Kernel 5.2.7 with cap_sys_mount patch
I posted about an experiment in May 2018 to drop Linux Capabilities prior to switch_root:
http://bkhome.org/news/201805/isolated-bootup-using-capsysmount.html
I thought it was very interesting, but took it no further.
Now, I have applied a modified patch to the 5.2.7 kernel. This patch
adds Linux Capability 'cap_sys_mount', but does not remove it from
'cap_sys_admin'. That is, if the cap_sys_admin capability is dropped, so too
will be the ability to mount and unmount partitions. I wanted
cap_sys_admin to work as before. Now though, mount/unmount capability
can be individually dropped, by dropping cap_sys_mount and keeping
cap_sys_admin.
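One way to confirm from userspace that the drop took effect, as an added example (not code from this post or from EasyOS): it parses a capability mask from /proc/<pid>/status and applies the rule described above, that mounting needs both cap_sys_admin and cap_sys_mount. The bit number 38 for cap_sys_mount is an assumption, as the post does not state it; take the real value from the patched linux/capability.h.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_ADMIN_BIT 21 /* CAP_SYS_ADMIN in linux/capability.h */
#define CAP_SYS_MOUNT_BIT 38 /* ASSUMPTION: placeholder, read it from the patched header */

/* Find "<field>:\t<hex>" in /proc/<pid>/status text; 0 on success, -1 if absent. */
int cap_mask(const char *status, const char *field, uint64_t *out)
{
    size_t n = strlen(field);
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, field, n) == 0 && p[n] == ':') {
            char *end;
            *out = strtoull(p + n + 1, &end, 16);
            return end == p + n + 1 ? -1 : 0;
        }
        p = strchr(p, '\n');      /* advance to the next line */
        if (p) p++;
    }
    return -1;
}

/* Rule from the post: mount/unmount needs BOTH capabilities.
 * Returns 1 = mount possible, 0 = mount dropped, -1 = field not found. */
int mount_allowed_from_status(const char *status, const char *field)
{
    uint64_t mask;
    uint64_t need = (1ULL << CAP_SYS_ADMIN_BIT) | (1ULL << CAP_SYS_MOUNT_BIT);
    if (cap_mask(status, field, &mask) != 0)
        return -1;
    return (mask & need) == need;
}

int main(void)
{
    static char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return 1;
    size_t len = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[len] = '\0';
    printf("bounding set allows mount: %d\n", mount_allowed_from_status(buf, "CapBnd"));
    return 0;
}
```

On a kernel without the patch the assumed bit is never set, so the program reports 0 there.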
Kernel source is here:
http://distro.ibiblio.org/easyos/source/kernel/5.2.7/
The kernel PET is here:
The plan is to offer an option to drop mount/unmount capability in the early boot menu.
Tags: easy