SUSE / libpulp

libpulp enables live patching in user space applications.
GNU Lesser General Public License v2.1

Add mechanism to opt-out livepatching #168

Closed giulianobelinassi closed 1 year ago

giulianobelinassi commented 1 year ago

This PR adds the ability for libpulp to disable livepatching given some parameters.

The first parameter is through the environment variables:

  1. LIBPULP_DISABLE_ON_PATH=path_wildcard1:path_wildcard2:...
  2. LIBPULP_DISABLE_ON_USERS=user_wildcard1:user_wildcard2:...
  3. LIBPULP_DISABLE_ON_GROUPS=group1_wildcard:group2_wildcard:...

Each variable accepts multiple arguments separated by the : token. For example, if the variable LIBPULP_DISABLE_ON_PATH=*/numserv:/home/* is defined, then all processes with name numserv and all processes whose binary is housed in /home/* will have livepatching blocked, regardless of whether they are run with libpulp or not.

Another example: LIBPULP_DISABLE_ON_USERS=:1000:giulianob will block livepatching for users with uid = 1000 or whose name is giulianob.

Now, since the user may want to re-enable livepatching, we provide the new command set_patchable:

$ ulp set_patchable -p <PID|NAME> -u <UID|USERNAME> enable

Example:

$ ulp set_patchable -p numserv enable

will enable livepatching for all processes with name numserv.
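As an added example, not libpulp's own code, the following C shows how the colon-separated fnmatch(3) lists described in the PR can be evaluated against a process (executable path, uid, user name, primary group). The function names, the choice to skip empty tokens such as the leading ":" in ":1000:giulianob", matching the uid as its decimal string, and the constructed inputs are all assumptions made here.

```c
#define _GNU_SOURCE
#include <fnmatch.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return 1 if 'subject' matches any ':'-separated fnmatch pattern in 'list'.
 * A NULL or empty list never matches; empty tokens are skipped (assumption).
 * FNM flags are 0, so '*' also matches '/' and "*\/numserv" matches a full path. */
static int matches_any_pattern(const char *list, const char *subject)
{
    if (list == NULL || *list == '\0' || subject == NULL)
        return 0;
    char *copy = strdup(list);           /* strtok_r modifies its input */
    if (copy == NULL)
        return 0;
    int hit = 0;
    char *save = NULL;
    for (char *tok = strtok_r(copy, ":", &save); tok != NULL;
         tok = strtok_r(NULL, ":", &save)) {
        if (fnmatch(tok, subject, 0) == 0) { hit = 1; break; }
    }
    free(copy);
    return hit;
}

/* Apply the three lists (values of LIBPULP_DISABLE_ON_PATH/USERS/GROUPS, passed
 * in explicitly here instead of read via getenv) to one process description.
 * The uid is compared as its decimal string so ":1000:giulianob" covers uid 1000. */
static int livepatch_disabled(const char *paths, const char *users, const char *groups,
                              const char *exe_path, unsigned uid,
                              const char *user, const char *group)
{
    char uid_str[16];
    snprintf(uid_str, sizeof uid_str, "%u", uid);
    if (matches_any_pattern(paths, exe_path))
        return 1;
    if (matches_any_pattern(users, uid_str) || matches_any_pattern(users, user))
        return 1;
    return matches_any_pattern(groups, group);
}

int main(void)
{
    /* Constructed sample process, using the PR's own example lists. */
    int blocked = livepatch_disabled("*/numserv:/home/*", ":1000:giulianob", NULL,
                                     "/opt/app/server", 1000, "root", "wheel");
    printf("livepatching %s\n", blocked ? "disabled (uid 1000 matched)" : "allowed");
    return 0;
}
```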

susematz commented 1 year ago

FWIW, I do like the approach with fnmatch based patterns in envvars and the explicit command to enable it per process again.