commit ea5f10ba55fce68d1ed614ca33afdb38816f0830
Author: Frank Ch. Eigler <fche@redhat.com>
Date: Mon Nov 16 18:54:11 2020 -0500
PR26665: mokutil output parsing tweaks
We encountered secureboot keys in the wild that didn't live up
to the expectations of the current little state machine. Tweaked
regexps to accept Issuer: O= as well as Issuer: CN= lines. With
more verbosity, it also prints the parser's state for each line it consumes.
diff --git a/session.cxx b/session.cxx
index b5a8044..0437ca4 100644
--- a/session.cxx
+++ b/session.cxx
@@ -2859,6 +2859,9 @@ systemtap_session::get_mok_info()
// PR26665: but only Systemtap MOK keys; there may be others.
getline(out, line);
+ if (verbose > 3)
+ clog << "MOK parse state: " << state << " line: " << line << endl;
+
if (state == "SHA1") { // look for a new key fingerprint
if (! regexp_match(line, "^SHA1 Fingerprint: ([0-9a-f:]+)$", matches))
{
@@ -2871,11 +2874,14 @@ systemtap_session::get_mok_info()
}
// else stay in SHA1 state
} else if (state == "Issuer") { // validate issuer
- if (! regexp_match(line, "^[ \t]*Issuer: O=(.*)$", matches)) {
+ if (! regexp_match(line, "^[ \t]*Issuer: [A-Z]*=(.*)$", matches)) {
if (verbose > 2)
clog << "Issuer found: " << matches[1] << endl;
- if (! regexp_match(matches[1], "Systemtap", matches))
+ if (! regexp_match(matches[1], "Systemtap", matches)) {
+ if (verbose > 2)
+ clog << "Recognized Systemtap MOK fingerprint: " << fingerprint << endl;
mok_fingerprints.push_back(fingerprint);
+ }
state = "SHA1"; // start looking for another key
}
} else { // some other line in mokutil output ... there are plenty
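Review bot: The Systemtap test at the new `if (! regexp_match(matches[1], "Systemtap", matches))` is an unanchored substring match over everything after the first `=` of the issuer DN, and with the widened `Issuer: [A-Z]*=(.*)` that captured text is now the whole remaining DN, so any enrolled MOK whose issuer merely contains "Systemtap" in some attribute gets collected into `mok_fingerprints`. What those fingerprints drive is outside this hunk, so I cannot say whether a mis-pick is worse than a confusing server key selection, but matching the attribute rather than the line — e.g. testing `line` against `"(O|CN)=Systemtap"` — would keep the PR26665 relaxation while staying precise; verify against real mokutil output first. `[A-Z]*` also accepts an empty attribute name (`Issuer: =`); `[A-Z]+` is the intended shape. Note that the second `regexp_match` call overwrites `matches`, which is only safe because nothing in this branch reads it afterwards — worth a one-line comment. The enclosing state-machine loop in get_mok_info starts before the hunk.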
commit 532eb9a1502026300a7f0b4bd287499101dd5803
Author: Frank Ch. Eigler <fche@redhat.com>
Date: Tue Nov 17 16:34:59 2020 -0500
PR26665 detect rhel8 (4.18) era kernel_is_locked_down() as procfs trigger
A different older kernel API needs to be probed for rhel8 era detection
of lockdown in effect. Added an (undocumented) $SYSTEMTAP_NOSIGN env
var to override automatic --use-server on lockdown, so that one can
inspect runtime/autoconf* operation locally, without stap-server.
diff --git a/buildrun.cxx b/buildrun.cxx
index 9b4066d..9c8e648 100644
--- a/buildrun.cxx
+++ b/buildrun.cxx
@@ -517,6 +517,7 @@ compile_pass (systemtap_session& s)
output_autoconf(s, o, cs, "autoconf-atomic_fetch_add_unless.c",
"STAPCONF_ATOMIC_FETCH_ADD_UNLESS", NULL);
output_autoconf(s, o, cs, "autoconf-lockdown-debugfs.c", "STAPCONF_LOCKDOWN_DEBUGFS", NULL);
+ output_autoconf(s, o, cs, "autoconf-lockdown-kernel.c", "STAPCONF_LOCKDOWN_KERNEL", NULL);
// used by runtime/linux/netfilter.c
output_exportconf(s, o2, "nf_register_hook", "STAPCONF_NF_REGISTER_HOOK");
diff --git a/runtime/linux/autoconf-lockdown-kernel.c b/runtime/linux/autoconf-lockdown-kernel.c
new file mode 100644
index 0000000..90c2414
--- /dev/null
+++ b/runtime/linux/autoconf-lockdown-kernel.c
@@ -0,0 +1,5 @@
+#include <linux/kernel.h>
+
+int foo(void) {
+ return kernel_is_locked_down("something");
+}
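Review bot: The probe pins a one-argument `kernel_is_locked_down(const char *)` but nothing records which kernel API it targets, and an autoconf miss here is silent: STAPCONF_LOCKDOWN_KERNEL simply stays undefined and lockdown detection quietly falls back to the debugfs path. A header comment would save the next person a bisect: `/* RHEL8 / 4.18-era lockdown API (PR26665): kernel_is_locked_down(const char *what). If this fails to compile, STAPCONF_LOCKDOWN_KERNEL stays undefined and lockdown is not detected via this path. */`. The return type is presumably bool in that series but is not asserted here; the `int foo` wrapper tolerates either, which is fine as long as that is intentional and stated.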
diff --git a/runtime/transport/transport.c b/runtime/transport/transport.c
index bb4a98b..5795533 100644
--- a/runtime/transport/transport.c
+++ b/runtime/transport/transport.c
@@ -123,6 +123,12 @@ static int _stp_transport_fs_init(const char *module_name)
dbug_trans(1, "choosing procfs_p=1\n");
}
#endif
+#ifdef STAPCONF_LOCKDOWN_KERNEL
+ if (!debugfs_p && kernel_is_locked_down ("debugfs")) {
+ procfs_p = 1;
+ dbug_trans(1, "choosing procfs_p=1\n");
+ }
+#endif
if (!procfs_p) {
debugfs_p = 1;
dbug_trans(1, "choosing debugfs_p=1\n");
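Review bot: The new `kernel_is_locked_down ("debugfs")` call is, as far as I recall the 4.18-era lockdown series, not a pure query — it prints a `Lockdown: <what> is restricted` notice to the kernel log whenever it returns true — so every module load under lockdown would now leave a line in dmesg; confirm on the target kernel and, if so, say it next to the call: `/* NB: on 4.18-era kernels this logs a "Lockdown: debugfs is restricted" notice when it returns true. */`. The block also does not check whether the preceding `#ifdef` block (presumably the STAPCONF_LOCKDOWN_DEBUGFS probe, given its identical `choosing procfs_p=1` message) already chose procfs, so that debug line can appear twice; `if (!debugfs_p && !procfs_p && kernel_is_locked_down ("debugfs"))` keeps the two probes mutually exclusive. Whether `debugfs_p` can already be set at this point depends on code before the hunk; _stp_transport_fs_init starts outside it.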
diff --git a/session.cxx b/session.cxx
index 0437ca4..36a4053 100644
--- a/session.cxx
+++ b/session.cxx
@@ -2804,7 +2804,9 @@ systemtap_session::modules_must_be_signed()
if (getenv("SYSTEMTAP_SIGN"))
return true;
-
+ if (getenv("SYSTEMTAP_NOSIGN"))
+ return false;
+
statm >> status;
if (status == 'Y')
return true;
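Review bot: `SYSTEMTAP_NOSIGN` is an undocumented, unconditional override of the lockdown check that `modules_must_be_signed()` exists to perform, and the new `if (getenv("SYSTEMTAP_NOSIGN")) return false;` carries no comment, so a future reader cannot tell whether it is meant as a security boundary. From the visible code it only stops stap from auto-selecting `--use-server`; whether an unsigned module then loads is still the kernel's decision, so this reads as a developer aid rather than a bypass — but that reasoning belongs next to the check: `// SYSTEMTAP_NOSIGN: developer override; skips automatic --use-server on lockdown. The kernel still enforces its module-signature policy.`. Precedence is also worth stating (`SYSTEMTAP_SIGN` wins when both are set), and emitting a verbose-level message when the override is taken would make a later module-load failure explainable. The function begins before the hunk, including where `statm` is opened, so I cannot see whether a failed read of `status` is handled.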