Disable drives for multisession EasyPup
I promised another "goodie"! Here are the previous two:
https://bkhome.org/news/202011/multisession-dvd-with-zisofs-compression.html
https://bkhome.org/news/202011/easypup-zram-compression-in-ram.html
...except that I have put zram compression on hold for now, as I ran into a
problem with switch_root failing, and haven't as yet determined why. So
staying with uncompressed files when they are read in from the DVD.
Recently I received an email with a request. Can't think of the
person's name, it is there in my mind... if you are reading this,
apologies for not recalling your name, send me a reminder on the
"Contact me" form.
Anyway, the person wanted to stay with EasyPup, wasn't interested in
all that container stuff, but he did like the ability of EasyOS to
bootup with everything in RAM and all drives disabled -- with saving
possible to a removable drive by plugging it in. The request was, could I
implement that feature, of disabling all drives, in EasyPup.
I replied in the negative, as I didn't want to commit to doing any development work on EasyPup.
But now I am on a roll, adding goodies to EasyPup, so have added disabling of drives as well.
I see it as a very nice feature with multisession-DVD. All that you
have to do is create an empty file /root/.lockdown.flg and save the session
at shutdown; at the next bootup none of the drives can be accessed, except
for the optical drive.
Running in RAM, still able to save the session to DVD, but the internal
drives in the PC are completely inaccessible. Very simple. Just like
EasyOS, if you do want to save elsewhere, plug in a USB stick, and you can
mount and save to it.
Implementation was very simple. In the 'init' script in the initrd.gz, the switch_root was modified like this:
EDIT 2020-11-29:
Lockdown can be tightened. Instead of only dropping "cap_mknod", I have added the
kernel boot parameter "lockdown=confidentiality". This requires kernel
5.4 or later. See the code below (the lines added on 2020-11-29 are commented with the date):
    #20201129 need this for lockdown=confidentiality
    mount -t securityfs securityfs /pup_new/sys/kernel/security
    if [ -e /pup_new/root/.lockdown.flg ];then #20201129
        #remove the device nodes...
        rm -rf /pup_new/root/.pup_event/drive_mm* 2>/dev/null
        rm -rf /pup_new/root/.pup_event/drive_nv* 2>/dev/null
        rm -rf /pup_new/root/.pup_event/drive_sd* 2>/dev/null
        rm -f /pup_new/dev/mm* 2>/dev/null
        rm -f /pup_new/dev/nv* 2>/dev/null
        rm -f /pup_new/dev/sd* 2>/dev/null
        #instead of "lockdown=confidentiality" boot param, can do it this way...
        echo confidentiality > /pup_new/sys/kernel/security/lockdown
        #drop capabilities when switch_root...
        #capsh --drop=cap_mknod -- -c "exec switch_root /pup_new /sbin/init"
        #this is another way of doing it...
        exec switch_root /pup_new /sbin/capsh --drop=cap_mknod -- -c "exec /sbin/init"
    else
        exec switch_root /pup_new /sbin/init
    fi
...I only dropped "cap_mknod", so applications cannot create device
nodes; more Linux capabilities could be dropped if you want to lock down
even further.
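As an added example (my own, not code from the EasyPup init script), here is a small sh script that checks from inside the booted system whether the three measures above actually took effect: the kernel is in "confidentiality" lockdown, cap_mknod is gone from PID 1's bounding set, and no /dev/sd*, /dev/nv* or /dev/mm* nodes exist. It runs on constructed sample data standing in for /sys/kernel/security/lockdown, /proc/1/status and an ls of /dev; the bit number 27 for CAP_MKNOD is the kernel's own value.

```shell
#!/bin/sh
# Post-boot check for the EasyPup lockdown described above: is the kernel in
# "confidentiality" lockdown, has cap_mknod left PID 1's bounding set, and are
# the internal drive nodes (/dev/sd*, /dev/nv*, /dev/mm*) really gone?
# Constructed sample data stands in for the live files so this runs anywhere.
CAP_MKNOD=27   # bit number of CAP_MKNOD in the kernel's capability masks

SAMPLE_LOCKDOWN='none integrity [confidentiality]'                          # /sys/kernel/security/lockdown
SAMPLE_STATUS_LOCKED="$(printf 'Name:\tinit\nCapBnd:\t0000001fff7ffffff\n')" # /proc/1/status, bit 27 clear
SAMPLE_STATUS_OPEN="$(printf 'Name:\tinit\nCapBnd:\t0000001ffffffffff\n')"   # /proc/1/status, bit 27 set
SAMPLE_DEV_LOCKED="$(printf 'null\nsr0\ntty1\nzero\n')"                      # ls /dev after lockdown
SAMPLE_DEV_OPEN="$(printf 'null\nnvme0n1\nsda\nsda1\nsr0\n')"                # ls /dev on a normal boot

# The active mode is the word in square brackets, e.g. "[confidentiality]".
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Bounding-set mask from /proc/<pid>/status text (hex digits, no 0x prefix).
capbnd_from_status() {
    printf '%s\n' "$1" | awk '/^CapBnd:/ { print $2 }'
}

# True when capability bit $2 is set in hex mask $1.
cap_in_mask() {
    [ $(( 0x$1 >> $2 & 1 )) -eq 1 ]
}

# Names in an ls /dev listing that the lockdown init is supposed to have removed.
leaked_drive_nodes() {
    printf '%s\n' "$1" | grep -E '^(sd|nv|mm)' || true
}

# Arguments: lockdown file text, /proc/1/status text, ls /dev listing.
check_lockdown() {
    mode=$(lockdown_mode "$1")
    [ "$mode" = confidentiality ] || { echo "FAIL: lockdown mode is '${mode:-unknown}'"; return 1; }
    mask=$(capbnd_from_status "$2")
    [ -n "$mask" ] || { echo "FAIL: no CapBnd line in status"; return 1; }
    cap_in_mask "$mask" "$CAP_MKNOD" && { echo "FAIL: cap_mknod still in bounding set $mask"; return 1; }
    leaked=$(leaked_drive_nodes "$3")
    [ -z "$leaked" ] || { echo "FAIL: drive nodes present:" $leaked; return 1; }
    echo "OK: confidentiality lockdown, cap_mknod dropped, no internal drive nodes"
}

# On a real EasyPup boot, pass the live data instead of the samples:
# check_lockdown "$(cat /sys/kernel/security/lockdown)" "$(cat /proc/1/status)" "$(ls /dev)"
check_lockdown "$SAMPLE_LOCKDOWN" "$SAMPLE_STATUS_LOCKED" "$SAMPLE_DEV_LOCKED"
```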
Haven't done it yet, but there will be a checkbox to create
/root/.lockdown.flg when saving the session; unticking the checkbox will
remove it.
Tags: easy