Message ID | 20220301041454.18960-1-rdunlap@infradead.org (mailing list archive) |
---|---|
State | Accepted |
Delegated to: | Paul Moore |
Series | docs: selinux: add '=' signs to kernel boot options |
On Mon, Feb 28, 2022 at 11:14 PM Randy Dunlap <rdunlap@infradead.org> wrote: > > Provide the full kernel boot option string (with ending '=' sign). > They won't work without that and that is how other boot options are > listed. > > If used without an '=' sign (as listed here), they cause an "Unknown > parameters" message and are added to init's argument strings, > polluting them. > > Unknown kernel command line parameters "enforcing checkreqprot > BOOT_IMAGE=/boot/bzImage-517rc6", will be passed to user space. > > Run /sbin/init as init process > with arguments: > /sbin/init > enforcing > checkreqprot > with environment: > HOME=/ > TERM=linux > BOOT_IMAGE=/boot/bzImage-517rc6 > > Fixes: ^1da177e4c3f4 ("Linux-2.6.12-rc2") > Signed-off-by: Randy Dunlap <rdunlap@infradead.org> > Cc: Paul Moore <paul@paul-moore.com> > Cc: Stephen Smalley <stephen.smalley.work@gmail.com> > Cc: Eric Paris <eparis@parisplace.org> > Cc: selinux@vger.kernel.org > Cc: Jonathan Corbet <corbet@lwn.net> > --- > Documentation/admin-guide/kernel-parameters.txt | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) Thanks Randy. Acked-by: Paul Moore <paul@paul-moore.com> > --- linux-next-20220228.orig/Documentation/admin-guide/kernel-parameters.txt > +++ linux-next-20220228/Documentation/admin-guide/kernel-parameters.txt > @@ -550,7 +550,7 @@ > nosocket -- Disable socket memory accounting. > nokmem -- Disable kernel memory accounting. > > - checkreqprot [SELINUX] Set initial checkreqprot flag value. > + checkreqprot= [SELINUX] Set initial checkreqprot flag value. > Format: { "0" | "1" } > See security/selinux/Kconfig help text. > 0 -- check protection applied by kernel (includes 
> @@ -1409,7 +1409,7 @@ > (in particular on some ATI chipsets). > The kernel tries to set a reasonable default. > > - enforcing [SELINUX] Set initial enforcing status. > + enforcing= [SELINUX] Set initial enforcing status. > Format: {"0" | "1"} > See security/selinux/Kconfig help text. > 0 -- permissive (log only, no denials).
On Tue, Mar 1, 2022 at 12:34 PM Paul Moore <paul@paul-moore.com> wrote:
> On Mon, Feb 28, 2022 at 11:14 PM Randy Dunlap <rdunlap@infradead.org> wrote:
> >
> > Provide the full kernel boot option string (with ending '=' sign).
> > They won't work without that and that is how other boot options are
> > listed.
> >
> > If used without an '=' sign (as listed here), they cause an "Unknown
> > parameters" message and are added to init's argument strings,
> > polluting them.
> >
> >   Unknown kernel command line parameters "enforcing checkreqprot
> >     BOOT_IMAGE=/boot/bzImage-517rc6", will be passed to user space.
> >
> >   Run /sbin/init as init process
> >     with arguments:
> >       /sbin/init
> >       enforcing
> >       checkreqprot
> >     with environment:
> >       HOME=/
> >       TERM=linux
> >       BOOT_IMAGE=/boot/bzImage-517rc6
> >
> > Fixes: ^1da177e4c3f4 ("Linux-2.6.12-rc2")
> > Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
> > Cc: Paul Moore <paul@paul-moore.com>
> > Cc: Stephen Smalley <stephen.smalley.work@gmail.com>
> > Cc: Eric Paris <eparis@parisplace.org>
> > Cc: selinux@vger.kernel.org
> > Cc: Jonathan Corbet <corbet@lwn.net>
> > ---
> >  Documentation/admin-guide/kernel-parameters.txt | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
>
> Thanks Randy.
>
> Acked-by: Paul Moore <paul@paul-moore.com>

I assumed the doc folks would have picked this up but I don't see it in the tree so I'm going to pull it into the selinux/next tree right now. Thanks again Randy, I'm sorry for the delay.
Paul Moore <paul@paul-moore.com> writes:

> I assumed the doc folks would have picked this up but I don't see it
> in the tree so I'm going to pull it into the selinux/next tree right
> now. Thanks again Randy, I'm sorry for the delay.

Sorry, the "doc folks" have learned that, in general, folks in the security subsystems prefer to carry their own patches upward, so I assumed this one was taken care of. If you'd rather I picked up SELinux documentation patches, I'd be glad to do so.

Thanks,

jon
On Mon, Jun 13, 2022 at 3:23 PM Jonathan Corbet <corbet@lwn.net> wrote:
> Paul Moore <paul@paul-moore.com> writes:
>
> > I assumed the doc folks would have picked this up but I don't see it
> > in the tree so I'm going to pull it into the selinux/next tree right
> > now. Thanks again Randy, I'm sorry for the delay.
>
> Sorry, the "doc folks" have learned that, in general, folks in the
> security subsystems prefer to carry their own patches upward, so I
> assumed this one was taken care of. If you'd rather I picked up SELinux
> documentation patches, I'd be glad to do so.

Hi Jon,

I don't care much either way, as long as Linus' tree is correct I'm happy. In this particular case there were no changes under security/selinux so I assumed that the "doc folks" would merge it; I have similar assumptions regarding other subsystems when it comes to SELinux adjacent patches. However, we all know the old joke about making assumptions, so I generally keep tracking those patches for a while and apply them myself if the other subsystems do not.

Generally speaking, if I add an Acked-by for a patch I'm not expecting to merge that patch (hence the ACK to let the other maintainer know I'm okay with the patch). Otherwise I'll merge the patch and send a reply to the thread that it has been merged into the relevant SELinux branch.
--- linux-next-20220228.orig/Documentation/admin-guide/kernel-parameters.txt +++ linux-next-20220228/Documentation/admin-guide/kernel-parameters.txt @@ -550,7 +550,7 @@ nosocket -- Disable socket memory accounting. nokmem -- Disable kernel memory accounting. - checkreqprot [SELINUX] Set initial checkreqprot flag value. + checkreqprot= [SELINUX] Set initial checkreqprot flag value. Format: { "0" | "1" } See security/selinux/Kconfig help text. 0 -- check protection applied by kernel (includes @@ -1409,7 +1409,7 @@ (in particular on some ATI chipsets). The kernel tries to set a reasonable default. - enforcing [SELINUX] Set initial enforcing status. + enforcing= [SELINUX] Set initial enforcing status. Format: {"0" | "1"} See security/selinux/Kconfig help text. 0 -- permissive (log only, no denials).
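
Review bot: The Format lines in the context of the two hunks use different brace spacing, `{ "0" | "1" }` under checkreqprot= and `{"0" | "1"}` under enforcing=. Since the patch already touches both entries to match how other boot options are listed, consider normalising the two Format lines to one spelling in the same change.
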
Provide the full kernel boot option string (with ending '=' sign).
They won't work without that and that is how other boot options are
listed.

If used without an '=' sign (as listed here), they cause an "Unknown
parameters" message and are added to init's argument strings,
polluting them.

  Unknown kernel command line parameters "enforcing checkreqprot
    BOOT_IMAGE=/boot/bzImage-517rc6", will be passed to user space.

  Run /sbin/init as init process
    with arguments:
      /sbin/init
      enforcing
      checkreqprot
    with environment:
      HOME=/
      TERM=linux
      BOOT_IMAGE=/boot/bzImage-517rc6

Fixes: ^1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Cc: Paul Moore <paul@paul-moore.com>
Cc: Stephen Smalley <stephen.smalley.work@gmail.com>
Cc: Eric Paris <eparis@parisplace.org>
Cc: selinux@vger.kernel.org
Cc: Jonathan Corbet <corbet@lwn.net>
---
 Documentation/admin-guide/kernel-parameters.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
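
A check for the failure mode described in the commit message, as an added example that is not part of the original patch or thread: it scans a kernel command line for `enforcing` / `checkreqprot` written without `=` (which the kernel reports as unknown and passes to init) or with a value outside the documented 0/1 format. The function name `check_selinux_cmdline` and the sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag SELinux boot options that would not be parsed.
# check_selinux_cmdline is a hypothetical helper, not a kernel or distro tool.

check_selinux_cmdline() {
    # $1: kernel command line string (defaults to the running kernel's).
    cmdline=${1-$(cat /proc/cmdline)}
    findings=0
    # Splitting on whitespace is a simplification: quoted values that
    # contain spaces are not handled. set -f prevents glob expansion.
    set -f
    for tok in $cmdline; do
        # Everything after "--" is handed to init on purpose; stop there.
        [ "$tok" = "--" ] && break
        case $tok in
            enforcing|checkreqprot)
                echo "BARE $tok: not parsed as a SELinux option, passed to init"
                findings=$((findings + 1)) ;;
            enforcing=[01]|checkreqprot=[01])
                echo "OK $tok" ;;
            enforcing=*|checkreqprot=*)
                echo "BADVALUE $tok: format is 0 or 1"
                findings=$((findings + 1)) ;;
        esac
    done
    set +f
    # Succeed only when nothing was flagged.
    [ "$findings" -eq 0 ]
}

# Constructed samples, modelled on the boot log quoted in the commit message.
SAMPLE_BAD='enforcing checkreqprot BOOT_IMAGE=/boot/bzImage-517rc6'
SAMPLE_GOOD='BOOT_IMAGE=/boot/bzImage-517rc6 enforcing=1 checkreqprot=0'
```

Called with no argument, the function reads `/proc/cmdline`; a non-zero exit status means at least one option was flagged.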