From: Rahul Sandhu <nvraxn@gmail.com>
To: stephen.smalley.work@gmail.com
Cc: nvraxn@gmail.com, omosnace@redhat.com, paul@paul-moore.com,
selinux@vger.kernel.org
Subject: [PATCH v3] libselinux: fix parsing of the enforcing kernel cmdline parameter
Date: Thu, 24 Jul 2025 14:05:11 +0100 [thread overview]
Message-ID: <20250724130511.317098-1-nvraxn@gmail.com> (raw)
In-Reply-To: <CAEjxPJ6AuwTX9soXmHSiJbE2r69mRt8qFTTOQj-FhWUjnnYdQg@mail.gmail.com>
Currently, parsing of the cmdline has two issues:
- By using atoi, no error checking is done. What happens if an argument
that isn't an integer is provided, e.g. enforcing=foo? And as there
is also no validation that the number provided is actually valid, 1
or 0, what happens if enforcing=2?
- After the first strstr, no arguments that follow are searched for; if
I have enforcing=0 enforcing=1, the latter enforcing=1 is not taken
into account. This is made even worse due to halting searching after
finding the first "enforcing=" token, meaning that if the cmdline was
as follows:
fooenforcing=0 enforcing=0
the enforcing parameter is entirely ignored.
This patch fixes this by:
- Using strtol to actually validate that we got passed a number, and
then validating that that number is either 0 or 1. If instead we
get passed an invalid value, we skip over the argument entirely.
- Looping until the last "enforcing=" in the cmdline. Latter (valid)
arguments take precedence over previous arguments.
For the case where "enforcing=" is provided with a valid integer, 0 is
treated as permissive mode, and anything else (such as 1 or 2, etc) is
treated as enforcing mode. When "enforcing=" is passed an argument that
is not a valid integer (such as "on"), default to enforcing=0, i.e.
permissive mode. This is in line with how the kernel parses the
enforcing parameter.
Signed-off-by: Rahul Sandhu <nvraxn@gmail.com>
---
libselinux/src/load_policy.c | 23 +++++++++++++++++------
1 file changed, 17 insertions(+), 6 deletions(-)
v2: Follow the same argument parsing behaviour as the kernel does.
v3: Actually follow the kernel's behaviour where "enforcing=" is not
provided with a valid integer...
diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
index dc1e4b6e..ec2d5614 100644
--- a/libselinux/src/load_policy.c
+++ b/libselinux/src/load_policy.c
@@ -244,17 +244,28 @@ int selinux_init_load_policy(int *enforce)
rc = mount("proc", "/proc", "proc", 0, 0);
cfg = fopen("/proc/cmdline", "re");
if (cfg) {
- char *tmp;
buf = malloc(selinux_page_size);
if (!buf) {
fclose(cfg);
return -1;
}
- if (fgets(buf, selinux_page_size, cfg) &&
- (tmp = strstr(buf, "enforcing="))) {
- if (tmp == buf || isspace((unsigned char)*(tmp - 1))) {
- secmdline =
- atoi(tmp + sizeof("enforcing=") - 1);
+ if (fgets(buf, selinux_page_size, cfg)) {
+ char *search = buf;
+ char *tmp;
+ while ((tmp = strstr(search, "enforcing="))) {
+ if (tmp == buf || isspace((unsigned char)*(tmp - 1))) {
+ char *valstr = tmp + sizeof("enforcing=") - 1;
+ char *endptr;
+ errno = 0;
+ const long val = strtol(valstr, &endptr, 0);
+ if (endptr != valstr && errno == 0) {
+ secmdline = val ? 1 : 0;
+ } else {
+ secmdline = 0;
+ }
+ }
+ /* advance past the current substring, latter arguments take precedence */
+ search = tmp + 1;
}
}
fclose(cfg);
--
2.50.1
next prev parent reply other threads:[~2025-07-24 13:05 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-20 12:52 [PATCH] libselinux: fix parsing of the enforcing kernel cmdline parameter Rahul Sandhu
2025-07-21 9:01 ` robinshao007
2025-07-21 9:47 ` Rahul Sandhu
2025-07-21 9:58 ` robinshao007
2025-07-21 12:56 ` Stephen Smalley
2025-07-21 14:18 ` Stephen Smalley
2025-07-22 5:42 ` Rahul Sandhu
2025-07-22 13:05 ` Stephen Smalley
2025-07-22 15:36 ` Stephen Smalley
2025-07-24 9:13 ` [PATCH v2] " Rahul Sandhu
2025-07-24 12:28 ` Stephen Smalley
2025-07-24 12:33 ` Rahul Sandhu
2025-07-24 13:05 ` Rahul Sandhu [this message]
2025-07-24 13:27 ` [PATCH v3] " Stephen Smalley
2025-07-24 13:30 ` Stephen Smalley
2025-07-24 13:51 ` [PATCH v4] " Rahul Sandhu
2025-07-24 19:29 ` Stephen Smalley
2025-07-25 22:03 ` Rahul Sandhu
2025-07-25 22:15 ` [PATCH v5] " Rahul Sandhu
2025-07-28 14:04 ` Stephen Smalley
2025-07-30 13:06 ` Stephen Smalley
[not found] <CAEjxPJ6-ZbOKxtpbpD4NixZeQy gU6Z3T8C8jLRvCPDHC-mL3w@mail.gmail.com>
2025-07-24 13:40 ` [PATCH v3] " Rahul Sandhu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250724130511.317098-1-nvraxn@gmail.com \
--to=nvraxn@gmail.com \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.