mirror of https://github.com/sudo-project/sudo.git synced 2025-08-29 05:17:54 +00:00

Enable address and undefined behavior sanitizers in CI builds.

We need to disable leak sanitizer during "make check" because it
uses ptrace which is not allowed for unprivileged containers.
Todd C. Miller 2021-10-05 08:40:00 -06:00
parent 49611d6cca
commit 8508044721
4 changed files with 21 additions and 7 deletions


@ -10,7 +10,7 @@ jobs:
- checkout - checkout
- run: - run:
name: "Building and packaging sudo" name: "Building and packaging sudo"
command: ./scripts/mkpkg --flavor=ldap --enable-warnings --enable-werror command: ./scripts/mkpkg --flavor=ldap --enable-warnings --enable-werror --enable-sanitizer
# Save workspace for subsequent jobs (i.e. test) # Save workspace for subsequent jobs (i.e. test)
- persist_to_workspace: - persist_to_workspace:
root: . root: .
@ -27,6 +27,9 @@ jobs:
- run: - run:
name: "Running tests" name: "Running tests"
command: make check command: make check
environment:
# Leak sanitizer requires ptrace, disable it
ASAN_OPTIONS: detect_leaks=0
# Orchestrate our job run sequence # Orchestrate our job run sequence
workflows: workflows:
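Review bot: Adding `--enable-sanitizer` to the `mkpkg` command in the "Building and packaging sudo" step means the packages this job builds and persists to the workspace contain an ASan/UBSan-instrumented sudo. Sanitizer runtimes take configuration from the environment and are not designed for setuid programs, so these packages should never leave CI; a comment above the command such as `# Sanitizer build for CI testing only; do not publish or install these packages` would make that explicit. Whether the job's output is stored or published anywhere is not visible in this section. In the test step, `detect_leaks=0` turns leak detection off for every `make check` run, so the comment there could state the consequence as well, e.g. `# Leak sanitizer requires ptrace (unavailable here); leaks are not checked in CI`.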


@ -27,3 +27,14 @@ Multi-arch containers are supported by creating a manifest, e.g.:
Finally push the manifest to dockerhub: Finally push the manifest to dockerhub:
podman push sudoproject/debian:latest podman push sudoproject/debian:latest
Note that memory sanitizer uses ptrace which is not allowed for
non-root containers by default. This will cause a failure when
running the tests if sudo is configured with --enable-sanitizer.
The simplest solution is to run the container with the SYS_PTRACE
capability. E.g.
podman run -it --cap-add SYS_PTRACE ...
Alternately, disable leak sanitizer by setting
ASAN_OPTIONS=detect_leaks=0
in the environment of the container doing "make check".


@ -2,7 +2,7 @@ FROM docker.io/library/fedora:latest
ENV TZ=America/Denver ENV TZ=America/Denver
RUN dnf -y install audit-libs-devel cyrus-sasl-devel glibc-devel \ RUN dnf -y install audit-libs-devel cyrus-sasl-devel glibc-devel \
libselinux-devel libsepol-devel openldap-devel openssl-devel pam-devel \ libasan libubsan libselinux-devel libsepol-devel openldap-devel \
python3-devel rpm-build zlib-devel binutils ed gcc gdb git openssh \ openssl-devel pam-devel python3-devel rpm-build zlib-devel binutils \
procps which ed gcc gdb git openssh procps which
RUN useradd -ms /bin/bash build RUN useradd -ms /bin/bash build


@ -2,7 +2,7 @@ FROM docker.io/library/fedora:rawhide
ENV TZ=America/Denver ENV TZ=America/Denver
RUN dnf -y install audit-libs-devel cyrus-sasl-devel glibc-devel \ RUN dnf -y install audit-libs-devel cyrus-sasl-devel glibc-devel \
libselinux-devel libsepol-devel openldap-devel openssl-devel pam-devel \ libasan libubsan libselinux-devel libsepol-devel openldap-devel \
python3-devel rpm-build zlib-devel binutils ed gcc gdb git openssh \ openssl-devel pam-devel python3-devel rpm-build zlib-devel binutils \
procps which ed gcc gdb git openssh procps which
RUN useradd -ms /bin/bash build RUN useradd -ms /bin/bash build