm64:
     needs: [fetch-version]
     uses: ./.github/workflows/reusable_build_packages.yaml
     with:
       arch: aarch64
       version: ${{ needs.fetch-version.outputs.version }}
+      build_type: Debug
+      sanitizers: true
 
   test-dev-packages:
     needs: [fetch-version, build-dev-packages]
@@ -82,6 +86,7 @@ jobs:
       arch: x86_64
       git_ref: ${{ github.event.pull_request.head.sha }}
       minimal: false
+      sanitizers: true
       build_type: Debug
       cmd: "echo $(build/userspace/falco/falco -c ./falco.yaml --version | grep 'Engine:' | awk '{print $2}') $(echo $(build/userspace/falco/falco -c ./falco.yaml --version | grep 'Schema version:' | awk '{print $3}') $(build/userspace/falco/falco -c ./falco.yaml --list --markdown | grep '^`' | sort) $(build/userspace/falco/falco -c ./falco.yaml --list-events | sort) | sha256sum)"
 

.github/workflows/reusable_build_dev.yaml

@@ -14,6 +14,11 @@ on:
         description: Minimal build
         required: true
         type: boolean
+      sanitizers:
+        description: Enable sanitizer support
+        required: false
+        default: false
+        type: boolean
       build_type:
         description: One of 'Debug' or 'Release'
         required: true
@@ -59,6 +64,8 @@ jobs:
             -DBUILD_BPF=${{ inputs.minimal == true && 'OFF' || 'ON' }} \
             -DBUILD_DRIVER=${{ inputs.minimal == true && 'OFF' || 'ON' }} \
             -DMINIMAL_BUILD=${{ inputs.minimal == true && 'ON' || 'OFF' }} \
+            -DUSE_ASAN=${{ inputs.sanitizers == true && 'ON' || 'OFF' }} \
+            -DUSE_UBSAN=${{ inputs.sanitizers == true && 'ON' || 'OFF' }} \
             -DUSE_BUNDLED_DEPS=Off \
             -DUSE_BUNDLED_NLOHMANN_JSON=On \
             -DUSE_BUNDLED_CXXOPTS=On \

.github/workflows/reusable_build_packages.yaml

@@ -10,6 +10,16 @@ on:
         description: The Falco version to use when building packages
         required: true
         type: string
+      build_type:
+        description: The build type
+        required: false
+        type: string
+        default: 'Release'
+      sanitizers:
+        description: enable sanitizer support
+        required: false
+        type: boolean
+        default: false
 
 jobs:
   build-modern-bpf-skeleton:
@@ -50,7 +60,7 @@ jobs:
           yum -y install centos-release-scl
           yum -y install devtoolset-9-gcc devtoolset-9-gcc-c++
           source /opt/rh/devtoolset-9/enable
-          yum install -y wget git make m4 rpm-build elfutils-libelf-devel perl-IPC-Cmd
+          yum install -y wget git make m4 rpm-build elfutils-libelf-devel perl-IPC-Cmd devtoolset-9-libasan-devel devtoolset-9-libubsan-devel
 
       - name: Checkout
         # It is not possible to upgrade the checkout action to versions >= v4.0.0 because of incompatibilities with centos 7's libc.
@@ -71,13 +81,14 @@ jobs:
         run: |
           source /opt/rh/devtoolset-9/enable
           cmake -B build -S . \
-              -DCMAKE_BUILD_TYPE=Release \
+              -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
               -DUSE_BUNDLED_DEPS=On \
               -DFALCO_ETC_DIR=/etc/falco \
               -DBUILD_FALCO_MODERN_BPF=ON \
               -DMODERN_BPF_SKEL_DIR=/tmp \
               -DBUILD_DRIVER=Off \
               -DBUILD_BPF=Off \
+              -DUSE_ASAN=${{ (inputs.sanitizers == true && inputs.arch == 'x86_64' && 'ON') || 'OFF' }} \
               -DFALCO_VERSION=${{ inputs.version }}
 
       - name: Build project
@@ -133,7 +144,7 @@ jobs:
       - name: Prepare project
         run: |
           cmake -B build -S . \
-                -DCMAKE_BUILD_TYPE=Release \
+                -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
                 -DCPACK_GENERATOR=TGZ \
                 -DBUILD_BPF=Off -DBUILD_DRIVER=Off \
                 -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco -DFALCO_VERSION=${{ inputs.version }}
@@ -184,7 +195,7 @@ jobs:
             -DBUILD_BPF=Off \
             -DBUILD_DRIVER=Off \
             -DBUILD_LIBSCAP_MODERN_BPF=OFF \
-            -DCMAKE_BUILD_TYPE=Release \
+            -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
             -DUSE_BUNDLED_DEPS=On \
             -DFALCO_ETC_DIR=/etc/falco \
             -DBUILD_FALCO_UNIT_TESTS=On \
@@ -224,15 +235,15 @@ jobs:
       # NOTE: Backslash doesn't work as line continuation on Windows.
       - name: Prepare project
         run: |
-          cmake -B build -S . -DCMAKE_BUILD_TYPE=Release -DMINIMAL_BUILD=On -DUSE_BUNDLED_DEPS=On -DBUILD_FALCO_UNIT_TESTS=On -DFALCO_VERSION=${{ inputs.version }}
+          cmake -B build -S . -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} -DMINIMAL_BUILD=On -DUSE_BUNDLED_DEPS=On -DBUILD_FALCO_UNIT_TESTS=On -DFALCO_VERSION=${{ inputs.version }}
 
       - name: Build project
         run: |
-          cmake --build build --target package --config Release
+          cmake --build build --target package --config ${{ inputs.build_type }}
 
       - name: Run unit Tests
         run: |
-          build/unit_tests/Release/falco_unit_tests.exe
+          build/unit_tests/${{ inputs.build_type }}/falco_unit_tests.exe
 
       - name: Upload Falco win32 installer
         uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
@@ -245,7 +256,7 @@ jobs:
         with:
           name: falco-${{ inputs.version }}-win32.exe
           path: |
-            ${{ github.workspace }}/build/userspace/falco/Release/falco.exe
+            ${{ github.workspace }}/build/userspace/falco/${{ inputs.build_type }}/falco.exe
 
   build-macos-package:
     if: ${{ inputs.arch == 'x86_64' }}

.github/workflows/reusable_test_packages.yaml

@@ -39,6 +39,12 @@ jobs:
         run: |
           sudo apt update -y
           sudo apt install -y --no-install-recommends linux-headers-$(uname -r)
+
+      # Some builds use sanitizers, we always install support for them so they can run
+      - name: Install sanitizer support
+        run: |
+          sudo apt update -y
+          sudo apt install -y libasan5 libubsan1
 
       - name: Run tests
         uses: falcosecurity/testing@main    

CMakeLists.txt

@@ -21,6 +21,9 @@ option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags" OFF
 option(MINIMAL_BUILD "Build a minimal version of Falco, containing only the engine and basic input/output (EXPERIMENTAL)" OFF)
 option(MUSL_OPTIMIZED_BUILD "Enable if you want a musl optimized build" OFF)
 option(BUILD_FALCO_UNIT_TESTS "Build falco unit tests" OFF)
+option(USE_ASAN "Build with AddressSanitizer" OFF)
+option(USE_UBSAN "Build with UndefinedBehaviorSanitizer" OFF)
+option(UBSAN_HALT_ON_ERROR "Halt on error when building with UBSan" ON)
 
 if(WIN32)
   if(POLICY CMP0091)

cmake/modules/CompilerFlags.cmake

@@ -53,6 +53,17 @@ if(NOT MSVC)
 		set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -D_FORTIFY_SOURCE=2")
 	endif()
 
+	if(USE_ASAN)
+		set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -fsanitize=address")
+	endif()
+
+	if(USE_UBSAN)
+		set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -fsanitize=undefined")
+		if(UBSAN_HALT_ON_ERROR)
+			set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -fno-sanitize-recover=undefined")
+		endif()
+	endif()
+
 	set(CMAKE_COMMON_FLAGS "${FALCO_SECURITY_FLAGS} -Wall -ggdb ${FALCO_EXTRA_FEATURE_FLAGS} ${MINIMAL_BUILD_FLAGS} ${MUSL_FLAGS}")
 
 	if(BUILD_WARNINGS_AS_ERRORS)

unit_tests/falco/app/actions/test_configure_interesting_sets.cpp

@@ -108,6 +108,7 @@ TEST_F(test_falco_engine, preconditions_postconditions)
 
 	s1.engine = nullptr;
 	s1.config = std::make_shared<falco_configuration>();
+	s1.options.all_events = false;
 	auto result = falco::app::actions::configure_interesting_sets(s1);
 	ASSERT_FALSE(result.success);
 	ASSERT_NE(result.errstr, "");