diff --git a/.gitignore b/.gitignore
index b6047f5..247c454 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/kpatch-dnf-v0.5.tar.gz
-SOURCES/v0.9.7.tar.gz
+kpatch-dnf-v0.5.tar.gz
+v0.9.10.tar.gz
diff --git a/.kpatch.metadata b/.kpatch.metadata
deleted file mode 100644
index d9b37d0..0000000
--- a/.kpatch.metadata
+++ /dev/null
@@ -1,2 +0,0 @@
-28103e07453017fa2db783425dc1c23c3e7f3073 SOURCES/kpatch-dnf-v0.5.tar.gz
-da88fa82b005bbafc1719c59bd00847ce2a22a60 SOURCES/v0.9.7.tar.gz
diff --git a/SOURCES/0001-contrib-disable-upstart-kpatch.conf-install.patch b/0001-contrib-disable-upstart-kpatch.conf-install.patch
similarity index 100%
rename from SOURCES/0001-contrib-disable-upstart-kpatch.conf-install.patch
rename to 0001-contrib-disable-upstart-kpatch.conf-install.patch
diff --git a/SOURCES/0002-kpatch-clarify-unload-unsupport.patch b/0002-kpatch-clarify-unload-unsupport.patch
similarity index 100%
rename from SOURCES/0002-kpatch-clarify-unload-unsupport.patch
rename to 0002-kpatch-clarify-unload-unsupport.patch
diff --git a/SOURCES/0003-do-not-rm-selinux-rpm-owned-directory.patch b/0003-do-not-rm-selinux-rpm-owned-directory.patch
similarity index 100%
rename from SOURCES/0003-do-not-rm-selinux-rpm-owned-directory.patch
rename to 0003-do-not-rm-selinux-rpm-owned-directory.patch
diff --git a/0004-kpatch-List-CVEs-for-loaded-livepatch-modules.patch b/0004-kpatch-List-CVEs-for-loaded-livepatch-modules.patch
new file mode 100644
index 0000000..9392b81
--- /dev/null
+++ b/0004-kpatch-List-CVEs-for-loaded-livepatch-modules.patch
@@ -0,0 +1,101 @@
+From a80d2aa1381b901ec0e1da547b607b66e7bd96a1 Mon Sep 17 00:00:00 2001
+From: Radomir Vrbovsky
+Date: Tue, 9 Sep 2025 21:56:27 +0200
+Subject: [PATCH] kpatch: List CVEs for loaded livepatch modules
+
+JIRA: https://issues.redhat.com/browse/RHEL-113127
+Upstream: RHEL-ONLY
+
+Enhances the list subcommand to display the CVE identifiers addressed
+by each installed patch module.
+
+The CVEs are extracted directly from the RPM changelogs of the corresponding
+modules, giving users clearer insight into the security issues mitigated
+by livepatch updates.
+
+V2:
+* Remove temporary files in favor of associative arrays
+* Use printf and sed for indentation instead of a loop
+
+V3:
+* Syntactic changes using ShellCheck
+
+Signed-off-by: Radomir Vrbovsky
+---
+ kpatch/kpatch | 33 +++++++++++++++++++++++++++++++++
+ 1 file changed, 33 insertions(+)
+
+diff --git a/kpatch/kpatch b/kpatch/kpatch
+index c16a108..f029b59 100755
+--- a/kpatch/kpatch
++++ b/kpatch/kpatch
+@@ -24,12 +24,15 @@
+ # displaying information about kernel patch modules installed on the system.
+
+ INSTALLDIR=/var/lib/kpatch
++RPMINSTALLDIR=/lib/kpatch
+ SCRIPTDIR="$(readlink -f "$(dirname "$(type -p "$0")")")"
+ VERSION="0.9.10"
+ POST_ENABLE_WAIT=15 # seconds
+ POST_SIGNAL_WAIT=60 # seconds
+ MODULE_REF_WAIT=15 # seconds
+
++declare -A CVE_LIST
++
+ # How many times to try loading the patch if activeness safety check fails.
+ MAX_LOAD_ATTEMPTS=5
+ # How long to wait before retry, in seconds.
+@@ -446,6 +449,32 @@ get_module_version() {
+ MODVER="${MODVER/ */}"
+ }
+
++query_module_cves() {
++ local module=$1
++ local rpm_log
++ local cve_list
++
++ [[ -z "$module" ]] && return
++
++ rpm_log=$(rpm -q --changelog "$(rpm -q --whatprovides "$module")")
++ [[ -z "$rpm_log" ]] && return
++
++ cve_list=$(echo "$rpm_log" | grep -oP '.*{\K[^}]+' | grep -o 'CVE[0-9-]\+' | sort -n | uniq)
++
++ CVE_LIST[$MODNAME]=$cve_list
++}
++
++query_cves() {
++ for kdir in "$RPMINSTALLDIR"/*; do
++ [[ -e "$kdir" ]] || continue
++ for module in "$kdir"/*.ko; do
++ [[ -e "$module" ]] || continue
++ mod_name "$module"
++ query_module_cves "$module"
++ done
++ done
++}
++
+ unset MODULE
+
+ # Initialize the $SYSFS var. This only works if the core module has been
+@@ -593,6 +622,7 @@ case "$1" in
+
+ "list")
+ [[ "$#" -ne 1 ]] && usage
++ query_cves
+ echo "Loaded patch modules:"
+ for module in "$SYSFS"/*; do
+ if [[ -e "$module" ]]; then
+@@ -605,6 +635,9 @@ case "$1" in
+ || state="disabled"
+ fi
+ echo "$modname [$state]"
++ if [[ -v "CVE_LIST[$MODNAME]" ]]; then
++ printf "%s\n" "${CVE_LIST[$MODNAME]}" | sed 's/^/\t/'
++ fi
+ fi
+ done
+ show_stalled_processes
+--
+2.48.1
+
diff --git a/SPECS/kpatch.spec b/SPECS/kpatch.spec
deleted file mode 100644
index e0749fc..0000000
--- a/SPECS/kpatch.spec
+++ /dev/null
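Review bot: In the `"list"` loop (nested hunk `@@ -605,6 +635,9 @@`) the lookup `CVE_LIST[$MODNAME]` reads the global that `query_cves` leaves set to the last module it walked, while the line just above prints `$modname`; unless that loop also assigns `MODNAME` somewhere outside the hunk (the `list` case continues beyond it), every loaded module is printed with the same CVE list. Keying on the name actually printed, `if [[ -v "CVE_LIST[$modname]" ]]; then` and `printf "%s\n" "${CVE_LIST[$modname]}" | sed 's/^/\t/'`, and having `query_cves` pass the key explicitly (`query_module_cves "$module" "$MODNAME"`) removes the dependence on global state; this assumes sysfs entries and `mod_name` output use the same underscore form, which the hunk does not show. In `query_module_cves`, `rpm -q --whatprovides` on a .ko no package owns reports "no package provides …" and exits non-zero, and, as far as I can tell, that message rather than a package name is what gets handed to `rpm -q --changelog`; checking the status, `rpm_pkg=$(rpm -q --whatprovides "$module") || return`, keeps unowned modules out of the map instead of storing an empty entry that prints as a blank indented line. `sort -n | uniq` on CVE strings can simply be `sort -u`, and the extractor's reliance on `{...}` in changelog text deserves a comment stating the changelog convention it expects, since the printed list is only as trustworthy as that convention.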
@@ -1,198 +0,0 @@
-%define kpatch_dnf_ver 0.5
-
-Name: kpatch
-Version: 0.9.7
-Release: 3%{?dist}
-Summary: Dynamic kernel patch manager
-
-Group: System Environment/Kernel
-License: GPLv2
-URL: https://github.com/dynup/kpatch
-Source0: https://github.com/dynup/kpatch/archive/v%{version}.tar.gz
-Source1: kpatch-dnf-v%{kpatch_dnf_ver}.tar.gz
-
-# RHEL-only
-Patch0: 0001-contrib-disable-upstart-kpatch.conf-install.patch
-Patch1: 0002-kpatch-clarify-unload-unsupport.patch
-Patch2: 0003-do-not-rm-selinux-rpm-owned-directory.patch
-
-# Upstream backports
-#Patch100: 0100-xxx.patch
-
-# kpatch-dnf backports
-#Patch200: 0200-xxx.patch
-
-Requires: bash kmod binutils
-Recommends: kpatch-dnf
-
-BuildArch: noarch
-
-
-%description
-kpatch is a live kernel patch module manager. It allows the user to manage
-a collection of binary kernel patch modules which can be used to dynamically
-patch the kernel without rebooting.
-
-
-%package -n kpatch-dnf
-Summary: kpatch-patch manager plugin for DNF
-Version: %{version}_%{kpatch_dnf_ver}
-BuildRequires: python3-devel python3-dnf
-Requires: python3-dnf python3-hawkey
-Provides: kpatch-dnf
-
-%description -n kpatch-dnf
-kpatch-dnf is a DNF plugin that manages subscription to kpatch-patch updates.
-When enabled, kernel packages are automatically subscribed to corresponding
-kpatch-patch packages updates.
-
-%prep
-%setup -q
-%patch0 -p1
-%patch1 -p1
-%patch2 -p1
-
-%setup -D -T -a 1
-cd kpatch-dnf-%{kpatch_dnf_ver}
-cd ..
-
-%build
-make -C man
-
-make -C kpatch-dnf-%{kpatch_dnf_ver}
-
-%install
-make install PREFIX=/usr DESTDIR=%{buildroot} -C kpatch
-make install PREFIX=/usr DESTDIR=%{buildroot} -C man
-make install PREFIX=/usr DESTDIR=%{buildroot} -C contrib
-mkdir -p %{buildroot}/%{_sharedstatedir}/kpatch
-rm -f %{buildroot}/usr/share/man/man1/kpatch-build.1.gz
-
-make install PREFIX=/usr DESTDIR=%{buildroot} PYTHONSITES=%{python3_sitelib} -C kpatch-dnf-%{kpatch_dnf_ver}
-
-%files
-%{_sbindir}/kpatch
-%{_usr}/lib/systemd/system/kpatch.service
-%{_sharedstatedir}/kpatch
-%doc %{_mandir}/man1/kpatch.1.gz
-
-%files -n kpatch-dnf
-%{python3_sitelib}/dnf-plugins/kpatch.py
-%{python3_sitelib}/dnf-plugins/__pycache__
-%config(noreplace) %{_sysconfdir}/dnf/plugins/kpatch.conf
-%doc %{_mandir}/man8/dnf.kpatch.8.gz
-
-%post -n kpatch-dnf
-echo "To enable automatic kpatch-patch subscription, run:"
-echo -e "\t$ dnf kpatch auto"
-
-%changelog
-* Tue Apr 08 2025 Rado Vrbovsky 0.9.7-3
-- Rebase kpatch DNF plugin with upstream to 0.5 (RHEL-85574)
-
-* Wed Nov 16 2022 Yannick Cote 0.9.7-2
-- augment kpatch-dnf package versioning to satisfy build (rhbz#2121211)
-
-* Wed Nov 09 2022 Yannick Cote 0.9.7-1
-- rebase kpatch user utility code to v0.9.7 (rhbz#2121211)
-
-* Fri Jun 10 2022 Yannick Cote 0.9.4-3
-- Do not rm selinux rpm owned directory (rhbz#2065609)
-
-* Fri Jan 14 2022 Yannick Cote 0.9.4-2
-- Add /usr/lib/kpatch to install and files list to appease SELinux (rhbz#2022123)
-
-* Thu Sep 23 2021 Artem Savkov 0.9.4-1
-- Update kpatch utility to 0.9.4 and kpatch-dnf to 0.4 (rhbz#2006841)
-
-* Mon Mar 15 2021 Artem Savkov 0.9.2-5
-- Cleanup /var/lib/kpatch directory on uninstall (rhbz#1930108)
-
-* Thu Mar 11 2021 Joe Lawrence 0.9.2-4
-- Fix kpatch-dnf package description typos (rhbz#1934293)
-
-* Mon Jan 04 2021 Julien Thierry 0.9.2-3
-- Remove kpatch-dnf dependency on python3 (rhbz#1912224)
-
-* Fri Nov 20 2020 Julien Thierry 0.9.2-2
-- Fix unload issue under stress (rhbz#1883238)
-- Fix dnf-kpatch man file permissions (rhbz#1899341)
-- Do not replace dnf kpatch configuration file when reinstalling (rhbz#1898191)
-
-* Thu Sep 24 2020 Julien Thierry 0.9.2-1
-- Add kpatch-dnf subpackage (rhbz#1798711)
-
-* Thu Sep 24 2020 Julien Thierry 0.9.2-1
-- update to 0.9.2 (rhbz#1877857)
-
-* Tue Oct 22 2019 Yannick Cote 0.6.1-6
-- fix patch loading issue caused by recent kernel rebase (rhbz#1754679)
-
-* Wed Aug 28 2019 Joe Lawrence 0.6.1-5
-- kpatch: clarify that "kpatch unload" isn't supported (rhbz#1746461)
-
-* Sun Jun 23 2019 Joe Lawrence 0.6.1-4
-- kpatch script: don't fail if module already loaded+enabled (rhbz#1719305)
-
-* Wed Jun 12 2019 Joe Lawrence 0.6.1-3
-- kpatch: patches shouldn't be unloaded on system shutdown (rhbz#1719305)
-
-* Wed Jun 5 2019 Josh Poimboeuf 0.6.1-2
-- CI gating test (rhbz#1717417)
-
-* Tue Aug 14 2018 Joe Lawrence 0.6.1-1
-- update to 0.6.1 (rhbz#1615880)
-
-* Mon Aug 13 2018 Troy Dawson - 0.4.0-4
-- Release Bumped for el8 Mass Rebuild
-
-* Thu Nov 16 2017 Joe Lawrence 0.4.0-3
-- kpatch: better livepatch module support (rhbz#1504066)
-
-* Wed Oct 18 2017 Josh Poimboeuf 0.4.0-2
-- fix backwards compatibility with RHEL 7.3 patches (rhbz#1497735)
-
-* Mon Mar 13 2017 Josh Poimboeuf 0.4.0-1
-- update to 0.4.0 (rhbz#1427642)
-
-* Wed Jun 15 2016 Josh Poimboeuf 0.3.2-1
-- update to 0.3.2 (rhbz#1282508)
-
-* Wed Nov 18 2015 Josh Poimboeuf 0.3.1-1
-- update to 0.3.1 (rhbz#1282508)
-
-* Tue Sep 16 2014 Seth Jennings 0.1.10-4
-- fix dracut dependencies (rhbz#1170369)
-
-* Tue Sep 16 2014 Seth Jennings 0.1.10-3
-- support re-enabling forced modules (rhbz#1140268)
-
-* Thu Sep 11 2014 Seth Jennings 0.1.10-2
-- support modprobe format names (rhbz#1133045)
-
-* Thu Jul 31 2014 Josh Poimboeuf 0.1.10-1
-- update to kpatch 0.1.10
-
-* Wed Jul 23 2014 Josh Poimboeuf 0.1.9-1
-- update to kpatch 0.1.9
-
-* Tue Jul 15 2014 Josh Poimboeuf 0.1.8-1
-- update to kpatch 0.1.8
-
-* Wed May 21 2014 Josh Poimboeuf 0.1.2-1
-- update to kpatch 0.1.2
-
-* Mon May 19 2014 Josh Poimboeuf 0.1.1-2
-- fix initramfs core module path
-
-* Mon May 19 2014 Josh Poimboeuf 0.1.1-1
-- rebase to kpatch 0.1.1
-
-* Fri May 9 2014 Josh Poimboeuf 0.1.0-2
-- modprobe core module
-
-* Tue May 6 2014 Josh Poimboeuf 0.1.0-1
-- Initial kpatch release 0.1.0
-
-* Thu Jan 30 2014 Josh Poimboeuf 0.0-1
-- Initial build
diff --git a/kpatch.spec b/kpatch.spec
new file mode 100644
index 0000000..ef86c40
--- /dev/null
+++ b/kpatch.spec
@@ -0,0 +1,152 @@
+%define kpatch_dnf_ver 0.5
+
+Name: kpatch
+Version: 0.9.10
+Release: 20%{?dist}
+Summary: Dynamic kernel patch manager
+
+Group: System Environment/Kernel
+License: GPLv2
+URL: https://github.com/dynup/kpatch
+Source0: https://github.com/dynup/kpatch/archive/v%{version}.tar.gz
+Source1: kpatch-dnf-v%{kpatch_dnf_ver}.tar.gz
+
+# RHEL-only
+Patch0: 0001-contrib-disable-upstart-kpatch.conf-install.patch
+Patch1: 0002-kpatch-clarify-unload-unsupport.patch
+Patch2: 0003-do-not-rm-selinux-rpm-owned-directory.patch
+Patch3: 0004-kpatch-List-CVEs-for-loaded-livepatch-modules.patch
+
+# Upstream backports (inactive -- for future reference)
+# %%Patch100: 0100-xxx.patch
+
+# kpatch-dnf backports (inactive -- for future reference)
+# %%Patch200: 0200-foo-bar-etcetera.patch
+
+BuildRequires: make
+
+Requires: bash kmod binutils
+Recommends: kpatch-dnf
+
+BuildArch: noarch
+
+
+%description
+kpatch is a live kernel patch module manager. It allows the user to manage
+a collection of binary kernel patch modules which can be used to dynamically
+patch the kernel without rebooting.
+
+
+%package -n kpatch-dnf
+Summary: kpatch-patch manager plugin for DNF
+Version: %{version}_%{kpatch_dnf_ver}
+BuildRequires: python3-devel python3-dnf
+Requires: python3-dnf python3-hawkey
+Provides: kpatch-dnf = %{version}-%{release}
+
+%description -n kpatch-dnf
+kpatch-dnf is a DNF plugin that manages subscription to kpatch-patch updates.
+When enabled, kernel packages are automatically subscribed to corresponding
+kpatch-patch packages updates.
+
+%prep
+%setup -q
+%patch -P 0 -p1
+%patch -P 1 -p1
+%patch -P 2 -p1
+%patch -P 3 -p1
+# Use this to apply upstream patches to kpatch
+# %%patch -P 100 -p1
+
+%setup -D -T -a 1 -q
+
+# Use this to apply patches to kpatch-dnf (inactive)
+# cd kpatch-dnf-%%{kpatch_dnf_ver}
+# %%patch200 -p1
+# cd ..
+
+%build
+make -C man
+
+make -C kpatch-dnf-%{kpatch_dnf_ver}
+
+%install
+make install PREFIX=/usr DESTDIR=%{buildroot} -C kpatch
+make install PREFIX=/usr DESTDIR=%{buildroot} -C man
+make install PREFIX=/usr DESTDIR=%{buildroot} -C contrib
+mkdir -p %{buildroot}/%{_sharedstatedir}/kpatch
+rm -f %{buildroot}/usr/share/man/man1/kpatch-build.1.gz
+
+make install PREFIX=/usr DESTDIR=%{buildroot} PYTHONSITES=%{python3_sitelib} -C kpatch-dnf-%{kpatch_dnf_ver}
+
+%check
+# No check available
+
+%files
+%{_sbindir}/kpatch
+%{_usr}/lib/systemd/system/kpatch.service
+%{_sharedstatedir}/kpatch
+%doc %{_mandir}/man1/kpatch.1.gz
+
+%files -n kpatch-dnf
+%{python3_sitelib}/dnf-plugins/kpatch.py
+%{python3_sitelib}/dnf-plugins/__pycache__
+%config(noreplace) %{_sysconfdir}/dnf/plugins/kpatch.conf
+%doc %{_mandir}/man8/dnf.kpatch.8.gz
+
+%post -n kpatch-dnf
+echo "To enable automatic kpatch-patch subscription, run:"
+echo -e "\t$ dnf kpatch auto"
+
+%changelog
+* Tue Sep 09 2025 Rado Vrbovsky 0.9.7-20
+- Rebase kpatch with upstream to v0.9.10 (RHEL-113127)
+- Provide a list of CVEs currently patched using live patches (RHEL-106283)
+
+* Thu Apr 10 2025 Rado Vrbovsky 0.9.7-5
+- Rebase kpatch DNF plugin with upstream to 0.5 (RHEL-85686)
+
+* Tue Oct 29 2024 Troy Dawson - 0.9.7-4
+- Bump release for October 2024 mass rebuild:
+ Resolves: RHEL-64018
+
+* Fri May 3 2024 Joe Lawrence 0.9.7-3
+- Fix cs10 build error on missing `make` command
+- Fix "warning: %%patchN is deprecated"
+
+* Wed Nov 16 2022 Yannick Cote 0.9.7-2
+- augment kpatch-dnf package versioning to satisfy build (rhbz#2121212)
+
+* Wed Nov 09 2022 Yannick Cote 0.9.7-1
+- rebase kpatch user utility code to v0.9.7 (rhbz#2121212)
+
+* Fri Jun 10 2022 Yannick Cote 0.9.4-3
+- Do not rm selinux rpm owned directory (rhbz#2053413)
+
+* Thu Jan 27 2022 Yannick Cote 0.9.4-2
+- Add /usr/lib/kpatch to install and files list to appease SELinux (rhbz#2030004)
+
+* Wed Sep 29 2021 Artem Savkov - 0.9.4-1
+- Rebase to 0.9.4
+
+* Mon Aug 09 2021 Mohan Boddu - 0.9.3-3
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+ Related: rhbz#1991688
+
+* Thu Jun 10 2021 Joe Lawrence - 0.9.3-2
+- Rebase to latest upstream (via backport patch)
+
+* Tue May 18 2021 Joel Savitz - 0.9.3-1
+- Rebase to latest upstream
+
+* Fri Apr 16 2021 Mohan Boddu - 0.9.2-5
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Fri Mar 05 2021 Joe Lawrence 0.9.2-4
+- Fix kpatch-dnf package description typos (rhbz#1934292)
+
+* Mon Jan 04 2021 Julien Thierry 0.9.2-2
+- Remove kpatch-dnf dependency on python3 (rhbz#1912457)
+
+* Wed Dec 2 2020 Joe Lawrence 0.9.2-1
+- initial kpatch utility build for rhel-9.0.0 (rhbz#1901593)
diff --git a/sources b/sources
new file mode 100644
index 0000000..28f6ca1
--- /dev/null
+++ b/sources
@@ -0,0 +1,2 @@
+SHA512 (kpatch-dnf-v0.5.tar.gz) = 68593edf725eac5605b690f0a3144abec71b57663c3b10fd7207b500bf47df0c86adf150621fa51e87a7de0f3edbca1c0a718852ca70ebdec485d9bcdbfdcc0b
+SHA512 (v0.9.10.tar.gz) = d27f0e92d93539cc6ae6137419a99d124e5e2dba8bfbf67d15b0bf89230d2e92584c974ccae6932ce7a02460d73da9d46806e9104ee019ea3c6d3cfe8658be83
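Review bot: The new `%changelog` header at the top of the changelog reads `0.9.7-20` while the package is now `Version: 0.9.10` / `Release: 20%{?dist}`, so the entry's EVR disagrees with the build it describes (rpmlint reports this as incoherent-version-in-changelog). Change the line to `* Tue Sep 09 2025 Rado Vrbovsky 0.9.10-20`, or, if the rebase is meant to restart the release counter, set `Release: 1%{?dist}` and use `0.9.10-1`. In `%install`, `rm -f %{buildroot}/usr/share/man/man1/kpatch-build.1.gz` hard-codes the path that `%files` spells as `%{_mandir}`, so `rm -f %{buildroot}%{_mandir}/man1/kpatch-build.1.gz` keeps the two in step. `%check` holds only the comment `# No check available`, so the section does nothing; either drop it or state there why nothing can run in the buildroot.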