Sync from SUSE:SLFO:Main kernel-livepatch-tools revision f71b7c82d3a105bace4a071f75492dc9
This commit is contained in:
commit
e79fb77957
23
.gitattributes
vendored
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
## Default LFS
|
||||||
|
*.7z filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.bsp filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.bz2 filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.gem filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.gz filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.jar filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.lz filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.lzma filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.obscpio filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.oxt filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.pdf filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.png filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.rpm filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.tbz filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.tbz2 filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.tgz filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.ttf filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.txz filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.whl filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.xz filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.zip filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.zst filter=lfs diff=lfs merge=lfs -text
|
339
COPYING
Normal file
@ -0,0 +1,339 @@
|
|||||||
|
GNU GENERAL PUBLIC LICENSE
|
||||||
|
Version 2, June 1991
|
||||||
|
|
||||||
|
Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
|
||||||
|
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
||||||
|
Everyone is permitted to copy and distribute verbatim copies
|
||||||
|
of this license document, but changing it is not allowed.
|
||||||
|
|
||||||
|
Preamble
|
||||||
|
|
||||||
|
The licenses for most software are designed to take away your
|
||||||
|
freedom to share and change it. By contrast, the GNU General Public
|
||||||
|
License is intended to guarantee your freedom to share and change free
|
||||||
|
software--to make sure the software is free for all its users. This
|
||||||
|
General Public License applies to most of the Free Software
|
||||||
|
Foundation's software and to any other program whose authors commit to
|
||||||
|
using it. (Some other Free Software Foundation software is covered by
|
||||||
|
the GNU Lesser General Public License instead.) You can apply it to
|
||||||
|
your programs, too.
|
||||||
|
|
||||||
|
When we speak of free software, we are referring to freedom, not
|
||||||
|
price. Our General Public Licenses are designed to make sure that you
|
||||||
|
have the freedom to distribute copies of free software (and charge for
|
||||||
|
this service if you wish), that you receive source code or can get it
|
||||||
|
if you want it, that you can change the software or use pieces of it
|
||||||
|
in new free programs; and that you know you can do these things.
|
||||||
|
|
||||||
|
To protect your rights, we need to make restrictions that forbid
|
||||||
|
anyone to deny you these rights or to ask you to surrender the rights.
|
||||||
|
These restrictions translate to certain responsibilities for you if you
|
||||||
|
distribute copies of the software, or if you modify it.
|
||||||
|
|
||||||
|
For example, if you distribute copies of such a program, whether
|
||||||
|
gratis or for a fee, you must give the recipients all the rights that
|
||||||
|
you have. You must make sure that they, too, receive or can get the
|
||||||
|
source code. And you must show them these terms so they know their
|
||||||
|
rights.
|
||||||
|
|
||||||
|
We protect your rights with two steps: (1) copyright the software, and
|
||||||
|
(2) offer you this license which gives you legal permission to copy,
|
||||||
|
distribute and/or modify the software.
|
||||||
|
|
||||||
|
Also, for each author's protection and ours, we want to make certain
|
||||||
|
that everyone understands that there is no warranty for this free
|
||||||
|
software. If the software is modified by someone else and passed on, we
|
||||||
|
want its recipients to know that what they have is not the original, so
|
||||||
|
that any problems introduced by others will not reflect on the original
|
||||||
|
authors' reputations.
|
||||||
|
|
||||||
|
Finally, any free program is threatened constantly by software
|
||||||
|
patents. We wish to avoid the danger that redistributors of a free
|
||||||
|
program will individually obtain patent licenses, in effect making the
|
||||||
|
program proprietary. To prevent this, we have made it clear that any
|
||||||
|
patent must be licensed for everyone's free use or not licensed at all.
|
||||||
|
|
||||||
|
The precise terms and conditions for copying, distribution and
|
||||||
|
modification follow.
|
||||||
|
|
||||||
|
GNU GENERAL PUBLIC LICENSE
|
||||||
|
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
|
||||||
|
|
||||||
|
0. This License applies to any program or other work which contains
|
||||||
|
a notice placed by the copyright holder saying it may be distributed
|
||||||
|
under the terms of this General Public License. The "Program", below,
|
||||||
|
refers to any such program or work, and a "work based on the Program"
|
||||||
|
means either the Program or any derivative work under copyright law:
|
||||||
|
that is to say, a work containing the Program or a portion of it,
|
||||||
|
either verbatim or with modifications and/or translated into another
|
||||||
|
language. (Hereinafter, translation is included without limitation in
|
||||||
|
the term "modification".) Each licensee is addressed as "you".
|
||||||
|
|
||||||
|
Activities other than copying, distribution and modification are not
|
||||||
|
covered by this License; they are outside its scope. The act of
|
||||||
|
running the Program is not restricted, and the output from the Program
|
||||||
|
is covered only if its contents constitute a work based on the
|
||||||
|
Program (independent of having been made by running the Program).
|
||||||
|
Whether that is true depends on what the Program does.
|
||||||
|
|
||||||
|
1. You may copy and distribute verbatim copies of the Program's
|
||||||
|
source code as you receive it, in any medium, provided that you
|
||||||
|
conspicuously and appropriately publish on each copy an appropriate
|
||||||
|
copyright notice and disclaimer of warranty; keep intact all the
|
||||||
|
notices that refer to this License and to the absence of any warranty;
|
||||||
|
and give any other recipients of the Program a copy of this License
|
||||||
|
along with the Program.
|
||||||
|
|
||||||
|
You may charge a fee for the physical act of transferring a copy, and
|
||||||
|
you may at your option offer warranty protection in exchange for a fee.
|
||||||
|
|
||||||
|
2. You may modify your copy or copies of the Program or any portion
|
||||||
|
of it, thus forming a work based on the Program, and copy and
|
||||||
|
distribute such modifications or work under the terms of Section 1
|
||||||
|
above, provided that you also meet all of these conditions:
|
||||||
|
|
||||||
|
a) You must cause the modified files to carry prominent notices
|
||||||
|
stating that you changed the files and the date of any change.
|
||||||
|
|
||||||
|
b) You must cause any work that you distribute or publish, that in
|
||||||
|
whole or in part contains or is derived from the Program or any
|
||||||
|
part thereof, to be licensed as a whole at no charge to all third
|
||||||
|
parties under the terms of this License.
|
||||||
|
|
||||||
|
c) If the modified program normally reads commands interactively
|
||||||
|
when run, you must cause it, when started running for such
|
||||||
|
interactive use in the most ordinary way, to print or display an
|
||||||
|
announcement including an appropriate copyright notice and a
|
||||||
|
notice that there is no warranty (or else, saying that you provide
|
||||||
|
a warranty) and that users may redistribute the program under
|
||||||
|
these conditions, and telling the user how to view a copy of this
|
||||||
|
License. (Exception: if the Program itself is interactive but
|
||||||
|
does not normally print such an announcement, your work based on
|
||||||
|
the Program is not required to print an announcement.)
|
||||||
|
|
||||||
|
These requirements apply to the modified work as a whole. If
|
||||||
|
identifiable sections of that work are not derived from the Program,
|
||||||
|
and can be reasonably considered independent and separate works in
|
||||||
|
themselves, then this License, and its terms, do not apply to those
|
||||||
|
sections when you distribute them as separate works. But when you
|
||||||
|
distribute the same sections as part of a whole which is a work based
|
||||||
|
on the Program, the distribution of the whole must be on the terms of
|
||||||
|
this License, whose permissions for other licensees extend to the
|
||||||
|
entire whole, and thus to each and every part regardless of who wrote it.
|
||||||
|
|
||||||
|
Thus, it is not the intent of this section to claim rights or contest
|
||||||
|
your rights to work written entirely by you; rather, the intent is to
|
||||||
|
exercise the right to control the distribution of derivative or
|
||||||
|
collective works based on the Program.
|
||||||
|
|
||||||
|
In addition, mere aggregation of another work not based on the Program
|
||||||
|
with the Program (or with a work based on the Program) on a volume of
|
||||||
|
a storage or distribution medium does not bring the other work under
|
||||||
|
the scope of this License.
|
||||||
|
|
||||||
|
3. You may copy and distribute the Program (or a work based on it,
|
||||||
|
under Section 2) in object code or executable form under the terms of
|
||||||
|
Sections 1 and 2 above provided that you also do one of the following:
|
||||||
|
|
||||||
|
a) Accompany it with the complete corresponding machine-readable
|
||||||
|
source code, which must be distributed under the terms of Sections
|
||||||
|
1 and 2 above on a medium customarily used for software interchange; or,
|
||||||
|
|
||||||
|
b) Accompany it with a written offer, valid for at least three
|
||||||
|
years, to give any third party, for a charge no more than your
|
||||||
|
cost of physically performing source distribution, a complete
|
||||||
|
machine-readable copy of the corresponding source code, to be
|
||||||
|
distributed under the terms of Sections 1 and 2 above on a medium
|
||||||
|
customarily used for software interchange; or,
|
||||||
|
|
||||||
|
c) Accompany it with the information you received as to the offer
|
||||||
|
to distribute corresponding source code. (This alternative is
|
||||||
|
allowed only for noncommercial distribution and only if you
|
||||||
|
received the program in object code or executable form with such
|
||||||
|
an offer, in accord with Subsection b above.)
|
||||||
|
|
||||||
|
The source code for a work means the preferred form of the work for
|
||||||
|
making modifications to it. For an executable work, complete source
|
||||||
|
code means all the source code for all modules it contains, plus any
|
||||||
|
associated interface definition files, plus the scripts used to
|
||||||
|
control compilation and installation of the executable. However, as a
|
||||||
|
special exception, the source code distributed need not include
|
||||||
|
anything that is normally distributed (in either source or binary
|
||||||
|
form) with the major components (compiler, kernel, and so on) of the
|
||||||
|
operating system on which the executable runs, unless that component
|
||||||
|
itself accompanies the executable.
|
||||||
|
|
||||||
|
If distribution of executable or object code is made by offering
|
||||||
|
access to copy from a designated place, then offering equivalent
|
||||||
|
access to copy the source code from the same place counts as
|
||||||
|
distribution of the source code, even though third parties are not
|
||||||
|
compelled to copy the source along with the object code.
|
||||||
|
|
||||||
|
4. You may not copy, modify, sublicense, or distribute the Program
|
||||||
|
except as expressly provided under this License. Any attempt
|
||||||
|
otherwise to copy, modify, sublicense or distribute the Program is
|
||||||
|
void, and will automatically terminate your rights under this License.
|
||||||
|
However, parties who have received copies, or rights, from you under
|
||||||
|
this License will not have their licenses terminated so long as such
|
||||||
|
parties remain in full compliance.
|
||||||
|
|
||||||
|
5. You are not required to accept this License, since you have not
|
||||||
|
signed it. However, nothing else grants you permission to modify or
|
||||||
|
distribute the Program or its derivative works. These actions are
|
||||||
|
prohibited by law if you do not accept this License. Therefore, by
|
||||||
|
modifying or distributing the Program (or any work based on the
|
||||||
|
Program), you indicate your acceptance of this License to do so, and
|
||||||
|
all its terms and conditions for copying, distributing or modifying
|
||||||
|
the Program or works based on it.
|
||||||
|
|
||||||
|
6. Each time you redistribute the Program (or any work based on the
|
||||||
|
Program), the recipient automatically receives a license from the
|
||||||
|
original licensor to copy, distribute or modify the Program subject to
|
||||||
|
these terms and conditions. You may not impose any further
|
||||||
|
restrictions on the recipients' exercise of the rights granted herein.
|
||||||
|
You are not responsible for enforcing compliance by third parties to
|
||||||
|
this License.
|
||||||
|
|
||||||
|
7. If, as a consequence of a court judgment or allegation of patent
|
||||||
|
infringement or for any other reason (not limited to patent issues),
|
||||||
|
conditions are imposed on you (whether by court order, agreement or
|
||||||
|
otherwise) that contradict the conditions of this License, they do not
|
||||||
|
excuse you from the conditions of this License. If you cannot
|
||||||
|
distribute so as to satisfy simultaneously your obligations under this
|
||||||
|
License and any other pertinent obligations, then as a consequence you
|
||||||
|
may not distribute the Program at all. For example, if a patent
|
||||||
|
license would not permit royalty-free redistribution of the Program by
|
||||||
|
all those who receive copies directly or indirectly through you, then
|
||||||
|
the only way you could satisfy both it and this License would be to
|
||||||
|
refrain entirely from distribution of the Program.
|
||||||
|
|
||||||
|
If any portion of this section is held invalid or unenforceable under
|
||||||
|
any particular circumstance, the balance of the section is intended to
|
||||||
|
apply and the section as a whole is intended to apply in other
|
||||||
|
circumstances.
|
||||||
|
|
||||||
|
It is not the purpose of this section to induce you to infringe any
|
||||||
|
patents or other property right claims or to contest validity of any
|
||||||
|
such claims; this section has the sole purpose of protecting the
|
||||||
|
integrity of the free software distribution system, which is
|
||||||
|
implemented by public license practices. Many people have made
|
||||||
|
generous contributions to the wide range of software distributed
|
||||||
|
through that system in reliance on consistent application of that
|
||||||
|
system; it is up to the author/donor to decide if he or she is willing
|
||||||
|
to distribute software through any other system and a licensee cannot
|
||||||
|
impose that choice.
|
||||||
|
|
||||||
|
This section is intended to make thoroughly clear what is believed to
|
||||||
|
be a consequence of the rest of this License.
|
||||||
|
|
||||||
|
8. If the distribution and/or use of the Program is restricted in
|
||||||
|
certain countries either by patents or by copyrighted interfaces, the
|
||||||
|
original copyright holder who places the Program under this License
|
||||||
|
may add an explicit geographical distribution limitation excluding
|
||||||
|
those countries, so that distribution is permitted only in or among
|
||||||
|
countries not thus excluded. In such case, this License incorporates
|
||||||
|
the limitation as if written in the body of this License.
|
||||||
|
|
||||||
|
9. The Free Software Foundation may publish revised and/or new versions
|
||||||
|
of the General Public License from time to time. Such new versions will
|
||||||
|
be similar in spirit to the present version, but may differ in detail to
|
||||||
|
address new problems or concerns.
|
||||||
|
|
||||||
|
Each version is given a distinguishing version number. If the Program
|
||||||
|
specifies a version number of this License which applies to it and "any
|
||||||
|
later version", you have the option of following the terms and conditions
|
||||||
|
either of that version or of any later version published by the Free
|
||||||
|
Software Foundation. If the Program does not specify a version number of
|
||||||
|
this License, you may choose any version ever published by the Free Software
|
||||||
|
Foundation.
|
||||||
|
|
||||||
|
10. If you wish to incorporate parts of the Program into other free
|
||||||
|
programs whose distribution conditions are different, write to the author
|
||||||
|
to ask for permission. For software which is copyrighted by the Free
|
||||||
|
Software Foundation, write to the Free Software Foundation; we sometimes
|
||||||
|
make exceptions for this. Our decision will be guided by the two goals
|
||||||
|
of preserving the free status of all derivatives of our free software and
|
||||||
|
of promoting the sharing and reuse of software generally.
|
||||||
|
|
||||||
|
NO WARRANTY
|
||||||
|
|
||||||
|
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
|
||||||
|
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
|
||||||
|
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
|
||||||
|
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
|
||||||
|
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
||||||
|
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
|
||||||
|
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
|
||||||
|
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
|
||||||
|
REPAIR OR CORRECTION.
|
||||||
|
|
||||||
|
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
|
||||||
|
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
|
||||||
|
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
|
||||||
|
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
|
||||||
|
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
|
||||||
|
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
|
||||||
|
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
|
||||||
|
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
|
||||||
|
POSSIBILITY OF SUCH DAMAGES.
|
||||||
|
|
||||||
|
END OF TERMS AND CONDITIONS
|
||||||
|
|
||||||
|
How to Apply These Terms to Your New Programs
|
||||||
|
|
||||||
|
If you develop a new program, and you want it to be of the greatest
|
||||||
|
possible use to the public, the best way to achieve this is to make it
|
||||||
|
free software which everyone can redistribute and change under these terms.
|
||||||
|
|
||||||
|
To do so, attach the following notices to the program. It is safest
|
||||||
|
to attach them to the start of each source file to most effectively
|
||||||
|
convey the exclusion of warranty; and each file should have at least
|
||||||
|
the "copyright" line and a pointer to where the full notice is found.
|
||||||
|
|
||||||
|
<one line to give the program's name and a brief idea of what it does.>
|
||||||
|
Copyright (C) <year> <name of author>
|
||||||
|
|
||||||
|
This program is free software; you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation; either version 2 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
This program is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License along
|
||||||
|
with this program; if not, write to the Free Software Foundation, Inc.,
|
||||||
|
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||||
|
|
||||||
|
Also add information on how to contact you by electronic and paper mail.
|
||||||
|
|
||||||
|
If the program is interactive, make it output a short notice like this
|
||||||
|
when it starts in an interactive mode:
|
||||||
|
|
||||||
|
Gnomovision version 69, Copyright (C) year name of author
|
||||||
|
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
|
||||||
|
This is free software, and you are welcome to redistribute it
|
||||||
|
under certain conditions; type `show c' for details.
|
||||||
|
|
||||||
|
The hypothetical commands `show w' and `show c' should show the appropriate
|
||||||
|
parts of the General Public License. Of course, the commands you use may
|
||||||
|
be called something other than `show w' and `show c'; they could even be
|
||||||
|
mouse-clicks or menu items--whatever suits your program.
|
||||||
|
|
||||||
|
You should also get your employer (if you work as a programmer) or your
|
||||||
|
school, if any, to sign a "copyright disclaimer" for the program, if
|
||||||
|
necessary. Here is a sample; alter the names:
|
||||||
|
|
||||||
|
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
|
||||||
|
`Gnomovision' (which makes passes at compilers) written by James Hacker.
|
||||||
|
|
||||||
|
<signature of Ty Coon>, 1 April 1989
|
||||||
|
Ty Coon, President of Vice
|
||||||
|
|
||||||
|
This General Public License does not permit incorporating your program into
|
||||||
|
proprietary programs. If your program is a subroutine library, you may
|
||||||
|
consider it more useful to permit linking proprietary applications with the
|
||||||
|
library. If this is what you want to do, use the GNU Lesser General
|
||||||
|
Public License instead of this License.
|
9
cache-cleaner
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
rm -f /var/cache/livepatch/*
|
||||||
|
|
||||||
|
for module in /sys/kernel/livepatch/*; do
|
||||||
|
/usr/bin/klp store_patch_info "${module#/sys/kernel/livepatch/}"
|
||||||
|
done
|
||||||
|
|
||||||
|
# vim: ai sw=4 et sts=4 ft=sh
|
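Review bot: The `for module in /sys/kernel/livepatch/*` loop has no guard for the empty case. When no live patch is loaded, bash leaves the pattern unexpanded and the body runs once, so `klp store_patch_info` is called with the argument `*`. Add `[ -e "$module" ] || continue` as the first line of the loop body, or set `shopt -s nullglob` before the loop. The script also runs `rm -f /var/cache/livepatch/*` before any new entry is written and never checks the exit status of `klp store_patch_info`, so a failed refresh leaves an empty cache without any message; checking the status and reporting the failure would make that visible.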
20
dracut-kernel-livepatch.sh
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
type getarg >/dev/null 2>&1 || . /lib/dracut-lib.sh
|
||||||
|
|
||||||
|
if getargbool 1 klp; then
|
||||||
|
modules=($(find "/lib/modules/$(uname -r)/livepatch" -type f | \
|
||||||
|
sed -rn 's:.*/(livepatch[^/]*)\.ko(\.[gx]z|\.zst)?$:\1:p'))
|
||||||
|
|
||||||
|
if test ${#modules[@]} -gt 0; then
|
||||||
|
for mod in "${modules[@]}"; do
|
||||||
|
info "[klp] Loading $mod"
|
||||||
|
modprobe "${mod##*/}"
|
||||||
|
done
|
||||||
|
else
|
||||||
|
info "[klp] No patches found"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
info "[klp] Disabled on kernel commandline, not loading any patches"
|
||||||
|
fi
|
||||||
|
|
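Review bot: In the loading loop the exit status of `modprobe "${mod##*/}"` is ignored, so a live patch that fails to load in the initrd leaves only the "[klp] Loading" info line and the boot continues unpatched without a trace. Log the failure, for example `modprobe "$mod" || warn "[klp] Failed to load $mod"`, using the `warn` helper from the dracut-lib.sh already sourced at the top. Two smaller points on the same block: the `modules` array is filled from unsorted `find` output through an unquoted command substitution, so the load order is whatever the file system returns, and piping through `sort` would make it deterministic if more than one live patch module can be present; and `${mod##*/}` is redundant because the sed expression already strips the directory and suffix.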
21
dracut-module-setup.sh
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
check()
|
||||||
|
{
|
||||||
|
test -d "$srcmods/livepatch"
|
||||||
|
}
|
||||||
|
|
||||||
|
install()
|
||||||
|
{
|
||||||
|
inst_hook pre-pivot 99 "$moddir/kernel-livepatch.sh"
|
||||||
|
inst_binary find
|
||||||
|
}
|
||||||
|
|
||||||
|
installkernel()
|
||||||
|
{
|
||||||
|
# Cannot use instmods =livepatch, because this syntax only
|
||||||
|
# works for subdirectories of subdirectories of $srcmods
|
||||||
|
find "$srcmods/livepatch" -type f -regex '.*\.ko\(\.[gx]z\|\.zst\)?$' -printf '%P\n' | \
|
||||||
|
hostonly='' instmods
|
||||||
|
}
|
||||||
|
|
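Review bot: install() pulls only `find` into the initrd, while the hook it installs, kernel-livepatch.sh, also calls `sed`, `uname` and `modprobe`. If those are expected to come from other dracut modules, say so in a comment or declare the dependency; otherwise list them explicitly, for example with `inst_multiple find sed uname modprobe`, so the hook does not break on a minimal image. In installkernel(), the suffix regex `\.ko\(\.[gx]z\|\.zst\)?$` duplicates the list in the hook's sed expression; a short comment noting that the two must be kept in sync would help the next compression format added.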
48
kernel-livepatch-subpackage
Normal file
@ -0,0 +1,48 @@
|
|||||||
|
%define _this_kmp_name %{-n*}-%(echo %2 | sed -r 'y/\./_/')
|
||||||
|
%package -n %_this_kmp_name
|
||||||
|
Release: %{-r*}
|
||||||
|
Summary: %summary
|
||||||
|
Group: %group
|
||||||
|
Supplements: packageand(%3:kernel-livepatch-tools)
|
||||||
|
Requires: coreutils grep
|
||||||
|
Requires: %3
|
||||||
|
Requires(post): kernel-livepatch-tools >= 1.2
|
||||||
|
Requires(postun): kernel-livepatch-tools >= 1.2
|
||||||
|
%description -n %_this_kmp_name
|
||||||
|
%(
|
||||||
|
for spec in {%_sourcedir,%_specdir}/%name.spec /dev/null; do
|
||||||
|
[ -e $spec ] && break
|
||||||
|
done
|
||||||
|
awk '
|
||||||
|
/^%%/ { in_desc = \
|
||||||
|
($0 ~ /^%%description[ \t]*$/ ||
|
||||||
|
$0 ~ /^%%description[ \t]+-n[ \t]*%name[ \t]*$/)
|
||||||
|
next }
|
||||||
|
in_desc { print }
|
||||||
|
' $spec
|
||||||
|
)
|
||||||
|
|
||||||
|
%pre -n %_this_kmp_name
|
||||||
|
nvr=%_this_kmp_name-%{version}-%{-r*}
|
||||||
|
/bin/bash -${-/e/} %{_libexecdir}/kernel-livepatch/rpm-helper check "$nvr" "%1" $1
|
||||||
|
|
||||||
|
%post -n %_this_kmp_name
|
||||||
|
nvr=%_this_kmp_name-%{version}-%{-r*}
|
||||||
|
/bin/bash -${-/e/} %{_libexecdir}/kernel-livepatch/rpm-helper install "$nvr" "%1" $1
|
||||||
|
|
||||||
|
%posttrans -n %_this_kmp_name
|
||||||
|
%{?regenerate_initrd_posttrans}
|
||||||
|
|
||||||
|
%postun -n %_this_kmp_name
|
||||||
|
nvr=%_this_kmp_name-%{version}-%{-r*}
|
||||||
|
/bin/bash -${-/e/} %{_libexecdir}/kernel-livepatch/rpm-helper remove "$nvr" "%1" $1
|
||||||
|
|
||||||
|
%files -n %_this_kmp_name
|
||||||
|
%defattr (-,root,root)
|
||||||
|
%if 0%{?suse_version} >= 1600
|
||||||
|
%dir /usr/lib/modules/%1
|
||||||
|
/usr/lib/modules/%1/livepatch
|
||||||
|
%else
|
||||||
|
%dir /lib/modules/%1
|
||||||
|
/lib/modules/%1/livepatch
|
||||||
|
%endif
|
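Review bot: The `%pre` scriptlet runs `%{_libexecdir}/kernel-livepatch/rpm-helper check`, but the preamble only declares `Requires(post)` and `Requires(postun)` on kernel-livepatch-tools >= 1.2. Without a matching `Requires(pre): kernel-livepatch-tools >= 1.2`, rpm gives no ordering guarantee that the helper is installed when `%pre` runs in the same transaction. The `/bin/bash -${-/e/}` invocation used in `%pre`, `%post` and `%postun` also deserves a one-line comment: it forwards the scriptlet shell's current option flags with `e` removed, which is not obvious to a reader, and it relies on the scriptlet interpreter supporting bash pattern substitution. In the `%description` helper, `[ -e $spec ]` and `' $spec` should quote `"$spec"`.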
300
kernel-livepatch-tools.changes
Normal file
@ -0,0 +1,300 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue May 14 14:12:02 UTC 2024 - Petr Mladek <pmladek@suse.com>
|
||||||
|
|
||||||
|
- Release version 1.4
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue May 14 14:09:59 UTC 2024 - Petr Mladek <pmladek@suse.com>
|
||||||
|
|
||||||
|
- kernel-livepatch-tools-devel produces livepatch packages
|
||||||
|
compatible with kernel-livepatch-tool >= 1.2
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue May 14 11:28:34 UTC 2024 - Petr Mladek <pmladek@suse.com>
|
||||||
|
|
||||||
|
- Fix installation paths for SL Micro 6.0 (jsc#PED-8219):
|
||||||
|
* %%{_libexecdir} newly pointing to /usr/libexec; update macros
|
||||||
|
calling kernel-livepatch/rpm-helper accordingly
|
||||||
|
* dracut files stay in /usr/lib/dracut
|
||||||
|
* rpm files stay in /usr/lib/rpm
|
||||||
|
+ kernel modules are installed under /usr/lib
|
||||||
|
- Keep backward compatibility with SLE15:
|
||||||
|
+ install the rpm macros in %%{_sysconfdir} when built for
|
||||||
|
SLE15 code base
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue May 14 09:09:46 UTC 2024 - Petr Mladek <pmladek@suse.com>
|
||||||
|
|
||||||
|
- Mark the package noarch. It is not architecture specific after
|
||||||
|
the klp-convert removal. But rather be conservative and do it
|
||||||
|
only for new products.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Jan 25 10:32:11 UTC 2024 - Lukáš Hruška <lukas.hruska@suse.com>
|
||||||
|
|
||||||
|
- Remove klp-convert from kernel-livepatch-tools-devel (bsc#1218644)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Jul 14 05:28:08 UTC 2022 - Libor Pechacek <lpechacek@suse.com>
|
||||||
|
|
||||||
|
- Move RPM macros away from /etc as hinted by RPMLINT
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Jul 1 20:31:28 UTC 2022 - Libor Pechacek <lpechacek@suse.com>
|
||||||
|
|
||||||
|
- klp.sh, rpm-helper: Cache live patch metadata (bsc#1191344)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Jun 24 08:12:45 UTC 2022 - Libor Pechacek <lpechacek@suse.com>
|
||||||
|
|
||||||
|
- klp.sh: Add patch expiration info to klp -vv patches output
|
||||||
|
(jsc#SLE-23644)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Jun 10 10:05:16 UTC 2022 - Libor Pechacek <lpechacek@suse.com>
|
||||||
|
|
||||||
|
- rpm-helper: Avoid error messages in the absence of the
|
||||||
|
sysconfig file (bsc#1200407)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Nov 22 09:51:14 UTC 2021 - Libor Pechacek <lpechacek@suse.com>
|
||||||
|
|
||||||
|
- Add support for ZSTD kernel module compression (jsc#SLE-21256)
|
||||||
|
- klp.man,klp.sh: Fix option description and parsing
|
||||||
|
- klp.man: Drop the extra 'check' command description
|
||||||
|
- klp.sh: Add 'downgrade' command (jsc#SLE-23644)
|
||||||
|
- klp.man: Fix formatting, correct typos, adjust wording
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Sep 3 14:51:38 UTC 2021 - Libor Pechacek <lpechacek@suse.com>
|
||||||
|
|
||||||
|
- Introduce controlled live patch deployment to solve the
|
||||||
|
incompatibility with the transactional server role. The
|
||||||
|
deployment mode is defined in /etc/sysconfig/livepatching.
|
||||||
|
(bsc#1187780)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Oct 7 09:16:05 UTC 2020 - Libor Pechacek <lpechacek@suse.com>
|
||||||
|
|
||||||
|
- Add support for compressed kernel modules (jsc#SLE-10886)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed May 13 13:23:11 UTC 2020 - Libor Pechacek <lpechacek@suse.com>
|
||||||
|
|
||||||
|
- Fix interference with System Z boot sequence - no Grub prompt
|
||||||
|
(bsc#1171301)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Apr 21 19:24:45 UTC 2020 - Libor Pechacek <lpechacek@suse.com>
|
||||||
|
|
||||||
|
- Fix absence of live patch from initrd (bsc#1169827)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Nov 4 12:09:53 UTC 2019 - Libor Pechacek <lpechacek@suse.com>
|
||||||
|
|
||||||
|
- Remove klp-kvm-l1tf-ctrl-smt script previously used for
|
||||||
|
disabling SMT (bsc#1154648)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Sep 24 11:12:01 UTC 2019 - Libor Pechacek <lpechacek@suse.com>
|
||||||
|
|
||||||
|
- Remove superfluous self-Provides: from live patches
|
||||||
|
(bsc#1151657)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Sep 6 13:56:21 UTC 2019 - Libor Pechacek <lpechacek@suse.com>
|
||||||
|
|
||||||
|
- Simplify rpm-helper invocation in preparation for handling
|
||||||
|
non-standard kernels. As rpm-helper argument ordering changed,
|
||||||
|
package version has been bumped and Requires: for post/postun
|
||||||
|
scripts are now versioned. (bsc#1149422)
|
||||||
|
- rpm macros: fix dependencies against -rc kernels (bsc#1149422)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Apr 5 18:24:40 UTC 2019 - Joao Moreira <jmoreira@suse.com>
|
||||||
|
|
||||||
|
- Fix zero-index and .TOC. relocations in klp-convert (bsc#1129076)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Jan 28 07:26:16 UTC 2019 - lpechacek@suse.com
|
||||||
|
|
||||||
|
- Use kernel source hash for dependencies (fate#325312)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Dec 4 03:31:29 UTC 2018 - jmoreira@suse.com
|
||||||
|
|
||||||
|
- Build klp-convert without kernel-default-devel dependency
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Nov 20 20:01:12 UTC 2018 - jmoreira@suse.com
|
||||||
|
|
||||||
|
- Add klp-convert to kernel-livepatch-tools-devel (fate#326849)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Aug 14 13:13:35 UTC 2018 - lpechacek@suse.com
|
||||||
|
|
||||||
|
- Add script for disabling SMT (bsc#1099306)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Apr 3 10:57:52 UTC 2018 - lpechacek@suse.com
|
||||||
|
|
||||||
|
- klp.sh: Fix blocking tasks display (bsc#1087476)
|
||||||
|
- klp.sh: Fix klp check
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Mar 9 08:55:16 UTC 2018 - lpechacek@suse.com
|
||||||
|
|
||||||
|
- kgr.sh, kgr.man: Compatibility wrapper added (bsc#1084612)
|
||||||
|
- Fix Obsoletes:/Provides:
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Dec 13 14:20:23 UTC 2017 - lpechacek@suse.com
|
||||||
|
|
||||||
|
- klp.man: Better describe klp -v patches output (bsc#1072162)
|
||||||
|
- klp.man: Document klp check command (bsc#1051711)
|
||||||
|
- klp.sh: Use KLP: change log records (bsc#1072117)
|
||||||
|
- klp.sh: Fix thread command line display in kgr -vv blocking
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Nov 1 14:59:58 UTC 2017 - lpechacek@suse.com
|
||||||
|
|
||||||
|
- Version bump and Obsoletes: added (fate#323682)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Oct 30 10:53:21 UTC 2017 - lpechacek@suse.com
|
||||||
|
|
||||||
|
- rename kGraft to Kernel Live Patching (fate#323682)
|
||||||
|
dracut-kgraft-patch.sh -> dracut-kernel-livepatch.sh
|
||||||
|
kgraft-rpm-helper -> rpm-helper
|
||||||
|
kgraft-module-subpackage -> kernel-livepatch-subpackage
|
||||||
|
kgraft.changes -> kernel-livepatch-tools.changes
|
||||||
|
kgraft.spec -> kernel-livepatch-tools.spec
|
||||||
|
kgr.man -> klp.man
|
||||||
|
kgr.sh -> klp.sh
|
||||||
|
macros.kgraft -> macros.kernel-livepatch
|
||||||
|
kgraft-patch* modules are now livepatch* and live in
|
||||||
|
/lib/modules/$(uname -r)/livepatch
|
||||||
|
- adapt the tools to Kernel Live Patching (fate#323504)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Jun 15 18:19:53 UTC 2017 - lpechacek@suse.com
|
||||||
|
|
||||||
|
- exclusively use Fixes tag for kgr -v patches output
|
||||||
|
- kgr.sh: Correct typos
|
||||||
|
- Provide more debugging information in RPM post-trans script
|
||||||
|
(bsc#1041710)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Jan 2 10:53:15 UTC 2017 - lpechacek@suse.com
|
||||||
|
|
||||||
|
- Fix raw reference count leak in kgr -v patches (bsc#1006780)
|
||||||
|
- Make kgr useful for non-root users (bsc#989374)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Jan 5 12:33:25 UTC 2016 - lpechacek@suse.com
|
||||||
|
|
||||||
|
- kgr.sh: Indicate initial patch in kgr patches (bsc#939130)
|
||||||
|
- kgr.sh: Use Fixes tag for kgr -v patches output (bsc#939130)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Sep 22 07:24:51 UTC 2015 - lpechacek@suse.com
|
||||||
|
|
||||||
|
- kgr.sh: provide more useful information in 'patches' output
|
||||||
|
(bsc#939131)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Sep 1 11:34:49 UTC 2015 - mmarek@suse.cz
|
||||||
|
|
||||||
|
- kgraft-rpm-helper: Fix regexp for unused kgraft patches
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri May 29 06:29:25 UTC 2015 - lpechacek@suse.com
|
||||||
|
|
||||||
|
- kgr.sh: Fix process migration race in kgr poke (bsc#932505)
|
||||||
|
- kgr.sh: Introduce blocking_threads (bsc#931843)
|
||||||
|
- kgr.sh: Write out help when no command is provided (bnc#916191)
|
||||||
|
- kgr.sh: Deal with exiting processes (bsc#912900)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Jan 12 08:26:59 UTC 2015 - lpechacek@suse.com
|
||||||
|
|
||||||
|
- Added license file (bsc#912640)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Dec 1 15:01:33 UTC 2014 - mmarek@suse.cz
|
||||||
|
|
||||||
|
- Fix unloading of unused modules (bnc#907788)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Nov 25 15:43:28 UTC 2014 - mmarek@suse.cz
|
||||||
|
|
||||||
|
- Unload unused patches before installing a new patch (fate#318188)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Nov 24 13:57:54 UTC 2014 - mmarek@suse.cz
|
||||||
|
|
||||||
|
- Automatically name the packages as kgraft-patch-<kver>-<flavor>.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Nov 21 15:58:38 UTC 2014 - mmarek@suse.cz
|
||||||
|
|
||||||
|
- Use kernel-<flavor>-<version>-<release> in Supplements (bnc#901925)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Nov 21 15:55:40 UTC 2014 - mmarek@suse.cz
|
||||||
|
|
||||||
|
- Wait for the global kGraft flag to be cleared (bnc#905087)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Nov 12 11:10:36 UTC 2014 - mmarek@suse.cz
|
||||||
|
|
||||||
|
- Regenerate the initrd on package removal (bnc#904867)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Nov 11 21:52:41 UTC 2014 - mmarek@suse.com
|
||||||
|
|
||||||
|
- Do not run the preinstall check if the target kernel is not
|
||||||
|
running (bnc#904963)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Nov 11 21:13:20 UTC 2014 - mmarek@suse.com
|
||||||
|
|
||||||
|
- Do not duplicate the kernel version in the package version
|
||||||
|
(bnc#904668)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Nov 10 13:36:12 UTC 2014 - mmarek@suse.cz
|
||||||
|
|
||||||
|
- Switch to Supplements: packageand(kernel-<flavor>:kgraft)
|
||||||
|
(bnc#901925).
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Oct 27 14:07:06 UTC 2014 - lpechacek@suse.com
|
||||||
|
|
||||||
|
- Add Supplements: kernel-<flavor>
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Oct 7 16:12:18 UTC 2014 - lpechacek@suse.com
|
||||||
|
|
||||||
|
- Sanitized .spec file
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Oct 2 12:18:46 UTC 2014 - lpechacek@suse.com
|
||||||
|
|
||||||
|
- Added kgr tool
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu May 15 16:04:14 UTC 2014 - mmarek@suse.com
|
||||||
|
|
||||||
|
- Flag the initrd to be regenerated on removal of a kgraft patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu May 15 13:49:10 UTC 2014 - mmarek@suse.com
|
||||||
|
|
||||||
|
- Add kgraft dracut module
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed May 14 20:17:18 UTC 2014 - mmarek@suse.com
|
||||||
|
|
||||||
|
- Package kGraft scripts and macros (fate#313296)
|
||||||
|
|
134
kernel-livepatch-tools.spec
Normal file
@ -0,0 +1,134 @@
|
|||||||
|
#
|
||||||
|
# spec file for package kernel-livepatch-tools
|
||||||
|
#
|
||||||
|
# Copyright (c) 2024 SUSE LLC
|
||||||
|
#
|
||||||
|
# All modifications and additions to the file contributed by third parties
|
||||||
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
|
# upon. The license for this file, and modifications and additions to the
|
||||||
|
# file, is the same license as for the pristine package itself (unless the
|
||||||
|
# license for the pristine package is not an Open Source License, in which
|
||||||
|
# case the license is the MIT License). An "Open Source License" is a
|
||||||
|
# license that conforms to the Open Source Definition (Version 1.9)
|
||||||
|
# published by the Open Source Initiative.
|
||||||
|
|
||||||
|
# Please submit bugfixes or comments via http://bugs.opensuse.org/
|
||||||
|
#
|
||||||
|
|
||||||
|
# From dracut package
|
||||||
|
%define dracutlibdir %{_prefix}/lib/dracut
|
||||||
|
|
||||||
|
Name: kernel-livepatch-tools
|
||||||
|
Version: 1.4
|
||||||
|
Release: 0
|
||||||
|
Summary: Scripts for installing kernel live patches
|
||||||
|
License: GPL-2.0-only
|
||||||
|
Group: System/Kernel
|
||||||
|
Source1: rpm-helper
|
||||||
|
Source2: dracut-module-setup.sh
|
||||||
|
Source3: dracut-kernel-livepatch.sh
|
||||||
|
Source4: kernel-livepatch-subpackage
|
||||||
|
Source5: macros.kernel-livepatch
|
||||||
|
Source6: klp.sh
|
||||||
|
Source7: klp.man
|
||||||
|
Source8: COPYING
|
||||||
|
Source12: sysconfig.livepatching
|
||||||
|
Source13: cache-cleaner
|
||||||
|
Source14: systemd-default-klp.preset
|
||||||
|
Source15: systemd-klp-info-cache.service
|
||||||
|
# compatibility with SLE 12, to be removed in SLE > 15
|
||||||
|
Source50: kgr.sh
|
||||||
|
Source51: kgr.man
|
||||||
|
Provides: kgraft = %version
|
||||||
|
Obsoletes: kgraft < %version
|
||||||
|
%if 0%{?suse_version} >= 1600
|
||||||
|
BuildArch: noarch
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%description
|
||||||
|
This package contains a helper script used when installing kernel live patch
|
||||||
|
packages and kernel live patch monitoring tool.
|
||||||
|
|
||||||
|
%package devel
|
||||||
|
Summary: Macros for building kernel live patches
|
||||||
|
Group: Development/Tools/Building
|
||||||
|
# The OBS build does a testinstallation of all built packages, which needs
|
||||||
|
# the kernel-livepatch-tools runtime package
|
||||||
|
Requires: %{name}
|
||||||
|
Requires: kmod-compat
|
||||||
|
|
||||||
|
%description devel
|
||||||
|
This package contains RPM macro definitions for building kernel live patch
|
||||||
|
packages.
|
||||||
|
|
||||||
|
%prep
|
||||||
|
%setup -q -Tc
|
||||||
|
cp %{_sourcedir}/{rpm-helper,dracut-{module-setup,kernel-livepatch}.sh,sysconfig.livepatching} .
|
||||||
|
cp %{_sourcedir}/{kernel-livepatch-subpackage,macros.kernel-livepatch} .
|
||||||
|
cp %{_sourcedir}/k{lp,gr}.{sh,man} .
|
||||||
|
cp %{_sourcedir}/{cache-cleaner,systemd-{default-klp.preset,klp-info-cache.service}} .
|
||||||
|
cp %{_sourcedir}/COPYING .
|
||||||
|
|
||||||
|
%build
|
||||||
|
|
||||||
|
%install
|
||||||
|
install -D rpm-helper %{buildroot}%{_libexecdir}/kernel-livepatch/rpm-helper
|
||||||
|
install -D dracut-module-setup.sh \
|
||||||
|
%{buildroot}%{dracutlibdir}/modules.d/99kernel-livepatch/module-setup.sh
|
||||||
|
install -D dracut-kernel-livepatch.sh \
|
||||||
|
%{buildroot}%{dracutlibdir}/modules.d/99kernel-livepatch/kernel-livepatch.sh
|
||||||
|
install -D -m0644 kernel-livepatch-subpackage %{buildroot}%{_prefix}/lib/rpm/kernel-livepatch-subpackage
|
||||||
|
%if 0%{?suse_version} >= 1600
|
||||||
|
install -D -m0644 macros.kernel-livepatch %{buildroot}%{_rpmmacrodir}/macros.kernel-livepatch
|
||||||
|
%else
|
||||||
|
install -D -m0644 macros.kernel-livepatch %{buildroot}%{_sysconfdir}/rpm/macros.kernel-livepatch
|
||||||
|
%endif
|
||||||
|
install -D -m0755 klp.sh %{buildroot}%{_bindir}/klp
|
||||||
|
install -D -m0755 kgr.sh %{buildroot}%{_bindir}/kgr
|
||||||
|
sed -i 's/@@VERSION@@/%{version}-%{release}/' %{buildroot}%{_bindir}/klp
|
||||||
|
install -d %{buildroot}%{_mandir}/man8
|
||||||
|
gzip -c9 klp.man > %{buildroot}%{_mandir}/man8/klp.8.gz
|
||||||
|
gzip -c9 kgr.man > %{buildroot}%{_mandir}/man8/kgr.8.gz
|
||||||
|
install -D -m0755 cache-cleaner %{buildroot}%{_libexecdir}/kernel-livepatch/cache-cleaner
|
||||||
|
install -D -m0644 systemd-klp-info-cache.service %{buildroot}/%{_unitdir}/klp-info-cache.service
|
||||||
|
install -D -m0644 systemd-default-klp.preset %{buildroot}/%{_presetdir}/60-default-klp.preset
|
||||||
|
install -d %{buildroot}%{_docdir}
|
||||||
|
install -D -m 644 sysconfig.livepatching %{buildroot}%{_fillupdir}/sysconfig.livepatching
|
||||||
|
install -d %{buildroot}%{_localstatedir}/cache/livepatch/
|
||||||
|
|
||||||
|
%pre
|
||||||
|
%service_add_pre klp-info-cache.service
|
||||||
|
|
||||||
|
%post
|
||||||
|
%service_add_post klp-info-cache.service
|
||||||
|
%{fillup_only -n livepatching}
|
||||||
|
|
||||||
|
%preun
|
||||||
|
%service_del_preun klp-info-cache.service
|
||||||
|
|
||||||
|
%postun
|
||||||
|
%service_del_postun klp-info-cache.service
|
||||||
|
|
||||||
|
%files
|
||||||
|
%{_libexecdir}/kernel-livepatch
|
||||||
|
%dir %{dracutlibdir}
|
||||||
|
%dir %{dracutlibdir}/modules.d
|
||||||
|
%{dracutlibdir}/modules.d/99kernel-livepatch
|
||||||
|
%{_bindir}/k{lp,gr}
|
||||||
|
%{_mandir}/man8/k{lp,gr}.8%{ext_man}
|
||||||
|
%{_fillupdir}/*
|
||||||
|
%dir %{_localstatedir}/cache/livepatch/
|
||||||
|
%{_libexecdir}/kernel-livepatch/cache-cleaner
|
||||||
|
%{_unitdir}/klp-info-cache.service
|
||||||
|
%{_presetdir}/60-default-klp.preset
|
||||||
|
%license COPYING
|
||||||
|
|
||||||
|
%files devel
|
||||||
|
%if 0%{?suse_version} >= 1600
|
||||||
|
%{_rpmmacrodir}/macros.kernel-livepatch
|
||||||
|
%else
|
||||||
|
%{_sysconfdir}/rpm/macros.kernel-livepatch
|
||||||
|
%endif
|
||||||
|
%{_prefix}/lib/rpm/kernel-livepatch-subpackage
|
||||||
|
|
||||||
|
%changelog
|
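Review bot: The `sed -i 's/@@VERSION@@/%{version}-%{release}/'` step in %install is applied only to %{buildroot}%{_bindir}/klp, but kgr.sh in this same commit also carries `PKGVERSION="@@VERSION@@"`, so `kgr --version` will print the literal placeholder. Run the substitution over both installed scripts. Separately, /var/cache/livepatch is created with a bare `install -d` and packaged as a plain `%dir`; since klp.sh sources files from that directory as shell code (`. "$CACHE_FILE"`), state its owner and mode explicitly, for example `%attr(0755,root,root) %dir`, so the package records the permissions the script depends on instead of inheriting defaults. Minor: cache-cleaner is listed in %files twice (once through %{_libexecdir}/kernel-livepatch, once by name), and `-m 644` on the sysconfig line differs from the `-m0644` style used on the other install lines.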
83
kgr.man
Normal file
@ -0,0 +1,83 @@
|
|||||||
|
.\" Libor Pechacek <lpechacek@suse.com>
|
||||||
|
.\"
|
||||||
|
.TH KLP 8 2017-12-13 "SLES 15" "SLE Live Patching"
|
||||||
|
.SH NAME
|
||||||
|
kgr \- compatibility wrapper for migration from kGraft / SLE 12
|
||||||
|
.SH SYNOPSIS
|
||||||
|
.ll +8
|
||||||
|
.B kgr
|
||||||
|
.RB [ " \-hv " ]
|
||||||
|
.RI COMMAND
|
||||||
|
.ll -8
|
||||||
|
.SH DESCRIPTION
|
||||||
|
.I kgr
|
||||||
|
is a lightweight wrapper for the new klp tool. It is provided for smooth
|
||||||
|
migration from SLE 12 and will be removed in future SLE releases.
|
||||||
|
.SH COMMANDS
|
||||||
|
.TP
|
||||||
|
.B status
|
||||||
|
See klp(1) for description.
|
||||||
|
.TP
|
||||||
|
.B check
|
||||||
|
See klp(1) for description.
|
||||||
|
.TP
|
||||||
|
.B patches
|
||||||
|
See klp(1) for description.
|
||||||
|
.TP
|
||||||
|
.B blocking
|
||||||
|
See klp(1) for description. Unlike the SLE 12 implementation, this command
|
||||||
|
displays execution threads. Processes display is known to be incomplete for
|
||||||
|
multi-threaded applications.
|
||||||
|
.TP
|
||||||
|
.B blocking_threads
|
||||||
|
Obsolete command.
|
||||||
|
Same as
|
||||||
|
.I kgr
|
||||||
|
.IR blocking .
|
||||||
|
.TP
|
||||||
|
.B poke
|
||||||
|
Obsolete command. Send STOP and CONT signals to processess that are blocking
|
||||||
|
kGraft progress. See
|
||||||
|
.SM
|
||||||
|
.B CAVEATS
|
||||||
|
for discussion about this method.
|
||||||
|
.SH OPTIONS
|
||||||
|
.TP
|
||||||
|
.B \-h --help
|
||||||
|
Display a help screen and quit.
|
||||||
|
.TP
|
||||||
|
.B \-v --verbose
|
||||||
|
Verbose. Makes
|
||||||
|
.I kgr
|
||||||
|
print out process command line with
|
||||||
|
.B blocking
|
||||||
|
and
|
||||||
|
.B blocking_threads
|
||||||
|
commands.
|
||||||
|
Another
|
||||||
|
.B \-v
|
||||||
|
will display also strack traces.
|
||||||
|
.TP
|
||||||
|
.B \--version
|
||||||
|
Version. Display the version number.
|
||||||
|
.SH EXIT STATUS
|
||||||
|
With
|
||||||
|
.B
|
||||||
|
check
|
||||||
|
command the exit status is 0 when system is ready for kernel live patching and
|
||||||
|
1 when patching is in progress. For other commands the exit status is 0 upon
|
||||||
|
successful command completion and 1 upon error.
|
||||||
|
.SH CAVEATS
|
||||||
|
By design, kGraft technology requires the processes to cross the user
|
||||||
|
space/kernel boundary to present them with the patched kernel code. Processes
|
||||||
|
that sleep in kernel code at the time the patch module is loaded will prevent
|
||||||
|
patching process from finishing until they leave kernel space. These processes
|
||||||
|
usually leave kernel after the event, for which they are waiting, happens or
|
||||||
|
timeout elapses.
|
||||||
|
.P
|
||||||
|
Sending regular processes STOP signal followed by CONT signal achieves the
|
||||||
|
goal of making them to cross the user space/kernel boundary immediately. However, this
|
||||||
|
method may not be suitable for all processes running in the system and does not
|
||||||
|
apply to kernel threads and processess in
|
||||||
|
.B D
|
||||||
|
process state. This method is also known to interfere with shell job control.
|
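Review bot: The command descriptions point readers at klp(1), but the spec in this commit installs both pages into man8 (klp.8.gz and kgr.8.gz), so the cross-references should read klp(8). The `.TH` line still says KLP; for this page it should be KGR. OPTIONS documents `--verbose`, which the getopts loop in kgr.sh does not accept (only `-v`, `--help` and `--version` are handled), so either drop it from the page or add the case to the script. The long options are written with unescaped hyphens (`.B \-h --help`), unlike the `\-\-help` form used in klp.man. Typos in the added text: "processess" (twice) and "strack traces".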
81
kgr.sh
Normal file
@ -0,0 +1,81 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Compatibility wrapper for kGraft / SLE 12
|
||||||
|
# Will be removed in future SLE releases
|
||||||
|
# Libor Pechacek <lpechacek@suse.com>
|
||||||
|
|
||||||
|
unset VERBOSE
|
||||||
|
unset VERBOSE_OPT
|
||||||
|
|
||||||
|
function kgr_poke_processes() {
|
||||||
|
if [[ $EUID -ne 0 ]]; then
|
||||||
|
echo "Warning: running as non-root user, only this user's processes will be poked" >&2
|
||||||
|
fi
|
||||||
|
|
||||||
|
for PROC in /proc/[0-9]*; do
|
||||||
|
if [ 0$(cat $PROC/kgr_in_progress 2>/dev/null) -ne 0 ]; then
|
||||||
|
PID=$(echo $PROC | cut -d/ -f3)
|
||||||
|
if [ -n "$VERBOSE" ]; then
|
||||||
|
echo "sending $PID STOP/CONT"
|
||||||
|
fi
|
||||||
|
kill -STOP $PID
|
||||||
|
# give kernel time to distribute the signal to all threads
|
||||||
|
sleep .1
|
||||||
|
kill -CONT $PID
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
USAGE="Usage: $0 [-h][-v] COMMAND
|
||||||
|
Compatibility wrapper for migration from kGraft / SLE 12. Use klp(1) in new
|
||||||
|
applications. This wrappere will be removed in future SLE releases.
|
||||||
|
|
||||||
|
Commands:
|
||||||
|
status: display the overall status of kernel live patching
|
||||||
|
patches: display the list of loaded patches
|
||||||
|
blocking: list execution threads that are preventing kernel
|
||||||
|
live patching from finishing
|
||||||
|
blocking_threads: (obsolete) same as blocking
|
||||||
|
poke: (obsolete) move forward with the kernel live patching by
|
||||||
|
sending STOP and CONT signal to the pending processes
|
||||||
|
|
||||||
|
Options:
|
||||||
|
-h print this help
|
||||||
|
-v more detailed output
|
||||||
|
|
||||||
|
Report bugs at https://bugzilla.suse.com/."
|
||||||
|
PKGVERSION="@@VERSION@@"
|
||||||
|
|
||||||
|
while getopts vh-: opt
|
||||||
|
do
|
||||||
|
case $opt$OPTARG in
|
||||||
|
-help|h)
|
||||||
|
exec echo "$USAGE" ;;
|
||||||
|
-version)
|
||||||
|
exec echo "kgr $PKGVERSION" ;;
|
||||||
|
v) VERBOSE=$((${VERBOSE:-0} + 1))
|
||||||
|
VERBOSE_OPT="$VERBOSE_OPT -v";;
|
||||||
|
*)
|
||||||
|
echo "$0: try '$0 --help'" >&2; exit 1 ;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
|
||||||
|
shift `expr $OPTIND - 1`
|
||||||
|
|
||||||
|
if [ $# -ne 1 ]; then
|
||||||
|
echo -e "Error: no command provided\n" >&2
|
||||||
|
echo "$USAGE"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
case $1 in
|
||||||
|
blocking) exec klp $VERBOSE_OPT blocking ;;
|
||||||
|
blocking_threads) exec klp $VERBOSE_OPT blocking ;;
|
||||||
|
poke) kgr_poke_processes ;;
|
||||||
|
status) exec klp $VERBOSE_OPT status ;;
|
||||||
|
check) exec klp $VERBOSE_OPT check ;;
|
||||||
|
patches) exec klp $VERBOSE_OPT patches ;;
|
||||||
|
*) echo "Error: unknown command \`$1'"; exit 1 ;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
# vim: ai sw=4 et sts=4 ft=sh
|
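Review bot: kgr_poke_processes sends `kill -STOP $PID` and resumes the process only after `sleep .1`, with no trap in between, so interrupting the script inside that window leaves the target stopped; install a trap that sends CONT to the PID currently being poked. The loop also keys on /proc/<pid>/kgr_in_progress with read errors discarded, while klp.sh in this commit tracks state through /sys/kernel/livepatch/*/transition and the per-task patch_state file; where kgr_in_progress is absent, `kgr poke` does nothing and still exits 0, which deserves at least a message on stderr. In the argument check, `[ $# -ne 1 ]` reports "no command provided" when too many arguments are given as well. The usage text omits the `check` command that the final case statement handles and contains the typo "wrappere", and the unknown-command error is written to stdout rather than stderr.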
112
klp.man
Normal file
@ -0,0 +1,112 @@
|
|||||||
|
.\" Libor Pechacek <lpechacek@suse.com>
|
||||||
|
.\"
|
||||||
|
.TH KLP 8 2021-03-24 "SLES 15" "SLE Live Patching"
|
||||||
|
.SH NAME
|
||||||
|
klp \- query kernel live patching status
|
||||||
|
.SH SYNOPSIS
|
||||||
|
.ll +8
|
||||||
|
.B klp
|
||||||
|
.RB [ " \-hv " ]
|
||||||
|
.RI COMMAND
|
||||||
|
.ll -8
|
||||||
|
.SH DESCRIPTION
|
||||||
|
.I klp
|
||||||
|
command can be used for getting a quick overview of the kernel live patching status.
|
||||||
|
For some of the commands, the output can be made more verbose by using the
|
||||||
|
.B \-v
|
||||||
|
option.
|
||||||
|
.SH COMMANDS
|
||||||
|
.TP
|
||||||
|
.B status
|
||||||
|
Display the overall status of kernel live patching (ready or in_progress)
|
||||||
|
.TP
|
||||||
|
.B check
|
||||||
|
Indicate the overall kernel live patching status with exit code. This command
|
||||||
|
is intended for use in scripts.
|
||||||
|
.TP
|
||||||
|
.B patches
|
||||||
|
Display the list of loaded patches. By default, the command prints out only
|
||||||
|
kernel modules that contain live patches. With
|
||||||
|
.B \-v
|
||||||
|
additional fields are printed.
|
||||||
|
.I Active
|
||||||
|
tells whether the patch is currently in use or can be unloaded.
|
||||||
|
.I RPM
|
||||||
|
shows the RPM package name in which the kernel live patch was distributed. The
|
||||||
|
.I CVE
|
||||||
|
section lists fixes included in this live patch, which have CVE numbers
|
||||||
|
assigned. The
|
||||||
|
.I "Bug fixes and enhancements"
|
||||||
|
part lists changes included in this live patch, which do not have CVEs assigned.
|
||||||
|
More information about individual changes can be found in the patch RPM
|
||||||
|
package changelog, SUSE Security Advisories, CVE database, and the patch RPM
|
||||||
|
source code. Another
|
||||||
|
.B \-v
|
||||||
|
will display patch expiration and update status information.
|
||||||
|
.TP
|
||||||
|
.B blocking
|
||||||
|
List process threads that are preventing live patching from finishing. By
|
||||||
|
default, just the PIDs are listed. By specifying the
|
||||||
|
.B \-v
|
||||||
|
option will make
|
||||||
|
.I klp
|
||||||
|
print out the process command line. Another
|
||||||
|
.B \-v
|
||||||
|
will display also stack traces if available.
|
||||||
|
.TP
|
||||||
|
.B downgrade
|
||||||
|
Replace the current kernel live patch with its previous version. The tool
|
||||||
|
first constructs a system management command for the downgrade and, after
|
||||||
|
confirmation, performs the downgrade. Specifying the non\(hyinteractive
|
||||||
|
mode with
|
||||||
|
.B \-n
|
||||||
|
will make
|
||||||
|
.I klp
|
||||||
|
skip the confirmation.
|
||||||
|
.TP
|
||||||
|
.SH OPTIONS
|
||||||
|
.TP
|
||||||
|
.B \-h, \-\-help
|
||||||
|
Display a help screen and quit.
|
||||||
|
.TP
|
||||||
|
.B \-n, \-\-non\-interactive
|
||||||
|
Switches to non\(hyinteractive mode and assumes "yes" on interactive commands.
|
||||||
|
.TP
|
||||||
|
.B \-v, \-\-verbose
|
||||||
|
Verbose. Makes
|
||||||
|
.I klp
|
||||||
|
print out process command line with
|
||||||
|
.B blocking
|
||||||
|
command.
|
||||||
|
Another
|
||||||
|
.B \-v
|
||||||
|
will also display stack traces.
|
||||||
|
.TP
|
||||||
|
.B \-\-version
|
||||||
|
Version. Display the version number.
|
||||||
|
.SH CAVEATS
|
||||||
|
By design, kernel live patching technology requires the processes to cross the
|
||||||
|
userspace/kernel boundary to present them with the patched kernel code. Processes
|
||||||
|
that execute kernel code at the time the patch module is loaded will prevent
|
||||||
|
the patching process from finishing until they leave kernel space. These processes
|
||||||
|
usually leave kernel after the event for which they are waiting happens or
|
||||||
|
timeout elapses. As an optimization, the kernel live patching core will not
|
||||||
|
consider processes that do not interact with the live patch being applied in
|
||||||
|
the above migration. The live patching core will also "wake up" sleeping
|
||||||
|
processes in a userspace transparent way, making the patch application progress.
|
||||||
|
.P
|
||||||
|
Despite the above measures, processes in
|
||||||
|
.B D
|
||||||
|
process state can prevent the patch from fully applying, and also kernel threads can
|
||||||
|
become a blocker under certain conditions.
|
||||||
|
.SH CHANGES FROM KGR TOOL
|
||||||
|
.I klp
|
||||||
|
tool is a modernized version of the previous
|
||||||
|
.I kgr
|
||||||
|
tool distributed with SUSE Linux Enterprise 12. It leaves out the
|
||||||
|
.B poke
|
||||||
|
functionality, which is now implemented in the kernel, and
|
||||||
|
.B blocking_threads
|
||||||
|
display, which is the default operation of
|
||||||
|
.I klp blocking
|
||||||
|
command.
|
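Review bot: The `check` entry says the status is reported through the exit code and that the command is intended for scripts, but the page never states which codes are returned; kgr.man in this commit has an EXIT STATUS section (0 when the system is ready, 1 when patching is in progress) and klp.man needs the same so callers can rely on it. SYNOPSIS lists only `[ \-hv ]` although OPTIONS documents `\-n`. There is a stray `.TP` directly before `.SH OPTIONS`, left after the downgrade entry. Wording: "By specifying the \-v option will make klp print" should read "Specifying the \-v option makes klp print".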
280
klp.sh
Normal file
@ -0,0 +1,280 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Check kernel live patching status
|
||||||
|
# Libor Pechacek <lpechacek@suse.com>
|
||||||
|
|
||||||
|
unset VERBOSE
|
||||||
|
|
||||||
|
function klp_in_progress() {
|
||||||
|
for p in /sys/kernel/livepatch/*; do
|
||||||
|
[ 0$(cat "$p/transition" 2>/dev/null) -ne 0 ] && return 0
|
||||||
|
done
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
|
||||||
|
function klp_dump_blocking_threads() {
|
||||||
|
if [[ $EUID -ne 0 ]]; then
|
||||||
|
echo "Warning: running as non-root user, display will be limited" >&2
|
||||||
|
fi
|
||||||
|
|
||||||
|
unset PIDS
|
||||||
|
|
||||||
|
TRANSITIONING_PATCH="$(grep -ls '^1$' /sys/kernel/livepatch/*/transition | head -n1)"
|
||||||
|
|
||||||
|
if [ -n "$TRANSITIONING_PATCH" ]; then
|
||||||
|
TRANSITION_DIRECTION=$(cat "${TRANSITIONING_PATCH/%\/transition/\/enabled}")
|
||||||
|
|
||||||
|
for DIR in /proc/[0-9]*/task/[0-9]*; do
|
||||||
|
PATCH_STATE=$(cat $DIR/patch_state 2>/dev/null)
|
||||||
|
if [ -n "$PATCH_STATE" ] && [ "$PATCH_STATE" -ge 0 \
|
||||||
|
-a "$PATCH_STATE" -ne "$TRANSITION_DIRECTION" ]; then
|
||||||
|
PID=${DIR#/proc/}
|
||||||
|
PID=${PID%/task/*}
|
||||||
|
TID=${DIR#*/task/}
|
||||||
|
if [ -n "$VERBOSE" ]; then
|
||||||
|
COMM="$(cat $DIR/cmdline 2>/dev/null | tr \\0 \ )"
|
||||||
|
# fallback to the command name, for example for kernel threads
|
||||||
|
[ -z "$COMM" ] && COMM="[$(cat $DIR/comm 2>/dev/null | tr \\0 \ )]"
|
||||||
|
if [ ${VERBOSE:-0} -gt 1 ]; then
|
||||||
|
STACK=$(cat $DIR/stack 2>/dev/null | sed 's/^/ /')
|
||||||
|
fi
|
||||||
|
# don't write out anything in case the process has exited
|
||||||
|
if [ -e "$DIR" ]; then
|
||||||
|
echo "$PID $TID $COMM"
|
||||||
|
[ ${VERBOSE:-0} -gt 1 ] && echo "$STACK"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
echo $PID $TID
|
||||||
|
fi
|
||||||
|
PIDS="$PIDS $PID"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -z "$PIDS" -a -n "$VERBOSE" ]; then
|
||||||
|
echo "no threads with klp_in_progress set"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
function klp_status() {
|
||||||
|
if klp_in_progress ; then
|
||||||
|
echo "in_progress"
|
||||||
|
else
|
||||||
|
echo "ready"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
function klp_check() {
|
||||||
|
if klp_in_progress ; then
|
||||||
|
echo "Following processes have not finished a previous kernel live patching yet:"
|
||||||
|
VERBOSE=2 klp_dump_blocking_threads
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
function klp_patches() {
|
||||||
|
unset PATCHES_FOUND
|
||||||
|
for d in /sys/kernel/livepatch/*; do
|
||||||
|
[ ! -d "$d" ] && continue
|
||||||
|
PATCH_NAME=${d#/sys/kernel/livepatch/}
|
||||||
|
PATCH_MOD=${PATCH_NAME}
|
||||||
|
echo "${PATCH_MOD}"
|
||||||
|
if [ -n "$VERBOSE" ]; then
|
||||||
|
klp_detailed_patch_info "${PATCH_MOD}" | sed 's/^/ /'
|
||||||
|
echo
|
||||||
|
fi
|
||||||
|
PATCHES_FOUND=1
|
||||||
|
done
|
||||||
|
if [ -z "$PATCHES_FOUND" -a -n "$VERBOSE" ]; then
|
||||||
|
echo "no patch"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
function klp_patch_rpm_name() {
|
||||||
|
# srcversion is the link between loaded kernel module and its RPM
|
||||||
|
SRCVERSION=$(cat "/sys/module/$1/srcversion")
|
||||||
|
|
||||||
|
# exit when the module cannot be tracked down
|
||||||
|
MODPATH=$(/usr/sbin/modinfo -n "$1" 2>/dev/null) || exit
|
||||||
|
MODSRCVERSION=$(/usr/sbin/modinfo -F srcversion "$1")
|
||||||
|
|
||||||
|
if [ "$SRCVERSION" != "$MODSRCVERSION" ]; then
|
||||||
|
echo "Warning: patch module srcversion does not match the on-disk checksum:" \
|
||||||
|
"$1 ($SRCVERSION/$MODSRCVERSION)" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo $(rpm -qf "${MODPATH}" 2>/dev/null)
|
||||||
|
}
|
||||||
|
|
||||||
|
function klp_info_from_rpm() {
|
||||||
|
|
||||||
|
RPMNAME=$(klp_patch_rpm_name "$1")
|
||||||
|
[ -n "$RPMNAME" ] || exit
|
||||||
|
|
||||||
|
REFS=($(rpm -q --changelog "${RPMNAME}" | \
|
||||||
|
sed 's/^[[:space:]]*KLP:[[:space:]]*\(.*\)/\1/;t b;d;:b s/[[:space:]]/\n/g' | \
|
||||||
|
sort -ru))
|
||||||
|
declare -a CVES
|
||||||
|
declare -a BUGS_FATES
|
||||||
|
for REF in "${REFS[@]}"; do
|
||||||
|
if [ ${REF:0:3} = 'CVE' ]; then
|
||||||
|
CVES+=($REF)
|
||||||
|
else
|
||||||
|
BUGS_FATES+=($REF)
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
declare -p RPMNAME
|
||||||
|
declare -p CVES
|
||||||
|
declare -p BUGS_FATES
|
||||||
|
}
|
||||||
|
|
||||||
|
function klp_detailed_patch_info() {
|
||||||
|
REFCNT=$(cat "/sys/module/$1/refcnt")
|
||||||
|
ACTIVE=$([[ "$REFCNT" -eq 0 ]]; echo $?)
|
||||||
|
|
||||||
|
echo "active: ${ACTIVE}"
|
||||||
|
|
||||||
|
# collect info if we have it; first try the "cache" (bsc#1191344)
|
||||||
|
SRCVERSION=$(cat "/sys/module/$1/srcversion")
|
||||||
|
CACHE_FILE="/var/cache/livepatch/$1-$SRCVERSION"
|
||||||
|
if [ -e "$CACHE_FILE" ]; then
|
||||||
|
. "$CACHE_FILE"
|
||||||
|
else
|
||||||
|
KLP_INFO=$(klp_info_from_rpm $1)
|
||||||
|
echo "$KLP_INFO" > "$CACHE_FILE"
|
||||||
|
eval "$KLP_INFO"
|
||||||
|
fi
|
||||||
|
|
||||||
|
[ -n "$RPMNAME" ] || exit
|
||||||
|
echo "RPM: ${RPMNAME}"
|
||||||
|
echo -n "CVE: "
|
||||||
|
if [ ${#CVES[*]} -gt 0 ]; then
|
||||||
|
echo ${CVES[*]}
|
||||||
|
else
|
||||||
|
echo -n "(none"
|
||||||
|
[ ${#BUGS_FATES[*]} -eq 0 ] && echo -n " - this is an initial kernel live patch"
|
||||||
|
echo ")"
|
||||||
|
fi
|
||||||
|
echo -n "bug fixes and enhancements: "
|
||||||
|
if [ ${#BUGS_FATES[*]} -gt 0 ]; then
|
||||||
|
echo ${BUGS_FATES[*]}
|
||||||
|
else
|
||||||
|
echo "(none)"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ ${VERBOSE:-0} -gt 1 ]; then
|
||||||
|
SHORT_RPMNAME=$(rpm -q --qf "%{name}" "$RPMNAME" 2>/dev/null)
|
||||||
|
|
||||||
|
echo -n "Update status: "
|
||||||
|
if zypper -qn --no-refresh up -D "$SHORT_RPMNAME" 2>/dev/null | fgrep -q "package to upgrade"; then
|
||||||
|
echo "newer version is available"
|
||||||
|
else
|
||||||
|
echo "up to date"
|
||||||
|
fi
|
||||||
|
|
||||||
|
EXP_DATE=$(grep "^$SHORT_RPMNAME," /usr/share/lifecycle/data/sle-module-live-patching.lifecycle 2>/dev/null \
|
||||||
|
| cut -d, -f3)
|
||||||
|
|
||||||
|
echo -n "Patches issued until: "
|
||||||
|
if [ -n "$EXP_DATE" ]; then
|
||||||
|
echo "$EXP_DATE"
|
||||||
|
else
|
||||||
|
echo "to be announced"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
function klp_downgrade()
|
||||||
|
{
|
||||||
|
VERBOSE_ORIG="$VERBOSE"
|
||||||
|
unset VERBOSE
|
||||||
|
|
||||||
|
for patch in $(klp_patches); do
|
||||||
|
RPM_FULL_NAME=$(klp_patch_rpm_name "$patch")
|
||||||
|
if [ -z "$RPM_FULL_NAME" ]; then
|
||||||
|
echo "Warning: cannot determine RPM package for $patch" >&2
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
|
||||||
|
RPM_INFO=$(rpm -q --qf '%{name};%{version}' "$RPM_FULL_NAME")
|
||||||
|
RPM_VERSION=${RPM_INFO#*;}
|
||||||
|
RPM_NAME=${RPM_INFO%;*}
|
||||||
|
if [ "$RPM_VERSION" -le 1 ]; then
|
||||||
|
echo "$RPM_FULL_NAME is the initial kernel live patch and cannot be downgraded."
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
|
||||||
|
ZYPPER_COMMAND="zypper -n in --oldpackage $RPM_NAME = $(($RPM_VERSION-1))"
|
||||||
|
echo "KLP tool will replace the current kernel live patch with its previous version."
|
||||||
|
echo "The command for downgrade is: $ZYPPER_COMMAND"
|
||||||
|
if [ -z "$NON_INTERACTIVE" ]; then
|
||||||
|
read -p "Continue? (y/N) " -n 1 -r
|
||||||
|
echo
|
||||||
|
else
|
||||||
|
REPLY=Y
|
||||||
|
fi
|
||||||
|
if [[ $REPLY =~ ^[Yy]$ ]]; then
|
||||||
|
eval $ZYPPER_COMMAND
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
VERBOSE="$VERBOSE_ORIG"
|
||||||
|
}
|
||||||
|
|
||||||
|
USAGE="Usage: $0 [-h][-v] COMMAND
|
||||||
|
Query kernel live patching status.
|
||||||
|
|
||||||
|
Commands:
|
||||||
|
status: display the overall status of kernel live patching
|
||||||
|
patches: display the list of loaded patches
|
||||||
|
blocking: list execution threads that are preventing kernel
|
||||||
|
live patching from finishing
|
||||||
|
downgrade: revert the current live patch by installing
|
||||||
|
the previous one
|
||||||
|
|
||||||
|
Options:
|
||||||
|
-h print this help
|
||||||
|
-n non-interactive mode
|
||||||
|
-v more detailed output
|
||||||
|
|
||||||
|
Report bugs at https://bugzilla.suse.com/"
|
||||||
|
PKGVERSION="@@VERSION@@"
|
||||||
|
|
||||||
|
while getopts hnv-: opt
|
||||||
|
do
|
||||||
|
case $opt$OPTARG in
|
||||||
|
-help|h)
|
||||||
|
exec echo "$USAGE" ;;
|
||||||
|
-non-interactive|n)
|
||||||
|
NON_INTERACTIVE=1 ;;
|
||||||
|
-version)
|
||||||
|
exec echo "klp $PKGVERSION" ;;
|
||||||
|
-verbose|v) VERBOSE=$((${VERBOSE:-0} + 1)) ;;
|
||||||
|
*)
|
||||||
|
echo "$0: try '$0 --help'" >&2; exit 1 ;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
|
||||||
|
shift `expr $OPTIND - 1`
|
||||||
|
|
||||||
|
if [ $# -lt 1 ]; then
|
||||||
|
echo -e "Error: no command provided\n" >&2
|
||||||
|
echo "$USAGE"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
case $1 in
|
||||||
|
blocking) klp_dump_blocking_threads ;;
|
||||||
|
status) klp_status ;;
|
||||||
|
check) klp_check ;;
|
||||||
|
store_patch_info)
|
||||||
|
SRCVERSION=$(cat "/sys/module/$2/srcversion")
|
||||||
|
klp_info_from_rpm $2 > "/var/cache/livepatch/$2-$SRCVERSION" ;;
|
||||||
|
patches) klp_patches ;;
|
||||||
|
downgrade) klp_downgrade ;;
|
||||||
|
*) echo "Error: unknown command \`$1'"; exit 1 ;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
# vim: ai sw=4 et sts=4 ft=sh
|
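Review bot: in klp_detailed_patch_info the cache file is executed as shell (`. "$CACHE_FILE"`), and both there and in the store_patch_info branch the path is built from an unvalidated module name (`/var/cache/livepatch/$1-$SRCVERSION`, `/sys/module/$2/srcversion`), so anything able to write under /var/cache/livepatch, or a caller passing a name containing `/` or `..`, controls what klp executes. Suggest rejecting module names that do not match something like `^[A-Za-z0-9_]+$` before using them in a path, checking that the cache file is a regular root-owned file that is not group- or world-writable before sourcing it, and skipping the cache write when the directory is not writable instead of letting the redirection fail. Separately, klp_downgrade builds ZYPPER_COMMAND as a string and runs it with `eval $ZYPPER_COMMAND`; an array invoked as `"${cmd[@]}"` would avoid re-parsing the RPM name and version, and `[ ${REF:0:3} = 'CVE' ]` should quote the expansion.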
35
macros.kernel-livepatch
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
# Defines %flavors_to_build and %kernel_source() as a side effect.
|
||||||
|
%klp_module_package(n:x) \
|
||||||
|
%{expand:%( \
|
||||||
|
subpkg=/usr/lib/rpm/kernel-livepatch-subpackage \
|
||||||
|
echo "%%define _suse_klp_module_subpackage(n:v:r:f:p:bc) %%{expand:%%(cd %_sourcedir; cat $subpkg; echo %%%%nil)}" \
|
||||||
|
flavors_to_build= \
|
||||||
|
flavors="%*" \
|
||||||
|
for flavor in $(ls /usr/src/linux-obj/%_target_cpu 2>/dev/null); do \
|
||||||
|
case " $flavors " in \
|
||||||
|
(*" $flavor "*) \
|
||||||
|
[ -n "%{-x}" ] && continue ;; \
|
||||||
|
(*) \
|
||||||
|
[ -z "%{-x}" -a -n "$flavors" ] && continue ;; \
|
||||||
|
esac \
|
||||||
|
krel=$(make -s -C /usr/src/linux-obj/%_target_cpu/$flavor kernelrelease) \
|
||||||
|
krpmver_flavor=${krel/.0-rc/.rc} \
|
||||||
|
krpmver=${krpmver_flavor%%-*} \
|
||||||
|
kprovide="kernel-$flavor-$krpmver" \
|
||||||
|
khashprovide=$(rpm -q --whatprovides "$kprovide" --provides | grep "^kernel-$flavor-srchash-") \
|
||||||
|
if [ -n "$khashprovide" ]; then \
|
||||||
|
kprovide="$khashprovide" \
|
||||||
|
fi \
|
||||||
|
flavors_to_build="$flavors_to_build $flavor" \
|
||||||
|
echo "%%_suse_klp_module_subpackage -n %{-n*}%{!-n:kernel-livepatch} -r %{release} $krel $krpmver_flavor $kprovide" \
|
||||||
|
done \
|
||||||
|
echo "%%global flavors_to_build${flavors_to_build:-%%nil}" \
|
||||||
|
echo "%%{expand:%%(test -z '%flavors_to_build' && echo %%%%internal_kmp_error)}" \
|
||||||
|
echo "%%global kernel_source() /usr/src/linux-obj/%_target_cpu/%%%%{1}" \
|
||||||
|
\
|
||||||
|
echo "%package -n %{-n*}%{!-n:kernel-livepatch}-kmp-_dummy_" \
|
||||||
|
echo "Version: %version" \
|
||||||
|
echo "Summary: %summary" \
|
||||||
|
echo "Group: %group" \
|
||||||
|
echo "%description -n %{-n*}%{!-n:kernel-livepatch}-kmp-_dummy_" \
|
||||||
|
)}
|
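Review bot: the flavor loop uses `krel` and `khashprovide` without checking them. If `make -s -C ... kernelrelease` fails, `krel` is empty and the `%_suse_klp_module_subpackage` line is still emitted with missing arguments; if `grep "^kernel-$flavor-srchash-"` matches more than one provide, `kprovide` becomes multi-line and breaks that same echoed line. Suggest skipping (or failing the build for) a flavor whose `krel` is empty and taking a single match, for example by piping the grep through `head -n1`. Iterating over `$(ls /usr/src/linux-obj/%_target_cpu 2>/dev/null)` also word-splits the listing, so a glob over the directory would be more robust. The header comment documents the side effects but not the options; a line saying that `-n` overrides the package name prefix and `-x` turns the flavor list into an exclusion list would help.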
141
rpm-helper
Normal file
@ -0,0 +1,141 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
USAGE="$0 <check|install|remove> <package-version-release>"
|
||||||
|
|
||||||
|
if test "$1" = "-h" -o "$1" = "--help"; then
|
||||||
|
echo "$USAGE"
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
if test "$#" -lt 2; then
|
||||||
|
echo "$USAGE" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
shopt -s nullglob
|
||||||
|
|
||||||
|
check_livepatching_env()
|
||||||
|
{
|
||||||
|
LIVEPATCH_KERNEL=auto
|
||||||
|
# Check if a sysconfig for livepatching exists. If yes, include the file.
|
||||||
|
if test -e "/etc/sysconfig/livepatching"; then
|
||||||
|
. /etc/sysconfig/livepatching || :
|
||||||
|
fi
|
||||||
|
|
||||||
|
# We want to preserve the immutability of the system in the
|
||||||
|
# transactional server role. To that end, we define the "auto" patch
|
||||||
|
# deployment mode that skips the patch loading in transactional
|
||||||
|
# updates.
|
||||||
|
DO_PATCHING=0
|
||||||
|
[ "$TRANSACTIONAL_UPDATE" != "true" -a "$LIVEPATCH_KERNEL" == "auto" ] && DO_PATCHING=1
|
||||||
|
[ "$LIVEPATCH_KERNEL" == "always" ] && DO_PATCHING=1
|
||||||
|
|
||||||
|
[ "$DO_PATCHING" -eq 0 ] && return 1
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
do_check()
|
||||||
|
{
|
||||||
|
if test -e /.buildenv; then
|
||||||
|
echo "Skipping kernel live patches in buildroot"
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
check_livepatching_env || return 0
|
||||||
|
|
||||||
|
if test "$(uname -r)" != "$KREL"; then
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
klp check >&2
|
||||||
|
}
|
||||||
|
|
||||||
|
refresh_initrd()
|
||||||
|
{
|
||||||
|
local image
|
||||||
|
|
||||||
|
/sbin/depmod -F "/boot/System.map-$KREL" -e "$KREL" || return
|
||||||
|
# copied from weak-modules2
|
||||||
|
for image in vmlinuz image vmlinux linux bzImage uImage Image ""; do
|
||||||
|
if test -f "/boot/$image-$KREL"; then
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if test -z "$image"; then
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
if test "$1" = "--force"; then
|
||||||
|
/sbin/mkinitrd -k "/boot/$image-$KREL" -i "/boot/initrd-$KREL"
|
||||||
|
else
|
||||||
|
mkdir -p /var/run/regenerate-initrd
|
||||||
|
touch "/var/run/regenerate-initrd/$image-$KREL"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
do_install()
|
||||||
|
{
|
||||||
|
local mod modules err
|
||||||
|
|
||||||
|
if test -e /.buildenv; then
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
refresh_initrd
|
||||||
|
|
||||||
|
if test "$(uname -r)" != "$KREL"; then
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
if ! check_livepatching_env; then
|
||||||
|
echo "[klp] Skipping installation of the kernel live patch."
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
err=0
|
||||||
|
modules=($(grep -l '^0$' /sys/module/livepatch*/refcnt /dev/null | sed 's:/refcnt::; s:/sys/module/::'))
|
||||||
|
for mod in "${modules[@]}"; do
|
||||||
|
echo "[klp] Unloading $mod"
|
||||||
|
# Can't use modprobe -r, as the modules do not exist on disk
|
||||||
|
# anymore
|
||||||
|
rmmod "$mod" || :
|
||||||
|
done
|
||||||
|
modules=($(rpm -ql "$PACKAGE" | sed -rn 's:.*/(livepatch[^/]*)\.ko(\.[gx]z|\.zst)?$:\1:p'))
|
||||||
|
for mod in "${modules[@]}"; do
|
||||||
|
echo "[klp] Loading $mod"
|
||||||
|
modprobe "$mod" || err=$?
|
||||||
|
done
|
||||||
|
|
||||||
|
klp store_patch_info "$(echo "$mod" | tr - _)"
|
||||||
|
|
||||||
|
return $err
|
||||||
|
}
|
||||||
|
|
||||||
|
do_remove()
|
||||||
|
{
|
||||||
|
if test -e /.buildenv; then
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
if test "$NUM_PACKAGES" -eq 0; then
|
||||||
|
# bnc#904867
|
||||||
|
refresh_initrd --force
|
||||||
|
else
|
||||||
|
refresh_initrd
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
if test $# -ne 4; then
|
||||||
|
echo 'WARNING: Unexpected number of parameters. Are the live patch RPM scripts compatible with this rpm-helper?' >&2
|
||||||
|
fi
|
||||||
|
|
||||||
|
cmd=$1
|
||||||
|
PACKAGE=$2
|
||||||
|
KREL=$3
|
||||||
|
NUM_PACKAGES=${4-0}
|
||||||
|
case "$cmd" in
|
||||||
|
check|install|remove)
|
||||||
|
do_$cmd
|
||||||
|
exit
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
echo "$USAGE" >&2
|
||||||
|
exit 1
|
||||||
|
esac
|
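Review bot: in do_install, `klp store_patch_info "$(echo "$mod" | tr - _)"` sits after the load loop, so it runs once with whatever `$mod` was last set to: only the last module of a multi-module package gets cached, it runs even when `modprobe` failed, and when `rpm -ql "$PACKAGE"` lists no livepatch module it reuses the name left over from the unload loop (or an empty string). Suggest moving the call inside the loop and running it only after a successful `modprobe`. Also, the argument-count check near the end only warns when `$#` is not 4 and then carries on, so `KREL` can be empty when refresh_initrd calls depmod, and `USAGE` still describes two arguments while the script reads four (`cmd`, `PACKAGE`, `KREL`, `NUM_PACKAGES`).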
10
sysconfig.livepatching
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
## Path: System/Live Patching
|
||||||
|
## Description: Configuration of the system live patch deployment
|
||||||
|
|
||||||
|
## Type: string
|
||||||
|
## Default: "auto"
|
||||||
|
# Controls whether kernel live patches should be loaded into
|
||||||
|
# kernel during live patch RPM package installation. The valid
|
||||||
|
# settings are "always", "never" and "auto".
|
||||||
|
LIVEPATCH_KERNEL='auto'
|
||||||
|
|
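Review bot: the comment lists the valid values but does not say what each one does, in particular "auto". From check_livepatching_env in rpm-helper, "auto" loads the patch except when TRANSACTIONAL_UPDATE is "true", "always" loads it unconditionally, and any other value, including a typo, silently behaves like "never". Suggest spelling that out here. Since rpm-helper reads this file with `. /etc/sysconfig/livepatching`, it is also worth stating in the comment that the file is executed as shell, so it should stay writable by root only.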
1
systemd-default-klp.preset
Normal file
@ -0,0 +1 @@
|
|||||||
|
enable klp-info-cache.service
|
13
systemd-klp-info-cache.service
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Clean up the klp(8) tool cache on boot
|
||||||
|
After=local-fs.target
|
||||||
|
ConditionPathIsReadWrite=/var/cache/livepatch
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
Nice=19
|
||||||
|
IOSchedulingClass=idle
|
||||||
|
ExecStart=/usr/lib/kernel-livepatch/cache-cleaner
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
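Review bot: the [Service] section runs /usr/lib/kernel-livepatch/cache-cleaner with no sandboxing even though the unit's stated job is limited to cleaning /var/cache/livepatch. Suggest adding hardening there, for example `ProtectSystem=strict` with `ReadWritePaths=/var/cache/livepatch`, plus `NoNewPrivileges=yes` and `PrivateTmp=yes`, provided the cleaner needs write access nowhere else.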