diff --git a/.gitignore b/.gitignore
index 65836b8..e4dcd69 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/kpatch-dnf-v0.4.tar.gz
-SOURCES/v0.9.7.tar.gz
+SOURCES/kpatch-dnf-v0.5.tar.gz
+SOURCES/v0.9.10.tar.gz
diff --git a/.kpatch.metadata b/.kpatch.metadata
index daa834b..fd9d611 100644
--- a/.kpatch.metadata
+++ b/.kpatch.metadata
@@ -1,2 +1,2 @@
-fa86620559069e8253b5172849797a6d03b509be SOURCES/kpatch-dnf-v0.4.tar.gz
-da88fa82b005bbafc1719c59bd00847ce2a22a60 SOURCES/v0.9.7.tar.gz
+28103e07453017fa2db783425dc1c23c3e7f3073 SOURCES/kpatch-dnf-v0.5.tar.gz
+75965e61bf14d5e7c8660e327ef2f0f8c12d0d00 SOURCES/v0.9.10.tar.gz
diff --git a/SOURCES/0004-kpatch-List-CVEs-for-loaded-livepatch-modules.patch b/SOURCES/0004-kpatch-List-CVEs-for-loaded-livepatch-modules.patch
new file mode 100644
index 0000000..e9d75a5
--- /dev/null
+++ b/SOURCES/0004-kpatch-List-CVEs-for-loaded-livepatch-modules.patch
@@ -0,0 +1,101 @@
+From a80d2aa1381b901ec0e1da547b607b66e7bd96a1 Mon Sep 17 00:00:00 2001
+From: Radomir Vrbovsky
+Date: Tue, 9 Sep 2025 21:56:27 +0200
+Subject: [PATCH] kpatch: List CVEs for loaded livepatch modules
+
+JIRA: https://issues.redhat.com/browse/RHEL-103845
+Upstream: RHEL-ONLY
+
+Enhances the list subcommand to display the CVE identifiers addressed
+by each installed patch module.
+
+The CVEs are extracted directly from the RPM changelogs of the corresponding
+modules, giving users clearer insight into the security issues mitigated
+by livepatch updates.
+
+V2:
+* Remove temporary files in favor of associative arrays
+* Use printf and sed for indentation instead of a loop
+
+V3:
+* Syntactic changes using ShellCheck
+
+Signed-off-by: Radomir Vrbovsky
+---
+ kpatch/kpatch | 33 +++++++++++++++++++++++++++++++++
+ 1 file changed, 33 insertions(+)
+
+diff --git a/kpatch/kpatch b/kpatch/kpatch
+index c16a108..f029b59 100755
+--- a/kpatch/kpatch
++++ b/kpatch/kpatch
+@@ -24,12 +24,15 @@
+ # displaying information about kernel patch modules installed on the system.
+
+ INSTALLDIR=/var/lib/kpatch
++RPMINSTALLDIR=/lib/kpatch
+ SCRIPTDIR="$(readlink -f "$(dirname "$(type -p "$0")")")"
+ VERSION="0.9.10"
+ POST_ENABLE_WAIT=15 # seconds
+ POST_SIGNAL_WAIT=60 # seconds
+ MODULE_REF_WAIT=15 # seconds
+
++declare -A CVE_LIST
++
+ # How many times to try loading the patch if activeness safety check fails.
+ MAX_LOAD_ATTEMPTS=5
+ # How long to wait before retry, in seconds.
+@@ -446,6 +449,32 @@ get_module_version() {
+ MODVER="${MODVER/ */}"
+ }
+
++query_module_cves() {
++ local module=$1
++ local rpm_log
++ local cve_list
++
++ [[ -z "$module" ]] && return
++
++ rpm_log=$(rpm -q --changelog "$(rpm -q --whatprovides "$module")")
++ [[ -z "$rpm_log" ]] && return
++
++ cve_list=$(echo "$rpm_log" | grep -oP '.*{\K[^}]+' | grep -o 'CVE[0-9-]\+' | sort -n | uniq)
++
++ CVE_LIST[$MODNAME]=$cve_list
++}
++
++query_cves() {
++ for kdir in "$RPMINSTALLDIR"/*; do
++ [[ -e "$kdir" ]] || continue
++ for module in "$kdir"/*.ko; do
++ [[ -e "$module" ]] || continue
++ mod_name "$module"
++ query_module_cves "$module"
++ done
++ done
++}
++
+ unset MODULE
+
+ # Initialize the $SYSFS var. This only works if the core module has been
+@@ -593,6 +622,7 @@ case "$1" in
+
+ "list")
+ [[ "$#" -ne 1 ]] && usage
++ query_cves
+ echo "Loaded patch modules:"
+ for module in "$SYSFS"/*; do
+ if [[ -e "$module" ]]; then
+@@ -605,6 +635,9 @@ case "$1" in
+ || state="disabled"
+ fi
+ echo "$modname [$state]"
++ if [[ -v "CVE_LIST[$MODNAME]" ]]; then
++ printf "%s\n" "${CVE_LIST[$MODNAME]}" | sed 's/^/\t/'
++ fi
+ fi
+ done
+ show_stalled_processes
+--
+2.48.1
+
diff --git a/SPECS/kpatch.spec b/SPECS/kpatch.spec
index aa39833..49e9ef0 100644
--- a/SPECS/kpatch.spec
+++ b/SPECS/kpatch.spec
@@ -1,8 +1,8 @@ -%define kpatch_dnf_ver 0.4 +%define kpatch_dnf_ver 0.5 Name: kpatch -Version: 0.9.7 -Release: 2%{?dist} +Version: 0.9.10 +Release: 10%{?dist} Summary: Dynamic kernel patch manager Group: System Environment/Kernel
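Review bot: The lookup the third inner hunk (`-605,6 +635,9`) adds to the `list` branch keys `CVE_LIST` on `$MODNAME`, but that loop names the loaded module `$modname` (`echo "$modname [$state]"` just above the new lines), and `MODNAME` was last written by `mod_name` inside `query_cves`, so unless a line above the hunk resets it per iteration every loaded module is shown the CVE list of the last module scanned under `$RPMINSTALLDIR`, or none at all. I would write the two new lines as `if [[ -v "CVE_LIST[$modname]" ]]; then` and `printf "%s\n" "${CVE_LIST[$modname]}" | sed 's/^/\t/'`, on the assumption that `mod_name` yields the same name the sysfs directory carries. Separately, `query_module_cves` records the key even when `cve_list` is empty — a changelog without `{…}` tokens, or a module no package owns, where `rpm -q --whatprovides` prints a "no package provides" message that I believe lands on stdout and is then handed to `rpm -q --changelog` as a package name — so the `-v` test passes and `printf | sed` emits a line holding a lone tab; `[[ -z "$cve_list" ]] && return` before the assignment avoids that. `sort -n | uniq` on CVE identifiers is in effect a lexical sort, so `sort -u` says the same thing more directly. The `case "$1"` body that the last two inner hunks patch starts and ends outside them.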
@@ -15,12 +15,13 @@ Source1: kpatch-dnf-v%{kpatch_dnf_ver}.tar.gz Patch0: 0001-contrib-disable-upstart-kpatch.conf-install.patch Patch1: 0002-kpatch-clarify-unload-unsupport.patch Patch2: 0003-do-not-rm-selinux-rpm-owned-directory.patch +Patch3: 0004-kpatch-List-CVEs-for-loaded-livepatch-modules.patch # Upstream backports (inactive -- for future reference) -#Patch100: 0100-xxx.patch +# %%Patch100: 0100-xxx.patch # kpatch-dnf backports (inactive -- for future reference) -#Patch200: 0200-foo-bar-etcetera.patch +# %%Patch200: 0200-foo-bar-etcetera.patch Requires: bash kmod binutils Recommends: kpatch-dnf @@ -39,7 +40,7 @@ Summary: kpatch-patch manager plugin for DNF Version: %{version}_%{kpatch_dnf_ver} BuildRequires: python3-devel python3-dnf Requires: python3-dnf python3-hawkey -Provides: kpatch-dnf +Provides: kpatch-dnf = %{version}-%{release} %description -n kpatch-dnf kpatch-dnf is a DNF plugin that manages subscription to kpatch-patch updates. @@ -48,18 +49,19 @@ kpatch-patch packages updates. %prep %setup -q -%patch0 -p1 -%patch1 -p1 -%patch2 -p1 +%patch -P 0 -p1 +%patch -P 1 -p1 +%patch -P 2 -p1 +%patch -P 3 -p1 # Use this to apply upstream patches to kpatch -#%patch100 -p1 +# %%patch100 -p1 -%setup -D -T -a 1 +%setup -D -T -a 1 -q # Use this to apply patches to kpatch-dnf (inactive) -#cd kpatch-dnf-%{kpatch_dnf_ver} -#%patch200 -p1 -#cd .. +# cd kpatch-dnf-%%{kpatch_dnf_ver} +# %%patch200 -p1 +# cd .. %build make -C man @@ -75,6 +77,9 @@ rm -f %{buildroot}/usr/share/man/man1/kpatch-build.1.gz make install PREFIX=/usr DESTDIR=%{buildroot} PYTHONSITES=%{python3_sitelib} -C kpatch-dnf-%{kpatch_dnf_ver} +%check +# No check available + %files %{_sbindir}/kpatch %{_usr}/lib/systemd/system/kpatch.service 
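Review bot: `Provides: kpatch-dnf = %{version}-%{release}` in the kpatch-dnf subpackage expands, if I read rpm's macro scoping right, to the main package's Version (0.9.10-10…), while the subpackage's own Version tag two lines above is `%{version}_%{kpatch_dnf_ver}`, so the explicit provide names an EVR that differs from the subpackage's real one (0.9.10_0.5-…), which as far as I know rpmbuild already adds as the automatic self-provide. If a versioned dependency is meant to pin the matching build, it should be spelled against the subpackage's EVR, e.g. `Provides: kpatch-dnf = %{version}_%{kpatch_dnf_ver}-%{release}`, or dropped in favour of the automatic self-provide; if it only exists to satisfy the unversioned `Recommends: kpatch-dnf`, a one-line comment stating that would save the next reader the same question. Relatedly, the changelog entry added in the last hunk is headed `0.9.7-10` although this commit sets `Version: 0.9.10` and `Release: 10%{?dist}`; that header should read `0.9.10-10`.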
@@ -92,6 +97,13 @@ echo "To enable automatic kpatch-patch subscription, run:" echo -e "\t$ dnf kpatch auto" %changelog +* Thu Sep 11 2025 Rado Vrbovsky 0.9.7-10 +- Rebase kpatch with upstream to v0.9.10 (RHEL-113130) +- Provide a list of CVEs currently patched using live patches (RHEL-103845) + +* Fri Mar 07 2025 Rado Vrbovsky 0.9.7-3 +- Rebase kpatch DNF plugin with upstream to 0.5 (RHEL-77113) + * Wed Nov 16 2022 Yannick Cote 0.9.7-2 - augment kpatch-dnf package versioning to satisfy build (rhbz#2121212)