Bug 677340
| Summary: | Need new modules in dracut | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Steve Grubb <sgrubb> |
| Component: | dracut | Assignee: | Harald Hoyer <harald> |
| Status: | CLOSED ERRATA | QA Contact: | Release Test Team <release-test-team-automation> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | | |
| Version: | 6.0 | CC: | eparis, jrieden, pholica, pknirsch, rwilliam, syeghiay |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | A new module, dracut-caps, has been added to let users omit selected dracut capabilities, and set one or more sysctl parameters. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-05-19 11:54:19 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Steve Grubb
2011-02-14 12:48:35 UTC
(In reply to comment #0)
> Description of problem:
> We need a module or modules that can: 1) drop selected capabilities, 2) set one
> or more sysctl. We will add some more details later.

need more details for devel_ack

1) how is this done?
2) I could add a kernel command line parameter style like "rd.sysctl.net.ipv4.ip_forward=1" or copy over /etc/sysctl.conf* and run sysctl

Adding Eric to this bug. I don't think we want to use sysctl.conf. There may be one or two that need to be applied immediately during boot. If we could put them into a config file under /etc/dracut.conf.d/ or as args to a small program that would be ideal.

So we need to do a couple of things inside the initrd. We cannot trust the root partition whatsoever.

1) make sure the 'required' kernel modules are loaded. How we determine what is 'required' I'm not sure, but a config file (inside the initrd) is the only way I can think of.....
2) we need to set the sysctls kernel.modules_disabled and kernel.kexec_disabled
3) before we launch the real init we need to drop CAP_SYS_MODULE and CAP_SYS_RAWIO from both the bset and pI. I'm sure sgrubb can provide a small snippet of C to do this.
4) we need to set the sysctls with specific values for a new interface kernel.khelper.bset and kernel.khelper.inherited. This interface takes an array of base 10 ints, but the value we pass to it needs to have CAP_SYS_MODULE and CAP_SYS_RAWIO dropped. As soon as the interface is submitted in final form I'll include a snippet.

And setting the sysctls can be done with echo or something equally simple. It would not be a problem to require it being specified as a /proc/sys entry.

(In reply to comment #3)
> So we need to do a couple of things inside the initrd. We cannot trust the
> root partition whatsoever.
>
> 1) make sure the 'required' kernel modules are loaded. How we determine what
> is 'required' I'm not sure, but a config file (inside the initrd) is the only
> way I can think of.....

feels like the fips module..

http://dracut.git.sourceforge.net/git/gitweb.cgi?p=dracut/dracut;a=tree;f=modules.d/01fips

```
info "Loading and integrity checking all crypto modules"
for module in $FIPSMODULES; do
    if [ "$module" != "tcrypt" ]; then
        modprobe ${module} || return 1
    fi
done
info "Self testing crypto algorithms"
modprobe tcrypt noexit=1 || return 1
rmmod tcrypt
info "All initrd crypto checks done"
```

(In reply to comment #3)
> 3) before we launch the real init we need to drop CAP_SYS_MODULE and
> CAP_SYS_RAWIO from both the bset and pI. I'm sure sgrubb can provide a small
> snippet of C to do this.
>
> 4) we need to set the sysctls with specific values for a new interface
> kernel.khelper.bset and kernel.khelper.inherited. This interface takes an
> array of base 10 ints, but the value we pass to it needs to have CAP_SYS_MODULE
> and CAP_SYS_RAWIO dropped. As soon as the interface is submitted in final form
> I'll include a snippet.

Hmm.. dracut is _noarch_

libcap-ng has python bindings if that's what you need.

(In reply to comment #8)
> libcap-ng has python bindings if that's what you need.

NO! I will never pull in python in the initramfs, just to set some CAP... better write a small C util and put it in util-linux-ng.

hmmmm, so 4) can be done with "echo" no worries. But 3 is going to require compiled code. Steve, what do you think of writing an exec wrapper helper program which takes as arguments 'allowed or denied capabilities' and a program, it will just drop those caps and then exec the program in question. dracut could then use this program to exec init if some configured....

Eric, maybe /usr/sbin/capsh from libcap?

Here is something for you to test:
http://people.redhat.com/harald/downloads/dracut/dracut-004-44/

Install dracut-caps

create caps.conf

```
# cat caps.conf
rd.caps=1 rd.caps.initdrop=cap_sys_module,cap_sys_rawio rd.caps.disablemodules=1 rd.caps.disablekexec=1 rdloaddriver=autofs4,sunrpc,ipt_REJECT,nf_conntrack_ipv4,nf_defrag_ipv4,iptable_filter,ip_tables,ip6t_REJECT,nf_conntrack_ipv6,nf_defrag_ipv6,xt_state,nf_conntrack,ip6table_filter,ip6_tables,dm_mirror,dm_region_hash,dm_log,uinput,ppdev,parport_pc,parport,ipv6,sg,8139too,8139cp,mii,i2c_piix4,i2c_core,ext3,jbd,mbcache,sd_mod,crc_t10dif,sr_mod,cdrom,ata_generic,pata_acpi,ata_piix,dm_mod

# dracut -i caps.conf /etc/cmdline -a caps --add-drivers "autofs4 sunrpc ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4 iptable_filter ip_tables ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables dm_mirror dm_region_hash dm_log uinput ppdev parport_pc parport ipv6 sg 8139too 8139cp mii i2c_piix4 i2c_core ext3 jbd mbcache sd_mod crc_t10dif sr_mod cdrom ata_generic pata_acpi ata_piix dm_mod" -f /boot/initramfs-caps.img
```

boot from /boot/initramfs-caps.img

Your kernel modules may vary :-) I just booted without dropping caps and did "lsmod" to get the list.

I would have written the caps.conf contents on the kernel command line, but somehow only 240 chars ended up in /proc/cmdline!! So, we (might) have to take the way over $initramfs/etc/cmdline like shown with caps.conf and "-i caps.conf /etc/cmdline"

"rd.caps=0" on the kernel command line turns the module off.

I was playing with this some more today and I think we need to change the order this happens. I want this to happen before we do any work that uses the root filesystem. I don't know what all work we do inside the initrd that uses the root filesystem, but at the very least we load the selinux policy. At the very least we could craft an selinux policy inside the root filesystem that denies us permission to make these changes. After the machine was up we could change the selinux policy and then proceed as if these modules had never run. Would it be possible to both check to make sure that every call was a success and panic if not as well as move the place we do these checks before the root file is used?

So it seems like maybe I have a problem and the module isn't working. I've got:

rd.loaddriver=nfs,lockd,fscache,nfs_acl,auth_rpcgss,autofs4,sunrpc ....

and ran dracut with

--add-drivers "nfs lockd fscache nfs_acl auth_rpcgss autofs4 sunrpc .....

But when the machine comes up the nfs module isn't loaded....

How can I debug?

(In reply to comment #16)
> So it seems like maybe I have a problem and the module isn't working. I've
> got:
>
> rd.loaddriver=nfs,lockd,fscache,nfs_acl,auth_rpcgss,autofs4,sunrpc ....

it's rdloaddriver not rd.loaddriver ... sorry for the inconsistency here.

>
> and ran dracut with
>
> --add-drivers "nfs lockd fscache nfs_acl auth_rpcgss autofs4 sunrpc .....
>
> But when the machine comes up the nfs module isn't loaded....
>
> How can I debug?

http://people.redhat.com/harald/dracut-rhel6.html#troubleshooting

(In reply to comment #17)
> (In reply to comment #16)
> > So it seems like maybe I have a problem and the module isn't working. I've
> > got:
> >
> > rd.loaddriver=nfs,lockd,fscache,nfs_acl,auth_rpcgss,autofs4,sunrpc ....
>
> it's rdloaddriver not rd.loaddriver ... sorry for the inconsistency here.

and for F15 it will be rd.driver.pre=... (introduced consistency here with rd.driver.{pre,post,blacklist}).

Hello, can you please give instructions for QA how to test this?

The test instructions are in comment #12. If you boot a system following those instructions you should be able to look at the capability bits seen in /proc/*/status. If ANY process has bits in CapEff CapPrm CapInh CapBnd which were supposed to be dropped according to the configuration it didn't work. If every process is lacking those bits it worked.

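The check from the test instructions above, as an added example that is not part of the original bug report: it reads the four capability sets from each `/proc/<pid>/status` and reports any that still contain CAP_SYS_MODULE (bit 16) or CAP_SYS_RAWIO (bit 17). The function names and the sample data are assumptions made for the example.

```shell
# Added example: find processes still holding capability bits meant to be dropped.
CAP_SYS_MODULE=16   # bit numbers from <linux/capability.h>
CAP_SYS_RAWIO=17

# caps_mask BIT... : print the decimal mask with those bits set.
caps_mask() {
    m=0
    for bit in "$@"; do m=$(( m | (1 << bit) )); done
    echo "$m"
}

# check_status FILE MASK : print "FILE SET HEX" for each capability set in a
# /proc/<pid>/status file that intersects MASK; return 1 if any did.
check_status() {
    bad=0
    while read -r key val rest; do
        case $key in
        CapInh:|CapPrm:|CapEff:|CapBnd:)
            # Values are 16 hex digits. Drop the top one (bits 60-63, no
            # capability) so ffffffffffffffff fits signed 64-bit arithmetic.
            if [ $(( 0x${val#?} & $2 )) -ne 0 ]; then
                echo "$1 ${key%:} $val"
                bad=1
            fi ;;
        esac
    done < "$1"
    return "$bad"
}

# scan_proc ROOT BIT... : check every ROOT/<pid>/status; return 1 on any hit.
scan_proc() {
    root=$1; shift
    mask=$(caps_mask "$@")
    rc=0
    for f in "$root"/[0-9]*/status; do
        [ -r "$f" ] || continue    # process gone, or glob matched nothing
        check_status "$f" "$mask" || rc=1
    done
    return "$rc"
}

# make_sample DIR : constructed data. pid 1 has bits 16 and 17 cleared in
# every set; pid 2 still has a full bounding set.
make_sample() {
    fmt='CapInh:\t%s\nCapPrm:\t%s\nCapEff:\t%s\nCapBnd:\t%s\n' z=0000000000000000
    mkdir -p "$1/1" "$1/2"
    printf "$fmt" $z fffffffffffcffff fffffffffffcffff fffffffffffcffff > "$1/1/status"
    printf "$fmt" $z $z $z ffffffffffffffff > "$1/2/status"
}
```

On a booted system, `scan_proc /proc "$CAP_SYS_MODULE" "$CAP_SYS_RAWIO"` prints nothing and returns 0 only when every process lacks both bits in all four sets.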
Verified according to Comment #12, /proc/sys/kernel/modules_disabled was set according to configuration when rd.caps was enabled. Disabling also worked. Verified on RHEL6.1-20110420.0 x86_64 Server, dracut-004-52.el6.

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
A new module, dracut-caps, has been added to let users omit selected dracut capabilities, and set one or more sysctl parameters.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0523.html