Recently a new way of setting RSBAC boot parameters has been added. To avoid very long boot loader command lines, you can now pass a single numerical argument, calculated from the table below.
Boot parameter | Numerical value |
---|---|
rsbac_softmode | 1 |
rsbac_softmode_once | 2 |
rsbac_softmode_never | 4 |
rsbac_softmode_freeze | 8 |
rsbac_um_no_excl | 16 |
rsbac_auth_learn | 32 |
rsbac_acl_learn_fd | 64 |
rsbac_cap_log_missing | 128 |
rsbac_jail_log_missing | 256 |
rsbac_dac_disable | 512 |
rsbac_no_delay_init | 1024 |
rsbac_no_defaults | 2048 |
rsbac_nosyslog | 4096 |
rsbac_cap_process_hiding | 8192 |
As you can see, each value is a power of two, the simplest yet most powerful encoding scheme: every combination of parameters adds up to a distinct number.
Example:
Say you would like to have rsbac_nosyslog, rsbac_cap_process_hiding, rsbac_cap_log_missing and rsbac_jail_log_missing set on every boot (this actually comes from my machines). To achieve this the traditional way, a very long boot parameter line would have to be used - and remember, it cannot be of arbitrary size; it is limited (to 1024 bytes, from what I remember).
With the numerical encoding scheme you just calculate 4096+8192+128+256 = 12672 and write:
rsbac_flags=12672
on the kernel command line. That's it, compact and elegant.
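When reviewing a boot loader configuration, the number has to be turned back into parameter names. The following is an added example, not code from the RSBAC project: the function names are hypothetical, the sample command line is constructed, and it assumes the value is written in decimal as `rsbac_flags=N`.

```python
# Added example: encode and decode the numeric RSBAC boot flag value
# using the table above. Names of functions are hypothetical.
RSBAC_FLAGS = [  # table order: entry i has the value 2**i
    "rsbac_softmode", "rsbac_softmode_once", "rsbac_softmode_never",
    "rsbac_softmode_freeze", "rsbac_um_no_excl", "rsbac_auth_learn",
    "rsbac_acl_learn_fd", "rsbac_cap_log_missing", "rsbac_jail_log_missing",
    "rsbac_dac_disable", "rsbac_no_delay_init", "rsbac_no_defaults",
    "rsbac_nosyslog", "rsbac_cap_process_hiding",
]
VALUE = {name: 1 << i for i, name in enumerate(RSBAC_FLAGS)}
KNOWN_MASK = sum(VALUE.values())

def encode(names):
    """Combine parameter names into one number; rejects names not in the table."""
    unknown = sorted(set(names) - set(VALUE))
    if unknown:
        raise ValueError(f"not in the table: {unknown}")
    total = 0
    for name in names:
        total |= VALUE[name]  # OR, so a name listed twice is not counted twice
    return total

def decode(value):
    """Return (names, leftover); leftover holds bits that have no table entry."""
    if value < 0:
        raise ValueError("flag value cannot be negative")
    names = [n for n in RSBAC_FLAGS if value & VALUE[n]]
    return names, value & ~KNOWN_MASK

def flags_from_cmdline(cmdline):
    """Decode rsbac_flags=N from a kernel command line; None if it is absent."""
    for token in cmdline.split():
        key, sep, val = token.partition("=")
        if key == "rsbac_flags" and sep:
            return decode(int(val))  # assumption: decimal, as in the example
    return None

# Constructed sample, e.g. what /proc/cmdline might contain on such a machine.
SAMPLE_CMDLINE = "root=/dev/sda1 ro rsbac_flags=12672 quiet"

if __name__ == "__main__":
    names, leftover = flags_from_cmdline(SAMPLE_CMDLINE)
    print("enabled:", ", ".join(names))
    if leftover:
        print("bits with no table entry:", leftover)
```

A non-zero leftover means the number contains a bit that the table does not define, which usually points to an arithmetic slip when the value was summed by hand.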