3.3 Managing the Enhanced Ksplice Client

You manage the enhanced Ksplice client by using the ksplice command instead of the uptrack commands that are used with the traditional Ksplice client. The ksplice command allows you to perform user-space patching in addition to kernel patching.

To display the running user-space processes that the client can patch, use the ksplice all list-targets command, for example:

# ksplice all list-targets
User-space targets:

  └─ gnome-shell (3783)

  ├─ firewalld (680)
  ├─ tuned (695)
  ├─ libvirtd (1492)
  ├─ sshd (1497)
  ├─ httpd (1503)
  ├─ httpd (1706)
  ├─ httpd (1707)
  ├─ httpd (1708)
  ├─ httpd (1709)
  ├─ httpd (1710)
  ├─ colord (1942)
  ├─ gdm-session-wor (3418)
  ├─ gnome-session (3460)
  ├─ gvfsd (3534)
  ├─ gvfsd-fuse (3555)
  ├─ ssh-agent (3617)
  ├─ gnome-settings- (3658)
  ├─ gvfs-udisks2-vo (3727)
  ├─ gvfs-afc-volume (3754)
  ├─ gvfs-mtp-volume (3761)
  ├─ gvfs-gphoto2-vo (3765)
  ├─ gvfs-goa-volume (3769)
  ├─ goa-daemon (3772)
  ├─ gnome-shell (3783)
  ├─ ibus-daemon (3817)
  ├─ ibus-dconf (3821)
  ├─ ibus-x11 (3823)
  ├─ evolution-sourc (3853)
  ├─ nautilus (3882)
  ├─ ibus-engine-sim (3884)
  ├─ tracker-store (3943)
  ├─ abrt-applet (3980)
  ├─ tracker-miner-f (4040)
  ├─ gvfsd-trash (4062)
  ├─ sshd (29328)
  ├─ packagekitd (29465)
  └─ python (29679)
Kernel version: Linux/x86_64/3.10.0-229.el7.x86_64/#1 SMP Fri Mar 6 04:05:24 PST 2015

For each Ksplice-aware library, the command reports the running processes that would be affected by an update. The command also reports the effective version of the loaded kernel.

To display the updates that have been applied to the system, use the ksplice all show command:

# ksplice all show
httpd (1706)
httpd (1708)
httpd (1707)
httpd (1709)
httpd (1710)
rsyslogd (689)
chronyd (705)
httpd (1503)
  ├─ [h73qvumn]: CVE-2014-7817: Command execution in wordexp().
  └─ [ml55ngz4]: CVE-2015-1781: Privilege escalation in gethostbyname_r().

Ksplice kernel updates installed:

Installed updates:
[rfywob9d] Clear garbage data on the kernel stack when handling signals.
[6w5ho5e2] Provide an interface to freeze tasks.
[ftjj21d0] CVE-2015-1421: Privilege escalation in SCTP INIT collisions.
[kw5m66w8] CVE-2015-8159: Privilege escalation in Infiniband userspace access.
[2w6jgsn7] CVE-2015-3331: Privilege escalation in Intel AES RFC4106 decryption.
[p0gek4ir] CVE-2014-9420: Infinite loop in isofs when parsing continuation entries.
[sjqkwypd] CVE-2014-9529: Use-after-free when garbage collecting keys.
[tfn81scy] CVE-2015-1593: Stack layout randomization entropy reduction.
[jga5l35w] CVE-2015-1573: Use-after-free when flushing netfilter rules.
[gdzmj5lc] CVE-2014-9584: Out-of-bounds memory access in ISO filesystem when printing ER records.
[01560qvg] CVE-2015-2830: mis-handling of int80 fork from 64bits application.
[7ylonu77] CVE-2015-1805: Memory corruption in handling of userspace pipe I/O vector.
[7yehlpm8] Kernel hang on UDP flood with wrong checksums.
[xp1v1o7h] CVE-2014-9715: Remote code execution in the netfilter connection tracking subsystem.
[89yjgn50] CVE-2015-3636: Memory corruption when unhashing IPv4 ping sockets.
[g327jyvw] CVE-2015-2922: Denial-of-service of IPv6 networks when handling router advertisements.

The command reports both the updates that have been applied to running processes and to the kernel. In this example, Ksplice has applied updates for CVE-2014-7817 and CVE-2015-1781 to all of the listed processes.

To restrict the scope of the ksplice command to user-space updates or to kernel updates, specify user or kernel instead of all to the command.

To display the updates that have been applied to a process specified by its PID, use the --pid=PID option with the ksplice user show command:

# ksplice user show --pid=705
chronyd (705)
  ├─ [h73qvumn]: CVE-2014-7817: Command execution in wordexp().
  └─ [ml55ngz4]: CVE-2015-1781: Privilege escalation in gethostbyname_r().

You can use the remove subcommand to remove all updates from a process, for example:

# ksplice user remove --all --pid=705

To remove a specific update that Ksplice has applied to a process, use the undo subcommand.

# ksplice user undo --pid=705 h73qvumn

If necessary, you can prevent Ksplice from patching specified executables and libraries. See Section 3.4, “Preventing Ksplice from Patching User-Space Processes and Libraries”.

Ksplice patches are stored in /var/cache/uptrack. Following a reboot, Ksplice automatically re-applies these patches very early in the boot process before the network is configured, so that the system is hardened before any remote connections can be established.

To list the available Ksplice updates, use the upgrade subcommand. For example, list all available kernel updates:

# ksplice -n kernel upgrade

To install all available Ksplice updates, use the upgrade subcommand. For example, install all available user-space updates:

# ksplice -y user upgrade

After Ksplice has applied updates to a running kernel, the kernel has an effective version that is different from the original boot version displayed by the uname -a command. Use the ksplice kernel uname -r command to display the effective version of the kernel:

# ksplice kernel uname -r

The ksplice kernel uname command supports the commonly used uname flags, including -a and -r, and provides a way for applications to detect that the kernel has been patched. The effective version is based on the version number of the latest patch that Ksplice Uptrack has applied to the kernel.

To view the updates that Ksplice Uptrack has made to the running kernel:

# ksplice kernel show

To view the updates that are available to be installed:

# ksplice kernel show --available

To remove all updates from the kernel:

# ksplice kernel remove --all

To prevent Ksplice from reapplying the updates at the next system reboot, create the empty file /etc/uptrack/disable:

# touch /etc/uptrack/disable

Alternatively, specify nouptrack as a parameter on the boot command line when you next restart the system.

For more information about using the ksplice command, see the ksplice(8) manual page.