lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CALCETrWdVZUuUz9MGqxJHLPQ7VtFG1Kf2tG8GvEswH-zsFaF2w@mail.gmail.com>
Date:	Fri, 26 Sep 2014 12:32:37 -0700
From:	Andy Lutomirski <luto@...capital.net>
To:	Rob Landley <rob@...dley.net>
Cc:	Chuck Ebbert <cebbert.lkml@...il.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Kernel Mailing List <linux-kernel@...r.kernel.org>,
	Randy Dunlap <rdunlap@...radead.org>,
	Shuah Khan <shuah.kh@...sung.com>,
	Rusty Russell <rusty@...tcorp.com.au>
Subject: Re: [PATCH v3] init: Add strictinit to disable init= fallbacks

On Fri, Sep 26, 2014 at 12:30 PM, Rob Landley <rob@...dley.net> wrote:
> On Fri, Sep 26, 2014 at 2:23 PM, Chuck Ebbert <cebbert.lkml@...il.com> wrote:
>> On Fri, 26 Sep 2014 12:13:57 -0700
>> Andy Lutomirski <luto@...capital.net> wrote:
>>
>>> If a user puts init=/whatever on the command line and /whatever
>>> can't be run, then the kernel will try a few default options before
>>> giving up.  If init=/whatever came from a bootloader prompt, then
>>> this probably makes sense.  On the other hand, if it comes from a
>>> script (e.g. a tool like virtme or perhaps a future kselftest
>>> script), then the fallbacks are likely to exist, but they'll do the
>>> wrong thing.  For example, they might unexpectedly invoke systemd.
>>>
>>> This adds a new option called strictinit.  If init= and strictinit
>>> are both set, and the init= binary is not executable, then the
>>> kernel will panic immediately.  If strictinit is set but init= is
>>> not set, then strictinit will have no effect, because the only real
>>> alternative would be to panic regardless of the contents of the root
>>> fs.
>>>
>>> Signed-off-by: Andy Lutomirski <luto@...capital.net>
>>> ---
>>>  Documentation/kernel-parameters.txt |  8 ++++++++
>>>  init/main.c                         | 16 ++++++++++++++--
>>>  2 files changed, 22 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
>>> index 10d51c2f10d7..1576273edce6 100644
>>> --- a/Documentation/kernel-parameters.txt
>>> +++ b/Documentation/kernel-parameters.txt
>>> @@ -3236,6 +3236,14 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
>>>       stifb=          [HW]
>>>                       Format: bpp:<bpp1>[:<bpp2>[:<bpp3>...]]
>>>
>>> +     strictinit      [KNL,BOOT]
>>> +                     Normally, if the kernel can't find the init binary
>>> +                     specified by rdinit= and/or init=, then it will
>>> +                     try several fallbacks.  If strictinit is set
>>> +                     and the value specified by init= does not work,
>>> +                     then the kernel will panic instead.
>>> +                     This option makes no sense if init= is not specified.
>>> +
>>>       sunrpc.min_resvport=
>>>       sunrpc.max_resvport=
>>>                       [NFS,SUNRPC]
>>> diff --git a/init/main.c b/init/main.c
>>> index bb1aed928f21..2ae0f2776155 100644
>>> --- a/init/main.c
>>> +++ b/init/main.c
>>> @@ -131,6 +131,7 @@ static char *initcall_command_line;
>>>
>>>  static char *execute_command;
>>>  static char *ramdisk_execute_command;
>>> +static bool strictinit;
>>>
>>>  /*
>>>   * Used to generate warnings if static_key manipulation functions are used
>>> @@ -347,6 +348,13 @@ static int __init rdinit_setup(char *str)
>>>  }
>>>  __setup("rdinit=", rdinit_setup);
>>>
>>> +static int __init strictinit_setup(char *str)
>>> +{
>>> +     strictinit = true;
>>> +     return 1;
>>> +}
>>> +__setup("strictinit", strictinit_setup);
>>> +
>>>  #ifndef CONFIG_SMP
>>>  static const unsigned int setup_max_cpus = NR_CPUS;
>>>  #ifdef CONFIG_X86_LOCAL_APIC
>>> @@ -960,8 +968,12 @@ static int __ref kernel_init(void *unused)
>>>               ret = run_init_process(execute_command);
>>>               if (!ret)
>>>                       return 0;
>>> -             pr_err("Failed to execute %s (error %d).  Attempting defaults...\n",
>>> -                     execute_command, ret);
>>> +             if (strictinit)
>>> +                     panic("Requested init %s failed (error %d) and strictinit was set.",
>>> +                           execute_command, ret);
>>> +             else
>>> +                     pr_err("Failed to execute %s (error %d).  Attempting defaults...\n",
>>> +                            execute_command, ret);
>>>       }
>>>       if (!try_to_run_init_process("/sbin/init") ||
>>>           !try_to_run_init_process("/etc/init") ||
>>
>> Can't you just make it use "init=foo,strict" instead?
>
> Can't we just change the default behavior and add a
> CONFIG_INIT_FALLBACK that defaults to "n" which you can switch on to
> get the old behavior? (And then immediately deprecate it?)
>
> If you're specifying an init, you probably want that init...

Hmm, that's a reasonable point.

Thoughts, anyone?  I'd be okay with doing that.

--Andy

>
> Rob



-- 
Andy Lutomirski
AMA Capital Management, LLC
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ