libcap-ng and pflask recompiled for patched 5.4.84 kernel
Utility 'pflask' is used in EasyContainers to run containers with various reduced capabilities, what we call "crippled root".
It has a 'libcap-ng' dependency, which is a problem, as that is compiled
for a 4.19.x kernel with un-patched Linux Capabilities. I have patched
the 5.4.84 kernel in the EasyOS Buster-series with CAP_SYS_MOUNT
capability separated from CAP_SYS_ADMIN. Note, I have also done it for the
5.10 kernel, as reported here:
https://bkhome.org/news/202012/kernel-510-lockdown-success.html
...however, the Buster-series is going to stay with the 5.4.x kernel.
A problem is that Linux Capabilities are different in the 5.10 kernel:
a few extra have been added. Each capability has a number; in the 5.4
kernel it is 0 to 37, in the 5.8 and later kernels it is 0 to 40. Look at
/usr/include/linux/capability.h
In the 5.4.x kernel CAP_SYS_MOUNT has been added as #38, and in the 5.10 kernel as #41.
'libcap' (including 'capsh' utility), 'libcap-ng' and 'pflask' all have to be recompiled for each of these kernels.
I have installed 'linux-headers-5.4.84-buster64.pet', running EasyOS
2.5.3.2 and 5.4.84 kernel, and recompiled libcap-ng and pflask -- capsh
was already ok (I had previously compiled it statically with musl, as it
is used in the initrd).
Script 'ec-chroot' in /usr/local/easy_containers has been edited. It
runs "capsh --supports=cap_sys_mount" to test whether the kernel has that patch.
If so, for the choice of dropping CAP_SYS_ADMIN in the container,
CAP_SYS_MOUNT is also dropped.
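The same decision as a small POSIX shell function, added here as an illustration and not the ec-chroot script itself. It assumes that 'capsh' is libcap's capsh and that "capsh --supports=cap_sys_mount" exits 0 only on a kernel carrying the CAP_SYS_MOUNT patch; the optional checker argument and the function names are my own.

```shell
#!/bin/sh
# Added example: extend a "crippled root" drop list so that dropping
# CAP_SYS_ADMIN also drops CAP_SYS_MOUNT on a kernel where the two have
# been separated.  Not part of EasyOS; names are hypothetical.

# kernel_has_cap NAME -> exit 0 if the running kernel knows capability NAME.
# Assumption: libcap's capsh with --supports.  If capsh is missing, or the
# kernel is unpatched, report "no"; the caller then behaves as on a stock
# kernel, which is the safe default.
kernel_has_cap() {
    command -v capsh >/dev/null 2>&1 || return 1
    capsh --supports="$1" >/dev/null 2>&1
}

# expand_drop_list "cap_a,cap_b" [checker]
# Prints the comma-separated list, appending cap_sys_mount whenever
# cap_sys_admin is in it and the checker reports that the kernel has a
# separate CAP_SYS_MOUNT.  On a patched kernel, dropping cap_sys_admin
# alone would leave the container able to mount, so both must go.
# The checker argument defaults to kernel_has_cap and exists so the
# logic can be exercised on a machine without capsh.
expand_drop_list() {
    list="$1"
    check="${2:-kernel_has_cap}"
    case ",$list," in
        *,cap_sys_admin,*)
            if "$check" cap_sys_mount; then
                case ",$list," in
                    *,cap_sys_mount,*) ;;                 # already listed
                    *) list="$list,cap_sys_mount" ;;
                esac
            fi
            ;;
    esac
    printf '%s\n' "$list"
}

# Stand-alone use: print the effective drop list for this machine.
if [ "${1:-}" != "" ]; then
    expand_drop_list "$1"
fi
```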
I will have to go through the same exercise when I move to the 5.10 kernel.
Tags: easy