2 # SPDX-License-Identifier: LGPL-2.1-or-later
4 if [ "$1" = "build" ]; then
8 if [ -n "$SANITIZERS" ]; then
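# Resolve the ASan runtime that the installed systemd binary is linked against, so it can be
# preloaded through the ManagerEnvironment=/DefaultEnvironment= lines written to 10-asan.conf below.
# Only an absolute path from ldd's "name => path" column is accepted and only the first match is
# used, so an unresolved ("not found") entry leaves the variable empty instead of a bogus value.
# An empty result still produces an "LD_PRELOAD=" entry in the drop-in.
# NOTE(review): DefaultEnvironment= hands this preload to every service and ManagerEnvironment= to
# the manager itself, so treat an image built with SANITIZERS set as a test image.
# NOTE(review): if LD_PRELOAD is already exported by the caller, this assignment also changes the
# environment of every later command in this script.
LD_PRELOAD=$(ldd /usr/lib/systemd/systemd | awk '/libasan\.so/ && $3 ~ /^\// { print $3; exit }')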
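# Drop-in directory for system.conf overrides; the sanitizer environment drop-in (10-asan.conf)
# is written into it by the next command.
mkdir -p /etc/systemd/system.conf.d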
13 cat >/etc
/systemd
/system.conf.d
/10-asan.conf
<<EOF
15 ManagerEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
16 UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
17 LD_PRELOAD=$LD_PRELOAD
18 DefaultEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
19 UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
20 LD_PRELOAD=$LD_PRELOAD
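# ASAN logs to stderr by default. However, journald's stderr is connected to /dev/null, so we lose
# all the ASAN logs. To rectify that, let's connect journald's stdout to the console so that any
# sanitizer failures appear directly on the user's console.
# NOTE(review): sanitizer reports include addresses and stack traces and become visible to anyone
# who can read the console; acceptable for sanitizer test images, not for general-purpose ones.
mkdir -p /etc/systemd/system/systemd-journald.service.d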
27 cat >/etc
/systemd
/system
/systemd-journald.service.d
/10-stdout-tty.conf
<<EOF
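# Both systemd and util-linux's login call vhangup() on /dev/console which disconnects all users.
# This means systemd-journald can't log to /dev/console even if we configure `StandardOutput=tty`. As
# a workaround, we modify console-getty.service to disable systemd's vhangup() and disallow login
# from calling vhangup() so that journald's ASAN logs correctly end up in the console.
# NOTE(review): vhangup() is what normally revokes earlier processes' access to a terminal before a
# new login session, so this drop-in (which also removes CAP_SYS_TTY_CONFIG from the unit's bounding
# set) weakens console session isolation. Keep it confined to sanitizer builds.
mkdir -p /etc/systemd/system/console-getty.service.d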
38 cat >/etc
/systemd
/system
/console-getty.service.d
/10-no-vhangup.conf
<<EOF
41 CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
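# ASAN and syscall filters aren't compatible with each other, so comment out every directive whose
# name starts with MemoryDeny or SystemCall in all regular *.service files found under /. The match
# is by prefix: besides MemoryDenyWriteExecute= and SystemCallFilter= it also disables e.g.
# SystemCallArchitectures= and SystemCallErrorNumber=. This strips seccomp and W^X hardening from
# every shipped service, so the resulting image must not be used outside sanitizer testing.
# Only files named *.service are edited (-type f skips symlinks); drop-in *.conf files and other
# unit types keep their settings. `\|` in the expression and `-i` rely on GNU sed.
# NOTE(review): presumably still inside the SANITIZERS branch opened above; the closing `fi` is not
# visible in this listing, so confirm.
find / -name '*.service' -type f \
    -exec sed -i 's/^\(MemoryDeny\|SystemCall\)/# \1/' {} +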
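# `systemd-hwdb update` takes > 50s when built with sanitizers so let's not run it by default.
# Masking (rather than disabling) also blocks manual and dependency-triggered starts until the unit
# is unmasked again.
systemctl mask systemd-hwdb-update.service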
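# Make sure dnsmasq.service doesn't start on boot on Debian/Ubuntu.
# Removing the multi-user.target.wants symlink only drops the boot-time start; the unit is not
# masked and can still be started explicitly. -f keeps this silent where the link does not exist.
rm -f /etc/systemd/system/multi-user.target.wants/dnsmasq.service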
53 if [ -n "$IMAGE_ID" ] ; then
57 -e "\$aIMAGE_ID=$IMAGE_ID" \
61 if [ -n "$IMAGE_VERSION" ] ; then
64 -e '/^IMAGE_VERSION=/!p' \
65 -e "\$aIMAGE_VERSION=$IMAGE_VERSION" \