site  contact  subhomenews

Disable drives for multisession EasyPup

November 29, 2020 — BarryK

I promised another "goodie"! Here are the previous two:

...except, have put zram compression on-hold for now, as ran into a problem with switch_root failing, and haven't as yet determined why. So staying with uncompressed files when they are read in from the DVD.

Recently I received an email with a request. Can't think of the person's name, it is there in my mind... if you are reading this, apologies for not recalling your name, send me a reminder on the "Contact me" form.

Anyway, the person wanted to stay with EasyPup, wasn't interested in all that container stuff, but he did like the ability of EasyOS to bootup with everything in RAM and all drives disabled -- with saving possible to a removable drive by plugging it in. The request was, could I implement that feature, of disabling all drives, in EasyPup.

I replied in the negative, as didn't want to commit to doing any development work on EasyPup.

But now I am on a roll, adding goodies to EasyPup, so have added disabling of drives as well.

I see it as a very nice feature with multisession-DVD. All that you have to do is create an empty file /root/.lockdown.flg, save the session at shutdown, then at next bootup, all drives cannot be accessed, except for the optical drive.

Running in RAM, still able to save session to DVD, but the internal drives in the PC are completely inaccessible. Very simple. Just like EasyOS, if you do want to save elsewhere, plug in a USB stick, and can mount and save to it.

Implementation was very simple. In the 'init' script in the initrd.gz, the switch_root was modified like this:

EDIT 2020-11-29:
Lockdown can be tightened. Instead of only "cap_mknod", I have added the kernel boot parameter "lockdown=confidentiality". This requires a kernel 5.4 or later. See code in green:

#20201129 need this for lockdown=confidentiality
mount -t securityfs securityfs /pup_new/sys/kernel/security

if [ -e /pup_new/root/.lockdown.flg ];then #20201129
#remove the device nodes...
rm -rf /pup_new/root/.pup_event/drive_mm* 2>/dev/null
rm -rf /pup_new/root/.pup_event/drive_nv* 2>/dev/null
rm -rf /pup_new/root/.pup_event/drive_sd* 2>/dev/null
rm -f /pup_new/dev/mm* 2>/dev/null
rm -f /pup_new/dev/nv* 2>/dev/null
rm -f /pup_new/dev/sd* 2>/dev/null
#instead of "lockdown=confidentiality" boot param, can do it this way...
echo confidentiality > /pup_new/sys/kernel/security/lockdown

#drop capbilities when switch_root...
#capsh --drop=cap_mknod -- -c "exec switch_root /pup_new /sbin/init"
#this is another way of doing it...
exec switch_root /pup_new /sbin/capsh --drop=cap_mknod -- -c "exec /sbin/init"
exec switch_root /pup_new /sbin/init

...I only dropped "cap_mknod", so applications cannot create device nodes, however, could drop more Linux Capabilities if want to lockdown even more.

Haven't done it yet, but there will be checkbox to create /root/.lockdown.flg when save the session. Or, untick the checkbox will remove it. 

Tags: easy