Livepatch has fixed kernel vulnerabilities. Or not???

Keith keithw at caramail.com
Thu Apr 20 20:47:49 UTC 2023 

On 4/19/23 11:09 AM, Bo Berglund wrote:
[snipped]
> 
> So now I have tested a few of the items mentioned above and gotten this:
> 
> $ sudo ls -l /root/snap/canonical-livepatch
> total 12
> drwxr-xr-x 2 root root 4096 mar 12 08:26 196
> drwxr-xr-x 2 root root 4096 mar 12 08:26 202
> drwxr-xr-x 2 root root 4096 mar 12 08:26 common
> lrwxrwxrwx 1 root root    3 apr 14 17:54 current -> 202
> 
> $ ls -la ~/snap/canonical-livepatch/
> total 20
> drwxr-xr-x 5 bosse bosse 4096 apr 14 17:54 .
> drwx------ 3 bosse bosse 4096 mar 12 08:26 ..
> drwxr-xr-x 2 bosse bosse 4096 mar 12 08:26 196
> drwxr-xr-x 2 bosse bosse 4096 mar 12 08:26 202
> drwxr-xr-x 2 bosse bosse 4096 mar 12 08:26 common
> lrwxrwxrwx 1 bosse bosse    3 apr 14 17:54 current -> 202
> 
> 
> So there *is* now a canonical-livepatch dir and inside a symlink in both places!
> 
> $ sudo ls -la /var/lib/snapd/
> total 164
> drwxr-xr-x 24 root root  4096 apr 19 17:34 .
> drwxr-xr-x 75 root root  4096 jan  5  2022 ..
> drwxr-xr-x  4 root root  4096 jan  5  2022 apparmor
> drwxr-xr-x  4 root root  4096 jan  5  2022 assertions
> drwxr-xr-x  2 root root  4096 jan  5  2022 auto-import
> drwx------  2 root root  4096 apr 11 23:39 cache
> drwx------  2 root root  4096 mar 12 08:26 cookie
> drwxr-xr-x  4 root root  4096 jan  5  2022 dbus-1
> drwxr-xr-x  4 root root  4096 jan  5  2022 desktop
> drwxr-xr-x  3 root root  4096 jan  5  2022 device
> drwxr-xr-x  2 root root  4096 jan  5  2022 environment
> drwxr-xr-x  2 root root  4096 maj 23  2022 features
> drwxr-xr-x  2 root root  4096 jan  5  2022 firstboot
> drwxr-xr-x  2 root root  4096 jan  5  2022 hostfs
> drwxr-xr-x  2 root root  4096 mar 12 08:26 inhibit
> drwxr-xr-x  6 root root  4096 jan  5  2022 lib
> drwxr-xr-x  2 root root  4096 apr 16 04:59 mount
> drwxr-xr-x  3 root root  4096 jan  5  2022 seccomp
> drwxr-xr-x  4 root root  4096 jan  5  2022 seed
> drwxr-xr-x  2 root root  4096 apr 17 04:44 sequence
> drwxr-xr-x  3 root root  4096 apr 17 04:44 snaps
> drwx------  2 root root  4096 jan  5  2022 snapshots
> drwxr-xr-x  3 root root  4096 jan  5  2022 ssl
> -rw-------  1 root root 60701 apr 19 17:34 state.json
> -rw-r--r--  1 root root     0 apr  4  2022 state.lock
> -rw-r--r--  1 root root   629 mar 21 01:14 system-key
> -rw-r--r--  1 root root    10 jan 10 13:23 system-params
> d--x--x--x  2 root root  4096 jan  5  2022 void
> 
> $ sudo ls -la /var/lib/snapd/cache/
> total 888856
> drwx------  2 root root      4096 apr 11 23:39 .
> drwxr-xr-x 24 root root      4096 apr 19 17:34 ..
> -rw-------  1 root root  64770048 okt  7  2021
> 0570d23d6f7a25be85dff79984bf00c2d60fb51cc7af6833315ba24f5d8f399cabb2456bf9189a8d44ece20922d612d0
> -rw-------  1 root root 254115840 okt  7  2021
> 2eaaf63b7a8ee5928398901040ff4b24221b1162908459f1acd1ad9632f7266565e0900cc34bcc3fbbf77a02240e5a78
> -rw-------  2 root root  10031104 apr 11 23:39
> 5aed3f827d0acf21320166f484a8317e32af100e024f636334d6ac53cbc9675d07232bf694941dbbdd3a1a6eb3afe09d
> -rw-------  1 root root  53522432 jan  8  2021
> 790c957edf90fba117e0a4838c80759bd9298ad8d96bee76b63d7444403419b006b073c69447eb37726e83e0a84daf8b
> -rw-------  2 root root      4096 okt  7  2021
> 8692b00c936f6f46e9063a493de7294ad8285a6c7ddd9de8281f0138c72a9d6186f95004732a840e8d655bac34009732
> -rw-------  1 root root 434470912 okt  4  2022
> c91419f0d2e8df66f175d19cc637710b064f3fd44bd04e577e4795b49ffd5c650abeb32caf2ec4d5da915dbe9ba19801
> -rw-------  1 root root  73834496 okt  4  2022
> f8a6ceb7a7ed81b4f725d2a37facdc5e7c6a9373f1a137ccdd25b1a6757b613002de29186bc640402f7a4d1778c20d85
> -rw-------  1 root root   9396224 mar 12 08:26
> fa732a23552ff31171ff43aa9ac78dc3e4e49b470cda7e83efc627879d597f1c977589d87e23fd309873550460c49138
> -rw-------  1 root root  10027008 apr  5 23:19
> fadbee6b873b51bcaed23b73303c39ad7198e5c7a0d826300ba39923ec89f25200337ac377abcd002cd3bea3ef004deb
> 
> And here we have the cached files again owned by root.
> 
> I guess I should go back to your original steps and perform them again noa that
> I more clearly know what is being done...
> 
> I.e. uninstall canonical-livepatch and delete all cache files, even though they
> might not belong to canonical-livepatch?
> 
> I assume they are not needed but are a means of speeding up updates from locally
> cached files. If not existing then a download will be done, right???
> 
> Still having the reboot message on login but I have not yet rebooted. Such an
> action will disturb two remote locations abroad which connect back home...
> Must be manually reset locally.
> I probably have a window open tomorrow morning though.
> 
> 

The steps I outlined earlier are probably mooted now with the update to 
canonical-livepatch from version 10.5.3 to 10.5.4  When I posted my 
message, livepatch was still on 10.5.3 rev 196, so my directions were to 
see about clearing the config/cache directories and doing a clean 
re-install of that livepatch version to see if any stale file(s) were 
causing livepatch to think a restart was needed even after the system 
had been rebooted. Now that livepatch updated by downloading and 
installing new snap package, the part about clearing the cache files 
isn't needed unless you just want to recover some disk space.

You can still clear the livepatch directories in /root/snap and ~/snap 
by disabling canonical-livepatch, deleting the directories, and then 
re-enabling the service to recreate them again, but I think some of that 
may already done when installing the new version. So again it's probably 
moot at this point.

-- 
Keith

More information about the ubuntu-users mailing list