File: livepatch.stp

package info (click to toggle)
systemtap 4.8-2
  • links: PTS, VCS
  • area: main
  • in suites: bookworm
  • size: 39,000 kB
  • sloc: cpp: 78,785; ansic: 62,419; xml: 49,443; exp: 42,735; sh: 11,254; python: 3,062; perl: 2,252; tcl: 1,305; makefile: 1,072; lisp: 105; awk: 101; asm: 91; java: 56; sed: 16
file content (88 lines) | stat: -rw-r--r-- 2,210 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
 
// livepatch tapset macros
// Copyright (C) 2022 Red Hat Inc.
//
// This file is part of systemtap, and is free software.  You can
// redistribute it and/or modify it under the terms of the GNU General
// Public License (GPL); either version 2, or (at your option) any
// later version.
private cve_id
private cve_load_time

global cve_notify_p  = 1
global cve_fix_p     = 1
global cve_trace_p   = 1
global cve_enabled_p = 1
global cve_tmpdisabled_s = -1

probe begin {
  cve_id = module_name()
  cve_load_time = gettimeofday_s()

  if (cve_notify_p)
    printf("%s mitigation loaded\n", cve_id)
}

probe end,error {
  if (cve_notify_p)
    printf("%s mitigation unloaded\n", cve_id)
}

# Parameter reading and updating
@define cve_probe_procfs_parameter (glbl, f_name) %(
  probe procfs(@f_name).read
    { $value = sprintf("%d\n", @glbl) }

  probe procfs(@f_name).write
    { @glbl = strtol($value, 10) }
%)

@cve_probe_procfs_parameter(cve_notify_p  , "cve_notify_p")
@cve_probe_procfs_parameter(cve_trace_p   , "cve_trace_p")
@cve_probe_procfs_parameter(cve_fix_p     , "cve_fix_p")
@cve_probe_procfs_parameter(cve_enabled_p , "cve_enabled_p")

probe procfs("cve_tmpdisabled_s").read
  { $value = sprintf("%d\n", cve_tmpdisabled_s) }
probe procfs("cve_tmpdisabled_s").write
{ cve_tmpdisabled_s = strtol($value, 10)
  if (cve_tmpdisabled_s > 0)
    cve_enabled_p = 0  # trigger temporary disable
}


# The metric accumulation and prometheus
global cve_metrics

function cve_count_metric (key:string) {
  cve_metrics[key] ++
}

function cve_record_metric (key:string, value:long) {
  cve_metrics[key] = value
}

probe prometheus {
  cve_record_metric("runtime", gettimeofday_s() - cve_load_time)
  @prometheus_dump_array1(cve_metrics, cve_id, "metric")
}

# Disabling the patch
probe timer.s(1) {
  if(!cve_enabled_p && cve_tmpdisabled_s >= 0){
    if(cve_tmpdisabled_s > 0){
      cve_tmpdisabled_s--
    }else{
      if (cve_notify_p)
        printf("%s reenabling\n", cve_id)
      cve_enabled_p = 1
      cve_tmpdisabled_s = -1
    }
  }
}

function cve_tmpdisable(duration:long){
  if (cve_notify_p)
    printf("%s disabling temporarily\n", cve_id)
  cve_enabled_p = 0
  cve_tmpdisabled_s = duration
}