| 1 |
day 09 ~ day 13 |
| 2 |
|
| 3 |
This week short summary: |
| 4 |
kpatch: |
| 5 |
- Minor fixes and cleaning |
| 6 |
- Installation path fix |
| 7 |
- Testing live patch with different gcc versions |
| 8 |
elivepatch: |
| 9 |
- Designed and wrote the first draft of elivepatch server and client |
| 10 |
- Made server anc client communicate togheter with RESTful api |
| 11 |
- Wrote the CVE downloader |
| 12 |
- Wrote the kernel version reader |
| 13 |
- Wrote the command line argument parser |
| 14 |
|
| 15 |
What to do next week: |
| 16 |
- Finalizing a simple elivepatch prototype demo |
| 17 |
- Create the target side software that will manage the live patching |
| 18 |
|
| 19 |
Day 09 |
| 20 |
|
| 21 |
--- |
| 22 |
The parallel build issue looks solved with the new kpatch ebuild. |
| 23 |
--- |
| 24 |
kpatch ebuild update still working on. |
| 25 |
dropped yum dependency. |
| 26 |
--- |
| 27 |
Kpatch core module is the part that will handle the injection of the |
| 28 |
patch and verify procedure safety. |
| 29 |
|
| 30 |
it have 4 states as is detailed in the source code. |
| 31 |
|
| 32 |
from the source code: |
| 33 |
+-----------------------------------------------------+ |
| 34 |
| | |
| 35 |
| + |
| 36 |
v +---> KPATCH_STATE_SUCCESS |
| 37 |
KPATCH_STATE_IDLE +---> KPATCH_STATE_UPDATING | |
| 38 |
^ +---> KPATCH_STATE_FAILURE |
| 39 |
| + |
| 40 |
| | |
| 41 |
+-----------------------------------------------------+ |
| 42 |
|
| 43 |
--- |
| 44 |
elivepatch |
| 45 |
for checking for CVE security problems we can use this repository |
| 46 |
https://github.com/nluedtke/linux_kernel_cves |
| 47 |
|
| 48 |
|
| 49 |
As now elivepatch diagram |
| 50 |
+-------------------------------------------------------+ |
| 51 |
| | |
| 52 |
| | |
| 53 |
| Search CVE | |
| 54 |
| ^ | |
| 55 |
| +-----> Request new patch | |
| 56 |
| | | |
| 57 |
| + | |
| 58 |
|elivepatch_client<-------------->elivepatch_server | |
| 59 |
| + RESTful + | |
| 60 |
| | | | |
| 61 |
| | | | |
| 62 |
| | | | |
| 63 |
| v v | |
| 64 |
| Live patch Kernel Get patch from | |
| 65 |
| Linux Git Hash | |
| 66 |
| String. | |
| 67 |
| Live patch success rate| |
| 68 |
+-------------------------------------------------------+ |
| 69 |
|
| 70 |
Updated the client structure for following the diagram: |
| 71 |
https://github.com/aliceinwire/elivepatch/commit/43a75cbe6712cda90d0bc163c01f42e5358ec7b2 |
| 72 |
|
| 73 |
Day 10 |
| 74 |
|
| 75 |
added einstalldocs to kpatch ebuild |
| 76 |
Fixed incorrect installation to /usr/local/ |
| 77 |
|
| 78 |
about the elivepatch design after talking with gokturk I need to: |
| 79 |
- Have a way for know which patch are already applyied and which are |
| 80 |
not. https://wiki.gentoo.org/wiki/GLEP:42#Client_Side |
| 81 |
- Place for keeping the applied patches. (local database) |
| 82 |
- Find a way for reapply patch on reboot and know which patch are for which |
| 83 |
kernel. (but for now is user responsability to invoke the tool on reboot) |
| 84 |
- Keep up on kernel upgrade. |
| 85 |
|
| 86 |
Day 11 |
| 87 |
Definine command line arguments. |
| 88 |
|
| 89 |
elivepatch --help will print the help output |
| 90 |
elivepatch --cve will check for security problem in the kernel |
| 91 |
elivepatch --patch will test a premade patch |
| 92 |
elivepatch --kernel will set a manual kernel |
| 93 |
elivepatch --debug will set the debug option |
| 94 |
elivepatch --verbose will print debug log |
| 95 |
elivepatch --version will print the version |
| 96 |
|
| 97 |
push command line parser first draft |
| 98 |
revision number 7c6cf4682ef05782d8e126ea6b7d64a707c59015 |
| 99 |
|
| 100 |
|
| 101 |
kpatch ebuild: |
| 102 |
pushed new revision |
| 103 |
|
| 104 |
Day 12 |
| 105 |
Finished the argument and configuration parser. |
| 106 |
Defaulted the cve repository folder in /tmp/kernel_cve/ |
| 107 |
Return kernel Version |
| 108 |
|
| 109 |
Did the summary of what we need to do and we have done. |
| 110 |
|
| 111 |
Next time we will need to work on the patching creation and deploy |
| 112 |
system. |
| 113 |
|
| 114 |
Day 13 |
| 115 |
Checked patching with different GCC versions 5.8.2 and 4.9.4 |
| 116 |
and it worked. |
| 117 |
|
| 118 |
I could make the elivepatch client and server communicating each |
| 119 |
other with RESTful API and basic auth. |
| 120 |
|
| 121 |
For communicating with the server, the client is using the requests |
| 122 |
library. |
| 123 |
The server is using flask RESTful. |
| 124 |
|
| 125 |
As now we are getting only the server version: |
| 126 |
|
| 127 |
kernel_dev elivepatch_client (master*) # PYTHONPATH=/root/elivepatch/ python3 bin/elivepatch --cve --url http://192.168.122.6:5000 |
| 128 |
Namespace(conf_file=None, config='/proc/config.gz', cve=True, debug=False, patch=None, url='http://192.168.122.6:5000', version=False) |
| 129 |
('4', '9', '16') |
| 130 |
{ |
| 131 |
"agent": [ |
| 132 |
{ |
| 133 |
"module": "elivepatch", |
| 134 |
"version": "0.01" |
| 135 |
} |
| 136 |
] |
| 137 |
} |
| 138 |
|
| 139 |
{'agent': [{'version': '0.01', 'module': 'elivepatch'}]} |
| 140 |
|
| 141 |
I tried the text version and the JSON version and was both working |
| 142 |
|
| 143 |
we probably need to add the url_pass and url_user for basic auth to the |
| 144 |
client arguments. |
| 145 |
|
| 146 |
Today I added the url argument for setting the elivepatch server url. |
| 147 |
|
| 148 |
Also wrote the first draft for sending the configuration file but not tested yet. |
| 149 |
|
| 150 |
------ |
| 151 |
def send_config(self, config_path, config_file): |
| 152 |
url = self.server_url |
| 153 |
headers = {'elivepatch': 'password'} |
| 154 |
files = {'file': (config_file, open(config_path, 'rb'), 'multipart/form-data', {'Expires': '0'})} |
| 155 |
r = requests.post(url, files=files, headers=headers) |
| 156 |
------ |
Archives