dbfdg 3 °ÎwhòDã@sddlZddlZddlZddlZddlZddlmZddlmZddlmZddlm Z ddlm Z ddlmZdd lmZdd lm Z ddlmZddlmZdd lmZddlmZddlmZmZmZdZdXZdZdZdZddddddœZdddgddgddgd œZd!d"„Zd#d$„ZGd%d&„d&eƒZ d'd(„Z!dYd)d*„Z"d+d,„Z#d-d.„Z$d/d0„Z%dZd2d3„Z&d4d5„Z'd6d7„Z(ed8d9„ƒZ)ed:d;„ƒZ*dd?„Z,d@dA„Z-dBdC„Z.dDdE„Z/dFdG„Z0ee!dHdI„ƒƒZ1ej2ee!ej3dfdJdK„ƒƒƒZ4edLdM„ƒZ5dNdO„Z6dPdQ„Z7d[dRdS„Z8dTdU„Z9dVdW„Z:dS)\éNé)Ú constants)Úconfig)Úconfig_handlers)Ú log_utils)Ú process_utils)Úutils)Úauth)Úerrors)Úselinux)Úfetch)Úupdate_utils)Úserver_info)Újson_loads_nstrÚurlquoteÚ HTTPErrorz!/usr/libexec/kcare/libcare-clientú/run/libcare/libcare.sockú/var/run/libcare.sockz /var/cache/kcare/libcare_patchesz /var/cache/kcare/libcare_cvelistz&/etc/sysconfig/kcare/libcare.logrotateÚdbÚqemu)ÚmysqldÚmariadbdÚpostgreszqemu-kvmzqemu-system-x86_64rrrzqemu-kvmzqemu-system-x86_64ÚlibcZlibssl)rrÚlibscGstjjtjd|f|žŽS)NÚ userspace)ÚosÚpathÚjoinrÚPATCH_CACHE)ÚlibnameÚparts©r"ú-/usr/libexec/kcare/python/kcarectl/libcare.pyÚget_userspace_cache_path.sr$cs‡fdd„}|S)NcsVz ˆ||ŽSytdƒWn6tk rN}ztjdj|ƒddWYdd}~XnXXdS)NÚ clearcachez$Libcare cache clearing failed: '{0}'F)Ú print_msg)Úlibcare_clientÚ ExceptionrÚlogerrorÚformat)ÚargsÚkwargsÚerr)Úclblr"r#Úwrapper3s z$clear_libcare_cache..wrapperr")r.r/r")r.r#Úclear_libcare_cache2s r0cs0eZdZd‡fdd„ Zd dd„Zdd„Z‡ZS) ÚUserspacePatchLevelNcst||ƒj||ƒS)N)ÚsuperÚ__new__)Úclsr ÚbuildidÚlevelÚbaseurl)Ú __class__r"r#r3AszUserspacePatchLevel.__new__cCs||_||_||_||_dS)N)r6r r5r7)Úselfr r5r6r7r"r"r#Ú__init__DszUserspacePatchLevel.__init__cGst|j|jt|ƒf|žŽS)N)r$r r5Ústr)r9r!r"r"r#Ú cache_pathJszUserspacePatchLevel.cache_path)N)N)Ú__name__Ú __module__Ú__qualname__r3r:r<Ú __classcell__r"r")r8r#r1@s r1csdd„‰‡‡fdd„}|S)NcSsºd\}}zŠ|dkrtƒ}i}g}xLt|ƒD]@}|jddƒ||jdƒ<x$|jdgƒD]}|j|jdƒƒqRWq*Wdjdd „|jƒDƒƒ}dj|ƒ}Wdtjt|d dtjt |d dXdS) z(KPT-1543 Save info about applyed patchesÚNzlatest-versionÚpackageÚpatchesZcveÚ cSsg|]}dj|ƒ‘qS)ú )r)Ú.0Úrecr"r"r#ú [szLrefresh_applied_patches_list..save_current_state..T)Ú ensure_dir)rArA) Ú _libcare_infoÚ_get_patches_infoÚgetÚappendrÚitemsrÚatomic_writeÚLIBCARE_PATCHESÚLIBCARE_CVE_LIST)ÚinfoZversionsZcvesZpackagesZ cves_listrGÚpatchr"r"r#Úsave_current_stateOsz8refresh_applied_patches_list..save_current_statecs"d}zˆ||Ž}|Sˆ|ƒXdS)Nr")r+r,rR)r.rTr"r#r/as z-refresh_applied_patches_list..wrapperr")r.r/r")r.rTr#Úrefresh_applied_patches_listNsrUcCs$tjpd}t|ƒ}t|jƒƒ}tjtj|dƒ|||dƒ}|dtj tj d|ƒƒ7}tj|dƒ}ytjt jƒ|dd}Wn,tjk r¢tjt||ƒd d ‚YnXtj|jƒttj|jƒƒƒ}t|||d|jdƒƒ}t|dƒ} t||| d ƒ} tjj| ƒstjj| ƒdkr€tj|dƒ}ytj || tj!tj"|ƒdWn<t#k r~}z|j$dkrltj%dƒ‚‚WYdd}~XnXt||| ƒ}dd| d|dg} t&j'| d d d\}}}|rÌtj(dj)|||ƒƒ‚t||dƒ}tjj*|ƒrtjj+|ƒrtj|ƒtj,| |dƒtj-|d|ƒdS)NÚmainÚuz latest.v1z?info=ÚupdaterF)Ú check_licenseT)Ú ignore_errorsr6r7zpatch.tar.gzrZ patch_url)Zcheck_signatureÚhash_checkeré“é‘zKC+ licence is requiredÚtarZxfz-Cz--no-same-owner)Úcatch_stdoutÚcatch_stderrz(Patches unpacking error: '{0}' '{1}' {2}Úlatestz.tmp)r\r]).rÚPREFIXrÚstriprÚget_patch_server_urlÚLIBNAME_MAPrLrZencode_server_lib_infoZserver_lib_inforÚwrap_with_cache_keyr Úurlopen_authr ÚNotFoundÚshutilÚrmtreer$rÚset_config_from_patchserverÚheadersrÚnstrÚreadr1r;rrÚexistsÚgetsizeÚ fetch_urlÚ USE_SIGNATUREÚget_hash_checkerrÚcodeÚNoLibcareLicenseExceptionrÚrun_commandÚ KcareErrorr*ÚislinkÚisdirÚsymlinkÚrename)r Úbuild_idÚpatch_levelÚprefixÚurlÚ cache_dstÚresponseÚmetar6ÚplevelZ patch_pathÚexÚdstÚcmdrtÚstdoutÚstderrZ link_namer"r"r#Úfetch_userspace_patchlsD " r‰cCsL|t_|stƒtj|rdndd|r0tƒtjjd|r@dndƒdS)NÚFALSEÚYES)ÚLIBCARE_DISABLEDzlibcare service is ÚenabledÚdisabled) rrŒÚlibcare_server_stoprÚ update_configÚlibcare_server_startrÚkcarelogrR)rr"r"r#Úset_libcare_status™sr“cCs:ytjddƒddg}Wntk r*dSXtj|ƒdS)NÚserviceú /usr/sbin/ú/sbin/ÚlibcareÚstop)r•r–)rÚfind_cmdr(rv)r†r"r"r#r£s rcCsttjstjjtjƒr:tjtjddgƒtjtjddgƒn6ytjdd ƒddg}Wnt k rddSXtj|ƒdS) Nzreset-failedr—Zrestartzlibcare.socketr”ú /usr/sbin/ú/sbin/Ústart)ršr›) rÚSKIP_SYSTEMCTL_CHECKrrroÚ SYSTEMCTLrrvr™r()r†r"r"r#r‘«sr‘Tcsþdjdd„t|pgƒDƒƒ}ddg}ˆs6|dd|g7}yt|Ž}Wn2tk rt}ztjdj|ƒƒ‚WYdd}~XnXg}x@|jd ƒD]2}|r†y|jt j |ƒƒWq†tk r¶Yq†Xq†Wd d„|Dƒ}x.|D]&}t‡fdd„|d j ƒDƒƒ|d <qÐW|S)Nú|css|]}dj|ƒVqdS)z({0})N)r*)rFÚprocr"r"r#ú ºsz _libcare_info..rRz-jz-lz-rz/Gathering userspace libraries info error: '{0}'rDcSs$g|]}|jdƒ|jdƒ|dœ‘qS)ÚcommÚpid)r¢r£r)Úpop)rFÚliner"r"r#rHÐsz!_libcare_info..c3s(|] \}}d|ksˆr||fVqdS)ÚpatchlvlNr")rFÚkÚv)Úpatchedr"r#r¡Ósr)rÚsortedr'r(r rwr*ÚsplitrMÚjsonÚloadsÚ ValueErrorÚdictrN)r©ÚlimitZregexpr†Úlinesr-Úresultr¥r")r©r#rJ¹s&" &rJcCs°tƒ}x<|D]4}x.|djƒD]\}}|j|d|dfƒqWqWg}xbtD]Z}xT|D]L\}}t||t|ƒdƒ} tjj| ƒrXt | dƒ} |j tj| ƒƒWdQRXqXWqNW|S)Nrr5r¦z info.jsonÚr) ÚsetrNÚaddÚ USERSPACE_MAPr$r;rrÚisfileÚopenrMr¬Úload)rRrCrGÚ_Údatar²r€r|r¦Zpatch_info_filenameÚfdr"r"r#rKØs "rKcCs ttƒƒS)N)rKrJr"r"r"r#Úlibcare_patch_info_basicçsr½cCs"tƒ}|stjdƒtjd|iƒS)NzNo patched processes.r²)r½rr)r¬Údumps)r²r"r"r#Úlibcare_patch_infoës r¿cCs"tƒ}|stjdƒtjd|iƒS)NzNo patched processes.r²)rJrr)r¬r¾)r²r"r"r#Úlibcare_infoós rÀcCs.i}x$tƒD]}|jddƒ||jdƒ<qW|S)Nzlatest-versionrArB)r½rL)r²rGr"r"r#Ú_libcare_versionûsrÁcCs*x$tƒjƒD]\}}|j|ƒr|SqWdS)NrA)rÁrNÚ startswith)r rBÚversionr"r"r#Úlibcare_versions rÄcCsdjdd„|DƒƒdS)Nócss|]}tj|ƒdVqdS)óN)rÚbstr)rFÚpr"r"r#r¡ sz(libcare_client_format..rÆ)r)Úparamsr"r"r#Úlibcare_client_format srÊcCs,xtD]}tjj|ƒr|SqWtjdƒ‚dS)NzLibcare socket is not found.)ÚLIBCARE_SOCKETrrror rw)Zlibcare_socketr"r"r#Úget_available_libcare_socket s rÌc Gs¼tjrtjdƒ‚tjtjtjdƒ}|jdƒd}z||jt ƒƒ|jtj ƒt|ƒ}tj dj|dƒ|j|ƒx|jdƒ}|s€P||7}qpW|jdd ƒ}tj d j|dƒ|S|jƒXdS)NzLibcare is disabled.ré rÅzLibcare socket send: {cmd})r†izutf-8Úreplacez!Libcare socket recieved: {result})r²)rrŒr rwÚsocketÚAF_UNIXÚSOCK_STREAMÚ settimeoutÚconnectrÌÚLIBCARE_SOCKET_TIMEOUTrÊrÚlogdebugr*ÚsendallÚrecvÚdecodeÚclose)rÉÚsockÚresr†r»r²r"r"r#r's( r'cCs˜x’|D]Š}ytdt|ƒƒWn2tk rN}ztjdj|ƒƒ‚WYdd}~XnXytdƒWqtk rŽ}ztjdj|ƒƒ‚WYdd}~XqXqWdS)NZstoragez(Userspace storage switching error: '{0}'rXz%Userspace patch applying error: '{0}')r'r$r(r rwr*)r°r…r-r"r"r#Úlibcare_patch_apply,s "rÜcCsDytdƒWn2tk r>}ztjdj|ƒƒ‚WYdd}~XnXdS)NÚunloadz&Userspace patch unloading error: '{0}')r'r(r rwr*)r-r"r"r#Úlibcare_unload9srÞcCsðtjƒtƒ|tjkr$tjr$dS|dkr8ttj ƒƒ}g}x|D]}|j tj|gƒƒqBW|sttj dj|ƒƒdSt|d\}}}}|r”tjdƒ‚|s¦tj dƒdStjtjjtjdƒƒtƒyt|ƒWn>tjk r}ztjt|ƒƒtjdƒ‚WYdd}~XnXtƒ} t| ƒ} ttdd „| Dƒƒƒs8dStjd j|dƒtjdj| d ƒtdd „| j ƒDƒƒ}tdd „|j ƒDƒƒ}||} t!dd „| j ƒDƒƒ}tj djt"| ƒ|dƒx,| j#ƒD] \}}tj dj|t"|ƒƒƒqÈW| S)z0Patch userspace processes to the latest version.NzNo such userspace patches: {0})r°z:There was an errors while patches downloading (unpacking).zNo patches were found.rz+There was an errors while patches applying.css|]}|dVqdS)rNr")rFÚitemr"r"r#r¡tsz&do_userspace_update..zPatched before: {before})ÚbeforezPatched after: {after})Úaftercss|]}|D] }|Vq qdS)Nr")rFrNr¨r"r"r#r¡{scss|]}|D] }|Vq qdS)Nr")rFrNr¨r"r"r#r¡|scss|]}t|ƒVqdS)N)Úlen)rFr¨r"r"r#r¡sz…The patches have been successfully applied to {count} newly discovered processes. The overall amount of applied patches is {overall}.)ÚcountÚoverallz*Object `{0}` is patched for {1} processes.)$rÚlog_all_parent_processesÚrotate_libcare_logsrÚUPDATE_MODE_AUTOrÚLIB_AUTO_UPDATEÚlistr¶ÚkeysÚextendrLrÚloginfor*Úcheck_userspace_updatesr rwrÚrestore_selinux_contextrrrrrÜr)r;rJÚ_get_userspace_procsÚanyrÕr´ÚvaluesÚsumrârN)Úmoder°Zprocess_filterZuserspace_patchÚfailedÚsomething_foundrºràr„Z data_afterráZuniq_procs_afterZuniq_procs_beforeZdiffrär§r¨r"r"r#Údo_userspace_updateBsR röcCsNytƒ\}}}}Wntjk r(dSX|r2dS|r:dStjddrJdSdS)Nérz.libcarestatus)Úfilenameér)rír rwr Ústatus_gap_passed)rôrºÚlibs_not_patchedr"r"r#Úget_userspace_update_statusŒsrücCsdi}xZ|D]R}xL|djƒD]<\}}|jdƒr||kr>g||<||j|d|dfƒqWq W|S)Nrr¦r£r¢)rNrLrM)rRr²rßr rGr"r"r#rïœs "rïcCsNtƒ}xB|D]:}x4|djƒD]$\}}|j||d|jddƒfƒqWqW|S)Nrr5r¦r)r´rNrµrL)rRr²rßr rGr"r"r#Ú_get_userspace_libs§s $rýcsúˆsg‰‡fdd„tjƒDƒtdˆd}t|ƒ}d}}d}x¢t|ƒD]–}|\}}} y t||| ƒd}| dkrtd}WqHtjtjfk r’YqHtj k r¨‚YqHtj k rÜ} zd}tjt | ƒƒWYdd} ~ XqHXqHWtjdd||||fS) Ncsg|]}ˆj|ƒ‘qSr")rë)rFr)r°r"r#rH²sz+check_userspace_updates..F)r©r°Trz.libcarestatus)rø)r¶rñrJrïrýr‰r rhruÚAlreadyTrialedExceptionrwrr)r;r Útouch_status_gap_file)r°Zdata_beforeràrôrõrûrGr r|r¦r„r")r°r#rí¯s. $rícsfd}d}tjddd}|r€ytj|tgdd\}}}Wn.tk rd}zd}t|ƒ}WYdd}~XnX|rŽtjd j|ƒdd ntj ddd d‰t jjˆƒs¢dSt jd}yt jˆƒ}tjdƒ‰‡‡fdd„|Dƒ}dd„|Dƒ}|jddd} xD|D]<\}} | t jj| ƒ7} | |krút j| ƒtjjd| ƒqúWWn$tk r`tjddd YnXdS)NrrAZ logrotateF)Ú raise_excT)r`rz5failed to run logrotate for libcare logs, stderr: {0})r&zlogrotate utility wasn't foundz/var/log/libcare/irùz^\d+\.log.*cs$g|]}ˆj|ƒrtjjˆ|ƒ‘qSr")Úmatchrrr)rFÚfn)Úlibcare_log_directoryÚ pidlog_rer"r#rHçsz'rotate_libcare_logs..cSsg|]}tjj|ƒ|f‘qSr")rrÚgetctime)rFÚfpr"r"r#rHés)Úreversez%Removed %s because of logs size limitz)Failed to cleanup libcare server logfilesi)rr™rvÚLIBCARE_LOGROTATE_CONFIGr(r;rr)r*ÚlogwarnrrryrÚ!LIBCARE_PIDLOGS_MAX_TOTAL_SIZE_MBÚlistdirÚreÚcompileÚsortrpÚremover’rRÚlogexc)ÚrcrˆZlogrotate_pathrºÚeZmax_total_sizeZ log_filesZpidlog_filesZpidlog_files_with_ctZ total_sizeÚfilepathr")rrr#ræÎs< ræc CsJytjdd ƒddg}Wntk r*dSXtj|ddd\}}}|d kS)zKAssume that whenever the service is not running, we did not patch anything.r”ú /usr/sbin/ú/sbin/r—ÚstatusFT)r_r`r)rr)rr™r(rv)r†rtrºr"r"r#Úlibcare_server_startedøsr)rr)N)TN)N);rrrirÏr¬rArrrrrrr r rrr rÚpy23rrrZLIBCARE_CLIENTrËrPrQrrer¶r$r0Úintr1rUr‰r“rr‘rJrKr½r¿rÀrÁrÄrÊrÌr'rÜrÞÚskip_if_no_selinux_moduleÚUPDATE_MODE_MANUALrörürïrýrírærr"r"r"r#Úst - G *