From ae1206288f5664cc6921723d23097a59fcaae489 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= Date: Mon, 17 Sep 2018 22:26:20 +0200 Subject: [PATCH] fix: remove some harcoded /proc paths, use $procfs instead --- spectre-meltdown-checker.sh | 40 ++++++++++++++++++------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh index 5fa4462..56d6610 100755 --- a/spectre-meltdown-checker.sh +++ b/spectre-meltdown-checker.sh @@ -949,7 +949,7 @@ mount_debugfs() load_msr() { if [ "$os" = Linux ]; then - if ! grep -e msr /proc/modules 2>/dev/null; then + if ! grep -e msr "$procfs/modules" 2>/dev/null; then modprobe msr 2>/dev/null && insmod_msr=1 _debug "attempted to load module msr, insmod_msr=$insmod_msr" else @@ -968,7 +968,7 @@ load_msr() load_cpuid() { if [ "$os" = Linux ]; then - if ! grep -e cpuid /proc/modules 2>/dev/null; then + if ! grep -e cpuid "$procfs/modules" 2>/dev/null; then modprobe cpuid 2>/dev/null && insmod_cpuid=1 _debug "attempted to load module cpuid, insmod_cpuid=$insmod_cpuid" else @@ -1474,9 +1474,9 @@ if [ "$opt_live" = 1 ]; then # try to find the image of the current running kernel # first, look for the BOOT_IMAGE hint in the kernel cmdline - if [ -r /proc/cmdline ] && grep -q 'BOOT_IMAGE=' /proc/cmdline; then - opt_kernel=$(grep -Eo 'BOOT_IMAGE=[^ ]+' /proc/cmdline | cut -d= -f2) - _debug "found opt_kernel=$opt_kernel in /proc/cmdline" + if [ -r "$procfs/cmdline" ] && grep -q 'BOOT_IMAGE=' "$procfs/cmdline"; then + opt_kernel=$(grep -Eo 'BOOT_IMAGE=[^ ]+' "$procfs/cmdline" | cut -d= -f2) + _debug "found opt_kernel=$opt_kernel in $procfs/cmdline" # if the boot partition is within a btrfs subvolume, strip the subvolume name # if /boot is a separate subvolume, the remainder of the code in this section should handle it if echo "$opt_kernel" | grep -q "^/@"; then opt_kernel=$(echo "$opt_kernel" | sed "s:/@[^/]*::"); fi @@ -1520,8 +1520,8 @@ if [ "$opt_live" = 1 ]; then fi # system.map - if [ -e /proc/kallsyms ] ; then - opt_map=/proc/kallsyms + if [ -e "$procfs/kallsyms" ] ; then + opt_map="$procfs/kallsyms" elif [ -e "/lib/modules/$(uname -r)/System.map" ] ; then opt_map="/lib/modules/$(uname -r)/System.map" elif [ -e "/boot/System.map-$(uname -r)" ] ; then @@ -1531,9 +1531,9 @@ if [ "$opt_live" = 1 ]; then fi # config - if [ -e /proc/config.gz ] ; then + if [ -e "$procfs/config.gz" ] ; then dumped_config="$(mktemp /tmp/config-XXXXXX)" - gunzip -c /proc/config.gz > "$dumped_config" + gunzip -c "$procfs/config.gz" > "$dumped_config" # dumped_config will be deleted at the end of the script opt_config="$dumped_config" elif [ -e "/lib/modules/$(uname -r)/config" ]; then @@ -1563,7 +1563,7 @@ if [ "$os" = Linux ]; then fi if [ -n "$dumped_config" ] && [ -n "$opt_config" ]; then - _verbose "Will use kconfig \033[35m/proc/config.gz (decompressed)\033[0m" + _verbose "Will use kconfig \033[35m$procfs/config.gz (decompressed)\033[0m" elif [ -n "$opt_config" ]; then _verbose "Will use kconfig \033[35m$opt_config\033[0m" else @@ -2503,7 +2503,7 @@ check_CVE_2017_5715_linux() for dir in \ /sys/kernel/debug \ /sys/kernel/debug/x86 \ - /proc/sys/kernel; do + "$procfs/sys/kernel"; do if [ -e "$dir/ibrs_enabled" ]; then # if the file is there, we have IBRS compiled-in # /sys/kernel/debug/ibrs_enabled: vanilla @@ -3191,13 +3191,13 @@ check_CVE_2017_5754_linux() # Test if the current host is a Xen PV Dom0 / DomU - if [ -d "/proc/xen" ]; then + if [ -d "$procfs/xen" ]; then # XXX do we have a better way that relying on dmesg? dmesg_grep 'Booting paravirtualized kernel on Xen$'; ret=$? if [ $ret -eq 2 ]; then _warn "dmesg truncated, Xen detection will be unreliable. Please reboot and relaunch this script" elif [ $ret -eq 0 ]; then - if [ -e /proc/xen/capabilities ] && grep -q "control_d" /proc/xen/capabilities; then + if [ -e "$procfs/xen/capabilities" ] && grep -q "control_d" "$procfs/xen/capabilities"; then xen_pv_domo=1 else xen_pv_domu=1 @@ -3241,7 +3241,7 @@ check_CVE_2017_5754_linux() if [ -n "$kpti_support" ]; then if [ -e "/sys/kernel/debug/x86/pti_enabled" ]; then explain "Your kernel supports PTI but it's disabled, you can enable it with \`echo 1 > /sys/kernel/debug/x86/pti_enabled\`" - elif grep -q -w nopti -w pti=off /proc/cmdline; then + elif grep -q -w nopti -w pti=off "$procfs/cmdline"; then explain "Your kernel supports PTI but it has been disabled on command-line, remove the nopti or pti=off option from your bootloader configuration" else explain "Your kernel supports PTI but it has been disabled, check \`dmesg\` right after boot to find clues why the system disabled it" @@ -3372,9 +3372,9 @@ check_CVE_2018_3639() if [ "$opt_sysfs_only" != 1 ]; then _info_nol "* Kernel supports speculation store bypass: " if [ "$opt_live" = 1 ]; then - if grep -Eq 'Speculation.?Store.?Bypass:' /proc/self/status 2>/dev/null; then - kernel_ssb='found in /proc/self/status' - _debug "found Speculation.Store.Bypass: in /proc/self/status" + if grep -Eq 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null; then + kernel_ssb="found in $procfs/self/status" + _debug "found Speculation.Store.Bypass: in $procfs/self/status" fi fi if [ -z "$kernel_ssb" ] && [ -n "$kernel" ]; then @@ -3582,8 +3582,8 @@ check_CVE_2018_3646() _info "* Mitigation 2" _info_nol " * L1D flush is supported by kernel: " - if [ "$opt_live" = 1 ] && grep -qw flush_l1d /proc/cpuinfo; then - l1d_kernel='found flush_l1d in /proc/cpuinfo' + if [ "$opt_live" = 1 ] && grep -qw flush_l1d "$procfs/cpuinfo"; then + l1d_kernel="found flush_l1d in $procfs/cpuinfo" fi if [ -z "$l1d_kernel" ]; then if ! which "${opt_arch_prefix}strings" >/dev/null 2>&1; then @@ -3628,7 +3628,7 @@ check_CVE_2018_3646() _info_nol " * Hardware-backed L1D flush supported: " if [ "$opt_live" = 1 ]; then - if grep -qw flush_l1d /proc/cpuinfo; then + if grep -qw flush_l1d "$procfs/cpuinfo"; then pstatus green YES "performance impact of the mitigation will be greatly reduced" else pstatus blue NO "flush will be done in software, this is slower"