| Message ID | 20240708165032.86647-1-jwcart2@gmail.com (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Petr Lautrbach |
| Headers | show |
| Series | checkpolicy: Check the right bits of an ibpkeycon rule subnet prefix | expand |
On Mon, Jul 8, 2024 at 12:50 PM James Carter <jwcart2@gmail.com> wrote: > > The lower 64 bits of the subnet prefix for an ibpkeycon rule should > all be 0's. Unfortunately the check uses the s6_addr macro which refers > to the 16 entry array of 8-bit values in the union and does not refer > to the correct bits. > > Use the s6_addr32 macro instead which refers to the 4 entry array of > 32-bit values in the union and refers to the lower 64 bits. > > Signed-off-by: James Carter <jwcart2@gmail.com> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com> > --- > checkpolicy/policy_define.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c > index 4931f23d..bfeda86b 100644 > --- a/checkpolicy/policy_define.c > +++ b/checkpolicy/policy_define.c > @@ -5036,7 +5036,7 @@ int define_ibpkey_context(unsigned int low, unsigned int high) > goto out; > } > > - if (subnet_prefix.s6_addr[2] || subnet_prefix.s6_addr[3]) { > + if (subnet_prefix.s6_addr32[2] || subnet_prefix.s6_addr32[3]) { > yyerror("subnet prefix should be 0's in the low order 64 bits."); > rc = -1; > goto out; > -- > 2.45.2 > >
On Mon, Jul 29, 2024 at 11:28 AM Stephen Smalley <stephen.smalley.work@gmail.com> wrote: > > On Mon, Jul 8, 2024 at 12:50 PM James Carter <jwcart2@gmail.com> wrote: > > > > The lower 64 bits of the subnet prefix for an ibpkeycon rule should > > all be 0's. Unfortunately the check uses the s6_addr macro which refers > > to the 16 entry array of 8-bit values in the union and does not refer > > to the correct bits. > > > > Use the s6_addr32 macro instead which refers to the 4 entry array of > > 32-bit values in the union and refers to the lower 64 bits. > > > > Signed-off-by: James Carter <jwcart2@gmail.com> > > Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com> One caveat here is that I believe this breaks building checkpolicy on macOS because s6_addr32 is non-portable. But it looks like a previous commit re-introduced the usage of s6_addr32 (we had gotten rid of them earlier to avoid needing ifdefs for macOS). > > > --- > > checkpolicy/policy_define.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c > > index 4931f23d..bfeda86b 100644 > > --- a/checkpolicy/policy_define.c > > +++ b/checkpolicy/policy_define.c > > @@ -5036,7 +5036,7 @@ int define_ibpkey_context(unsigned int low, unsigned int high) > > goto out; > > } > > > > - if (subnet_prefix.s6_addr[2] || subnet_prefix.s6_addr[3]) { > > + if (subnet_prefix.s6_addr32[2] || subnet_prefix.s6_addr32[3]) { > > yyerror("subnet prefix should be 0's in the low order 64 bits."); > > rc = -1; > > goto out; > > -- > > 2.45.2 > > > >
On Mon, Jul 29, 2024 at 11:38 AM Stephen Smalley <stephen.smalley.work@gmail.com> wrote: > > On Mon, Jul 29, 2024 at 11:28 AM Stephen Smalley > <stephen.smalley.work@gmail.com> wrote: > > > > On Mon, Jul 8, 2024 at 12:50 PM James Carter <jwcart2@gmail.com> wrote: > > > > > > The lower 64 bits of the subnet prefix for an ibpkeycon rule should > > > all be 0's. Unfortunately the check uses the s6_addr macro which refers > > > to the 16 entry array of 8-bit values in the union and does not refer > > > to the correct bits. > > > > > > Use the s6_addr32 macro instead which refers to the 4 entry array of > > > 32-bit values in the union and refers to the lower 64 bits. > > > > > > Signed-off-by: James Carter <jwcart2@gmail.com> > > > > Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com> > > One caveat here is that I believe this breaks building checkpolicy on > macOS because s6_addr32 is non-portable. > But it looks like a previous commit re-introduced the usage of > s6_addr32 (we had gotten rid of them earlier to avoid > needing ifdefs for macOS). Applied. We may need to revisit though at some point for macOS.
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c index 4931f23d..bfeda86b 100644 --- a/checkpolicy/policy_define.c +++ b/checkpolicy/policy_define.c @@ -5036,7 +5036,7 @@ int define_ibpkey_context(unsigned int low, unsigned int high) goto out; } - if (subnet_prefix.s6_addr[2] || subnet_prefix.s6_addr[3]) { + if (subnet_prefix.s6_addr32[2] || subnet_prefix.s6_addr32[3]) { yyerror("subnet prefix should be 0's in the low order 64 bits."); rc = -1; goto out;
The lower 64 bits of the subnet prefix for an ibpkeycon rule should all be 0's. Unfortunately the check uses the s6_addr macro which refers to the 16 entry array of 8-bit values in the union and does not refer to the correct bits. Use the s6_addr32 macro instead which refers to the 4 entry array of 32-bit values in the union and refers to the lower 64 bits. Signed-off-by: James Carter <jwcart2@gmail.com> --- checkpolicy/policy_define.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)