From: maximilian attems <max@stro.at>
To: Mike Waychison <mikew@google.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>,
	"Andrew G. Morgan" <agm@google.com>,
	Alan Cox <alan@lxorguk.ukuu.org.uk>,
	Eric Northup <digitaleric@google.com>,
	Eric Paris <eparis@parisplace.org>,
	klibc@zytor.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3] kinit: Add drop_capabilities support.
Date: Mon, 22 Aug 2011 22:31:02 +0200
Message-ID: <20110822203102.GA22687@stro.at>
In-Reply-To: <20110803163046.29085.89618.stgit@mike2.sea.corp.google.com>

On Wed, 03 Aug 2011, Mike Waychison wrote:

> This patch adds the ability to kinit to allow the dropping of POSIX
> capabilities.
> 
> kinit is modified by this change, such that it understands the new
> kernel command line "drop_capabilities=" that specifies a comma
> separated list of capability names that should be dropped before
> switching over to the next init in the boot strap (typically on the root
> disk).
> 
> Dropping of capabilities happens in three parts.  We explicitly drop the
> capability from init's inherited masks.  We also drop the capability
> from the bounding set using PR_CAPBSET_DROP so that later setuid execs
> are bounded.  Lastly, we drop the capabilities from the bset and
> inherited masks exposed at /proc/sys/kernel/usermodehelper if available
> (introduced in Linux v3.0.0).
> 
> In all paths, we treat errors as fatal, as we do not want to continue to
> boot if there was a problem dropping capabilities.  We fail because the
> new drop_capabilities= option on the command line mandates enforcement
> of a security policy, and we should err on the side of caution if we
> ever fail to satisfy the administrator's intention.
> 
> Signed-off-by: Mike Waychison <mikew@google.com>
> ---
> v3
>     - Removed special handling of dropping CAP_SETPCAP now that we are
>       only dropping the capability from the inherited mask as suggested
>       by Andrew Morgan.
> v2
>     - Only drop from the inherited capabilities mask.  Only this mask
>       was required as per Andrew Morgan.  This also allows us to
>       continue having capabilities to call run-init later on, allowing
>       the following:
>     - Moved dropping of capabilities out of run-init and into kinit.
>       This was required to ensure access to the proc filesystem, which
>       is required for manipulating the masks the kernel uses when
>       spawning new tasks on the kernel's behalf via the
>       call_usermodehelper() routine.
>     - Fixed paths to the usermodehelper settings files.
>     - Fixed sscanf to allow for a newline character when reading the
>       usermodehelper capability mask settings.
>     - Fixed the return check of the write to the usermodehelper files.
>       These proc files return 0 on successful write(2).
>     - Added a format attribute to the fail() wrapper for better
>       compiler warnings.
>     - Removed kernel version check.  The boot will now always fail if we
>       could not manipulate the usermodehelper settings.
>     - Sent as a single patch as capset/capget are now in klibc master.
> ---

Should appear shortly on:
http://git.kernel.org/?p=libs/klibc/klibc.git;a=summary
Applied and pushed. Thank you!

-- 
maks
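The three-part drop that the quoted patch description lays out, written up as an added C example (not the kinit patch itself and not klibc code): part 1 clears bits in init's own inherited mask via capget/capset, part 2 drops from the bounding set with PR_CAPBSET_DROP, part 3 rewrites /proc/sys/kernel/usermodehelper/bset and /inheritable. The function names, the raw syscall(2) use, and the two-decimal-word text format assumed for the proc files are this example's own assumptions; the first two parts and the file write need CAP_SETPCAP and root, so only the pure text rewrite is exercised without privilege.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Part 1: clear the bits in init's own inheritable set with capget/capset. */
int drop_inheritable(unsigned long long mask)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    if (syscall(SYS_capget, &hdr, d) < 0) return -1;
    d[0].inheritable &= ~(unsigned)mask; d[1].inheritable &= ~(unsigned)(mask >> 32);
    return syscall(SYS_capset, &hdr, d) < 0 ? -1 : 0;
}

/* Part 2: drop from the bounding set so later setuid execs are bounded too (needs CAP_SETPCAP). */
int drop_bounding(unsigned long long mask)
{
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++)
        if (((mask >> cap) & 1) && prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) < 0)
            return -1;
    return 0;
}

/* Part 3, pure half: rewrite a usermodehelper mask file's text with the bits
 * cleared. Assumed format (not on the page): two decimal u32 words, low word
 * first, then the newline the v2 sscanf fix tolerates. Returns length or -1. */
int rewrite_umh_mask(const char *in, unsigned long long drop, char *out, size_t outsz)
{
    unsigned lo, hi;
    if (sscanf(in, "%u %u\n", &lo, &hi) != 2) return -1;
    lo &= ~(unsigned)drop; hi &= ~(unsigned)(drop >> 32);
    return snprintf(out, outsz, "%u %u\n", lo, hi);
}

/* Part 3, I/O half, for /proc/sys/kernel/usermodehelper/{bset,inheritable}.
 * A successful write(2) here returns 0 (v2 changelog), so only < 0 is an error. */
int drop_usermodehelper(const char *path, unsigned long long mask)
{
    char in[64] = { 0 }, out[64]; int fd, n;
    if ((fd = open(path, O_RDONLY)) < 0) return -1;
    n = read(fd, in, sizeof in - 1); close(fd);
    if (n <= 0 || (n = rewrite_umh_mask(in, mask, out, sizeof out)) < 0) return -1;
    if ((fd = open(path, O_WRONLY)) < 0) return -1;
    n = write(fd, out, n) < 0 ? -1 : 0; close(fd);
    return n;
}
```

Any failure in any part is fatal in kinit, as the description says; a caller would chain the four functions and refuse to hand over to the next init on the first non-zero return.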
