
Capabilities still dropped when sysctl.kernel.kexec_load_disabled=1

Open bzub opened this issue 3 years ago • 4 comments

Follow-up to https://github.com/siderolabs/talos/issues/4445

Dropping CAP_SYS_BOOT and CAP_SYS_MODULES does not get skipped after I disable kexec per the release notes.

This patch makes it work as advertised:

--- a/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go
+++ b/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go
@@ -294,7 +294,7 @@ func SetRLimit(seq runtime.Sequence, data interface{}) (runtime.TaskExecutionFun
 // DropCapabilities drops some capabilities so that they can't be restored by child processes.
 func DropCapabilities(seq runtime.Sequence, data interface{}) (runtime.TaskExecutionFunc, string) {
        return func(ctx context.Context, logger *log.Logger, r runtime.Runtime) error {
-               prop, err := krnl.ReadParam(&kernel.Param{Key: "kernel.kexec_load_disabled"})
+               prop, err := krnl.ReadParam(&kernel.Param{Key: "proc.sys.kernel.kexec_load_disabled"})
                if v := strings.TrimSpace(string(prop)); err == nil && v != "0" {
                        logger.Printf("kernel.kexec_load_disabled is %v, skipping dropping capabilities", v)
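Review bot: the hunk as pasted is one trailing context line short (the header announces 7 lines on each side but only 6 are shown), so it will not apply cleanly as quoted; please attach the full diff. On the substance, switching the key to `proc.sys.kernel.kexec_load_disabled` only helps if that is the key form `krnl.ReadParam` resolves to a `/proc/sys` path, so the fix should come with a test that reads the real file rather than relying on the key spelling. Note also that the unchanged guard `if v := strings.TrimSpace(string(prop)); err == nil && v != "0"` swallows `err`: a lookup failure falls through to dropping capabilities without any message, which is exactly why this bug was hard to spot, so logging `err` in the else branch would make a wrong key visible immediately.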

bzub avatar Aug 08 '22 16:08 bzub

Did you set the kernel arg or the sysctl? As per release notes, it can't be sysctl.

When kexec support is disabled (see `Reboots via kexec`),
Talos no longer drops Linux capabilities (`CAP_SYS_BOOT` and `CAP_SYS_MODULES`) for child processes.
That is helpful for advanced use-cases like Docker-in-Docker.
If you want to permanently disable kexec and capabilities dropping, pass `kexec_load_disabled=1` argument to the kernel.
For example:

install:
  extraKernelArgs:
    - kexec_load_disabled=1

Please note that capabilities are dropped before machine configuration is loaded,
so disabling kexec via `machine.sysctls` (like in the section `Reboots via kexec`) will not be enough.

frezbo avatar Aug 08 '22 16:08 frezbo

Also, the kernelArgs only take effect on a Talos upgrade.

frezbo avatar Aug 08 '22 17:08 frezbo

Kernel command line, and used talosctl upgrade + reboot. talosctl cat /proc/cmdline shows sysctl.kernel.kexec_load_disabled=1.

bzub avatar Aug 08 '22 17:08 bzub

This sounds like a bug; we probably forgot to update this place in the code while doing another refactoring.

smira avatar Aug 08 '22 17:08 smira
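The decision this thread is about, as an added example that is not Talos code: a Go routine that reads the sysctl from its `/proc/sys` file, falls back to the `sysctl.<key>=<value>` form Linux accepts on the kernel command line (the form shown in the `cat /proc/cmdline` output above), and fails closed (keeps dropping capabilities) when neither can be read. The `root` parameter, the function names and the fallback to `/proc/cmdline` are this example's own assumptions, not Talos APIs or behaviour.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ParseCmdlineSysctls extracts the sysctl.<key>=<value> entries that Linux
// accepts on the kernel command line, e.g. "sysctl.kernel.kexec_load_disabled=1".
func ParseCmdlineSysctls(cmdline string) map[string]string {
	out := map[string]string{}
	for _, tok := range strings.Fields(cmdline) {
		if !strings.HasPrefix(tok, "sysctl.") {
			continue
		}
		if kv := strings.SplitN(strings.TrimPrefix(tok, "sysctl."), "=", 2); len(kv) == 2 {
			out[kv[0]] = kv[1]
		}
	}
	return out
}

// KexecDisabled reports whether kexec_load_disabled is set, plus a reason for
// logging. It reads root/proc/sys/kernel/kexec_load_disabled (root is this
// example's own parameter so the logic can run against a constructed tree)
// and falls back to root/proc/cmdline when that file is unreadable.
func KexecDisabled(root string) (bool, string) {
	if b, err := os.ReadFile(filepath.Join(root, "proc/sys/kernel/kexec_load_disabled")); err == nil {
		v := strings.TrimSpace(string(b))
		return v != "0", fmt.Sprintf("kernel.kexec_load_disabled is %q", v)
	}
	cl, err := os.ReadFile(filepath.Join(root, "proc/cmdline"))
	if err != nil {
		// Fail closed: an unreadable setting must not be mistaken for "disabled".
		return false, "cannot read sysctl or cmdline: " + err.Error()
	}
	if v, ok := ParseCmdlineSysctls(string(cl))["kernel.kexec_load_disabled"]; ok && v != "0" {
		return true, "sysctl.kernel.kexec_load_disabled=" + v + " on kernel command line"
	}
	return false, "kexec_load_disabled not set"
}

// Same decision as DropCapabilities in the patch above: drop unless kexec is disabled.
func main() {
	disabled, why := KexecDisabled("/")
	fmt.Printf("drop capabilities: %v (%s)\n", !disabled, why)
}
```

Run it on a node where the sysctl is set via the command line and the reason string shows which of the two sources was honoured.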