From: "Rahul Sandhu" <nvraxn@gmail.com>
To: <stephen.smalley.work@gmail.com>
Cc: <nvraxn@gmail.com>, <omosnace@redhat.com>, <paul@paul-moore.com>,
	<selinux@vger.kernel.org>
Subject: Re: [PATCH] libselinux: fix parsing of the enforcing kernel cmdline parameter
Date: Tue, 22 Jul 2025 06:42:40 +0100
Message-ID: <DBICEHLQ2KYS.2WJEMIZAPCJCG@gmail.com>
In-Reply-To: <CAEjxPJ5M76PFEMghyCWPsJW27rNA6A4yxhFydGoWWDW0Eybqfw@mail.gmail.com>

Hi Stephen,

> We should make it match the kernel's logic for parsing and handling
> enforcing= on the cmdline. For reference, the kernel does this:
>
> static int __init enforcing_setup(char *str)
> {
>        unsigned long enforcing;
>        if (!kstrtoul(str, 0, &enforcing))
>                selinux_enforcing_boot = enforcing ? 1 : 0;
>        return 1;
> }
> __setup("enforcing=", enforcing_setup);

Okay, seems reasonable, I'll send a v2 to follow that logic shortly.

> And the kernel's parser ignores anything after a "--", passing
> anything after that to the init process.

Just to clarify, unless I'm missing anything I don't see any need for
us to worry about that as:

1. Based on the logic above it would seem 'enforcing=' is recognised by
   the kernel?
2. We're reading /proc/cmdline anyway, so I don't see a reason for that
   to be a concern - we're going to see all arguments as far as I can
   tell.

Although, I'm a bit confused about CONFIG_SECURITY_SELINUX_DEVELOP, how
are we handling that in libselinux? I don't think that stops userspace
from loading in permissive mode, and even with:

#define selinux_enforcing_boot 1

I don't see how that would stop libselinux from loading in permissive.

Regards,
Rahul
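
An added example, not part of this message and not libselinux code: one way a userspace reader of /proc/cmdline could follow the kernel logic quoted above (whole-token numeric parse with base auto-detection, nonzero meaning enforcing, an invalid value leaving the earlier one in place). The names `parse_ulong_strict`, `cmdline_enforcing` and the `stop_at_ddash` switch are hypothetical; the code assumes whitespace-separated tokens without quoting and treats values longer than 63 characters as invalid.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Like kstrtoul(s, 0, out): optional '+', then digits through end of string. */
static int parse_ulong_strict(const char *s, unsigned long *out)
{
	char *end;
	if (*s == '+')
		s++;
	if (*s < '0' || *s > '9')	/* strtoul() alone would allow '-' or spaces */
		return -1;
	errno = 0;
	*out = strtoul(s, &end, 0);	/* base 0: 0x.. hex, 0.. octal, else decimal */
	return (errno == ERANGE || *end != '\0') ? -1 : 0;
}

/*
 * Returns 1 or 0 for the last valid enforcing= token, -1 if there is none.
 * stop_at_ddash: nonzero stops scanning at a bare "--" token.
 */
int cmdline_enforcing(const char *cmdline, int stop_at_ddash)
{
	static const char ws[] = " \t\n";
	char val[64];
	unsigned long v;
	int result = -1;
	const char *p = cmdline;

	while (*(p += strspn(p, ws)) != '\0') {
		size_t len = strcspn(p, ws);	/* length of the current token */
		if (stop_at_ddash && len == 2 && memcmp(p, "--", 2) == 0)
			break;
		if (len > 10 && len - 10 < sizeof(val) && memcmp(p, "enforcing=", 10) == 0) {
			memcpy(val, p + 10, len - 10);
			val[len - 10] = '\0';
			if (parse_ulong_strict(val, &v) == 0)
				result = v ? 1 : 0;
		}
		p += len;
	}
	return result;
}

int main(void)
{
	/* Constructed sample command line, not taken from a real system. */
	const char *c = "ro enforcing=0x1 enforcing=yes -- enforcing=0";
	printf("%d %d\n", cmdline_enforcing(c, 1), cmdline_enforcing(c, 0)); /* 1 0 */
	return 0;
}
```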
