1 files changed, 33 insertions, 0 deletions

diff --git a/modules.d/02caps/README b/modules.d/02caps/README
new file mode 100644
index 0000000..34e0f02
--- /dev/null
+++ b/modules.d/02caps/README
@@ -0,0 +1,33 @@
+This adds the following parameters:
+rd.caps=1
+        turn the caps module on/off
+rd.caps.initdrop=cap_sys_module,cap_sys_rawio
+        drop the specified comma separated capabilities
+rd.caps.disablemodules=1
+        turn off module loading
+rd.caps.disablekexec=1
+        turn off the kexec functionality
+
+If module loading is turned off, all modules have to be loaded in the
+initramfs, which are used later on. This can be done with
+"rd.driver.pre="
+rd.driver.pre=autofs4,sunrpc,ipt_REJECT,nf_conntrack_ipv4,....
+
+Because the kernel command line would get huge with all those drivers, I
+recommend to make use of $initramfs/etc/cmdline.
+
+So, all rd.caps.* and rd.driver.pre arguments are in caps.conf can be
+copied to $initramfs/etc/cmdline with "-i caps.conf /etc/cmdline".
+
+Also all modules have to be loaded in the initramfs via "--add-drivers".
+
+The resulting initramfs creation would look like this:
+
+  --add-drivers "autofs4 sunrpc ipt_REJECT nf_conntrack_ipv4 \
+  nf_defrag_ipv4 iptable_filter ip_tables
+  ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack
+  ip6table_filter ip6_tables dm_mirror dm_region_hash dm_log uinput ppdev
+  parport_pc parport ipv6 sg 8139too 8139cp mii i2c_piix4 i2c_core ext3
+  jbd mbcache sd_mod crc_t10dif sr_mod cdrom ata_generic pata_acpi ata_piix
+  dm_mod" \
+  /boot/initramfs-caps.img