Building on the work in ff0a614bd724f6c4c6a5014a9955dc1bc028f336,
this moves the capability code down into the run-init library, so that
run-init can use it as well, via the new "-d" flag.
Signed-off-by: Kees Cook <kees at outflux.net>
---
usr/kinit/Kbuild | 3 +--
usr/kinit/capabilities.h | 10 ++++++++++
usr/kinit/kinit.c | 6 +++---
usr/kinit/run-init/Kbuild | 9 +++++++--
usr/kinit/run-init/run-init.c | 12 ++++++++----
usr/kinit/run-init/run-init.h | 2 +-
usr/kinit/run-init/runinitlib.c | 11 +++++++++--
7 files changed, 39 insertions(+), 14 deletions(-)
create mode 100644 usr/kinit/capabilities.h
diff --git a/usr/kinit/Kbuild b/usr/kinit/Kbuild
index 8f6d08e..5320127 100644
--- a/usr/kinit/Kbuild
+++ b/usr/kinit/Kbuild
@@ -3,14 +3,13 @@
#
# library part of kinit. Is used by programs in sub-directories (resume et al)
-lib-y := name_to_dev.o devname.o getarg.o
+lib-y := name_to_dev.o devname.o getarg.o capabilities.o
# use lib for kinit
kinit-y := lib.a
kinit-y += kinit.o do_mounts.o ramdisk_load.o initrd.o
kinit-y += getintfile.o readfile.o xpio.o
kinit-y += do_mounts_md.o do_mounts_mtd.o nfsroot.o
-kinit-y += capabilities.o
kinit-y += ipconfig/
kinit-y += nfsmount/
diff --git a/usr/kinit/capabilities.h b/usr/kinit/capabilities.h
new file mode 100644
index 0000000..a32a66a
--- /dev/null
+++ b/usr/kinit/capabilities.h
@@ -0,0 +1,10 @@
+/*
+ * capabilities.h
+ */
+
+#ifndef KINIT_CAPABILITIES_H
+#define KINIT_CAPABILITIES_H
+
+int drop_capabilities(const char *caps);
+
+#endif /* KINIT_CAPABILITIES_H */
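Review bot: The new header declares drop_capabilities() without stating its contract, and both callers this patch adds depend on it: run-init.c passes a `drop_caps` that stays NULL when -d is not given, and runinitlib.c treats any negative return as a failure that aborts the switch to init. Suggest a block comment above the prototype such as `/* Drop the capabilities named in the comma-separated list caps; a NULL list must be a no-op. Returns 0 on success, negative on failure. */`, with the NULL sentence adjusted to whatever capabilities.c actually does, since that file is not part of this patch. Whether the drop touches only the effective/permitted sets or also the bounding set is the other thing a caller needs to know, and it belongs here rather than in the callers.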
diff --git a/usr/kinit/kinit.c b/usr/kinit/kinit.c
index 8ea0da5..523c92b 100644
--- a/usr/kinit/kinit.c
+++ b/usr/kinit/kinit.c
@@ -284,8 +284,6 @@ int main(int argc, char *argv[])
check_path("/root");
do_mounts(cmdc, cmdv);
- drop_capabilities(get_arg(cmdc, cmdv, "drop_capabilities="));
-
if (mnt_procfs) {
umount2("/proc", 0);
mnt_procfs = 0;
@@ -305,7 +303,9 @@ int main(int argc, char *argv[])
init_argv[0] = strrchr(init_path, '/') + 1;
- errmsg = run_init("/root", "/dev/console", init_path,
init_argv);
+ errmsg = run_init("/root", "/dev/console",
+ get_arg(cmdc, cmdv, "drop_capabilities="),
+ init_path, init_argv);
/* If run_init returned, something went bad */
fprintf(stderr, "%s: %s: %s\n", progname, errmsg, strerror(errno));
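Review bot: Moving the call into run_init() changes when the capabilities are dropped, not only where: the removed call ran before the umount2("/proc") and before run_init's mount and chroot steps, while the new one runs after chroot (see the runinitlib.c hunk), so a `drop_capabilities=` list naming CAP_SYS_ADMIN or CAP_SYS_CHROOT no longer breaks those steps. It also means a failing drop, whose return value the removed line discarded, now reaches the error path below as "dropping capabilities". Both are improvements the description does not mention; a comment at the call site, e.g. `/* capabilities are dropped inside run_init(), after the chroot */`, would stop a later reader from re-adding an early drop here. main() continues outside the hunk.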
diff --git a/usr/kinit/run-init/Kbuild b/usr/kinit/run-init/Kbuild
index bf6e140..f7832b7 100644
--- a/usr/kinit/run-init/Kbuild
+++ b/usr/kinit/run-init/Kbuild
@@ -18,9 +18,14 @@ lib-y := $(objs)
# personality(2) flag from getting set and passed to init).
EXTRA_KLIBCLDFLAGS += -z noexecstack
+# Additional include paths files
+KLIBCCFLAGS += -I$(srctree)/$(src)/..
+
# .o files used to built executables
-static/run-init-y := $(objs)
-shared/run-init-y := $(objs)
+static/run-init-y := $(objs)
+static/run-init-lib := ../lib.a
+shared/run-init-y := $(objs)
+shared/run-init-lib := ../lib.a
# Cleaning
clean-dirs := static shared
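Review bot: The comment `# Additional include paths files` above the KLIBCCFLAGS line reads as a slip and does not say what the path is for; suggest `# Include path for the kinit headers (capabilities.h) one level up`. The new `-lib := ../lib.a` lines appear to be what actually pulls capabilities.o into the run-init binaries, given the lib-y change in usr/kinit/Kbuild, and a word on that in the same comment would tie the two changes together for the next person editing this file.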
diff --git a/usr/kinit/run-init/run-init.c b/usr/kinit/run-init/run-init.c
index 0f150dd..2147d06 100644
--- a/usr/kinit/run-init/run-init.c
+++ b/usr/kinit/run-init/run-init.c
@@ -26,13 +26,14 @@
* ----------------------------------------------------------------------- */
/*
- * Usage: exec run-init [-c /dev/console] /real-root /sbin/init "$@"
+ * Usage: exec run-init [-d caps] [-c /dev/console] /real-root /sbin/init
"$@"
*
* This program should be called as the last thing in a shell script
* acting as /init in an initramfs; it does the following:
*
* - Delete all files in the initramfs;
* - Remounts /real-root onto the root filesystem;
+ * - Drops comma-separated list of capabilities;
* - Chroots;
* - Opens /dev/console;
* - Spawns the specified init program (with arguments.)
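Review bot: The new bullet `- Drops comma-separated list of capabilities;` is placed before `- Chroots;`, but the runinitlib.c hunk in this patch drops capabilities only after `chroot(".") || chdir("/")` has succeeded, and the matching comment added to runinitlib.c lists the step after "Chroots". Suggest moving the bullet below `- Chroots;` here so both comments and the code agree; the order matters to anyone composing a `-d` list, since CAP_SYS_CHROOT is still required at that point. The Usage line itself is fine.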
@@ -50,7 +51,7 @@ static const char *program;
static void __attribute__ ((noreturn)) usage(void)
{
fprintf(stderr,
- "Usage: exec %s [-c consoledev] /real-root /sbin/init [args]\n",
+ "Usage: exec %s [-d caps] [-c consoledev] /real-root /sbin/init
[args]\n",
program);
exit(1);
}
@@ -62,6 +63,7 @@ int main(int argc, char *argv[])
const char *realroot;
const char *init;
const char *error;
+ const char *drop_caps = NULL;
char **initargs;
/* Variables... */
@@ -70,9 +72,11 @@ int main(int argc, char *argv[])
/* Parse the command line */
program = argv[0];
- while ((o = getopt(argc, argv, "c:")) != -1) {
+ while ((o = getopt(argc, argv, "c:d:")) != -1) {
if (o == 'c') {
console = optarg;
+ } else if (o == 'd') {
+ drop_caps = optarg;
} else {
usage();
}
@@ -85,7 +89,7 @@ int main(int argc, char *argv[])
init = argv[optind + 1];
initargs = argv + optind + 1;
- error = run_init(realroot, console, init, initargs);
+ error = run_init(realroot, console, drop_caps, init, initargs);
/* If run_init returns, something went wrong */
fprintf(stderr, "%s: %s: %s\n", program, error, strerror(errno));
diff --git a/usr/kinit/run-init/run-init.h b/usr/kinit/run-init/run-init.h
index a95328e..da3136a 100644
--- a/usr/kinit/run-init/run-init.h
+++ b/usr/kinit/run-init/run-init.h
@@ -29,6 +29,6 @@
#define RUN_INIT_H
const char *run_init(const char *realroot, const char *console,
- const char *init, char **initargs);
+ const char *drop_caps, const char *init, char **initargs);
#endif
diff --git a/usr/kinit/run-init/runinitlib.c b/usr/kinit/run-init/runinitlib.c
index 8f1562f..fe856bd 100644
--- a/usr/kinit/run-init/runinitlib.c
+++ b/usr/kinit/run-init/runinitlib.c
@@ -26,7 +26,7 @@
* ----------------------------------------------------------------------- */
/*
- * run_init(consoledev, realroot, init, initargs)
+ * run_init(realroot, consoledev, drop_caps, init, initargs)
*
* This function should be called as the last thing in kinit,
* from initramfs, it does the following:
@@ -34,6 +34,7 @@
* - Delete all files in the initramfs;
* - Remounts /real-root onto the root filesystem;
* - Chroots;
+ * - Drops comma-separated list of capabilities;
* - Opens /dev/console;
* - Spawns the specified init program (with arguments.)
*
@@ -53,6 +54,7 @@
#include <sys/types.h>
#include <sys/vfs.h>
#include "run-init.h"
+#include "capabilities.h"
/* Make it possible to compile on glibc by including constants that the
always-behind shipped glibc headers may not include. Classic example
@@ -154,7 +156,8 @@ static int nuke(const char *what)
}
const char *run_init(const char *realroot, const char *console,
- const char *init, char **initargs)
+ const char *drop_caps, const char *init,
+ char **initargs)
{
struct stat rst, cst;
struct statfs sfs;
@@ -195,6 +198,10 @@ const char *run_init(const char *realroot, const char
*console,
if (chroot(".") || chdir("/"))
return "chroot";
+ /* Drop capabilities */
+ if (drop_capabilities(drop_caps) < 0)
+ return "dropping capabilities";
+
/* Open /dev/console */
if ((confd = open(console, O_RDWR)) < 0)
return "opening console";
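Review bot: When drop_capabilities() fails, run_init() returns "dropping capabilities" and both callers print it followed by strerror(errno); if the failure can come from parsing the list rather than from a syscall — an unrecognised name in the comma-separated list, say — errno may be stale or zero and the message will blame the wrong thing. Worth confirming against capabilities.c, which is not in this patch, and if parse errors are possible either have it set errno to EINVAL or have this branch say so in the returned string. The placement itself is sound: the privileged mount and chroot work is done, and the console open and exec that follow (outside the hunk) run with whatever set drop_capabilities() leaves. run_init() continues outside the hunk.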
--
1.7.9.5
--
Kees Cook @outflux.net
maximilian attems
2012-May-16 05:31 UTC
[klibc] [PATCH] run-init: add drop_capabilities support
On Thu, 03 May 2012, Kees Cook wrote:> Building on the work in ff0a614bd724f6c4c6a5014a9955dc1bc028f336, > this moves the capability code down into the run-init library, so that > run-init can use it as well, via the new "-d" flag. > > Signed-off-by: Kees Cook <kees at outflux.net> > --- > usr/kinit/Kbuild | 3 +-- > usr/kinit/capabilities.h | 10 ++++++++++ > usr/kinit/kinit.c | 6 +++--- > usr/kinit/run-init/Kbuild | 9 +++++++-- > usr/kinit/run-init/run-init.c | 12 ++++++++---- > usr/kinit/run-init/run-init.h | 2 +- > usr/kinit/run-init/runinitlib.c | 11 +++++++++-- > 7 files changed, 39 insertions(+), 14 deletions(-) > create mode 100644 usr/kinit/capabilities.hthanks, hpa applied and pushed.
Mike Waychison
2012-May-16 06:26 UTC
[klibc] [PATCH] run-init: add drop_capabilities support
On Thu, May 3, 2012 at 7:04 PM, Kees Cook <keescook at chromium.org> wrote:> Building on the work in ff0a614bd724f6c4c6a5014a9955dc1bc028f336, > this moves the capability code down into the run-init library, so that > run-init can use it as well, via the new "-d" flag. > > Signed-off-by: Kees Cook <kees at outflux.net>Acked-by: Mike Waychison <mikew at google.com> Sorry I missed this Kees, it missed my inbox.> --- > ?usr/kinit/Kbuild ? ? ? ? ? ? ? ?| ? ?3 +-- > ?usr/kinit/capabilities.h ? ? ? ?| ? 10 ++++++++++ > ?usr/kinit/kinit.c ? ? ? ? ? ? ? | ? ?6 +++--- > ?usr/kinit/run-init/Kbuild ? ? ? | ? ?9 +++++++-- > ?usr/kinit/run-init/run-init.c ? | ? 12 ++++++++---- > ?usr/kinit/run-init/run-init.h ? | ? ?2 +- > ?usr/kinit/run-init/runinitlib.c | ? 11 +++++++++-- > ?7 files changed, 39 insertions(+), 14 deletions(-) > ?create mode 100644 usr/kinit/capabilities.h > > diff --git a/usr/kinit/Kbuild b/usr/kinit/Kbuild > index 8f6d08e..5320127 100644 > --- a/usr/kinit/Kbuild > +++ b/usr/kinit/Kbuild > @@ -3,14 +3,13 @@ > ?# > > ?# library part of kinit. Is used by programs in sub-directories (resume et al) > -lib-y ? := name_to_dev.o devname.o getarg.o > +lib-y ? := name_to_dev.o devname.o getarg.o capabilities.o > ?# use lib for kinit > ?kinit-y ?:= lib.a > > ?kinit-y ?+= kinit.o do_mounts.o ramdisk_load.o initrd.o > ?kinit-y ?+= getintfile.o readfile.o xpio.o > ?kinit-y ?+= do_mounts_md.o do_mounts_mtd.o nfsroot.o > -kinit-y ?+= capabilities.o > > ?kinit-y ?+= ipconfig/ > ?kinit-y ?+= nfsmount/ > diff --git a/usr/kinit/capabilities.h b/usr/kinit/capabilities.h > new file mode 100644 > index 0000000..a32a66a > --- /dev/null > +++ b/usr/kinit/capabilities.h > @@ -0,0 +1,10 @@ > +/* > + * capabilities.h > + */ > + > +#ifndef KINIT_CAPABILITIES_H > +#define KINIT_CAPABILITIES_H > + > +int drop_capabilities(const char *caps); > + > +#endif ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? /* KINIT_CAPABILITIES_H */ 
> diff --git a/usr/kinit/kinit.c b/usr/kinit/kinit.c > index 8ea0da5..523c92b 100644 > --- a/usr/kinit/kinit.c > +++ b/usr/kinit/kinit.c > @@ -284,8 +284,6 @@ int main(int argc, char *argv[]) > ? ? ? ?check_path("/root"); > ? ? ? ?do_mounts(cmdc, cmdv); > > - ? ? ? drop_capabilities(get_arg(cmdc, cmdv, "drop_capabilities=")); > - > ? ? ? ?if (mnt_procfs) { > ? ? ? ? ? ? ? ?umount2("/proc", 0); > ? ? ? ? ? ? ? ?mnt_procfs = 0; > @@ -305,7 +303,9 @@ int main(int argc, char *argv[]) > > ? ? ? ?init_argv[0] = strrchr(init_path, '/') + 1; > > - ? ? ? errmsg = run_init("/root", "/dev/console", init_path, init_argv); > + ? ? ? errmsg = run_init("/root", "/dev/console", > + ? ? ? ? ? ? ? ? ? ? ? ? get_arg(cmdc, cmdv, "drop_capabilities="), > + ? ? ? ? ? ? ? ? ? ? ? ? init_path, init_argv); > > ? ? ? ?/* If run_init returned, something went bad */ > ? ? ? ?fprintf(stderr, "%s: %s: %s\n", progname, errmsg, strerror(errno)); > diff --git a/usr/kinit/run-init/Kbuild b/usr/kinit/run-init/Kbuild > index bf6e140..f7832b7 100644 > --- a/usr/kinit/run-init/Kbuild > +++ b/usr/kinit/run-init/Kbuild > @@ -18,9 +18,14 @@ lib-y := $(objs) > ?# personality(2) flag from getting set and passed to init). > ?EXTRA_KLIBCLDFLAGS += -z noexecstack > > +# Additional include paths files > +KLIBCCFLAGS += -I$(srctree)/$(src)/.. > + > ?# .o files used to built executables > -static/run-init-y := $(objs) > -shared/run-init-y := $(objs) > +static/run-init-y ? := $(objs) > +static/run-init-lib := ../lib.a > +shared/run-init-y ? := $(objs) > +shared/run-init-lib := ../lib.a > > ?# Cleaning > ?clean-dirs := static shared > diff --git a/usr/kinit/run-init/run-init.c b/usr/kinit/run-init/run-init.c > index 0f150dd..2147d06 100644 > --- a/usr/kinit/run-init/run-init.c > +++ b/usr/kinit/run-init/run-init.c 
> @@ -26,13 +26,14 @@ > ?* ----------------------------------------------------------------------- */ > > ?/* > - * Usage: exec run-init [-c /dev/console] /real-root /sbin/init "$@" > + * Usage: exec run-init [-d caps] [-c /dev/console] /real-root /sbin/init "$@" > ?* > ?* This program should be called as the last thing in a shell script > ?* acting as /init in an initramfs; it does the following: > ?* > ?* - Delete all files in the initramfs; > ?* - Remounts /real-root onto the root filesystem; > + * - Drops comma-separated list of capabilities; > ?* - Chroots; > ?* - Opens /dev/console; > ?* - Spawns the specified init program (with arguments.) > @@ -50,7 +51,7 @@ static const char *program; > ?static void __attribute__ ((noreturn)) usage(void) > ?{ > ? ? ? ?fprintf(stderr, > - ? ? ? ? ? ? ? "Usage: exec %s [-c consoledev] /real-root /sbin/init [args]\n", > + ? ? ? ? ? ? ? "Usage: exec %s [-d caps] [-c consoledev] /real-root /sbin/init [args]\n", > ? ? ? ? ? ? ? ?program); > ? ? ? ?exit(1); > ?} > @@ -62,6 +63,7 @@ int main(int argc, char *argv[]) > ? ? ? ?const char *realroot; > ? ? ? ?const char *init; > ? ? ? ?const char *error; > + ? ? ? const char *drop_caps = NULL; > ? ? ? ?char **initargs; > > ? ? ? ?/* Variables... */ > @@ -70,9 +72,11 @@ int main(int argc, char *argv[]) > ? ? ? ?/* Parse the command line */ > ? ? ? ?program = argv[0]; > > - ? ? ? while ((o = getopt(argc, argv, "c:")) != -1) { > + ? ? ? while ((o = getopt(argc, argv, "c:d:")) != -1) { > ? ? ? ? ? ? ? ?if (o == 'c') { > ? ? ? ? ? ? ? ? ? ? ? ?console = optarg; > + ? ? ? ? ? ? ? } else if (o == 'd') { > + ? ? ? ? ? ? ? ? ? ? ? drop_caps = optarg; > ? ? ? ? ? ? ? ?} else { > ? ? ? ? ? ? ? ? ? ? ? ?usage(); > ? ? ? ? ? ? ? ?} 
> @@ -85,7 +89,7 @@ int main(int argc, char *argv[]) > ? ? ? ?init = argv[optind + 1]; > ? ? ? ?initargs = argv + optind + 1; > > - ? ? ? error = run_init(realroot, console, init, initargs); > + ? ? ? error = run_init(realroot, console, drop_caps, init, initargs); > > ? ? ? ?/* If run_init returns, something went wrong */ > ? ? ? ?fprintf(stderr, "%s: %s: %s\n", program, error, strerror(errno)); > diff --git a/usr/kinit/run-init/run-init.h b/usr/kinit/run-init/run-init.h > index a95328e..da3136a 100644 > --- a/usr/kinit/run-init/run-init.h > +++ b/usr/kinit/run-init/run-init.h > @@ -29,6 +29,6 @@ > ?#define RUN_INIT_H > > ?const char *run_init(const char *realroot, const char *console, > - ? ? ? ? ? ? ? ? ? ?const char *init, char **initargs); > + ? ? ? ? ? ? ? ? ? ?const char *drop_caps, const char *init, char **initargs); > > ?#endif > diff --git a/usr/kinit/run-init/runinitlib.c b/usr/kinit/run-init/runinitlib.c > index 8f1562f..fe856bd 100644 > --- a/usr/kinit/run-init/runinitlib.c > +++ b/usr/kinit/run-init/runinitlib.c > @@ -26,7 +26,7 @@ > ?* ----------------------------------------------------------------------- */ > > ?/* > - * run_init(consoledev, realroot, init, initargs) > + * run_init(realroot, consoledev, drop_caps, init, initargs) > ?* > ?* This function should be called as the last thing in kinit, > ?* from initramfs, it does the following: > @@ -34,6 +34,7 @@ > ?* - Delete all files in the initramfs; > ?* - Remounts /real-root onto the root filesystem; > ?* - Chroots; > + * - Drops comma-separated list of capabilities; > ?* - Opens /dev/console; > ?* - Spawns the specified init program (with arguments.) > ?* > @@ -53,6 +54,7 @@ > ?#include <sys/types.h> > ?#include <sys/vfs.h> > ?#include "run-init.h" > +#include "capabilities.h" > > ?/* Make it possible to compile on glibc by including constants that the > ? ?always-behind shipped glibc headers may not include. ?Classic example 
> @@ -154,7 +156,8 @@ static int nuke(const char *what) > ?} > > ?const char *run_init(const char *realroot, const char *console, > - ? ? ? ? ? ? ? ? ? ?const char *init, char **initargs) > + ? ? ? ? ? ? ? ? ? ?const char *drop_caps, const char *init, > + ? ? ? ? ? ? ? ? ? ?char **initargs) > ?{ > ? ? ? ?struct stat rst, cst; > ? ? ? ?struct statfs sfs; > @@ -195,6 +198,10 @@ const char *run_init(const char *realroot, const char *console, > ? ? ? ?if (chroot(".") || chdir("/")) > ? ? ? ? ? ? ? ?return "chroot"; > > + ? ? ? /* Drop capabilities */ > + ? ? ? if (drop_capabilities(drop_caps) < 0) > + ? ? ? ? ? ? ? return "dropping capabilities"; > + > ? ? ? ?/* Open /dev/console */ > ? ? ? ?if ((confd = open(console, O_RDWR)) < 0) > ? ? ? ? ? ? ? ?return "opening console"; > -- > 1.7.9.5 > > > -- > Kees Cook ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?@outflux.net