fix: remove some harcoded /proc paths, use $procfs instead
This commit is contained in:
Stéphane Lesimple
parent
b44d2b5470
commit
ae1206288f
|
|
@ -949,7 +949,7 @@ mount_debugfs()
|
||||||
load_msr()
|
load_msr()
|
||||||
{
|
{
|
||||||
if [ "$os" = Linux ]; then
|
if [ "$os" = Linux ]; then
|
||||||
if ! grep -e msr /proc/modules 2>/dev/null; then
|
if ! grep -e msr "$procfs/modules" 2>/dev/null; then
|
||||||
modprobe msr 2>/dev/null && insmod_msr=1
|
modprobe msr 2>/dev/null && insmod_msr=1
|
||||||
_debug "attempted to load module msr, insmod_msr=$insmod_msr"
|
_debug "attempted to load module msr, insmod_msr=$insmod_msr"
|
||||||
else
|
else
|
||||||
|
|
@ -968,7 +968,7 @@ load_msr()
|
||||||
load_cpuid()
|
load_cpuid()
|
||||||
{
|
{
|
||||||
if [ "$os" = Linux ]; then
|
if [ "$os" = Linux ]; then
|
||||||
if ! grep -e cpuid /proc/modules 2>/dev/null; then
|
if ! grep -e cpuid "$procfs/modules" 2>/dev/null; then
|
||||||
modprobe cpuid 2>/dev/null && insmod_cpuid=1
|
modprobe cpuid 2>/dev/null && insmod_cpuid=1
|
||||||
_debug "attempted to load module cpuid, insmod_cpuid=$insmod_cpuid"
|
_debug "attempted to load module cpuid, insmod_cpuid=$insmod_cpuid"
|
||||||
else
|
else
|
||||||
|
|
@ -1474,9 +1474,9 @@ if [ "$opt_live" = 1 ]; then
|
||||||
|
|
||||||
# try to find the image of the current running kernel
|
# try to find the image of the current running kernel
|
||||||
# first, look for the BOOT_IMAGE hint in the kernel cmdline
|
# first, look for the BOOT_IMAGE hint in the kernel cmdline
|
||||||
if [ -r /proc/cmdline ] && grep -q 'BOOT_IMAGE=' /proc/cmdline; then
|
if [ -r "$procfs/cmdline" ] && grep -q 'BOOT_IMAGE=' "$procfs/cmdline"; then
|
||||||
opt_kernel=$(grep -Eo 'BOOT_IMAGE=[^ ]+' /proc/cmdline | cut -d= -f2)
|
opt_kernel=$(grep -Eo 'BOOT_IMAGE=[^ ]+' "$procfs/cmdline" | cut -d= -f2)
|
||||||
_debug "found opt_kernel=$opt_kernel in /proc/cmdline"
|
_debug "found opt_kernel=$opt_kernel in $procfs/cmdline"
|
||||||
# if the boot partition is within a btrfs subvolume, strip the subvolume name
|
# if the boot partition is within a btrfs subvolume, strip the subvolume name
|
||||||
# if /boot is a separate subvolume, the remainder of the code in this section should handle it
|
# if /boot is a separate subvolume, the remainder of the code in this section should handle it
|
||||||
if echo "$opt_kernel" | grep -q "^/@"; then opt_kernel=$(echo "$opt_kernel" | sed "s:/@[^/]*::"); fi
|
if echo "$opt_kernel" | grep -q "^/@"; then opt_kernel=$(echo "$opt_kernel" | sed "s:/@[^/]*::"); fi
|
||||||
|
|
@ -1520,8 +1520,8 @@ if [ "$opt_live" = 1 ]; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# system.map
|
# system.map
|
||||||
if [ -e /proc/kallsyms ] ; then
|
if [ -e "$procfs/kallsyms" ] ; then
|
||||||
opt_map=/proc/kallsyms
|
opt_map="$procfs/kallsyms"
|
||||||
elif [ -e "/lib/modules/$(uname -r)/System.map" ] ; then
|
elif [ -e "/lib/modules/$(uname -r)/System.map" ] ; then
|
||||||
opt_map="/lib/modules/$(uname -r)/System.map"
|
opt_map="/lib/modules/$(uname -r)/System.map"
|
||||||
elif [ -e "/boot/System.map-$(uname -r)" ] ; then
|
elif [ -e "/boot/System.map-$(uname -r)" ] ; then
|
||||||
|
|
@ -1531,9 +1531,9 @@ if [ "$opt_live" = 1 ]; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# config
|
# config
|
||||||
if [ -e /proc/config.gz ] ; then
|
if [ -e "$procfs/config.gz" ] ; then
|
||||||
dumped_config="$(mktemp /tmp/config-XXXXXX)"
|
dumped_config="$(mktemp /tmp/config-XXXXXX)"
|
||||||
gunzip -c /proc/config.gz > "$dumped_config"
|
gunzip -c "$procfs/config.gz" > "$dumped_config"
|
||||||
# dumped_config will be deleted at the end of the script
|
# dumped_config will be deleted at the end of the script
|
||||||
opt_config="$dumped_config"
|
opt_config="$dumped_config"
|
||||||
elif [ -e "/lib/modules/$(uname -r)/config" ]; then
|
elif [ -e "/lib/modules/$(uname -r)/config" ]; then
|
||||||
|
|
@ -1563,7 +1563,7 @@ if [ "$os" = Linux ]; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -n "$dumped_config" ] && [ -n "$opt_config" ]; then
|
if [ -n "$dumped_config" ] && [ -n "$opt_config" ]; then
|
||||||
_verbose "Will use kconfig \033[35m/proc/config.gz (decompressed)\033[0m"
|
_verbose "Will use kconfig \033[35m$procfs/config.gz (decompressed)\033[0m"
|
||||||
elif [ -n "$opt_config" ]; then
|
elif [ -n "$opt_config" ]; then
|
||||||
_verbose "Will use kconfig \033[35m$opt_config\033[0m"
|
_verbose "Will use kconfig \033[35m$opt_config\033[0m"
|
||||||
else
|
else
|
||||||
|
|
@ -2503,7 +2503,7 @@ check_CVE_2017_5715_linux()
|
||||||
for dir in \
|
for dir in \
|
||||||
/sys/kernel/debug \
|
/sys/kernel/debug \
|
||||||
/sys/kernel/debug/x86 \
|
/sys/kernel/debug/x86 \
|
||||||
/proc/sys/kernel; do
|
"$procfs/sys/kernel"; do
|
||||||
if [ -e "$dir/ibrs_enabled" ]; then
|
if [ -e "$dir/ibrs_enabled" ]; then
|
||||||
# if the file is there, we have IBRS compiled-in
|
# if the file is there, we have IBRS compiled-in
|
||||||
# /sys/kernel/debug/ibrs_enabled: vanilla
|
# /sys/kernel/debug/ibrs_enabled: vanilla
|
||||||
|
|
@ -3191,13 +3191,13 @@ check_CVE_2017_5754_linux()
|
||||||
|
|
||||||
|
|
||||||
# Test if the current host is a Xen PV Dom0 / DomU
|
# Test if the current host is a Xen PV Dom0 / DomU
|
||||||
if [ -d "/proc/xen" ]; then
|
if [ -d "$procfs/xen" ]; then
|
||||||
# XXX do we have a better way that relying on dmesg?
|
# XXX do we have a better way that relying on dmesg?
|
||||||
dmesg_grep 'Booting paravirtualized kernel on Xen$'; ret=$?
|
dmesg_grep 'Booting paravirtualized kernel on Xen$'; ret=$?
|
||||||
if [ $ret -eq 2 ]; then
|
if [ $ret -eq 2 ]; then
|
||||||
_warn "dmesg truncated, Xen detection will be unreliable. Please reboot and relaunch this script"
|
_warn "dmesg truncated, Xen detection will be unreliable. Please reboot and relaunch this script"
|
||||||
elif [ $ret -eq 0 ]; then
|
elif [ $ret -eq 0 ]; then
|
||||||
if [ -e /proc/xen/capabilities ] && grep -q "control_d" /proc/xen/capabilities; then
|
if [ -e "$procfs/xen/capabilities" ] && grep -q "control_d" "$procfs/xen/capabilities"; then
|
||||||
xen_pv_domo=1
|
xen_pv_domo=1
|
||||||
else
|
else
|
||||||
xen_pv_domu=1
|
xen_pv_domu=1
|
||||||
|
|
@ -3241,7 +3241,7 @@ check_CVE_2017_5754_linux()
|
||||||
if [ -n "$kpti_support" ]; then
|
if [ -n "$kpti_support" ]; then
|
||||||
if [ -e "/sys/kernel/debug/x86/pti_enabled" ]; then
|
if [ -e "/sys/kernel/debug/x86/pti_enabled" ]; then
|
||||||
explain "Your kernel supports PTI but it's disabled, you can enable it with \`echo 1 > /sys/kernel/debug/x86/pti_enabled\`"
|
explain "Your kernel supports PTI but it's disabled, you can enable it with \`echo 1 > /sys/kernel/debug/x86/pti_enabled\`"
|
||||||
elif grep -q -w nopti -w pti=off /proc/cmdline; then
|
elif grep -q -w nopti -w pti=off "$procfs/cmdline"; then
|
||||||
explain "Your kernel supports PTI but it has been disabled on command-line, remove the nopti or pti=off option from your bootloader configuration"
|
explain "Your kernel supports PTI but it has been disabled on command-line, remove the nopti or pti=off option from your bootloader configuration"
|
||||||
else
|
else
|
||||||
explain "Your kernel supports PTI but it has been disabled, check \`dmesg\` right after boot to find clues why the system disabled it"
|
explain "Your kernel supports PTI but it has been disabled, check \`dmesg\` right after boot to find clues why the system disabled it"
|
||||||
|
|
@ -3372,9 +3372,9 @@ check_CVE_2018_3639()
|
||||||
if [ "$opt_sysfs_only" != 1 ]; then
|
if [ "$opt_sysfs_only" != 1 ]; then
|
||||||
_info_nol "* Kernel supports speculation store bypass: "
|
_info_nol "* Kernel supports speculation store bypass: "
|
||||||
if [ "$opt_live" = 1 ]; then
|
if [ "$opt_live" = 1 ]; then
|
||||||
if grep -Eq 'Speculation.?Store.?Bypass:' /proc/self/status 2>/dev/null; then
|
if grep -Eq 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null; then
|
||||||
kernel_ssb='found in /proc/self/status'
|
kernel_ssb="found in $procfs/self/status"
|
||||||
_debug "found Speculation.Store.Bypass: in /proc/self/status"
|
_debug "found Speculation.Store.Bypass: in $procfs/self/status"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if [ -z "$kernel_ssb" ] && [ -n "$kernel" ]; then
|
if [ -z "$kernel_ssb" ] && [ -n "$kernel" ]; then
|
||||||
|
|
@ -3582,8 +3582,8 @@ check_CVE_2018_3646()
|
||||||
|
|
||||||
_info "* Mitigation 2"
|
_info "* Mitigation 2"
|
||||||
_info_nol " * L1D flush is supported by kernel: "
|
_info_nol " * L1D flush is supported by kernel: "
|
||||||
if [ "$opt_live" = 1 ] && grep -qw flush_l1d /proc/cpuinfo; then
|
if [ "$opt_live" = 1 ] && grep -qw flush_l1d "$procfs/cpuinfo"; then
|
||||||
l1d_kernel='found flush_l1d in /proc/cpuinfo'
|
l1d_kernel="found flush_l1d in $procfs/cpuinfo"
|
||||||
fi
|
fi
|
||||||
if [ -z "$l1d_kernel" ]; then
|
if [ -z "$l1d_kernel" ]; then
|
||||||
if ! which "${opt_arch_prefix}strings" >/dev/null 2>&1; then
|
if ! which "${opt_arch_prefix}strings" >/dev/null 2>&1; then
|
||||||
|
|
@ -3628,7 +3628,7 @@ check_CVE_2018_3646()
|
||||||
|
|
||||||
_info_nol " * Hardware-backed L1D flush supported: "
|
_info_nol " * Hardware-backed L1D flush supported: "
|
||||||
if [ "$opt_live" = 1 ]; then
|
if [ "$opt_live" = 1 ]; then
|
||||||
if grep -qw flush_l1d /proc/cpuinfo; then
|
if grep -qw flush_l1d "$procfs/cpuinfo"; then
|
||||||
pstatus green YES "performance impact of the mitigation will be greatly reduced"
|
pstatus green YES "performance impact of the mitigation will be greatly reduced"
|
||||||
else
|
else
|
||||||
pstatus blue NO "flush will be done in software, this is slower"
|
pstatus blue NO "flush will be done in software, this is slower"
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue