
Isolated bootup using cap_sys_mount

May 30, 2018 — BarryK

I wrote about a kernel patch created by Nicolas, to split mount/umount capability out of cap_sys_admin:

http://bkhome.org/news/201805/improving-linux-capabilities.html

However, the patch does not work quite how I want it to. It requires that cap_sys_admin be disabled first; only then can cap_sys_mount be enabled or disabled, depending on whether we want to be able to mount/umount or not.

Disabling cap_sys_admin takes away a lot of administration rights, and I have a scenario where I want to retain those rights and only want to drop cap_sys_mount. So, I have modified the patch to make cap_sys_mount independent of cap_sys_admin. I am not 100% certain that I did it correctly, but it does work.

I have compiled kernel 4.14.44 with the modified patch. All sources including patches are here:

http://distro.ibiblio.org/easyos/source/kernel/4.14.44/

I have conducted a preliminary experiment, something useful. We are all becoming increasingly paranoid about security, and this little experiment is a very simple and neat way of booting EasyOS so that it is isolated....

When booting Easy from a USB stick, or any partition for that matter, the kernel loads file 'initrd.q' which is the initramfs, and runs script '/init' inside the initramfs. This script does various things, and at the end performs a switch_root into the working partition.

Now, the really neat thing: if we drop the cap_sys_mount capability when performing the switch_root, Easy will run but cannot mount or unmount anything. Nothing. The working partition is already mounted (the second partition on the USB stick, if booted from a USB stick), and that is all that can be accessed.
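To make the mechanism concrete, here is an added example (my own illustration, not EasyOS's /init script or the patch itself): a small C helper that an initramfs /init could exec in place of plain switch_root. It checks that the running kernel knows the capability, drops it from the bounding set, verifies the drop, and only then execs switch_root; the CAP_SYS_MOUNT number and the program name are assumptions, since the post does not give them.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <unistd.h>
#include <linux/capability.h>

/* cap_sys_mount exists only in the patched kernel and the post does not give
 * its number: placeholder, build with -DCAP_SYS_MOUNT=<n> from the patched
 * include/uapi/linux/capability.h. */
#ifndef CAP_SYS_MOUNT
#define CAP_SYS_MOUNT 38
#endif

/* 1 if cap is in the bounding set, 0 if not, -1 (EINVAL) if the running
 * kernel does not know that capability number at all. */
int cap_in_bounding_set(int cap) {
    return prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
}

/* Remove cap from the bounding set (needs CAP_SETPCAP). The calling process
 * keeps it until exec, but nothing exec'd afterwards, root or file caps
 * included, can regain it: that is what makes the isolation stick. */
int drop_bounding_cap(int cap) {
    return prctl(PR_CAPBSET_DROP, cap, 0, 0, 0);
}

/* True only when the kernel reports the capability is really gone. */
int verify_dropped(int cap) {
    return cap_in_bounding_set(cap) == 0;
}

/* From the initramfs /init: exec ./isolated_switch_root /new_root /sbin/init */
int main(int argc, char **argv) {
    if (argc < 3) { fprintf(stderr, "usage: %s <newroot> <init> [args...]\n", argv[0]); return 2; }
    if (cap_in_bounding_set(CAP_SYS_MOUNT) < 0) {
        /* Unpatched kernel: fail closed rather than boot without isolation. */
        fprintf(stderr, "no capability %d here: %s\n", CAP_SYS_MOUNT, strerror(errno));
        return 1;
    }
    if (drop_bounding_cap(CAP_SYS_MOUNT) != 0 || !verify_dropped(CAP_SYS_MOUNT)) {
        fprintf(stderr, "cannot drop capability %d: %s\n", CAP_SYS_MOUNT, strerror(errno));
        return 1;
    }
    argv[0] = "switch_root";      /* argv[1..] are already newroot, init, args */
    execvp("switch_root", argv);
    perror("execvp switch_root"); /* only reached if the exec itself failed */
    return 1;
}
```

Because the drop is made to the bounding set, it also applies to every process the new init later spawns, which is exactly the "cannot mount anything, not even as root" behaviour described above.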

This is like we have made all of Easy into one big container.

A scenario where this is useful: you boot up from a USB stick and nobody, not even yourself, can access any partitions on the computer. You are completely isolated. But what if you did want to access a hard drive partition? The syslinux/refind boot menu can have menu choices for an isolated bootup or a full-access normal bootup. So it would require a reboot, but this might be a small price to pay for the security.

Note, for this to be really secure, the boot-partition has to be different from the working-partition. This is the case when booting from a USB stick, and can also be achieved by installing Easy to an internal hard drive.

For those who are not familiar with Puppy Linux and derivatives: in most of the pups we run as root, the administrator. We have the option of running network apps, such as a browser, as user 'spot', and in the case of Easy, in a restricted container.
In the situation that I am describing here, we are still running as root. Linux capabilities are a mechanism to selectively drop root capabilities, even to the extent that root has fewer rights than a non-root user. Dropping only cap_sys_mount means that we are still running with full root privileges, just unable to mount/unmount any filesystems.

Some more technical details, for the developer reading this: /tmp, /proc, /sys, etc. are mounted before the switch_root. Shutdown will be a bit dirty, as it will be unable to unmount anything. It won't be able to run anything in a container either. I'm going to explore a simplified Easy where the working-partition is zram (running in RAM).

I really like this. I will post more details, and expect it in the next release of Easy.

Tags: easy