06-28-2012, 05:03 PM
Kees Cook

Bug#679436: add "drop_capabilities=..." support, like kinit

Package: initramfs-tools
Version: 0.106
Severity: normal
Tags: patch

This adds knowledge of the "drop_capabilities=..." option that kinit
supports. When set, it gets passed to run-init's new "-d" option.

This lets a system owner drop capabilities (like CAP_SYS_MODULE and
CAP_SYS_RAWIO) before the system init starts.

Thanks,

-Kees

--
Kees Cook @debian.org
diff -Nru initramfs-tools-0.106/debian/changelog initramfs-tools-0.107~0kees1/debian/changelog
--- initramfs-tools-0.106/debian/changelog 2012-06-07 05:40:53.000000000 -0700
+++ initramfs-tools-0.107~0kees1/debian/changelog 2012-06-28 09:59:06.000000000 -0700
@@ -1,3 +1,11 @@
+initramfs-tools (0.107~0kees1) unstable; urgency=low
+
+ * init: provide logic to mirror the new kinit kernel command line option
+ "drop_capabilities=...". This allows dropping of capabilities before
+ system's init runs, via new -d option to run-init.
+
+ -- Kees Cook <kees@debian.org> Thu, 28 Jun 2012 09:52:04 -0700
+
initramfs-tools (0.106) unstable; urgency=high

[ Josh Triplett ]
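Review bot: the changelog entry relies on a "new -d option to run-init", but the patch as posted changes only debian/changelog and init. run-init is shipped by klibc-utils, so without a versioned dependency on a klibc-utils release that implements -d, this init can be installed next to an older run-init that does not know the option, and a boot with drop_capabilities= set would end in the panic path. Consider adding that versioned dependency in debian/control, and state in the entry that switch_root is skipped whenever the option is set.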
diff -Nru initramfs-tools-0.106/init initramfs-tools-0.107~0kees1/init
--- initramfs-tools-0.106/init 2012-06-06 06:04:52.000000000 -0700
+++ initramfs-tools-0.107~0kees1/init 2012-06-28 09:56:59.000000000 -0700
@@ -54,6 +54,7 @@
export blacklist=
export resume=
export resume_offset=
+export drop_caps=

# Bring in the main config
. /conf/initramfs.conf
@@ -140,6 +141,9 @@
noresume)
noresume=y
;;
+ drop_capabilities=*)
+ drop_caps="-d ${x#drop_capabilities=}"
+ ;;
panic=*)
panic="${x#panic=}"
case ${panic} in
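Review bot: in the drop_capabilities=*) branch the value is used unchecked, so a bare drop_capabilities= on the kernel command line yields drop_caps="-d " and, because ${drop_caps} is later expanded unquoted, run-init receives -d followed by ${rootmnt} as the capability list, shifting every remaining argument. Ignore or reject an empty value here, for example by stripping the prefix into a temporary variable and only setting drop_caps when that variable is non-empty. The patch also adds no documentation for the new boot option.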
@@ -289,7 +293,7 @@
maybe_break init

# don't leak too much of env - some init(8) don't clear it
-# (keep init, rootmnt)
+# (keep init, rootmnt, drop_caps)
unset debug
unset MODPROBE_OPTIONS
unset DPKG_ARCH
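Review bot: the updated comment keeps drop_caps alongside init and rootmnt, but the first init hunk declares it with export drop_caps=, so the "-d ..." string ends up in the environment of the real init, which is what the "don't leak too much of env" comment is trying to limit. drop_caps is only consumed by this script on the run-init line, so a plain assignment (drop_caps= without export) keeps it out of init's environment with no other change needed.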
@@ -315,10 +319,10 @@
mount -n -o move /proc ${rootmnt}/proc

# Chain to real filesystem
-if command -v switch_root >/dev/null 2>&1; then
+if [ -z "$drop_caps" ] && command -v switch_root >/dev/null 2>&1; then
exec switch_root ${rootmnt} ${init} "$@" <${rootmnt}/dev/console >${rootmnt}/dev/console
elif command -v run-init >/dev/null 2>&1; then
- exec run-init ${rootmnt} ${init} "$@" <${rootmnt}/dev/console >${rootmnt}/dev/console
+ exec run-init ${drop_caps} ${rootmnt} ${init} "$@" <${rootmnt}/dev/console >${rootmnt}/dev/console
fi
echo "Something went badly wrong in the initramfs."
panic "Please file a bug on initramfs-tools."
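Review bot: with [ -z "$drop_caps" ] added to the switch_root test, a system that has switch_root but no run-init falls through both branches when drop_capabilities= is set and lands on the generic "Something went badly wrong in the initramfs." panic. Refusing to boot rather than starting init with full capabilities is the right outcome, but the message should say why: add an else branch or an echo before the panic that names the missing run-init when drop_caps is non-empty, so the failure is not reported as an initramfs-tools bug.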
 
