Mount the securityfs filesystem and make available its location through the
exported variable SECURITYFSDIR.
Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
Acked-by: Gianluca Ramunno <ramunno@polito.it>
If /proc/cmdline is empty (like if root=... is set in /etc/cmdline),
modules.d/99base/init will crash with a message saying "can't shift that
many" right before switch_root. The problem is in the block of code that
tries to look for init args. It does something like:
read CMDLINE </proc/cmdline
[...]
set $CMDLINE
shift
If CMDLINE="" then "set $CMDLINE" will dump all the variables to stdout.
(That should be "set -- $CMDLINE" instead.) Since there's no $1, the
"shift" causes an error, and dracut crashes.
The 'shift' was copy-and-pasted from the previous block. It doesn't
belong here; remove it.
[Harald Hoyer <harald@redhat.com>: corrected commit message]
[Harald Hoyer <harald@redhat.com>: fixed indention]
Signed-off-by: Will Woods <wwoods@redhat.com>
Given that we boot into a modern Linux distribution with the "/run" toplevel
directory, we can easily mount move the whole /run directory to the real
root in the end and have the complete initramfs later on in
/run/initramfs. All log files and /run states are still accessible and
to save space /run/initramfs can be removed later on.
Because the kernel does not mount a tmpfs on /run prior to unpacking the
initramfs cpio image, we have to copy ourselves very early to a tmpfs
and mount it on /run.
Due to lazy umount the old initramfs binaries should
be removed in the end by switch_root.
This feature can be turned on with "--prefix".
This adds the following parameters:
rd.caps=1
turn the caps module on/off
rd.caps.initdrop=cap_sys_module,cap_sys_rawio
drop the specified comma seperated capabilities
rd.caps.disablemodules=1
turn off module loading
rd.caps.disablekexec=1
turn off the kexec functionality
If module loading is turned off, all modules have to be loaded in the
initramfs, which are used later on. This can be done with
"rd.driver.pre="
rd.driver.pre=autofs4,sunrpc,ipt_REJECT,nf_conntrack_ipv4,....
Because the kernel command line would get huge with all those drivers, I
recommend to make use of $initramfs/etc/cmdline.
So, all rd.caps.* and rd.driver.pre arguments are in caps.conf can be
copied to $initramfs/etc/cmdline with "-i caps.conf /etc/cmdline".
Also all modules have to be loaded in the initramfs via "--add-drivers".
The resulting initramfs creation would look like this:
--add-drivers "autofs4 sunrpc ipt_REJECT nf_conntrack_ipv4 \
nf_defrag_ipv4 iptable_filter ip_tables
ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack
ip6table_filter ip6_tables dm_mirror dm_region_hash dm_log uinput ppdev
parport_pc parport ipv6 sg 8139too 8139cp mii i2c_piix4 i2c_core ext3
jbd mbcache sd_mod crc_t10dif sr_mod cdrom ata_generic pata_acpi ata_piix
dm_mod" \
/boot/initramfs-caps.img
We want all "/var/run" information to live in /dev/.run, until the real
root is mounted.
Therefore we mount a tmpfs on /dev/.run, which can/will be bind/move mounted
on /var/run later on.
Harald Hoyer