import CS git kpatch-0.9.10-20.el10

AlmaLinux RelEng Bot 2026-06-25 08:41:32 -04:00
parent ab2f51aaf5
commit 199d7a2f71
9 changed files with 257 additions and 202 deletions

4
.gitignore vendored

@ -1,2 +1,2 @@
SOURCES/kpatch-dnf-v0.5.tar.gz
SOURCES/v0.9.7.tar.gz
kpatch-dnf-v0.5.tar.gz
v0.9.10.tar.gz


@ -1,2 +0,0 @@
28103e07453017fa2db783425dc1c23c3e7f3073 SOURCES/kpatch-dnf-v0.5.tar.gz
da88fa82b005bbafc1719c59bd00847ce2a22a60 SOURCES/v0.9.7.tar.gz


@ -0,0 +1,101 @@
From a80d2aa1381b901ec0e1da547b607b66e7bd96a1 Mon Sep 17 00:00:00 2001
From: Radomir Vrbovsky <rvrbovsk@redhat.com>
Date: Tue, 9 Sep 2025 21:56:27 +0200
Subject: [PATCH] kpatch: List CVEs for loaded livepatch modules
JIRA: https://issues.redhat.com/browse/RHEL-113127
Upstream: RHEL-ONLY
Enhances the list subcommand to display the CVE identifiers addressed
by each installed patch module.
The CVEs are extracted directly from the RPM changelogs of the corresponding
modules, giving users clearer insight into the security issues mitigated
by livepatch updates.
V2:
* Remove temporary files in favor of associative arrays
* Use printf and sed for indentation instead of a loop
V3:
* Syntactic changes using ShellCheck
Signed-off-by: Radomir Vrbovsky <rvrbovsk@redhat.com>
---
kpatch/kpatch | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
diff --git a/kpatch/kpatch b/kpatch/kpatch
index c16a108..f029b59 100755
--- a/kpatch/kpatch
+++ b/kpatch/kpatch
@@ -24,12 +24,15 @@
# displaying information about kernel patch modules installed on the system.
INSTALLDIR=/var/lib/kpatch
+RPMINSTALLDIR=/lib/kpatch
SCRIPTDIR="$(readlink -f "$(dirname "$(type -p "$0")")")"
VERSION="0.9.10"
POST_ENABLE_WAIT=15 # seconds
POST_SIGNAL_WAIT=60 # seconds
MODULE_REF_WAIT=15 # seconds
+declare -A CVE_LIST
+
# How many times to try loading the patch if activeness safety check fails.
MAX_LOAD_ATTEMPTS=5
# How long to wait before retry, in seconds.
@@ -446,6 +449,32 @@ get_module_version() {
MODVER="${MODVER/ */}"
}
+query_module_cves() {
+ local module=$1
+ local rpm_log
+ local cve_list
+
+ [[ -z "$module" ]] && return
+
+ rpm_log=$(rpm -q --changelog "$(rpm -q --whatprovides "$module")")
+ [[ -z "$rpm_log" ]] && return
+
+ cve_list=$(echo "$rpm_log" | grep -oP '.*{\K[^}]+' | grep -o 'CVE[0-9-]\+' | sort -n | uniq)
+
+ CVE_LIST[$MODNAME]=$cve_list
+}
+
+query_cves() {
+ for kdir in "$RPMINSTALLDIR"/*; do
+ [[ -e "$kdir" ]] || continue
+ for module in "$kdir"/*.ko; do
+ [[ -e "$module" ]] || continue
+ mod_name "$module"
+ query_module_cves "$module"
+ done
+ done
+}
+
unset MODULE
# Initialize the $SYSFS var. This only works if the core module has been
@@ -593,6 +622,7 @@ case "$1" in
"list")
[[ "$#" -ne 1 ]] && usage
+ query_cves
echo "Loaded patch modules:"
for module in "$SYSFS"/*; do
if [[ -e "$module" ]]; then
@@ -605,6 +635,9 @@ case "$1" in
|| state="disabled"
fi
echo "$modname [$state]"
+ if [[ -v "CVE_LIST[$MODNAME]" ]]; then
+ printf "%s\n" "${CVE_LIST[$MODNAME]}" | sed 's/^/\t/'
+ fi
fi
done
show_stalled_processes
--
2.48.1
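Review bot: In the `list` hunk the new lookup reads `CVE_LIST[$MODNAME]` although the line just above prints `$modname`. `MODNAME` is the global that `mod_name` last set inside `query_cves`, so unless the part of the loop outside this hunk refreshes it, every loaded module would be reported with the CVE list of whichever .ko was scanned last. Key the lookup and the print on the loop variable instead, e.g. `if [[ -n "${CVE_LIST[$modname]:-}" ]]; then`, which also skips modules whose stored list is empty rather than printing a lone tab. In `query_module_cves` the output of `rpm -q --whatprovides "$module"` is used without checking its exit status, so a miss or more than one provider is passed straight into the `--changelog` query; return early when that lookup fails. The list comes from the changelog of the RPM installed under `$RPMINSTALLDIR`, not from the module loaded in `$SYSFS`, so a comment should say the two can differ, for example after a package update before the module is reloaded.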


@ -1,198 +0,0 @@
%define kpatch_dnf_ver 0.5
Name: kpatch
Version: 0.9.7
Release: 3%{?dist}
Summary: Dynamic kernel patch manager
Group: System Environment/Kernel
License: GPLv2
URL: https://github.com/dynup/kpatch
Source0: https://github.com/dynup/kpatch/archive/v%{version}.tar.gz
Source1: kpatch-dnf-v%{kpatch_dnf_ver}.tar.gz
# RHEL-only
Patch0: 0001-contrib-disable-upstart-kpatch.conf-install.patch
Patch1: 0002-kpatch-clarify-unload-unsupport.patch
Patch2: 0003-do-not-rm-selinux-rpm-owned-directory.patch
# Upstream backports
#Patch100: 0100-xxx.patch
# kpatch-dnf backports
#Patch200: 0200-xxx.patch
Requires: bash kmod binutils
Recommends: kpatch-dnf
BuildArch: noarch
%description
kpatch is a live kernel patch module manager. It allows the user to manage
a collection of binary kernel patch modules which can be used to dynamically
patch the kernel without rebooting.
%package -n kpatch-dnf
Summary: kpatch-patch manager plugin for DNF
Version: %{version}_%{kpatch_dnf_ver}
BuildRequires: python3-devel python3-dnf
Requires: python3-dnf python3-hawkey
Provides: kpatch-dnf
%description -n kpatch-dnf
kpatch-dnf is a DNF plugin that manages subscription to kpatch-patch updates.
When enabled, kernel packages are automatically subscribed to corresponding
kpatch-patch packages updates.
%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%setup -D -T -a 1
cd kpatch-dnf-%{kpatch_dnf_ver}
cd ..
%build
make -C man
make -C kpatch-dnf-%{kpatch_dnf_ver}
%install
make install PREFIX=/usr DESTDIR=%{buildroot} -C kpatch
make install PREFIX=/usr DESTDIR=%{buildroot} -C man
make install PREFIX=/usr DESTDIR=%{buildroot} -C contrib
mkdir -p %{buildroot}/%{_sharedstatedir}/kpatch
rm -f %{buildroot}/usr/share/man/man1/kpatch-build.1.gz
make install PREFIX=/usr DESTDIR=%{buildroot} PYTHONSITES=%{python3_sitelib} -C kpatch-dnf-%{kpatch_dnf_ver}
%files
%{_sbindir}/kpatch
%{_usr}/lib/systemd/system/kpatch.service
%{_sharedstatedir}/kpatch
%doc %{_mandir}/man1/kpatch.1.gz
%files -n kpatch-dnf
%{python3_sitelib}/dnf-plugins/kpatch.py
%{python3_sitelib}/dnf-plugins/__pycache__
%config(noreplace) %{_sysconfdir}/dnf/plugins/kpatch.conf
%doc %{_mandir}/man8/dnf.kpatch.8.gz
%post -n kpatch-dnf
echo "To enable automatic kpatch-patch subscription, run:"
echo -e "\t$ dnf kpatch auto"
%changelog
* Tue Apr 08 2025 Rado Vrbovsky <rvrbovsk@redhat.com> 0.9.7-3
- Rebase kpatch DNF plugin with upstream to 0.5 (RHEL-85574)
* Wed Nov 16 2022 Yannick Cote <ycote@redhat.com> 0.9.7-2
- augment kpatch-dnf package versioning to satisfy build (rhbz#2121211)
* Wed Nov 09 2022 Yannick Cote <ycote@redhat.com> 0.9.7-1
- rebase kpatch user utility code to v0.9.7 (rhbz#2121211)
* Fri Jun 10 2022 Yannick Cote <ycote@redhat.com> 0.9.4-3
- Do not rm selinux rpm owned directory (rhbz#2065609)
* Fri Jan 14 2022 Yannick Cote <ycote@redhat.com> 0.9.4-2
- Add /usr/lib/kpatch to install and files list to appease SELinux (rhbz#2022123)
* Thu Sep 23 2021 Artem Savkov <asavkov@redhat.com> 0.9.4-1
- Update kpatch utility to 0.9.4 and kpatch-dnf to 0.4 (rhbz#2006841)
* Mon Mar 15 2021 Artem Savkov <asavkov@redhat.com> 0.9.2-5
- Cleanup /var/lib/kpatch directory on uninstall (rhbz#1930108)
* Thu Mar 11 2021 Joe Lawrence <joe.lawrence@redhat.com> 0.9.2-4
- Fix kpatch-dnf package description typos (rhbz#1934293)
* Mon Jan 04 2021 Julien Thierry <jthierry@redhat.com> 0.9.2-3
- Remove kpatch-dnf dependency on python3 (rhbz#1912224)
* Fri Nov 20 2020 Julien Thierry <jthierry@redhat.com> 0.9.2-2
- Fix unload issue under stress (rhbz#1883238)
- Fix dnf-kpatch man file permissions (rhbz#1899341)
- Do not replace dnf kpatch configuration file when reinstalling (rhbz#1898191)
* Thu Sep 24 2020 Julien Thierry <jthierry@redhat.com> 0.9.2-1
- Add kpatch-dnf subpackage (rhbz#1798711)
* Thu Sep 24 2020 Julien Thierry <jthierry@redhat.com> 0.9.2-1
- update to 0.9.2 (rhbz#1877857)
* Tue Oct 22 2019 Yannick Cote <ycote@redhat.com> 0.6.1-6
- fix patch loading issue caused by recent kernel rebase (rhbz#1754679)
* Wed Aug 28 2019 Joe Lawrence <joe.lawrence@redhat.com> 0.6.1-5
- kpatch: clarify that "kpatch unload" isn't supported (rhbz#1746461)
* Sun Jun 23 2019 Joe Lawrence <joe.lawrence@redhat.com> 0.6.1-4
- kpatch script: don't fail if module already loaded+enabled (rhbz#1719305)
* Wed Jun 12 2019 Joe Lawrence <joe.lawrence@redhat.com> 0.6.1-3
- kpatch: patches shouldn't be unloaded on system shutdown (rhbz#1719305)
* Wed Jun 5 2019 Josh Poimboeuf <jpoimboe@redhat.com> 0.6.1-2
- CI gating test (rhbz#1717417)
* Tue Aug 14 2018 Joe Lawrence <joe.lawrence@redhat.com> 0.6.1-1
- update to 0.6.1 (rhbz#1615880)
* Mon Aug 13 2018 Troy Dawson <tdawson@redhat.com> - 0.4.0-4
- Release Bumped for el8 Mass Rebuild
* Thu Nov 16 2017 Joe Lawrence <joe.lawrence@redhat.com> 0.4.0-3
- kpatch: better livepatch module support (rhbz#1504066)
* Wed Oct 18 2017 Josh Poimboeuf <jpoimboe@redhat.com> 0.4.0-2
- fix backwards compatibility with RHEL 7.3 patches (rhbz#1497735)
* Mon Mar 13 2017 Josh Poimboeuf <jpoimboe@redhat.com> 0.4.0-1
- update to 0.4.0 (rhbz#1427642)
* Wed Jun 15 2016 Josh Poimboeuf <jpoimboe@redhat.com> 0.3.2-1
- update to 0.3.2 (rhbz#1282508)
* Wed Nov 18 2015 Josh Poimboeuf <jpoimboe@redhat.com> 0.3.1-1
- update to 0.3.1 (rhbz#1282508)
* Tue Sep 16 2014 Seth Jennings <sjenning@redhat.com> 0.1.10-4
- fix dracut dependencies (rhbz#1170369)
* Tue Sep 16 2014 Seth Jennings <sjenning@redhat.com> 0.1.10-3
- support re-enabling forced modules (rhbz#1140268)
* Thu Sep 11 2014 Seth Jennings <sjenning@redhat.com> 0.1.10-2
- support modprobe format names (rhbz#1133045)
* Thu Jul 31 2014 Josh Poimboeuf <jpoimboe@redhat.com> 0.1.10-1
- update to kpatch 0.1.10
* Wed Jul 23 2014 Josh Poimboeuf <jpoimboe@redhat.com> 0.1.9-1
- update to kpatch 0.1.9
* Tue Jul 15 2014 Josh Poimboeuf <jpoimboe@redhat.com> 0.1.8-1
- update to kpatch 0.1.8
* Wed May 21 2014 Josh Poimboeuf <jpoimboe@redhat.com> 0.1.2-1
- update to kpatch 0.1.2
* Mon May 19 2014 Josh Poimboeuf <jpoimboe@redhat.com> 0.1.1-2
- fix initramfs core module path
* Mon May 19 2014 Josh Poimboeuf <jpoimboe@redhat.com> 0.1.1-1
- rebase to kpatch 0.1.1
* Fri May 9 2014 Josh Poimboeuf <jpoimboe@redhat.com> 0.1.0-2
- modprobe core module
* Tue May 6 2014 Josh Poimboeuf <jpoimboe@redhat.com> 0.1.0-1
- Initial kpatch release 0.1.0
* Thu Jan 30 2014 Josh Poimboeuf <jpoimboe@redhat.com> 0.0-1
- Initial build

152
kpatch.spec Normal file

@ -0,0 +1,152 @@
%define kpatch_dnf_ver 0.5
Name: kpatch
Version: 0.9.10
Release: 20%{?dist}
Summary: Dynamic kernel patch manager
Group: System Environment/Kernel
License: GPLv2
URL: https://github.com/dynup/kpatch
Source0: https://github.com/dynup/kpatch/archive/v%{version}.tar.gz
Source1: kpatch-dnf-v%{kpatch_dnf_ver}.tar.gz
# RHEL-only
Patch0: 0001-contrib-disable-upstart-kpatch.conf-install.patch
Patch1: 0002-kpatch-clarify-unload-unsupport.patch
Patch2: 0003-do-not-rm-selinux-rpm-owned-directory.patch
Patch3: 0004-kpatch-List-CVEs-for-loaded-livepatch-modules.patch
# Upstream backports (inactive -- for future reference)
# %%Patch100: 0100-xxx.patch
# kpatch-dnf backports (inactive -- for future reference)
# %%Patch200: 0200-foo-bar-etcetera.patch
BuildRequires: make
Requires: bash kmod binutils
Recommends: kpatch-dnf
BuildArch: noarch
%description
kpatch is a live kernel patch module manager. It allows the user to manage
a collection of binary kernel patch modules which can be used to dynamically
patch the kernel without rebooting.
%package -n kpatch-dnf
Summary: kpatch-patch manager plugin for DNF
Version: %{version}_%{kpatch_dnf_ver}
BuildRequires: python3-devel python3-dnf
Requires: python3-dnf python3-hawkey
Provides: kpatch-dnf = %{version}-%{release}
%description -n kpatch-dnf
kpatch-dnf is a DNF plugin that manages subscription to kpatch-patch updates.
When enabled, kernel packages are automatically subscribed to corresponding
kpatch-patch packages updates.
%prep
%setup -q
%patch -P 0 -p1
%patch -P 1 -p1
%patch -P 2 -p1
%patch -P 3 -p1
# Use this to apply upstream patches to kpatch
# %%patch -P 100 -p1
%setup -D -T -a 1 -q
# Use this to apply patches to kpatch-dnf (inactive)
# cd kpatch-dnf-%%{kpatch_dnf_ver}
# %%patch200 -p1
# cd ..
%build
make -C man
make -C kpatch-dnf-%{kpatch_dnf_ver}
%install
make install PREFIX=/usr DESTDIR=%{buildroot} -C kpatch
make install PREFIX=/usr DESTDIR=%{buildroot} -C man
make install PREFIX=/usr DESTDIR=%{buildroot} -C contrib
mkdir -p %{buildroot}/%{_sharedstatedir}/kpatch
rm -f %{buildroot}/usr/share/man/man1/kpatch-build.1.gz
make install PREFIX=/usr DESTDIR=%{buildroot} PYTHONSITES=%{python3_sitelib} -C kpatch-dnf-%{kpatch_dnf_ver}
%check
# No check available
%files
%{_sbindir}/kpatch
%{_usr}/lib/systemd/system/kpatch.service
%{_sharedstatedir}/kpatch
%doc %{_mandir}/man1/kpatch.1.gz
%files -n kpatch-dnf
%{python3_sitelib}/dnf-plugins/kpatch.py
%{python3_sitelib}/dnf-plugins/__pycache__
%config(noreplace) %{_sysconfdir}/dnf/plugins/kpatch.conf
%doc %{_mandir}/man8/dnf.kpatch.8.gz
%post -n kpatch-dnf
echo "To enable automatic kpatch-patch subscription, run:"
echo -e "\t$ dnf kpatch auto"
%changelog
* Tue Sep 09 2025 Rado Vrbovsky <rvrbovsk@redhat.com> 0.9.7-20
- Rebase kpatch with upstream to v0.9.10 (RHEL-113127)
- Provide a list of CVEs currently patched using live patches (RHEL-106283)
* Thu Apr 10 2025 Rado Vrbovsky <rvrbovsk@redhat.com> 0.9.7-5
- Rebase kpatch DNF plugin with upstream to 0.5 (RHEL-85686)
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 0.9.7-4
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
* Fri May 3 2024 Joe Lawrence <joe.lawrence@redhat.com> 0.9.7-3
- Fix cs10 build error on missing `make` command
- Fix "warning: %%patchN is deprecated"
* Wed Nov 16 2022 Yannick Cote <ycote@redhat.com> 0.9.7-2
- augment kpatch-dnf package versioning to satisfy build (rhbz#2121212)
* Wed Nov 09 2022 Yannick Cote <ycote@redhat.com> 0.9.7-1
- rebase kpatch user utility code to v0.9.7 (rhbz#2121212)
* Fri Jun 10 2022 Yannick Cote <ycote@redhat.com> 0.9.4-3
- Do not rm selinux rpm owned directory (rhbz#2053413)
* Thu Jan 27 2022 Yannick Cote <ycote@redhat.com> 0.9.4-2
- Add /usr/lib/kpatch to install and files list to appease SELinux (rhbz#2030004)
* Wed Sep 29 2021 Artem Savkov <asavkov@redhat.com> - 0.9.4-1
- Rebase to 0.9.4
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.9.3-3
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Thu Jun 10 2021 Joe Lawrence <joe.lawrence@redhat.com> - 0.9.3-2
- Rebase to latest upstream (via backport patch)
* Tue May 18 2021 Joel Savitz <jsavitz@redhat.com> - 0.9.3-1
- Rebase to latest upstream
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.9.2-5
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Fri Mar 05 2021 Joe Lawrence <joe.lawrence@redhat.com> 0.9.2-4
- Fix kpatch-dnf package description typos (rhbz#1934292)
* Mon Jan 04 2021 Julien Thierry <jthierry@redhat.com> 0.9.2-2
- Remove kpatch-dnf dependency on python3 (rhbz#1912457)
* Wed Dec 2 2020 Joe Lawrence <joe.lawrence@redhat.com> 0.9.2-1
- initial kpatch utility build for rhel-9.0.0 (rhbz#1901593)
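Review bot: The newest `%changelog` entry is stamped `0.9.7-20`, but the preamble sets `Version: 0.9.10` and `Release: 20%{?dist}`, so the entry does not name the build it describes. It should read `* Tue Sep 09 2025 Rado Vrbovsky <rvrbovsk@redhat.com> 0.9.10-20`. The issue ids in that entry also look swapped relative to the header of Patch3, which carries `JIRA: https://issues.redhat.com/browse/RHEL-113127` for the CVE-listing change, while the changelog gives RHEL-113127 to the rebase and RHEL-106283 to the CVE list; please confirm which is right. Patch3 makes the `kpatch` script call `rpm` and `grep -P` at runtime while `Requires:` still lists only `bash kmod binutils`, so consider declaring those dependencies.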

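--- a/sources
+++ b/sources
@@ -0,0 +1,2 @@
+SHA512 (kpatch-dnf-v0.5.tar.gz) = 68593edf725eac5605b690f0a3144abec71b57663c3b10fd7207b500bf47df0c86adf150621fa51e87a7de0f3edbca1c0a718852ca70ebdec485d9bcdbfdcc0b
+SHA512 (v0.9.10.tar.gz) = d27f0e92d93539cc6ae6137419a99d124e5e2dba8bfbf67d15b0bf89230d2e92584c974ccae6932ce7a02460d73da9d46806e9104ee019ea3c6d3cfe8658be83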