libselinux: normalize enforce values from the kernel

Normalize enforce values received from the kernel via /sys/fs/selinux/enforce or netlink selinux notifications to ensure that we always return a 0 or 1 to userspace code. selinux_status_getenforce(), which reads the enforce value via the SELinux kernel status page (/sys/fs/selinux/status) already normalizes its result, so we do not need to update it. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
SELinuxProject · Nov 18, 2016 · a609434 · a609434
1 parent 9140de7
commit a609434
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/libselinux/src/avc_internal.c b/libselinux/src/avc_internal.c
@@ -176,6 +176,7 @@ static int avc_netlink_process(void *buf)
 
 	case SELNL_MSG_SETENFORCE:{
 		struct selnl_msg_setenforce *msg = NLMSG_DATA(nlh);
+		msg->val = !!msg->val;
 		avc_log(SELINUX_INFO,
 			"%s:  received setenforce notice (enforcing=%d)\n",
 			avc_prefix, msg->val);

diff --git a/libselinux/src/getenforce.c b/libselinux/src/getenforce.c
@@ -34,7 +34,7 @@ int security_getenforce(void)
 	if (sscanf(buf, "%d", &enforce) != 1)
 		return -1;
 
-	return enforce;
+	return !!enforce;
 }
 
 hidden_def(security_getenforce)