Set kernel livepatches' scontext before apply not at rpm-post

Signed-off-by: snoweay <snoweay@163.com> (cherry picked from commit 98d4e75fb300b64423cd330a518e5eef82c45ab7)
2022-12-15 11:04:03 +00:00 · 2022-12-15 11:04:03 +00:00 · ad4a83b9a5
commit ad4a83b9a5
parent abdf486b0d
2 changed files with 109 additions and 9 deletions
--- a/syscare.spec
+++ b/syscare.spec
@ -2,19 +2,19 @@
 Name:           syscare
 Version:        1.0.0
-Release:        2
+Release:        3
 Summary:        system hot-fix service
 License:        MulanPSL-2.0 GPL-2.0-only
 URL:            https://gitee.com/openeuler/syscare
 Source0:        %{name}-%{version}.tar.gz
-Patch1:         v1.0.0-2.patch
+Patch1:         v1.0.0-3.patch
 BuildRequires:  rust cargo gcc gcc-g++ cmake make
 BuildRequires:  elfutils-libelf-devel
 BuildRequires:  kernel-devel
-Requires:       kpatch-runtime
+Requires:       kpatch-runtime coreutils
 %description
 SysCare is a system-level hot-fix software that provides single-machine-level and cluster-level security patches and system error hot-fixes for the operating system.
@ -107,6 +107,8 @@ depmod -a > /dev/null 2>&1 || true
 %endif
 %changelog
 * Thu Dec 15 2022 snoweay<snoweay@163.com> - 1.0.0-3
 - Change kernel patches' scontext before apply not at rpm-post.
 * Wed Dec 14 2022 snoweay<snoweay@163.com> - 1.0.0-2
 - Fix some issues:
 - manager: Allow apply to actived kernel patch
--- a/v1.0.0-3.patch
+++ b/v1.0.0-3.patch
@ -1,7 +1,7 @@
 From 81008c77dba79eb311ad537051086f10ba1ccd22 Mon Sep 17 00:00:00 2001
 From: Longjun Luo <luolongjuna@gmail.com>
 Date: Tue, 13 Dec 2022 16:08:45 +0800
-Subject: [PATCH 1/6] kmod: make it normal when using hack-gcc without env
+Subject: [PATCH 1/8] kmod: make it normal when using hack-gcc without env
 Signed-off-by: Longjun Luo <luolongjuna@gmail.com>
 ---
@ -30,7 +30,7 @@ index 87cdc3e..9f45cb7 100755
 From 024e9cd683055ca1702710a60d9c8abebfdbcbb3 Mon Sep 17 00:00:00 2001
 From: snoweay <snoweay@163.com>
 Date: Wed, 14 Dec 2022 01:37:26 +0000
-Subject: [PATCH 2/6] manager: Allow apply to actived kernel patch
+Subject: [PATCH 2/8] manager: Allow apply to actived kernel patch
 Signed-off-by: snoweay <snoweay@163.com>
 ---
@ -57,7 +57,7 @@ index 6e6c86a..8ee3bd0 100755
 From 5874b79701fe7854575f710277f241a63a50afeb Mon Sep 17 00:00:00 2001
 From: renoseven <dev@renoseven.net>
 Date: Wed, 14 Dec 2022 03:34:01 +0800
-Subject: [PATCH 3/6] build: only 'NOT-APPLIED' patch package can be removed
+Subject: [PATCH 3/8] build: only 'NOT-APPLIED' patch package can be removed
 Signed-off-by: renoseven <dev@renoseven.net>
 ---
@ -86,7 +86,7 @@ index 9781eb1..917e12e 100644
 From 1506b703935004b04fbf73f8875f33b5a8b8fe87 Mon Sep 17 00:00:00 2001
 From: renoseven <dev@renoseven.net>
 Date: Wed, 14 Dec 2022 23:50:03 +0800
-Subject: [PATCH 4/6] build: fix 'kernel patch cannot be insmod during system
+Subject: [PATCH 4/8] build: fix 'kernel patch cannot be insmod during system
 start' issue
 1. change ko file(s) security context type to 'modules_object_t' after
@ -119,7 +119,7 @@ index 917e12e..f76e109 100644
 From dc73e5833888096518321e6ba15503d9806199fb Mon Sep 17 00:00:00 2001
 From: Longjun Luo <luolongjuna@gmail.com>
 Date: Wed, 14 Dec 2022 12:43:46 +0800
-Subject: [PATCH 5/6] kmod: adjust order of the misc device (un)register
+Subject: [PATCH 5/8] kmod: adjust order of the misc device (un)register
 After all init finished, then provides the device
 for users.
@ -186,7 +186,7 @@ index c96836b..d1328aa 100644
 From d54264a83c2cc997ebaba0be8c32fc90682a9c04 Mon Sep 17 00:00:00 2001
 From: lzwycc <lzw32321226@163.com>
 Date: Wed, 14 Dec 2022 19:44:23 +0800
-Subject: [PATCH 6/6] kmod: unregister when rmmod upatch
+Subject: [PATCH 6/8] kmod: unregister when rmmod upatch
 unregister compiler and assembler when rmmod upatch
@ -323,3 +323,101 @@ index 9f45cb7..899b83f 100755
 -- 
 2.33.0
 From 8b8a62377a425c273c2a584ff9f299f88b70f0e5 Mon Sep 17 00:00:00 2001
 From: snoweay <snoweay@163.com>
 Date: Thu, 15 Dec 2022 18:34:53 +0800
 Subject: [PATCH 7/8] Revert "build: fix 'kernel patch cannot be insmod during
 system start' issue"
 This reverts commit 1506b703935004b04fbf73f8875f33b5a8b8fe87.
 ---
 build/src/package/rpm_spec_generator.rs | 4 ----
 1 file changed, 4 deletions(-)
 diff --git a/build/src/package/rpm_spec_generator.rs b/build/src/package/rpm_spec_generator.rs
 index f76e109..917e12e 100644
 --- a/build/src/package/rpm_spec_generator.rs
 +++ b/build/src/package/rpm_spec_generator.rs
@@ -114,10 +114,6 @@ impl RpmSpecGenerator {
         writeln!(writer, "%{{patch_root}}")?;
         writeln!(writer)?;
 -        writeln!(writer, "%post")?;
 -        writeln!(writer, "readonly KO_LIST=\"$(find %{{patch_root}} -name *.ko)\"")?;
 -        writeln!(writer, "chcon -t modules_object_t \"${{KO_LIST}}\"")?;
 -
         writeln!(writer, "%preun")?;
         writeln!(writer, "if [ \"$(syscare status %{{patch_name}})\" != \"NOT-APPLIED\" ]; then")?;
         writeln!(writer, "    echo \"error: cannot remove applied patch \'%{{patch_name}}\'\" >&2")?;
 -- 
 2.33.0
 From 5171debddcbd632cb25c30d2325f0a655945c0f2 Mon Sep 17 00:00:00 2001
 From: snoweay <snoweay@163.com>
 Date: Thu, 15 Dec 2022 18:37:42 +0800
 Subject: [PATCH 8/8] manager: Set kpatch's scontext to modules_object_t
 Signed-off-by: snoweay <snoweay@163.com>
 ---
 manager/cli/main.sh | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
 diff --git a/manager/cli/main.sh b/manager/cli/main.sh
 index 8ee3bd0..c056f62 100755
 --- a/manager/cli/main.sh
 +++ b/manager/cli/main.sh
@@ -130,7 +130,7 @@ function get_patch_type() {
 }
 function get_patch_elf_path() {
 -	[ "${PATCH_TYPE}" == "kernel" ] && return
 +	[ "${PATCH_TYPE}" == "kernel" ] && return 0
 	local patch_name="$1"
 	local patch_root=$(get_patch_root_by_patch_name "${patch_name}")
@@ -164,12 +164,21 @@ function do_build() {
 	"${SYSCARE_PATCH_BUILD}" "$@"
 }
 +function set_kpatch_scontext() {
 +	local getenforce_bin=$(which getenforce 2> /dev/null)
 +	[ -n "${getenforce_bin}" ] || return 0
 +
 +	"${getenforce_bin}" | grep -q "Enforcing" 2> /dev/null || return 0
 +	 chcon -t modules_object_t "${PATCH_ROOT}/${PATCH_NAME}.ko"
 +}
 +
 function apply_patch() {
 	if  [ "${PATCH_TYPE}" == "kernel" ] ; then
 		check_kversion || return 1
 -		[ "${PATCH_STATUS}" == "ACTIVED" ] && return
 +		[ "${PATCH_STATUS}" == "ACTIVED" ] && return 0
 		if [ "${PATCH_STATUS}" == "NOT-APPLIED" ]; then
 +			set_kpatch_scontext
 			insmod "${PATCH_ROOT}/${PATCH_NAME}.ko" || return 1
 		fi
 		PATCH_STATUS="DEACTIVED"
@@ -191,7 +200,7 @@ function apply_patch() {
 function remove_patch() {
 	if [ "${PATCH_TYPE}" == "kernel" ] ; then
 -		[ "${PATCH_STATUS}" == "NOT-APPLIED" ] && return
 +		[ "${PATCH_STATUS}" == "NOT-APPLIED" ] && return 0
 		[ "${PATCH_STATUS}" == "ACTIVED" ] && deactive_patch
 		rmmod "${PATCH_NAME}" || return 1
 	else
@@ -306,7 +315,7 @@ function initialize_patch_info() {
 	if [ "${PATCH_TYPE}" == "kernel" ]; then
 		if [ ! -f "${KPATCH_STATE_FILE}" ]; then
 			PATCH_STATUS="NOT-APPLIED"
 -			return
 +			return 0
 		fi
 		if [ $(cat "${KPATCH_STATE_FILE}") -eq 1 ]; then
 -- 
 2.33.0