Which exceptions for ULP exist?

[scmschmidt]

So far I have:

• static binaries
• LD_PRELOAD for SetUID/SetGID binaries
• From internal documentation (Userspace live patching):
  • MemoryDenyWriteExecute=yes in service configuration file.
    In SLES15.4 I found:
    • auditd.service
    • augenrules.service
    • systemd-journald.service
    • systemd-logind.service
    • systemd-udevd.service
    • uuidd.service
• seccomp driver causing calls to mprotect with EXEC flags to be blocked
  (Can this be detected? Do we have a list?)
• I assume SELinux or AppArmor settings?

We need to document the exceptions. Also we should provide admins with the tooling to discover such non-livepatchable processes, so they can restart them.

[giulianobelinassi]

The ulp patches in Libpulp 0.2.10 is able to detect this. When the process is launched with libpulp, its initialization process is able to test its livepatchable capabilities. In such cases ulp patches will report as disabled by some internal error.

[scmschmidt]

I checked with a static binary and auditd and it worked. Thanks.