Released on Tue, 23 Aug 2011 15:31:29 +0000
[klibc] kinit: Add drop_capabilities support.

This patch adds the ability to kinit to allow the dropping of POSIX
capabilities.

kinit is modified by this change, such that it understands the new
kernel command line "drop_capabilities=" that specifies a comma-separated
list of capability names that should be dropped before
switching over to the next init in the bootstrap (typically on the root
disk).

Dropping of capabilities happens in three parts.  We explicitly drop the
capability from init's inherited masks.  We also drop the capability
from the bounding set using PR_CAPBSET_DROP so that later setuid execs
are bounded.  Lastly, we drop the capabilities from the bset and
inherited masks exposed at /proc/sys/kernel/usermodehelper if available
(introduced in Linux v3.0.0).

In all paths, we treat errors as fatal, as we do not want to continue to
boot if there was a problem dropping capabilities.  We fail because the
new drop_capabilities= option on the command line mandates enforcement
of a security policy, and we should err on the side of caution if we
ever fail to satisfy the administrator's intention.

Signed-off-by: Mike Waychison <mikew@google.com>
Reviewed-by: "Andrew G. Morgan" <agm@google.com>
Reviewed-by: "H. Peter Anvin" <hpa@zytor.com>
Signed-off-by: maximilian attems <max@stro.at>
4 files changed
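The three-part drop described in the commit message, worked through as an added C example; this is not kinit's own code from the patch. It parses a `drop_capabilities=`-style comma-separated list into a capability mask, then clears those bits from the inheritable set via `capset`, from the bounding set via `PR_CAPBSET_DROP`, and from the `bset` and `inheritable` files under `/proc/sys/kernel/usermodehelper`. Assumptions: the name table is a constructed subset of the kernel's capability names; the `/proc/sys/kernel/usermodehelper/*` files are treated as two space-separated 32-bit words (low, high); the raw `SYS_capget`/`SYS_capset` syscalls are used instead of libcap so the example has no library dependency. Every failure is reported to the caller as fatal, matching the policy the commit states.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Constructed subset of capability names (kinit's real table is larger). */
static const struct { const char *name; int cap; } cap_names[] = {
    { "cap_chown", CAP_CHOWN },           { "cap_dac_override", CAP_DAC_OVERRIDE },
    { "cap_setuid", CAP_SETUID },         { "cap_setgid", CAP_SETGID },
    { "cap_setpcap", CAP_SETPCAP },       { "cap_net_admin", CAP_NET_ADMIN },
    { "cap_net_raw", CAP_NET_RAW },       { "cap_sys_module", CAP_SYS_MODULE },
    { "cap_sys_rawio", CAP_SYS_RAWIO },   { "cap_sys_ptrace", CAP_SYS_PTRACE },
    { "cap_sys_admin", CAP_SYS_ADMIN },   { "cap_sys_boot", CAP_SYS_BOOT },
    { "cap_mknod", CAP_MKNOD },           { "cap_setfcap", CAP_SETFCAP },
};

/* Case-insensitive lookup of a name of length len; -1 if unknown. */
static int cap_from_name(const char *s, size_t len)
{
    for (size_t i = 0; i < sizeof cap_names / sizeof cap_names[0]; i++)
        if (strlen(cap_names[i].name) == len &&
            strncasecmp(cap_names[i].name, s, len) == 0)
            return cap_names[i].cap;
    return -1;
}

/* Parse "name1,name2,..." into a bitmask. An unknown or empty name is an
 * error (-1, errno=EINVAL): an administrator typo must not silently weaken
 * the requested policy. */
int parse_drop_list(const char *list, uint64_t *mask_out)
{
    uint64_t mask = 0;
    const char *p = list;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        int cap = cap_from_name(p, len);
        if (cap < 0) { errno = EINVAL; return -1; }
        mask |= 1ULL << cap;
        p = end ? end + 1 : p + len;
    }
    *mask_out = mask;
    return 0;
}

/* Part 3: clear bits in one usermodehelper sysctl file (assumed format:
 * "<low32> <high32>"). A missing file means a pre-3.0 kernel: nothing to do. */
static int drop_from_umh(const char *path, uint64_t mask)
{
    unsigned lo, hi;
    FILE *fp = fopen(path, "r");
    if (!fp) return errno == ENOENT ? 0 : -1;
    if (fscanf(fp, "%u %u", &lo, &hi) != 2) { fclose(fp); errno = EIO; return -1; }
    fclose(fp);
    lo &= ~(unsigned)(mask & 0xffffffffu);
    hi &= ~(unsigned)(mask >> 32);
    fp = fopen(path, "w");
    if (!fp) return -1;
    if (fprintf(fp, "%u %u\n", lo, hi) < 0 || fclose(fp) != 0) return -1;
    return 0;
}

/* Apply all three parts; returns 0, or -1 with errno set (caller treats as fatal). */
int drop_capabilities(uint64_t mask)
{
    /* Part 1: remove the capabilities from our own inheritable set. */
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    if (syscall(SYS_capget, &hdr, data) < 0) return -1;
    data[0].inheritable &= ~(uint32_t)(mask & 0xffffffffu);
    data[1].inheritable &= ~(uint32_t)(mask >> 32);
    if (syscall(SYS_capset, &hdr, data) < 0) return -1;

    /* Part 2: drop from the bounding set so later setuid execs cannot regain them. */
    for (int cap = 0; cap < 64; cap++)
        if ((mask >> cap) & 1)
            if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) < 0) return -1;

    /* Part 3: usermodehelper masks (Linux 3.0+), bounding set then inheritable. */
    if (drop_from_umh("/proc/sys/kernel/usermodehelper/bset", mask) < 0) return -1;
    return drop_from_umh("/proc/sys/kernel/usermodehelper/inheritable", mask);
}

int main(int argc, char **argv)
{
    uint64_t mask;
    if (argc != 2 || parse_drop_list(argv[1], &mask) < 0) {
        fprintf(stderr, "usage: %s cap_a,cap_b,...\n", argv[0]);
        return 1;
    }
    if (drop_capabilities(mask) < 0) {
        perror("drop_capabilities");   /* fatal: refuse to continue booting */
        return 1;
    }
    return 0;
}
```

`drop_capabilities()` only succeeds when run with `CAP_SETPCAP` (and, for the `/proc` writes, the further privilege the kernel demands); an unprivileged caller gets `EPERM` from `capset` or `prctl`, and the function reports that as fatal rather than continuing with a partial drop.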