1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
|
// livepatch tapset macros
// Copyright (C) 2022 Red Hat Inc.
//
// This file is part of systemtap, and is free software. You can
// redistribute it and/or modify it under the terms of the GNU General
// Public License (GPL); either version 2, or (at your option) any
// later version.
private cve_id
private cve_load_time
global cve_notify_p = 1
global cve_fix_p = 1
global cve_trace_p = 1
global cve_enabled_p = 1
global cve_tmpdisabled_s = -1
probe begin {
cve_id = module_name()
cve_load_time = gettimeofday_s()
if (cve_notify_p)
printf("%s mitigation loaded\n", cve_id)
}
probe end,error {
if (cve_notify_p)
printf("%s mitigation unloaded\n", cve_id)
}
# Parameter reading and updating
@define cve_probe_procfs_parameter (glbl, f_name) %(
probe procfs(@f_name).read
{ $value = sprintf("%d\n", @glbl) }
probe procfs(@f_name).write
{ @glbl = strtol($value, 10) }
%)
@cve_probe_procfs_parameter(cve_notify_p , "cve_notify_p")
@cve_probe_procfs_parameter(cve_trace_p , "cve_trace_p")
@cve_probe_procfs_parameter(cve_fix_p , "cve_fix_p")
@cve_probe_procfs_parameter(cve_enabled_p , "cve_enabled_p")
probe procfs("cve_tmpdisabled_s").read
{ $value = sprintf("%d\n", cve_tmpdisabled_s) }
probe procfs("cve_tmpdisabled_s").write
{ cve_tmpdisabled_s = strtol($value, 10)
if (cve_tmpdisabled_s > 0)
cve_enabled_p = 0 # trigger temporary disable
}
# The metric accumulation and prometheus
global cve_metrics
/**
* sfunction cve_count_metric - Increment the count of key
*
* @key: The metric
*
* Description: This function increments the count of the metric
* key by 1. The metrics can be accessed in
* /proc/systemtap/MODULE_NAME/__prometheus
*/
function cve_count_metric (key:string) {
cve_metrics[key] ++
}
/**
* sfunction cve_record_metric - Set the value of key
*
* @key: The metric
* @value: The new value
*
* Description: This function sets the value of the metric
* key. The metrics can be accessed in
* /proc/systemtap/MODULE_NAME/__prometheus
*/
function cve_record_metric (key:string, value:long) {
cve_metrics[key] = value
}
probe prometheus {
cve_record_metric("runtime", gettimeofday_s() - cve_load_time)
@prometheus_dump_array1(cve_metrics, cve_id, "metric")
}
# Disabling the patch
probe timer.s(1) {
if(!cve_enabled_p && cve_tmpdisabled_s >= 0){
if(cve_tmpdisabled_s > 0){
cve_tmpdisabled_s--
}else{
if (cve_notify_p)
printf("%s reenabling\n", cve_id)
cve_enabled_p = 1
cve_tmpdisabled_s = -1
}
}
}
/**
* sfunction cve_tmpdisable - Disable the cve livepatch
*
* @duration: The number of seconds to disable
*
* Description: This function temporarily disables the
* conditionals which use cve_enabled_p for duration seconds.
* If duration is -1, disable the livepatch until reenabled.
*/
function cve_tmpdisable(duration:long){
if (cve_notify_p)
printf("%s disabling temporarily\n", cve_id)
cve_enabled_p = 0
cve_tmpdisabled_s = duration
}
|
