From: Victor Julien
Date: Wed, 9 Nov 2022 14:44:26 +0000 (+0200)
Subject: security: disable setrlimit with asan
X-Git-Tag: suricata-7.0.0-rc1~394
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ca6ce935b569bafee5adf88cd77413680a269741;p=thirdparty%2Fsuricata.git

security: disable setrlimit with asan

Various parts of ASAN will require creation of threads. At least LSAN reporting and ASAN stack traces require this. Detect if we run with ASAN and bypass the noproc setting with a warning.

Bug: #5661.
---
diff --git a/src/suricata-common.h b/src/suricata-common.h
index 1e7e316af1..49e82b8a41 100644
--- a/src/suricata-common.h
+++ b/src/suricata-common.h
@@ -36,6 +36,14 @@
 #define _GNU_SOURCE
 #define __USE_GNU
+#if defined(__has_feature)
+#if __has_feature(address_sanitizer)
+#define SC_ADDRESS_SANITIZER 1
+#endif
+#elif defined(__SANITIZE_ADDRESS__)
+#define SC_ADDRESS_SANITIZER 1
+#endif
+
 #if HAVE_CONFIG_H
 #include
 #endif
diff --git a/src/suricata.c b/src/suricata.c
index 8ac0552097..31ba223ed0 100644
--- a/src/suricata.c
+++ b/src/suricata.c
@@ -691,7 +691,6 @@ static void PrintBuildInfo(void)
 const char *tls;
 printf("This is %s version %s\n", PROG_NAME, GetProgramVersion());
-
 #ifdef DEBUG
 strlcat(features, "DEBUG ", sizeof(features));
 #endif
@@ -766,6 +765,9 @@ static void PrintBuildInfo(void)
 strlcat(features, "MAGIC ", sizeof(features));
 #endif
 strlcat(features, "RUST ", sizeof(features));
+#if defined(SC_ADDRESS_SANITIZER)
+ strlcat(features, "ASAN ", sizeof(features));
+#endif
 if (strlen(features) == 0) {
 strlcat(features, "none", sizeof(features));
 }
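Review bot: In the src/suricata-common.h hunk, the `#elif defined(__SANITIZE_ADDRESS__)` fallback is only evaluated when `__has_feature` is not defined at all, so a toolchain that defines `__has_feature` without recognising `address_sanitizer` would leave `SC_ADDRESS_SANITIZER` unset even though `__SANITIZE_ADDRESS__` is present. Testing the two conditions independently (the `__SANITIZE_ADDRESS__` check first, then the `__has_feature` check inside its own `#if defined(__has_feature)` block) removes that dependency on ordering. Separately, the commit message names LSAN reporting as a reason, but only AddressSanitizer is detected here; if standalone leak-sanitizer builds are in use, they would presumably still get the process limit applied. A one-line comment such as `/* set when built with -fsanitize=address (clang __has_feature or GCC __SANITIZE_ADDRESS__) */` would document the macro for readers of this header.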
@@ -2913,8 +2915,17 @@ int SuricataMain(int argc, char **argv)
 if (ConfGetBool("security.limit-noproc", &limit_nproc) == 0) {
 limit_nproc = 0;
 }
+
+#if defined(SC_ADDRESS_SANITIZER)
 if (limit_nproc) {
-#ifdef HAVE_SYS_RESOURCE_H
+ SCLogWarning(SC_ERR_SYSCONF,
+ "\"security.limit-noproc\" (setrlimit()) not set when using address sanitizer");
+ limit_nproc = 0;
+ }
+#endif
+
+ if (limit_nproc) {
+#if defined(HAVE_SYS_RESOURCE_H)
 #ifdef linux
 if (geteuid() == 0) {
 SCLogWarning(SC_ERR_SYSCONF, "setrlimit has no effet when running as root.");
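Review bot: The new `#if defined(SC_ADDRESS_SANITIZER)` block in SuricataMain clears `limit_nproc` even though the operator enabled `security.limit-noproc`, and the reason for overriding a hardening setting is recorded only in the commit message. A comment above the block such as `/* ASAN/LSAN create threads for leak reports and stack traces, which the process limit would block, so skip it in sanitizer builds */` would keep that rationale next to the code. The warning could also state the consequence more directly, namely that the process-creation limit is disabled for this run, so a sanitizer build that reaches a hardened deployment by mistake stands out in the logs. SuricataMain continues outside the hunk, so the setrlimit() call that consumes `limit_nproc` is not visible here.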