// livepatch tapset macros // Copyright (C) 2022 Red Hat Inc. // // This file is part of systemtap, and is free software. You can // redistribute it and/or modify it under the terms of the GNU General // Public License (GPL); either version 2, or (at your option) any // later version. private cve_id private cve_load_time global cve_notify_p = 1 global cve_fix_p = 1 global cve_trace_p = 1 global cve_enabled_p = 1 global cve_tmpdisabled_s = -1 probe begin { cve_id = module_name() cve_load_time = gettimeofday_s() if (cve_notify_p) printf("%s mitigation loaded\n", cve_id) } probe end,error { if (cve_notify_p) printf("%s mitigation unloaded\n", cve_id) } # Parameter reading and updating @define cve_probe_procfs_parameter (glbl, f_name) %( probe procfs(@f_name).read { $value = sprintf("%d\n", @glbl) } probe procfs(@f_name).write { @glbl = strtol($value, 10) } %) @cve_probe_procfs_parameter(cve_notify_p , "cve_notify_p") @cve_probe_procfs_parameter(cve_trace_p , "cve_trace_p") @cve_probe_procfs_parameter(cve_fix_p , "cve_fix_p") @cve_probe_procfs_parameter(cve_enabled_p , "cve_enabled_p") probe procfs("cve_tmpdisabled_s").read { $value = sprintf("%d\n", cve_tmpdisabled_s) } probe procfs("cve_tmpdisabled_s").write { cve_tmpdisabled_s = strtol($value, 10) if (cve_tmpdisabled_s > 0) cve_enabled_p = 0 # trigger temporary disable } # The metric accumulation and prometheus global cve_metrics /** * sfunction cve_count_metric - Increment the count of key * * @key: The metric * * Description: This function increments the count of the metric * key by 1. The metrics can be accessed in * /proc/systemtap/MODULE_NAME/__prometheus */ function cve_count_metric (key:string) { cve_metrics[key] ++ } /** * sfunction cve_record_metric - Set the value of key * * @key: The metric * @value: The new value * * Description: This function sets the value of the metric * key. The metrics can be accessed in * /proc/systemtap/MODULE_NAME/__prometheus */ function cve_record_metric (key:string, value:long) { cve_metrics[key] = value } probe prometheus { cve_record_metric("runtime", gettimeofday_s() - cve_load_time) @prometheus_dump_array1(cve_metrics, cve_id, "metric") } # Disabling the patch probe timer.s(1) { if(!cve_enabled_p && cve_tmpdisabled_s >= 0){ if(cve_tmpdisabled_s > 0){ cve_tmpdisabled_s-- }else{ if (cve_notify_p) printf("%s reenabling\n", cve_id) cve_enabled_p = 1 cve_tmpdisabled_s = -1 } } } /** * sfunction cve_tmpdisable - Disable the cve livepatch * * @duration: The number of seconds to disable * * Description: This function temporarily disables the * conditionals which use cve_enabled_p for duration seconds. * If duration is -1, disable the livepatch until reenabled. */ function cve_tmpdisable(duration:long){ if (cve_notify_p) printf("%s disabling temporarily\n", cve_id) cve_enabled_p = 0 cve_tmpdisabled_s = duration }