search for: bf6e140

...", + get_arg(cmdc, cmdv, "drop_capabilities="), + init_path, init_argv); /* If run_init returned, something went bad */ fprintf(stderr, "%s: %s: %s\n", progname, errmsg, strerror(errno)); diff --git a/usr/kinit/run-init/Kbuild b/usr/kinit/run-init/Kbuild index bf6e140..f7832b7 100644 --- a/usr/kinit/run-init/Kbuild +++ b/usr/kinit/run-init/Kbuild @@ -18,9 +18,14 @@ lib-y := $(objs) # personality(2) flag from getting set and passed to init). EXTRA_KLIBCLDFLAGS += -z noexecstack +# Additional include paths files +KLIBCCFLAGS += -I$(srctree)/$(src)/.. + # .o f...

...patch by Kees Cook <kees at ubuntu.com>, simplified to use the provided EXTRA_KLIBCLDFLAGS. Cc: Kees Cook <kees at ubuntu.com> Signed-off-by: maximilian attems <maks at debian.org> diff --git a/usr/kinit/run-init/Kbuild b/usr/kinit/run-init/Kbuild index 61a9d0b..bf6e140 100644 --- a/usr/kinit/run-init/Kbuild +++ b/usr/kinit/run-init/Kbuild @@ -14,6 +14,10 @@ objs := run-init.o runinitlib.o # Create built-in.o with all object files (used by kinit) lib-y := $(objs) +# force run-init to not have an executable stack (to keep READ_IMPLIES_EXEC +# personality(2) fla...

This patchset applies to klibc mainline. As is it will probably collide with Maximilian's recent patch to rename run-init to switch_root posted last week. To boot an untrusted environment with certain capabilities locked out, we'd like to be able to drop the capabilities up front from early userspace, before we actually transition onto the root volume. This patchset implements this by

On a train ride to Bruxelles, brought out my axe and directly attacked run_init(8). run_init(8) is dead, long live switch_root(8). The next run on switch_root(8) involves fdopendir, so another push for the upcoming stdio 1.6 branch. The following is boot tested with initramfs-tools, kinit(8) tests would very much be appreciated!? Michal Suchanek (1): [klibc] switch_root: Fix single file