# rd.caps on the kernel command line selects capability mode; the rest of
# the script only runs when it is "1". getarg is not defined in this file.
capsmode="$(getarg rd.caps)"
5 if [ "$capsmode" = "1" ]; then
# List of capabilities to drop from init, as given by
# rd.caps.initdrop=<list> on the kernel command line.
CAPS_INIT_DROP="$(getarg rd.caps.initdrop=)"
# Bounding set that remains after dropping CAPS_INIT_DROP, expressed the way
# the usermodehelper sysctls below expect it. capsh applies the drop and runs
# the quoted script in the shell it starts; that script finds the "CapBnd:"
# line of /proc/self/status, takes the last 8 hex digits (low 32-bit word)
# and the 8 before them (high word), and prints both as decimals, low word
# first. The ${b:offset:length} expansion is bash syntax, so the shell capsh
# execs must be bash — TODO confirm. Assumes CapBnd is at least 16 hex digits.
# If capsh fails the variable is presumably empty; that case is not handled here.
CAPS_USERMODEHELPER_BSET=$(capsh --drop="$CAPS_INIT_DROP" -- -c 'while read a b || [ -n "$a" ]; do [ "$a" = "CapBnd:" ] && echo $((0x${b:$((${#b}-8)):8})) $((0x${b:$((${#b}-16)):8})) && break; done < /proc/self/status')
# Optional hardening knobs from the kernel command line; a value of "1"
# turns the corresponding sysctl write below on, anything else is ignored.
CAPS_MODULES_DISABLED="$(getarg rd.caps.disablemodules=)"
CAPS_KEXEC_DISABLED="$(getarg rd.caps.disablekexec=)"
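# Load the modules listed in CAPS_MODULES now, before module loading may be
# disabled further down. CAPS_MODULES is not set in this file; it is expected
# to be a whitespace-separated list and is left unquoted on purpose so that it
# word-splits into one name per iteration.
info "Loading CAPS_MODULES $CAPS_MODULES"
for i in $CAPS_MODULES; do
    # Redirection order is deliberate: 2>&1 before >/dev/null sends modprobe's
    # stderr down the pipe to vinfo and discards its stdout. The name is quoted
    # so a module name is never subjected to globbing.
    modprobe "$i" 2>&1 >/dev/null | vinfo
done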
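# rd.caps.disablemodules=1: write the modules_disabled sysctl, after the
# CAPS_MODULES above have been loaded. Silently skipped when the sysctl does
# not exist. Two separate tests instead of the obsolescent "[ ... -a ... ]".
if [ "$CAPS_MODULES_DISABLED" = "1" ] && [ -e /proc/sys/kernel/modules_disabled ]; then
    info "Disabling module loading."
    # A failed write would otherwise leave module loading enabled without
    # any trace in the log.
    echo "$CAPS_MODULES_DISABLED" > /proc/sys/kernel/modules_disabled \
        || info "Failed to disable module loading."
fi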
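# rd.caps.disablekexec=1: write the kexec_disabled sysctl. Silently skipped
# when the sysctl does not exist. Two separate tests instead of the
# obsolescent "[ ... -a ... ]".
if [ "$CAPS_KEXEC_DISABLED" = "1" ] && [ -e /proc/sys/kernel/kexec_disabled ]; then
    info "Disabling kexec."
    # A failed write would otherwise leave kexec enabled without any trace
    # in the log.
    echo "$CAPS_KEXEC_DISABLED" > /proc/sys/kernel/kexec_disabled \
        || info "Failed to disable kexec."
fi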
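info "CAPS_USERMODEHELPER_BSET=$CAPS_USERMODEHELPER_BSET"
# Restrict kernel-started usermode helpers: the bounding set is written first,
# then the inheritable set, both with the same two-word value computed above.
# An empty value (capsh did not produce one) is reported instead of written,
# because writing it could not restrict anything and would only fail silently.
if [ -e /proc/sys/kernel/usermodehelper/bset ]; then
    if [ -n "$CAPS_USERMODEHELPER_BSET" ]; then
        info "Setting usermode helper bounding set."
        echo "$CAPS_USERMODEHELPER_BSET" > /proc/sys/kernel/usermodehelper/bset
        echo "$CAPS_USERMODEHELPER_BSET" > /proc/sys/kernel/usermodehelper/inheritable
    else
        info "CAPS_USERMODEHELPER_BSET is empty; usermode helper sets left unchanged."
    fi
fi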
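# Hand the drop list to the later init stage through /etc/capsdrop, written
# as a shell assignment (the consumer is not in this file). printf instead of
# echo so that backslashes in the command-line value reach the file untouched
# regardless of which sh runs this script. The value is placed inside the
# double quotes unescaped: it is trusted as given on the kernel command line.
printf 'CAPS_INIT_DROP="%s"\n' "$CAPS_INIT_DROP" > /etc/capsdrop
info "Will drop capabilities $CAPS_INIT_DROP from init."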