
Lockdown turned on inside initrd

August 20, 2020 — BarryK

Up until now, the boot choice "Copy session to RAM & disable drives" booted with kernel parameters "qfix=lock2 lockdown=confidentiality". Well, that is the case when that option is chosen from the rEFInd or Syslinux menus. However, when chosen from the Shutdown menu, which creates file '.lockdown.flg' that the 'init' script reads at the next bootup, it is impractical to insert those kernel boot parameters.

So now, lockdown is achieved inside the 'init' script in the initrd. Near the end of the 'init' script, just before the switch_root, firstly securityfs is mounted:

mount -t securityfs securityfs /easy_new/sys/kernel/security #200820

Here /easy_new is the folder with the aufs layered filesystem, which will become "/" after switch_root.

Then, just before switch_root and dropping of Linux capabilities:

echo confidentiality > /easy_new/sys/kernel/security/lockdown #200820

Haven't actually tried it yet!
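One way to check that the write took effect, as an added example that is not part of the EasyOS 'init' script: reading the lockdown file back lists the modes with the active one in brackets, for example "none integrity [confidentiality]". The function names here are hypothetical, and the code assumes securityfs is already mounted under the given root.

```shell
# Added example, not EasyOS code. All function names are hypothetical.

# Rank the three modes that the kernel's lockdown file lists.
lockdown_rank() {
    case "$1" in
        none) echo 0 ;;
        integrity) echo 1 ;;
        confidentiality) echo 2 ;;
        *) return 1 ;;
    esac
}

# Print the active mode; the kernel brackets it: "none integrity [confidentiality]".
active_lockdown_mode() {
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$1"
}

# lockdown_at_least FILE MODE: succeed if the active mode is MODE or stricter.
lockdown_at_least() {
    have=$(active_lockdown_mode "$1") || return 1
    h=$(lockdown_rank "$have") || return 1
    w=$(lockdown_rank "$2") || return 1
    [ "$h" -ge "$w" ]
}

# ensure_lockdown ROOT MODE: raise lockdown under ROOT, then read it back.
# Returns 0 = verified, 1 = write did not take effect, 2 = lockdown file missing.
ensure_lockdown() {
    f="$1/sys/kernel/security/lockdown"
    if [ ! -r "$f" ]; then
        echo "lockdown: $f missing (securityfs not mounted, or no lockdown LSM)" >&2
        return 2
    fi
    # The kernel only allows the level to be raised, so skip the write
    # when the active mode already satisfies the request.
    lockdown_at_least "$f" "$2" && return 0
    { echo "$2" > "$f"; } 2>/dev/null || :
    if ! lockdown_at_least "$f" "$2"; then
        echo "lockdown: wanted '$2', active is '$(active_lockdown_mode "$f")'" >&2
        return 1
    fi
}
```

In an initrd this would be called as `ensure_lockdown /easy_new confidentiality` just before switch_root, with a non-zero return treated as a failed lockdown.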

Note, I have just compiled kernel 5.4.59 and intend it for the next release. The only change is that the "Yama" LSM is enabled and the "Integrity" LSM is disabled.

Tags: easy