[klibc] [PATCH v3] kinit: Add drop_capabilities support.

H. Peter Anvin hpa at zytor.com
Mon Aug 22 13:02:32 PDT 2011


On 08/03/2011 09:30 AM, Mike Waychison wrote:
> This patch adds the ability to kinit to allow the dropping of POSIX
> capabilities.
> 
> kinit is modified by this change, such that it understands the new
> kernel command line "drop_capabilities=" that specifies a comma-
> separated list of capability names that should be dropped before
> switching over to the next init in the bootstrap (typically on the root
> disk).
> 
> Dropping of capabilities happens in three parts.  We explicitly drop the
> capability from init's inherited masks.  We also drop the capability
> from the bounding set using PR_CAPBSET_DROP so that later setuid execs
> are bounded.  Lastly, we drop the capabilities from the bset and
> inherited masks exposed at /proc/sys/kernel/usermodehelper if available
> (introduced in Linux v3.0.0).
> 
> In all paths, we treat errors as fatal, as we do not want to continue to
> boot if there was a problem dropping capabilities.  We fail because the
> new drop_capabilities= option on the command line mandates enforcement
> of a security policy, and we should err on the side of caution if we
> ever fail to satisfy the administrator's intention.
> 
> Signed-off-by: Mike Waychison <mikew at google.com>

Looks good to me.

	-hpa
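The three-part drop described in the quoted commit message, written out as an added example. This is not code from the thread or from klibc's kinit; it is a sketch of the same policy in plain C. Assumptions not taken from the message: the capability name table (a constructed subset, numbers taken from <linux/capability.h>), the file names bset and inheritable under /proc/sys/kernel/usermodehelper and their format (two space-separated unsigned words, low word first), and the function names, which are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Constructed name table (a subset); the numbers come from <linux/capability.h>. */
static const struct { const char *name; int num; } cap_names[] = {
    { "cap_chown", CAP_CHOWN }, { "cap_setpcap", CAP_SETPCAP }, { "cap_net_admin", CAP_NET_ADMIN },
    { "cap_net_raw", CAP_NET_RAW }, { "cap_sys_module", CAP_SYS_MODULE }, { "cap_sys_rawio", CAP_SYS_RAWIO },
    { "cap_sys_ptrace", CAP_SYS_PTRACE }, { "cap_sys_admin", CAP_SYS_ADMIN }, { "cap_sys_boot", CAP_SYS_BOOT },
};

/* Capability number for a name of the given length (case-insensitive), or -1 if unknown. */
int cap_number(const char *name, size_t len)
{
    for (size_t i = 0; i < sizeof cap_names / sizeof cap_names[0]; i++)
        if (strlen(cap_names[i].name) == len && strncasecmp(name, cap_names[i].name, len) == 0)
            return cap_names[i].num;
    return -1;
}

/* Parse drop_capabilities=<name>[,<name>...] from a kernel command line: returns the
 * count stored in out (at most max), 0 if the option is absent, -1 on a bad name. */
int parse_drop_capabilities(const char *cmdline, int *out, int max)
{
    static const char key[] = "drop_capabilities=";
    const char *p = cmdline;
    int n = 0;
    /* Accept the option only at the start of a token, not inside another one. */
    while ((p = strstr(p, key)) && p != cmdline && p[-1] != ' ')
        p += sizeof key - 1;
    if (!p)
        return 0;
    for (p += sizeof key - 1; *p && *p != ' '; p += (*p == ',')) {
        size_t len = strcspn(p, ", ");
        int num = len ? cap_number(p, len) : -1;
        if (num < 0)
            return -1;      /* empty field or unknown name: never weaken the policy silently */
        if (n < max)
            out[n] = num;
        n++;
        p += len;
    }
    return n;
}

/* Parts 1 and 2 of the drop: clear the bit in the inheritable set via capset(2),
 * then remove it from the bounding set (PR_CAPBSET_DROP, which requires CAP_SETPCAP). */
int drop_capability(int cap)
{
    struct __user_cap_header_struct hdr = { .version = _LINUX_CAPABILITY_VERSION_3 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    if (syscall(SYS_capget, &hdr, data) < 0)
        return -1;
    data[cap / 32].inheritable &= ~(1U << (cap % 32));
    if (syscall(SYS_capset, &hdr, data) < 0)
        return -1;
    return prctl(PR_CAPBSET_DROP, cap, 0, 0, 0);
}

/* Part 3: clear the bit in one usermodehelper mask file (bset or inheritable).  Assumed
 * format: two space-separated unsigned words, low word first.  ENOENT (kernel < 3.0) is skipped. */
int clear_umh_mask(const char *path, int cap)
{
    unsigned long w[2];
    FILE *f = fopen(path, "r");
    if (!f)
        return errno == ENOENT ? 0 : -1;
    int ok = fscanf(f, "%lu %lu", &w[0], &w[1]) == 2;
    fclose(f);
    if (!ok || !(f = fopen(path, "w")))
        return -1;
    w[cap / 32] &= ~(1UL << (cap % 32));
    ok = fprintf(f, "%lu %lu\n", w[0], w[1]) > 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

/* Apply the whole policy in the administrator's order; the first failure aborts. */
int apply_drop_capabilities(const int *caps, int n)
{
    for (int i = 0; i < n; i++)
        if (drop_capability(caps[i]) < 0 ||
            clear_umh_mask("/proc/sys/kernel/usermodehelper/bset", caps[i]) < 0 ||
            clear_umh_mask("/proc/sys/kernel/usermodehelper/inheritable", caps[i]) < 0)
            return -1;
    return 0;
}
```

In an init, parse_drop_capabilities() would be fed the contents of /proc/cmdline and a non-zero return from apply_drop_capabilities() would stop the boot, matching the fail-closed behaviour the commit message asks for. Two things worth checking when using a list like this: an unknown or empty name is rejected outright rather than skipped, so a typo cannot quietly leave a capability in place, and the bounding-set drop itself needs CAP_SETPCAP, so listing cap_setpcap before other names will make the later drops fail (and therefore abort), which is the safe outcome.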


