* [PATCH] ci: run the tests under ASan/UBsan on GHActions
@ 2021-11-15 18:58 Evgeny Vereshchagin
  2021-12-20 18:05 ` Christian Göttsche
  2022-01-06 17:06 ` James Carter
  0 siblings, 2 replies; 4+ messages in thread
From: Evgeny Vereshchagin @ 2021-11-15 18:58 UTC (permalink / raw)
  To: selinux; +Cc: cgzones, nicolas.iooss, Evgeny Vereshchagin

It was tested in https://github.com/SELinuxProject/selinux/pull/321 and
https://github.com/SELinuxProject/selinux/pull/320. In the process
it discovered a few issues all of which were fixed in
https://github.com/SELinuxProject/selinux/commit/b98d3c4c53f35cb2ab77dd5b2973591815932620
https://github.com/SELinuxProject/selinux/commit/ea539017fbbc972a8239a7944eaa5ce4960b0903
https://github.com/SELinuxProject/selinux/commit/fe01a91a79574c21712fac2c58af1b54b7f3d46b
https://github.com/SELinuxProject/selinux/commit/f95dbf2c74246f69fbdf0881434567576159e5f6

Now that all the issues are gone it should be safe to turn it on
to make it easier to automatically catch bugs like that almost as soon as
they end up in the repository.

Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>
---
 .github/workflows/run_tests.yml | 42 ++++++++++++++++++++-------------
 libsepol/tests/Makefile         | 10 ++++++--
 2 files changed, 34 insertions(+), 18 deletions(-)

diff --git a/.github/workflows/run_tests.yml b/.github/workflows/run_tests.yml
index ef4be8af..fd3626da 100644
--- a/.github/workflows/run_tests.yml
+++ b/.github/workflows/run_tests.yml
@@ -29,6 +29,9 @@ jobs:
             python-ruby-version: {python: 3.9, ruby: 2.7, other: linker-bfd}
           - compiler: clang
             python-ruby-version: {python: 3.9, ruby: 2.7, other: linker-gold}
+        include:
+          - compiler: gcc
+            python-ruby-version: {python: 3.9, ruby: 2.7, other: sanitizers}
 
     steps:
     - uses: actions/checkout@v2
@@ -88,6 +91,11 @@ jobs:
         elif [ "${{ matrix.python-ruby-version.other }}" = "test-debug" ] ; then
             # Test hat debug build works fine
             EXPLICIT_MAKE_VARS="DEBUG=1"
+        elif [ "${{ matrix.python-ruby-version.other }}" = "sanitizers" ] ; then
+            sanitizers='-fsanitize=address,undefined'
+            EXPLICIT_MAKE_VARS="CFLAGS='-g -I$DESTDIR/usr/include $sanitizers' LDFLAGS='-L$DESTDIR/usr/lib $sanitizers' LDLIBS= CPPFLAGS= OPT_SUBDIRS="
+            echo "ASAN_OPTIONS=strict_string_checks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1" >> $GITHUB_ENV
+            echo "UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1" >> $GITHUB_ENV
         else
             EXPLICIT_MAKE_VARS=
         fi
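Review bot: Failing the job on undefined behaviour depends only on the runtime variable `UBSAN_OPTIONS=halt_on_error=1` that the new `sanitizers` branch writes to `$GITHUB_ENV`. UBSan recovers by default, so an instrumented process started without that variable prints the report and still exits successfully, and the test run stays green. Making the errors fatal at compile time removes that dependency on the environment: `sanitizers='-fsanitize=address,undefined -fno-sanitize-recover=all'`. The enclosing `if` chain starts above the hunk.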
@@ -139,18 +147,18 @@ jobs:
     - name: Run tests
       run: |
         echo "::group::make install"
-        make -j$(nproc) install $EXPLICIT_MAKE_VARS -k
+        eval make -j$(nproc) install $EXPLICIT_MAKE_VARS -k
         echo "::endgroup::"
         echo "::group::make install-pywrap"
-        make -j$(nproc) install-pywrap $EXPLICIT_MAKE_VARS -k
+        eval make -j$(nproc) install-pywrap $EXPLICIT_MAKE_VARS -k
         echo "::endgroup::"
         echo "::group::make install-rubywrap"
-        make -j$(nproc) install-rubywrap $EXPLICIT_MAKE_VARS -k
+        eval make -j$(nproc) install-rubywrap $EXPLICIT_MAKE_VARS -k
         echo "::endgroup::"
 
         # Now that everything is installed, run "make all" to build everything which may have not been built
         echo "::group::make all"
-        make -j$(nproc) all $EXPLICIT_MAKE_VARS -k
+        eval make -j$(nproc) all $EXPLICIT_MAKE_VARS -k
         echo "::endgroup::"
 
         # Set up environment variables for the tests and show variables (to help debugging issues)
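Review bot: `eval make … $EXPLICIT_MAKE_VARS -k` re-parses the whole command line as shell source, so a single quote in the `$DESTDIR` path that the `sanitizers` branch interpolated into `EXPLICIT_MAKE_VARS` would end the quoting early and the remainder would be parsed as shell syntax. The same pattern is repeated in the `make test` and `make clean distclean` hunks below. Confining the re-parse to one place keeps the remaining calls ordinary quoted commands: run `eval "set -- $EXPLICIT_MAKE_VARS"` once at the top of the step and then call `make -j"$(nproc)" install "$@" -k`. The `run:` block continues outside the hunk, and how `EXPLICIT_MAKE_VARS` reaches this step is not visible here.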
@@ -164,19 +172,21 @@ jobs:
 
         # Run tests
         echo "::group::make test"
-        make test $EXPLICIT_MAKE_VARS
+        eval make test $EXPLICIT_MAKE_VARS
         echo "::endgroup::"
 
-        # Test Python and Ruby wrappers
-        echo "::group::Test Python and Ruby wrappers"
-        $PYTHON -c 'import selinux;import selinux.audit2why;import semanage;print(selinux.is_selinux_enabled())'
-        $RUBY -e 'require "selinux";require "semanage";puts Selinux::is_selinux_enabled()'
-        echo "::endgroup::"
-
-        # Run Python linter, but not on the downloaded refpolicy
-        echo "::group::scripts/run-flake8"
-        ./scripts/run-flake8
-        echo "::endgroup::"
+        if [ "${{ matrix.python-ruby-version.other }}" != "sanitizers" ] ; then
+            # Test Python and Ruby wrappers
+            echo "::group::Test Python and Ruby wrappers"
+            $PYTHON -c 'import selinux;import selinux.audit2why;import semanage;print(selinux.is_selinux_enabled())'
+            $RUBY -e 'require "selinux";require "semanage";puts Selinux::is_selinux_enabled()'
+            echo "::endgroup::"
+
+            # Run Python linter, but not on the downloaded refpolicy
+            echo "::group::scripts/run-flake8"
+            ./scripts/run-flake8
+            echo "::endgroup::"
+        fi
 
         echo "::group::Test .gitignore and make clean distclean"
         # Remove every installed files
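Review bot: The new `if [ … != "sanitizers" ]` guard carries no comment saying why the wrapper import checks and `./scripts/run-flake8` are skipped for the sanitizer job. If the wrappers are excluded because an uninstrumented interpreter cannot load ASan-linked libraries (the error quoted in the libsepol/tests/Makefile comment suggests so), a comment above the `if` such as `# Python/Ruby are not built with ASan and cannot load the instrumented wrappers; flake8 is already covered by the other jobs` would record that. Without it, a later reader cannot tell whether the skip is a sanitizer limitation or a gap in coverage. The `run:` block starts and ends outside the hunk.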
@@ -184,6 +194,6 @@ jobs:
         # Test that "git status" looks clean, or print a clear error message
         git status --short | sed -n 's/^??/error: missing .gitignore entry for/p' | (! grep '^')
         # Clean up everything and show which file needs to be added to "make clean"
-        make clean distclean $EXPLICIT_MAKE_VARS
+        eval make clean distclean $EXPLICIT_MAKE_VARS
         git ls-files --ignored --others --exclude-standard | sed 's/^/error: "make clean distclean" did not remove /' | (! grep '^')
         echo "::endgroup::"
diff --git a/libsepol/tests/Makefile b/libsepol/tests/Makefile
index fc9bd1a3..a72c327d 100644
--- a/libsepol/tests/Makefile
+++ b/libsepol/tests/Makefile
@@ -1,3 +1,4 @@
+ENV ?= env
 M4 ?= m4
 MKDIR ?= mkdir
 EXE ?= libsepol-tests
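Review bot: `ENV ?= env` only takes effect when `ENV` is not already defined, and make imports every environment variable as a make variable, so a caller whose environment sets `ENV` (POSIX shells read it as the path of a startup file) makes the `test` recipe run `$(ENV) -i …` with that value as the command. A name that cannot collide avoids this, for example `ENV_CMD ?= env` together with `$(ENV_CMD) -i $(MKDIR) -p policies/test-downgrade` in the recipe. The variable block continues outside the hunk.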
@@ -44,10 +45,15 @@ clean:
 	rm -f $(objs) $(EXE)
 	rm -f $(policies)
 	rm -f policies/test-downgrade/policy.hi policies/test-downgrade/policy.lo
-	
 
+# mkdir is run in a clean environment created by env -i to avoid failing under ASan with:
+#
+#   ASan runtime does not come first in initial library list;
+#   you should either link runtime to your application or manually preload it with LD_PRELOAD
+#
+# when the source code is built with ASan
 test: $(EXE) $(policies)
-	$(MKDIR) -p policies/test-downgrade
+	$(ENV) -i $(MKDIR) -p policies/test-downgrade
 	../../checkpolicy/checkpolicy -M policies/test-cond/refpolicy-base.conf -o policies/test-downgrade/policy.hi	
 	./$(EXE)
 
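Review bot: `$(ENV) -i` removes every variable, PATH included, so `$(MKDIR)` is found only through the fallback search path of the `env` implementation, and an overridden `MKDIR` that lives elsewhere will not resolve. Passing PATH through keeps the lookup predictable while still dropping the loader variables the comment is about: `$(ENV) -i PATH="$$PATH" $(MKDIR) -p policies/test-downgrade`. The comment could also name the variable that actually triggers the ASan message (presumably a library search path pointing at the instrumented build), so a later reader knows what has to stay cleared.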
-- 
2.31.1



* Re: [PATCH] ci: run the tests under ASan/UBsan on GHActions
  2021-11-15 18:58 [PATCH] ci: run the tests under ASan/UBsan on GHActions Evgeny Vereshchagin
@ 2021-12-20 18:05 ` Christian Göttsche
  2022-01-06 17:06 ` James Carter
  1 sibling, 0 replies; 4+ messages in thread
From: Christian Göttsche @ 2021-12-20 18:05 UTC (permalink / raw)
  To: SElinux list; +Cc: Evgeny Vereshchagin

On Tue, 16 Nov 2021 at 12:59, Evgeny Vereshchagin <evvers@ya.ru> wrote:
>
> It was tested in https://github.com/SELinuxProject/selinux/pull/321 and
> https://github.com/SELinuxProject/selinux/pull/320. In the process
> it discovered a few issues all of which were fixed in
> https://github.com/SELinuxProject/selinux/commit/b98d3c4c53f35cb2ab77dd5b2973591815932620
> https://github.com/SELinuxProject/selinux/commit/ea539017fbbc972a8239a7944eaa5ce4960b0903
> https://github.com/SELinuxProject/selinux/commit/fe01a91a79574c21712fac2c58af1b54b7f3d46b
> https://github.com/SELinuxProject/selinux/commit/f95dbf2c74246f69fbdf0881434567576159e5f6
>
> Now that all the issues are gone it should be safe to turn it on
> to make it easier to automatically catch bugs like that almost as soon as
> they end up in the repository.
>
> Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>
> ---

Kindly ping

>  .github/workflows/run_tests.yml | 42 ++++++++++++++++++++-------------
>  libsepol/tests/Makefile         | 10 ++++++--
>  2 files changed, 34 insertions(+), 18 deletions(-)
>
> diff --git a/.github/workflows/run_tests.yml b/.github/workflows/run_tests.yml
> index ef4be8af..fd3626da 100644
> --- a/.github/workflows/run_tests.yml
> +++ b/.github/workflows/run_tests.yml
> @@ -29,6 +29,9 @@ jobs:
>              python-ruby-version: {python: 3.9, ruby: 2.7, other: linker-bfd}
>            - compiler: clang
>              python-ruby-version: {python: 3.9, ruby: 2.7, other: linker-gold}
> +        include:
> +          - compiler: gcc
> +            python-ruby-version: {python: 3.9, ruby: 2.7, other: sanitizers}
>
>      steps:
>      - uses: actions/checkout@v2
> @@ -88,6 +91,11 @@ jobs:
>          elif [ "${{ matrix.python-ruby-version.other }}" = "test-debug" ] ; then
>              # Test hat debug build works fine
>              EXPLICIT_MAKE_VARS="DEBUG=1"
> +        elif [ "${{ matrix.python-ruby-version.other }}" = "sanitizers" ] ; then
> +            sanitizers='-fsanitize=address,undefined'
> +            EXPLICIT_MAKE_VARS="CFLAGS='-g -I$DESTDIR/usr/include $sanitizers' LDFLAGS='-L$DESTDIR/usr/lib $sanitizers' LDLIBS= CPPFLAGS= OPT_SUBDIRS="
> +            echo "ASAN_OPTIONS=strict_string_checks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1" >> $GITHUB_ENV
> +            echo "UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1" >> $GITHUB_ENV
>          else
>              EXPLICIT_MAKE_VARS=
>          fi
> @@ -139,18 +147,18 @@ jobs:
>      - name: Run tests
>        run: |
>          echo "::group::make install"
> -        make -j$(nproc) install $EXPLICIT_MAKE_VARS -k
> +        eval make -j$(nproc) install $EXPLICIT_MAKE_VARS -k
>          echo "::endgroup::"
>          echo "::group::make install-pywrap"
> -        make -j$(nproc) install-pywrap $EXPLICIT_MAKE_VARS -k
> +        eval make -j$(nproc) install-pywrap $EXPLICIT_MAKE_VARS -k
>          echo "::endgroup::"
>          echo "::group::make install-rubywrap"
> -        make -j$(nproc) install-rubywrap $EXPLICIT_MAKE_VARS -k
> +        eval make -j$(nproc) install-rubywrap $EXPLICIT_MAKE_VARS -k
>          echo "::endgroup::"
>
>          # Now that everything is installed, run "make all" to build everything which may have not been built
>          echo "::group::make all"
> -        make -j$(nproc) all $EXPLICIT_MAKE_VARS -k
> +        eval make -j$(nproc) all $EXPLICIT_MAKE_VARS -k
>          echo "::endgroup::"
>
>          # Set up environment variables for the tests and show variables (to help debugging issues)
> @@ -164,19 +172,21 @@ jobs:
>
>          # Run tests
>          echo "::group::make test"
> -        make test $EXPLICIT_MAKE_VARS
> +        eval make test $EXPLICIT_MAKE_VARS
>          echo "::endgroup::"
>
> -        # Test Python and Ruby wrappers
> -        echo "::group::Test Python and Ruby wrappers"
> -        $PYTHON -c 'import selinux;import selinux.audit2why;import semanage;print(selinux.is_selinux_enabled())'
> -        $RUBY -e 'require "selinux";require "semanage";puts Selinux::is_selinux_enabled()'
> -        echo "::endgroup::"
> -
> -        # Run Python linter, but not on the downloaded refpolicy
> -        echo "::group::scripts/run-flake8"
> -        ./scripts/run-flake8
> -        echo "::endgroup::"
> +        if [ "${{ matrix.python-ruby-version.other }}" != "sanitizers" ] ; then
> +            # Test Python and Ruby wrappers
> +            echo "::group::Test Python and Ruby wrappers"
> +            $PYTHON -c 'import selinux;import selinux.audit2why;import semanage;print(selinux.is_selinux_enabled())'
> +            $RUBY -e 'require "selinux";require "semanage";puts Selinux::is_selinux_enabled()'
> +            echo "::endgroup::"
> +
> +            # Run Python linter, but not on the downloaded refpolicy
> +            echo "::group::scripts/run-flake8"
> +            ./scripts/run-flake8
> +            echo "::endgroup::"
> +        fi
>
>          echo "::group::Test .gitignore and make clean distclean"
>          # Remove every installed files
> @@ -184,6 +194,6 @@ jobs:
>          # Test that "git status" looks clean, or print a clear error message
>          git status --short | sed -n 's/^??/error: missing .gitignore entry for/p' | (! grep '^')
>          # Clean up everything and show which file needs to be added to "make clean"
> -        make clean distclean $EXPLICIT_MAKE_VARS
> +        eval make clean distclean $EXPLICIT_MAKE_VARS
>          git ls-files --ignored --others --exclude-standard | sed 's/^/error: "make clean distclean" did not remove /' | (! grep '^')
>          echo "::endgroup::"
> diff --git a/libsepol/tests/Makefile b/libsepol/tests/Makefile
> index fc9bd1a3..a72c327d 100644
> --- a/libsepol/tests/Makefile
> +++ b/libsepol/tests/Makefile
> @@ -1,3 +1,4 @@
> +ENV ?= env
>  M4 ?= m4
>  MKDIR ?= mkdir
>  EXE ?= libsepol-tests
> @@ -44,10 +45,15 @@ clean:
>         rm -f $(objs) $(EXE)
>         rm -f $(policies)
>         rm -f policies/test-downgrade/policy.hi policies/test-downgrade/policy.lo
> -
>
> +# mkdir is run in a clean environment created by env -i to avoid failing under ASan with:
> +#
> +#   ASan runtime does not come first in initial library list;
> +#   you should either link runtime to your application or manually preload it with LD_PRELOAD
> +#
> +# when the source code is built with ASan
>  test: $(EXE) $(policies)
> -       $(MKDIR) -p policies/test-downgrade
> +       $(ENV) -i $(MKDIR) -p policies/test-downgrade
>         ../../checkpolicy/checkpolicy -M policies/test-cond/refpolicy-base.conf -o policies/test-downgrade/policy.hi
>         ./$(EXE)
>
> --
> 2.31.1
>


* Re: [PATCH] ci: run the tests under ASan/UBsan on GHActions
  2021-11-15 18:58 [PATCH] ci: run the tests under ASan/UBsan on GHActions Evgeny Vereshchagin
  2021-12-20 18:05 ` Christian Göttsche
@ 2022-01-06 17:06 ` James Carter
  2022-01-12 13:37   ` James Carter
  1 sibling, 1 reply; 4+ messages in thread
From: James Carter @ 2022-01-06 17:06 UTC (permalink / raw)
  To: Evgeny Vereshchagin; +Cc: SElinux list, Christian Göttsche, Nicolas Iooss

On Tue, Nov 16, 2021 at 7:03 AM Evgeny Vereshchagin <evvers@ya.ru> wrote:
>
> It was tested in https://github.com/SELinuxProject/selinux/pull/321 and
> https://github.com/SELinuxProject/selinux/pull/320. In the process
> it discovered a few issues all of which were fixed in
> https://github.com/SELinuxProject/selinux/commit/b98d3c4c53f35cb2ab77dd5b2973591815932620
> https://github.com/SELinuxProject/selinux/commit/ea539017fbbc972a8239a7944eaa5ce4960b0903
> https://github.com/SELinuxProject/selinux/commit/fe01a91a79574c21712fac2c58af1b54b7f3d46b
> https://github.com/SELinuxProject/selinux/commit/f95dbf2c74246f69fbdf0881434567576159e5f6
>
> Now that all the issues are gone it should be safe to turn it on
> to make it easier to automatically catch bugs like that almost as soon as
> they end up in the repository.
>
> Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>

Acked-by: James Carter <jwcart2@gmail.com>

> ---
>  .github/workflows/run_tests.yml | 42 ++++++++++++++++++++-------------
>  libsepol/tests/Makefile         | 10 ++++++--
>  2 files changed, 34 insertions(+), 18 deletions(-)
>
> diff --git a/.github/workflows/run_tests.yml b/.github/workflows/run_tests.yml
> index ef4be8af..fd3626da 100644
> --- a/.github/workflows/run_tests.yml
> +++ b/.github/workflows/run_tests.yml
> @@ -29,6 +29,9 @@ jobs:
>              python-ruby-version: {python: 3.9, ruby: 2.7, other: linker-bfd}
>            - compiler: clang
>              python-ruby-version: {python: 3.9, ruby: 2.7, other: linker-gold}
> +        include:
> +          - compiler: gcc
> +            python-ruby-version: {python: 3.9, ruby: 2.7, other: sanitizers}
>
>      steps:
>      - uses: actions/checkout@v2
> @@ -88,6 +91,11 @@ jobs:
>          elif [ "${{ matrix.python-ruby-version.other }}" = "test-debug" ] ; then
>              # Test hat debug build works fine
>              EXPLICIT_MAKE_VARS="DEBUG=1"
> +        elif [ "${{ matrix.python-ruby-version.other }}" = "sanitizers" ] ; then
> +            sanitizers='-fsanitize=address,undefined'
> +            EXPLICIT_MAKE_VARS="CFLAGS='-g -I$DESTDIR/usr/include $sanitizers' LDFLAGS='-L$DESTDIR/usr/lib $sanitizers' LDLIBS= CPPFLAGS= OPT_SUBDIRS="
> +            echo "ASAN_OPTIONS=strict_string_checks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1" >> $GITHUB_ENV
> +            echo "UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1" >> $GITHUB_ENV
>          else
>              EXPLICIT_MAKE_VARS=
>          fi
> @@ -139,18 +147,18 @@ jobs:
>      - name: Run tests
>        run: |
>          echo "::group::make install"
> -        make -j$(nproc) install $EXPLICIT_MAKE_VARS -k
> +        eval make -j$(nproc) install $EXPLICIT_MAKE_VARS -k
>          echo "::endgroup::"
>          echo "::group::make install-pywrap"
> -        make -j$(nproc) install-pywrap $EXPLICIT_MAKE_VARS -k
> +        eval make -j$(nproc) install-pywrap $EXPLICIT_MAKE_VARS -k
>          echo "::endgroup::"
>          echo "::group::make install-rubywrap"
> -        make -j$(nproc) install-rubywrap $EXPLICIT_MAKE_VARS -k
> +        eval make -j$(nproc) install-rubywrap $EXPLICIT_MAKE_VARS -k
>          echo "::endgroup::"
>
>          # Now that everything is installed, run "make all" to build everything which may have not been built
>          echo "::group::make all"
> -        make -j$(nproc) all $EXPLICIT_MAKE_VARS -k
> +        eval make -j$(nproc) all $EXPLICIT_MAKE_VARS -k
>          echo "::endgroup::"
>
>          # Set up environment variables for the tests and show variables (to help debugging issues)
> @@ -164,19 +172,21 @@ jobs:
>
>          # Run tests
>          echo "::group::make test"
> -        make test $EXPLICIT_MAKE_VARS
> +        eval make test $EXPLICIT_MAKE_VARS
>          echo "::endgroup::"
>
> -        # Test Python and Ruby wrappers
> -        echo "::group::Test Python and Ruby wrappers"
> -        $PYTHON -c 'import selinux;import selinux.audit2why;import semanage;print(selinux.is_selinux_enabled())'
> -        $RUBY -e 'require "selinux";require "semanage";puts Selinux::is_selinux_enabled()'
> -        echo "::endgroup::"
> -
> -        # Run Python linter, but not on the downloaded refpolicy
> -        echo "::group::scripts/run-flake8"
> -        ./scripts/run-flake8
> -        echo "::endgroup::"
> +        if [ "${{ matrix.python-ruby-version.other }}" != "sanitizers" ] ; then
> +            # Test Python and Ruby wrappers
> +            echo "::group::Test Python and Ruby wrappers"
> +            $PYTHON -c 'import selinux;import selinux.audit2why;import semanage;print(selinux.is_selinux_enabled())'
> +            $RUBY -e 'require "selinux";require "semanage";puts Selinux::is_selinux_enabled()'
> +            echo "::endgroup::"
> +
> +            # Run Python linter, but not on the downloaded refpolicy
> +            echo "::group::scripts/run-flake8"
> +            ./scripts/run-flake8
> +            echo "::endgroup::"
> +        fi
>
>          echo "::group::Test .gitignore and make clean distclean"
>          # Remove every installed files
> @@ -184,6 +194,6 @@ jobs:
>          # Test that "git status" looks clean, or print a clear error message
>          git status --short | sed -n 's/^??/error: missing .gitignore entry for/p' | (! grep '^')
>          # Clean up everything and show which file needs to be added to "make clean"
> -        make clean distclean $EXPLICIT_MAKE_VARS
> +        eval make clean distclean $EXPLICIT_MAKE_VARS
>          git ls-files --ignored --others --exclude-standard | sed 's/^/error: "make clean distclean" did not remove /' | (! grep '^')
>          echo "::endgroup::"
> diff --git a/libsepol/tests/Makefile b/libsepol/tests/Makefile
> index fc9bd1a3..a72c327d 100644
> --- a/libsepol/tests/Makefile
> +++ b/libsepol/tests/Makefile
> @@ -1,3 +1,4 @@
> +ENV ?= env
>  M4 ?= m4
>  MKDIR ?= mkdir
>  EXE ?= libsepol-tests
> @@ -44,10 +45,15 @@ clean:
>         rm -f $(objs) $(EXE)
>         rm -f $(policies)
>         rm -f policies/test-downgrade/policy.hi policies/test-downgrade/policy.lo
> -
>
> +# mkdir is run in a clean environment created by env -i to avoid failing under ASan with:
> +#
> +#   ASan runtime does not come first in initial library list;
> +#   you should either link runtime to your application or manually preload it with LD_PRELOAD
> +#
> +# when the source code is built with ASan
>  test: $(EXE) $(policies)
> -       $(MKDIR) -p policies/test-downgrade
> +       $(ENV) -i $(MKDIR) -p policies/test-downgrade
>         ../../checkpolicy/checkpolicy -M policies/test-cond/refpolicy-base.conf -o policies/test-downgrade/policy.hi
>         ./$(EXE)
>
> --
> 2.31.1
>


* Re: [PATCH] ci: run the tests under ASan/UBsan on GHActions
  2022-01-06 17:06 ` James Carter
@ 2022-01-12 13:37   ` James Carter
  0 siblings, 0 replies; 4+ messages in thread
From: James Carter @ 2022-01-12 13:37 UTC (permalink / raw)
  To: Evgeny Vereshchagin; +Cc: SElinux list, Christian Göttsche, Nicolas Iooss

On Thu, Jan 6, 2022 at 12:06 PM James Carter <jwcart2@gmail.com> wrote:
>
> On Tue, Nov 16, 2021 at 7:03 AM Evgeny Vereshchagin <evvers@ya.ru> wrote:
> >
> > It was tested in https://github.com/SELinuxProject/selinux/pull/321 and
> > https://github.com/SELinuxProject/selinux/pull/320. In the process
> > it discovered a few issues all of which were fixed in
> > https://github.com/SELinuxProject/selinux/commit/b98d3c4c53f35cb2ab77dd5b2973591815932620
> > https://github.com/SELinuxProject/selinux/commit/ea539017fbbc972a8239a7944eaa5ce4960b0903
> > https://github.com/SELinuxProject/selinux/commit/fe01a91a79574c21712fac2c58af1b54b7f3d46b
> > https://github.com/SELinuxProject/selinux/commit/f95dbf2c74246f69fbdf0881434567576159e5f6
> >
> > Now that all the issues are gone it should be safe to turn it on
> > to make it easier to automatically catch bugs like that almost as soon as
> > they end up in the repository.
> >
> > Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>
>
> Acked-by: James Carter <jwcart2@gmail.com>
>

This has been applied.
Thanks,
Jim

> > ---
> >  .github/workflows/run_tests.yml | 42 ++++++++++++++++++++-------------
> >  libsepol/tests/Makefile         | 10 ++++++--
> >  2 files changed, 34 insertions(+), 18 deletions(-)
> >
> > diff --git a/.github/workflows/run_tests.yml b/.github/workflows/run_tests.yml
> > index ef4be8af..fd3626da 100644
> > --- a/.github/workflows/run_tests.yml
> > +++ b/.github/workflows/run_tests.yml
> > @@ -29,6 +29,9 @@ jobs:
> >              python-ruby-version: {python: 3.9, ruby: 2.7, other: linker-bfd}
> >            - compiler: clang
> >              python-ruby-version: {python: 3.9, ruby: 2.7, other: linker-gold}
> > +        include:
> > +          - compiler: gcc
> > +            python-ruby-version: {python: 3.9, ruby: 2.7, other: sanitizers}
> >
> >      steps:
> >      - uses: actions/checkout@v2
> > @@ -88,6 +91,11 @@ jobs:
> >          elif [ "${{ matrix.python-ruby-version.other }}" = "test-debug" ] ; then
> >              # Test hat debug build works fine
> >              EXPLICIT_MAKE_VARS="DEBUG=1"
> > +        elif [ "${{ matrix.python-ruby-version.other }}" = "sanitizers" ] ; then
> > +            sanitizers='-fsanitize=address,undefined'
> > +            EXPLICIT_MAKE_VARS="CFLAGS='-g -I$DESTDIR/usr/include $sanitizers' LDFLAGS='-L$DESTDIR/usr/lib $sanitizers' LDLIBS= CPPFLAGS= OPT_SUBDIRS="
> > +            echo "ASAN_OPTIONS=strict_string_checks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1" >> $GITHUB_ENV
> > +            echo "UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1" >> $GITHUB_ENV
> >          else
> >              EXPLICIT_MAKE_VARS=
> >          fi
> > @@ -139,18 +147,18 @@ jobs:
> >      - name: Run tests
> >        run: |
> >          echo "::group::make install"
> > -        make -j$(nproc) install $EXPLICIT_MAKE_VARS -k
> > +        eval make -j$(nproc) install $EXPLICIT_MAKE_VARS -k
> >          echo "::endgroup::"
> >          echo "::group::make install-pywrap"
> > -        make -j$(nproc) install-pywrap $EXPLICIT_MAKE_VARS -k
> > +        eval make -j$(nproc) install-pywrap $EXPLICIT_MAKE_VARS -k
> >          echo "::endgroup::"
> >          echo "::group::make install-rubywrap"
> > -        make -j$(nproc) install-rubywrap $EXPLICIT_MAKE_VARS -k
> > +        eval make -j$(nproc) install-rubywrap $EXPLICIT_MAKE_VARS -k
> >          echo "::endgroup::"
> >
> >          # Now that everything is installed, run "make all" to build everything which may have not been built
> >          echo "::group::make all"
> > -        make -j$(nproc) all $EXPLICIT_MAKE_VARS -k
> > +        eval make -j$(nproc) all $EXPLICIT_MAKE_VARS -k
> >          echo "::endgroup::"
> >
> >          # Set up environment variables for the tests and show variables (to help debugging issues)
> > @@ -164,19 +172,21 @@ jobs:
> >
> >          # Run tests
> >          echo "::group::make test"
> > -        make test $EXPLICIT_MAKE_VARS
> > +        eval make test $EXPLICIT_MAKE_VARS
> >          echo "::endgroup::"
> >
> > -        # Test Python and Ruby wrappers
> > -        echo "::group::Test Python and Ruby wrappers"
> > -        $PYTHON -c 'import selinux;import selinux.audit2why;import semanage;print(selinux.is_selinux_enabled())'
> > -        $RUBY -e 'require "selinux";require "semanage";puts Selinux::is_selinux_enabled()'
> > -        echo "::endgroup::"
> > -
> > -        # Run Python linter, but not on the downloaded refpolicy
> > -        echo "::group::scripts/run-flake8"
> > -        ./scripts/run-flake8
> > -        echo "::endgroup::"
> > +        if [ "${{ matrix.python-ruby-version.other }}" != "sanitizers" ] ; then
> > +            # Test Python and Ruby wrappers
> > +            echo "::group::Test Python and Ruby wrappers"
> > +            $PYTHON -c 'import selinux;import selinux.audit2why;import semanage;print(selinux.is_selinux_enabled())'
> > +            $RUBY -e 'require "selinux";require "semanage";puts Selinux::is_selinux_enabled()'
> > +            echo "::endgroup::"
> > +
> > +            # Run Python linter, but not on the downloaded refpolicy
> > +            echo "::group::scripts/run-flake8"
> > +            ./scripts/run-flake8
> > +            echo "::endgroup::"
> > +        fi
> >
> >          echo "::group::Test .gitignore and make clean distclean"
> >          # Remove every installed files
> > @@ -184,6 +194,6 @@ jobs:
> >          # Test that "git status" looks clean, or print a clear error message
> >          git status --short | sed -n 's/^??/error: missing .gitignore entry for/p' | (! grep '^')
> >          # Clean up everything and show which file needs to be added to "make clean"
> > -        make clean distclean $EXPLICIT_MAKE_VARS
> > +        eval make clean distclean $EXPLICIT_MAKE_VARS
> >          git ls-files --ignored --others --exclude-standard | sed 's/^/error: "make clean distclean" did not remove /' | (! grep '^')
> >          echo "::endgroup::"
> > diff --git a/libsepol/tests/Makefile b/libsepol/tests/Makefile
> > index fc9bd1a3..a72c327d 100644
> > --- a/libsepol/tests/Makefile
> > +++ b/libsepol/tests/Makefile
> > @@ -1,3 +1,4 @@
> > +ENV ?= env
> >  M4 ?= m4
> >  MKDIR ?= mkdir
> >  EXE ?= libsepol-tests
> > @@ -44,10 +45,15 @@ clean:
> >         rm -f $(objs) $(EXE)
> >         rm -f $(policies)
> >         rm -f policies/test-downgrade/policy.hi policies/test-downgrade/policy.lo
> > -
> >
> > +# mkdir is run in a clean environment created by env -i to avoid failing under ASan with:
> > +#
> > +#   ASan runtime does not come first in initial library list;
> > +#   you should either link runtime to your application or manually preload it with LD_PRELOAD
> > +#
> > +# when the source code is built with ASan
> >  test: $(EXE) $(policies)
> > -       $(MKDIR) -p policies/test-downgrade
> > +       $(ENV) -i $(MKDIR) -p policies/test-downgrade
> >         ../../checkpolicy/checkpolicy -M policies/test-cond/refpolicy-base.conf -o policies/test-downgrade/policy.hi
> >         ./$(EXE)
> >
> > --
> > 2.31.1
> >

