Bug 677340 - Need new modules in dracut
Summary: Need new modules in dracut
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: dracut
Version: 6.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Harald Hoyer
QA Contact: Release Test Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-02-14 12:48 UTC by Steve Grubb
Modified: 2015-09-28 02:05 UTC (History)
CC List: 6 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A new module, dracut-caps has been added to let users omit selected dracut capabilities, and set one or more sysctl parameters.
Clone Of:
Environment:
Last Closed: 2011-05-19 11:54:19 UTC
Target Upstream Version:
Embargoed:
Links
Red Hat Product Errata RHBA-2011:0523 (normal, SHIPPED_LIVE): dracut bug fix and enhancement update, last updated 2011-05-18 17:44:57 UTC

Description Steve Grubb 2011-02-14 12:48:35 UTC
Description of problem:
We need a module or modules that can: 1) drop selected capabilities, 2) set one or more sysctl. We will add some more details later.

Comment 1 Harald Hoyer 2011-02-17 07:27:49 UTC
(In reply to comment #0)
> Description of problem:
> We need a module or modules that can: 1) drop selected capabilities, 2) set one
> or more sysctl. We will add some more details later.

need more details for devel_ack

1) how is this done?
2) I could add a kernel command line parameter style like
   "rd.sysctl.net.ipv4.ip_forward=1"
   or copy over /etc/sysctl.conf* and run sysctl

Comment 2 Steve Grubb 2011-02-18 16:12:58 UTC
Adding Eric to this bug. I don't think we want to use sysctl.conf. There may be one or two that need to be applied immediately during boot. If we could put them into a config file under /etc/dracut.conf.d/ or as args to a small program that would be ideal.

Comment 3 Eric Paris 2011-02-18 16:38:05 UTC
So we need to do a couple of things inside the initrd.  We cannot trust the root partition whatsoever.

1) make sure the 'required' kernel modules are loaded.  How we determine what is 'required' I'm not sure, but a config file (inside the initrd) is the only way I can think of.....

2) we need to set the sysctls kernel.modules_disabled and kernel.kexec_disabled

3) before we launch the real init we need to drop CAP_SYS_MODULE and CAP_SYS_RAWIO from both the bset and pI.  I'm sure sgrubb can provide a small snippet of C to do this.

4) we need to set the sysctls with specific values for a new interface kernel.khelper.bset and kernel.khelper.inherited.  This interface takes an array of base 10 ints, but the value we pass to it needs to have CAP_SYS_MODULE and CAP_SYS_RAWIO dropped.  As soon as the interface is submitted in final form I'll include a snippet.

Comment 4 Steve Grubb 2011-02-18 16:57:03 UTC
And setting the sysctls can be done with echo or something equally simple. It would not be a problem to require it being specified as a /proc/sys entry.

Comment 5 Harald Hoyer 2011-02-18 17:05:01 UTC
(In reply to comment #3)
> So we need to do a couple of things inside the initrd.  We cannot trust the
> root partition what so ever.
> 
> 1) make sure the 'required' kernel modules are loaded.  How we determine what
> is 'required' i'm not sure, but a config file (inside the initrd) is the only
> way I can think of.....

feels like the fips module..

http://dracut.git.sourceforge.net/git/gitweb.cgi?p=dracut/dracut;a=tree;f=modules.d/01fips

    info "Loading and integrity checking all crypto modules"
    for module in $FIPSMODULES; do
        if [ "$module" != "tcrypt" ]; then
            modprobe ${module} || return 1
        fi
    done
    info "Self testing crypto algorithms"
    modprobe tcrypt noexit=1 || return 1
    rmmod tcrypt
    info "All initrd crypto checks done"

Comment 7 Harald Hoyer 2011-03-03 15:13:53 UTC
(In reply to comment #3)

> 3) before we launch the real init we need to drop CAP_SYS_MODULE and
> CAP_SYS_RAWIO from both the bset and pI.  I'm sure sgrubb can provide a small
> snippet of C to do this.
> 
> 4) we need to set the sysctls with specific values for a new interface
> kernel.khelper.bset and kernel.khelper.inherited.  This interface takes an
> array of base 10 ints, but the value we pass to it needs to have CAP_SYS_MODULE
> and CAP_SYS_RAWIO dropped.  As soon as the interface is submitted in final form
> I'll include a snippet.

Hmm.. dracut is _noarch_

Comment 8 Steve Grubb 2011-03-03 15:26:56 UTC
libcap-ng has python bindings if that's what you need.

Comment 9 Harald Hoyer 2011-03-03 15:39:52 UTC
(In reply to comment #8)
> libcap-ng has python bindings if that's what you need.

NO! I will never pull in python in the initramfs, just to set some CAP... better write a small C util and put it in util-linux-ng.

Comment 10 Eric Paris 2011-03-03 15:45:10 UTC
hmmmm, so 4) can be done with "echo" no worries.  But 3 is going to require compiled code.

Steve, what do you think of writing an exec wrapper helper program which takes as arguments 'allowed or denied capabilities' and a program, it will just drop those caps and then exec the program in question.  dracut could then use this program to exec init if so configured....
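
The wrapper described above, written out as an added example (this is not dracut's code and not what the bug reporters shipped; the capability name table and the tool name "capdrop" are constructed for the illustration). It drops the named capabilities from the bounding set and the inheritable set via the raw prctl/capget/capset interfaces, then execs the target program, and refuses to exec at all if any step fails.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>
/* Name table limited to the capabilities this bug discusses (constructed). */
static const struct { const char *name; int bit; } cap_names[] = {
    { "cap_sys_module", CAP_SYS_MODULE }, { "cap_sys_rawio", CAP_SYS_RAWIO },
};
/* Parse "cap_sys_module,cap_sys_rawio" into a bitmask: 0 on success, -1 on an
 * unknown name or an over-long list (a bad config must fail, not be ignored). */
int parse_caps(const char *list, uint64_t *mask)
{
    char buf[256], *tok;
    size_t i, n = sizeof cap_names / sizeof cap_names[0];
    *mask = 0;
    if (snprintf(buf, sizeof buf, "%s", list) >= (int)sizeof buf) return -1;
    for (tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        for (i = 0; i < n && strcmp(tok, cap_names[i].name) != 0; i++) ;
        if (i == n) return -1;
        *mask |= 1ULL << cap_names[i].bit;
    }
    return 0;
}
/* Drop each bit in mask from the bounding set (prctl) and the inheritable set
 * (capset), so nothing exec'd afterwards can regain it. Needs CAP_SETPCAP. */
int drop_caps(uint64_t mask)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    for (int bit = 0; bit < 64; bit++)
        if (((mask >> bit) & 1) && prctl(PR_CAPBSET_DROP, bit, 0, 0, 0) < 0) return -1;
    if (syscall(SYS_capget, &hdr, data) < 0) return -1;
    data[0].inheritable &= ~(uint32_t)mask;
    data[1].inheritable &= ~(uint32_t)(mask >> 32);
    return syscall(SYS_capset, &hdr, data) < 0 ? -1 : 0;
}
/* Usage: capdrop cap_sys_module,cap_sys_rawio /sbin/init [args...] */
int main(int argc, char **argv)
{
    uint64_t mask;
    if (argc < 3 || parse_caps(argv[1], &mask) < 0) return 2;
    if (drop_caps(mask) < 0) { perror("drop_caps"); return 1; }  /* fail closed */
    execvp(argv[2], argv + 2);  /* only returns on failure */
    perror("execvp"); return 1;
}
```

Because capabilities are inherited across exec but never regained once removed from the bounding set, running the real init through such a wrapper from the initramfs keeps the dropped bits out of every process on the system.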

Comment 11 Steve Grubb 2011-03-03 15:56:56 UTC
Eric, maybe /usr/sbin/capsh from libcap?

Comment 12 Harald Hoyer 2011-03-09 21:12:04 UTC
Here is something for you to test:
http://people.redhat.com/harald/downloads/dracut/dracut-004-44/

Install dracut-caps

create caps.conf

# cat caps.conf
rd.caps=1 
rd.caps.initdrop=cap_sys_module,cap_sys_rawio 
rd.caps.disablemodules=1 
rd.caps.disablekexec=1
rdloaddriver=autofs4,sunrpc,ipt_REJECT,nf_conntrack_ipv4,nf_defrag_ipv4,iptable_filter,ip_tables,ip6t_REJECT,nf_conntrack_ipv6,nf_defrag_ipv6,xt_state,nf_conntrack,ip6table_filter,ip6_tables,dm_mirror,dm_region_hash,dm_log,uinput,ppdev,parport_pc,parport,ipv6,sg,8139too,8139cp,mii,i2c_piix4,i2c_core,ext3,jbd,mbcache,sd_mod,crc_t10dif,sr_mod,cdrom,ata_generic,pata_acpi,ata_piix,dm_mod 

# dracut -i caps.conf /etc/cmdline -a caps --add-drivers "autofs4 sunrpc ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4 iptable_filter ip_tables ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables dm_mirror dm_region_hash dm_log uinput ppdev parport_pc parport ipv6 sg 8139too 8139cp mii i2c_piix4 i2c_core ext3 jbd mbcache sd_mod crc_t10dif sr_mod cdrom ata_generic pata_acpi ata_piix dm_mod" -f /boot/initramfs-caps.img 

boot from /boot/initramfs-caps.img 

Your kernel modules may vary :-) I just booted without dropping caps and did "lsmod" to get the list.

I would have written the caps.conf contents on the kernel command line, but somehow only 240 chars ended up in /proc/cmdline!!

So, we (might) have to go via $initramfs/etc/cmdline as shown with caps.conf and "-i caps.conf /etc/cmdline"

"rd.caps=0" on the kernel command line turns the module off.

Comment 14 Eric Paris 2011-03-11 22:20:55 UTC
I was playing with this some more today and I think we need to change the order this happens.  I want this to happen before we do any work that uses the root filesystem.  I don't know what all work we do inside the initrd that uses the root filesystem, but at the very least we load the selinux policy.  At the very least we could craft an selinux policy inside the root filesystem that denies us permission to make these changes.  After the machine was up we could change the selinux policy and then proceed as if these modules had never run.

Would it be possible to both check to make sure that every call was a success and panic if not, as well as move the place we do these checks before the root filesystem is used?

Comment 16 Eric Paris 2011-03-11 23:14:01 UTC
So it seems like maybe I have a problem and the module isn't working.  I've got:

rd.loaddriver=nfs,lockd,fscache,nfs_acl,auth_rpcgss,autofs4,sunrpc ....

and ran dracut with

--add-drivers "nfs lockd fscache nfs_acl auth_rpcgss autofs4 sunrpc .....

But when the machine comes up the nfs module isn't loaded....

How can I debug?

Comment 17 Harald Hoyer 2011-03-14 16:03:03 UTC
(In reply to comment #16)
> So it seems like maybe I have a problem and the module isn't working.  I've
> got:
> 
> rd.loaddriver=nfs,lockd,fscache,nfs_acl,auth_rpcgss,autofs4,sunrpc ....

it's rdloaddriver not rd.loaddriver ... sorry for the inconsistency here.

> 
> and ran dracut with
> 
> --add-drivers "nfs lockd fscache nfs_acl auth_rpcgss autofs4 sunrpc .....
> 
> But when the machine comes up the nfs module isn't loaded....
> 
> How can I debug?

http://people.redhat.com/harald/dracut-rhel6.html#troubleshooting

Comment 18 Harald Hoyer 2011-03-14 16:04:23 UTC
(In reply to comment #17)
> (In reply to comment #16)
> > So it seems like maybe I have a problem and the module isn't working.  I've
> > got:
> > 
> > rd.loaddriver=nfs,lockd,fscache,nfs_acl,auth_rpcgss,autofs4,sunrpc ....
> 
> it's rdloaddriver not rd.loaddriver ... sorry for the inconsistency here.

and for F15 it will be rd.driver.pre=... (introduced consistency here with rd.driver.{pre,post,blacklist}).

Comment 24 Pavel Holica 2011-04-07 08:43:27 UTC
Hello,
can you please give instructions for QA how to test this?

Comment 25 Eric Paris 2011-04-07 13:23:24 UTC
The test instructions are in comment #12.  If you boot a system following those instructions you should be able to look at the capability bits seen in /proc/*/status.  If ANY process has bits in CapEff CapPrm CapInh CapBnd which were supposed to be dropped according to the configuration it didn't work.  If every process is lacking those bits it worked.

Comment 27 Pavel Holica 2011-04-27 10:43:06 UTC
Verified according to Comment #12, /proc/sys/kernel/modules_disabled was set according to configuration when rd.caps was enabled. Disabling also worked.

Verified on RHEL6.1-20110420.0 x86_64 Server, dracut-004-52.el6.

Comment 29 Laura Bailey 2011-05-05 07:24:43 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
A new module, dracut-caps has been added to let users omit selected dracut capabilities, and set one or more sysctl parameters.

Comment 30 errata-xmlrpc 2011-05-19 11:54:19 UTC
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0523.html

