Message-ID: <20110719203843.646.73383.stgit@mike2.sea.corp.google.com>
Date:	Tue, 19 Jul 2011 13:38:43 -0700
From:	Mike Waychison <mikew@...gle.com>
To:	"Andrew G. Morgan" <agm@...gle.com>,
	Maximilian Attems <max@...o.at>,
	Eric Northup <digitaleric@...gle.com>,
	Alan Cox <alan@...rguk.ukuu.org.uk>,
	"H. Peter Anvin" <hpa@...or.com>
Cc:	Eric Paris <eparis@...isplace.org>, klibc@...or.com,
	linux-kernel@...r.kernel.org
Subject: [PATCH v1 0/2] Support dropping of capabilities from early userspace.

This patchset applies to klibc mainline.  As is, it will probably collide
with Maximilian's recent patch to rename run-init to switch_root posted
last week.

To boot an untrusted environment with certain capabilities locked out,
we'd like to be able to drop the capabilities up front from early
userspace, before we actually transition onto the root volume.

This patchset implements this by adding a "drop capabilities" ability to
both kinit and run-init in the klibc package.  For kinit, it now
understands a new kernel command line option, "drop_capabilities" that
specifies a comma separated list of capability names that should be
dropped right before execing the next init binary on the next root
device.

run-init also has the ability to use this drop_capabilities function by
specifying capabilities that should be dropped with a new command line
flag, '-d'.

Given that this patchset is meant to help secure boots, we treat any
errors as total failure to boot by exiting the process with a failing
exit code.

Thanks,

Mike Waychison

Related discussions
===================
    - Thread discussing my wanting to compile out kernel interfaces that
      we do not want to expose to the userspace environment, with Alan
      Cox convincing me that I really just want to disable certain
      capabilities:

      https://lkml.org/lkml/2011/7/15/412

Patchset summary
================

syscalls: Add capset and capget
run-init: Add drop_capabilities support.
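The drop_capabilities mechanism the cover letter describes, as an added example that is not the klibc patchset's own code: a parser for the comma-separated capability list, a name table (assumed and partial, using lower-case cap_* names) and a dropper that uses the raw capget/capset syscalls plus prctl(PR_CAPBSET_DROP) for the bounding set, failing closed on any error as the letter requires.

```c
#define _GNU_SOURCE
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

static const struct { const char *name; int cap; } cap_table[] = {  /* hypothetical, partial */
    { "cap_sys_module", CAP_SYS_MODULE }, { "cap_sys_rawio", CAP_SYS_RAWIO },
    { "cap_sys_admin",  CAP_SYS_ADMIN  }, { "cap_net_admin", CAP_NET_ADMIN },
};

/* Capability number for the name in p[0..len), or -1 if it is unknown. */
int cap_from_name(const char *p, size_t len)
{
    for (size_t i = 0; i < sizeof cap_table / sizeof *cap_table; i++)
        if (strlen(cap_table[i].name) == len && strncmp(p, cap_table[i].name, len) == 0)
            return cap_table[i].cap;
    return -1;
}

/* Parse a comma-separated list into a bitmask. An empty or unknown item is an
 * error: a list we cannot interpret must fail the boot, not boot with extra caps. */
int parse_drop_list(const char *list, unsigned long long *mask)
{
    *mask = 0;
    for (const char *p = list;; p = strchr(p, ',') + 1) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        int cap = len ? cap_from_name(p, len) : -1;
        if (cap < 0) return -1;
        *mask |= 1ULL << cap;
        if (!end) return 0;
    }
}

/* Remove every capability in mask from the bounding set and from the permitted,
 * effective and inheritable sets, using raw syscalls (klibc has no libcap).
 * Returns -1 on the first failure so the caller can refuse to boot. */
int drop_capabilities(unsigned long long mask)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++)          /* bounding set first */
        if (((mask >> cap) & 1) && prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) != 0)
            return -1;
    if (syscall(SYS_capget, &hdr, data) != 0) return -1;
    for (int i = 0; i < _LINUX_CAPABILITY_U32S_3; i++) {   /* two 32-bit words */
        __u32 drop = (__u32)(mask >> (32 * i));
        data[i].permitted &= ~drop; data[i].effective &= ~drop; data[i].inheritable &= ~drop;
    }
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
}
```

An init such as kinit would call parse_drop_list on the drop_capabilities= value and then drop_capabilities immediately before execing the next init, treating a non-zero return from either as a failed boot. Dropping from the bounding set as well as the process sets is what keeps a later setuid or file-capability binary from regaining the capability.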