Re: [RFC][PATCH] net/bpfilter: Remove this broken and apparently unmantained

On 2020/06/07 10:49, Alexei Starovoitov wrote:
> So you're right that for most folks user space is the
> answer. But there are cases where kernel has to have these things before
> systemd starts.

Why can't such cases use the init= kernel command line argument?
The program specified via the init= kernel command line argument can do anything
before systemd (a.k.a. the global init process) starts.

By the way, from the LSM perspective, doing a lot of things before the global init
process starts is not desirable, for access decisions can be made only after the policy
is loaded (which is generally when /sbin/init on the device specified via the root=
kernel command line argument becomes ready). Since
fork_usermode_blob((void *) "#!/bin/true\n", 12, info) is possible, I worry that
the ability to start userspace code may be abused for bypassing dentry/inode-based
permission checks.
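To make the init= suggestion above concrete, here is an added example of an init= wrapper script; it is not code from the thread, from bpfilter, or from any distribution. The script assumes a hypothetical `real_init=` kernel parameter naming the init to hand over to (defaulting to /sbin/init), does its early work only while it is actually PID 1, and then exec's the real init so the global init process keeps PID 1. The parsing helper is kept separate so it can be exercised without booting.

```shell
#!/bin/sh
# Hypothetical init= wrapper (added example, not from the thread or any project).
# Boot with, e.g.:
#   init=/sbin/early-init real_init=/lib/systemd/systemd
# While this script is PID 1 it can do anything that must happen before the
# global init process starts (load a firewall, load the LSM policy, ...).

# parse_real_init CMDLINE
# Print the absolute path of the init to hand over to, taken from a
# hypothetical real_init= token in the kernel command line.  Defaults to
# /sbin/init.  Returns 1 (prints nothing) if the value is not absolute,
# because PID 1 must not exec a path relative to an unknown cwd.
parse_real_init() {
    cmdline=$1
    real=/sbin/init
    for tok in $cmdline; do
        case $tok in
            real_init=*) real=${tok#real_init=} ;;
        esac
    done
    case $real in
        /*) printf '%s\n' "$real" ;;
        *)  return 1 ;;
    esac
}

# Early work that has to be done before the real init starts.  Only the
# pseudo-filesystems are mounted here; policy loading would go in the same
# place (paths and tools are deployment-specific and therefore omitted).
early_setup() {
    mountpoint -q /proc || mount -t proc proc /proc
    mountpoint -q /sys  || mount -t sysfs sysfs /sys
}

# Guard: only act as init when the kernel really started us as PID 1.
# Running the file as an ordinary script only defines the functions above.
if [ "$$" -eq 1 ]; then
    real_init=$(parse_real_init "$(cat /proc/cmdline)") || real_init=/sbin/init
    early_setup
    # exec keeps PID 1 for the real init; nothing of this script remains.
    exec "$real_init" "$@"
fi
```

Note that this wrapper is exactly the situation the LSM remark warns about: everything `early_setup` does runs before the policy is loaded, so it must be kept minimal and must not touch files whose access the policy is meant to mediate.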
