Package: initramfs-tools
Version: 0.106
Severity: normal
Tags: patch

This adds knowledge of the "drop_capabilities=..." option that kinit
supports. When set, it gets passed to run-init's new "-d" option.

This lets a system owner drop capabilities (like CAP_SYS_MODULE and
CAP_SYS_RAWIO) before the system init starts.

Thanks,

-Kees

-- 
Kees Cook                                            @debian.org
diff -Nru initramfs-tools-0.106/debian/changelog 
initramfs-tools-0.107~0kees1/debian/changelog
--- initramfs-tools-0.106/debian/changelog      2012-06-07 05:40:53.000000000 
-0700
+++ initramfs-tools-0.107~0kees1/debian/changelog       2012-06-28 
09:59:06.000000000 -0700
@@ -1,3 +1,11 @@
+initramfs-tools (0.107~0kees1) unstable; urgency=low
+
+  * init: provide logic to mirror the new kinit kernel command line option
+    "drop_capabilities=...". This allows dropping of capabilities before
+    system's init runs, via new -d option to run-init.
+
+ -- Kees Cook <k...@debian.org>  Thu, 28 Jun 2012 09:52:04 -0700
+
 initramfs-tools (0.106) unstable; urgency=high
 
   [ Josh Triplett ]
diff -Nru initramfs-tools-0.106/init initramfs-tools-0.107~0kees1/init
--- initramfs-tools-0.106/init  2012-06-06 06:04:52.000000000 -0700
+++ initramfs-tools-0.107~0kees1/init   2012-06-28 09:56:59.000000000 -0700
@@ -54,6 +54,7 @@
 export blacklist=
 export resume=
 export resume_offset=
+export drop_caps=
 
 # Bring in the main config
 . /conf/initramfs.conf
@@ -140,6 +141,9 @@
        noresume)
                noresume=y
                ;;
+       drop_capabilities=*)
+               drop_caps="-d ${x#drop_capabilities=}"
+               ;;
        panic=*)
                panic="${x#panic=}"
                case ${panic} in
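Review bot: An empty value, i.e. `drop_capabilities=` with nothing after the `=`, sets drop_caps to `"-d "`, which after unquoted expansion on the run-init line becomes a bare `-d` that consumes `${rootmnt}` as its capability list and shifts every following argument by one. Guard the assignment so an empty list is ignored: `caps="${x#drop_capabilities=}"` followed by `[ -n "${caps}" ] && drop_caps="-d ${caps}"`. Because drop_caps is later expanded unquoted (word-splitting is relied on to separate `-d` from the list), it is also worth rejecting values with characters outside the expected set, e.g. `case ${caps} in *[!A-Za-z0-9_,]*) panic "bad drop_capabilities= value" ;; esac`, so that globbing or stray whitespace in a hand-edited boot entry cannot alter the argument vector. The enclosing `case ${x} in` loop over the kernel command line starts outside this hunk.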
@@ -289,7 +293,7 @@
 maybe_break init
 
 # don't leak too much of env - some init(8) don't clear it
-# (keep init, rootmnt)
+# (keep init, rootmnt, drop_caps)
 unset debug
 unset MODPROBE_OPTIONS
 unset DPKG_ARCH
@@ -315,10 +319,10 @@
 mount -n -o move /proc ${rootmnt}/proc
 
 # Chain to real filesystem
-if command -v switch_root >/dev/null 2>&1; then
+if [ -z "$drop_caps" ] && command -v switch_root >/dev/null 2>&1; then
        exec switch_root ${rootmnt} ${init} "$@" <${rootmnt}/dev/console 
>${rootmnt}/dev/console
 elif command -v run-init >/dev/null 2>&1; then
-       exec run-init ${rootmnt} ${init} "$@" <${rootmnt}/dev/console 
>${rootmnt}/dev/console
+       exec run-init ${drop_caps} ${rootmnt} ${init} "$@" 
<${rootmnt}/dev/console >${rootmnt}/dev/console
 fi
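Review bot: When `drop_capabilities=` is given but the initramfs has switch_root and no run-init, the new `[ -z "$drop_caps" ]` guard skips switch_root and control falls through to the generic "Something went badly wrong" / "Please file a bug" panic, which misdirects the operator even though failing closed is the right outcome for a capability-dropping option. Make the cause visible with an explicit branch before the fallthrough: `elif [ -n "$drop_caps" ]; then` and `panic "drop_capabilities= requires run-init (klibc-utils), which is not in this initramfs"`. A short comment on the guard line, e.g. `# switch_root cannot drop capabilities; only run-init -d can`, would also explain why a security option disables the otherwise preferred tool.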
 echo "Something went badly wrong in the initramfs."
 panic "Please file a bug on initramfs-tools."
