[klibc] [PATCH v1 0/2] Support dropping of capabilities from early userspace.

Mike Waychison mikew at google.com
Tue Jul 19 13:38:43 PDT 2011


This patchset applies to klibc mainline.  As is, it will probably collide
with Maximilian's recent patch to rename run-init to switch_root, posted
last week.

To boot an untrusted environment with certain capabilities locked out,
we'd like to be able to drop the capabilities up front from early
userspace, before we actually transition onto the root volume.

This patchset implements this by adding a "drop capabilities" ability to
both kinit and run-init in the klibc package.  For kinit, it now
understands a new kernel command line option, "drop_capabilities", that
specifies a comma-separated list of capability names that should be
dropped right before execing the next init binary on the next root
device.

run-init also has the ability to use this drop_capabilities function by
specifying capabilities that should be dropped with a new command line
flag, '-d'.

Given that this patchset is meant to help secure boots, we treat any
errors as total failure to boot by exiting the process with a failing
exit code.

Thanks,

Mike Waychison

Related discussions
===================
    - Thread discussing my wanting to compile out kernel interfaces that
      we do not want to expose to the userspace environment, with Alan
      Cox convincing me that I really just want to disable certain
      capabilities:

      https://lkml.org/lkml/2011/7/15/412

Patchset summary
================

syscalls: Add capset and capget
run-init: Add drop_capabilities support.
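As an added illustration of what the drop_capabilities path described above has to do (my own example, not code from this patchset or from klibc): the comma-separated name list is resolved against a capability name table, then each named capability is removed from the bounding set with prctl() and from the effective, permitted and inheritable sets with the raw capget/capset syscalls, and any unknown name or failed syscall is reported as an error so the caller can refuse to boot. The name table is a constructed subset and the function names are assumptions.

```c
#define _GNU_SOURCE
#include <string.h>
#include <strings.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Constructed subset of the kernel's capability names; a real tool carries the full table. */
static const struct { const char *name; int cap; } cap_names[] = {
    { "sys_module", CAP_SYS_MODULE }, { "sys_rawio", CAP_SYS_RAWIO }, { "sys_admin", CAP_SYS_ADMIN },
    { "net_admin",  CAP_NET_ADMIN  }, { "sys_boot",  CAP_SYS_BOOT  }, { "mknod",     CAP_MKNOD     },
};

/* Map "sys_module" or "CAP_SYS_MODULE" to its CAP_* number; -1 if unknown. */
int cap_from_name(const char *name)
{
    if (strncasecmp(name, "cap_", 4) == 0) name += 4;
    for (size_t i = 0; i < sizeof cap_names / sizeof cap_names[0]; i++)
        if (strcasecmp(name, cap_names[i].name) == 0) return cap_names[i].cap;
    return -1;
}

/* Parse the comma-separated drop_capabilities= value into a bitmask.  An unknown
 * name is an error: a secure boot should fail rather than silently keep a capability. */
int parse_drop_list(const char *list, unsigned long long *mask)
{
    char buf[256], *tok, *save;
    if (strlen(list) >= sizeof buf) return -1;
    strcpy(buf, list);
    *mask = 0;
    for (tok = strtok_r(buf, ",", &save); tok; tok = strtok_r(NULL, ",", &save)) {
        int c = cap_from_name(tok);
        if (c < 0) return -1;
        *mask |= 1ULL << c;
    }
    return 0;
}

/* Drop each capability in mask from the bounding set (so a later exec cannot regain it
 * through file capabilities) and from the effective, permitted and inheritable sets. */
int drop_capabilities(unsigned long long mask)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    __u32 lo = (__u32)mask, hi = (__u32)(mask >> 32);
    for (int c = 0; c <= CAP_LAST_CAP; c++)
        if (((mask >> c) & 1) && prctl(PR_CAPBSET_DROP, c, 0, 0, 0) < 0) return -1;
    if (syscall(SYS_capget, &hdr, data) < 0) return -1;
    data[0].effective &= ~lo; data[0].permitted &= ~lo; data[0].inheritable &= ~lo;
    data[1].effective &= ~hi; data[1].permitted &= ~hi; data[1].inheritable &= ~hi;
    return (int)syscall(SYS_capset, &hdr, data);
}
```

drop_capabilities() needs CAP_SETPCAP for the bounding-set drop, which early userspace running as root has; on failure the caller should exit non-zero rather than continue, as the cover letter describes.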