mkosi.images/base/mkosi.postinst.chroot

   1 #!/bin/bash
   2 # SPDX-License-Identifier: LGPL-2.1-or-later
   3 set -e
   4
   5 if [ -n "$SANITIZERS" ]; then
   6     LD_PRELOAD=$(ldd /usr/lib/systemd/systemd | grep libasan.so | awk '{print $3}')
   7
   8     mkdir -p /etc/systemd/system.conf.d
   9
  10     cat >/etc/systemd/system.conf.d/10-asan.conf <<EOF
  11 [Manager]
  12 ManagerEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
  13                    UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
  14                    LD_PRELOAD=$LD_PRELOAD
  15 DefaultEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
  16                    UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
  17                    LD_PRELOAD=$LD_PRELOAD
  18 EOF
  19
  20     # ASAN logs to stderr by default. However, journald's stderr is connected to /dev/null, so we lose
  21     # all the ASAN logs. To rectify that, let's connect journald's stdout to the console so that any
  22     # sanitizer failures appear directly on the user's console.
  23     mkdir -p /etc/systemd/system/systemd-journald.service.d
  24     cat >/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf <<EOF
  25 [Service]
  26 StandardOutput=tty
  27 EOF
  28
  29     # Both systemd and util-linux's login call vhangup() on /dev/console which disconnects all users.
  30     # This means systemd-journald can't log to /dev/console even if we configure `StandardOutput=tty`. As
  31     # a workaround, we modify console-getty.service to disable systemd's vhangup() and disallow login
  32     # from calling vhangup() so that journald's ASAN logs correctly end up in the console.
  33
  34     mkdir -p /etc/systemd/system/console-getty.service.d
  35     cat >/etc/systemd/system/console-getty.service.d/10-no-vhangup.conf <<EOF
  36 [Service]
  37 TTYVHangup=no
  38 CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
  39 EOF
  40     # ASAN and syscall filters aren't compatible with each other.
  41     find / -name '*.service' -type f -exec sed -i 's/^\(MemoryDeny\|SystemCall\)/# \1/' {} +
  42
  43     # `systemd-hwdb update` takes > 50s when built with sanitizers so let's not run it by default.
  44     systemctl mask systemd-hwdb-update.service
  45 fi
  46
  47 if command -v authselect >/dev/null; then
  48     # authselect 1.5.0 renamed the minimal profile to the local profile without keeping backwards compat so
  49     # let's use the new name if it exists.
  50     if [ -d /usr/share/authselect/default/local ]; then
  51         PROFILE=local
  52     else
  53         PROFILE=minimal
  54     fi
  55
  56     authselect select "$PROFILE"
  57
  58     if authselect list-features "$PROFILE" | grep -q "with-homed"; then
  59         authselect enable-feature with-homed
  60     fi
  61 fi
  62
  63 # Let tmpfiles.d/systemd-resolve.conf handle the symlink. /etc/resolv.conf might be mounted over so undo that
  64 # if that's the case.
  65 mountpoint -q /etc/resolv.conf && umount /etc/resolv.conf
  66 rm -f /etc/resolv.conf
  67
  68 # sbsign is not available on CentOS Stream
  69 if command -v sbsign &>/dev/null; then
  70     # Ensure that side-loaded PE addons are loaded if signed, and ignored if not
  71     addons_dir=/efi/loader/addons
  72     mkdir -p "$addons_dir"
  73     ukify build --secureboot-private-key mkosi.key --secureboot-certificate mkosi.crt --cmdline this_should_be_here -o "$addons_dir/good.addon.efi"
  74     ukify build --cmdline this_should_not_be_here -o "$addons_dir/bad.addon.efi"
  75 fi