Re: [PATCH v1 2/2] run-init: Add drop_capabilities support.

[Maximilian Attems <max@stro.at>]

On Fri, 29 Jul 2011, Mike Waychison wrote:

> On Fri, Jul 29, 2011 at 1:45 PM, Maximilian Attems <max@stro.at> wrote:
> > On Tue, 19 Jul 2011, Mike Waychison wrote:
> >
> >> This patch adds the ability to run-init to allow the dropping of
> >> POSIX capabilities.
> >>
> >> This works by adding a "-d" flag to run-init, which takes a comma
> >> separated list of capability names that should be dropped right before
> >> exec'ing the real init binary.
> >>
> >> kinit is also modified by this change, such that it understands the same
> >> argument when prepended with "drop_capabilities=" on the kernel command
> >> line.
> >>
> >> When processing capabilities to drop, CAP_SETPCAP is special cased to be
> >> dropped last, so that the order that capabilities are given does not
> >> cause dropping of later enumerated capabilities to fail if it is listed
> >> early on.
> >>
> >> Dropping of capabilities happens in three parts.  We explicitly drop the
> >> capability from init's inherited, permitted and effective masks.  We
> >> also drop the capability from the bounding set using PR_CAPBSET_DROP.
> >> Lastly, if available, we drop the capabilities from the bset and
> >> inheritted masks exposed at /proc/sys/kernel/usermodehelper if available
> >> (introduced in v3.0.0).
> >
> > hmm as 3.0 is out, I don't think we need more backward compatibility.
> > do you have a strong arg for it?
> > especially since this is an *optional* calling arg I really don't see
> > the need of that backward crap.
> 
> I'd like to keep it for the time being. I'm still building both 2.6.34
> and 2.6.39 kernels at the moment, though I can maintain these last few
> compatibility bits in-house if that makes it easier for you.

you include anyway linux/version.h, would build disabling help you?
that way that macro doesn't need duplicating.