Which exceptions for ULP exist? #175

Open
scmschmidt opened this issue May 2, 2023 · 2 comments
Comments

@scmschmidt

So far I have:

  • static binaries
  • LD_PRELOAD for SetUID/SetGID binaries
  • From internal documentation (Userspace live patching):
    • MemoryDenyWriteExecute=yes in the service configuration file.
      In SLES15.4 I found:
      • auditd.service
      • augenrules.service
      • systemd-journald.service
      • systemd-logind.service
      • systemd-udevd.service
      • uuidd.service
  • seccomp driver causing calls to mprotect with EXEC flags to be blocked
    (Can this be detected? Do we have a list?)
  • I assume SELinux or AppArmor settings?

We need to document the exceptions. Also, we should provide admins with the tooling to discover such non-livepatchable processes, so they can restart them.

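One way to build the discovery tooling asked for above, as an added example that is not libpulp's own code: for each PID it checks the executable for a PT_INTERP program header (absent in static binaries), the setuid/setgid bits (ld.so ignores LD_PRELOAD for them), the owning systemd unit's MemoryDenyWriteExecute setting via `systemctl show`, and the Seccomp field of /proc/PID/status. Assumptions: the preloaded library's file name contains "libpulp" (libpulp.so), and the sample ELF image and /proc snippets in the block are constructed for testing. SELinux/AppArmor policy is not covered, since whether a profile denies mprotect(PROT_EXEC) is not visible from /proc.

```python
"""Find processes that libpulp (ULP) cannot live-patch.

Added example for this issue, not libpulp code. Checks the conditions listed above from
/proc and systemd: static binaries (no PT_INTERP, so ld.so never runs and LD_PRELOAD cannot
load libpulp.so), setuid/setgid binaries (ld.so ignores LD_PRELOAD), units with
MemoryDenyWriteExecute=yes (mprotect(PROT_EXEC) denied) and seccomp filters (may deny
mprotect(PROT_EXEC); rules are not readable from userspace, so only flagged for review).
Assumption: the preloaded library's file name contains "libpulp".
"""
import os
import stat
import struct
import subprocess

ELF_MAGIC = b"\x7fELF"
PT_INTERP = 3

def has_interp(elf: bytes) -> bool:
    """True if the ELF image has a PT_INTERP header, i.e. is dynamically linked."""
    if elf[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    end = "<" if elf[5] == 1 else ">"                  # EI_DATA: 1 little, 2 big endian
    if elf[4] == 2:                                    # EI_CLASS 2 = ELF64
        (phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:                                              # ELF32
        (phoff,) = struct.unpack_from(end + "I", elf, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    if phoff + phnum * phentsize > len(elf):
        raise ValueError("program header table not in buffer")
    return any(struct.unpack_from(end + "I", elf, phoff + i * phentsize)[0] == PT_INTERP
               for i in range(phnum))

def seccomp_mode(status_text: str) -> int:
    """Seccomp mode from /proc/PID/status: 0 none, 1 strict, 2 filter."""
    for line in status_text.splitlines():
        if line.startswith("Seccomp:"):
            return int(line.split(":", 1)[1])
    return 0

def unit_from_cgroup(cgroup_text: str) -> str:
    """systemd unit from /proc/PID/cgroup, or "" when the PID is not in a .service."""
    for line in cgroup_text.splitlines():
        leaf = line.rsplit("/", 1)[-1]
        if leaf.endswith(".service"):
            return leaf
    return ""

def mdwe_enabled(show_output: str) -> bool:
    """Parse the output of: systemctl show -p MemoryDenyWriteExecute <unit>."""
    for line in show_output.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "MemoryDenyWriteExecute":
            return value.strip() == "yes"
    return False

def blockers(elf, mode, status_text, show_output, maps_text):
    """Reasons why a process is not live-patchable; an empty list means it looks fine."""
    reasons = []
    if not has_interp(elf):
        reasons.append("static binary: no PT_INTERP, LD_PRELOAD cannot load libpulp.so")
    if mode & (stat.S_ISUID | stat.S_ISGID):
        reasons.append("setuid/setgid binary: ld.so ignores LD_PRELOAD")
    if mdwe_enabled(show_output):
        reasons.append("MemoryDenyWriteExecute=yes: mprotect(PROT_EXEC) is denied")
    if seccomp_mode(status_text) == 2:
        reasons.append("seccomp filter active: mprotect(PROT_EXEC) may be denied, verify manually")
    if "libpulp" not in maps_text:                     # assumption: libpulp.so is the preloaded name
        reasons.append("libpulp.so is not mapped into the process")
    return reasons

def scan_pid(pid: int):
    """Gather the inputs for one running process and classify it (root for other users' PIDs)."""
    proc = f"/proc/{pid}"
    with open(f"{proc}/exe", "rb") as f:
        elf = f.read(1 << 20)                          # program headers follow the ELF header
    unit = unit_from_cgroup(open(f"{proc}/cgroup").read())
    show = subprocess.run(["systemctl", "show", "-p", "MemoryDenyWriteExecute", unit],
                          capture_output=True, text=True).stdout if unit else ""
    return unit, blockers(elf, os.stat(f"{proc}/exe").st_mode, open(f"{proc}/status").read(),
                          show, open(f"{proc}/maps").read())

def make_test_elf64(phdr_types):
    """Constructed sample: minimal little-endian ELF64 image with the given p_type values."""
    ehdr = bytearray(64)
    ehdr[0:4], ehdr[4], ehdr[5] = ELF_MAGIC, 2, 1       # magic, ELF64, little endian
    struct.pack_into("<Q", ehdr, 0x20, 64)             # e_phoff: table right after the header
    struct.pack_into("<HH", ehdr, 0x36, 56, len(phdr_types))   # e_phentsize, e_phnum
    return bytes(ehdr) + b"".join(struct.pack("<I", t) + bytes(52) for t in phdr_types)

# Constructed sample /proc contents for the checks above.
SAMPLE_STATUS_FILTER = "Name:\tauditd\nSeccomp:\t2\nSeccomp_filters:\t1\n"
SAMPLE_MAPS_WITH_PULP = "7f3a00000000-7f3a00020000 r-xp 00000000 08:01 1 /usr/lib64/libpulp.so.0\n"

if __name__ == "__main__":
    for entry in filter(str.isdigit, os.listdir("/proc")):
        try:
            unit, reasons = scan_pid(int(entry))
        except (OSError, ValueError):
            continue                                   # kernel threads, exited or unreadable PIDs
        if reasons:
            print(f"PID {entry} ({unit or 'no unit'}): " + "; ".join(reasons))
```

Run it as root so every PID's exe, status and maps are readable. A seccomp mode of 2 is reported as a warning only, because the installed filter cannot be read back from userspace; whether it actually denies mprotect(PROT_EXEC) has to be checked against the service's SystemCallFilter= or the application's own filter.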
@giulianobelinassi
Collaborator

The ulp patches command in Libpulp 0.2.10 is able to detect this. When the process is launched with libpulp, its initialization process is able to test its livepatching capabilities. In such cases, ulp patches will report it as disabled by some internal error.

@scmschmidt
Author

I checked with a static binary and auditd and it worked. Thanks.
