
Bug#679436: add "drop_capabilities=..." support, like kinit



Package: initramfs-tools
Version: 0.106
Severity: normal
Tags: patch

This adds knowledge of the "drop_capabilities=..." option that kinit
supports. When set, it gets passed to run-init's new "-d" option.

This lets a system owner drop capabilities (like CAP_SYS_MODULE and
CAP_SYS_RAWIO) before the system init starts.

Thanks,

-Kees

-- 
Kees Cook                                            @debian.org
diff -Nru initramfs-tools-0.106/debian/changelog initramfs-tools-0.107~0kees1/debian/changelog
--- initramfs-tools-0.106/debian/changelog	2012-06-07 05:40:53.000000000 -0700
+++ initramfs-tools-0.107~0kees1/debian/changelog	2012-06-28 09:59:06.000000000 -0700
@@ -1,3 +1,11 @@
+initramfs-tools (0.107~0kees1) unstable; urgency=low
+
+  * init: provide logic to mirror the new kinit kernel command line option
+    "drop_capabilities=...". This allows dropping of capabilities before
+    system's init runs, via new -d option to run-init.
+
+ -- Kees Cook <kees@debian.org>  Thu, 28 Jun 2012 09:52:04 -0700
+
 initramfs-tools (0.106) unstable; urgency=high
 
   [ Josh Triplett ]
diff -Nru initramfs-tools-0.106/init initramfs-tools-0.107~0kees1/init
--- initramfs-tools-0.106/init	2012-06-06 06:04:52.000000000 -0700
+++ initramfs-tools-0.107~0kees1/init	2012-06-28 09:56:59.000000000 -0700
@@ -54,6 +54,7 @@
 export blacklist=
 export resume=
 export resume_offset=
+export drop_caps=
 
 # Bring in the main config
 . /conf/initramfs.conf
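Review bot: `export drop_caps=` puts the "-d ..." option string into the environment that the real init inherits through run-init, while the unset list further down in this file is there precisely to keep that environment small. If only this script reads the variable, a plain `drop_caps=` keeps it out of init's environment; if hook scripts under /scripts are expected to read it, say so in a comment next to the export so the choice is deliberate.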
@@ -140,6 +141,9 @@
 	noresume)
 		noresume=y
 		;;
+	drop_capabilities=*)
+		drop_caps="-d ${x#drop_capabilities=}"
+		;;
 	panic=*)
 		panic="${x#panic=}"
 		case ${panic} in
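Review bot: An empty value, `drop_capabilities=` with nothing after the `=`, sets drop_caps to `-d ` (non-empty), so the run-init branch in the last hunk expands the unquoted `${drop_caps}` to a bare `-d` and `${rootmnt}` is consumed as the capability list, while the switch_root branch is skipped because the variable is non-empty. Guard the assignment: `[ -n "${x#drop_capabilities=}" ] && drop_caps="-d ${x#drop_capabilities=}"`. The value is otherwise handed to run-init unvalidated, which is fine only if run-init itself rejects unknown capability names; worth confirming against run-init's -d parsing. The enclosing case statement starts and ends outside the hunk.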
@@ -289,7 +293,7 @@
 maybe_break init
 
 # don't leak too much of env - some init(8) don't clear it
-# (keep init, rootmnt)
+# (keep init, rootmnt, drop_caps)
 unset debug
 unset MODPROBE_OPTIONS
 unset DPKG_ARCH
@@ -315,10 +319,10 @@
 mount -n -o move /proc ${rootmnt}/proc
 
 # Chain to real filesystem
-if command -v switch_root >/dev/null 2>&1; then
+if [ -z "$drop_caps" ] && command -v switch_root >/dev/null 2>&1; then
 	exec switch_root ${rootmnt} ${init} "$@" <${rootmnt}/dev/console >${rootmnt}/dev/console
 elif command -v run-init >/dev/null 2>&1; then
-	exec run-init ${rootmnt} ${init} "$@" <${rootmnt}/dev/console >${rootmnt}/dev/console
+	exec run-init ${drop_caps} ${rootmnt} ${init} "$@" <${rootmnt}/dev/console >${rootmnt}/dev/console
 fi
 echo "Something went badly wrong in the initramfs."
 panic "Please file a bug on initramfs-tools."
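Review bot: When drop_caps is set but run-init is not available, the new `[ -z "$drop_caps" ]` condition makes the script fall through to the generic "Something went badly wrong" panic; failing closed rather than silently booting via switch_root without the drop is the right choice, but the operator gets no hint that drop_capabilities= caused it. A one-line diagnostic before the panic, `[ -n "$drop_caps" ] && echo "drop_capabilities= requires run-init, which is not available."`, would make the failure self-explanatory. The unquoted `${drop_caps}` on the exec line relies on word-splitting to separate `-d` from its argument; a comment such as `# drop_caps is "-d <list>" and must stay unquoted` would stop a later quoting cleanup from breaking it.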
