Bug 346333 - sys-kernel/hardened-sources-2.6.36-r2 does not compile if GRKERNSEC_SELINUX_AVC_LOG_IPADDR is set
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: AMD64 Linux
Importance: High normal
Assignee: The Gentoo Linux Hardened Kernel Team (OBSOLETE)
Reported: 2010-11-21 17:18 UTC by Karl-Johan Karlsson
Modified: 2010-12-20 23:46 UTC

Attachments
Switches from NIPQUAD to %pI4 (fix-grkernsec-selinux-avc-log-ipaddr.patch, 453 bytes, patch)
2010-11-23 15:52 UTC, Anthony Basile

Description Karl-Johan Karlsson 2010-11-21 17:18:16 UTC
If GRKERNSEC_SELINUX_AVC_LOG_IPADDR ("Add source IP address to SELinux AVC log messages") is set in the kernel configuration, GRSecurity tries to use the NIPQUAD macro, but NIPQUAD no longer exists in 2.6.36 (as of http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=cf4ca4874fc45166198424384275f443a672d0b7), so compilation fails with:

security/selinux/avc.c: In function 'avc_dump_query':
security/selinux/avc.c:148: error: implicit declaration of function 'NIPQUAD'
security/selinux/avc.c:148: warning: too few arguments for format

Reproducible: Always

Comment 1 Anthony Basile gentoo-dev 2010-11-21 17:55:51 UTC
Okay, this is an easy one. I'm going to pass it by the grsec/pax team first and see how they want to handle it. Otherwise, I can just reintroduce the macro myself. I'll make sure it's fixed for 2.6.36-r3.

Thanks for reporting.
Comment 2 Anthony Basile gentoo-dev 2010-11-23 15:50:18 UTC
Can you please test the following simple patch? It compiles, but I don't use SELinux so I'd like a runtime check from you. If all is good, I'll throw it into the next rev bump:

diff -Naur avc.c.orig avc.c
--- avc.c.orig	2010-11-23 10:48:18.000000000 -0500
+++ avc.c	2010-11-23 10:48:37.000000000 -0500
@@ -145,7 +145,7 @@
 
 #ifdef CONFIG_GRKERNSEC_SELINUX_AVC_LOG_IPADDR
 	if (current->signal->curr_ip)
-		audit_log_format(ab, "ipaddr=%u.%u.%u.%u ", NIPQUAD(current->signal->curr_ip));
+		audit_log_format(ab, "ipaddr=%pI4 ", &current->signal->curr_ip);
 #endif
 
 	rc = security_sid_to_context(ssid, &scontext, &scontext_len);
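Review bot: In the added audit_log_format() call, %pI4 dereferences its argument as four bytes in network byte order, so passing &current->signal->curr_ip matches the old NIPQUAD() output only if curr_ip is a 32-bit field that holds the address in network order. The declaration of curr_ip is not in this hunk, so please confirm its type and byte order before the rev bump, and consider a one-line comment above the call stating that assumption. Separately, the ---/+++ headers name avc.c.orig and avc.c without the security/selinux/ prefix shown in the build error, so the patch applies only from inside that directory; regenerating it from the top of the kernel tree would make it apply with the usual -p1.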
Comment 3 Anthony Basile gentoo-dev 2010-11-23 15:52:34 UTC
Created attachment 255193
Switches from NIPQUAD to %pI4

Sorry about the line wrap in the previous comment.  Here's the patch as an attachment.
Comment 4 Karl-Johan Karlsson 2010-11-23 19:10:00 UTC
Yes, that patch seems to work.
Comment 5 Anthony Basile gentoo-dev 2010-11-29 01:34:06 UTC
(In reply to comment #4)
> Yes, that patch seems to work.
> 

The fix is in

   hardened-sources-2.6.32-r28.ebuild
   hardened-sources-2.6.36-r3.ebuild

which I just committed to the tree.  I'll close this bug as soon as both of these (or higher) go stable.
Comment 6 Anthony Basile gentoo-dev 2010-12-04 14:39:29 UTC
>    hardened-sources-2.6.32-r28.ebuild
>    hardened-sources-2.6.36-r3.ebuild
> 

Those ebuilds are off the tree because of serious breakage (not related to this). Please use

    hardened-sources-2.6.32-r29.ebuild
    hardened-sources-2.6.36-r4.ebuild

and above.
Comment 7 Anthony Basile gentoo-dev 2010-12-20 23:46:12 UTC
Just stabilized hardened-sources-2.6.32-r31.ebuild and hardened-sources-2.6.36-r6.ebuild which include the fix.  Closing.