From e8b45df48ac33a3bdf5933f369fb1f371940708c Mon Sep 17 00:00:00 2001 From: Georgia Garcia Date: Mon, 19 Aug 2024 18:09:17 -0300 Subject: [PATCH] libapparmor: make af_protos.h consistent in different archs af_protos.h is a generated table of the protocols created by looking for definitions of IPPROTO_* in netinet/in.h. Depending on the architecture, the order of the table may change when using -dM in the compiler during the extraction of the defines. This causes an issue because there is more than one IPPROTO defined by the value 0: IPPROTO_IP and IPPROTO_HOPOPTS which is a header extension used by IPv6. So if IPPROTO_HOPOPTS was first in the table, then protocol=0 in the audit logs would be translated to hopopts. This caused a failure in arm 32bit: Output doesn't match expected data: --- ./test_multi/testcase_unix_01.out 2024-08-15 01:47:53.000000000 +0000 +++ ./test_multi/out/testcase_unix_01.out 2024-08-15 23:42:10.187416392 +0000 @@ -12,7 +12,7 @@ Peer Addr: @test_abstract_socket Network family: unix Socket type: stream -Protocol: ip +Protocol: hopopts Class: net Epoch: 1711454639 Audit subid: 322 By the time protocol is resolved in grammar.y, we don't have have access to the net family to check if it's inet6. Instead of making protocol dependent on the net family, make the order of the af_protos.h table consistent between architectures using -dD. Signed-off-by: Georgia Garcia (cherry picked from commit 95c419dc45aa777196a613d41ea72ebca3a679ac) Signed-off-by: Georgia Garcia
---
 libraries/libapparmor/src/Makefile.am | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libraries/libapparmor/src/Makefile.am b/libraries/libapparmor/src/Makefile.am
index 7093b3aef..63b49ded9 100644
--- a/libraries/libapparmor/src/Makefile.am
+++ b/libraries/libapparmor/src/Makefile.am
@@ -46,7 +46,7 @@ scanner.h: scanner.l
 scanner.c: scanner.l
 af_protos.h:
- echo '#include ' | $(CC) $(CPPFLAGS) -E -dM - | LC_ALL=C sed -n -e "/IPPROTO_MAX/d" -e "s/^\#define[ \\t]\\+IPPROTO_\\([A-Z0-9_]\\+\\)\\(.*\\)$$/AA_GEN_PROTO_ENT(\\UIPPROTO_\\1, \"\\L\\1\")/p" > $@
+ echo '#include ' | $(CC) $(CPPFLAGS) -E -dD - | LC_ALL=C sed -n -e "/IPPROTO_MAX/d" -e "s/^\#define[ \\t]\\+IPPROTO_\\([A-Z0-9_]\\+\\)\\(.*\\)$$/AA_GEN_PROTO_ENT(\\UIPPROTO_\\1, \"\\L\\1\")/p" > $@
 lib_LTLIBRARIES = libapparmor.la
 noinst_HEADERS = grammar.h parser.h scanner.h af_protos.h private.h PMurHash.h
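Review bot: The `af_protos.h` recipe still cannot fail when the extraction goes wrong, and nothing checks the ordering this change relies on. The pipeline's exit status is that of `sed`, so if `$(CC)` rejects `-dD` or the include does not resolve, an empty `af_protos.h` is written and, since the target has no prerequisites, it is never regenerated. Going by the commit message, the audit-log translation of protocol 0 depends on the `ip` entry being emitted before `hopopts`, so a second recipe line could assert exactly that and remove the file otherwise: `grep -E -m1 'IPPROTO_(IP|HOPOPTS),' $@ | grep -q 'IPPROTO_IP,' || { rm -f $@; exit 1; }`. A comment above the rule would also help, e.g. `# -dD keeps header declaration order: IPPROTO_IP (0) must precede IPPROTO_HOPOPTS (0)`, so the flag is not switched back to `-dM` later.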