From b01ef55f6b0375fe874a5ee447d1d92c1fed9da3 Mon Sep 17 00:00:00 2001 From: Luca Guerra Date: Mon, 25 Mar 2024 16:34:26 +0000 Subject: [PATCH] new(ci): build with sanitizers in CI Signed-off-by: Luca Guerra --- .github/workflows/ci.yml | 5 ++++ .github/workflows/reusable_build_dev.yaml | 7 +++++ .../workflows/reusable_build_packages.yaml | 27 +++++++++++++------ .github/workflows/reusable_test_packages.yaml | 6 +++++ 4 files changed, 37 insertions(+), 8 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6f482d4512d..67a07f27e34 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -22,6 +22,8 @@ jobs: with: arch: x86_64 version: ${{ needs.fetch-version.outputs.version }} + build_type: Debug + sanitizers: true build-dev-packages-arm64: needs: [fetch-version] @@ -29,6 +31,8 @@ jobs: with: arch: aarch64 version: ${{ needs.fetch-version.outputs.version }} + build_type: Debug + sanitizers: true test-dev-packages: needs: [fetch-version, build-dev-packages] @@ -82,6 +86,7 @@ jobs: arch: x86_64 git_ref: ${{ github.event.pull_request.head.sha }} minimal: false + sanitizers: true build_type: Debug cmd: "echo $(build/userspace/falco/falco -c ./falco.yaml --version | grep 'Engine:' | awk '{print $2}') $(echo $(build/userspace/falco/falco -c ./falco.yaml --version | grep 'Schema version:' | awk '{print $3}') $(build/userspace/falco/falco -c ./falco.yaml --list --markdown | grep '^`' | sort) $(build/userspace/falco/falco -c ./falco.yaml --list-events | sort) | sha256sum)" diff --git a/.github/workflows/reusable_build_dev.yaml b/.github/workflows/reusable_build_dev.yaml index 0586b87dbf1..6f7c6793936 100644 --- a/.github/workflows/reusable_build_dev.yaml +++ b/.github/workflows/reusable_build_dev.yaml 
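Review bot: In the second hunk (`@@ -29,6 +31,8 @@`) the `sanitizers: true` passed for `arch: aarch64` has no effect on the configure step this patch changes, because reusable_build_packages.yaml turns `-DUSE_ASAN` on only when `inputs.arch == 'x86_64'`. The arm64 job therefore produces a plain Debug build while the call site reads as if it were instrumented. Either pass `sanitizers: false` there or add a comment at the call, for example `# ASan is x86_64-only in reusable_build_packages.yaml; aarch64 is Debug without sanitizers`. The first hunk (`@@ -22,6 +22,8 @@`) would benefit from a one-line comment saying that CI dev packages are deliberately Debug and sanitizer-instrumented.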
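Review bot: In the third hunk (`@@ -82,6 +86,7 @@`), `sanitizers: true` is added to a job whose `cmd:` runs falco only inside `$(...)` substitutions piped through `grep`, `awk` and `sort`, so the exit status of each falco invocation is discarded. A sanitizer abort in any of them would not fail the command by itself and would most likely show up only as a different checksum. Sanitizer reports go to stderr by default, so they are not part of the hashed output either. How the result of `cmd` is consumed is outside this hunk. If it is only compared, consider one plain `build/userspace/falco/falco -c ./falco.yaml --version` invocation ahead of the pipeline so a sanitizer failure is reported as a failure.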
@@ -14,6 +14,11 @@ on: description: Minimal build required: true type: boolean + sanitizers: + description: Enable sanitizer support + required: false + default: false + type: boolean build_type: description: One of 'Debug' or 'Release' required: true @@ -59,6 +64,8 @@ jobs: -DBUILD_BPF=${{ inputs.minimal == true && 'OFF' || 'ON' }} \ -DBUILD_DRIVER=${{ inputs.minimal == true && 'OFF' || 'ON' }} \ -DMINIMAL_BUILD=${{ inputs.minimal == true && 'ON' || 'OFF' }} \ + -DUSE_ASAN=${{ inputs.sanitizers == true && 'ON' || 'OFF' }} \ + -DUSE_UBSAN=${{ inputs.sanitizers == true && 'ON' || 'OFF' }} \ -DUSE_BUNDLED_DEPS=Off \ -DUSE_BUNDLED_NLOHMANN_JSON=On \ -DUSE_BUNDLED_CXXOPTS=On \ diff --git a/.github/workflows/reusable_build_packages.yaml b/.github/workflows/reusable_build_packages.yaml index e88165a17c8..1b3b409a80d 100644 --- a/.github/workflows/reusable_build_packages.yaml +++ b/.github/workflows/reusable_build_packages.yaml @@ -10,6 +10,16 @@ on: description: The Falco version to use when building packages required: true type: string + build_type: + description: The build type + required: false + type: string + default: 'Release' + sanitizers: + description: enable sanitizer support + required: false + type: boolean + default: false jobs: build-modern-bpf-skeleton: @@ -50,7 +60,7 @@ jobs: yum -y install centos-release-scl yum -y install devtoolset-9-gcc devtoolset-9-gcc-c++ source /opt/rh/devtoolset-9/enable - yum install -y wget git make m4 rpm-build elfutils-libelf-devel perl-IPC-Cmd + yum install -y wget git make m4 rpm-build elfutils-libelf-devel perl-IPC-Cmd devtoolset-9-libasan-devel devtoolset-9-libubsan-devel - name: Checkout # It is not possible to upgrade the checkout action to versions >= v4.0.0 because of incompatibilities with centos 7's libc. 
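Review bot: In the `@@ -59,6 +64,8 @@` hunk, `-DUSE_UBSAN=ON` on its own may not make undefined behaviour fail CI. UBSan's default for most checks is to print a runtime error and continue, so the process still exits 0 unless the build uses `-fno-sanitize-recover` or the run sets `UBSAN_OPTIONS=halt_on_error=1`. Whether the project's CMake already does this is not visible here, and the configure command continues outside the hunk. If it does not, the steps that execute the instrumented binaries should set `UBSAN_OPTIONS: halt_on_error=1:print_stacktrace=1` in their `env:`.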
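Review bot: In the `@@ -10,6 +10,16 @@` hunk of reusable_build_packages.yaml, `build_type` is a free-form string that later hunks expand with `${{ inputs.build_type }}` directly into `run:` scripts, `--config` and artifact paths. Nothing restricts it to a known CMake configuration. The callers in this patch pass the literal `Debug`, so this is hardening rather than a live problem, but the expansion happens before the shell parses the script, so caller-supplied text becomes script text. Passing it through the step environment keeps it as data: `env: BUILD_TYPE: ${{ inputs.build_type }}` with `-DCMAKE_BUILD_TYPE="$BUILD_TYPE"`. The description should also list the accepted values as reusable_build_dev.yaml does, `description: One of 'Debug' or 'Release'`.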
@@ -71,13 +81,14 @@ jobs: run: | source /opt/rh/devtoolset-9/enable cmake -B build -S . \ - -DCMAKE_BUILD_TYPE=Release \ + -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \ -DUSE_BUNDLED_DEPS=On \ -DFALCO_ETC_DIR=/etc/falco \ -DBUILD_FALCO_MODERN_BPF=ON \ -DMODERN_BPF_SKEL_DIR=/tmp \ -DBUILD_DRIVER=Off \ -DBUILD_BPF=Off \ + -DUSE_ASAN=${{ (inputs.sanitizers == true && inputs.arch == 'x86_64' && 'ON') || 'OFF' }} \ -DFALCO_VERSION=${{ inputs.version }} - name: Build project @@ -133,7 +144,7 @@ jobs: - name: Prepare project run: | cmake -B build -S . \ - -DCMAKE_BUILD_TYPE=Release \ + -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \ -DCPACK_GENERATOR=TGZ \ -DBUILD_BPF=Off -DBUILD_DRIVER=Off \ -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco -DFALCO_VERSION=${{ inputs.version }} @@ -184,7 +195,7 @@ jobs: -DBUILD_BPF=Off \ -DBUILD_DRIVER=Off \ -DBUILD_LIBSCAP_MODERN_BPF=OFF \ - -DCMAKE_BUILD_TYPE=Release \ + -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \ -DUSE_BUNDLED_DEPS=On \ -DFALCO_ETC_DIR=/etc/falco \ -DBUILD_FALCO_UNIT_TESTS=On \ @@ -224,15 +235,15 @@ jobs: # NOTE: Backslash doesn't work as line continuation on Windows. - name: Prepare project run: | - cmake -B build -S . -DCMAKE_BUILD_TYPE=Release -DMINIMAL_BUILD=On -DUSE_BUNDLED_DEPS=On -DBUILD_FALCO_UNIT_TESTS=On -DFALCO_VERSION=${{ inputs.version }} + cmake -B build -S . -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} -DMINIMAL_BUILD=On -DUSE_BUNDLED_DEPS=On -DBUILD_FALCO_UNIT_TESTS=On -DFALCO_VERSION=${{ inputs.version }} - name: Build project run: | - cmake --build build --target package --config Release + cmake --build build --target package --config ${{ inputs.build_type }} - name: Run unit Tests run: | - build/unit_tests/Release/falco_unit_tests.exe + build/unit_tests/${{ inputs.build_type }}/falco_unit_tests.exe - name: Upload Falco win32 installer uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 
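Review bot: In the `@@ -71,13 +81,14 @@` hunk only `-DUSE_ASAN` is added to the configure command, although the same patch installs `devtoolset-9-libubsan-devel` in the builder and `libubsan1` on the test host, and describes the input as "enable sanitizer support". reusable_build_dev.yaml sets both `USE_ASAN` and `USE_UBSAN` from the same input. If UBSan is left out of package builds on purpose, say so in a comment above the flag. Otherwise add `-DUSE_UBSAN=${{ (inputs.sanitizers == true && inputs.arch == 'x86_64' && 'ON') || 'OFF' }} \`. The other configure steps changed in this file (`@@ -133,7 +144,7 @@`, `@@ -184,7 +195,7 @@`, `@@ -224,15 +235,15 @@`) honour `build_type` but ignore `sanitizers`, which the input description should state.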
@@ -245,7 +256,7 @@ jobs: with: name: falco-${{ inputs.version }}-win32.exe path: | - ${{ github.workspace }}/build/userspace/falco/Release/falco.exe + ${{ github.workspace }}/build/userspace/falco/${{ inputs.build_type }}/falco.exe build-macos-package: if: ${{ inputs.arch == 'x86_64' }} diff --git a/.github/workflows/reusable_test_packages.yaml b/.github/workflows/reusable_test_packages.yaml index b4ef688c1f7..82a2ba22bba 100644 --- a/.github/workflows/reusable_test_packages.yaml +++ b/.github/workflows/reusable_test_packages.yaml @@ -39,6 +39,12 @@ jobs: run: | sudo apt update -y sudo apt install -y --no-install-recommends linux-headers-$(uname -r) + + # Some builds use sanitizers, we always install support for them so they can run + - name: Install sanitizer support + run: | + sudo apt update -y + sudo apt install -y libasan5 libubsan1 - name: Run tests uses: falcosecurity/testing@main
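Review bot: In the `@@ -245,7 +256,7 @@` hunk the uploaded artifact keeps the name `falco-${{ inputs.version }}-win32.exe` while its content now depends on `inputs.build_type`. A Debug binary and a Release binary are therefore indistinguishable by artifact name. Whether other workflows pick artifacts up by that name is not visible here, so check the consumers before renaming. If none rely on it, make the build type part of the name, for example `name: falco-${{ inputs.version }}-win32${{ inputs.build_type != 'Release' && '-debug' || '' }}.exe`. Alternatively, have the release workflow reject non-Release inputs.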
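Review bot: In the reusable_test_packages.yaml hunk, `libasan5` and `libubsan1` are tied to the compiler that built the packages without the step saying so. `libasan5` is the ASan runtime that pairs with GCC 8/9, which presumably matches the devtoolset-9 build in reusable_build_packages.yaml, so a toolchain bump there would silently break this install or the instrumented binaries at load time. Replace the comment with one that records the coupling, for example `# Sanitizer runtimes must match the GCC used to build the packages (devtoolset-9 -> libasan5, libubsan1)`. The step also repeats the `sudo apt update -y` from the step just above and drops the `--no-install-recommends` used there; `sudo apt install -y --no-install-recommends libasan5 libubsan1` would be consistent.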