[apparmor] [Merge] lp:~smcv/apparmor/af-gaps into lp:apparmor

Simon McVittie simon.mcvittie at collabora.co.uk
Fri Feb 27 17:41:40 UTC 2015


Simon McVittie has proposed merging lp:~smcv/apparmor/af-gaps into lp:apparmor.

Requested reviews:
  AppArmor Developers (apparmor-dev)

For more details, see:
https://code.launchpad.net/~smcv/apparmor/af-gaps/+merge/251296

The network_families array is automatically built from AF_NAMES, which is
extracted from the defines in <bits/socket.h>. The code assumes that
network_families is indexed by the AF defines. However, since the
defines are sparse, and the gaps in the array are not packed with
zeroes, the array is shorter than expected, and the indexing is wrong.

When this function was written, the network families that were
covered might well have been consecutive, but this is no longer true:
there's a gap between AF_LLC (26) and AF_CAN (29). In addition,
the code that parses <sys/socket.h> does not recognise AF_DECnet (12)
due to the lower-case letters, leading to a gap betwen AF_ROSE (11)
and AF_NETBEUI (13).

This assumption caused a crash in our testing while parsing the rule
"network raw" (although unfortunately I can't actually reproduce
that crash any more - it might depend on optimization, phase of moon,
etc.)
-- 
Your team AppArmor Developers is requested to review the proposed merge of lp:~smcv/apparmor/af-gaps into lp:apparmor.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: review-diff.txt
Type: text/x-diff
Size: 1629 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20150227/8a106577/attachment.diff>


More information about the AppArmor mailing list