On Mon, Feb 28, 2022 at 11:14 PM Randy Dunlap <rdunlap@xxxxxxxxxxxxx> wrote:
>
> Provide the full kernel boot option string (with ending '=' sign).
> They won't work without that and that is how other boot options are
> listed.
>
> If used without an '=' sign (as listed here), they cause an "Unknown
> parameters" message and are added to init's argument strings,
> polluting them.
>
> Unknown kernel command line parameters "enforcing checkreqprot
> BOOT_IMAGE=/boot/bzImage-517rc6", will be passed to user space.
>
> Run /sbin/init as init process
> with arguments:
> /sbin/init
> enforcing
> checkreqprot
> with environment:
> HOME=/
> TERM=linux
> BOOT_IMAGE=/boot/bzImage-517rc6
>
> Fixes: ^1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Randy Dunlap <rdunlap@xxxxxxxxxxxxx>
> Cc: Paul Moore <paul@xxxxxxxxxxxxxx>
> Cc: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
> Cc: Eric Paris <eparis@xxxxxxxxxxxxxx>
> Cc: selinux@xxxxxxxxxxxxxxx
> Cc: Jonathan Corbet <corbet@xxxxxxx>
> ---
> Documentation/admin-guide/kernel-parameters.txt | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
Thanks Randy.
Acked-by: Paul Moore <paul@xxxxxxxxxxxxxx>
> --- linux-next-20220228.orig/Documentation/admin-guide/kernel-parameters.txt
> +++ linux-next-20220228/Documentation/admin-guide/kernel-parameters.txt
> @@ -550,7 +550,7 @@
> nosocket -- Disable socket memory accounting.
> nokmem -- Disable kernel memory accounting.
>
> - checkreqprot [SELINUX] Set initial checkreqprot flag value.
> + checkreqprot= [SELINUX] Set initial checkreqprot flag value.
> Format: { "0" | "1" }
> See security/selinux/Kconfig help text.
> 0 -- check protection applied by kernel (includes
> @@ -1409,7 +1409,7 @@
> (in particular on some ATI chipsets).
> The kernel tries to set a reasonable default.
>
> - enforcing [SELINUX] Set initial enforcing status.
> + enforcing= [SELINUX] Set initial enforcing status.
> Format: {"0" | "1"}
> See security/selinux/Kconfig help text.
> 0 -- permissive (log only, no denials).
--
paul-moore.com
