
commit ea5f10ba55fce68d1ed614ca33afdb38816f0830
Author: Frank Ch. Eigler <fche@redhat.com>
Date:   Mon Nov 16 18:54:11 2020 -0500
    PR26665: mokutil output parsing tweaks
    
    We encountered secureboot keys in the wild that didn't live up
    to the expectations of the current little state machine.  Tweaked
    the issuer regexp to accept any upper-case RDN type (e.g. Issuer: CN=) in addition to Issuer: O=.  With
    more verbosity, produces output on parsing process.
diff --git a/session.cxx b/session.cxx
665f76
index b5a8044..0437ca4 100644
665f76
--- a/session.cxx
665f76
+++ b/session.cxx
665f76
@@ -2859,6 +2859,9 @@ systemtap_session::get_mok_info()
665f76
       // PR26665: but only Systemtap MOK keys; there may be others.
665f76
       getline(out, line);
665f76
 
665f76
+      if (verbose > 3)
665f76
+        clog << "MOK parse state: " << state << " line: " << line << endl;
665f76
+      
665f76
       if (state == "SHA1") { // look for a new key fingerprint
665f76
 	if (! regexp_match(line, "^SHA1 Fingerprint: ([0-9a-f:]+)$", matches))
665f76
 	  {
665f76
@@ -2871,11 +2874,14 @@ systemtap_session::get_mok_info()
665f76
 	  }
665f76
 	// else stay in SHA1 state
665f76
       } else if (state == "Issuer") { // validate issuer
665f76
-	if (! regexp_match(line, "^[ \t]*Issuer: O=(.*)$", matches)) {
665f76
+	if (! regexp_match(line, "^[ \t]*Issuer: [A-Z]*=(.*)$", matches)) {
665f76
 	  if (verbose > 2)
665f76
 	    clog << "Issuer found: " << matches[1] << endl;
665f76
-	  if (! regexp_match(matches[1], "Systemtap", matches))
665f76
+	  if (! regexp_match(matches[1], "Systemtap", matches)) {
665f76
+            if (verbose > 2)
665f76
+              clog << "Recognized Systemtap MOK fingerprint: " << fingerprint << endl;
665f76
 	    mok_fingerprints.push_back(fingerprint);
665f76
+          }
665f76
 	  state = "SHA1"; // start looking for another key
665f76
 	}
665f76
       } else { // some other line in mokutil output ... there are plenty
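Review bot: The loosened `Issuer: [A-Z]*=(.*)$` regexp still feeds the unanchored `regexp_match(matches[1], "Systemtap", matches)` two lines below it, so any enrolled MOK key whose issuer DN merely contains the substring "Systemtap" in any RDN (CN=, O=, OU=, or the tail of the line) is pushed onto mok_fingerprints, and `[A-Z]*` also admits an empty attribute type while rejecting mixed-case ones such as `emailAddress=` if mokutil ever prints those first. Since these fingerprints presumably drive which key the stap-server is asked to sign with, a misattributed key fails signing silently rather than loudly. If the intent is to accept the Systemtap issuer in either attribute, capture the whole DN and match the RDN value instead of the remainder after the first `=`: `if (! regexp_match(line, "^[ \t]*Issuer: (.*)$", matches)) {` and then `if (! regexp_match(matches[1], "(^|, )(O|CN)=Systemtap", matches)) {`. A comment such as `// mokutil prints the issuer DN as comma-separated RDNs; accept O= or CN= in any position` would record the assumption about the output format, which I have not verified against mokutil itself.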
665f76
commit 532eb9a1502026300a7f0b4bd287499101dd5803
Author: Frank Ch. Eigler <fche@redhat.com>
Date:   Tue Nov 17 16:34:59 2020 -0500
    PR26665 detect rhel8 (4.18) era kernel_is_locked_down() as procfs trigger
    
    A different older kernel API needs to be probed for rhel8 era detection
    of lockdown in effect.  Added an (undocumented) $SYSTEMTAP_NOSIGN env
    var to override automatic --use-server on lockdown, so that one can
    inspect runtime/autoconf* operation locally, without stap-server.
diff --git a/buildrun.cxx b/buildrun.cxx
665f76
index 9b4066d..9c8e648 100644
665f76
--- a/buildrun.cxx
665f76
+++ b/buildrun.cxx
665f76
@@ -517,6 +517,7 @@ compile_pass (systemtap_session& s)
665f76
   output_autoconf(s, o, cs, "autoconf-atomic_fetch_add_unless.c",
665f76
 		  "STAPCONF_ATOMIC_FETCH_ADD_UNLESS", NULL);
665f76
   output_autoconf(s, o, cs, "autoconf-lockdown-debugfs.c", "STAPCONF_LOCKDOWN_DEBUGFS", NULL);
665f76
+  output_autoconf(s, o, cs, "autoconf-lockdown-kernel.c", "STAPCONF_LOCKDOWN_KERNEL", NULL);
665f76
   
665f76
   // used by runtime/linux/netfilter.c
665f76
   output_exportconf(s, o2, "nf_register_hook", "STAPCONF_NF_REGISTER_HOOK");
665f76
diff --git a/runtime/linux/autoconf-lockdown-kernel.c b/runtime/linux/autoconf-lockdown-kernel.c
665f76
new file mode 100644
665f76
index 0000000..90c2414
665f76
--- /dev/null
665f76
+++ b/runtime/linux/autoconf-lockdown-kernel.c
665f76
@@ -0,0 +1,5 @@
665f76
+#include <linux/kernel.h>
665f76
+
665f76
+int foo(void) {
665f76
+  return kernel_is_locked_down("something");
665f76
+}
665f76
diff --git a/runtime/transport/transport.c b/runtime/transport/transport.c
665f76
index bb4a98b..5795533 100644
665f76
--- a/runtime/transport/transport.c
665f76
+++ b/runtime/transport/transport.c
665f76
@@ -123,6 +123,12 @@ static int _stp_transport_fs_init(const char *module_name)
665f76
 		dbug_trans(1, "choosing procfs_p=1\n");
665f76
         }
665f76
 #endif
665f76
+#ifdef STAPCONF_LOCKDOWN_KERNEL
665f76
+        if (!debugfs_p && kernel_is_locked_down ("debugfs")) {
665f76
+                procfs_p = 1;
665f76
+		dbug_trans(1, "choosing procfs_p=1\n");
665f76
+        }
665f76
+#endif
665f76
         if (!procfs_p) {
665f76
                 debugfs_p = 1;
665f76
 		dbug_trans(1, "choosing debugfs_p=1\n");
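Review bot: `kernel_is_locked_down("debugfs")` in the new `#ifdef STAPCONF_LOCKDOWN_KERNEL` block passes a non-NULL reason string, and in the 4.18-era lockdown patches that helper, as far as I recall (verify against the RHEL 8 kernel source), emits a `pr_notice("Lockdown: ... is restricted")` line every time it returns true, so each stap module load on a locked-down host would add a kernel-log entry blaming debugfs even though the runtime simply falls back to procfs. If only the boolean is wanted, `kernel_is_locked_down(NULL)` avoids that noise, and the autoconf probe in autoconf-lockdown-kernel.c would still compile since it passes its own literal. The new branch also reuses the exact dbug_trans text of the STAPCONF_LOCKDOWN_DEBUGFS branch above it; `dbug_trans(1, "kernel_is_locked_down: choosing procfs_p=1\n");` would let a trace show which probe fired. _stp_transport_fs_init begins before and ends after this hunk.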
665f76
diff --git a/session.cxx b/session.cxx
665f76
index 0437ca4..36a4053 100644
665f76
--- a/session.cxx
665f76
+++ b/session.cxx
665f76
@@ -2804,7 +2804,9 @@ systemtap_session::modules_must_be_signed()
665f76
 
665f76
   if (getenv("SYSTEMTAP_SIGN"))
665f76
     return true;
665f76
-
665f76
+  if (getenv("SYSTEMTAP_NOSIGN"))
665f76
+    return false;
665f76
+  
665f76
   statm >> status;
665f76
   if (status == 'Y')
665f76
     return true;
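Review bot: The new `SYSTEMTAP_NOSIGN` check is a bare presence test, so `SYSTEMTAP_NOSIGN=0` or an empty value disables the automatic signing decision exactly as `SYSTEMTAP_NOSIGN=1` does; that mirrors the `SYSTEMTAP_SIGN` test just above, but since the commit message itself calls the variable undocumented, the code should at least carry a comment stating the precedence and semantics, e.g. `// Debug override: skip automatic --use-server under lockdown. SYSTEMTAP_SIGN wins if both are set; presence, not value, is what counts.` That comment should also say that this only changes stap's own decision: a locked-down kernel still rejects an unsigned module when staprun loads it, so the override cannot weaken enforcement, it only moves the failure later. modules_must_be_signed begins (including the `statm` stream this hunk reads from) and ends outside the hunk.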