[klibc] [PATCH v3] kinit: Add drop_capabilities support.

H. Peter Anvin hpa at zytor.com
Mon Aug 22 13:02:32 PDT 2011

On 08/03/2011 09:30 AM, Mike Waychison wrote:
> This patch adds the ability to kinit to allow the dropping of POSIX
> capabilities.
> kinit is modified by this change, such that it understands the new
> kernel command line "drop_capabilities=" that specifies a comma
> separated list of capability names that should be dropped before
> switching over to the next init in the boot strap (typically on the root
> disk).
> Dropping of capabilities happens in three parts.  We explicitly drop the
> capability from init's inherited masks.  We also drop the capability
> from the bounding set using PR_CAPBSET_DROP so that later setuid execs
> are bounded.  Lastly, we drop the capabilities from the bset and
> inherited masks exposed at /proc/sys/kernel/usermodehelper if available
> (introduced in Linux v3.0.0).
> In all paths, we treat errors as fatal, as we do not want to continue to
> boot if there was a problem dropping capabilities.  We fail because the
> new drop_capabilities= option on the command line mandates enforcement
> of a security policy, and we should err on the side of caution if we
> ever fail to satisfy the administrator's intention.
> Signed-off-by: Mike Waychison <mikew at google.com>

Looks good to me.


More information about the klibc mailing list