Fixed livepatch PR check. (#4886)
* Adding livepatch for kernel 5.15.92.1-2.cm2.
This commit is contained in:
Родитель
3e36f4d528
Коммит
ba6d1b5b91
|
@ -25,7 +25,9 @@ jobs:
|
|||
python-version: 3.9
|
||||
|
||||
- name: Get Python dependencies
|
||||
run: sudo python3 -m pip install python-rpm-spec
|
||||
run: |
|
||||
sudo apt-get install -y python3-rpm
|
||||
sudo python3 -m pip install rpm pyrpm python-rpm-spec validators
|
||||
|
||||
- name: Check livepatch specs are valid
|
||||
run: |
|
||||
|
|
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
@ -2119,6 +2119,7 @@
|
|||
"livepatch-5.15.87.1-1.cm2",
|
||||
"livepatch-5.15.90.1-1.cm2",
|
||||
"livepatch-5.15.92.1-1.cm2",
|
||||
"livepatch-5.15.92.1-2.cm2",
|
||||
"livepatching",
|
||||
"lld",
|
||||
"local-path-provisioner",
|
||||
|
|
Разница между файлами не показана из-за своего большого размера
Загрузить разницу
|
@ -0,0 +1,7 @@
|
|||
{
|
||||
"Signatures": {
|
||||
"config-5.15.92.1-2.cm2": "02f78f4b512622c8ac5cb2698391a094d43cc07ef3377c1f5951ae500e26ced5",
|
||||
"kernel-5.15.92.1.tar.gz": "97a283ba4250880a88c7437eac88e8d86ed426430746c4e7dc6ecd9de9be04ea",
|
||||
"mariner-5.15.92.1-2.cm2.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0"
|
||||
}
|
||||
}
|
|
@ -0,0 +1,189 @@
|
|||
%define kernel_version_release 5.15.92.1-2.cm2
|
||||
%define kernel_version %(echo %{kernel_version_release} | grep -oP "^[^-]+")
|
||||
%define kernel_release %(echo %{kernel_version_release} | grep -oP "(?<=-).+")
|
||||
|
||||
%define builds_module %([[ -n "$(echo "%{patches}" | grep -oP "CVE-\\d+-\\d+(?=\\.patch)")" ]] && echo 1 || echo 0)
|
||||
|
||||
# Kpatch module names allow only alphanumeric characters and '_'.
|
||||
%define livepatch_name %(value="%{name}-%{version}-%{release}"; echo "${value//[^a-zA-Z0-9_]/_}")
|
||||
%define livepatch_install_dir %{_libdir}/livepatching/%{kernel_version_release}
|
||||
%define livepatch_module_name %{livepatch_name}.ko
|
||||
%define livepatch_module_path %{livepatch_install_dir}/%{livepatch_module_name}
|
||||
|
||||
%define patch_applicable_for_kernel [[ -f "%{livepatch_module_path}" && "$(uname -r)" == "%{kernel_version_release}" ]]
|
||||
%define patch_installed kpatch list | grep -qP "%{livepatch_name}.*%{kernel_version_release}"
|
||||
%define patch_loaded kpatch list | grep -qP "%{livepatch_name}.*enabled"
|
||||
|
||||
# Install patch if the RUNNING kernel matches.
|
||||
# No-op for initial (empty) livepatch.
|
||||
%define install_if_should \
|
||||
if %{patch_applicable_for_kernel} && ! %{patch_installed} \
|
||||
then \
|
||||
kpatch install %{livepatch_module_path} \
|
||||
fi
|
||||
|
||||
# Load patch, if the RUNNING kernel matches.
|
||||
# No-op for initial (empty) livepatch.
|
||||
%define load_if_should \
|
||||
if %{patch_applicable_for_kernel} && ! %{patch_loaded} \
|
||||
then \
|
||||
kpatch load %{livepatch_module_path} \
|
||||
fi
|
||||
|
||||
%define uninstall_if_should \
|
||||
if %{patch_installed} \
|
||||
then \
|
||||
kpatch uninstall %{livepatch_name} \
|
||||
fi
|
||||
|
||||
%define unload_if_should \
|
||||
if %{patch_loaded} \
|
||||
then \
|
||||
kpatch unload %{livepatch_name} \
|
||||
fi
|
||||
|
||||
%define patches_description \
|
||||
%(
|
||||
echo "Patches list ('*' - fixed, '!' - unfixable through livepatching, kernel update required):"
|
||||
for patch in %{patches}
|
||||
do
|
||||
patch_file=$(basename "$patch")
|
||||
|
||||
cve_number="${patch_file%.*}"
|
||||
patch_suffix="${patch_file#*.}"
|
||||
|
||||
if [ "$patch_suffix" = "patch" ]
|
||||
then
|
||||
echo "*$cve_number"
|
||||
else
|
||||
echo "\!$cve_number: $(cat "$patch")"
|
||||
fi
|
||||
done
|
||||
)
|
||||
|
||||
Summary: Set of livepatches for kernel %{kernel_version_release}
|
||||
Name: livepatch-%{kernel_version_release}
|
||||
Version: 1.0.0
|
||||
Release: 1%{?dist}
|
||||
License: MIT
|
||||
Vendor: Microsoft Corporation
|
||||
Distribution: Mariner
|
||||
Group: System Environment/Base
|
||||
URL: https://github.com/microsoft/CBL-Mariner
|
||||
Source0: https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/%{kernel_version}.tar.gz#/kernel-%{kernel_version}.tar.gz
|
||||
Source1: config-%{kernel_version_release}
|
||||
Source2: mariner-%{kernel_version_release}.pem
|
||||
|
||||
ExclusiveArch: x86_64
|
||||
|
||||
Provides: livepatch = %{kernel_version_release}
|
||||
|
||||
# Must be kept below the "Patch" tags to correctly evaluate %%builds_module.
|
||||
%if %{builds_module}
|
||||
BuildRequires: audit-devel
|
||||
BuildRequires: bash
|
||||
BuildRequires: bc
|
||||
BuildRequires: binutils
|
||||
BuildRequires: bison
|
||||
BuildRequires: diffutils
|
||||
BuildRequires: dwarves
|
||||
BuildRequires: elfutils-libelf-devel
|
||||
BuildRequires: flex
|
||||
BuildRequires: gcc
|
||||
BuildRequires: glib-devel
|
||||
BuildRequires: glibc-devel
|
||||
BuildRequires: kbd
|
||||
BuildRequires: kernel-debuginfo = %{kernel_version_release}
|
||||
BuildRequires: kernel-headers = %{kernel_version_release}
|
||||
BuildRequires: kmod-devel
|
||||
BuildRequires: kpatch-build
|
||||
BuildRequires: libdnet-devel
|
||||
BuildRequires: libmspack-devel
|
||||
BuildRequires: make
|
||||
BuildRequires: openssl
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: pam-devel
|
||||
BuildRequires: procps-ng-devel
|
||||
BuildRequires: python3-devel
|
||||
BuildRequires: rpm-build
|
||||
|
||||
Requires: coreutils
|
||||
Requires: livepatching-filesystem
|
||||
|
||||
Requires(post): coreutils
|
||||
Requires(post): kpatch
|
||||
|
||||
Requires(preun): kpatch
|
||||
|
||||
%description
|
||||
A set of kernel livepatches addressing CVEs present in Mariner's
|
||||
%{kernel_version_release} kernel.
|
||||
%{patches_description}
|
||||
|
||||
%prep
|
||||
%setup -q -n CBL-Mariner-Linux-Kernel-rolling-lts-mariner-2-%{kernel_version}
|
||||
|
||||
cp %{SOURCE1} .config
|
||||
cp %{SOURCE2} certs/mariner.pem
|
||||
|
||||
sed -i 's#CONFIG_SYSTEM_TRUSTED_KEYS=""#CONFIG_SYSTEM_TRUSTED_KEYS="certs/mariner.pem"#' .config
|
||||
sed -i 's/CONFIG_LOCALVERSION=""/CONFIG_LOCALVERSION="-%{kernel_release}"/' .config
|
||||
|
||||
%build
|
||||
# Building cumulative patch.
|
||||
all_patches_file=all.patch
|
||||
for patch in %{patches}
|
||||
do
|
||||
[[ "$patch" == *.patch ]] && cat "$patch" >> $all_patches_file
|
||||
done
|
||||
|
||||
kpatch-build -ddd \
|
||||
--sourcedir . \
|
||||
--vmlinux %{_libdir}/debug/lib/modules/%{kernel_version_release}/vmlinux \
|
||||
--name %{livepatch_name} \
|
||||
$all_patches_file
|
||||
|
||||
%install
|
||||
install -dm 755 %{buildroot}%{livepatch_install_dir}
|
||||
install -m 744 %{livepatch_module_name} %{buildroot}%{livepatch_module_path}
|
||||
|
||||
%post
|
||||
%load_if_should
|
||||
%install_if_should
|
||||
|
||||
%preun
|
||||
%uninstall_if_should
|
||||
%unload_if_should
|
||||
|
||||
# Re-enable patch on rollbacks to supported kernel.
|
||||
%triggerin -- kernel = %{kernel_version_release}
|
||||
%load_if_should
|
||||
%install_if_should
|
||||
|
||||
# Prevent the patch from being loaded after a reboot to a different kernel.
|
||||
# Previous kernel is still running, do NOT unload the livepatch.
|
||||
%triggerin -- kernel > %{kernel_version_release}, kernel < %{kernel_version_release}
|
||||
%uninstall_if_should
|
||||
|
||||
%files
|
||||
%defattr(-,root,root)
|
||||
%dir %{livepatch_install_dir}
|
||||
%{livepatch_module_path}
|
||||
|
||||
# else builds_module
|
||||
%else
|
||||
%global debug_package %{nil}
|
||||
|
||||
%description
|
||||
Empty package enabling subscription to future kernel livepatches
|
||||
addressing CVEs present in Mariner's %{kernel_version_release} kernel.
|
||||
|
||||
%files
|
||||
|
||||
# endif builds_module
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Feb 17 2023 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.0.0-1
|
||||
- Original version for CBL-Mariner.
|
||||
- License verified.
|
|
@ -0,0 +1,29 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIFBjCCA+6gAwIBAgITMwAABO5/lN6NQyelHwABAAAE7jANBgkqhkiG9w0BAQsF
|
||||
ADB5MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH
|
||||
UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSMwIQYDVQQD
|
||||
ExpNaWNyb3NvZnQgVGVzdGluZyBQQ0EgMjAxMDAeFw0yMTEwMTQxNzI4MDVaFw0y
|
||||
MjEwMTMxNzI4MDVaMIGGMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3Rv
|
||||
bjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0
|
||||
aW9uMTAwLgYDVQQDEydNYXJpbmVyIFNlY3VyZSBCb290KFByb2R1Y3Rpb24gU2ln
|
||||
bmluZykwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDF45hTHPQAA7yc
|
||||
6g3iVuqcQKF51ylCynjUySYqqQha2sQzE7tbJ2egVkW4cfY1UbJsm65i2/VGI1OL
|
||||
Zia4sRwXRN7toRK5aElYfpsghMgGEaCSPs6915BVqO4WX0jxXswqRZ2CPH+evNCC
|
||||
hQnOqtjvFCqp7aeQ44b/DpZmaMicL/DwbI4925HWGSYa+/Mp1Fs3yGhP5X75+c9v
|
||||
w4gJ5KoxcOFRmQEt0c7lOclOi5Np5jys7lrrdmPPbjoALERBatiXj8w72LUZu4+I
|
||||
970/6jqNEkHeGxqVSPRRNIEZubjvRIfg8uULr8k/Kj8TbznCWoGuaT/9yoVbHhqU
|
||||
KQMJxxFrAgMBAAGjggF3MIIBczATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4E
|
||||
FgQUtC1rnigJt7kJfP+emwGUuG6Av5UwRQYDVR0RBD4wPKQ6MDgxHjAcBgNVBAsT
|
||||
FU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEWMBQGA1UEBRMNNDYwODk3KzQ2ODU5NzAf
|
||||
BgNVHSMEGDAWgBS/ZaKrb3WjTkWWVwXPOYf0wBUcHDBcBgNVHR8EVTBTMFGgT6BN
|
||||
hktodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNyb3NvZnQl
|
||||
MjBUZXN0aW5nJTIwUENBJTIwMjAxMCgxKS5jcmwwaQYIKwYBBQUHAQEEXTBbMFkG
|
||||
CCsGAQUFBzAChk1odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRz
|
||||
L01pY3Jvc29mdCUyMFRlc3RpbmclMjBQQ0ElMjAyMDEwKDEpLmNydDAMBgNVHRMB
|
||||
Af8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQCybuv6kmhT2y97FOLRljLCLvQlBL/E
|
||||
dxKPDYNFhHCKIUd550yUoUW8XIxSYa+Dmx/1+NYS4Nxql7ecuR4g9+4i0DOmNjYO
|
||||
NY8epPspIpjUd9OAiKNKJSs2303i2TQojXQcZVeTO89bK3pX+spoACGuEVEuWSdL
|
||||
q+oPDYZwNTKyobj9wHYO6WXJfcdLPlYZghDjR/WNO5bzvzpi2nn/c4OYvMihLNq0
|
||||
5uNO0IB/zquyAaCKbi15v/PqYos1BsT+Yft4zf8ry17yFVBIqJMa2An6Gex7SNWj
|
||||
jj1S7uBga3oZcTHvR8xv3fmbwfQMIrZRmZrq8xkySxQV7xea0sE7X/pJ
|
||||
-----END CERTIFICATE-----
|
|
@ -11716,6 +11716,16 @@
|
|||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"component": {
|
||||
"type": "other",
|
||||
"other": {
|
||||
"name": "livepatch-5.15.92.1-2.cm2",
|
||||
"version": "1.0.0",
|
||||
"downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.92.1.tar.gz"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"component": {
|
||||
"type": "other",
|
||||
|
|
Загрузка…
Ссылка в новой задаче