[PATCH] docs: selinux: add '=' signs to kernel boot options

[PATCH] docs: selinux: add '=' signs to kernel boot options

[Randy Dunlap]

Provide the full kernel boot option string (with ending '=' sign).
They won't work without that and that is how other boot options are
listed.

If used without an '=' sign (as listed here), they cause an "Unknown
parameters" message and are added to init's argument strings,
polluting them.

  Unknown kernel command line parameters "enforcing checkreqprot
    BOOT_IMAGE=/boot/bzImage-517rc6", will be passed to user space.

 Run /sbin/init as init process
   with arguments:
     /sbin/init
     enforcing
     checkreqprot
   with environment:
     HOME=/
     TERM=linux
     BOOT_IMAGE=/boot/bzImage-517rc6

Fixes: ^1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Cc: Paul Moore <paul@paul-moore.com>
Cc: Stephen Smalley <stephen.smalley.work@gmail.com>
Cc: Eric Paris <eparis@parisplace.org>
Cc: selinux@vger.kernel.org
Cc: Jonathan Corbet <corbet@lwn.net>
---
 Documentation/admin-guide/kernel-parameters.txt |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- linux-next-20220228.orig/Documentation/admin-guide/kernel-parameters.txt
+++ linux-next-20220228/Documentation/admin-guide/kernel-parameters.txt
@@ -550,7 +550,7 @@
 			nosocket -- Disable socket memory accounting.
 			nokmem -- Disable kernel memory accounting.
 
-	checkreqprot	[SELINUX] Set initial checkreqprot flag value.
+	checkreqprot=	[SELINUX] Set initial checkreqprot flag value.
 			Format: { "0" | "1" }
 			See security/selinux/Kconfig help text.
 			0 -- check protection applied by kernel (includes
@@ -1409,7 +1409,7 @@
 			(in particular on some ATI chipsets).
 			The kernel tries to set a reasonable default.
 
-	enforcing	[SELINUX] Set initial enforcing status.
+	enforcing=	[SELINUX] Set initial enforcing status.
 			Format: {"0" | "1"}
 			See security/selinux/Kconfig help text.
 			0 -- permissive (log only, no denials).

Re: [PATCH] docs: selinux: add '=' signs to kernel boot options

[Paul Moore]

On Mon, Feb 28, 2022 at 11:14 PM Randy Dunlap <rdunlap@infradead.org> wrote:
>
> Provide the full kernel boot option string (with ending '=' sign).
> They won't work without that and that is how other boot options are
> listed.
>
> If used without an '=' sign (as listed here), they cause an "Unknown
> parameters" message and are added to init's argument strings,
> polluting them.
>
>   Unknown kernel command line parameters "enforcing checkreqprot
>     BOOT_IMAGE=/boot/bzImage-517rc6", will be passed to user space.
>
>  Run /sbin/init as init process
>    with arguments:
>      /sbin/init
>      enforcing
>      checkreqprot
>    with environment:
>      HOME=/
>      TERM=linux
>      BOOT_IMAGE=/boot/bzImage-517rc6
>
> Fixes: ^1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
> Cc: Paul Moore <paul@paul-moore.com>
> Cc: Stephen Smalley <stephen.smalley.work@gmail.com>
> Cc: Eric Paris <eparis@parisplace.org>
> Cc: selinux@vger.kernel.org
> Cc: Jonathan Corbet <corbet@lwn.net>
> ---
>  Documentation/admin-guide/kernel-parameters.txt |    4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

Thanks Randy.

Acked-by: Paul Moore <paul@paul-moore.com>

> --- linux-next-20220228.orig/Documentation/admin-guide/kernel-parameters.txt
> +++ linux-next-20220228/Documentation/admin-guide/kernel-parameters.txt
> @@ -550,7 +550,7 @@
>                         nosocket -- Disable socket memory accounting.
>                         nokmem -- Disable kernel memory accounting.
>
> -       checkreqprot    [SELINUX] Set initial checkreqprot flag value.
> +       checkreqprot=   [SELINUX] Set initial checkreqprot flag value.
>                         Format: { "0" | "1" }
>                         See security/selinux/Kconfig help text.
>                         0 -- check protection applied by kernel (includes
> @@ -1409,7 +1409,7 @@
>                         (in particular on some ATI chipsets).
>                         The kernel tries to set a reasonable default.
>
> -       enforcing       [SELINUX] Set initial enforcing status.
> +       enforcing=      [SELINUX] Set initial enforcing status.
>                         Format: {"0" | "1"}
>                         See security/selinux/Kconfig help text.
>                         0 -- permissive (log only, no denials).

-- 
paul-moore.com

Re: [PATCH] docs: selinux: add '=' signs to kernel boot options

[Paul Moore]

On Tue, Mar 1, 2022 at 12:34 PM Paul Moore <paul@paul-moore.com> wrote:
> On Mon, Feb 28, 2022 at 11:14 PM Randy Dunlap <rdunlap@infradead.org> wrote:
> >
> > Provide the full kernel boot option string (with ending '=' sign).
> > They won't work without that and that is how other boot options are
> > listed.
> >
> > If used without an '=' sign (as listed here), they cause an "Unknown
> > parameters" message and are added to init's argument strings,
> > polluting them.
> >
> >   Unknown kernel command line parameters "enforcing checkreqprot
> >     BOOT_IMAGE=/boot/bzImage-517rc6", will be passed to user space.
> >
> >  Run /sbin/init as init process
> >    with arguments:
> >      /sbin/init
> >      enforcing
> >      checkreqprot
> >    with environment:
> >      HOME=/
> >      TERM=linux
> >      BOOT_IMAGE=/boot/bzImage-517rc6
> >
> > Fixes: ^1da177e4c3f4 ("Linux-2.6.12-rc2")
> > Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
> > Cc: Paul Moore <paul@paul-moore.com>
> > Cc: Stephen Smalley <stephen.smalley.work@gmail.com>
> > Cc: Eric Paris <eparis@parisplace.org>
> > Cc: selinux@vger.kernel.org
> > Cc: Jonathan Corbet <corbet@lwn.net>
> > ---
> >  Documentation/admin-guide/kernel-parameters.txt |    4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
>
> Thanks Randy.
>
> Acked-by: Paul Moore <paul@paul-moore.com>

I assumed the doc folks would have picked this up but I don't see it
in the tree so I'm going to pull it into the selinux/next tree right
now.  Thanks again Randy, I'm sorry for the delay.

-- 
paul-moore.com

Re: [PATCH] docs: selinux: add '=' signs to kernel boot options

[Jonathan Corbet]

Paul Moore <paul@paul-moore.com> writes:

> I assumed the doc folks would have picked this up but I don't see it
> in the tree so I'm going to pull it into the selinux/next tree right
> now.  Thanks again Randy, I'm sorry for the delay.

Sorry, the "doc folks" have learned that, in general, folks in the
security subsystems prefer to carry their own patches upward, so I
assumed this one was taken care of.  If you'd rather I picked up SELinux
documentation patches, I'd be glad to do so.

Thanks,

jon

Re: [PATCH] docs: selinux: add '=' signs to kernel boot options

[Paul Moore]

On Mon, Jun 13, 2022 at 3:23 PM Jonathan Corbet <corbet@lwn.net> wrote:
> Paul Moore <paul@paul-moore.com> writes:
>
> > I assumed the doc folks would have picked this up but I don't see it
> > in the tree so I'm going to pull it into the selinux/next tree right
> > now.  Thanks again Randy, I'm sorry for the delay.
>
> Sorry, the "doc folks" have learned that, in general, folks in the
> security subsystems prefer to carry their own patches upward, so I
> assumed this one was taken care of.  If you'd rather I picked up SELinux
> documentation patches, I'd be glad to do so.

Hi Jon,

I don't care much either way, as long as Linus' tree is correct I'm
happy.  In this particular case there were no changes under
security/selinux so I assumed that the "doc folks" would merge it; I
have similar assumptions regarding other subsystems when it comes to
SELinux adjacent patches.  However, we all know the old joke about
making assumptions, so I generally keep tracking those patches for a
while and apply them myself if the other subsystems do not.

Generally speaking, if I add an Acked-by for a patch I'm not expecting
to merge that patch (hence the ACK to let the other maintainer know
I'm okay with the patch).  Otherwise I'll merge the patch and send a
reply to the thread that it has been merged into the relevant SELinux
branch.

-- 
paul-moore.com