1 Commits (f709fa439bf7e2cade1ce78a977637e6aa894d53)
Author | SHA1 | Message | Date |
---|---|---|---|
| 529349c66d | add caps module, to drop capabilities | 14 years ago |

Full commit message for 529349c66d:

add caps module, to drop capabilities

This adds the following parameters:

    rd.caps=1                                       turn the caps module on/off
    rd.caps.initdrop=cap_sys_module,cap_sys_rawio   drop the specified comma separated capabilities
    rd.caps.disablemodules=1                        turn off module loading
    rd.caps.disablekexec=1                          turn off the kexec functionality

If module loading is turned off, all modules which are used later on have to be loaded in the initramfs. This can be done with "rd.driver.pre=":

    rd.driver.pre=autofs4,sunrpc,ipt_REJECT,nf_conntrack_ipv4,....

Because the kernel command line would get huge with all those drivers, I recommend making use of $initramfs/etc/cmdline. So, all rd.caps.* and rd.driver.pre arguments that are in caps.conf can be copied to $initramfs/etc/cmdline with "-i caps.conf /etc/cmdline". Also all modules have to be loaded in the initramfs via "--add-drivers".

The resulting initramfs creation would look like this:

    --add-drivers "autofs4 sunrpc ipt_REJECT nf_conntrack_ipv4 \
    nf_defrag_ipv4 iptable_filter ip_tables ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables dm_mirror dm_region_hash dm_log uinput ppdev parport_pc parport ipv6 sg 8139too 8139cp mii i2c_piix4 i2c_core ext3 jbd mbcache sd_mod crc_t10dif sr_mod cdrom ata_generic pata_acpi ata_piix dm_mod" \
    /boot/initramfs-caps.img