commit edcf4475559e2e2189c794b7913fe46a06ca7ceb1013805246538dfbea036f33
Author: Adrian Schröter
Date: Fri May 3 15:31:27 2024 +0200
Sync from SUSE:SLFO:Main libpulp revision 534c6af72c6b3f90c44995cd613764cf
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/libpulp-0.3.0.tar.gz b/libpulp-0.3.0.tar.gz
new file mode 100644
index 0000000..afee456
--- /dev/null
+++ b/libpulp-0.3.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ed5f8bd15ec60df254d1d2ec3a0fa0208908fe367731be708fdb10ecb062d573
+size 629101
diff --git a/libpulp.changes b/libpulp.changes
new file mode 100644
index 0000000..a05cd4f
--- /dev/null
+++ b/libpulp.changes
@@ -0,0 +1,183 @@
+-------------------------------------------------------------------
+Tue Jun 27 14:23:33 UTC 2023 - Giuliano Belinassi
+
+- Update package with libpulp-0.3.0:
+ * Add support for processes with blocked mprotect (process launched by
+ systemd, for example) (bsc#1210224, jsc#PED-2877).
+ * Add support for processes which chroots into /proc.
+ * Supports livepathcing all processes in SLE.
+
+-------------------------------------------------------------------
+Fri Jun 16 14:45:03 UTC 2023 - Giuliano Belinassi
+
+- Update package with libpulp-0.2.11:
+ * Avoid warning on symbol read of processes which user do not have access.
+ * Fix a bug in livepatch installation counting.
+ * Fix a warning message of library not loaded when reverting all patches when
+ the library is loaded.
+ * Fix a crash when `patches` is called with invalid PID.
+ * Enable batch processing for patching a single process via PID.
+
+-------------------------------------------------------------------
+Thu Apr 13 21:47:06 UTC 2023 - Giuliano Belinassi
+
+- Update package with libpulp-0.2.10:
+ * Fix typo which makes write_bytes fallback to ptrace mode when vm_writev is
+ available.
+ * Detect when mprotect is blocked by seccomp (process launched by systemd,
+ for example) and disable livepatching in the process (bsc#1210224,
+ jsc#PED-2877).
+
+-------------------------------------------------------------------
+Thu Mar 9 19:24:46 UTC 2023 - Giuliano Belinassi
+
+- Update package with libpulp-0.2.9:
+ * Add mechanism to enable or disable livepatching based or environment variables
+ and in the new command `ulp set_patchable` (jsc#PED-2877).
+ * Change `patch already applied` message from error to skipped.
+
+-------------------------------------------------------------------
+Thu Feb 23 21:24:45 UTC 2023 - Giuliano Belinassi
+
+- Update package with libpulp-0.2.8:
+ * Minor code refactoring.
+ * Fixed a bug where libpulp rejected correct ELF files as library input.
+ * Fixed a file descriptor leak when -check-stack is passed to ulp.
+ * Fixed a bug where ulp did not shown libcrypto.so.1.1 as a livepatchable library (bsc#1208575)
+
+-------------------------------------------------------------------
+Mon Jan 2 19:53:55 UTC 2023 - Giuliano Belinassi
+
+- Update package with libpulp-0.2.7:
+ * Add support to library to JSON library dumps, Removing any requirement of
+ adding the original library .so file into the livepatch build tarball.
+ * Update the ulp post hook script for transactional systems (jsc#PED-1078).
+ * Add `setup_package.sh` as part of libpulp tools.
+
+-------------------------------------------------------------------
+Thu Nov 10 18:00:41 UTC 2022 - Giuliano Belinassi
+
+- Update package with libpulp-0.2.6
+ * Add new `-R` option to specify a prefix root for livepatches
+ (jsc#PED-1078).
+
+-------------------------------------------------------------------
+Wed Aug 18 12:23:31 UTC 2022 - Giuliano Belinassi
+
+- Update package with libpulp-0.2.5.
+ * Fix ulp tool not patching on highly stressed environments. The reason behind
+ it is that a 10s timeout was not enough depending of how stressed the
+ machine is. Worse cases when libpulp is running in a VM (bsc#1200316).
+ * Fix HANA testcase failures (bsc#1200129).
+ * Add support for searching for patches recursively. Previous versions only
+ searched on the path specified, ignoring subdirectories.
+ * Improve patching performance. Previous version took up to 20s ~ 25s to
+ patch 4000 processes. This version reduces this time to 6s. The way this
+ is done is reducing ptrace calls and switching to process_vm_readv/writev
+ when possible, and moving process discovery to a different thread.
+
+-------------------------------------------------------------------
+Fri Jun 24 20:10:22 UTC 2022 - Giuliano Belinassi
+
+- Fix ulp tool not patching on high process count (bsc#1200316).
+- Implement a timeout feature in case of deadlocks.
+
+-------------------------------------------------------------------
+Thu Jun 23 00:03:18 UTC 2022 - Giuliano Belinassi
+
+- Fix ulp tool crashing on high process count (bsc#1200316).
+- Avoid parsing /proc//comm when not needed.
+
+-------------------------------------------------------------------
+Mon Jun 13 19:15:37 UTC 2022 - Giuliano Belinassi
+
+- Update package with libpulp-0.2.4.
+- Fix dlsym interposition changing program behaviour (bsc#1200129)
+- Fix free call of mmap'ed buffers (bsc#1200129)
+- Fix error message when user has no permission to open livepatch.
+
+-------------------------------------------------------------------
+Thu May 12 14:53:49 UTC 2022 - Giuliano Belinassi
+
+- Update package with libpulp-0.2.3 (jsc#SLE-20049).
+- Add support for endbr64 instructions on function beginning.
+- Fix use-after-free bug.
+- Fix compilation in Tumbleweed.
+
+-------------------------------------------------------------------
+Mon May 2 14:56:48 UTC 2022 - Giuliano Belinassi
+
+- Update package with libpulp-0.2.2 (jsc#SLE-20049).
+- Use colored output by default (disable with --color=no)
+- Packer now reports errors in .dsc in a GCC 5+ fashion.
+- Trigger now has a summarized mode (disable with -v)
+
+-------------------------------------------------------------------
+Tue Apr 12 19:27:29 UTC 2022 - Giuliano Belinassi
+
+- Update package with libpulp-0.2.1 (jsc#SLE-20049).
+- Fix base address load of non-library variables in target process.
+- Dump references information on `ulp dump`.
+
+-------------------------------------------------------------------
+Wed Mar 30 18:54:12 UTC 2022 - Giuliano Belinassi
+
+- Update package with libpulp-0.2.0 (jsc#SLE-20049).
+- Embed metadata (.ulp) into livepatch container (.so).
+
+-------------------------------------------------------------------
+Fri Mar 25 13:58:11 UTC 2022 - Libor Pechacek
+
+- Add patch build macros and deployment scripts.
(jsc#SLE-20049)
+
+-------------------------------------------------------------------
+Tue Feb 22 18:03:18 UTC 2022 - Giuliano Belinassi
+
+- Update package with libpulp-0.1.1 (jsc#SLE-20049).
+- Add new command `ulp livepatchable` to check if a library is livepatchable.
+
+-------------------------------------------------------------------
+Wed Feb 16 13:50:17 UTC 2022 - Giuliano Belinassi
+
+- Update package with newest libpulp features (jsc#SLE-20049).
+- Fix a bug which causes the ulp tool to fail if itself was loaded with libpulp.
+
+-------------------------------------------------------------------
+Fri Jan 28 15:33:12 UTC 2022 - Giuliano Belinassi
+
+- Update package with newest libpulp features (jsc#SLE-20049).
+- Fix --revert-all when no wildcards are provided.
+- Fix batch processing of .rev files.
+- Disable lto when building libpulp.
+
+-------------------------------------------------------------------
+Fri Nov 12 15:39:24 UTC 2021 - Giuliano Belinassi
+
+- Update libpulp with ulp_apply in trigger.
+
+-------------------------------------------------------------------
+Fri Oct 22 19:41:03 UTC 2021 - Giuliano Belinassi
+
+- Remove gcc9 as build requirement.
+
+-------------------------------------------------------------------
+Tue Oct 12 14:59:28 UTC 2021 - Libor Pechacek
+
+- Add libpulp.rpmlintrc to the sources. (jsc#SLE-20049)
+- Refresh the .spec file with spec-cleaner.
+
+-------------------------------------------------------------------
+Tue Oct 5 18:11:08 UTC 2021 - Giuliano Belinassi
+
+- Update libpulp .tar.gz package.
+
+-------------------------------------------------------------------
+Mon Sep 27 18:54:11 UTC 2021 - Giuliano Belinassi
+
+- Update libpulp .tar.gz package.
+- Remove gcc9-PIE from libpulp.spec, as it is not provided anymore.
+
+-------------------------------------------------------------------
+Mon Feb 3 16:58:33 UTC 2020 - Gabriel F. T. Gomes
+
+- Initial package.
diff --git a/libpulp.rpmlintrc b/libpulp.rpmlintrc
new file mode 100644
index 0000000..4f286b3
--- /dev/null
+++ b/libpulp.rpmlintrc
@@ -0,0 +1,14 @@
+# When a library is being live patched, the program using it is unaware
+# of the operation, so much so that it's not the application who starts
+# the live patching. Instead, an external tool (__ulp_trigger) halts
+# the execution of every thread of the application and changes
+# trampolines to patched functions. If some of these operations fail,
+# there's nothing the application could do to salvage the execution, so
+# it's mandatory that the live patching calls exit to kill the process.
+addFilter("W: shared-lib-calls-exit")
+
+# Libpulp is the upstream name of the project, so placing the tools
+# under libpulp-tools makes it more likely to show up on searches with
+# zypper. However, this package does not ship libraries, which cause a
+# lintian warning.
+addFilter("libpulp-tools.* shlib-policy-missing-lib");
diff --git a/libpulp.spec b/libpulp.spec
new file mode 100644
index 0000000..5b6d1fb
--- /dev/null
+++ b/libpulp.spec
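Review bot: The comment above the second filter describes a "lintian warning", but this file configures rpmlint and `shlib-policy-missing-lib` is an rpmlint check (lintian is Debian's tool); `# rpmlint warning.` would be accurate. The same `addFilter` line ends with a stray `;` that the first one does not have — rpmlintrc is executed as Python, so it is harmless, but `addFilter("libpulp-tools.* shlib-policy-missing-lib")` keeps the two entries consistent.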
@@ -0,0 +1,105 @@
+#
+# spec file for package libpulp
+#
+# Copyright (c) 2022 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: libpulp
+Version: 0.3.0
+Release: 0
+Summary: Userspace live patching library and tools
+License: LGPL-2.1-only
+Group: Productivity/Security
+URL: https://github.com/suse/libpulp
+Source0: %{name}-%{version}.tar.gz
+Source1: rpm-helper
+Source2: macros.userspace-livepatch
+Source99: libpulp.rpmlintrc
+# Required to hardlink identical files.
+BuildRequires: fdupes
+# Required to run the tests.
+BuildRequires: gcc-c++
+# Required to build the tools, which are needed to run the tests.
+BuildRequires: libjson-c-devel
+BuildRequires: libelf-devel
+BuildRequires: python3-pexpect
+BuildRequires: python3-psutil
+BuildRequires: libseccomp-devel
+# Only available for these architectures.
+ExclusiveArch: x86_64
+
+%description
+Library and tools for user space live patching.
+
+%package -n libpulp0
+Summary: User space live patching library
+Group: System/Libraries
+
+%description -n libpulp0
+Libpulp is a library (and a framework) that enables live patching of
+user space libraries.
+
+This package contains the runtime files.
+
+%package tools
+Summary: User space live patching tools
+Group: System/Management
+
+%description tools
+This package contains the tools to apply user-space live patches.
+
+# Disable LTO for libpulp, as it is currently not supported.
+%define _lto_cflags %{nil}
+
+%prep
+%autosetup -p1
+
+%build
+%configure
+%make_build
+
+%check
+%make_build check
+
+%install
+%make_install
+install -D -m0755 %{SOURCE1} %{buildroot}%{_prefix}/lib/userspace-livepatch/rpm-helper
+install -D -m0644 %{SOURCE2} %{buildroot}%{_prefix}/lib/rpm/macros.d/macros.userspace-livepatch
+
+# Convert identical files into hardlinks.
+%fdupes %{buildroot}/%{_prefix}
+# Remove .la and .so files. libpulp.so is not supposed to be linked
+# against any programs or libraries, but LD_PRELOAD'ed, so do not
+# distribute it, not even in the devel package.
+find %{buildroot}/%{_prefix} -name libpulp.la -delete
+find %{buildroot}/%{_prefix} -name libpulp.so -delete
+
+%post -n libpulp0 -p /sbin/ldconfig
+%postun -n libpulp0 -p /sbin/ldconfig
+
+%files -n libpulp0
+%{_libdir}/lib*.so.*
+%doc README.md
+%license LICENSE
+
+%files tools
+%{_bindir}/*
+%{_mandir}/*/*
+%dir %{_prefix}/lib/userspace-livepatch
+%{_prefix}/lib/userspace-livepatch/*
+%{_prefix}/lib/rpm/*
+%license LICENSE
+
+%changelog
diff --git a/macros.userspace-livepatch b/macros.userspace-livepatch
new file mode 100644
index 0000000..5fc8570
--- /dev/null
+++ b/macros.userspace-livepatch
@@ -0,0 +1,9 @@
+# Hook for %post used by livepatch packages to apply a livepatch (or multiple
+# livepatches) on the system.
+#
+# The parameters are
+%ulp_post_hook() \
+echo "Executing ulp_post_hook(). About to execute rpm-helper..." \
+/bin/bash /usr/lib/userspace-livepatch/rpm-helper install "%1" "%2" "%3" $1 \
+echo "Done executing rpm-helper." \
+%{nil}
diff --git a/rpm-helper b/rpm-helper
new file mode 100644
index 0000000..dd72245
--- /dev/null
+++ b/rpm-helper
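Review bot: `%{_prefix}/lib/rpm/*` in `%files tools` packages whatever the glob matches under /usr/lib/rpm, which after the `%install` section is the `macros.d` directory itself, so the tools subpackage claims that directory (owned by rpm) and everything that ever lands in it rather than the single file it installs; list the file instead, `%{_rpmmacrodir}/macros.userspace-livepatch` (or spelled out, `%{_prefix}/lib/rpm/macros.d/macros.userspace-livepatch`). Using `%{_rpmmacrodir}` in the `install -D -m0644 %{SOURCE2}` line as well keeps the install path and the file list from drifting apart. The `Source1: rpm-helper` line could also carry a comment noting that this script is what the `%ulp_post_hook` macro in Source2 invokes at livepatch package install time, since that relationship is otherwise only visible by reading both sources.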
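Review bot: The header comment of `%ulp_post_hook` stops at `# The parameters are` without naming them, and the macro body is the only place that fixes the argument order rpm-helper expects (`cmd=$1 PACKAGE=$2 VER=$3 TARGET_LIB=$4 NUM_PACKAGES=${5-0}` in that script). The comment should therefore read `# Parameters: %1 livepatch package name, %2 version, %3 target library;` followed by `# $1 is the scriptlet argument rpm passes to %post (installed instance count).` The trailing `$1` on the helper line is the only unquoted argument; `"$1"` keeps it consistent with the quoted `%1`–`%3`. The hook also hardcodes `/bin/bash /usr/lib/userspace-livepatch/rpm-helper` while the spec installs the script under `%{_prefix}/lib/userspace-livepatch`; the two agree today, but a `%{_prefix}`-based path would tie them together.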
@@ -0,0 +1,84 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+USAGE="$0 "
+
+if test "$1" = "-h" -o "$1" = "--help"; then
+ echo "$USAGE"
+ exit 0
+fi
+if test "$#" -lt 2; then
+ echo "$USAGE" >&2
+ exit 1
+fi
+
+# ulp trigger have problems with bash expanding its arguments. Disable that
+# and let it expand the wildcard by itself.
+shopt -s nullglob
+
+check_livepatching_env()
+{
+ [ -z "$PACKAGE" ] && return 0
+
+ echo $PACKAGE
+
+ COMPONENT=${PACKAGE%-livepatches}
+ COMPONENT=${COMPONENT^^}
+ COMPONENT=${COMPONENT/-/_}
+ CONF_VAR_NAME="LIVEPATCH_$COMPONENT"
+ eval "$CONF_VAR_NAME"=auto
+
+ # Check if a sysconfig for livepatching exists. If yes, include the file.
+ if test -f "/etc/sysconfig/livepatching"; then
+ . /etc/sysconfig/livepatching || :
+ fi
+
+ return 0
+}
+
+do_install()
+{
+ if test -e /.buildenv; then
+ echo "Skipping userspace live patches in buildroot"
+ return 0
+ fi
+
+ check_livepatching_env || return 0
+
+ # Check if we are running a transactional update. If yes, set the root
+ # accordingly.
+ if [ "$TRANSACTIONAL_UPDATE" = "true" ] && [ "x$TRANSACTIONAL_UPDATE_ROOT" != "x" ]; then
+ ROOT="-R $TRANSACTIONAL_UPDATE_ROOT"
+ fi
+
+ ulp trigger $ROOT --recursive -r 100 --timeout 200 --revert-all=target \
+ "/usr/lib64/$PACKAGE/$VER/*.so"
+
+ echo "ulp trigger executed."
+}
+
+do_remove()
+{
+ : # reserved for future use
+}
+
+if test $# -ne 5; then
+ echo 'WARNING: Unexpected number of parameters. Are the live patch RPM scripts compatible with this rpm-helper?' >&2
+fi
+
+
+# Parse first argument (install or remove).
+cmd=$1
+PACKAGE=$2
+VER=$3
+TARGET_LIB=$4
+NUM_PACKAGES=${5-0}
+case "$cmd" in
+install|remove)
+ do_$cmd
+ exit
+ ;;
+*)
+ echo "$USAGE" >&2
+ exit 1
+esac
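Review bot: `eval "$CONF_VAR_NAME"=auto` in check_livepatching_env runs eval on a name derived from `$PACKAGE`, and the `${COMPONENT/-/_}` on the line before it rewrites only the first hyphen, so a name such as `foo-bar-baz-livepatches` becomes `LIVEPATCH_FOO_BAR-BAZ`, which is not a valid assignment and makes the eval line fail with "command not found" instead of setting the variable; `COMPONENT=${COMPONENT//-/_}` plus `printf -v "$CONF_VAR_NAME" '%s' auto` fixes both and drops eval. The variable is then never read in this script and is not exported, so if `ulp trigger` is meant to honour it (the changes file mentions environment-variable control of livepatching) an `export` is needed — worth confirming against ulp. In do_install, `ROOT="-R $TRANSACTIONAL_UPDATE_ROOT"` relies on unquoted word splitting of `$ROOT` and breaks on a root path containing whitespace; an array keeps the intent. The exit status of `ulp trigger` is discarded because the function ends with `echo`, so a failed patch application goes unreported; the rewrite below records it on stderr without changing the scriptlet's overall success, and drops the bare `echo $PACKAGE`, which reads as leftover debug output.
```bash
check_livepatching_env()
{
  [ -z "$PACKAGE" ] && return 0

  COMPONENT=${PACKAGE%-livepatches}
  COMPONENT=${COMPONENT^^}
  COMPONENT=${COMPONENT//-/_}           # every hyphen, not only the first
  CONF_VAR_NAME="LIVEPATCH_$COMPONENT"
  printf -v "$CONF_VAR_NAME" '%s' auto  # assign through a name without eval
  # … unchanged: sysconfig sourcing, return 0 …
}

do_install()
{
  # … unchanged: buildroot check, check_livepatching_env …
  ROOT=()
  if [ "$TRANSACTIONAL_UPDATE" = "true" ] && [ -n "$TRANSACTIONAL_UPDATE_ROOT" ]; then
    ROOT=(-R "$TRANSACTIONAL_UPDATE_ROOT")
  fi

  ulp trigger "${ROOT[@]}" --recursive -r 100 --timeout 200 --revert-all=target \
    "/usr/lib64/$PACKAGE/$VER/*.so"
  rc=$?
  if [ "$rc" -ne 0 ]; then
    echo "ulp trigger failed with status $rc" >&2
  fi

  echo "ulp trigger executed."
}
```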