a RiJ@sddlZddlZddlZddlZddlZddlmZmZmZm Z m Z m Z m Z m Z mZmZmZmZmZmZddlmZmZmZdZdZdZdZd Zd d d d Z gd Z!d dZ"gd e"dZ#ddZ$ddZ%Gddde&Z'ddZ(dHddZ)ddZ*ddZ+ddZ,dId!d"Z-d#d$Z.e%d%d&Z/e%d'd(Z0e%d)d*Z1d+d,Z2d-d.Z3d/d0Z4d1d2Z5d3d4Z6d5d6Z7e%e(ej8d7d8Z9ej8e:d9ej;e%e(e jd>d?Z?d@dAZ@dJdBdCZAdDdEZBdFdGZCdS)KN)auth capabilitiesconfigconfig_handlers constantserrorsfetch log_utilsplatform_utils process_utilsselinux server_info update_utilsutils) HTTPErrorjson_loads_nstrurlquotez!/usr/libexec/kcare/libcare-client)z/run/libcare/libcare.sockz/var/run/libcare.sockz /var/cache/kcare/libcare_patchesz /var/cache/kcare/libcare_cvelistz&/etc/sysconfig/kcare/libcare.logrotatedb)ZmysqldZmariadbdZpostgres)libcZlibsslZnscdZlibmcCsrz tdd\}}|}Wnty:ttYS0|drNttSd|vrh|drhttStdgS)aReturn libs list, excluding libnss_dns on distros with cross-library patches (libnss_dns + libresolv) already deployed: - EL7 (all distros): glibc-rh1296031.patch (CVE-2015-7547) - Ubuntu 16.04: revert-CVE-2015-5180.diff See LIBCARE-2943 for details. N7Zubuntuz16.Z libnss_dns)r get_distrolower Exceptionlist _LIBS_BASE startswith)nameversionr -/usr/libexec/kcare/python/kcarectl/libcare.py_get_userspace_lib_list-s   r")rlibscGstjjtjd|g|RS)N userspace)ospathjoinr PATCH_CACHE)libnamepartsr r r!get_userspace_cache_pathFsr+csfdd}|S)Ncsz|i|Wz tdWStyT}z tjd|ddWYd}~Sd}~00Sz tdWqty}z tjd|ddWYd}~qd}~00nHz tdWn8ty}z tjd|ddWYd}~n d}~000dS)N clearcachez$Libcare cache clearing failed: '{0}'F print_msg)libcare_clientrr logerrorformat)argskwargserrclblr r!wrapperKs * , z$clear_libcare_cache..wrapperr r6r7r r5r!clear_libcare_cacheJs r9cs0eZdZdfdd Zd ddZddZZS) UserspacePatchLevelNcst||||SN)super__new__)clsr)buildidlevelbaseurl __class__r r!r=YszUserspacePatchLevel.__new__cCs||_||_||_||_dSr;)r@r)r?rA)selfr)r?r@rAr r r!__init__\szUserspacePatchLevel.__init__cGst|j|jt|g|RSr;)r+r)r?str)rDr*r r r! cache_pathbszUserspacePatchLevel.cache_path)N)N)__name__ __module__ __qualname__r=rErG __classcell__r r rBr!r:Xs r:csddfdd}|S)Nc Ssd\}}z|durt}i}g}t|D],}|dd||d<||dgq(tj|dd}d d d |D}d t|}Wtj t |d d tj t |d d n"tj t |d d tj t |d d 0dS)z(KPT-1543 Save info about applied patches)rLNlatest-versionrLpackagepatchescve) cve_field cSsg|]}d|qS) r').0recr r r! szLrefresh_applied_patches_list..save_current_state..T) ensure_dir) _libcare_info_get_patches_infogetextendrextract_unique_cvesr'itemssorted atomic_writeLIBCARE_PATCHESLIBCARE_CVE_LIST)infoZversionsZcvesZpackagesZ all_patchesrVZcves_setr r r!save_current_stategs  z8refresh_applied_patches_list..save_current_statecs0d}z|i|}|W|S|0dSr;r )r2r3rdr6rer r!r7ysz-refresh_applied_patches_list..wrapperr r8r rfr!refresh_applied_patches_listfsrgc CsDtjpd}t|}t|}tt|d|||d}|dt d|7}t|d}zt t j |dd}Wn*tjytjt||d d Yn0t|jtt|}|d g}t|std |t|||d |d} t|d } t||| d} tj !| r2tj "| dkrt|d}zt j#|| tj$t %| dWn>t&y} z$| j'dvrt(dWYd} ~ n d} ~ 00t||| } dd| d| dg}t)j*|d d d\}}}|rtj+d|||ddt||d}tj ,|s tj -|r t|t.| |dt/|d|dS)Nmainuz latest.v1z?info=updater#F) check_licenseT) ignore_errorsrzkLatest LibCare patchset for {0} is incompatible with the current kernecare package version, please upgrade.r@rAz patch.tar.gzrZ patch_url)check_signature hash_checker)iizKC+ licence is requiredtarZxfz-Cz--no-same-owner catch_stdout catch_stderrz(Patches unpacking error: '{0}' '{1}' {2}zpatches unpacking errorstatuslatestz.tmp)0rPREFIXrstriprget_patch_server_url LIBNAME_MAPr\rZencoded_server_lib_infor wrap_with_cache_keyr urlopen_authrNotFoundshutilrmtreer+rset_feature_flags_from_headersheadersrnstrreadrhas_lc_capabilitiesCapabilitiesMismatchr1r:rFr%r&existsgetsize fetch_url USE_SIGNATUREget_hash_checkerrcodeNoLibcareLicenseExceptionr run_command KcareErrorislinkisdirsymlinkrename)r)build_id patch_levelprefixurl cache_dstresponsemetarequired_capabilitiesr@plevelZ patch_pathexdstcmdrstdoutstderrZ link_namer r r!fetch_userspace_patchsV             rcCsL| t_|sttj|rdndd|r0ttjd|r@dnddS)NFALSEYES)LIBCARE_DISABLEDzlibcare service is enableddisabled) rrlibcare_server_stopr update_configlibcare_server_startr kcarelogrd)rr r r!set_libcare_statussrcCs:ztddddg}Wnty*YdS0t|dS)Nservicez /usr/sbin/z/sbin/libcarestopr find_cmdrrrr r r!rs  rcCsttjstjtjr:ttjddgttjddgn6ztddddg}Wnt ydYdS0t|dS)Nz reset-failedrZrestartzlibcare.socketrrstart) rSKIP_SYSTEMCTL_CHECKr%r&r SYSTEMCTLr rrrrr r r!rs rTc sdddt|pgD}ddg}s6|dd|g7}z t|}Wn8tyz}z tjd|d d WYd}~n d}~00g}|d D]0}|rz|t |Wqt yYq0qd d |D}|D]&}t fdd|d D|d<q|S)N|css|]}d|VqdS)z({0})N)r1)rUprocr r r! rXz _libcare_info..rdz-jz-lz-rz/Gathering userspace libraries info error: '{0}'zuserspace libs info errorrsrRcSs$g|]}|d|d|dqS)commpid)rrr#)pop)rUliner r r!rWrXz!_libcare_info..c3s&|]\}}d|vss||fVqdS)patchlvlNr )rUkvpatchedr r!rrXr#)r'r`r/rrrr1splitappendjsonloads ValueErrordictr_)rlimitZregexprlinesr4resultrr rr!rZs& * $rZc Cst}|D]0}|dD]\}}||d|dfqq g}tD]j}|D]`\}}t||t|d} tj| rLt | d } | t | WdqL1s0YqLqD|S)Nr#r?rz info.jsonr) setr_add USERSPACE_MAPr+rFr%r&isfileopenrrload) rdrOrV_datarrrrZpatch_info_filenamefdr r r!r[s   2r[cCs ttSr;)r[rZr r r r!libcare_patch_info_basicsrcCs"t}|stdtd|iSNzNo patched processes.r)rr r0rdumpsrr r r!libcare_patch_info s rcCs"t}|stdtd|iSr)rZr r0rrrr r r! libcare_infos rcCs*i}tD]}|dd||d<q |S)NrMrLrN)rr\)rrVr r r!_libcare_versions rcCs*tD]\}}||r |Sq dS)NrL)rr_r)r)rNrr r r!libcare_version#s  rcCsddd|DdS)NrXcss|]}t|dVqdS)N)rbstr)rUpr r r!r+rXz(libcare_client_format..rrT)paramsr r r!libcare_client_format*srcCs,tD]}tj|r|SqtddS)NzLibcare socket is not found.)LIBCARE_SOCKETr%r&rrr)Zlibcare_socketr r r!get_available_libcare_socket.s  rcGstjrtdttjtjd}|dd}z|t |tj t |}t dj|d|||d}|s~q||7}qn|dd }t d j|d |W|S|0dS) NzLibcare is disabled.r rXzLibcare socket send: {cmd}rizutf-8replacez!Libcare socket recieved: {result}r)rrrrsocketAF_UNIX SOCK_STREAM settimeoutconnectrLIBCARE_SOCKET_TIMEOUTrr logdebugr1sendallrecvdecodeclose)rsockresrrrr r r!r/5s*        r/c Cs|D]}ztdt|Wn8tyR}z tjd|ddWYd}~n d}~00z tdWqty}z tjd|ddWYd}~qd}~00qdS)NZstoragez(Userspace storage switching error: '{0}'zuserspace storage switch errorrsrjz%Userspace patch applying error: '{0}'zuserspace patch apply error)r/r+rrrr1)rrr4r r r!libcare_patch_applyMs* rc CsJz tdWn8tyD}z tjd|ddWYd}~n d}~00dS)Nunloadz&Userspace patch unloading error: '{0}'zuserspace patch unload errorrs)r/rrrr1)r4r r r!libcare_unloadZs rrc Cst|tjkrtjsdS|dur.tt}g}|D]}|t |gq6|sft d |dSt |d\}}}}|rtd|st ddSttjtjdtz t|Wn>tjy}z$t t|tdWYd}~n d}~00t} t| } ttdd | Ds*dSt d j |d t d j | d tdd | D} tdd |D} | | } tdd | D}t dj t | |d| !D] \}}t d |t |q| S)z0Patch userspace processes to the latest version.NzNo such userspace patches: {0}rz8There were errors while patches downloading (unpacking).zNo patches were found.r$z)There were errors while patches applying.css|]}|dVqdS)r#Nr )rUitemr r r!rrXz&do_userspace_update..zPatched before: {before})beforezPatched after: {after})aftercss|]}|D] }|Vq qdSr;r rUr_rr r r!rrXcss|]}|D] }|Vq qdSr;r rr r r!rrXcss|]}t|VqdSr;)len)rUrr r r!rrXzThe patches have been successfully applied to {count} newly discovered processes. The overall amount of applied patches is {overall}.)countoverallz*Object `{0}` is patched for {1} processes.)"rotate_libcare_logsrUPDATE_MODE_AUTOrLIB_AUTO_UPDATErrkeysr]r\r loginfor1check_userspace_updatesrrr restore_selinux_contextr%r&r'r(rr0rFrZ_get_userspace_procsanyrrvaluessumrr_)moderZprocess_filterZuserspace_patchfailedsomething_foundrrrZ data_afterrZuniq_procs_afterZuniq_procs_beforediffrrrr r r!do_userspace_updateesT     r cCsjz.F)rrTrrr)rrrZrrrrrr logwarnrFr|rAlreadyTrialedExceptionrr0rtouch_status_gap_file) rZ data_beforerr r rrVr)rrerr rr!rs4    "& rc s^d}d}tjddd}|rztj|tgdd\}}}Wn0tyf}zd}t|}WYd}~n d}~00|rtjd |dd ntj d dd d t j sdSt jd }zt }tdfdd|D}dd|D}|jddd} |D]8\}} | t j | 7} | |krt | tjd| qWn"tyXtjddd Yn0dS)NrrLZ logrotateF) raise_excT)rrrz5failed to run logrotate for libcare logs, stderr: {0}r-zlogrotate utility wasn't foundz/var/log/libcare/iz ^\d+\.log.*cs$g|]}|rtj|qSr )matchr%r&r')rUfnZlibcare_log_directoryZ pidlog_rer r!rWrXz'rotate_libcare_logs..cSsg|]}tj||fqSr )r%r&getctime)rUfpr r r!rWrX)reversez%Removed %s because of logs size limitz)Failed to cleanup libcare server logfiles)r rrLIBCARE_LOGROTATE_CONFIGrrFr r0r1rr%r&rr!LIBCARE_PIDLOGS_MAX_TOTAL_SIZE_MBlistdirrecompilesortrremoverrdlogexc) rcrZlogrotate_pathrrZmax_total_sizeZ log_filesZ pidlog_filesZpidlog_files_with_ctZ total_sizefilepathr rr!rs<       rcCsJztddddg}Wnty*YdS0tj|ddd\}}}|dkS) zKAssume that whenever the service is not running, we did not patch anything.rrrrtFTrprr)rrrr r r!libcare_server_started!s  r+)N)TN)N)Drr%r$r}rrLrrrrrrr r r r r rrrpy23rrrDictListTupleZLIBCARE_CLIENTrrbrcr!ryrr"rr+r9intr:rgrrrrrZr[rrrrrrrr/rlog_all_parent_processesrtrack_update_statusskip_if_no_selinux_moduleUPDATE_MODE_MANUALr rrrrrr+r r r r!sp@  5      F   "*