Set kernel livepatches' scontext before apply not at rpm-post
Signed-off-by: snoweay <snoweay@163.com>
This commit is contained in:
parent
6206af8de0
commit
c0f038fbc4
@ -2,19 +2,19 @@
|
||||
|
||||
Name: syscare
|
||||
Version: 1.0.0
|
||||
Release: 2
|
||||
Release: 3
|
||||
Summary: system hot-fix service
|
||||
|
||||
License: MulanPSL-2.0 GPL-2.0-only
|
||||
URL: https://gitee.com/openeuler/syscare
|
||||
Source0: %{name}-%{version}.tar.gz
|
||||
Patch1: v1.0.0-2.patch
|
||||
Patch1: v1.0.0-3.patch
|
||||
|
||||
BuildRequires: rust cargo gcc gcc-g++ cmake make
|
||||
BuildRequires: elfutils-libelf-devel
|
||||
BuildRequires: kernel-devel
|
||||
|
||||
Requires: kpatch-runtime
|
||||
Requires: kpatch-runtime coreutils
|
||||
|
||||
%description
|
||||
SysCare is a system-level hot-fix software that provides single-machine-level and cluster-level security patches and system error hot-fixes for the operating system.
|
||||
@ -107,6 +107,8 @@ depmod -a > /dev/null 2>&1 || true
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Dec 15 2022 snoweay<snoweay@163.com> - 1.0.0-3
|
||||
- Change kernel patches' scontext before apply not at rpm-post.
|
||||
* Wed Dec 14 2022 snoweay<snoweay@163.com> - 1.0.0-2
|
||||
- Fix some issues:
|
||||
- manager: Allow apply to actived kernel patch
|
||||
|
||||
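Review bot: The new `Requires: kpatch-runtime coreutils` line covers `chcon`, but the `set_kpatch_scontext` function that the bundled v1.0.0-3.patch adds to `manager/cli/main.sh` also calls `which` and `grep`, which on RPM-based distributions are normally shipped by the separate `which` and `grep` packages rather than coreutils. If neither is guaranteed by another dependency, a missing `which` makes that function return 0 silently (the `|| return 0` after the `which getenforce` lookup) and the module is loaded with an unchanged label. Consider `Requires: kpatch-runtime coreutils grep which`, or using the shell builtin `command -v` in the script so that only grep needs listing.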
@ -1,7 +1,7 @@
|
||||
From 81008c77dba79eb311ad537051086f10ba1ccd22 Mon Sep 17 00:00:00 2001
|
||||
From: Longjun Luo <luolongjuna@gmail.com>
|
||||
Date: Tue, 13 Dec 2022 16:08:45 +0800
|
||||
Subject: [PATCH 1/6] kmod: make it normal when using hack-gcc without env
|
||||
Subject: [PATCH 1/8] kmod: make it normal when using hack-gcc without env
|
||||
|
||||
Signed-off-by: Longjun Luo <luolongjuna@gmail.com>
|
||||
---
|
||||
@ -30,7 +30,7 @@ index 87cdc3e..9f45cb7 100755
|
||||
From 024e9cd683055ca1702710a60d9c8abebfdbcbb3 Mon Sep 17 00:00:00 2001
|
||||
From: snoweay <snoweay@163.com>
|
||||
Date: Wed, 14 Dec 2022 01:37:26 +0000
|
||||
Subject: [PATCH 2/6] manager: Allow apply to actived kernel patch
|
||||
Subject: [PATCH 2/8] manager: Allow apply to actived kernel patch
|
||||
|
||||
Signed-off-by: snoweay <snoweay@163.com>
|
||||
---
|
||||
@ -57,7 +57,7 @@ index 6e6c86a..8ee3bd0 100755
|
||||
From 5874b79701fe7854575f710277f241a63a50afeb Mon Sep 17 00:00:00 2001
|
||||
From: renoseven <dev@renoseven.net>
|
||||
Date: Wed, 14 Dec 2022 03:34:01 +0800
|
||||
Subject: [PATCH 3/6] build: only 'NOT-APPLIED' patch package can be removed
|
||||
Subject: [PATCH 3/8] build: only 'NOT-APPLIED' patch package can be removed
|
||||
|
||||
Signed-off-by: renoseven <dev@renoseven.net>
|
||||
---
|
||||
@ -86,7 +86,7 @@ index 9781eb1..917e12e 100644
|
||||
From 1506b703935004b04fbf73f8875f33b5a8b8fe87 Mon Sep 17 00:00:00 2001
|
||||
From: renoseven <dev@renoseven.net>
|
||||
Date: Wed, 14 Dec 2022 23:50:03 +0800
|
||||
Subject: [PATCH 4/6] build: fix 'kernel patch cannot be insmod during system
|
||||
Subject: [PATCH 4/8] build: fix 'kernel patch cannot be insmod during system
|
||||
start' issue
|
||||
|
||||
1. change ko file(s) security context type to 'modules_object_t' after
|
||||
@ -119,7 +119,7 @@ index 917e12e..f76e109 100644
|
||||
From dc73e5833888096518321e6ba15503d9806199fb Mon Sep 17 00:00:00 2001
|
||||
From: Longjun Luo <luolongjuna@gmail.com>
|
||||
Date: Wed, 14 Dec 2022 12:43:46 +0800
|
||||
Subject: [PATCH 5/6] kmod: adjust order of the misc device (un)register
|
||||
Subject: [PATCH 5/8] kmod: adjust order of the misc device (un)register
|
||||
|
||||
After all init finished, then provides the device
|
||||
for users.
|
||||
@ -186,7 +186,7 @@ index c96836b..d1328aa 100644
|
||||
From d54264a83c2cc997ebaba0be8c32fc90682a9c04 Mon Sep 17 00:00:00 2001
|
||||
From: lzwycc <lzw32321226@163.com>
|
||||
Date: Wed, 14 Dec 2022 19:44:23 +0800
|
||||
Subject: [PATCH 6/6] kmod: unregister when rmmod upatch
|
||||
Subject: [PATCH 6/8] kmod: unregister when rmmod upatch
|
||||
|
||||
unregister compiler and assembler when rmmod upatch
|
||||
|
||||
@ -323,3 +323,101 @@ index 9f45cb7..899b83f 100755
|
||||
--
|
||||
2.33.0
|
||||
|
||||
|
||||
From 8b8a62377a425c273c2a584ff9f299f88b70f0e5 Mon Sep 17 00:00:00 2001
|
||||
From: snoweay <snoweay@163.com>
|
||||
Date: Thu, 15 Dec 2022 18:34:53 +0800
|
||||
Subject: [PATCH 7/8] Revert "build: fix 'kernel patch cannot be insmod during
|
||||
system start' issue"
|
||||
|
||||
This reverts commit 1506b703935004b04fbf73f8875f33b5a8b8fe87.
|
||||
---
|
||||
build/src/package/rpm_spec_generator.rs | 4 ----
|
||||
1 file changed, 4 deletions(-)
|
||||
|
||||
diff --git a/build/src/package/rpm_spec_generator.rs b/build/src/package/rpm_spec_generator.rs
|
||||
index f76e109..917e12e 100644
|
||||
--- a/build/src/package/rpm_spec_generator.rs
|
||||
+++ b/build/src/package/rpm_spec_generator.rs
|
||||
@@ -114,10 +114,6 @@ impl RpmSpecGenerator {
|
||||
writeln!(writer, "%{{patch_root}}")?;
|
||||
writeln!(writer)?;
|
||||
|
||||
- writeln!(writer, "%post")?;
|
||||
- writeln!(writer, "readonly KO_LIST=\"$(find %{{patch_root}} -name *.ko)\"")?;
|
||||
- writeln!(writer, "chcon -t modules_object_t \"${{KO_LIST}}\"")?;
|
||||
-
|
||||
writeln!(writer, "%preun")?;
|
||||
writeln!(writer, "if [ \"$(syscare status %{{patch_name}})\" != \"NOT-APPLIED\" ]; then")?;
|
||||
writeln!(writer, " echo \"error: cannot remove applied patch \'%{{patch_name}}\'\" >&2")?;
|
||||
--
|
||||
2.33.0
|
||||
|
||||
|
||||
From 5171debddcbd632cb25c30d2325f0a655945c0f2 Mon Sep 17 00:00:00 2001
|
||||
From: snoweay <snoweay@163.com>
|
||||
Date: Thu, 15 Dec 2022 18:37:42 +0800
|
||||
Subject: [PATCH 8/8] manager: Set kpatch's scontext to modules_object_t
|
||||
|
||||
Signed-off-by: snoweay <snoweay@163.com>
|
||||
---
|
||||
manager/cli/main.sh | 17 +++++++++++++----
|
||||
1 file changed, 13 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/manager/cli/main.sh b/manager/cli/main.sh
|
||||
index 8ee3bd0..c056f62 100755
|
||||
--- a/manager/cli/main.sh
|
||||
+++ b/manager/cli/main.sh
|
||||
@@ -130,7 +130,7 @@ function get_patch_type() {
|
||||
}
|
||||
|
||||
function get_patch_elf_path() {
|
||||
- [ "${PATCH_TYPE}" == "kernel" ] && return
|
||||
+ [ "${PATCH_TYPE}" == "kernel" ] && return 0
|
||||
|
||||
local patch_name="$1"
|
||||
local patch_root=$(get_patch_root_by_patch_name "${patch_name}")
|
||||
@@ -164,12 +164,21 @@ function do_build() {
|
||||
"${SYSCARE_PATCH_BUILD}" "$@"
|
||||
}
|
||||
|
||||
+function set_kpatch_scontext() {
|
||||
+ local getenforce_bin=$(which getenforce 2> /dev/null)
|
||||
+ [ -n "${getenforce_bin}" ] || return 0
|
||||
+
|
||||
+ "${getenforce_bin}" | grep -q "Enforcing" 2> /dev/null || return 0
|
||||
+ chcon -t modules_object_t "${PATCH_ROOT}/${PATCH_NAME}.ko"
|
||||
+}
|
||||
+
|
||||
function apply_patch() {
|
||||
if [ "${PATCH_TYPE}" == "kernel" ] ; then
|
||||
check_kversion || return 1
|
||||
- [ "${PATCH_STATUS}" == "ACTIVED" ] && return
|
||||
+ [ "${PATCH_STATUS}" == "ACTIVED" ] && return 0
|
||||
|
||||
if [ "${PATCH_STATUS}" == "NOT-APPLIED" ]; then
|
||||
+ set_kpatch_scontext
|
||||
insmod "${PATCH_ROOT}/${PATCH_NAME}.ko" || return 1
|
||||
fi
|
||||
PATCH_STATUS="DEACTIVED"
|
||||
@@ -191,7 +200,7 @@ function apply_patch() {
|
||||
|
||||
function remove_patch() {
|
||||
if [ "${PATCH_TYPE}" == "kernel" ] ; then
|
||||
- [ "${PATCH_STATUS}" == "NOT-APPLIED" ] && return
|
||||
+ [ "${PATCH_STATUS}" == "NOT-APPLIED" ] && return 0
|
||||
[ "${PATCH_STATUS}" == "ACTIVED" ] && deactive_patch
|
||||
rmmod "${PATCH_NAME}" || return 1
|
||||
else
|
||||
@@ -306,7 +315,7 @@ function initialize_patch_info() {
|
||||
if [ "${PATCH_TYPE}" == "kernel" ]; then
|
||||
if [ ! -f "${KPATCH_STATE_FILE}" ]; then
|
||||
PATCH_STATUS="NOT-APPLIED"
|
||||
- return
|
||||
+ return 0
|
||||
fi
|
||||
|
||||
if [ $(cat "${KPATCH_STATE_FILE}") -eq 1 ]; then
|
||||
--
|
||||
2.33.0
|
||||
|
||||
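Review bot: In the added `set_kpatch_scontext` (last hunk, patch 8/8 for manager/cli/main.sh) the exit status of `chcon -t modules_object_t "${PATCH_ROOT}/${PATCH_NAME}.ko"` is discarded, and `apply_patch` calls `set_kpatch_scontext` without checking it, so a failed relabel (missing file, filesystem without xattr support) only surfaces later as a less specific `insmod` failure under SELinux; suggest `chcon -t modules_object_t "${PATCH_ROOT}/${PATCH_NAME}.ko" || return 1` in the function and `set_kpatch_scontext || return 1` before the `insmod`. The gate `grep -q "Enforcing"` also skips relabeling in Permissive mode, where `chcon` would work and the mislabeled load is likely still logged as an AVC denial, so returning early only on `grep -q "Disabled"` (relabel whenever SELinux is enabled) seems the safer condition; note that the `2> /dev/null` on that line applies to grep, not to getenforce. Patch 7/8 reverts the `%post` hook that relabeled every `*.ko` under the patch root via `find`, while the new function relabels only `${PATCH_NAME}.ko`; if a kernel patch package can carry more than one module that is a behaviour change worth confirming. `apply_patch` continues past the end of the hunk.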