Compare commits

...

No commits in common. "c8" and "c9-beta" have entirely different histories.
c8 ... c9-beta

4 changed files with 154 additions and 109 deletions

.gitignore

@ -1,2 +1,2 @@
SOURCES/kpatch-dnf-v0.5.tar.gz
SOURCES/v0.9.7.tar.gz
SOURCES/v0.9.10.tar.gz


@ -1,2 +1,2 @@
28103e07453017fa2db783425dc1c23c3e7f3073 SOURCES/kpatch-dnf-v0.5.tar.gz
da88fa82b005bbafc1719c59bd00847ce2a22a60 SOURCES/v0.9.7.tar.gz
75965e61bf14d5e7c8660e327ef2f0f8c12d0d00 SOURCES/v0.9.10.tar.gz
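Review bot: the SHA-1 on the last line is the only integrity anchor this compare gives for SOURCES/v0.9.10.tar.gz, since the tarball itself is ignored by .gitignore and nothing else on the page ties the digest to an upstream kpatch v0.9.10 release; before merging, confirm the lookaside tarball matches the upstream v0.9.10 release artifact (or the tag it was cut from) rather than trusting the hash line alone.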


@ -0,0 +1,101 @@
From a80d2aa1381b901ec0e1da547b607b66e7bd96a1 Mon Sep 17 00:00:00 2001
From: Radomir Vrbovsky <rvrbovsk@redhat.com>
Date: Tue, 9 Sep 2025 21:56:27 +0200
Subject: [PATCH] kpatch: List CVEs for loaded livepatch modules
JIRA: https://issues.redhat.com/browse/RHEL-103845
Upstream: RHEL-ONLY
Enhances the list subcommand to display the CVE identifiers addressed
by each installed patch module.
The CVEs are extracted directly from the RPM changelogs of the corresponding
modules, giving users clearer insight into the security issues mitigated
by livepatch updates.
V2:
* Remove temporary files in favor of associative arrays
* Use printf and sed for indentation instead of a loop
V3:
* Syntactic changes using ShellCheck
Signed-off-by: Radomir Vrbovsky <rvrbovsk@redhat.com>
---
kpatch/kpatch | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
diff --git a/kpatch/kpatch b/kpatch/kpatch
index c16a108..f029b59 100755
--- a/kpatch/kpatch
+++ b/kpatch/kpatch
@@ -24,12 +24,15 @@
# displaying information about kernel patch modules installed on the system.
INSTALLDIR=/var/lib/kpatch
+RPMINSTALLDIR=/lib/kpatch
SCRIPTDIR="$(readlink -f "$(dirname "$(type -p "$0")")")"
VERSION="0.9.10"
POST_ENABLE_WAIT=15 # seconds
POST_SIGNAL_WAIT=60 # seconds
MODULE_REF_WAIT=15 # seconds
+declare -A CVE_LIST
+
# How many times to try loading the patch if activeness safety check fails.
MAX_LOAD_ATTEMPTS=5
# How long to wait before retry, in seconds.
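Review bot: the new `RPMINSTALLDIR=/lib/kpatch` line needs a comment explaining how it differs from `INSTALLDIR=/var/lib/kpatch` directly above it (RPM-installed kpatch-patch modules versus locally installed ones), and the path disagrees with the `/usr/lib/kpatch` the spec changelog refers to; the two coincide only on a merged-/usr system, so either spell it `/usr/lib/kpatch` or note that the split-/usr case is not supported.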
@@ -446,6 +449,32 @@ get_module_version() {
MODVER="${MODVER/ */}"
}
+query_module_cves() {
+ local module=$1
+ local rpm_log
+ local cve_list
+
+ [[ -z "$module" ]] && return
+
+ rpm_log=$(rpm -q --changelog "$(rpm -q --whatprovides "$module")")
+ [[ -z "$rpm_log" ]] && return
+
+ cve_list=$(echo "$rpm_log" | grep -oP '.*{\K[^}]+' | grep -o 'CVE[0-9-]\+' | sort -n | uniq)
+
+ CVE_LIST[$MODNAME]=$cve_list
+}
+
+query_cves() {
+ for kdir in "$RPMINSTALLDIR"/*; do
+ [[ -e "$kdir" ]] || continue
+ for module in "$kdir"/*.ko; do
+ [[ -e "$module" ]] || continue
+ mod_name "$module"
+ query_module_cves "$module"
+ done
+ done
+}
+
unset MODULE
# Initialize the $SYSFS var. This only works if the core module has been
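Review bot: `query_module_cves` takes `$module` as its argument but stores the result under the global `$MODNAME` that `query_cves` happens to have set via `mod_name` just before the call; pass the key explicitly (`query_module_cves "$MODNAME" "$module"`) so the function does not depend on caller ordering. The inner `rpm -q --whatprovides "$module"` is also unchecked: for a `.ko` not owned by any package its failure message becomes the argument of `rpm -q --changelog`, which then fails a second time and leaks both errors to stderr during `kpatch list`; check the exit status of the first call and return early, and redirect stderr. Finally `sort -n | uniq` on `CVE-YYYY-NNNN` strings does nothing numeric; `sort -u` is the idiomatic form.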
@@ -593,6 +622,7 @@ case "$1" in
"list")
[[ "$#" -ne 1 ]] && usage
+ query_cves
echo "Loaded patch modules:"
for module in "$SYSFS"/*; do
if [[ -e "$module" ]]; then
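Review bot: `query_cves` runs unconditionally and walks every kernel directory under `$RPMINSTALLDIR`, forking two `rpm` queries per `.ko`, including modules for kernels other than the running one, so `kpatch list` gets slower in proportion to the number of installed kpatch-patch packages even though only the running kernel's modules can appear in `$SYSFS`; consider restricting the walk to `"$RPMINSTALLDIR/$(uname -r)"` or querying lazily per listed module.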
@@ -605,6 +635,9 @@ case "$1" in
|| state="disabled"
fi
echo "$modname [$state]"
+ if [[ -v "CVE_LIST[$MODNAME]" ]]; then
+ printf "%s\n" "${CVE_LIST[$MODNAME]}" | sed 's/^/\t/'
+ fi
fi
done
show_stalled_processes
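Review bot: the lookup `CVE_LIST[$MODNAME]` uses the wrong variable; the line just above prints `$modname`, the per-iteration name derived from the sysfs entry, whereas `$MODNAME` is the global left behind by the last `mod_name` call in `query_cves`, so every listed module is checked against the same key and shows either nothing or the last module's CVEs. It should read `[[ -v "CVE_LIST[$modname]" ]]` and `"${CVE_LIST[$modname]}"`, assuming `mod_name` produces the same form as the sysfs directory name.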
--
2.48.1


@ -1,8 +1,8 @@
%define kpatch_dnf_ver 0.5
Name: kpatch
Version: 0.9.7
Release: 3%{?dist}
Version: 0.9.10
Release: 10%{?dist}
Summary: Dynamic kernel patch manager
Group: System Environment/Kernel
@ -15,12 +15,13 @@ Source1: kpatch-dnf-v%{kpatch_dnf_ver}.tar.gz
Patch0: 0001-contrib-disable-upstart-kpatch.conf-install.patch
Patch1: 0002-kpatch-clarify-unload-unsupport.patch
Patch2: 0003-do-not-rm-selinux-rpm-owned-directory.patch
Patch3: 0004-kpatch-List-CVEs-for-loaded-livepatch-modules.patch
# Upstream backports
#Patch100: 0100-xxx.patch
# Upstream backports (inactive -- for future reference)
# %%Patch100: 0100-xxx.patch
# kpatch-dnf backports
#Patch200: 0200-xxx.patch
# kpatch-dnf backports (inactive -- for future reference)
# %%Patch200: 0200-foo-bar-etcetera.patch
Requires: bash kmod binutils
Recommends: kpatch-dnf
@ -39,7 +40,7 @@ Summary: kpatch-patch manager plugin for DNF
Version: %{version}_%{kpatch_dnf_ver}
BuildRequires: python3-devel python3-dnf
Requires: python3-dnf python3-hawkey
Provides: kpatch-dnf
Provides: kpatch-dnf = %{version}-%{release}
%description -n kpatch-dnf
kpatch-dnf is a DNF plugin that manages subscription to kpatch-patch updates.
@ -48,13 +49,19 @@ kpatch-patch packages updates.
%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch -P 0 -p1
%patch -P 1 -p1
%patch -P 2 -p1
%patch -P 3 -p1
# Use this to apply upstream patches to kpatch
# %%patch100 -p1
%setup -D -T -a 1
cd kpatch-dnf-%{kpatch_dnf_ver}
cd ..
%setup -D -T -a 1 -q
# Use this to apply patches to kpatch-dnf (inactive)
# cd kpatch-dnf-%%{kpatch_dnf_ver}
# %%patch200 -p1
# cd ..
%build
make -C man
@ -70,6 +77,9 @@ rm -f %{buildroot}/usr/share/man/man1/kpatch-build.1.gz
make install PREFIX=/usr DESTDIR=%{buildroot} PYTHONSITES=%{python3_sitelib} -C kpatch-dnf-%{kpatch_dnf_ver}
%check
# No check available
%files
%{_sbindir}/kpatch
%{_usr}/lib/systemd/system/kpatch.service
@ -87,112 +97,46 @@ echo "To enable automatic kpatch-patch subscription, run:"
echo -e "\t$ dnf kpatch auto"
%changelog
* Tue Apr 08 2025 Rado Vrbovsky <rvrbovsk@redhat.com> 0.9.7-3
- Rebase kpatch DNF plugin with upstream to 0.5 (RHEL-85574)
* Thu Sep 11 2025 Rado Vrbovsky <rvrbovsk@redhat.com> 0.9.7-10
- Rebase kpatch with upstream to v0.9.10 (RHEL-113130)
- Provide a list of CVEs currently patched using live patches (RHEL-103845)
* Fri Mar 07 2025 Rado Vrbovsky <rvrbovsk@redhat.com> 0.9.7-3
- Rebase kpatch DNF plugin with upstream to 0.5 (RHEL-77113)
* Wed Nov 16 2022 Yannick Cote <ycote@redhat.com> 0.9.7-2
- augment kpatch-dnf package versioning to satisfy build (rhbz#2121211)
- augment kpatch-dnf package versioning to satisfy build (rhbz#2121212)
* Wed Nov 09 2022 Yannick Cote <ycote@redhat.com> 0.9.7-1
- rebase kpatch user utility code to v0.9.7 (rhbz#2121211)
- rebase kpatch user utility code to v0.9.7 (rhbz#2121212)
* Fri Jun 10 2022 Yannick Cote <ycote@redhat.com> 0.9.4-3
- Do not rm selinux rpm owned directory (rhbz#2065609)
- Do not rm selinux rpm owned directory (rhbz#2053413)
* Fri Jan 14 2022 Yannick Cote <ycote@redhat.com> 0.9.4-2
- Add /usr/lib/kpatch to install and files list to appease SELinux (rhbz#2022123)
* Thu Jan 27 2022 Yannick Cote <ycote@redhat.com> 0.9.4-2
- Add /usr/lib/kpatch to install and files list to appease SELinux (rhbz#2030004)
* Thu Sep 23 2021 Artem Savkov <asavkov@redhat.com> 0.9.4-1
- Update kpatch utility to 0.9.4 and kpatch-dnf to 0.4 (rhbz#2006841)
* Wed Sep 29 2021 Artem Savkov <asavkov@redhat.com> - 0.9.4-1
- Rebase to 0.9.4
* Mon Mar 15 2021 Artem Savkov <asavkov@redhat.com> 0.9.2-5
- Cleanup /var/lib/kpatch directory on uninstall (rhbz#1930108)
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.9.3-3
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Thu Mar 11 2021 Joe Lawrence <joe.lawrence@redhat.com> 0.9.2-4
- Fix kpatch-dnf package description typos (rhbz#1934293)
* Thu Jun 10 2021 Joe Lawrence <joe.lawrence@redhat.com> - 0.9.3-2
- Rebase to latest upstream (via backport patch)
* Mon Jan 04 2021 Julien Thierry <jthierry@redhat.com> 0.9.2-3
- Remove kpatch-dnf dependency on python3 (rhbz#1912224)
* Tue May 18 2021 Joel Savitz <jsavitz@redhat.com> - 0.9.3-1
- Rebase to latest upstream
* Fri Nov 20 2020 Julien Thierry <jthierry@redhat.com> 0.9.2-2
- Fix unload issue under stress (rhbz#1883238)
- Fix dnf-kpatch man file permissions (rhbz#1899341)
- Do not replace dnf kpatch configuration file when reinstalling (rhbz#1898191)
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.9.2-5
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Thu Sep 24 2020 Julien Thierry <jthierry@redhat.com> 0.9.2-1
- Add kpatch-dnf subpackage (rhbz#1798711)
* Fri Mar 05 2021 Joe Lawrence <joe.lawrence@redhat.com> 0.9.2-4
- Fix kpatch-dnf package description typos (rhbz#1934292)
* Thu Sep 24 2020 Julien Thierry <jthierry@redhat.com> 0.9.2-1
- update to 0.9.2 (rhbz#1877857)
* Mon Jan 04 2021 Julien Thierry <jthierry@redhat.com> 0.9.2-2
- Remove kpatch-dnf dependency on python3 (rhbz#1912457)
* Tue Oct 22 2019 Yannick Cote <ycote@redhat.com> 0.6.1-6
- fix patch loading issue caused by recent kernel rebase (rhbz#1754679)
* Wed Aug 28 2019 Joe Lawrence <joe.lawrence@redhat.com> 0.6.1-5
- kpatch: clarify that "kpatch unload" isn't supported (rhbz#1746461)
* Sun Jun 23 2019 Joe Lawrence <joe.lawrence@redhat.com> 0.6.1-4
- kpatch script: don't fail if module already loaded+enabled (rhbz#1719305)
* Wed Jun 12 2019 Joe Lawrence <joe.lawrence@redhat.com> 0.6.1-3
- kpatch: patches shouldn't be unloaded on system shutdown (rhbz#1719305)
* Wed Jun 5 2019 Josh Poimboeuf <jpoimboe@redhat.com> 0.6.1-2
- CI gating test (rhbz#1717417)
* Tue Aug 14 2018 Joe Lawrence <joe.lawrence@redhat.com> 0.6.1-1
- update to 0.6.1 (rhbz#1615880)
* Mon Aug 13 2018 Troy Dawson <tdawson@redhat.com> - 0.4.0-4
- Release Bumped for el8 Mass Rebuild
* Thu Nov 16 2017 Joe Lawrence <joe.lawrence@redhat.com> 0.4.0-3
- kpatch: better livepatch module support (rhbz#1504066)
* Wed Oct 18 2017 Josh Poimboeuf <jpoimboe@redhat.com> 0.4.0-2
- fix backwards compatibility with RHEL 7.3 patches (rhbz#1497735)
* Mon Mar 13 2017 Josh Poimboeuf <jpoimboe@redhat.com> 0.4.0-1
- update to 0.4.0 (rhbz#1427642)
* Wed Jun 15 2016 Josh Poimboeuf <jpoimboe@redhat.com> 0.3.2-1
- update to 0.3.2 (rhbz#1282508)
* Wed Nov 18 2015 Josh Poimboeuf <jpoimboe@redhat.com> 0.3.1-1
- update to 0.3.1 (rhbz#1282508)
* Tue Sep 16 2014 Seth Jennings <sjenning@redhat.com> 0.1.10-4
- fix dracut dependencies (rhbz#1170369)
* Tue Sep 16 2014 Seth Jennings <sjenning@redhat.com> 0.1.10-3
- support re-enabling forced modules (rhbz#1140268)
* Thu Sep 11 2014 Seth Jennings <sjenning@redhat.com> 0.1.10-2
- support modprobe format names (rhbz#1133045)
* Thu Jul 31 2014 Josh Poimboeuf <jpoimboe@redhat.com> 0.1.10-1
- update to kpatch 0.1.10
* Wed Jul 23 2014 Josh Poimboeuf <jpoimboe@redhat.com> 0.1.9-1
- update to kpatch 0.1.9
* Tue Jul 15 2014 Josh Poimboeuf <jpoimboe@redhat.com> 0.1.8-1
- update to kpatch 0.1.8
* Wed May 21 2014 Josh Poimboeuf <jpoimboe@redhat.com> 0.1.2-1
- update to kpatch 0.1.2
* Mon May 19 2014 Josh Poimboeuf <jpoimboe@redhat.com> 0.1.1-2
- fix initramfs core module path
* Mon May 19 2014 Josh Poimboeuf <jpoimboe@redhat.com> 0.1.1-1
- rebase to kpatch 0.1.1
* Fri May 9 2014 Josh Poimboeuf <jpoimboe@redhat.com> 0.1.0-2
- modprobe core module
* Tue May 6 2014 Josh Poimboeuf <jpoimboe@redhat.com> 0.1.0-1
- Initial kpatch release 0.1.0
* Thu Jan 30 2014 Josh Poimboeuf <jpoimboe@redhat.com> 0.0-1
- Initial build
* Wed Dec 2 2020 Joe Lawrence <joe.lawrence@redhat.com> 0.9.2-1
- initial kpatch utility build for rhel-9.0.0 (rhbz#1901593)
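Review bot: the new top entry is headed `0.9.7-10` while the same compare sets `Version: 0.9.10` and `Release: 10%{?dist}`, so the changelog should read `0.9.10-10`; as written, the rebase to v0.9.10 it describes is attributed to the old version. The `Wed Dec 2 2020 ... 0.9.2-1` entry at the very end also sits after a Jan 2014 entry, breaking descending chronological order, which rpmbuild warns about; move it to its chronological position between the other 2020 entries.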