commit ea5f10ba55fce68d1ed614ca33afdb38816f0830
Author: Frank Ch. Eigler
Date: Mon Nov 16 18:54:11 2020 -0500
PR26665: mokutil output parsing tweaks
We encountered secureboot keys in the wild that didn't live up to the expectations of the current little state machine. Tweaked regexps to accept Issuer: O= as well as Issuer: CN= lines. With more verbosity, produces output on parsing process.
diff --git a/session.cxx b/session.cxx
index b5a8044..0437ca4 100644
--- a/session.cxx
+++ b/session.cxx
@@ -2859,6 +2859,9 @@ systemtap_session::get_mok_info()
 // PR26665: but only Systemtap MOK keys; there may be others.
 getline(out, line);
+ if (verbose > 3)
+ clog << "MOK parse state: " << state << " line: " << line << endl;
+
 if (state == "SHA1") { // look for a new key fingerprint
 if (! regexp_match(line, "^SHA1 Fingerprint: ([0-9a-f:]+)$", matches)) {
@@ -2871,11 +2874,14 @@ systemtap_session::get_mok_info()
 }
 // else stay in SHA1 state
 } else if (state == "Issuer") { // validate issuer
- if (! regexp_match(line, "^[ \t]*Issuer: O=(.*)$", matches)) {
+ if (! regexp_match(line, "^[ \t]*Issuer: [A-Z]*=(.*)$", matches)) {
 if (verbose > 2)
 clog << "Issuer found: " << matches[1] << endl;
- if (! regexp_match(matches[1], "Systemtap", matches))
+ if (! regexp_match(matches[1], "Systemtap", matches)) {
+ if (verbose > 2)
+ clog << "Recognized Systemtap MOK fingerprint: " << fingerprint << endl;
 mok_fingerprints.push_back(fingerprint);
+ }
 state = "SHA1"; // start looking for another key
 }
 } else { // some other line in mokutil output ... there are plenty
commit 532eb9a1502026300a7f0b4bd287499101dd5803
Author: Frank Ch. Eigler
Date: Tue Nov 17 16:34:59 2020 -0500
PR26665 detect rhel8 (4.18) era kernel_is_locked_down() as procfs trigger
A different older kernel API needs to be probed for rhel8 era detection of lockdown in effect. Added an (undocumented) $SYSTEMTAP_NOSIGN env var to override automatic --use-server on lockdown, so that one can inspect runtime/autoconf* operation locally, without stap-server.
diff --git a/buildrun.cxx b/buildrun.cxx
index 9b4066d..9c8e648 100644
--- a/buildrun.cxx
+++ b/buildrun.cxx
@@ -517,6 +517,7 @@ compile_pass (systemtap_session& s)
 output_autoconf(s, o, cs, "autoconf-atomic_fetch_add_unless.c", "STAPCONF_ATOMIC_FETCH_ADD_UNLESS", NULL);
 output_autoconf(s, o, cs, "autoconf-lockdown-debugfs.c", "STAPCONF_LOCKDOWN_DEBUGFS", NULL);
+ output_autoconf(s, o, cs, "autoconf-lockdown-kernel.c", "STAPCONF_LOCKDOWN_KERNEL", NULL);
 // used by runtime/linux/netfilter.c
 output_exportconf(s, o2, "nf_register_hook", "STAPCONF_NF_REGISTER_HOOK");
diff --git a/runtime/linux/autoconf-lockdown-kernel.c b/runtime/linux/autoconf-lockdown-kernel.c
new file mode 100644
index 0000000..90c2414
--- /dev/null
+++ b/runtime/linux/autoconf-lockdown-kernel.c
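Review bot: The widened issuer pattern `[A-Z]*=` in the Issuer-state branch accepts an empty attribute type (`Issuer: =...`) and still rejects OpenSSL's mixed-case RDN short names such as `emailAddress=`; `if (! regexp_match(line, "^[ \t]*Issuer: [A-Za-z]+=(.*)$", matches)) {` would cover both without loosening anything else. Coverage matters here because the Issuer branch has no else: a line that fails the regexp leaves state unchanged, so a key whose issuer line is rejected keeps the parser in the Issuer state and the following key's `SHA1 Fingerprint:` line would be consumed without being recognised. The decision to push a fingerprint onto mok_fingerprints rests solely on a substring match of `Systemtap` anywhere in the captured issuer; that is pre-existing, but a one-line comment stating that this is the only criterion for treating an enrolled MOK key as stap's own would help the next reader. get_mok_info's body begins and ends outside the hunk.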
@@ -0,0 +1,5 @@
+#include 
+
+int foo(void) {
+ return kernel_is_locked_down("something");
+}
diff --git a/runtime/transport/transport.c b/runtime/transport/transport.c
index bb4a98b..5795533 100644
--- a/runtime/transport/transport.c
+++ b/runtime/transport/transport.c
@@ -123,6 +123,12 @@ static int _stp_transport_fs_init(const char *module_name)
 dbug_trans(1, "choosing procfs_p=1\n");
 }
 #endif
+#ifdef STAPCONF_LOCKDOWN_KERNEL
+ if (!debugfs_p && kernel_is_locked_down ("debugfs")) {
+ procfs_p = 1;
+ dbug_trans(1, "choosing procfs_p=1\n");
+ }
+#endif
 if (!procfs_p) {
 debugfs_p = 1;
 dbug_trans(1, "choosing debugfs_p=1\n");
diff --git a/session.cxx b/session.cxx
index 0437ca4..36a4053 100644
--- a/session.cxx
+++ b/session.cxx
@@ -2804,7 +2804,9 @@ systemtap_session::modules_must_be_signed()
 if (getenv("SYSTEMTAP_SIGN"))
 return true;
-
+ if (getenv("SYSTEMTAP_NOSIGN"))
+ return false;
+
 statm >> status;
 if (status == 'Y')
 return true;
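Review bot: The new probe file carries no comment saying which kernel API it is testing for, so a reader finding a second lockdown probe next to the debugfs one has to go back to the commit message; a one-line header such as `/* PR26665: does this kernel provide the rhel8 (4.18) era kernel_is_locked_down(const char *) used by runtime/transport/transport.c? */` would make the purpose self-contained. The header name on the `#include` line did not survive this rendering, so I cannot confirm it names the header that declares kernel_is_locked_down; please check it against the build output.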
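Review bot: The new block's trace message `"choosing procfs_p=1\n"` is byte-identical to the one in the block ending just above it (presumably the STAPCONF_LOCKDOWN_DEBUGFS probe), so a dbug_trans(1) trace cannot show which lockdown check forced procfs; naming the trigger, e.g. `dbug_trans(1, "choosing procfs_p=1 (kernel_is_locked_down)\n");`, keeps the two paths distinguishable when debugging transport setup. On the rhel8-era API the string argument to kernel_is_locked_down() appears to serve only as a description for the kernel's own log line, so this probe presumably leaves a lockdown notice in the kernel log when a module initialises even though the module never touches debugfs; if that is the case a short comment would stop operators reading dmesg from mistaking it for a denied access. _stp_transport_fs_init begins before and ends after the hunk.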
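Review bot: The new `SYSTEMTAP_NOSIGN` early return has no comment, and the commit message is the only place recording that it is an undocumented debugging aid; a line such as `// SYSTEMTAP_NOSIGN (PR26665): debugging aid -- skip the automatic --use-server fallback; the kernel's own module-signature/lockdown enforcement is unaffected` would keep that intent with the code and make clear the variable only changes stap's client-side decision. The check sits after the `SYSTEMTAP_SIGN` test, so SIGN wins when both are set; that precedence belongs in the same comment. modules_must_be_signed begins before and ends after the hunk, so how the caller consumes the false result is not visible here.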