kpatch: List CVEs for loaded livepatch modules
JIRA: https://issues.redhat.com/browse/RHEL-113127 Upstream: RHEL-ONLY Enhances the list subcommand to display the CVE identifiers addressed by each installed patch module. The CVEs are extracted directly from the RPM changelogs of the corresponding modules, giving users clearer insight into the security issues mitigated by livepatch updates. V2: * Remove temporary files in favor of associative arrays * Use printf and sed for indentation instead of a loop V3: * Syntactic changes using ShellCheck Resolves: RHEL-113127 Signed-off-by: Radomir Vrbovsky <rvrbovsk@redhat.com>
This commit is contained in:
parent
7ecc52d2e0
commit
4134b11f7f
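--- a/0004-kpatch-List-CVEs-for-loaded-livepatch-modules.patch
+++ b/0004-kpatch-List-CVEs-for-loaded-livepatch-modules.patch
@@ -0,0 +1,101 @@
+From a80d2aa1381b901ec0e1da547b607b66e7bd96a1 Mon Sep 17 00:00:00 2001
+From: Radomir Vrbovsky <rvrbovsk@redhat.com>
+Date: Tue, 9 Sep 2025 21:56:27 +0200
+Subject: [PATCH] kpatch: List CVEs for loaded livepatch modules
+
+JIRA: https://issues.redhat.com/browse/RHEL-113127
+Upstream: RHEL-ONLY
+
+Enhances the list subcommand to display the CVE identifiers addressed
+by each installed patch module.
+
+The CVEs are extracted directly from the RPM changelogs of the corresponding
+modules, giving users clearer insight into the security issues mitigated
+by livepatch updates.
+
+V2:
+* Remove temporary files in favor of associative arrays
+* Use printf and sed for indentation instead of a loop
+
+V3:
+* Syntactic changes using ShellCheck
+
+Signed-off-by: Radomir Vrbovsky <rvrbovsk@redhat.com>
+---
+kpatch/kpatch | 33 +++++++++++++++++++++++++++++++++
+1 file changed, 33 insertions(+)
+
+diff --git a/kpatch/kpatch b/kpatch/kpatch
+index c16a108..f029b59 100755
+--- a/kpatch/kpatch
++++ b/kpatch/kpatch
+@@ -24,12 +24,15 @@
+# displaying information about kernel patch modules installed on the system.
+
+INSTALLDIR=/var/lib/kpatch
++RPMINSTALLDIR=/lib/kpatch
+SCRIPTDIR="$(readlink -f "$(dirname "$(type -p "$0")")")"
+VERSION="0.9.10"
+POST_ENABLE_WAIT=15 # seconds
+POST_SIGNAL_WAIT=60 # seconds
+MODULE_REF_WAIT=15 # seconds
+
++declare -A CVE_LIST
++
+# How many times to try loading the patch if activeness safety check fails.
+MAX_LOAD_ATTEMPTS=5
+# How long to wait before retry, in seconds.
+@@ -446,6 +449,32 @@ get_module_version() {
+MODVER="${MODVER/ */}"
+}
+
++query_module_cves() {
++ local module=$1
++ local rpm_log
++ local cve_list
++
++ [[ -z "$module" ]] && return
++
++ rpm_log=$(rpm -q --changelog "$(rpm -q --whatprovides "$module")")
++ [[ -z "$rpm_log" ]] && return
++
++ cve_list=$(echo "$rpm_log" | grep -oP '.*{\K[^}]+' | grep -o 'CVE[0-9-]\+' | sort -n | uniq)
++
++ CVE_LIST[$MODNAME]=$cve_list
++}
++
++query_cves() {
++ for kdir in "$RPMINSTALLDIR"/*; do
++ [[ -e "$kdir" ]] || continue
++ for module in "$kdir"/*.ko; do
++ [[ -e "$module" ]] || continue
++ mod_name "$module"
++ query_module_cves "$module"
++ done
++ done
++}
++
+unset MODULE
+
+# Initialize the $SYSFS var. This only works if the core module has been
+@@ -593,6 +622,7 @@ case "$1" in
+
+"list")
+[[ "$#" -ne 1 ]] && usage
++ query_cves
+echo "Loaded patch modules:"
+for module in "$SYSFS"/*; do
+if [[ -e "$module" ]]; then
+@@ -605,6 +635,9 @@ case "$1" in
+|| state="disabled"
+fi
+echo "$modname [$state]"
++ if [[ -v "CVE_LIST[$MODNAME]" ]]; then
++ printf "%s\n" "${CVE_LIST[$MODNAME]}" | sed 's/^/\t/'
++ fi
+fi
+done
+show_stalled_processes
+--
+2.48.1
+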
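Review bot: The lookup key in the loaded-modules loop, `[[ -v "CVE_LIST[$MODNAME]" ]]`, does not match the `$modname` printed on the line just above it; unless a line hidden between the two `"list")` hunks sets `MODNAME` for the current sysfs entry, `$MODNAME` still holds whatever the last `mod_name` call in `query_cves` left behind, and every loaded module would be shown with the same CVE list. Calling `mod_name "$module"` immediately before the test (the same normalisation that produced the keys) would make the lookup unambiguous. In `query_module_cves` the exit status of both `rpm -q` calls is ignored and an empty `cve_list` is still stored, so a module whose .ko rpm cannot attribute, or whose changelog carries no `{CVE-...}` entries, gets a key with an empty value and `list` prints a blank tab-indented line under it; `[[ -z "$cve_list" ]] && return` before the assignment avoids that. A short comment above the `grep -oP '.*{\K[^}]+'` pipeline stating that it presumably relies on the changelog convention of listing CVE ids inside braces would help the next maintainer, since that regex is the only thing selecting the ids. The `"list")` case body continues outside the hunk.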
@ -2,7 +2,7 @@
Name: kpatch
Version: 0.9.10
Release: 5%{?dist}
Release: 20%{?dist}
Summary: Dynamic kernel patch manager
Group: System Environment/Kernel
@ -15,6 +15,7 @@ Source1: kpatch-dnf-v%{kpatch_dnf_ver}.tar.gz
Patch0: 0001-contrib-disable-upstart-kpatch.conf-install.patch
Patch1: 0002-kpatch-clarify-unload-unsupport.patch
Patch2: 0003-do-not-rm-selinux-rpm-owned-directory.patch
Patch3: 0004-kpatch-List-CVEs-for-loaded-livepatch-modules.patch
# Upstream backports (inactive -- for future reference)
#Patch100: 0100-xxx.patch
@ -53,6 +54,7 @@ kpatch-patch packages updates.
%patch -P 0 -p1
%patch -P 1 -p1
%patch -P 2 -p1
%patch -P 3 -p1
# Use this to apply upstream patches to kpatch
#%patch -P 100 -p1
@ -94,6 +96,10 @@ echo "To enable automatic kpatch-patch subscription, run:"
echo -e "\t$ dnf kpatch auto"
%changelog
* Tue Sep 09 2025 Rado Vrbovsky <rvrbovsk@redhat.com> 0.9.7-20
- Rebase kpatch with upstream to v0.9.10 (RHEL-113127)
- Provide a list of CVEs currently patched using live patches (RHEL-106283)
* Thu Apr 10 2025 Rado Vrbovsky <rvrbovsk@redhat.com> 0.9.7-5
- Rebase kpatch DNF plugin with upstream to 0.5 (RHEL-85686)