lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1184856088.17338.513.camel@moss-spartans.epoch.ncsc.mil>
Date:	Thu, 19 Jul 2007 10:41:28 -0400
From:	Stephen Smalley <sds@...ho.nsa.gov>
To:	Bodo Eggert <7eggert@....de>
Cc:	Rob Landley <rob@...dley.net>, linux-kernel@...r.kernel.org,
	James Morris <jmorris@...ei.org>,
	Chris Wright <chrisw@...s-sol.org>
Subject: Re: [PATCH 0/3][try 1] init: enable system-on-initramfs

On Thu, 2007-07-19 at 15:56 +0200, Bodo Eggert wrote:
> On Wed, 18 Jul 2007, Rob Landley wrote:
> > On Friday 13 July 2007 2:56:00 pm Bodo Eggert wrote:
> 
> > > I toyed with setting up a diskless system in initramfs. In the process, I
> > > came across some things:
> > >
> > > 1)  There is no way to have the kernel not mount a filesystem,
> > >     unless you use /init or rdinit=.
> > 
> > Er, yes.  By design.
> > 
> > The kernel has to run an init program in order to hand off control to 
> > userspace.  In initramfs, this is defined as /init.  It looks in exactly one 
> > documented place.
> > 
> > The older root= mechanism fell back to a half-dozen places (eventually trying 
> > things like /bin/sh if it couldn't find anything else).  This is because 
> > there wasn't a documented standard for what should be executed, like there is 
> > with initramfs.
> 
> Ever since I started using linux in 1997, the first program to run from an
> installed system was /sbin/init. (I might think about removing the other 
> paths.)
> 
> The ramfs' /init was intended for system setup, which is a separate job.
> It is not intended to be the program running the system. Mixing those two
> up just does not feel right. Setting root= in order to change the root
> directory is much more natural.
> 
> > > 1a) In the process of writing these patches, I found prepare_namespace not
> > > to be called if /init is present. prepare_namespace will call
> > >     security_sb_post_mountroot after mounting the root fs. I did not yet
> > > see a way to call this from /init, and grepping kinit for "security" did
> > > not help, too.
> > 
> > I don't use selinux.  I'm neither a Fortune 500 company nor the NSA.
> 
> That's no reason for keeping bugs in that part.
> 
> > However, if you don't trust your own initramfs, where everything starts out 
> > running as root, you have bigger problems.
> 
> Using that argument, you can deduce that nobody would need selinux at all.
> Obviously some people disagree, and maybe some of them are no fools,
> therefore we should try to DTRT for them and do the callback when it's
> supposed to happen.

Not wanting to get into any flamewars here about selinux, but just FYI:
security_sb_post_mountroot is obsolete and can be removed without harm
to selinux; it is a leftover of selinux before we moved the initial
policy load to userspace.  These days, initial policy load is done
by /sbin/init in most distros that support selinux, although I'd prefer
to do it earlier from the initramfs (the Fedora folks didn't like that
idea though at the time, so /sbin/init got patched instead - but that
was back in 2003, so maybe things have changed).

-- 
Stephen Smalley
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ