On Mon, Jul 29, 2024 at 11:38 AM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote: > > On Mon, Jul 29, 2024 at 11:28 AM Stephen Smalley > <stephen.smalley.work@xxxxxxxxx> wrote: > > > > On Mon, Jul 8, 2024 at 12:50 PM James Carter <jwcart2@xxxxxxxxx> wrote: > > > > > > The lower 64 bits of the subnet prefix for an ibpkeycon rule should > > > all be 0's. Unfortunately the check uses the s6_addr macro which refers > > > to the 16 entry array of 8-bit values in the union and does not refer > > > to the correct bits. > > > > > > Use the s6_addr32 macro instead which refers to the 4 entry array of > > > 32-bit values in the union and refers to the lower 64 bits. > > > > > > Signed-off-by: James Carter <jwcart2@xxxxxxxxx> > > > > Acked-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx> > > One caveat here is that I believe this breaks building checkpolicy on > macOS because s6_addr32 is non-portable. > But it looks like a previous commit re-introduced the usage of > s6_addr32 (we had gotten rid of them earlier to avoid > needing ifdefs for macOS). Applied. We may need to revisit though at some point for macOS.
