2 # SPDX-License-Identifier: LGPL-2.1-or-later
5 if [ -n "$SANITIZERS" ]; then
# Locate the ASAN runtime the systemd binary was linked against: take the third
# whitespace-separated field (the resolved library path) of every ldd line that
# mentions libasan.so. The value is written verbatim into LD_PRELOAD= in the
# generated system.conf.d drop-in further down.
# NOTE(review): nothing checks for an empty result — if ldd lists no libasan.so
# (runtime not a separate shared object, or a differently named runtime), the
# drop-in silently ends up with an empty LD_PRELOAD=. Confirm that is intended
# for the toolchains this image is built with.
LD_PRELOAD=$(ldd /usr/lib/systemd/systemd | awk '/libasan.so/ { print $3 }')
8 mkdir
-p /etc
/systemd
/system.conf.d
10 cat >/etc
/systemd
/system.conf.d
/10-asan.conf
<<EOF
12 ManagerEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
13 UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
14 LD_PRELOAD=$LD_PRELOAD
15 DefaultEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
16 UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
17 LD_PRELOAD=$LD_PRELOAD
# ASAN writes its reports to stderr, but journald's stderr is connected to /dev/null, so the reports
# would be lost. The drop-in below points journald's stdout at the console (presumably stderr follows
# it via the default StandardError=inherit — confirm) so sanitizer failures show up directly on the
# user's console.
23 mkdir
-p /etc
/systemd
/system
/systemd-journald.service.d
24 cat >/etc
/systemd
/system
/systemd-journald.service.d
/10-stdout-tty.conf
<<EOF
# Both systemd and util-linux's login call vhangup() on /dev/console, which disconnects every process
# that has it open, so systemd-journald cannot log to /dev/console even with `StandardOutput=tty`. As a
# workaround the console-getty drop-in below disables systemd's own vhangup() and removes
# CAP_SYS_TTY_CONFIG from console-getty's bounding set so login cannot call vhangup() either; journald's
# ASAN output then stays on the console. This also gives up the session isolation vhangup() provides
# (stale holders of /dev/console are no longer detached), which is acceptable only in a test image.
34 mkdir
-p /etc
/systemd
/system
/console-getty.service.d
35 cat >/etc
/systemd
/system
/console-getty.service.d
/10-no-vhangup.conf
<<EOF
38 CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
# ASAN does not work under systemd's syscall filtering, so comment out every directive
# whose name starts with "SystemCall" or "MemoryDeny" (e.g. SystemCallFilter=,
# MemoryDenyWriteExecute=) in every *.service file reachable from /. This removes the
# seccomp/W^X hardening image-wide and is only acceptable in a sanitizer test image.
# Only directives starting in column 0 are matched, and `find /` does not stop at
# filesystem boundaries, so this must only ever run inside the image build.
find / -type f -name '*.service' \
    -exec sed -i -e 's/^\(MemoryDeny\|SystemCall\)/# \1/' {} +

# Rebuilding the hwdb takes more than 50s in a sanitizer build, so keep the unit
# masked rather than running it by default.
systemctl mask systemd-hwdb-update.service
47 if command -v authselect
>/dev
/null
; then
# authselect 1.5.0 renamed the "minimal" profile to "local" without keeping a compatibility alias,
# so prefer the new name whenever it exists.
50 if [ -d /usr
/share
/authselect
/default
/local ]; then
56 authselect
select "$PROFILE"
58 if authselect list-features
"$PROFILE" |
grep -q "with-homed"; then
59 authselect enable-feature with-homed
# tmpfiles.d/systemd-resolve.conf is responsible for creating the /etc/resolv.conf symlink.
# The build environment may have mounted its own resolv.conf over the image's, so drop that
# mount first; the rm then acts on the image's own file rather than on the mounted-over one.
if mountpoint -q /etc/resolv.conf; then
    umount /etc/resolv.conf
fi
rm -f /etc/resolv.conf
# sbsign is not available on CentOS Stream, so the signed/unsigned addon fixture below is skipped
# entirely there. NOTE(review): `&>/dev/null` is a bash-only redirection, unlike the POSIX `>/dev/null`
# used for the authselect check above; if this script ever runs under a plain POSIX sh (the shebang is
# not visible here) it would background the command and the test would always succeed.
69 if command -v sbsign
&>/dev
/null
; then
# Fixture for the addon signature check: good.addon.efi is signed with mkosi.key/mkosi.crt and must be
# applied at boot (its cmdline marker "this_should_be_here" should then be present), while
# bad.addon.efi is unsigned and must be ignored ("this_should_not_be_here" must not appear). The
# verification itself happens at boot, not in this script. mkosi.key and mkosi.crt are relative paths
# and are resolved against the current working directory.
71 addons_dir
=/efi
/loader
/addons
72 mkdir
-p "$addons_dir"
73 ukify build
--secureboot-private-key mkosi.key
--secureboot-certificate mkosi.crt
--cmdline this_should_be_here
-o "$addons_dir/good.addon.efi"
74 ukify build
--cmdline this_should_not_be_here
-o "$addons_dir/bad.addon.efi"