From 15a0e790600de061cd3019897ff3ff6a9a59f87e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Thu, 30 Oct 2025 09:12:51 +0100
Subject: [PATCH] Sync from SUSE:ALP:Source:Standard:1.0 libpulp revision 99ab3563401efb5964d6489ca0fae580

---
 libpulp-0.3.17.tar.gz | 3 +
 libpulp-0.3.5.tar.gz | 3 -
 libpulp.changes | 138 +++++++++++++++++++++++++++++++++++++
 libpulp.spec | 59 ++++++++++++++--
 macros.userspace-livepatch | 24 +++++++
 rpm-helper | 89 +++++++++++++++++++++---
 selinux-ulp.conf | 1 +
 ulp-tmp.conf | 1 +
 8 files changed, 301 insertions(+), 17 deletions(-)
 create mode 100644 libpulp-0.3.17.tar.gz
 delete mode 100644 libpulp-0.3.5.tar.gz
 create mode 100644 selinux-ulp.conf
 create mode 100644 ulp-tmp.conf
diff --git a/libpulp-0.3.17.tar.gz b/libpulp-0.3.17.tar.gz
new file mode 100644
index 0000000..7473717
--- /dev/null
+++ b/libpulp-0.3.17.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:749225de57c5d6a02b3ad4f8fcd2d36fb62f69bf8711426a727bbc2765cacee7
+size 663086
diff --git a/libpulp-0.3.5.tar.gz b/libpulp-0.3.5.tar.gz
deleted file mode 100644
index c1ca789..0000000
--- a/libpulp-0.3.5.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:cf123f45d00ed943c3bd4f4b8d6090e00902a90c32015993fdc6b15f9433ab57
-size 622977
diff --git a/libpulp.changes b/libpulp.changes
index 510bb47..f14ff83 100644
--- a/libpulp.changes
+++ b/libpulp.changes
@@ -1,3 +1,141 @@
+-------------------------------------------------------------------
+Thu Oct 2 14:45:48 UTC 2025 - Giuliano Belinassi
+
+- Update package with libpulp-0.3.17:
+ - Fix dlopen and dlmopen search paths (bsc#1250436).
+
+-------------------------------------------------------------------
+Mon Sep 22 14:39:22 UTC 2025 - Giuliano Belinassi
+
+- Fix ld.so.conf being modified in SLE-16.
+
+-------------------------------------------------------------------
+Wed Sep 17 15:29:56 UTC 2025 - Giuliano Belinassi
+
+- Fix `ldconfig` constructing ld.so.cache in the new snapshot (bsc#1249417).
+
+-------------------------------------------------------------------
+Thu Sep 4 21:12:23 UTC 2025 - Giuliano Belinassi
+
+- Update package with libpulp-0.3.16:
+ - Improve `ulp --help` (bsc#1243787).
+ - Add support to glibc 2.42.
+
+-------------------------------------------------------------------
+Wed Jun 18 13:57:40 UTC 2025 - Giuliano Belinassi
+
+- Update package with libpulp-0.3.15:
+ - Fix race condition on ppc64le livepatching (bsc#1244263)
+ - Fix SIGABRT when non-valid JSON is given at input (bsc#1243923)
+ - Fix linking against libpthread on older versions of glibc for ppc64le.
+
+-------------------------------------------------------------------
+Wed Apr 30 15:39:17 UTC 2025 - Giuliano Belinassi
+
+- Update package with libpulp-0.3.14:
+ - Remove any linking to GLIBC_PRIVATE symbols.
+
+-------------------------------------------------------------------
+Tue Apr 29 13:18:14 UTC 2025 - Giuliano Belinassi
+
+- Update package with libpulp-0.3.13:
+ - Improve detection of -msplit-patch-nops flag (bsc#1240031).
+ - Allow `trigger` to disable seccomp in target process while livepaching.
+ - Make sure libpulp don't crash when calling libc.so.6 (bsc#1241897)
+
+-------------------------------------------------------------------
+Fri Apr 4 15:33:01 UTC 2025 - Giuliano Belinassi
+
+- Update package with libpulp-0.3.12:
+ - Remove TEXTRELs in ppc64le port (bsc#1239092).
+ - Check for -msplit-patch-nops flag.
+
+-------------------------------------------------------------------
+Tue Feb 25 12:20:15 UTC 2025 - Giuliano Belinassi
+
+- Update package with libpulp-0.3.11:
+ - Detect whenever the process was loaded in a custom starting address.
+ - ulp_stack now allocates multiples of page size.
+ - Fix livepatching of `malloc` in ppc64le (jsc#PED-11850).
+
+-------------------------------------------------------------------
+Mon Feb 10 20:42:18 UTC 2025 - Giuliano Belinassi
+
+- Update package with libpulp-0.3.10:
+ - Fix livepatching on Debian systems.
+ - Improve error message when ptrace_scope is active.
+ - Avoid saving unecessary registers in ppc64le.
+ - Fix failing tests when libpulp is loaded system-wide.
+ - Correct TOC loading in ppc64le (jsc#PED-11850).
+
+-------------------------------------------------------------------
+Thu Jan 30 21:25:17 UTC 2025 - Giuliano Belinassi
+
+- Update package with libpulp-0.3.9:
+ - Fix limitation in ppc64le not being able to livepatch functions with more
+ than 8 parameters (jsc#PED-11850).
+
+-------------------------------------------------------------------
+Fri Jan 17 11:41:13 UTC 2025 - Giuliano Belinassi
+
+- Re-enable support for userspace livepatching in ppc64le (jsc#PED-11850).
+
+-------------------------------------------------------------------
+Fri Jan 10 13:25:15 UTC 2025 - Giuliano Belinassi
+
+- Disable build on ppc64le until gcc-13 pfe patch reaches SP7.
+
+-------------------------------------------------------------------
+Thu Dec 19 23:10:29 UTC 2024 - Giuliano Belinassi
+
+- Update package with libpulp-0.3.8:
+ - Fix livepatching failure in glibc 2.40.
+- Force compilation with gcc-13 for SP7 and Tumbleweed (jsc#PED-10952).
+- Add ppc64le as supported architecture (jsc#PED-10952).
+
+-------------------------------------------------------------------
+Thu Dec 12 19:41:51 UTC 2024 - Giuliano Belinassi
+
+- Cleanup /var/livepatches on boot time.
+
+-------------------------------------------------------------------
+Sat Dec 7 00:59:13 UTC 2024 - Giuliano Belinassi
+
+- Add timestamps on each message.
+
+-------------------------------------------------------------------
+Wed Dec 4 18:58:38 UTC 2024 - Giuliano Belinassi
+
+- Update rpm-helper script for SLE Micro (bsc#1228879).
+- Update macros.userspace-livepatch for SLE Micro (bsc#1228879).
+- Guard macros behind sle_version >= 1600.
+
+-------------------------------------------------------------------
+Thu Nov 14 01:15:15 UTC 2024 - Giuliano Belinassi
+
+- Add SELinux policy for /var/livepatches (bsc#1228879).
+- Update rpm-helper script for SLE Micro.
+
+-------------------------------------------------------------------
+Fri Oct 18 19:24:22 UTC 2024 - Giuliano Belinassi
+
+- Update package with libpulp-0.3.7
+ - Fix fails due to realpath returning NULL in SLE-Micro.
+ - Return insn_queue because of permission errors on /proc/self/mem.
+ - Fix livepatch of malloc (bsc#1231727).
+
+-------------------------------------------------------------------
+Wed Sep 11 13:27:19 UTC 2024 - Giuliano Belinassi
+
+- Update .spec license to match libpulp's license.
+
+-------------------------------------------------------------------
+Fri Sep 6 14:34:08 UTC 2024 - Giuliano Belinassi
+
+- Update package with libpulp-0.3.6
+ * Ptrace-yama-scope (bsc#1221763).
+ * Drop insn_queue in favor of /proc/self/mem.
+
 -------------------------------------------------------------------
 Wed Jul 3 15:01:44 UTC 2024 - Giuliano Belinassi
diff --git a/libpulp.spec b/libpulp.spec
index 2b83a5a..6c79205 100644
--- a/libpulp.spec
+++ b/libpulp.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package libpulp
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,15 +17,17 @@
 Name: libpulp
-Version: 0.3.5
+Version: 0.3.17
 Release: 0
 Summary: Userspace live patching library and tools
-License: LGPL-2.1-only
+License: LGPL-2.1-or-later
 Group: Productivity/Security
 URL: https://github.com/suse/libpulp
 Source0: %{name}-%{version}.tar.gz
 Source1: rpm-helper
 Source2: macros.userspace-livepatch
+Source3: selinux-ulp.conf
+Source4: ulp-tmp.conf
 Source99: libpulp.rpmlintrc
 # Required to hardlink identical files.
 BuildRequires: fdupes
@@ -34,17 +36,27 @@ BuildRequires: gcc-c++
 # Required to build the tools, which are needed to run the tests.
 BuildRequires: libjson-c-devel
 BuildRequires: libelf-devel
+BuildRequires: procps
 BuildRequires: python3-pexpect
 BuildRequires: python3-psutil
 BuildRequires: libseccomp-devel
 # Disable ptrace_scope on tumbleweed
-%if 0%{?suse_version} > 1600
+%if 0%{?suse_version} >= 1600
 BuildRequires: aaa_base-yama-enable-ptrace
 %endif
 # Only available for these architectures.
+%if 0%{?sle_version} >= 150700 || 0%{suse_version} >= 1570
+# For ppc64le onwards we need gcc-13 for a fix to -fpatchable-function-entry
+# which is not currently upstream and not in gcc-14.
+BuildRequires: gcc13
+BuildRequires: gcc13-c++
+ExclusiveArch: x86_64 ppc64le
+%else
+# Block to x86_64 for older versions of SLE.
 ExclusiveArch: x86_64
+%endif
 %description
 Library and tools for user space live patching.
@@ -74,6 +86,13 @@ This package contains the tools to apply user-space live patches.
 %build
+# For ppc64le onwards we need gcc-13 for a fix to -fpatchable-function-entry
+# which is not currently upstream and not in gcc-14.
+%if 0%{?sle_version} >= 150700 || 0%{suse_version} >= 1570
+export CC=gcc-13
+export CXX=g++-13
+%endif
+
 %configure
 %make_build
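Review bot: The new architecture guard `%if 0%{?sle_version} >= 150700 || 0%{suse_version} >= 1570` in the BuildRequires hunk, and the identical condition repeated in the %build hunk, write `%{suse_version}` without the `?` that every other test in this file uses (`0%{?suse_version}`); if the macro is ever undefined the expression expands to the literal text and the `%if` fails to parse instead of evaluating false. Both places should read `0%{?suse_version} >= 1570`. Since the condition and its two-line gcc-13 comment are duplicated verbatim, defining it once near the top (for example `%global need_gcc13 0%{?sle_version} >= 150700 || 0%{?suse_version} >= 1570`) and testing `%if %{need_gcc13}` in both hunks would keep them from drifting apart.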
@@ -84,6 +103,11 @@ This package contains the tools to apply user-space live patches.
 %make_install
 install -D -m0755 %{SOURCE1} %{buildroot}%{_prefix}/lib/userspace-livepatch/rpm-helper
 install -D -m0644 %{SOURCE2} %{buildroot}%{_prefix}/lib/rpm/macros.d/macros.userspace-livepatch
+install -D -m0644 %{SOURCE3} %{buildroot}%{_prefix}/etc/tukit.conf.d/selinux-ulp.conf
+install -D -m0644 %{SOURCE4} %{buildroot}%{_prefix}/lib/tmpfiles.d/ulp-tmp.conf
+
+# Create /var/livepatches
+mkdir -p %{buildroot}/var/livepatches/
 # Convert identical files into hardlinks.
 %fdupes %{buildroot}/%{_prefix}
@@ -93,6 +117,28 @@ install -D -m0644 %{SOURCE2} %{buildroot}%{_prefix}/lib/rpm/macros.d/macros.user
 find %{buildroot}/%{_prefix} -name libpulp.la -delete
 find %{buildroot}/%{_prefix} -name libpulp.so -delete
+%post -n libpulp-tools
+%define ld_so_conf /etc/ld.so.conf
+%define addline include /var/livepatches/ld.so.conf
+
+# There are special logic needed in sle-micro onwards.
+if [ "$TRANSACTIONAL_UPDATE" = "true" ] && [ "x$TRANSACTIONAL_UPDATE_ROOT" != "x" ]; then
+ # Add instance of /var/livepatches if it doesn't already exist.
+ grep -qxF '%{addline}' %{ld_so_conf} || echo '%{addline}' >> %{ld_so_conf}
+else
+ # Remove any instance of /var/livepatches from ld.so.conf if it exists. There
+ # is a bug in older verisons of libpulp tools that add this live even for
+ # non-transactional systems.
+ sed -i '\#%{addline}#d' %{ld_so_conf}
+fi
+
+%postun -n libpulp-tools
+
+if [ "$1" == "0" ]; then
+ # Delete all instances of libpulp in the ld_so_conf.
+ sed -i '\#%{addline}#d' %{ld_so_conf}
+fi
+
 %post -n libpulp0 -p /sbin/ldconfig
 %postun -n libpulp0 -p /sbin/ldconfig
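Review bot: In the new `%postun -n libpulp-tools` scriptlet, `if [ "$1" == "0" ]; then` uses the bash-only `==` inside `[`, while the `%post` just above compares with `=`; rpm runs these scriptlets through /bin/sh, so `if [ "$1" = 0 ]; then` is both portable and consistent with the sibling scriptlet. Neither scriptlet runs `ldconfig` after editing `%{ld_so_conf}`, so the `include` line only takes effect when something else rebuilds the cache; if that is intentionally left to rpm-helper's `movelibs` step, a one-line comment next to `%define addline` saying so would spare the next reader the search. The comment `# is a bug in older verisons of libpulp tools that add this live even for` also has two typos (`versions`, `line`).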
@@ -107,6 +153,11 @@ find %{buildroot}/%{_prefix} -name libpulp.so -delete
 %dir %{_prefix}/lib/userspace-livepatch
 %{_prefix}/lib/userspace-livepatch/*
 %{_prefix}/lib/rpm/*
+%{_prefix}/lib/tmpfiles.d/ulp-tmp.conf
+%{_prefix}/etc/tukit.conf.d/selinux-ulp.conf
+%{_prefix}/etc/tukit.conf.d
+%{_prefix}/etc
+/var/livepatches
 %license LICENSE
 %changelog
diff --git a/macros.userspace-livepatch b/macros.userspace-livepatch
index cd8d43d..9c79136 100644
--- a/macros.userspace-livepatch
+++ b/macros.userspace-livepatch
@@ -7,3 +7,27 @@ echo "Executing ulp_post_hook(). About to execute rpm-helper..." \
 /bin/bash /usr/lib/userspace-livepatch/rpm-helper install "%1" "%2" "%3" $1 \
 echo "Done executing rpm-helper." \
 %{nil}
+
+# Hook for %post used by livepatch packages move the system libraries to the
+# current snapshot for sle-micro.
+#
+# The parameters are ...
+%ulp_post_move_libs() \
+%if 0%{?suse_version} >= 1600 \
+echo "Executing ulp_post_move_libs()" \
+/bin/bash /usr/lib/userspace-livepatch/rpm-helper movelibs "%1" "%2" "%3" $1 \
+echo "Done executing ulp_post_move_libs()" \
+%endif \
+%{nil}
+
+# Hook for %postun used by livepatch packages to remove the moved system
+# libraries
+#
+# The parameters are
+%ulp_post_remove_libs() \
+%if 0%{?suse_version} >= 1600 \
+echo "Executing ulp_post_remove_libs()" \
+/bin/bash /usr/lib/userspace-livepatch/rpm-helper removelibs "%1" "%2" "%3" $1 \
+echo "Done executing ulp_post_remove_libs()" \
+%endif \
+%{nil}
diff --git a/rpm-helper b/rpm-helper
index 38e7e34..f7aa3f2 100644
--- a/rpm-helper
+++ b/rpm-helper
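Review bot: `/var/livepatches` is added to `%files` without `%dir`, although `%install` only does `mkdir -p` on it and the contents are created at runtime by rpm-helper and swept at boot by the new `ulp-tmp.conf`; `%dir /var/livepatches` states that the package owns an empty directory and avoids packaging anything that happens to land there at build time. The bare `%{_prefix}/etc` and `%{_prefix}/etc/tukit.conf.d` entries make libpulp-tools a co-owner of those directories; that is fine if the base or tukit packages already own them, but marking both with `%dir` (as the existing `%dir %{_prefix}/lib/userspace-livepatch` line does) makes the intent explicit and keeps rpmlint quiet.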
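Review bot: Both new macros ship with the placeholder header `# The parameters are ...` (and `# The parameters are` on the second one), so the calling convention is undocumented in the one file packagers read. Judging from rpm-helper's `PACKAGE=$2 VER=$3 TARGET_LIB=$4 NUM_PACKAGES=${5-0}` the positional meaning appears to be %1 = package name, %2 = version, %3 = target library path, with the scriptlet's own `$1` forwarded last; replace the placeholder in both macros with `# Parameters: %1 package name, %2 version, %3 path of the patched library; the scriptlet's $1 is forwarded as the last argument.` after confirming it against the `%ulp_post_hook` header, which is above this hunk. The first header also reads `packages move the system libraries` and should be `packages to move the system libraries`.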
@@ -45,14 +45,26 @@ do_install()
 check_livepatching_env || return 0
- # Check if we are running a transactional update. If yes, set the root
- # accordingly.
+ INSTALL_DIR="/usr/lib64/$PACKAGE/$VER"
+ TRIGGER_PATH="$INSTALL_DIR"
+
+ # Check if we are running a transactional update. If yes, then we need to
+ # move the livepatches to a better location.
 if [ "$TRANSACTIONAL_UPDATE" = "true" ] && [ "x$TRANSACTIONAL_UPDATE_ROOT" != "x" ]; then
- ROOT="-R $TRANSACTIONAL_UPDATE_ROOT"
+ TRIGGER_PATH="/var/livepatches/$PACKAGE/$VER/lp"
+
+ # Create path if it doesn't already exist.
+ mkdir -p "$TRIGGER_PATH"
+
+ # Clean the path
+ rm -rf "$TRIGGER_PATH"
+
+ # Copy the patches to the location we have permission.
+ cp -rZ "$INSTALL_DIR" "$TRIGGER_PATH"
 fi
- ulp trigger $ROOT --recursive -r 100 --timeout 200 --revert-all=target \
- "/usr/lib64/$PACKAGE/$VER/*.so"
+ ulp trigger --recursive -r 100 --timeout 200 --revert-all=target \
+ "$TRIGGER_PATH/*.so"
 echo "ulp trigger executed."
 }
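Review bot: In the transactional branch `mkdir -p "$TRIGGER_PATH"` is undone two lines later by `rm -rf "$TRIGGER_PATH"`, so the mkdir survives only as a side effect that creates the parent directory the following `cp -rZ` needs, and the `# Create path if it doesn't already exist.` comment no longer describes what happens; `rm -rf -- "$TRIGGER_PATH"` followed by `mkdir -p -- "${TRIGGER_PATH%/*}"` says exactly that. `$TRIGGER_PATH` is built from `$PACKAGE` and `$VER`, which come straight from the macro arguments, so an empty value would turn the rm target into `/var/livepatches///lp`; using `"${PACKAGE:?}"` and `"${VER:?}"` in the `INSTALL_DIR=` assignment aborts on missing arguments instead. The glob in `"$TRIGGER_PATH/*.so"` stays quoted, as it was before this change, so it is presumably expanded by `ulp` rather than the shell; a short comment on that line would prevent a well-meant "fix" that unquotes it. do_install's opening lines are outside this hunk.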
@@ -62,10 +74,66 @@ do_remove()
 : # reserved for future use
 }
-if test $# -ne 5; then
- echo 'WARNING: Unexpected number of parameters. Are the live patch RPM scripts compatible with this rpm-helper?' >&2
-fi
+# Execute this on sle-micro to move the new libraries to the current snapshot.
+do_movelibs()
+{
+ if test -e /.buildenv; then
+ echo "Skipping move libs in buildroot"
+ return 0
+ fi
+ local ld_so_conf="/var/livepatches/ld.so.conf"
+ local addline="/var/livepatches/$PACKAGE/$VER/libs"
+ local line_pattern="/var/livepatches/$PACKAGE/.*/libs"
+
+ # check if we are running a transactional update. if no, there is no need to
+ # move libraries around.
+ if [ "$TRANSACTIONAL_UPDATE" = "true" ] && [ "x$TRANSACTIONAL_UPDATE_ROOT" != "x" ]; then
+ [[ -e $ld_so_conf ]] && sed -i "\#$line_pattern#d" $ld_so_conf
+
+ echo "$addline" >> $ld_so_conf
+
+ mkdir -p $addline
+
+ for i in $(seq 1 3); do
+ shift
+ done
+
+ for file in "$@"; do
+ [[ -e $file ]] && install -D -Z $file "$addline/$(basename $file)"
+ done
+
+ # Update ldconfig cache for the old snapshot.
+ /sbin/ldconfig -r /proc/1/root/
+ fi
+}
+
+# Execute this on sle-micro to move the new libraries to the current snapshot.
+do_removelibs()
+{
+ if test -e /.buildenv; then
+ echo "Skipping move libs in buildroot"
+ return 0
+ fi
+
+ local ld_so_conf="/var/livepatches/ld.so.conf"
+ local addline="/var/livepatches/$PACKAGE/$VER/libs"
+ local line_pattern="/var/livepatches/$PACKAGE/.*/libs"
+
+ # check if we are running a transactional update. if no, there is no need to
+ # move libraries around.
+ if [ "$TRANSACTIONAL_UPDATE" = "true" ] && [ "x$TRANSACTIONAL_UPDATE_ROOT" != "x" ]; then
+ # Remove the line of ld.so.conf
+ [[ -e $ld_so_conf ]] && sed -i "\#$line_pattern#d" $ld_so_conf
+
+ # Update ldconfig cache for the new snapshot, as programs may be using
+ # libraries in that folder.
+ /sbin/ldconfig
+
+ # Delete copied libs.
+ rm -rf $addline
+ fi
+}
 # Parse first argument (install or remove).
 cmd=$1
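Review bot: `do_removelibs` carries the header and the buildroot message of `do_movelibs` verbatim, so its comment and log line both claim it moves libraries; they should read `# Execute this on sle-micro to remove the libraries moved by do_movelibs.` and `echo "Skipping remove libs in buildroot"`. In `do_movelibs`, `for i in $(seq 1 3); do shift; done` is just `shift 3`, and `$ld_so_conf`, `$addline` and `$file` are left unquoted in the sed, echo, mkdir and install lines even though the same function quotes them elsewhere; after the shift the remaining parameters appear to be the target library plus the scriptlet count forwarded by the macro, and only the `-e` test (evaluated relative to the current directory) keeps that bare number from being treated as a file, which deserves a comment. `$PACKAGE` is also interpolated into the `sed` address through `line_pattern`, so a package name containing `#` or regex metacharacters would break or widen the deletion; if the macro arguments are considered trusted, a note at `local line_pattern=` should say so. The transactional branch rewritten with these changes is below.
```shell
    if [ "$TRANSACTIONAL_UPDATE" = "true" ] && [ "x$TRANSACTIONAL_UPDATE_ROOT" != "x" ]; then
        [[ -e "$ld_so_conf" ]] && sed -i "\#$line_pattern#d" "$ld_so_conf"
        echo "$addline" >> "$ld_so_conf"
        mkdir -p "$addline"

        # Drop cmd, PACKAGE and VER; what remains is what the macro forwarded
        # (the target library, then the scriptlet's own $1). Only existing
        # paths are copied, which is what filters that count out.
        shift 3
        for file in "$@"; do
            [[ -e "$file" ]] && install -D -Z "$file" "$addline/${file##*/}"
        done

        # … unchanged: ldconfig -r /proc/1/root/ …
    fi
```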
@@ -73,9 +141,10 @@ PACKAGE=$2
 VER=$3
 TARGET_LIB=$4
 NUM_PACKAGES=${5-0}
+
 case "$cmd" in
-install|remove)
- do_$cmd
+install|remove|movelibs|removelibs)
+ do_$cmd "$@"
 exit
 ;;
 *)
diff --git a/selinux-ulp.conf b/selinux-ulp.conf
new file mode 100644
index 0000000..bcd1317
--- /dev/null
+++ b/selinux-ulp.conf
@@ -0,0 +1 @@
+BINDDIRS[ulp]=/var/livepatches
diff --git a/ulp-tmp.conf b/ulp-tmp.conf
new file mode 100644
index 0000000..f365740
--- /dev/null
+++ b/ulp-tmp.conf
@@ -0,0 +1 @@
+R /var/livepatches/*
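Review bot: With the `test $# -ne 5` warning dropped in the previous hunk, nothing validates the arguments that `do_movelibs` and `do_removelibs` now turn into paths under `/var/livepatches` and hand to `rm -rf`; adding `: "${PACKAGE:?package name required}" "${VER:?version required}"` right after the `VER=$3` context line makes an empty macro argument fail loudly instead of yielding `/var/livepatches///libs`. The `# Parse first argument (install or remove).` comment that precedes this case statement still names only the two original commands and should list `movelibs` and `removelibs` too.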