linux-application-whitelisting / fapolicyd

File Access Policy Daemon
GNU General Public License v3.0

Add --with-asan for configure #282

Closed radosroka closed 6 months ago

radosroka commented 7 months ago
stevegrubb commented 7 months ago

Just checked this. As it is, it causes an error:

    ./configure: line 14113: syntax error near unexpected token `-faddress-sanitizer,'
    ./configure: line 14113: `AX_CHECK_COMPILE_FLAG(-faddress-sanitizer,'
    make: *** [Makefile:369: config.status] Error 2
    Failed making dist

You might look into the following macro. You'll need to manage flags before and after

    AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
        [TMPFLAGS="${CFLAGS} -Wno-unused-but-set-variable"
        AC_MSG_RESULT(yes)],
        [AC_MSG_RESULT(no)])

stevegrubb commented 7 months ago

Testing the new patch...it ends with a new problem:

    checking for rpmtsInitIterator in -lrpm... no
    configure: error: librpm not found

Removing --with-asan makes it work again. config.log shows this:

    configure:14358: gcc -o conftest -g -O2 -fsanitize=address -fno-omit-frame-pointer -O0 -static-libasan conftest.c -lrpm -lrpm >&5
    /usr/bin/ld: cannot find -lasan: No such file or directory

Normally, you only pass -fsanitize=address as an LDFLAG and let gcc figure out what it needs to link to. Also, I think you want to add the tested CFLAG/LDFLAG to the permanent list in the "yes" branch of the results. I'll watch for an update and test it when I notice.
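
A configure.ac fragment along the lines suggested in the comment above, as an added example (not the patch from this pull request and not fapolicyd's own code): it link-tests -fsanitize=address with saved flags, keeps the flags permanently in the "yes" branch and restores them otherwise. The option name --with-asan comes from the PR title; the variable names `with_asan`, `save_CFLAGS` and `save_LDFLAGS` are assumptions.

```m4
dnl Added example: optional AddressSanitizer build, checked by a real link test.
AC_ARG_WITH([asan],
  [AS_HELP_STRING([--with-asan], [build with AddressSanitizer])],
  [with_asan="$withval"],
  [with_asan=no])

AS_IF([test "x$with_asan" = "xyes"], [
  AC_MSG_CHECKING([whether -fsanitize=address compiles and links])

  dnl Save the flags so a failed probe leaves the build untouched.
  save_CFLAGS="$CFLAGS"
  save_LDFLAGS="$LDFLAGS"

  dnl Pass the sanitizer to both the compile and the link step and let
  dnl the compiler driver choose the runtime library; no explicit -lasan
  dnl or -static-libasan, which is what broke the later librpm check.
  CFLAGS="$CFLAGS -fsanitize=address -fno-omit-frame-pointer"
  LDFLAGS="$LDFLAGS -fsanitize=address"

  AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
    [dnl "yes" branch: the tested flags stay in CFLAGS/LDFLAGS for the build.
     AC_MSG_RESULT([yes])],
    [dnl "no" branch: restore the flags and stop, since ASAN was requested.
     AC_MSG_RESULT([no])
     CFLAGS="$save_CFLAGS"
     LDFLAGS="$save_LDFLAGS"
     AC_MSG_ERROR([--with-asan was given but -fsanitize=address does not link])])
])
```

Because the probe links an empty program with the same flags every later check will inherit, a missing sanitizer runtime is reported at this step instead of surfacing as "librpm not found".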

radosroka commented 6 months ago

> Testing the new patch...it ends with a new problem:
>
>     checking for rpmtsInitIterator in -lrpm... no
>     configure: error: librpm not found
>
> Removing --with-asan makes it work again. config.log shows this:
>
>     configure:14358: gcc -o conftest -g -O2 -fsanitize=address -fno-omit-frame-pointer -O0 -static-libasan conftest.c -lrpm -lrpm >&5
>     /usr/bin/ld: cannot find -lasan: No such file or directory
>
> Normally, you only pass -fsanitize=address as an LDFLAG and let gcc figure out what it needs to link to. Also, I think you want to add the tested CFLAG/LDFLAG to the permanent list in the "yes" branch of the results. I'll watch for an update and test it when I notice.

Does it work now?

stevegrubb commented 6 months ago

It is better in that it compiles and passes it as an LDFLAG. But I can't get it to report memory leaks when I intentionally comment out some frees. I also passed it as a CFLAG but no change.

stevegrubb commented 6 months ago

Continuing to look at this...if I comment out a free in the cli, I can see the memory leak reported. I don't know if it's the multi-threaded nature of the daemon or what is making it not create a report. But for the cli, it works fine. When I use ASAN, I usually add -ggdb to make sure the best debug info is available.

I also tried

    export ASAN_OPTIONS=detect_stack_use_after_return=true:strict_string_checks=true:detect_invalid_pointer_pairs=2:detect_leaks=1:log_path=asan.log

to see if I can get any report from the daemon. This works fine for the cli, but I still get nothing by the daemon. I guess the patch works based on the cli report.

radosroka commented 6 months ago

> Continuing to look at this...if I comment out a free in the cli, I can see the memory leak reported. I don't know if it's the multi-threaded nature of the daemon or what is making it not create a report. But for the cli, it works fine. When I use ASAN, I usually add -ggdb to make sure the best debug info is available.
>
> I also tried
>
>     export ASAN_OPTIONS=detect_stack_use_after_return=true:strict_string_checks=true:detect_invalid_pointer_pairs=2:detect_leaks=1:log_path=asan.log
>
> to see if I can get any report from the daemon. This works fine for the cli, but I still get nothing by the daemon. I guess the patch works based on the cli report.

I put malloc inside of fapolicyd.c and it got detected.

$ sudo ./src/fapolicyd --debug-deny

2/29/2024 17:23:52 [ INFO ]: Starting to listen for events
02/29/2024 17:23:52 [ DEBUG ]: Rule number API supported yes
^C02/29/2024 17:23:58 [ INFO ]: shutting down...
02/29/2024 17:24:01 [ DEBUG ]: Inter-thread max queue depth 7
02/29/2024 17:24:01 [ DEBUG ]: Allowed accesses: 2114
02/29/2024 17:24:01 [ DEBUG ]: Denied accesses: 0
02/29/2024 17:24:01 [ DEBUG ]: Trust database max pages: 256000
02/29/2024 17:24:01 [ DEBUG ]: Trust database pages in use: 12895 (5%)
02/29/2024 17:24:01 [ DEBUG ]: Subject cache size: 1549
02/29/2024 17:24:01 [ DEBUG ]: Subject slots in use: 84 (5%)
02/29/2024 17:24:01 [ DEBUG ]: Subject hits: 2030
02/29/2024 17:24:01 [ DEBUG ]: Subject misses: 98
02/29/2024 17:24:01 [ DEBUG ]: Subject evictions: 14 (0%)
02/29/2024 17:24:01 [ DEBUG ]: Object cache size: 8191
02/29/2024 17:24:01 [ DEBUG ]: Object slots in use: 30 (0%)
02/29/2024 17:24:01 [ DEBUG ]: Object hits: 2084
02/29/2024 17:24:01 [ DEBUG ]: Object misses: 30
02/29/2024 17:24:01 [ DEBUG ]: Object evictions: 0 (0%)

=================================================================
==3230023==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 10 byte(s) in 1 object(s) allocated from:
    #0 0x7ff6728d92ef in malloc (/lib64/libasan.so.8+0xd92ef) (BuildId: 542ad02088f38edfdba9d4bfa465b2299f512d3e)
    #1 0x55d8a39b5087 in main daemon/fapolicyd.c:649
    #2 0x7ff672049b89 in __libc_start_call_main (/lib64/libc.so.6+0x27b89) (BuildId: 70e92bb237883be3065a6afc9f0696aef2d068bf)
    #3 0x7ff672049c4a in __libc_start_main_alias_2 (/lib64/libc.so.6+0x27c4a) (BuildId: 70e92bb237883be3065a6afc9f0696aef2d068bf)
    #4 0x55d8a39b3b94 in _start (/home/rsroka/Work/fapolicyd-upstream-fork/src/fapolicyd+0x4b94) (BuildId: c53ee3c21bad73de2597f7a664cc3628d81bf7f4)

SUMMARY: AddressSanitizer: 10 byte(s) leaked in 1 allocation(s).

diff --git a/src/daemon/fapolicyd.c b/src/daemon/fapolicyd.c
index 3109a43..eccb841 100644
--- a/src/daemon/fapolicyd.c
+++ b/src/daemon/fapolicyd.c
@@ -646,6 +646,8 @@ int main(int argc, const char *argv[])
        pfd[1].events = POLLIN;

        msg(LOG_INFO, "Starting to listen for events");
+       malloc(10);
+
        while (!stop) {
                int rc;
                if (hup) {
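
Review bot: The `malloc(10);` after the "Starting to listen for events" message discards its return value and is never freed, which is the point of the test, but it means this hunk must not land together with the --with-asan change. It also only demonstrates detection because the ASAN build is compiled with -O0 (see the config.log line earlier in the thread); with optimization enabled the compiler is allowed to drop an allocation whose result is unused, so state alongside the test which flags it was run with.
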
@@ -710,6 +712,6 @@ int main(int argc, const char *argv[])
        destroy_rules();
        destroy_fs_list();
        free_daemon_config(&config);
-
+       malloc(10);
        return 0;
 }
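
Review bot: The second `malloc(10);` before `return 0;` does not show up in the LeakSanitizer output, which reports a single 10-byte leak at daemon/fapolicyd.c:649, the allocation from the first hunk. As posted this line adds nothing to the test; drop it, or note why an allocation made right before exit is not reported (its pointer may still sit in a register or on main's stack when the leak check runs). It also replaces the blank line that separated the cleanup calls from the return, which is an unrelated whitespace change.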

stevegrubb commented 6 months ago

Doing what you did also shows a leak on my end. Weird. I guess we can merge this and do the release.