From c55945cddf7a026b47f3ba2bb4c063323fcad77f Mon Sep 17 00:00:00 2001 From: yueyuankun Date: Thu, 4 Jul 2024 14:10:35 +0800 Subject: [PATCH 1/3] add excludearch loongarch64 (cherry picked from commit 124a9e96e22231eedfcbf09c1771c5f1eb0f272a) --- syscare.spec | 29 ++++++++++++++++------------- 1 file changed, 16 insertions(+), 13 deletions(-) diff --git a/syscare.spec b/syscare.spec index daff8f1..b2d6618 100644 --- a/syscare.spec +++ b/syscare.spec 
@@ -35,19 +35,19 @@ Patch0019: 0019-upatch-diff-fix-lookup_relf-failed-issue.patch Patch0020: 0020-upatch-diff-only-check-changed-file-symbols.patch Patch0021: 0021-upatch-diff-remove-rela-check-while-build-rebuilding.patch Patch0022: 0022-syscared-fix-apply-kernel-module-patch-failure-issue.patch -Patch0023: 0023-all-finding-executable-from-environment-variables.patch -Patch0024: 0024-all-remove-redundant-code.patch -Patch0025: 0025-all-add-c-rust-compilation-options.patch -Patch0026: 0026-common-fix-failed-to-set-selinux-status-issue.patch -Patch0027: 0027-upatch-diff-exit-with-error-when-any-tls-var-include.patch -Patch0028: 0028-upatch-diff-fix-lookup_relf-duplicate-failure.patch +Patch0023: 0023-all-finding-executable-from-environment-variables.patch +Patch0024: 0024-all-remove-redundant-code.patch +Patch0025: 0025-all-add-c-rust-compilation-options.patch +Patch0026: 0026-common-fix-failed-to-set-selinux-status-issue.patch +Patch0027: 0027-upatch-diff-exit-with-error-when-any-tls-var-include.patch +Patch0028: 0028-upatch-diff-fix-lookup_relf-duplicate-failure.patch Patch0029: 0029-upatch-diff-fix-memory-leak.patch -Patch0030: 0030-upatch-hijacker-fix-memory-leak.patch -Patch0031: 0031-upatch-manage-fix-memory-leak.patch -Patch0032: 0032-security-sanitize-sensitive-code.patch -Patch0033: 0033-all-implement-asan-gcov-build-type.patch -Patch0034: 0034-all-clean-code.patch -Patch0035: 0035-syscare-abi-remove-display-limit-of-patch_info.patch +Patch0030: 0030-upatch-hijacker-fix-memory-leak.patch +Patch0031: 0031-upatch-manage-fix-memory-leak.patch +Patch0032: 0032-security-sanitize-sensitive-code.patch +Patch0033: 0033-all-implement-asan-gcov-build-type.patch +Patch0034: 0034-all-clean-code.patch +Patch0035: 0035-syscare-abi-remove-display-limit-of-patch_info.patch Patch0036: 0036-syscare-abi-fix-clippy-warnings.patch BuildRequires: cmake >= 3.14 make 
@@ -57,6 +57,8 @@ BuildRequires: kernel-devel Requires: coreutils systemd Requires: kpatch-runtime +Excludearch: loongarch64 + ############### Description ################ %description SysCare is a system-level hot-fix service that provides security patches and system error hot-fixes for the operating system. @@ -199,7 +201,7 @@ fi ############################################ %changelog * Mon Jul 1 2024 renoseven - 1.2.1-9 -- abi: remove display limit of patch info +- abi: remove display limit of patch info - all: clean code - all: implement asan gcov build type - security: sanitize sensitive code @@ -212,6 +214,7 @@ fi - all: add compile options - all: remove redundant code - all: finding executable from environment variables +- add excludearch loongarch64 * Mon May 20 2024 ningyu - 1.2.1-8 - syscared: fix apply kernel module patch failure issue * Tue May 14 2024 ningyu - 1.2.1-7 -- Gitee From bcac33eb5aa6ba35ff32404ec10b6c629464386d Mon Sep 17 00:00:00 2001 From: renoseven Date: Fri, 16 Aug 2024 11:08:11 +0800 Subject: [PATCH 2/3] add generate patch script Signed-off-by: renoseven (cherry picked from commit 573a495c2fd6137fc873d97c2655b45e95bbf340) --- generate_patches.sh | 55 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100755 generate_patches.sh diff --git a/generate_patches.sh b/generate_patches.sh new file mode 100755 index 0000000..b0f1ee9 --- /dev/null +++ b/generate_patches.sh 
@@ -0,0 +1,55 @@
+#!/bin/bash -e
+readonly ROOT_DIR="$(dirname $(readlink -f ${BASH_SOURCE[0]}))"
+
+readonly SPEC_FILE="$(find . -name '*.spec' | head -n 1)"
+readonly REPO_NAME="$(basename ${SPEC_FILE} | sed 's/.spec//')"
+readonly REPO_VERSION="$(grep Version ${SPEC_FILE} | head -n 1 | awk -F ' ' '{print $NF}')"
+readonly REPO_REMOTE="origin"
+
+readonly PKG_NAME="${REPO_NAME}-${REPO_VERSION}"
+readonly PKG_DIR="${ROOT_DIR}/${PKG_NAME}"
+readonly PKG_BRANCH="$(git branch --show-current | sed 's/-LTS.*//')"
+
+echo "Preparing..."
+# clean old files
+rm -f ${ROOT_DIR}/*.patch
+rm -rf ${PKG_DIR}
+
+# extract package
+tar -xf ${PKG_NAME}.tar.gz
+
+# fetch baseline
+pushd ${PKG_DIR} > /dev/null
+readonly PKG_BASELINE=$(git rev-parse --short HEAD)
+popd > /dev/null
+
+echo "------------------------------"
+echo "Name: ${PKG_NAME}"
+echo "Branch: ${PKG_BRANCH}"
+echo "Baseline: ${PKG_BASELINE}"
+echo "------------------------------"
+
+echo "Syncing with remote..."
+pushd ${PKG_DIR} > /dev/null
+git fetch ${REPO_REMOTE}
+popd > /dev/null
+
+echo "Generating patches..."
+# format patches
+pushd ${PKG_DIR} > /dev/null
+git checkout -q ${REPO_REMOTE}/${PKG_BRANCH}
+git format-patch -qN -o ${ROOT_DIR} ${PKG_BASELINE}
+popd > /dev/null
+
+# print patch list
+patch_list="$(find ${ROOT_DIR} -maxdepth 1 -name "*.patch" | sort)"
+for patch_file in ${patch_list}; do
+ patch_name="$(basename ${patch_file})"
+ patch_id="$(echo ${patch_name} | awk -F '-' '{print $1}')"
+ echo "Patch${patch_id}: ${patch_name}"
+done
+
+echo "Cleaning up..."
+rm -rf ${PKG_DIR}
+
+echo "Done"
-- Gitee From 27a40f53c012d6382bcfaa4ff3fe38b88b16f808 Mon Sep 17 00:00:00 2001 From: renoseven Date: Fri, 16 Aug 2024 11:15:04 +0800 Subject: [PATCH 3/3] update to 1.2.1-10
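Review bot: The destructive cleanup (`rm -f ${ROOT_DIR}/*.patch`, `rm -rf ${PKG_DIR}`) runs on unquoted paths built from command substitutions whose failures are never seen: `readonly VAR="$(...)"` returns the status of `readonly`, so `-e` does not stop the script when `find` matches no spec file, and an empty `SPEC_FILE` leaves `grep Version` reading stdin. The `-e` on the shebang is also lost when the script is started as `bash generate_patches.sh`. I would put `set -euo pipefail` at the top, add `[[ -n "${SPEC_FILE}" ]] || { echo "no spec file found" >&2; exit 1; }` after the lookup, and quote the paths, e.g. `rm -rf -- "${PKG_DIR}"`. Separately, `git fetch ${REPO_REMOTE}` runs inside the directory unpacked from the tarball and so presumably trusts whatever `origin` that embedded git config names; a comment stating the expected remote, or a check of `git remote get-url origin`, would make the provenance of the generated patches explicit.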
Signed-off-by: renoseven (cherry picked from commit ee389461c106cec66c0e7e2d493c4e1fd1fb6a6d) --- 0037-update-README.md.patch | 30 ++ ...ff-fix-.rela.text-section-status-bug.patch | 46 +++ 0039-upatch-manage-resolve-plt-firstly.patch | 34 +++ ...ch-manage-fix-find-upatch-region-bug.patch | 261 ++++++++++++++++++ 0041-update-README.md.patch | 26 ++ ...lize-empty-path-return-current-path-.patch | 28 ++ ...TCH_CHECK-action-when-status-change-.patch | 30 ++ syscare.spec | 87 +++--- 8 files changed, 505 insertions(+), 37 deletions(-) create mode 100644 0037-update-README.md.patch create mode 100644 0038-upatch-diff-fix-.rela.text-section-status-bug.patch create mode 100644 0039-upatch-manage-resolve-plt-firstly.patch create mode 100644 0040-upatch-manage-fix-find-upatch-region-bug.patch create mode 100644 0041-update-README.md.patch create mode 100644 0042-common-fix-normalize-empty-path-return-current-path-.patch create mode 100644 0043-syscared-Add-PACTCH_CHECK-action-when-status-change-.patch diff --git a/0037-update-README.md.patch b/0037-update-README.md.patch new file mode 100644 index 0000000..87e2a7c --- /dev/null +++ b/0037-update-README.md.patch @@ -0,0 +1,30 @@ +From 7459e69b764af5926e620fab94a12e7e16c6834f Mon Sep 17 00:00:00 2001 +From: lixiang_yewu +Date: Thu, 1 Aug 2024 02:34:16 +0000 +Subject: [PATCH] =?UTF-8?q?update=20README.md.=20=E6=8C=87=E4=BB=A4?= + =?UTF-8?q?=E5=86=99=E9=94=99=E4=BA=86?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: lixiang_yewu +--- + README.md | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/README.md b/README.md +index 138c059..f12b03d 100644 +--- a/README.md ++++ b/README.md +@@ -113,7 +113,7 @@ $ sudo syscare active redis-6.2.5-1/HP001 + + 3. 补丁去激活 + ```bash +-$ sudo syscarae deactive redis-6.2.5-1/HP001 ++$ sudo syscare deactive redis-6.2.5-1/HP001 + ``` + + 4. 补丁卸载/移除 +-- +2.34.1 + 
diff --git a/0038-upatch-diff-fix-.rela.text-section-status-bug.patch b/0038-upatch-diff-fix-.rela.text-section-status-bug.patch new file mode 100644 index 0000000..cffe2bd --- /dev/null +++ b/0038-upatch-diff-fix-.rela.text-section-status-bug.patch @@ -0,0 +1,46 @@ +From c1edef425ec9da9249f37c7a7a4519447c64f43e Mon Sep 17 00:00:00 2001 +From: ningyu <405888464@qq.com> +Date: Fri, 9 Aug 2024 12:17:18 +0800 +Subject: [PATCH] upatch-diff: fix .rela.text section status bug + +Signed-off-by: ningyu <405888464@qq.com> +--- + upatch-diff/create-diff-object.c | 2 +- + upatch-diff/elf-compare.c | 6 ++---- + 2 files changed, 3 insertions(+), 5 deletions(-) + +diff --git a/upatch-diff/create-diff-object.c b/upatch-diff/create-diff-object.c +index 8830956..0eea362 100644 +--- a/upatch-diff/create-diff-object.c ++++ b/upatch-diff/create-diff-object.c +@@ -868,7 +868,7 @@ static void verify_patchability(struct upatch_elf *uelf) + int errs = 0; + + list_for_each_entry(sec, &uelf->sections, list) { +- if (sec->status == CHANGED && !sec->include) { ++ if (sec->status == CHANGED && !sec->include && !is_rela_section(sec)) { + log_normal("Section '%s' is changed, but it is not selected for inclusion\n", sec->name); + errs++; + } +diff --git a/upatch-diff/elf-compare.c b/upatch-diff/elf-compare.c +index 851c25f..5d39825 100644 +--- a/upatch-diff/elf-compare.c ++++ b/upatch-diff/elf-compare.c +@@ -345,12 +345,10 @@ static inline void update_section_status(struct section *sec, enum status status + sec->twin->status = status; + } + if (is_rela_section(sec)) { +- if ((sec->base != NULL) && +- (sec->base->sym != NULL)) { ++ if ((sec->base != NULL) && (sec->base->sym != NULL) && status != SAME) { + sec->base->sym->status = status; + } +- } +- else { ++ } else { + if (sec->sym != NULL) { + sec->sym->status = status; + } +-- +2.34.1 + diff --git a/0039-upatch-manage-resolve-plt-firstly.patch b/0039-upatch-manage-resolve-plt-firstly.patch new file mode 100644 index 0000000..8efa6e7 
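Review bot: The added `!is_rela_section(sec)` in verify_patchability (create-diff-object.c) has no comment saying why a CHANGED relocation section that is not selected for inclusion may now be skipped, although this is the function that counts such sections as errors. A comment such as `/* a changed rela section is judged through its base section, so it is not an error by itself */` would record the assumption, if that is indeed the reasoning. The same applies to the new `status != SAME` condition in update_section_status (elf-compare.c), which stops SAME from being written to the base section's symbol. Both functions start and end outside the hunks shown.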
--- /dev/null +++ b/0039-upatch-manage-resolve-plt-firstly.patch @@ -0,0 +1,34 @@ +From 07046dcc548fe71c1db1f2223144fc6c86fa46ae Mon Sep 17 00:00:00 2001 +From: ningyu <405888464@qq.com> +Date: Fri, 9 Aug 2024 14:18:50 +0800 +Subject: [PATCH] upatch-manage: resolve plt firstly + +Signed-off-by: ningyu <405888464@qq.com> +--- + upatch-manage/upatch-resolve.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/upatch-manage/upatch-resolve.c b/upatch-manage/upatch-resolve.c +index 197ea2f..5f1c2de 100644 +--- a/upatch-manage/upatch-resolve.c ++++ b/upatch-manage/upatch-resolve.c +@@ -254,12 +254,12 @@ static unsigned long resolve_symbol(struct upatch_elf *uelf, + * Approach 3 is more general, but difficulty to implement. + */ + +- /* resolve from got */ +- elf_addr = resolve_rela_dyn(uelf, obj, name, &patch_sym); ++ /* resolve from plt */ ++ elf_addr = resolve_rela_plt(uelf, obj, name, &patch_sym); + +- /* resolve from plt */ ++ /* resolve from got */ + if (!elf_addr) { +- elf_addr = resolve_rela_plt(uelf, obj, name, &patch_sym); ++ elf_addr = resolve_rela_dyn(uelf, obj, name, &patch_sym); + } + + /* resolve from dynsym */ +-- +2.34.1 + diff --git a/0040-upatch-manage-fix-find-upatch-region-bug.patch b/0040-upatch-manage-fix-find-upatch-region-bug.patch new file mode 100644 index 0000000..4f24995 --- /dev/null +++ b/0040-upatch-manage-fix-find-upatch-region-bug.patch 
@@ -0,0 +1,261 @@ +From 391296d6138ca838b650ab8103c88e45472f7565 Mon Sep 17 00:00:00 2001 +From: ningyu <405888464@qq.com> +Date: Fri, 9 Aug 2024 14:33:01 +0800 +Subject: [PATCH] upatch-manage: fix find upatch region bug + +Signed-off-by: ningyu <405888464@qq.com> +--- + upatch-manage/arch/aarch64/process.h | 28 --------- + upatch-manage/arch/x86_64/process.h | 28 --------- + upatch-manage/upatch-patch.c | 2 +- + upatch-manage/upatch-process.c | 91 ++++++---------------------- + upatch-manage/upatch-process.h | 6 +- + 5 files changed, 23 insertions(+), 132 deletions(-) + delete mode 100644 upatch-manage/arch/aarch64/process.h + delete mode 100644 upatch-manage/arch/x86_64/process.h + +diff --git a/upatch-manage/arch/aarch64/process.h b/upatch-manage/arch/aarch64/process.h +deleted file mode 100644 +index 8acf04b..0000000 +--- a/upatch-manage/arch/aarch64/process.h ++++ /dev/null +@@ -1,28 +0,0 @@ +-// SPDX-License-Identifier: GPL-2.0 +-/* +- * upatch-manage +- * Copyright (C) 2024 Huawei Technologies Co., Ltd. +- * +- * This program is free software; you can redistribute it and/or modify +- * it under the terms of the GNU General Public License as published by +- * the Free Software Foundation; either version 2 of the License, or +- * (at your option) any later version. +- * +- * This program is distributed in the hope that it will be useful, +- * but WITHOUT ANY WARRANTY; without even the implied warranty of +- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +- * GNU General Public License for more details. +- * +- * You should have received a copy of the GNU General Public License along +- * with this program; if not, write to the Free Software Foundation, Inc., +- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
+- */ +- +-#ifndef __PROCESS__ +-#define __PROCESS__ +- +-#ifndef MAX_DISTANCE +-#define MAX_DISTANCE 0x8000000 +-#endif +- +-#endif +\ No newline at end of file +diff --git a/upatch-manage/arch/x86_64/process.h b/upatch-manage/arch/x86_64/process.h +deleted file mode 100644 +index 5de8fc3..0000000 +--- a/upatch-manage/arch/x86_64/process.h ++++ /dev/null +@@ -1,28 +0,0 @@ +-// SPDX-License-Identifier: GPL-2.0 +-/* +- * upatch-manage +- * Copyright (C) 2024 Huawei Technologies Co., Ltd. +- * +- * This program is free software; you can redistribute it and/or modify +- * it under the terms of the GNU General Public License as published by +- * the Free Software Foundation; either version 2 of the License, or +- * (at your option) any later version. +- * +- * This program is distributed in the hope that it will be useful, +- * but WITHOUT ANY WARRANTY; without even the implied warranty of +- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +- * GNU General Public License for more details. +- * +- * You should have received a copy of the GNU General Public License along +- * with this program; if not, write to the Free Software Foundation, Inc., +- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
+- */ +- +-#ifndef __PROCESS__ +-#define __PROCESS__ +- +-#ifndef MAX_DISTANCE +-#define MAX_DISTANCE 0x80000000 +-#endif +- +-#endif +\ No newline at end of file +diff --git a/upatch-manage/upatch-patch.c b/upatch-manage/upatch-patch.c +index 8a1ad41..c9fcbc9 100644 +--- a/upatch-manage/upatch-patch.c ++++ b/upatch-manage/upatch-patch.c +@@ -271,7 +271,7 @@ static void *upatch_alloc(struct object_file *obj, size_t sz) + unsigned long addr; + struct vm_hole *hole = NULL; + +- addr = object_find_patch_region_nolimit(obj, sz, &hole); ++ addr = object_find_patch_region(obj, sz, &hole); + if (!addr) + return NULL; + +diff --git a/upatch-manage/upatch-process.c b/upatch-manage/upatch-process.c +index 84ec030..f4033cb 100644 +--- a/upatch-manage/upatch-process.c ++++ b/upatch-manage/upatch-process.c +@@ -33,7 +33,6 @@ + + #include "list.h" + #include "log.h" +-#include "process.h" + #include "upatch-common.h" + #include "upatch-elf.h" + #include "upatch-process.h" +@@ -804,8 +803,9 @@ int vm_hole_split(struct vm_hole *hole, unsigned long alloc_start, + * and the next hole as a right candidate. Pace through them until there is + * enough space in the hole for the patch. + * +- * Since holes can be much larger than 2GiB take extra caution to allocate +- * patch region inside the (-2GiB, +2GiB) range from the original object. ++ * Due to relocation constraints, the hole position should be whin 4GB range ++ * from the obj. 
++ * eg: R_AARCH64_ADR_GOT_PAGE + */ + unsigned long object_find_patch_region(struct object_file *obj, size_t memsize, + struct vm_hole **hole) +@@ -813,96 +813,41 @@ unsigned long object_find_patch_region(struct object_file *obj, size_t memsize, + struct list_head *head = &obj->proc->vmaholes; + struct vm_hole *left_hole = obj->previous_hole; + struct vm_hole *right_hole = next_hole(left_hole, head); +- unsigned long max_distance = MAX_DISTANCE; ++ unsigned long region_start = 0; + struct obj_vm_area *sovma; +- + unsigned long obj_start, obj_end; +- unsigned long region_start = 0, region_end = 0; +- +- log_debug("Looking for patch region for '%s'...\n", obj->name); + + sovma = list_first_entry(&obj->vma, struct obj_vm_area, list); + obj_start = sovma->inmem.start; + sovma = list_entry(obj->vma.prev, struct obj_vm_area, list); + obj_end = sovma->inmem.end; + +- max_distance -= memsize; +- +- /* TODO carefully check for the holes laying between obj_start and +- * obj_end, i.e. just after the executable segment of an executable +- */ +- while (left_hole != NULL && right_hole != NULL) { +- if (right_hole != NULL && +- right_hole->start - obj_start > max_distance) +- right_hole = NULL; +- else if (hole_size(right_hole) > memsize) { +- region_start = right_hole->start; +- region_end = (right_hole->end - obj_start) <= +- max_distance ? +- right_hole->end - memsize : +- obj_start + max_distance; +- *hole = right_hole; +- break; +- } else +- right_hole = next_hole(right_hole, head); +- +- if (left_hole != NULL && +- obj_end - left_hole->end > max_distance) +- left_hole = NULL; +- else if (hole_size(left_hole) > memsize) { +- region_start = (obj_end - left_hole->start) <= +- max_distance ? +- left_hole->start : +- obj_end > max_distance ? 
+- obj_end - max_distance : +- 0; +- region_end = left_hole->end - memsize; +- *hole = left_hole; +- break; +- } else +- left_hole = prev_hole(left_hole, head); +- } +- +- if (region_start == region_end) { +- log_error("Cannot find suitable region for patch '%s'\n", obj->name); +- return -1UL; +- } +- +- region_start = (region_start >> (unsigned long)PAGE_SHIFT) << (unsigned long)PAGE_SHIFT; +- log_debug("Found patch region for '%s' at 0x%lx\n", obj->name, +- region_start); +- +- return region_start; +-} +-unsigned long object_find_patch_region_nolimit(struct object_file *obj, size_t memsize, +- struct vm_hole **hole) +-{ +- struct list_head *head = &obj->proc->vmaholes; +- struct vm_hole *left_hole = obj->previous_hole; +- struct vm_hole *right_hole = next_hole(left_hole, head); +- unsigned long region_start = 0; +- + log_debug("Looking for patch region for '%s'...\n", obj->name); + +- while (right_hole != NULL) { ++ while (right_hole != NULL || left_hole != NULL) { + if (hole_size(right_hole) > memsize) { + *hole = right_hole; ++ region_start = right_hole->start; ++ if (region_start + memsize - obj_start > MAX_DISTANCE) { ++ continue; ++ } + goto found; +- } else +- right_hole = next_hole(right_hole, head); +- +- while (left_hole != NULL) ++ } + if (hole_size(left_hole) > memsize) { + *hole = left_hole; ++ region_start = left_hole->end - memsize; ++ if (obj_end - region_start > MAX_DISTANCE) { ++ continue; ++ } + goto found; +- } else +- left_hole = prev_hole(left_hole, head); ++ } ++ right_hole = next_hole(right_hole, head); ++ left_hole = prev_hole(left_hole, head); + } +- + log_error("Cannot find suitable region for patch '%s'\n", obj->name); + return -1UL; + found: +- region_start = ((*hole)->start >> PAGE_SHIFT) << PAGE_SHIFT; ++ region_start = (region_start >> PAGE_SHIFT) << PAGE_SHIFT; + log_debug("Found patch region for '%s' 0xat %lx\n", obj->name, + region_start); + +diff --git a/upatch-manage/upatch-process.h b/upatch-manage/upatch-process.h +index 
be44cb5..fdbd752 100644 +--- a/upatch-manage/upatch-process.h ++++ b/upatch-manage/upatch-process.h +@@ -33,6 +33,10 @@ + #define ELFMAG "\177ELF" + #define SELFMAG 4 + ++#ifndef MAX_DISTANCE ++#define MAX_DISTANCE (1UL << 32) ++#endif ++ + enum { + MEM_READ, + MEM_WRITE, +@@ -143,7 +147,5 @@ int vm_hole_split(struct vm_hole *, unsigned long, unsigned long); + + unsigned long object_find_patch_region(struct object_file *, size_t, + struct vm_hole **); +-unsigned long object_find_patch_region_nolimit(struct object_file *, size_t, +- struct vm_hole **); + + #endif +-- +2.34.1 + diff --git a/0041-update-README.md.patch b/0041-update-README.md.patch new file mode 100644 index 0000000..6f68f6d --- /dev/null +++ b/0041-update-README.md.patch @@ -0,0 +1,26 @@ +From c059e2c6fc90f0f35bb54ce9cb173b0c9f7092f4 Mon Sep 17 00:00:00 2001 +From: Caohongtao +Date: Wed, 14 Aug 2024 06:39:31 +0000 +Subject: [PATCH] update README.md. + +Signed-off-by: Caohongtao +--- + README.md | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/README.md b/README.md +index f12b03d..15d4d48 100644 +--- a/README.md ++++ b/README.md +@@ -9,7 +9,7 @@ + + ## 软件架构 + +-​ 可以利用系统组件源代码与相应的patch问题,制作出相应组件补丁的RPM(包含补丁文件、依赖信息与配置信息等). 制作的补丁RPM,可以上传到相应的补丁仓库中,集群的系统demon定时去查询补丁仓库, 对系统中运行的CVE与软件错误进行热修复,保证系统安全、稳定、高效运行。 ++​ 可以利用系统组件源代码与相应的patch问题,制作出相应组件补丁的RPM(包含补丁文件、依赖信息与配置信息等). 制作的补丁RPM,可以上传到相应的补丁仓库中,集群的系统daemon定时去查询补丁仓库, 对系统中运行的CVE与软件错误进行热修复,保证系统安全、稳定、高效运行。 + + + +-- +2.34.1 + diff --git a/0042-common-fix-normalize-empty-path-return-current-path-.patch b/0042-common-fix-normalize-empty-path-return-current-path-.patch new file mode 100644 index 0000000..e2c89ef --- /dev/null +++ b/0042-common-fix-normalize-empty-path-return-current-path-.patch 
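Review bot: The rewritten loop in object_find_patch_region (upatch-process.c, carried in 0040) can spin forever: when a hole is large enough but fails the MAX_DISTANCE test, `continue` jumps back to the loop condition without advancing `right_hole` or `left_hole`, so the same hole is examined again. The `||` loop condition also lets one cursor be NULL while `hole_size()` and `->start`/`->end` are still applied to it; whether `hole_size()` tolerates NULL is not visible here. `*hole` is written before the range test, and the caller in upatch-patch.c tests `if (!addr)` although failure is reported as `-1UL`, so a failed search is not caught there. A version that folds the range test into the condition and always advances is sketched below; the function continues past the hunk.

```c
	/* … unchanged: obj_start / obj_end setup and log_debug … */
	while (right_hole != NULL || left_hole != NULL) {
		if (right_hole != NULL && hole_size(right_hole) > memsize &&
		    right_hole->start + memsize - obj_start <= MAX_DISTANCE) {
			*hole = right_hole;
			region_start = right_hole->start;
			goto found;
		}
		if (left_hole != NULL && hole_size(left_hole) > memsize &&
		    obj_end - (left_hole->end - memsize) <= MAX_DISTANCE) {
			*hole = left_hole;
			region_start = left_hole->end - memsize;
			goto found;
		}
		/* too small or out of range: move both cursors so the loop terminates */
		if (right_hole != NULL)
			right_hole = next_hole(right_hole, head);
		if (left_hole != NULL)
			left_hole = prev_hole(left_hole, head);
	}
	/* … unchanged: log_error, return -1UL, found: label … */
```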
@@ -0,0 +1,28 @@ +From 25d19d0d5f5acdd7833bd73afcb16a693e54fbd4 Mon Sep 17 00:00:00 2001 +From: renoseven +Date: Tue, 13 Aug 2024 17:31:50 +0800 +Subject: [PATCH] common: fix 'normalize empty path return current path' issue + +Signed-off-by: renoseven +--- + syscare-common/src/fs/fs_impl.rs | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/syscare-common/src/fs/fs_impl.rs b/syscare-common/src/fs/fs_impl.rs +index e794c98..29c5d6e 100644 +--- a/syscare-common/src/fs/fs_impl.rs ++++ b/syscare-common/src/fs/fs_impl.rs +@@ -290,6 +290,10 @@ pub fn normalize>(path: P) -> io::Result { + let mut new_path = PathBuf::new(); + + let orig_path = path.as_ref(); ++ if orig_path.as_os_str().is_empty() { ++ return Ok(new_path); ++ } ++ + if orig_path.is_relative() { + new_path.push(env::current_dir()?); + } +-- +2.34.1 + diff --git a/0043-syscared-Add-PACTCH_CHECK-action-when-status-change-.patch b/0043-syscared-Add-PACTCH_CHECK-action-when-status-change-.patch new file mode 100644 index 0000000..0465e39 --- /dev/null +++ b/0043-syscared-Add-PACTCH_CHECK-action-when-status-change-.patch 
@@ -0,0 +1,30 @@ +From 78645769fefec83f62adf45d7085fc6792f10dda Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=E5=AE=81=E5=AE=87?= <405888464@qq.com> +Date: Thu, 15 Aug 2024 07:33:24 +0000 +Subject: [PATCH] syscared: Add PACTCH_CHECK action when status change from + Deactived to Actived +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: 宁宇 <405888464@qq.com> +--- + syscared/src/patch/manager.rs | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/syscared/src/patch/manager.rs b/syscared/src/patch/manager.rs +index d156e4a..3a724db 100644 +--- a/syscared/src/patch/manager.rs ++++ b/syscared/src/patch/manager.rs +@@ -54,7 +54,7 @@ lazy_static! { + (PatchStatus::NotApplied, PatchStatus::Actived) => vec![PATCH_CHECK, PATCH_APPLY, PATCH_ACTIVE], + (PatchStatus::NotApplied, PatchStatus::Accepted) => vec![PATCH_CHECK, PATCH_APPLY, PATCH_ACTIVE, PATCH_ACCEPT], + (PatchStatus::Deactived, PatchStatus::NotApplied) => vec![PATCH_REMOVE], +- (PatchStatus::Deactived, PatchStatus::Actived) => vec![PATCH_ACTIVE], ++ (PatchStatus::Deactived, PatchStatus::Actived) => vec![PATCH_CHECK, PATCH_ACTIVE], + (PatchStatus::Deactived, PatchStatus::Accepted) => vec![PATCH_ACTIVE, PATCH_ACCEPT], + (PatchStatus::Actived, PatchStatus::NotApplied) => vec![PATCH_DEACTIVE, PATCH_REMOVE], + (PatchStatus::Actived, PatchStatus::Deactived) => vec![PATCH_DEACTIVE], +-- +2.34.1 + diff --git a/syscare.spec b/syscare.spec index b2d6618..80f37e3 100644 --- a/syscare.spec +++ b/syscare.spec 
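Review bot: The neighbouring transition `(PatchStatus::Deactived, PatchStatus::Accepted)` still maps to `vec![PATCH_ACTIVE, PATCH_ACCEPT]`, so a deactivated patch that goes straight to Accepted is re-activated without the PATCH_CHECK this change adds for Deactived -> Actived. If the check is meant to guard every re-activation, that line should read `(PatchStatus::Deactived, PatchStatus::Accepted) => vec![PATCH_CHECK, PATCH_ACTIVE, PATCH_ACCEPT],`, which would also match the NotApplied rows above it. The table starts and ends outside the hunk, so the remaining transitions could not be checked.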
@@ -7,48 +7,55 @@ ############################################ Name: syscare Version: 1.2.1 -Release: 9 +Release: 10 Summary: System hot-fix service License: MulanPSL-2.0 and GPL-2.0-only URL: https://gitee.com/openeuler/syscare Source0: %{name}-%{version}.tar.gz -Patch0001: 0001-upatch-hijacker-fix-compile-bug.patch -Patch0002: 0002-daemon-fix-cannot-get-file-selinux-xattr-when-selinu.patch -Patch0003: 0003-syscared-fix-syscare-check-command-does-not-check-sy.patch -Patch0004: 0004-syscared-fix-cannot-find-process-of-dynlib-patch-iss.patch -Patch0005: 0005-syscared-optimize-patch-error-logic.patch -Patch0006: 0006-syscared-optimize-transaction-creation-logic.patch -Patch0007: 0007-upatch-manage-optimize-output.patch -Patch0008: 0008-common-impl-CStr-from_bytes_with_next_nul.patch -Patch0009: 0009-syscared-improve-patch-management.patch -Patch0010: 0010-syscared-stop-activating-ignored-process-on-new-proc.patch -Patch0011: 0011-syscared-adapt-upatch-manage-exit-code-change.patch -Patch0012: 0012-upatch-manage-change-exit-code.patch -Patch0013: 0013-upatch-manage-change-the-way-to-calculate-frozen-tim.patch -Patch0014: 0014-upatch-build-fix-file-detection-cause-build-failure-.patch -Patch0015: 0015-upatch-diff-optimize-log-output.patch -Patch0016: 0016-security-change-directory-permission.patch -Patch0017: 0017-security-change-daemon-socket-permission.patch -Patch0018: 0018-upatch-manage-Fixed-the-core-dump-issue-after-applyi.patch -Patch0019: 0019-upatch-diff-fix-lookup_relf-failed-issue.patch -Patch0020: 0020-upatch-diff-only-check-changed-file-symbols.patch -Patch0021: 0021-upatch-diff-remove-rela-check-while-build-rebuilding.patch -Patch0022: 0022-syscared-fix-apply-kernel-module-patch-failure-issue.patch -Patch0023: 0023-all-finding-executable-from-environment-variables.patch -Patch0024: 0024-all-remove-redundant-code.patch -Patch0025: 0025-all-add-c-rust-compilation-options.patch -Patch0026: 0026-common-fix-failed-to-set-selinux-status-issue.patch -Patch0027: 
0027-upatch-diff-exit-with-error-when-any-tls-var-include.patch -Patch0028: 0028-upatch-diff-fix-lookup_relf-duplicate-failure.patch -Patch0029: 0029-upatch-diff-fix-memory-leak.patch -Patch0030: 0030-upatch-hijacker-fix-memory-leak.patch -Patch0031: 0031-upatch-manage-fix-memory-leak.patch -Patch0032: 0032-security-sanitize-sensitive-code.patch -Patch0033: 0033-all-implement-asan-gcov-build-type.patch -Patch0034: 0034-all-clean-code.patch -Patch0035: 0035-syscare-abi-remove-display-limit-of-patch_info.patch -Patch0036: 0036-syscare-abi-fix-clippy-warnings.patch +Patch0001: 0001-upatch-hijacker-fix-compile-bug.patch +Patch0002: 0002-daemon-fix-cannot-get-file-selinux-xattr-when-selinu.patch +Patch0003: 0003-syscared-fix-syscare-check-command-does-not-check-sy.patch +Patch0004: 0004-syscared-fix-cannot-find-process-of-dynlib-patch-iss.patch +Patch0005: 0005-syscared-optimize-patch-error-logic.patch +Patch0006: 0006-syscared-optimize-transaction-creation-logic.patch +Patch0007: 0007-upatch-manage-optimize-output.patch +Patch0008: 0008-common-impl-CStr-from_bytes_with_next_nul.patch +Patch0009: 0009-syscared-improve-patch-management.patch +Patch0010: 0010-syscared-stop-activating-ignored-process-on-new-proc.patch +Patch0011: 0011-syscared-adapt-upatch-manage-exit-code-change.patch +Patch0012: 0012-upatch-manage-change-exit-code.patch +Patch0013: 0013-upatch-manage-change-the-way-to-calculate-frozen-tim.patch +Patch0014: 0014-upatch-build-fix-file-detection-cause-build-failure-.patch +Patch0015: 0015-upatch-diff-optimize-log-output.patch +Patch0016: 0016-security-change-directory-permission.patch +Patch0017: 0017-security-change-daemon-socket-permission.patch +Patch0018: 0018-upatch-manage-Fixed-the-core-dump-issue-after-applyi.patch +Patch0019: 0019-upatch-diff-fix-lookup_relf-failed-issue.patch +Patch0020: 0020-upatch-diff-only-check-changed-file-symbols.patch +Patch0021: 0021-upatch-diff-remove-rela-check-while-build-rebuilding.patch +Patch0022: 
0022-syscared-fix-apply-kernel-module-patch-failure-issue.patch +Patch0023: 0023-all-finding-executable-from-environment-variables.patch +Patch0024: 0024-all-remove-redundant-code.patch +Patch0025: 0025-all-add-c-rust-compilation-options.patch +Patch0026: 0026-common-fix-failed-to-set-selinux-status-issue.patch +Patch0027: 0027-upatch-diff-exit-with-error-when-any-tls-var-include.patch +Patch0028: 0028-upatch-diff-fix-lookup_relf-duplicate-failure.patch +Patch0029: 0029-upatch-diff-fix-memory-leak.patch +Patch0030: 0030-upatch-hijacker-fix-memory-leak.patch +Patch0031: 0031-upatch-manage-fix-memory-leak.patch +Patch0032: 0032-security-sanitize-sensitive-code.patch +Patch0033: 0033-all-implement-asan-gcov-build-type.patch +Patch0034: 0034-all-clean-code.patch +Patch0035: 0035-syscare-abi-remove-display-limit-of-patch_info.patch +Patch0036: 0036-syscare-abi-fix-clippy-warnings.patch +Patch0037: 0037-update-README.md.patch +Patch0038: 0038-upatch-diff-fix-.rela.text-section-status-bug.patch +Patch0039: 0039-upatch-manage-resolve-plt-firstly.patch +Patch0040: 0040-upatch-manage-fix-find-upatch-region-bug.patch +Patch0041: 0041-update-README.md.patch +Patch0042: 0042-common-fix-normalize-empty-path-return-current-path-.patch +Patch0043: 0043-syscared-Add-PACTCH_CHECK-action-when-status-change-.patch BuildRequires: cmake >= 3.14 make BuildRequires: rust >= 1.51 cargo >= 1.51 @@ -200,6 +207,12 @@ fi ################ Change log ################ ############################################ %changelog +* Mon Jul 1 2024 renoseven - 1.2.1-10 +- upatch-diff: fix '.rela' '.rela.text' resolving issue +- upatch-manage: fix plt resolving issue +- upatch-manage: fix patch region finding issue +- common: fix normalizing empty path return non-empty issue +- syscared: add check action for [DEACTIVED -> ACTIVED] transition * Mon Jul 1 2024 renoseven - 1.2.1-9 - abi: remove display limit of patch info - all: clean code -- Gitee