3 files changed, 92 insertions, 0 deletions
diff --git a/modules.d/02caps/README b/modules.d/02caps/README
new file mode 100644
index 0000000..34e0f02
--- /dev/null
+++ b/modules.d/02caps/README
@@ -0,0 +1,33 @@
+This adds the following parameters:
+rd.caps=1
+        turn the caps module on/off
+rd.caps.initdrop=cap_sys_module,cap_sys_rawio
+        drop the specified comma separated capabilities
+rd.caps.disablemodules=1
+        turn off module loading
+rd.caps.disablekexec=1
+        turn off the kexec functionality
+
+If module loading is turned off, all modules have to be loaded in the
+initramfs, which are used later on. This can be done with
+"rd.driver.pre="
+rd.driver.pre=autofs4,sunrpc,ipt_REJECT,nf_conntrack_ipv4,....
+
+Because the kernel command line would get huge with all those drivers, I
+recommend to make use of $initramfs/etc/cmdline.
+
+So, all rd.caps.* and rd.driver.pre arguments are in caps.conf can be
+copied to $initramfs/etc/cmdline with "-i caps.conf /etc/cmdline".
+
+Also all modules have to be loaded in the initramfs via "--add-drivers".
+
+The resulting initramfs creation would look like this:
+
+  --add-drivers "autofs4 sunrpc ipt_REJECT nf_conntrack_ipv4 \
+  nf_defrag_ipv4 iptable_filter ip_tables
+  ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack
+  ip6table_filter ip6_tables dm_mirror dm_region_hash dm_log uinput ppdev
+  parport_pc parport ipv6 sg 8139too 8139cp mii i2c_piix4 i2c_core ext3
+  jbd mbcache sd_mod crc_t10dif sr_mod cdrom ata_generic pata_acpi ata_piix
+  dm_mod" \
+  /boot/initramfs-caps.img
diff --git a/modules.d/02caps/caps.sh b/modules.d/02caps/caps.sh
new file mode 100755
index 0000000..6c28299
--- /dev/null
+++ b/modules.d/02caps/caps.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+capsmode=$(getarg rd.caps)
+
+if [ "$capsmode" = "1" ]; then
+    CAPS_INIT_DROP=$(getarg rd.caps.initdrop=)
+    # shellcheck disable=SC2016
+    CAPS_USERMODEHELPER_BSET=$(capsh --drop="$CAPS_INIT_DROP" -- -c 'while read a b  || [ -n "$a" ]; do [ "$a" = "CapBnd:" ] && echo $((0x${b:$((${#b}-8)):8})) $((0x${b:$((${#b}-16)):8})) && break; done < /proc/self/status')
+    CAPS_MODULES_DISABLED=$(getarg rd.caps.disablemodules=)
+    CAPS_KEXEC_DISABLED=$(getarg rd.caps.disablekexec=)
+
+    info "Loading CAPS_MODULES $CAPS_MODULES"
+    for i in $CAPS_MODULES; do modprobe "$i" 2>&1 > /dev/null | vinfo; done
+
+    if [ "$CAPS_MODULES_DISABLED" = "1" -a -e /proc/sys/kernel/modules_disabled ]; then
+        info "Disabling module loading."
+        echo "$CAPS_MODULES_DISABLED" > /proc/sys/kernel/modules_disabled
+    fi
+
+    if [ "$CAPS_KEXEC_DISABLED" = "1" -a -e /proc/sys/kernel/kexec_disabled ]; then
+        info "Disabling kexec."
+        echo "$CAPS_KEXEC_DISABLED" > /proc/sys/kernel/kexec_disabled
+    fi
+
+    info "CAPS_USERMODEHELPER_BSET=$CAPS_USERMODEHELPER_BSET"
+    if [ -e /proc/sys/kernel/usermodehelper/bset ]; then
+        info "Setting usermode helper bounding set."
+        echo "$CAPS_USERMODEHELPER_BSET" > /proc/sys/kernel/usermodehelper/bset
+        echo "$CAPS_USERMODEHELPER_BSET" > /proc/sys/kernel/usermodehelper/inheritable
+    fi
+
+    echo "CAPS_INIT_DROP=\"$CAPS_INIT_DROP\"" > /etc/capsdrop
+    info "Will drop capabilities $CAPS_INIT_DROP from init."
+fi
diff --git a/modules.d/02caps/module-setup.sh b/modules.d/02caps/module-setup.sh
new file mode 100755
index 0000000..18073e2
--- /dev/null
+++ b/modules.d/02caps/module-setup.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# called by dracut
+check() {
+    require_binaries capsh
+    return 255
+}
+
+# called by dracut
+depends() {
+    echo bash
+    return 0
+}
+
+# called by dracut
+install() {
+    if ! dracut_module_included "systemd"; then
+        inst_hook pre-pivot 00 "$moddir/caps.sh"
+        inst "$(find_binary capsh 2> /dev/null)" /usr/sbin/capsh
+        # capsh wants bash and we need bash also
+        inst /bin/bash
+    else
+        dwarning "caps: does not work with systemd in the initramfs"
+    fi
+}