diff --git a/SOURCES/dracut-kdump.sh b/SOURCES/dracut-kdump.sh
index 2497218..c7cf528 100755
--- a/SOURCES/dracut-kdump.sh
+++ b/SOURCES/dracut-kdump.sh
@@ -136,7 +136,7 @@ dump_ssh()
 fi
 _exitcode=$?
 else
- $CORE_COLLECTOR /proc/vmcore | ssh $_opt $_host "dd bs=512 of=$_dir/vmcore-incomplete"
+ $CORE_COLLECTOR /proc/vmcore | ssh $_opt $_host "umask 0077 && dd bs=512 of=$_dir/vmcore-incomplete"
 _exitcode=$?
 _vmcore="vmcore.flat"
 fi
@@ -218,7 +218,7 @@ save_vmcore_dmesg_ssh() {
 local _location=$4
 dinfo "saving vmcore-dmesg.txt to $_location:$_path"
- $_dmesg_collector /proc/vmcore | ssh $_opts $_location "dd of=$_path/vmcore-dmesg-incomplete.txt"
+ $_dmesg_collector /proc/vmcore | ssh $_opts $_location "umask 0077 && dd of=$_path/vmcore-dmesg-incomplete.txt"
 _exitcode=$?
 if [ $_exitcode -eq 0 ]; then
diff --git a/SOURCES/dracut-module-setup.sh b/SOURCES/dracut-module-setup.sh
index 917afed..22740db 100755
--- a/SOURCES/dracut-module-setup.sh
+++ b/SOURCES/dracut-module-setup.sh
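Review bot: The `umask 0077` only governs the mode of `$_dir/vmcore-incomplete` when dd creates it; if a file of that name is already present on the target (e.g. left by an earlier interrupted dump made under the old default umask), dd truncates it and the existing, wider mode survives, so the dump can still end up readable by other users. Adding an explicit mode change to the same remote command, `"umask 0077 && dd bs=512 of=$_dir/vmcore-incomplete && chmod 600 $_dir/vmcore-incomplete"`, covers both the fresh and the pre-existing file, and the same applies to the `vmcore-dmesg-incomplete.txt` line in the save_vmcore_dmesg_ssh hunk below. Whatever renames `vmcore-incomplete` afterwards is outside the hunk, and dump_ssh's body continues beyond it.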
@@ -119,12 +119,122 @@ kdump_setup_dns() {
 done < "/etc/resolv.conf"
 }
+# $1: repeat times
+# $2: string to be repeated
+# $3: separator
+repeatedly_join_str() {
+ local _count="$1"
+ local _str="$2"
+ local _separator="$3"
+ local i _res
+
+ if [[ "$_count" -le 0 ]]; then
+ echo -n ""
+ return
+ fi
+
+ i=0
+ _res="$_str"
+ ((_count--))
+
+ while [[ "$i" -lt "$_count" ]]; do
+ ((i++))
+ _res="${_res}${_separator}${_str}"
+ done
+ echo -n "$_res"
+}
+
+# $1: prefix
+# $2: ipv6_flag="-6" indicates it's IPv6
+# Given a prefix, calculate the netmask (equivalent of "ipcalc -m")
+# by concatenating three parts,
+# 1) the groups with all bits set 1
+# 2) a group with partial bits set to 0
+# 3) the groups with all bits set to 0
+cal_netmask_by_prefix() {
+ local _prefix="$1"
+ local _ipv6_flag="$2" _ipv6
+ local _bits_per_octet=8
+ local _count _res _octets_per_group _octets_total _seperator _total_groups
+ local _max_group_value _max_group_value_repr _bits_per_group _tmp _zero_bits
+
+ if [[ "$_ipv6_flag" == "-6" ]]; then
+ _ipv6=1
+ else
+ _ipv6=0
+ fi
+
+ if [[ "$_prefix" -lt 0 || "$_prefix" -gt 128 ]] || \
+ ( ((!_ipv6)) && [[ "$_prefix" -gt 32 ]] ); then
+ derror "Bad prefix:$_prefix for calculating netmask"
+ exit 1
+ fi
+
+ if ((_ipv6)); then
+ _octets_per_group=2
+ _octets_total=16
+ _seperator=":"
+ else
+ _octets_per_group=1
+ _octets_total=4
+ _seperator="."
+ fi
+
+ _total_groups=$((_octets_total/_octets_per_group))
+ _bits_per_group=$((_octets_per_group * _bits_per_octet))
+ _max_group_value=$(((1 << _bits_per_group) - 1))
+
+ if ((_ipv6)); then
+ _max_group_value_repr=$(printf "%x" $_max_group_value)
+ else
+ _max_group_value_repr="$_max_group_value"
+ fi
+
+ _count=$((_prefix/_octets_per_group/_bits_per_octet))
+ _first_part=$(repeatedly_join_str "$_count" "$_max_group_value_repr" "$_seperator")
+ _res="$_first_part"
+
+ _tmp=$((_octets_total*_bits_per_octet-_prefix))
+ _zero_bits=$(expr $_tmp % $_bits_per_group)
+ if [[ "$_zero_bits" -ne 0 ]]; then
+ _second_part=$((_max_group_value >> _zero_bits << _zero_bits))
+ if ((_ipv6)); then
+ _second_part=$(printf "%x" $_second_part)
+ fi
+ ((_count++))
+ if [[ -z "$_first_part" ]]; then
+ _res="$_second_part"
+ else
+ _res="${_first_part}${_seperator}${_second_part}"
+ fi
+ fi
+
+ _count=$((_total_groups-_count))
+ if [[ "$_count" -eq 0 ]]; then
+ echo -n "$_res"
+ return
+ fi
+
+ if ((_ipv6)) && [[ "$_count" -gt 1 ]] ; then
+ # use condensed notion for IPv6
+ _third_part=":"
+ else
+ _third_part=$(repeatedly_join_str "$_count" "0" "$_seperator")
+ fi
+
+ if [[ -z "$_res" ]] && ((!_ipv6)) ; then
+ echo -n "${_third_part}"
+ else
+ echo -n "${_res}${_seperator}${_third_part}"
+ fi
+}
+
 #$1: netdev name
 #$2: srcaddr
 #if it use static ip echo it, or echo null
 kdump_static_ip() {
 local _netdev="$1" _srcaddr="$2" _ipv6_flag
- local _netmask _gateway _ipaddr _target _nexthop
+ local _netmask _gateway _ipaddr _target _nexthop _prefix
 _ipaddr=$(ip addr show dev $_netdev permanent | awk "/ $_srcaddr\/.* /{print \$2}")
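Review bot: `_first_part`, `_second_part` and `_third_part` in cal_netmask_by_prefix are assigned without being declared, so unlike every other variable in the function they escape into the caller's scope as globals; extend the existing declaration to `local _count _res _octets_per_group _octets_total _seperator _total_groups _first_part _second_part _third_part`. In the same function `_zero_bits=$(expr $_tmp % $_bits_per_group)` forks an external `expr` where the surrounding lines use shell arithmetic; `_zero_bits=$((_tmp % _bits_per_group))` is equivalent and consistent. The `exit 1` in the bad-prefix branch terminates only the command-substitution subshell when the function is invoked as `$(cal_netmask_by_prefix ...)`, which is presumably relied upon by a caller that tests `$?`; a comment saying so next to the `exit` would spare the next reader the detour. kdump_static_ip, whose `local` line this hunk also touches, continues outside the hunk.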
@@ -142,7 +252,12 @@ kdump_static_ip() {
 _srcaddr="[$_srcaddr]"
 _gateway="[$_gateway]"
 else
- _netmask=$(ipcalc -m $_ipaddr | cut -d'=' -f2)
+ _prefix=$(cut -d'/' -f2 <<< "$_ipaddr")
+ _netmask=$(cal_netmask_by_prefix "$_prefix" "$_ipv6_flag")
+ if [[ "$?" -ne 0 ]]; then
+ derror "Failed to calculate netmask for $_ipaddr"
+ exit 1
+ fi
 fi
 echo -n "${_srcaddr}::${_gateway}:${_netmask}::"
 fi
@@ -829,6 +944,7 @@ install() {
 inst "/sbin/vmcore-dmesg" "/sbin/vmcore-dmesg"
 inst "/usr/bin/printf" "/sbin/printf"
 inst "/usr/bin/logger" "/sbin/logger"
+ inst "/usr/bin/chmod" "/sbin/chmod"
 inst "/lib/kdump/kdump-lib.sh" "/lib/kdump-lib.sh"
 inst "/lib/kdump/kdump-lib-initramfs.sh" "/lib/kdump-lib-initramfs.sh"
 inst "/lib/kdump/kdump-logger.sh" "/lib/kdump-logger.sh"
diff --git a/SOURCES/kdump-lib-initramfs.sh b/SOURCES/kdump-lib-initramfs.sh
index a43c7dd..e030fe6 100755
--- a/SOURCES/kdump-lib-initramfs.sh
+++ b/SOURCES/kdump-lib-initramfs.sh
@@ -111,6 +111,7 @@ save_log()
 if command -v journalctl > /dev/null; then
 journalctl -ab >> $KDUMP_LOG_FILE
 fi
+ chmod 600 $KDUMP_LOG_FILE
 }
 # dump_fs
@@ -171,6 +172,7 @@ save_vmcore_dmesg_fs() {
 _exitcode=$?
 if [ $_exitcode -eq 0 ]; then
 mv ${_path}/vmcore-dmesg-incomplete.txt ${_path}/vmcore-dmesg.txt
+ chmod 600 ${_path}/vmcore-dmesg.txt
 # Make sure file is on disk. There have been instances where later
 # saving vmcore failed and system rebooted without sync and there
diff --git a/SOURCES/kdump-lib.sh b/SOURCES/kdump-lib.sh
index 1c15a3d..8ae8617 100755
--- a/SOURCES/kdump-lib.sh
+++ b/SOURCES/kdump-lib.sh
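Review bot: `_prefix=$(cut -d'/' -f2 <<< "$_ipaddr")` returns the whole address when `$_ipaddr` carries no `/`, and a non-numeric `_prefix` then reaches the `-lt`/`-gt` tests in cal_netmask_by_prefix as an arithmetic expression rather than the intended range check, which likely surfaces as bash arithmetic errors instead of the `Bad prefix` diagnostic — worth confirming. A guard before the call keeps the failure explicit, e.g. `[[ "$_prefix" =~ ^[0-9]+$ ]] || { derror "No prefix length in $_ipaddr"; exit 1; }`; `_prefix=${_ipaddr#*/}` would also extract the prefix without forking cut, at the cost of the same empty-prefix caveat. kdump_static_ip starts and ends outside the hunk.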
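Review bot: The `chmod 600` in save_vmcore_dmesg_fs runs only after the successful `mv`, while `${_path}/vmcore-dmesg-incomplete.txt` is written before the hunk, presumably under the default umask; the dmesg content therefore exists with wider permissions until the rename succeeds and keeps them when `_exitcode` is non-zero. Setting `umask 0077` before the collector runs — as the ssh path in dracut-kdump.sh now does — protects the file from creation onward; the same observation applies to `$KDUMP_LOG_FILE` in the save_log hunk, where journalctl output is appended before the mode is tightened. The two new lines also leave their paths unquoted (`chmod 600 "$KDUMP_LOG_FILE"`, `chmod 600 "${_path}/vmcore-dmesg.txt"`), matching the file's existing style but worth fixing while touching them. save_vmcore_dmesg_fs continues outside the hunk.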
@@ -617,16 +617,11 @@ is_secure_boot_enforced()
 local secure_boot_file setup_mode_file
 local secure_boot_byte setup_mode_byte
- # On powerpc, secure boot is enforced if:
- # host secure boot: /ibm,secure-boot/os-secureboot-enforcing DT property exists
- # guest secure boot: /ibm,secure-boot >= 2
+ # On powerpc, os-secureboot-enforcing DT property indicates whether secureboot
+ # is enforced. Return success, if it is found.
 if [ -f /proc/device-tree/ibm,secureboot/os-secureboot-enforcing ]; then
 return 0
 fi
- if [ -f /proc/device-tree/ibm,secure-boot ] && \
- [ $(lsprop /proc/device-tree/ibm,secure-boot | tail -1) -ge 2 ]; then
- return 0
- fi
 # Detect secure boot on x86 and arm64
 secure_boot_file=$(find /sys/firmware/efi/efivars -name SecureBoot-* 2>/dev/null)
diff --git a/SOURCES/kdumpctl b/SOURCES/kdumpctl
index 099d5fc..c3ada0d 100755
--- a/SOURCES/kdumpctl
+++ b/SOURCES/kdumpctl
@@ -237,12 +237,7 @@ restore_default_initrd()
 check_config()
 {
 local -A _opt_rec
- while read config_opt config_val; do
- if [ -z "$config_val" ]; then
- derror "Invalid kdump config value for option $config_opt"
- return 1
- fi
-
+ while read -r config_opt config_val; do
 case "$config_opt" in
 dracut_args)
 if [[ $config_val == *--mount* ]]; then
@@ -269,12 +264,20 @@ check_config()
 derror "Deprecated kdump config option: $config_opt. Refer to kdump.conf manpage for alternatives."
 return 1
 ;;
+ '')
+ continue
+ ;;
 *)
 derror "Invalid kdump config option $config_opt"
 return 1
 ;;
 esac
+ if [[ -z "$config_val" ]]; then
+ derror "Invalid kdump config value for option '$config_opt'"
+ return 1
+ fi
+
 if [ -n "${_opt_rec[$config_opt]}" ]; then
 if [ $config_opt == _target ]; then
 derror "More than one dump targets specified"
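Review bot: Dropping the `/ibm,secure-boot >= 2` branch changes the outcome on ppc64le guests that expose that property but not `os-secureboot-enforcing`: is_secure_boot_enforced now presumably falls through to the EFI-variable check and returns non-zero there, so load_kdump stops adding `-s` and loads the kdump kernel through the unverified kexec_load path on those systems. That is effectively a reversal of the 2.0.20-46 changelog entry ("enable secure boot on ppc64le LPARs"), yet the new changelog entry in kexec-tools.spec lists only the four other fixes; a line such as `- kdumpctl: drop guest secure boot detection on ppc64le LPARs` and a sentence in the rewritten comment stating why only the host property is consulted would make the decision auditable later. The rest of is_secure_boot_enforced lies outside the hunk.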
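Review bot: The new `'')` arm in check_config silently skips lines whose first field is empty, which is what the `read -r` loop needs for an empty kdump.conf, but its position between the deprecated-option and default arms and its bare `continue` give no hint why it exists; a one-line comment, `# blank line (e.g. empty kdump.conf): nothing to validate`, would document it. The empty-value check moved below `esac` uses `[[ -z "$config_val" ]]` while the adjacent `[ -n "${_opt_rec[$config_opt]}" ]` keeps the file's `[ ]` form; either is fine, but mixing them in one function reads as two authors. With the value check now after the `case`, an arm that inspects `$config_val` (here `dracut_args`) evaluates it against an empty string before the error is reported — harmless, since the `*--mount*` match simply fails, but worth knowing when adding further arms. check_config starts before and continues after these two hunks.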
@@ -643,35 +646,6 @@ check_rebuild()
 return $?
 }
-# On ppc64le LPARs, the keys trusted by firmware do not end up in
-# .builtin_trusted_keys. So instead, add the key to the .ima keyring
-function load_kdump_kernel_key()
-{
- # this is only called inside is_secure_boot_enforced,
- # no need to retest
-
- # this is only required if DT /ibm,secure-boot is a file.
- # if it is a dir, we are on OpenPower and don't need this.
- if ! [ -f /proc/device-tree/ibm,secure-boot ]; then
- return
- fi
-
- KDUMP_KEY_ID=$(cat /usr/share/doc/kernel-keys/$KDUMP_KERNELVER/kernel-signing-ppc.cer |
- keyctl padd asymmetric kernelkey-$RANDOM %:.ima)
-}
-
-# remove a previously loaded key. There's no real security implication
-# to leaving it around, we choose to do this because it makes it easier
-# to be idempotent and so as to reduce the potential for confusion.
-function remove_kdump_kernel_key()
-{
- if [ -z "$KDUMP_KEY_ID" ]; then
- return
- fi
-
- keyctl unlink $KDUMP_KEY_ID %:.ima
-}
-
 # Load the kdump kernel specified in /etc/sysconfig/kdump
 # If none is specified, try to load a kdump kernel with the same version
 # as the currently running kernel.
@@ -688,7 +662,6 @@ load_kdump()
 if is_secure_boot_enforced; then
 dinfo "Secure Boot is enabled. Using kexec file based syscall."
 KEXEC_ARGS="$KEXEC_ARGS -s"
- load_kdump_kernel_key
 fi
 ddebug "$KEXEC $KEXEC_ARGS $standard_kexec_args --command-line=$KDUMP_COMMANDLINE --initrd=$TARGET_INITRD $KDUMP_KERNEL"
@@ -710,8 +683,6 @@ load_kdump()
 set +x
 exec 2>&12 12>&-
- remove_kdump_kernel_key
-
 if [ $ret == 0 ]; then
 dinfo "kexec: loaded kdump kernel"
 return 0
diff --git a/SPECS/kexec-tools.spec b/SPECS/kexec-tools.spec
index a01500e..47df50f 100644
--- a/SPECS/kexec-tools.spec
+++ b/SPECS/kexec-tools.spec
@@ -1,6 +1,6 @@
 Name: kexec-tools
 Version: 2.0.20
-Release: 46%{?dist}
+Release: 47%{?dist}
 License: GPLv2
 Group: Applications/System
 Summary: The kexec/kdump userspace component
@@ -378,8 +378,11 @@ done
 %endif
 %changelog
-* Thu Feb 25 2021 Pingfan Liu - 2.0.20-46
-- kdumpctl: enable secure boot on ppc64le LPARs
+* Mon May 10 2021 Pingfan Liu - 2.0.20-47
+- Implement IP netmask calculation to replace "ipcalc -m"
+- kdumpctl: fix check_config error when kdump.conf is empty
+- Fix incorrect vmcore permissions when dumped through ssh
+- Fix incorrect permissions on kdump dmesg file
 * Mon Jan 25 2021 Pingfan Liu - 2.0.20-45
 - origin/rhel-8.4.0) Revert "Revert "Append both nofail and x-systemd.before to kdump mount target""