Isolated bootup using cap_sys_mount
I wrote about a kernel patch created by Nicolas, to split mount/umount capability out of cap_sys_admin:
http://bkhome.org/news/201805/improving-linux-capabilities.html
However, the patch does not work quite how I want it to. It requires
that cap_sys_admin be disabled first; only then can cap_sys_mount be
enabled or disabled, depending on whether we want to be able to
mount/umount or not.
Disabling cap_sys_admin takes away a lot of administration rights,
and I have a scenario where I want to retain those rights and only want
to drop cap_sys_mount. So, I have modified the patch to make
cap_sys_mount independent of cap_sys_admin. I am not 100% certain that I
did it correctly, but it does work.
I have compiled kernel 4.14.44 with the modified patch. All sources including patches are here:
http://distro.ibiblio.org/easyos/source/kernel/4.14.44/
I have conducted a preliminary experiment, something useful. We are
all becoming increasingly paranoid about security, and this little
experiment is a very simple and neat way of booting EasyOS so that it is
isolated....
When booting Easy from a USB stick, or any partition for that matter,
the kernel loads file 'initrd.q' which is the initramfs, and runs
script '/init' inside the initramfs. This script does various things,
and at the end performs a switch_root into the working partition.
Now, the really neat thing: if we drop the cap_sys_mount capability when
performing the switch_root, Easy will run but cannot mount or unmount
anything. Nothing. The working partition is already mounted, which would
be the second partition on the USB stick if booted from a USB stick,
and that is all that can be accessed. For the drop to stick, the bit has
to come out of the capability bounding set, not just the init process's
own effective set: a process running as uid 0 has its permitted
capabilities refilled from the bounding set at every exec, so removing
cap_sys_mount from the bounding set before the exec of the new init is
what keeps every later process from ever having it.
This is like we have made all of Easy into one big container.
A scenario where this is useful: you boot up from a USB stick and
nobody, not even you, can access any partition on the computer.
You are completely isolated. But what if you do want to access a hard
drive partition? -- the syslinux/refind boot menu can have menu choices
for isolated bootup or full-access normal bootup. So it would require a
reboot, but that might be a small price to pay for the security.
Note, for this to be really secure, the boot-partition has to be
different from the working-partition: the working partition stays
mounted and writable, so the kernel and initramfs that perform the drop
must not live on it. This is the case when booting from a USB stick, and
can also be achieved when installing Easy to an internal hard drive.
For those who are not familiar with Puppy Linux and derivatives, in
most of the pups we run as root, the administrator. We have the option
of running network apps, such as a browser, as user 'spot', and in the
case of Easy, in a restricted container.
The situation I am describing here is that we are still running as
root. Linux capabilities are a mechanism to selectively drop root's
privileges, even to the extent that a root process has fewer rights than
a non-root user. Dropping just cap_sys_mount means that we are still
running with all the other root privileges, just unable to mount or
unmount any filesystem.
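The drop that the switch_root step and the paragraph above rely on, as an added example that is not EasyOS code nor its init script: a small C program that removes one capability from the bounding set (so the exec'd init and everything after it cannot regain it) and from the process's own effective, permitted and inheritable sets, then reads the result back from /proc/self/status. The capability number is a parameter because cap_sys_mount exists only in the patched kernel; 21 (CAP_SYS_ADMIN) serves for trying it on a stock kernel. The /proc/self/status sample embedded in the block is constructed, and the program name capdrop is an assumption.

```c
/* Added example, not EasyOS code: drop one capability from the bounding set and
 * from this process's own sets, then read the result back from /proc/self/status.
 * cap_sys_mount exists only in the patched kernel, so the number is a parameter. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>
#endif
#define HEXDIGITS "0123456789abcdefABCDEF"

/* Constructed sample of the capability lines a 4.14 kernel prints in
 * /proc/PID/status (38 capabilities, full mask 0x3fffffffff), with bit 21
 * already removed from the bounding set. */
const char SAMPLE_STATUS[] =
    "Name:\tinit\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000003fffffffff\n"
    "CapEff:\t0000003fffffffff\n"
    "CapBnd:\t0000003fffdfffff\n"
    "CapAmb:\t0000000000000000\n";

/* 1 if bit `cap` is set in a /proc-style hex mask, 0 if clear, -1 if malformed. */
int cap_in_mask(const char *hexmask, int cap)
{
    size_t len = strlen(hexmask);
    if (cap < 0 || len == 0 || len > 16 || strspn(hexmask, HEXDIGITS) != len)
        return -1;
    unsigned long long mask = strtoull(hexmask, NULL, 16);
    return cap >= 64 ? 0 : (int)((mask >> cap) & 1ULL);
}

/* Test bit `cap` of the "<field>:<hex>" line (field e.g. "CapBnd") in a status
 * text; -1 if the field is absent or malformed.  The name must start a line. */
int cap_in_status(const char *status, const char *field, int cap)
{
    size_t flen = strlen(field), n;
    const char *p = status;
    char hex[17];
    while ((p = strstr(p, field)) && !((p == status || p[-1] == '\n') && p[flen] == ':'))
        p += flen;
    if (!p)
        return -1;
    p += flen + 1 + strspn(p + flen + 1, " \t");
    n = strspn(p, HEXDIGITS);
    if (n == 0 || n > 16)
        return -1;
    memcpy(hex, p, n);
    hex[n] = '\0';
    return cap_in_mask(hex, cap);
}

#ifdef __linux__
/* Remove `cap` from the bounding set and from the effective/permitted/
 * inheritable sets.  The bounding-set drop is what makes it stick across the
 * exec done for switch_root: a uid 0 process has its permitted set refilled
 * from the bounding set at every exec (default securebits).  Needs CAP_SETPCAP. */
int drop_cap_everywhere(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { { 0, 0, 0 }, { 0, 0, 0 } };
    unsigned int bit;
    if (cap < 0 || cap > 63)
        return -EINVAL;
    if (prctl(PR_CAPBSET_DROP, (unsigned long)cap, 0UL, 0UL, 0UL) == -1 ||
        syscall(SYS_capget, &hdr, data) == -1)
        return -errno;
    bit = 1U << (cap % 32);
    data[cap / 32].effective &= ~bit;
    data[cap / 32].permitted &= ~bit;
    data[cap / 32].inheritable &= ~bit;
    return syscall(SYS_capset, &hdr, data) == -1 ? -errno : 0;
}
#endif
/* Usage: ./capdrop <capnum> [command ...]  -- drop, report, then exec the
 * command (as an init script execs switch_root) so later processes inherit it. */
int main(int argc, char **argv)
{
#ifdef __linux__
    static char st[8192];
    int cap = argc > 1 ? atoi(argv[1]) : 21, rc = drop_cap_everywhere(cap);
    FILE *f = fopen("/proc/self/status", "r");
    if (rc)
        fprintf(stderr, "drop failed: %s (CAP_SETPCAP needed)\n", strerror(-rc));
    if (f) {
        st[fread(st, 1, sizeof st - 1, f)] = '\0';
        fclose(f);
        printf("cap %d: CapBnd=%d CapEff=%d\n", cap,
               cap_in_status(st, "CapBnd", cap), cap_in_status(st, "CapEff", cap));
    }
    if (argc > 2)
        execvp(argv[2], argv + 2);   /* returns only on failure */
    return argc > 2;
#else
    (void)argc; (void)argv; return 1;
#endif
}
```

Run as root, `./capdrop 21 /bin/sh` gives a shell whose CapBnd line in /proc/self/status lacks bit 21, and any program started from that shell shows the same, which is the property the switch_root step needs. Run unprivileged, the prctl fails with EPERM because CAP_SETPCAP is missing, and the program reports that rather than silently continuing.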
Some more technical details, for the developer reading this: /tmp,
/proc, /sys, etc. are mounted before the switch_root. Shutdown will be a
bit dirty, as nothing can be unmounted; a sync before poweroff still
flushes the page cache, but the filesystems are left marked as not
cleanly unmounted. Nothing can be run in a container either, since
setting one up needs mounts. I'm going to explore a simplified Easy
where the working-partition is zram (running in RAM).
I really like this. I will post more details, and expect it in the next release of Easy.
Tags: easy