Re: [PATCH 0/3][try 1] init: enable system-on-initramfs

From: Stephen Smalley
Date: Thu Jul 19 2007 - 10:42:55 EST


On Thu, 2007-07-19 at 15:56 +0200, Bodo Eggert wrote:
> On Wed, 18 Jul 2007, Rob Landley wrote:
> > On Friday 13 July 2007 2:56:00 pm Bodo Eggert wrote:
>
> > > I toyed with setting up a diskless system in initramfs. In the process, I
> > > came across some things:
> > >
> > > 1) There is no way to have the kernel not mount a filesystem,
> > > unless you use /init or rdinit=.
> >
> > Er, yes. By design.
> >
> > The kernel has to run an init program in order to hand off control to
> > userspace. In initramfs, this is defined as /init. It looks in exactly one
> > documented place.
> >
> > The older root= mechanism fell back to a half-dozen places (eventually trying
> > things like /bin/sh if it couldn't find anything else). This is because
> > there wasn't a documented standard for what should be executed, like there is
> > with initramfs.
>
> Ever since I started using linux in 1997, the first program to run from an
> installed system was /sbin/init. (I might think about removing the other
> paths.)
>
> The ramfs' /init was intended for system setup, which is a separate job.
> It is not intended to be the program running the system. Mixing those two
> up just does not feel right. Setting root= in order to change the root
> directory is much more natural.
>
> > > 1a) In the process of writing these patches, I found prepare_namespace not
> > > to be called if /init is present. prepare_namespace will call
> > > security_sb_post_mountroot after mounting the root fs. I did not yet
> > > see a way to call this from /init, and grepping kinit for "security" did
> > > not help, too.
> >
> > I don't use selinux. I'm neither a Fortune 500 company nor the NSA.
>
> That's no reason for keeping bugs in that part.
>
> > However, if you don't trust your own initramfs, where everything starts out
> > running as root, you have bigger problems.
>
> Using that argument, you can deduce that nobody would need selinux at all.
> Obviously some people disagree, and maybe some of them are no fools,
> therefore we should try to DTRT for them and do the callback when it's
> supposed to happen.

Not wanting to get into any flamewars here about selinux, but just FYI:
security_sb_post_mountroot is obsolete and can be removed without harm
to selinux; it is a leftover of selinux before we moved the initial
policy load to userspace. These days, initial policy load is done
by /sbin/init in most distros that support selinux, although I'd prefer
to do it earlier from the initramfs (the Fedora folks didn't like that
idea though at the time, so /sbin/init got patched instead - but that
was back in 2003, so maybe things have changed).

--
Stephen Smalley
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/