From patchwork Sat Sep 22 00:17:08 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 10612353 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9F30B14BD for ; Mon, 24 Sep 2018 12:29:35 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8BDDD29EA4 for ; Mon, 24 Sep 2018 12:29:35 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 7FBE129EA6; Mon, 24 Sep 2018 12:29:35 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.3 required=2.0 tests=BAYES_00,DKIM_SIGNED, MAILING_LIST_MULTI,NO_RDNS_DOTCOM_HELO,RCVD_IN_DNSWL_MED,T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from ucol19pa09.eemsg.mail.mil (ucol19pa09.eemsg.mail.mil [214.24.24.82]) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA256 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 57CF729EA4 for ; Mon, 24 Sep 2018 12:29:31 +0000 (UTC) X-EEMSG-check-008: 772125068|UCOL19PA09_EEMSG_MP7.csd.disa.mil X-IronPort-AV: E=Sophos;i="5.54,297,1534809600"; d="scan'208";a="772125068" Received: from emsm-gh1-uea11.ncsc.mil ([214.29.60.3]) by ucol19pa09.eemsg.mail.mil with ESMTP; 24 Sep 2018 12:29:28 +0000 X-IronPort-AV: E=Sophos;i="5.54,297,1534809600"; d="scan'208";a="18575176" IronPort-PHdr: 9a23:xKz0YhzY1WdrGkjXCy+O+j09IxM/srCxBDY+r6Qd1u0VKPad9pjvdHbS+e9qxAeQG9mDtLQc06L/iOPJYSQ4+5GPsXQPItRndiQuroEopTEmG9OPEkbhLfTnPGQQFcVGU0J5rTngaRAGUMnxaEfPrXKs8DUcBgvwNRZvJuTyB4Xek9m72/q99pHPYQhEniaxba9vJxiqsAvdsdUbj5F/Iagr0BvJpXVIe+VSxWx2IF+Yggjx6MSt8pN96ipco/0u+dJOXqX8ZKQ4UKdXDC86PGAv5c3krgfMQA2S7XYBSGoWkx5IAw/Y7BHmW5r6ryX3uvZh1CScIMb7Vq4/Vyi84Kh3SR/okCYHOCA/8GHLkcx7kaZXrAu8qxBj34LYZYeYO/RkfqPZYNgUW2xPUMhMXCBFG4+wcpcDA+8HMOlfrYbyvVsOrRy5BQW1He/i1jFFi37r0aEjz+gtDBzN0Ag+E94StXjZqsj+OqUPXuCv1KTG0zvDYfNV1znz5ofHfRIur+yUXb9ybMbcx1UgGQzbgVWLsoHlIzGY2/4Rv2SH4edsS+SigHMnpQFrpTivw98hh5fTiYIO1F/F9ThyzpspKt24UkF7fNCkEJ9OuCGAKoB7Rd8tTHtzuCkkyrwLooW7czQKyJs92h7fZfiHfJaS4h76SOmeOy10i25ieLK6nhu/91WrxO7kVsSszVpHoSVInsPMu3wQzRDf9MeKRuVn8ku8wTqC1gLe5vtZLU01kafXMZ8sz74qmpYNr0jOESn7k1jsgqCMbEUr4O2o5vziYrXhu5CTKZd5ihr7MqQygsy/Bvk4MhQWU2ib5+u80Lrj8FXlQLpQlP02k7TZsIvAKcQHpq+2Hw9V0oE55xa5Ezimy8gXkWMCLFJEfBKLl4npO1fQL/DkFfqznluhnThxy/3GI7HtGIvBI3fdnLv7YLpx80tcxxAyzdBb6ZJUELYBIPfrV0/qqtPYCh45Mwqpw+foEdlyzYQeWX+JAqCFLqzSqkSF5v4vIuaQZI8VvyzxK/4+5/H0l3M5llgdfbex0ZsNdH+4BuhmI1meYXf0gNcBFmEKsRAiTOzqklKCVyVeZ3S1X6I64zE0EpmmDZvdSYC3m7yNxiC7HodZZmpeEFCDDW/od5mYW/cLcC+SIM1hnSYYWriiUI8h0heutA7ky7d8IOrU/jAYtJ3429ho4e3TiQwy+SZzD8SH3GGHV3t0kX8QRz8qwKB/plRwy1mC0ah8hvxXC8ZT6uhHUggkKJHcyPZ6BMrqWgLbedeJSkipTcm6AT0rSdIx2dAOaV5nG9q+lhDDwzaqA7gNmrOWGJM096Xc337tJ8pg0HvGyrcuj0MnQspOMm2mgLRz9w7NCI7Vi0+ZjbqldbwA3C7R82eO1XSBvFlCXw5qUKXFRmsSZlPMotTj50PCVKeuCbA9PQRd18GOMKxKasfmjV9eXvfsJMzeY36tm2e3HRuIxamDbInte2UAxyjdC1ILkwMU/XabLwQ+AT2ho23GBjx0CV3ve1/s8fV5qH6jVEA70huKb0x/2Lqv4RMan+CTS/YJ0rIDoichpC1+HEyh0NLOF9qAuw1hcb1Abtwn5FdIy3nZtxB9P5ynNK1inUIRcwVpsEPoyxV3C59PndIsrHw00Ap4MbiY309ZdzOEwZDwPaXaKnPv8x+ycKPW1VTe0dmM9qcJ9vs4t03pvBu1GUo673Vnz95V3mOH5pXEFgoSVonxUlos+hhhobHaZSc854bO2n1qK6W0tCHN284xDus/1hmgZ8tfML+DFALqHcwVHcyuKPA0lFizdRIJJ/5S+7AuP8y9avuG3bSnPOF6nDKplW5H+pxy0lqQ9ypgTe7Fx5AFw/Cc3guDSTj8l0ysvdrploBeYjEeBG2/yTLrBIRJfK19YZ4LCXuyI82w3thxmoLtVGRC9FO4G1wG38qpdgaIYFzmwQ1cz0IXrmK7mSGg1Tx7jykprraD3CzJ2+niahsHNXJXRGlll1fgO5S7j9AdXEiuYAgkjx+l5Uf8x6dBvqR/KHPfQUBSfyj5N2tiSLe/tqKeY85T75MlqSFXUOWnYVCGU7L9uAUV0yfiH2tY2TA6eCqnuo7hnxx7jmKdLWp8rGHDdcF22xjf+MTWReRN0ToeWCl4lT7XC0CmP9mu+dWUk4nMsvqiWGKmWJxeajLrzZ6cuyug/2FqBge/n/+rkN39DQc6yTP718VtVSjQrxbzfI/r17+hPOJkYEZoAkT868xkFYFiiIcwg4sQ2XcCjJWP4XUHiXvzMclc2a/mdHoCXyMLw9rL7wj9wkJjKG6JyJzjVniG38thfMe1YnkN2i4n9MBKD7qU7KZYkiRrrFq4qhjRYfdjkTsHz/sh9mIaifkTuAUx1iWdHqwSHU5AMCzykRSH8suzrLtRZGmycbi8zkx+ks69DLuauAFTRG75eos+HS939sh/KEjD0GD36oz/ZNbQbM4Ttx2NnxfOledVLog9lv0QhSpoIWj9p2Eqy/YnjRxy2pG3pIaHJH9r/KKlBR5YMyb4Z80N9T7wiqZehNyZ35i1HpVmGDUEQofnTe6yHDIVr/TnOB6EECcgpXeDBbrfAQif5V9jr33VF5CrM2+YJGUFzdp4XhaQP0pfjx4IXDUhgpE2DBiqy9L7fEd/+D8R+kbyqgFQxeJwKxn/TmDfqR+majcuVpeQMQFW4RtE50fJNsye9fl+EDtE8Z2ktgCNLXabZwtQB2ETRkOEH0zjPqWp5dTY6+iXGPGxIOXIYbWPtexeUOyFxZOx3YR44TmALMKPPmNtD/cjwEpMQWh5G9jFmzUIUyEYjDnCY8mfpBe94S13stu//O7wWA3x+YSDEaBSPstr+xC3h6eDKuGRiT1lJjdYzJMM2GTIxKIR3VEIlyFubD6tEbIauS7KVqLQlbddDwQHZCNrKMtI86U80xFWNs7ahdP10bh4g+UoBFhbTlPhm9umZcoQL2G6LlPHC16BNK6aKj3T38H3faS8RKVSjOVUtxywoTGbE0viPjSfiTbkTBWvMeBQjCGBIhNSooa9cgxiCWL7VtLpdgW7MMNrjT0x2bA0hXPLNWoCPjVndkNNqbOQ7S1GjfVjB2xB7n1lLeyalCqD6enXNIoWu+NxAitoj+Ja/Gg6y7xN4SFCWvN6gi/So8Vto1GhiemP1iBoUBxVqjZIhYKHp0NiNrvF9pNYQ3bL4AoN7XmMCxQNv9ZlEMPgu7tOxdfVjqL8NDdC/snP8ssdHcjbNcWHMHQ5MRrzBjHVDBEJTTi1OmHDn0Zdiu2d9mWJrpgmrZjhgIcBSrhdVFwzC/wVFEBlHN0ZLZhtQDwki7mbgNQP5XqkoxnbXN9asYzfVvKOHfXvLy6UgqReaBsWwLP3MJ8TO5bh1Ex4cFl6m4rLG1HOUt9Rvy1hdA40oFlN8XRkSG08xV7lYBu34HAPDf60ggI2igxmbOQp8zfs+Uk4JlzLpSs3i0QxltPlgS2LfD72NqewUplcCzDouEgpLpP7XwF1YBWpnUN6MDfERrRRj6ZvdG1wlADcvp5PFuJGQq1ffB8c3/eXaOs00V5EsCWo2VdH5ffZCZtljAYqbZ+sr3dH2wJ/bN40JbfdK7dIzllQnK2BpTWk1uYvzw8CP0wN6n+deDYUuEwUMbkrPzCn/uht6QOehTRMYG0MVvosovJt8EMyIf+NwDnh07FZLEC9LuKfL76Dt2jGi8GIXks61lkUmEld4bh2zcAjflKPWE8xyrucDA4GOtfcKQ5LdcpS72LcfTyOsOnXxpJ1JYq9HPjyTeCSrKYUnl6kHAExEoQD88QBH52s0EXGIsfiN7MK1Asi6x/qJFqfCvRFYhWLkC0Io8un1p94wZFdJi0BAWV6KSi3/LDXpg42j/qDW9c2ZmwaUJMdOHwrQsO3hylXsm9cAzmw1+IW1BKN7yTgpijKCjnzccZjbu+OZRxwENG25Sk/86+uhF7N6JrePWb6Os95t9/T8+MVvYiHBO1QTbl8tUfclI1YR32lU27PDd61KYL/a5MpbdDuDHa1TEC/gSovT8jtJNatMrSIgQbwSIdaqoWUwDAjNc64FjEfARhwpPoO5KNiagIdfZU3exnotx4xN6anOgeXzs2uQ3qxKTtRV/RfyP+1Z6ZUzyUycu+6yX0gTp4hwui560ENQo0FjhXZxfa+eoZeSjL/GnpDdAXTvSA5jXRuNv4uwucjxxPFqUMTMyqWdOxvcmBEvMoxBVKTIXV3Fmo3XEWQjYzd7Q6wx7oS5TdSn85I0e1Zt3jzpoPfYDWpWKGwtZXZry8gYsM8r613L4PjPtOMtInCkTzHUJnQrgqFXTa4F/pdhNddOz9XT+dTmW47I8wGpZRO5lcrWsc4ObNPFLEmpqq2Zjp8ES4S0SgZWpuc3DMfn+i82qHVlhOLfZs+NxwEtYlNjcEGUy5qeC8eorGsV5nOnW+eVmcLOBsT7RhL5A8Yjo9wZfzl75DVQ59Q0DNWuPV0UjbRFpZ06VT7TH2WgULiR/WlieCp2hhSzP302NkBRBF/EVRdx/pRlkYwM753JbUfspLIvzOVe073p37iyOyjJFZN08LUbEH4AJDDtWXiTi0W4WcUSpNXyHHDCZQSlBJ0aLw1q1pRIICpYFr+6icgx4RuAbm3S96nyEoirXkbWSimCdxBBP96sFjPQj1qf4irqIn5O5VVWmJQ5IedpElHn0pwKCO51J5cK91X4jEWQjhPoDKdvN+sR81fw8N2CIUMIthnsXfnBKxEIISRo2ExurH3yH/W4So8sFChxDW3AaC4UflU/2gDGgUtO2Seq1UgD+o2/WfU6VDBqFd0//1UBrKXl0V+vC59HoxSBjZOzX2lLU58TH9Is+VAL6TabtJTTuIuZRC1PRw+Dvkm01aP/U5qgXfzezZyuRdC+yDBQwk0UjEYgrHpmTAFq8GnPzoaR4hJbTUnYSfFMRiUmTtLvBZFdkFlR4wZAstf+74Fx4dU+dDCSUm0IyEfQBNiLh440eZYlUNbtkWYeDzSDQ2sdfnVqR17Z8aRrMmuLPTi5wdKkYbnve839qkZQH2mgwKtS8jEr4Dgrt2KqleOdKDgPu24en/BSTjBgAu+hbg6EpbK+DLTPxBDK5lgznokY4buBnLXPRhcIKIbPUVbX7hgadpauuBae9NkeKER9K9vBxKHQwjiGImxo/hGMFnTXzXeLyOO8uClp4Lc86DdQ/D6ZsOQ33bHX753PpBi5Dn6Grbly5VR9Vbt1/d26Ex6VUbJPDyboNTmPAML69GodlH+sZ0xATPWHJBwnWL2yUFBbMoWTTel8JYZyJNF8Hb/U/940kzoveJO8Llr9Jc47Kp0yceuIqfSM+5VvVVgAhiOCQVg7o8tD3RnR2BNfu8RL+/cfbwDgsDyt+/3F6IW6BqP++xacNfHPF/Oms2+CjGaVBxFkxwMqSYAIQuAy/GFm6F1ScG/pej6wE4t4EaxLgQAzL9z4YeI4K2IpPXYbxHJ17gLRrDqRt/vrrQro06S6uMrlLgSemxyZA2rF/MdWdAZxmfhy6Aq0C0tHtjHH73+4v5CV2g2kijmm59jA1UcAukUEqaT/YRCgmc4nPTUOcEUcq9YhmmCDgKrErgGyX6v6iuYPnNlgg3Q3B7sQWO/9lj2rTV3QSHU1dfsjlJVVqWrBUdVRyepPEh4sDWTPArnqtX6oqE17EAsPWziqt2NiGWgOLRNH838P9yQOy80q0wLjJcpXNygxZgbGcahINcW6Hx+YefR63iwkyNYvqlJiIzQ4sCT+vXKEnitlKKaq7CXyzBe1Hc0p1Y/6sqvNvvW/d2FX+yo13oNTyd4owbBXRm1qrzdr1wOJUOL0EPLmJEXMdBY3Hk40Frm5OsiQN8o6gVeF5jAaOkGpT/uOTv421CfbMwrViOGyTtYAkr1EUVkGKg7wG/wvdzJmm3W+1AzQolwalHohR1wD4UjM04t70IXwiUbGwgXdR+bFK2oBVjiLYYcV0gMdxqH3La+eqos00x82LWv6/HPbeBmAaoCKOpdhBaUnFdHApIWrbEeQLVkdl9S8K7XoQbjBJbjX/jijncwLvq1QsZb8c8FrXci5BiwRwa445dZ87kbkIyIdrJDYZXUssB89V1o5TgTeSxMmxhylBa5UfgdpOz6+djavoGo5vypVKY3SOUd7wI0CHhmj5vsnFAjpsna1+JdSo3WioT/9xtAI3yQt4bZ1Bl8L/QBK4SxcLZm6XoHOzAUJ2gSMtqOd/k8/yhtPS3I6FNcBMMMecgVPNHJmQBTlk3pRK9T+dTGFVOCDIdzbc8o5XLtyD8p6Zs8Tvrg6DiuKJDH6FFNO+lMjD9ildLFoOgVz+HfCC0Q4XmecBh63D+Ny4OKC/br5uWMydfUV1wcEi4xSYddKyKI+Ra7SeqtiJXpTgSU59f9gJ0gcEKQR2Sxk7oev6dNEO5AjyD70SZEFoDxmf2Zqd2s6HFYtldfCoZ88QXFGLlDPpV8IRn5mNGrRlJ9BiTjZs7ZbR8uuOuKxucW/epyLUz+ZZUUIhgc0bL19WJVThdySL7xpluZWuYRa8V9RfPcqnBa85lgK7MOPFeBuJzqtClHp04sDA8vdrAwsiRQdlPSkw1NR6b0pLkAhxMYUd54v09MBG2xNHs65zrGTqRVkLKRBecU8jqJSKwOVF9kMiRkQxO6wJ9uYaemnehbsmNamSNwuP0q3CZ6Sxu8uC3soaUN1Ck++LG5sjUOp3hFTuSYkyfVBlRP1vMKjb0TC3z681yzfGEDbJfu4LlgPcng95Mu43c4YRo4ZCAGQOKgCz3wj6OPH4yPv9JchAKXtMXIc7CzMTAYNq4hxhL7W3h9zg/ekQ5z8GsFRzWv8N4pKYamNMY72CWoA2nbdVcL4qNPqsfxs0AETPdlIW9mlUFY94DTQiwLWdyKAGs+kxIldXQBdZVP9BsXP7cnjyzOvaRc+AwQJjDOHdLhsqvZmMrTkVw6V81r3SqCpKiCnIkry1VjktZ572iJontEM6TjfodIA37uxs8L0uH6ZvOwosgbWYBmz/KnS/ZEPc69ry/+/LZOfwfxwrUYAkr8M+IZwLrfezmqRHfeWumRdWWI2TEjPRi2rTuvLlt/SsBKpkkmP+2K0pxblwunU7R0TyOLqFnzx2UlNuUbfAsy/oygflpOBM0cavPUDu8pw7VqC1YBdHTOGiheAO+stlusgY09PG9vtwGyXenx6R3hePubHBUNWdrCo5h+5P28A2GMI3ltyDVzeU1z6eqZDF0yq/VVNZCc29rI0ZAz6ecYc79INiont5ZHgot+7aGM2dqONBTWyYz/Y9rSp67cS8bDwlwqd2cSab8QZQf49s1uJdIic6HCFrte+xIHDO41R4J3cy+78KByMRM2fBXdaaq5huH0qe+RIJhZvXnb6hQ3NiiW80kHy/qpXUl1dJynmXj2CI4/SygHrNB3DBZiWoxVFJVE5yOjDo6ZiemXjNWr+lJzvadeuKb3AOrLxd2/94p0Vpleo0eMOWCVTIxqiUdsDeCFuf7E2w33QZfneNgsWOl0Q23CZvnAE5npbnq1M8biclJB6bPU9b9iVQ+YbymxC7HAsSC/M+9t6kxilKR3eePSyHom6LSNi/XoYGQOjS64oG/BD5Bf5UHEAeHEF0ZfQOGI4U5+Fq0ecIXw+f1LOtVky9+ZtVogpA9e2deIdvDy5nTH3Vh2INeKdBGziS8kRYkHJgi+OkIwgGjf727QGmlYMtP+dZI/ve65JUfG32Apwycga2taFSztTNaVf20a35HbBkWR7AweKdEFkqasfFIg8LWoQLxjM45IiM2xv7UOjNhtJjuKT8EcNCbVf9oUdiFJALDpo14lKgUBr6BzX440YZaUJ0ZSO06bxDLa1gDC2FD6c9G2ka2AZi0R9yYirfreyTYZgQ6/tL6Ch9H7FrDUaJajRPnJLC8sTS2XXxwpFkCo8gz85r9d5LyTJmEEp0pSZyuTDEgZqPopvNHQCWiVkupmL/hozPyZWiWlUCRjj+JyHSdEs0mQXuAOXRfbdX7vgWdQ+USiK/ZA8Gijbuiw16NVXOtQCYxJfw== X-IPAS-Result: A2AYBQCF16hb/wHyM5BaHAEBAQQBAQcEAQGDXAOBCFwojGiLSYFogn6UCoFYMRMBhQSDFiE4FAEDAQEBAQEBAgFsHAyCNSSCYAMDAQIkEwYBAQwgDAIDCQEBNwkICAMBLRQBEQYBBwUGAgEBARgEgwCBagMVA5cRihyBajOCdQEBBYEEAQF1gjADglMIF4phF4IAgRInDIIxhGcSARIBXoUZiEqFNUExjhAJggyOFwgVWYg7hhiOe4dnIWRxTSMVO4JsghkMF4NGihwBVU97AQGJfYI9AQE Received: from tarius.tycho.ncsc.mil ([144.51.242.1]) by emsm-gh1-uea11.NCSC.MIL with ESMTP; 24 Sep 2018 12:29:30 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus.infosec.tycho.ncsc.mil [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id w8OCTT4u028687; Mon, 24 Sep 2018 08:29:29 -0400 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id w8M0HWus018231 for ; Fri, 21 Sep 2018 20:17:32 -0400 Received: from goalie.tycho.ncsc.mil (goalie.infosec.tycho.ncsc.mil [144.51.242.250]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id w8M0HQnF009805 for ; Fri, 21 Sep 2018 20:17:32 -0400 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A1B6AADYiKVblywbGNZbHAEBAQQBAQcEAQGDXIFnKINziHSLS4Fogn6UCoFmhHcCQoMEITgUAQMBAQEBAQECFAEBAQEBBhgGTIVFAwMjBBkBATgPJQIRFQICRRIGAQwGAgEBgx2BagMVA5gmihxvezOCdQEBBYEEAQF1gj4DglEIF3SJZReCAIESJwyCMYRngQSCQoJXiEqFM0Exjg0JggyOFwgVWYg7hhSOd4djgXZNIxU7gmyCGQwOCYNGihwBVU+OVAEB X-IPAS-Result: A1B6AADYiKVblywbGNZbHAEBAQQBAQcEAQGDXIFnKINziHSLS4Fogn6UCoFmhHcCQoMEITgUAQMBAQEBAQECFAEBAQEBBhgGTIVFAwMjBBkBATgPJQIRFQICRRIGAQwGAgEBgx2BagMVA5gmihxvezOCdQEBBYEEAQF1gj4DglEIF3SJZReCAIESJwyCMYRngQSCQoJXiEqFM0Exjg0JggyOFwgVWYg7hhSOd4djgXZNIxU7gmyCGQwOCYNGihwBVU+OVAEB X-IronPort-AV: E=Sophos;i="5.54,287,1534824000"; d="scan'208";a="375809" Received: from emsm-gh1-uea11.ncsc.mil ([214.29.60.35]) by goalie.tycho.ncsc.mil with ESMTP; 21 Sep 2018 20:17:31 -0400 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A0BxAACWiaVblywbGNZbHAEBAQQBAQcEAQGDXIFnKINziHSLS4Fogn6UCoFmhHcCQoMEITgUAQMBAQEBAQECARMBAQEBAQYYBkwMgjUkgmADAyMEGQEBOA8lAhEVAgJFEgYBDAYCAQGDHYFqAxUDmCCKHG97M4J1AQEFgQQBAXWCPgOCUQgXdIllF4IAgRInDIIxhGeBBIJCgleISoUzQTGODQmCDI4XCBVZiDuGFI53h2OBdk0jFTuCbIIZDA4Jg0aKHAFVT45UAQE X-IPAS-Result: A0BxAACWiaVblywbGNZbHAEBAQQBAQcEAQGDXIFnKINziHSLS4Fogn6UCoFmhHcCQoMEITgUAQMBAQEBAQECARMBAQEBAQYYBkwMgjUkgmADAyMEGQEBOA8lAhEVAgJFEgYBDAYCAQGDHYFqAxUDmCCKHG97M4J1AQEFgQQBAXWCPgOCUQgXdIllF4IAgRInDIIxhGeBBIJCgleISoUzQTGODQmCDI4XCBVZiDuGFI53h2OBdk0jFTuCbIIZDA4Jg0aKHAFVT45UAQE X-IronPort-AV: E=Sophos;i="5.54,287,1534809600"; d="scan'208";a="18546019" X-IronPort-Outbreak-Status: No, level 0, Unknown - Unknown Received: from updc3cpa05.eemsg.mail.mil ([214.24.27.44]) by emsm-gh1-uea11.NCSC.MIL with ESMTP; 22 Sep 2018 00:17:30 +0000 X-EEMSG-check-005: 0 X-EEMSG-check-006: 000-001;9a391598-54ab-4ecf-a85a-12bb3ef2c3db Authentication-Results: UPDC3CPA02.eemsg.mail.mil; spf=None smtp.pra=casey@schaufler-ca.com; spf=None smtp.mailfrom=casey@schaufler-ca.com; spf=None smtp.helo=postmaster@sonic305-10.consmr.mail.bf2.yahoo.com; dkim=pass (signature verified) header.i=@yahoo.com X-EEMSG-check-008: 251531434|UPDC3CPA02_EEMSG_MP18.csd.disa.mil X-EEMSG-SBRS: 3.5 X-EEMSG-ORIG-IP: 74.6.133.49 X-EEMSG-check-002: true X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A0CAAgCniKVbhzGFBkpbHQEBBQEHBQGFQyiDc4h0jTOCfpQKgWaEdwJCgwQZBgY0FAEDAQEBAQEBAQEBEwEBAQoLCQgbDiMMgjUkgmADAyMEGQEBOA8lAhEVAgJFEgYBDAYCAQGDHYFqAxWYKIocb3szgnUBAQWBBAEBdYI+A4JRCBd0iXyCAIESJwyCMYRngQSCQoJXiEqFM0Exjg0JggyOFwgVWYg7hhSOd4djgXZNIxU7gmyCGQwOCYNGihwBVR8wjlQBAQ X-IPAS-Result: A0CAAgCniKVbhzGFBkpbHQEBBQEHBQGFQyiDc4h0jTOCfpQKgWaEdwJCgwQZBgY0FAEDAQEBAQEBAQEBEwEBAQoLCQgbDiMMgjUkgmADAyMEGQEBOA8lAhEVAgJFEgYBDAYCAQGDHYFqAxWYKIocb3szgnUBAQWBBAEBdYI+A4JRCBd0iXyCAIESJwyCMYRngQSCQoJXiEqFM0Exjg0JggyOFwgVWYg7hhSOd4djgXZNIxU7gmyCGQwOCYNGihwBVR8wjlQBAQ Received: from sonic305-10.consmr.mail.bf2.yahoo.com ([74.6.133.49]) by UPDC3CPA02.eemsg.mail.mil with ESMTP; 22 Sep 2018 00:17:27 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1537575437; bh=MnqnWnzHOkd2XlWvfSIXxqEnsufnVOpiMDOJOGJfGRs=; h=Subject:To:References:From:Date:In-Reply-To:From:Subject; b=kNU8VtAMsKpcs6Za5W7rEgKtBdP7l7QRnfTAUk84xUS1X6v8gKIzmj+kU28XgDcQLkqbIq3TwFGObxpgBnvAwsdDmx38SGa64O1Kr+kNWYE3vKYtZHf3j3MEhe+FFRf0YPlHxTWqoJ9wPZccfTTLyrgHnwJxNMsHYiwpew6BYLlGTn8i6QvcExMiUXHpnOYpeLFyY0a93HvPTyNMlw6uklAYCHJlG3liQcnvlA7wYM/55RU3YwcJMjjZewdow9OANWLncGr6x2LHQh+uqIFvfwYV+FjW7EyVu20DrDLzeKJPRCvh8a1QeNIG+drXBLS3yKa/QxJ2tjVT19YIp0XoxA== X-YMail-OSG: 6R7mYVAVM1lOIATux6udexBjqaMA7hAHv.zLMEsz545qcp1fZQkmBkpSXhoHfFv wUWxMLoNr.lB.eiCTJMOuPzAGg8A.gbi1TE8OfT6Y13TVvE.gEMQhdWfnbRzwyKHagSRVIEmkUVj 1ggvSjDptEGS8xcsSYXc3dGCckZLKvIbKOPAd45TcFpiza7HZvXpHhqeHWXWqNn0Yoq6aEoG2zpu rJT5LGuIY8BvbzbiOJ4J0KOJ1ohy4W.gHGNkNg79xOmF5PvKtdk7uSpEjmSOZwavhWUpeQ2IiG6u PewIcq26dCP0ksBGhqKhtsguA21B5aDtyd1IIPy7PaXDze0rucpOtUEJf2JKeeH2V1wPK.kctOXd Bwekvcg_Z0PkKNdcO.6Lsqo20d15guF_AxCFiOdfI8PX.i.eWFpMxnE829ketc8FZZ1.vinSoJoe fEI5FGGThf7basZP1qfY5oazRfi0DyhcnYg8gTa7w7tYAeimWvG9DvhDdX4G5dgUC4N2kaA8KtNT tsFuZ5Br4DHy3tZXvLFsmnOEkm101lqYqth4SdchKb5bLp2LoBSSaojsxfKzNVEBSD0BeP_hDZGq H4Ju8UAO07qUGVcomV9JR_DhmME.tFvrw8sNUzjCrKOAfF_ByYoMONJnvQDEU6KIIkOHmK0aKyke jIO4ZuR4DBmtHFzDyiLhPmqHyyEuo5SnYwiL7mnMenJ8WAbsgpUIdD_YwbL2ycppR2DrsoPrFQP8 1f4mQWYr3R9FuEzhx0xcx.4.hOlpOAP_gjIo4f8JhxGgJpUxNMSgFS_dHjgqUEwabtXCitfmWYEF gAlqzOZC_wnwuVhSoNiLuuB5stULscAtxTFfhMO22._vrDObifwxvCHufCH0Jwo5vD5fgxOAFF2B 38u.2XGa_dbpctwWZk5AL6Nf3wje2Xs48n0bRVwc4T3ro8Vhxvfa390bfMFf4wqtAyy4NyyaGF_q 6Athu8PhJ540GtzS_mIZiA7xhZZFmrEjeWBOz6KSiiAF7MQmuWkOi13AhP9A.GYsL60wPbBUMv21 lc_v7H1WslyZILiwkcWOyrum2RxXjk3Gd Received: from sonic.gate.mail.ne1.yahoo.com by sonic305.consmr.mail.bf2.yahoo.com with HTTP; Sat, 22 Sep 2018 00:17:17 +0000 Received: from c-67-169-65-224.hsd1.ca.comcast.net (EHLO [192.168.0.102]) ([67.169.65.224]) by smtp419.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 684c4260c9ce7e69931b3535a90e1556; Sat, 22 Sep 2018 00:17:13 +0000 (UTC) To: LSM , James Morris , SE Linux , LKLM , John Johansen , Kees Cook , Tetsuo Handa , Paul Moore , Stephen Smalley , "linux-fsdevel@vger.kernel.org" , Alexey Dobriyan , =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Salvatore Mesoraca References: X-EEMSG-check-009: 444-444 From: Casey Schaufler Message-ID: <03191752-22d3-4066-3d3a-8fbe209447e5@schaufler-ca.com> Date: Fri, 21 Sep 2018 17:17:08 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: Content-Language: en-US X-Mailman-Approved-At: Mon, 24 Sep 2018 08:26:06 -0400 Subject: [PATCH v4 02/19] Smack: Abstract use of cred security blob X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.21 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP Don't use the cred->security pointer directly. Provide a helper function that provides the security blob pointer. Signed-off-by: Casey Schaufler Reviewed-by: Kees Cook --- security/smack/smack.h | 17 +++++++++-- security/smack/smack_access.c | 4 +-- security/smack/smack_lsm.c | 57 +++++++++++++++++------------------ security/smack/smackfs.c | 18 +++++------ 4 files changed, 53 insertions(+), 43 deletions(-) diff --git a/security/smack/smack.h b/security/smack/smack.h index f7db791fb566..01a922856eba 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -356,6 +356,11 @@ extern struct list_head smack_onlycap_list; #define SMACK_HASH_SLOTS 16 extern struct hlist_head smack_known_hash[SMACK_HASH_SLOTS]; +static inline struct task_smack *smack_cred(const struct cred *cred) +{ + return cred->security; +} + /* * Is the directory transmuting? */ @@ -382,13 +387,19 @@ static inline struct smack_known *smk_of_task(const struct task_smack *tsp) return tsp->smk_task; } -static inline struct smack_known *smk_of_task_struct(const struct task_struct *t) +static inline struct smack_known *smk_of_task_struct( + const struct task_struct *t) { struct smack_known *skp; + const struct cred *cred; rcu_read_lock(); - skp = smk_of_task(__task_cred(t)->security); + + cred = __task_cred(t); + skp = smk_of_task(smack_cred(cred)); + rcu_read_unlock(); + return skp; } @@ -405,7 +416,7 @@ static inline struct smack_known *smk_of_forked(const struct task_smack *tsp) */ static inline struct smack_known *smk_of_current(void) { - return smk_of_task(current_security()); + return smk_of_task(smack_cred(current_cred())); } /* diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c index 9a4c0ad46518..489d49a20b47 100644 --- a/security/smack/smack_access.c +++ b/security/smack/smack_access.c @@ -275,7 +275,7 @@ int smk_tskacc(struct task_smack *tsp, struct smack_known *obj_known, int smk_curacc(struct smack_known *obj_known, u32 mode, struct smk_audit_info *a) { - struct task_smack *tsp = current_security(); + struct task_smack *tsp = smack_cred(current_cred()); return smk_tskacc(tsp, obj_known, mode, a); } @@ -635,7 +635,7 @@ DEFINE_MUTEX(smack_onlycap_lock); */ bool smack_privileged_cred(int cap, const struct cred *cred) { - struct task_smack *tsp = cred->security; + struct task_smack *tsp = smack_cred(cred); struct smack_known *skp = tsp->smk_task; struct smack_known_list_elem *sklep; int rc; diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 340fc30ad85d..68ee3ae8f25c 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -122,7 +122,7 @@ static int smk_bu_note(char *note, struct smack_known *sskp, static int smk_bu_current(char *note, struct smack_known *oskp, int mode, int rc) { - struct task_smack *tsp = current_security(); + struct task_smack *tsp = smack_cred(current_cred()); char acc[SMK_NUM_ACCESS_TYPE + 1]; if (rc <= 0) @@ -143,7 +143,7 @@ static int smk_bu_current(char *note, struct smack_known *oskp, #ifdef CONFIG_SECURITY_SMACK_BRINGUP static int smk_bu_task(struct task_struct *otp, int mode, int rc) { - struct task_smack *tsp = current_security(); + struct task_smack *tsp = smack_cred(current_cred()); struct smack_known *smk_task = smk_of_task_struct(otp); char acc[SMK_NUM_ACCESS_TYPE + 1]; @@ -165,7 +165,7 @@ static int smk_bu_task(struct task_struct *otp, int mode, int rc) #ifdef CONFIG_SECURITY_SMACK_BRINGUP static int smk_bu_inode(struct inode *inode, int mode, int rc) { - struct task_smack *tsp = current_security(); + struct task_smack *tsp = smack_cred(current_cred()); struct inode_smack *isp = inode->i_security; char acc[SMK_NUM_ACCESS_TYPE + 1]; @@ -195,7 +195,7 @@ static int smk_bu_inode(struct inode *inode, int mode, int rc) #ifdef CONFIG_SECURITY_SMACK_BRINGUP static int smk_bu_file(struct file *file, int mode, int rc) { - struct task_smack *tsp = current_security(); + struct task_smack *tsp = smack_cred(current_cred()); struct smack_known *sskp = tsp->smk_task; struct inode *inode = file_inode(file); struct inode_smack *isp = inode->i_security; @@ -225,7 +225,7 @@ static int smk_bu_file(struct file *file, int mode, int rc) static int smk_bu_credfile(const struct cred *cred, struct file *file, int mode, int rc) { - struct task_smack *tsp = cred->security; + struct task_smack *tsp = smack_cred(cred); struct smack_known *sskp = tsp->smk_task; struct inode *inode = file_inode(file); struct inode_smack *isp = inode->i_security; @@ -429,7 +429,7 @@ static int smk_ptrace_rule_check(struct task_struct *tracer, } rcu_read_lock(); - tsp = __task_cred(tracer)->security; + tsp = smack_cred(__task_cred(tracer)); tracer_known = smk_of_task(tsp); if ((mode & PTRACE_MODE_ATTACH) && @@ -496,7 +496,7 @@ static int smack_ptrace_traceme(struct task_struct *ptp) int rc; struct smack_known *skp; - skp = smk_of_task(current_security()); + skp = smk_of_task(smack_cred(current_cred())); rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__); return rc; @@ -913,7 +913,7 @@ static int smack_sb_statfs(struct dentry *dentry) static int smack_bprm_set_creds(struct linux_binprm *bprm) { struct inode *inode = file_inode(bprm->file); - struct task_smack *bsp = bprm->cred->security; + struct task_smack *bsp = smack_cred(bprm->cred); struct inode_smack *isp; struct superblock_smack *sbsp; int rc; @@ -1744,7 +1744,7 @@ static int smack_mmap_file(struct file *file, return -EACCES; mkp = isp->smk_mmap; - tsp = current_security(); + tsp = smack_cred(current_cred()); skp = smk_of_current(); rc = 0; @@ -1840,7 +1840,7 @@ static int smack_file_send_sigiotask(struct task_struct *tsk, struct fown_struct *fown, int signum) { struct smack_known *skp; - struct smack_known *tkp = smk_of_task(tsk->cred->security); + struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred)); struct file *file; int rc; struct smk_audit_info ad; @@ -1888,7 +1888,7 @@ static int smack_file_receive(struct file *file) if (inode->i_sb->s_magic == SOCKFS_MAGIC) { sock = SOCKET_I(inode); ssp = sock->sk->sk_security; - tsp = current_security(); + tsp = smack_cred(current_cred()); /* * If the receiving process can't write to the * passed socket or if the passed socket can't @@ -1930,7 +1930,7 @@ static int smack_file_receive(struct file *file) */ static int smack_file_open(struct file *file) { - struct task_smack *tsp = file->f_cred->security; + struct task_smack *tsp = smack_cred(file->f_cred); struct inode *inode = file_inode(file); struct smk_audit_info ad; int rc; @@ -1977,7 +1977,7 @@ static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) */ static void smack_cred_free(struct cred *cred) { - struct task_smack *tsp = cred->security; + struct task_smack *tsp = smack_cred(cred); struct smack_rule *rp; struct list_head *l; struct list_head *n; @@ -2007,7 +2007,7 @@ static void smack_cred_free(struct cred *cred) static int smack_cred_prepare(struct cred *new, const struct cred *old, gfp_t gfp) { - struct task_smack *old_tsp = old->security; + struct task_smack *old_tsp = smack_cred(old); struct task_smack *new_tsp; int rc; @@ -2038,15 +2038,14 @@ static int smack_cred_prepare(struct cred *new, const struct cred *old, */ static void smack_cred_transfer(struct cred *new, const struct cred *old) { - struct task_smack *old_tsp = old->security; - struct task_smack *new_tsp = new->security; + struct task_smack *old_tsp = smack_cred(old); + struct task_smack *new_tsp = smack_cred(new); new_tsp->smk_task = old_tsp->smk_task; new_tsp->smk_forked = old_tsp->smk_task; mutex_init(&new_tsp->smk_rules_lock); INIT_LIST_HEAD(&new_tsp->smk_rules); - /* cbs copy rule list */ } @@ -2057,12 +2056,12 @@ static void smack_cred_transfer(struct cred *new, const struct cred *old) * * Sets the secid to contain a u32 version of the smack label. */ -static void smack_cred_getsecid(const struct cred *c, u32 *secid) +static void smack_cred_getsecid(const struct cred *cred, u32 *secid) { struct smack_known *skp; rcu_read_lock(); - skp = smk_of_task(c->security); + skp = smk_of_task(smack_cred(cred)); *secid = skp->smk_secid; rcu_read_unlock(); } @@ -2076,7 +2075,7 @@ static void smack_cred_getsecid(const struct cred *c, u32 *secid) */ static int smack_kernel_act_as(struct cred *new, u32 secid) { - struct task_smack *new_tsp = new->security; + struct task_smack *new_tsp = smack_cred(new); new_tsp->smk_task = smack_from_secid(secid); return 0; @@ -2094,7 +2093,7 @@ static int smack_kernel_create_files_as(struct cred *new, struct inode *inode) { struct inode_smack *isp = inode->i_security; - struct task_smack *tsp = new->security; + struct task_smack *tsp = smack_cred(new); tsp->smk_forked = isp->smk_inode; tsp->smk_task = tsp->smk_forked; @@ -2278,7 +2277,7 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info, * specific behavior. This is not clean. For one thing * we can't take privilege into account. */ - skp = smk_of_task(cred->security); + skp = smk_of_task(smack_cred(cred)); rc = smk_access(skp, tkp, MAY_DELIVER, &ad); rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc); return rc; @@ -3605,7 +3604,7 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value) */ static int smack_setprocattr(const char *name, void *value, size_t size) { - struct task_smack *tsp = current_security(); + struct task_smack *tsp = smack_cred(current_cred()); struct cred *new; struct smack_known *skp; struct smack_known_list_elem *sklep; @@ -3646,7 +3645,7 @@ static int smack_setprocattr(const char *name, void *value, size_t size) if (new == NULL) return -ENOMEM; - tsp = new->security; + tsp = smack_cred(new); tsp->smk_task = skp; /* * process can change its label only once @@ -4291,7 +4290,7 @@ static void smack_inet_csk_clone(struct sock *sk, static int smack_key_alloc(struct key *key, const struct cred *cred, unsigned long flags) { - struct smack_known *skp = smk_of_task(cred->security); + struct smack_known *skp = smk_of_task(smack_cred(cred)); key->security = skp; return 0; @@ -4322,7 +4321,7 @@ static int smack_key_permission(key_ref_t key_ref, { struct key *keyp; struct smk_audit_info ad; - struct smack_known *tkp = smk_of_task(cred->security); + struct smack_known *tkp = smk_of_task(smack_cred(cred)); int request = 0; int rc; @@ -4591,7 +4590,7 @@ static int smack_inode_copy_up(struct dentry *dentry, struct cred **new) return -ENOMEM; } - tsp = new_creds->security; + tsp = smack_cred(new_creds); /* * Get label from overlay inode and set it in create_sid @@ -4619,8 +4618,8 @@ static int smack_dentry_create_files_as(struct dentry *dentry, int mode, const struct cred *old, struct cred *new) { - struct task_smack *otsp = old->security; - struct task_smack *ntsp = new->security; + struct task_smack *otsp = smack_cred(old); + struct task_smack *ntsp = smack_cred(new); struct inode_smack *isp; int may; diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index f6482e53d55a..9d2dde608298 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c @@ -2208,14 +2208,14 @@ static const struct file_operations smk_logging_ops = { static void *load_self_seq_start(struct seq_file *s, loff_t *pos) { - struct task_smack *tsp = current_security(); + struct task_smack *tsp = smack_cred(current_cred()); return smk_seq_start(s, pos, &tsp->smk_rules); } static void *load_self_seq_next(struct seq_file *s, void *v, loff_t *pos) { - struct task_smack *tsp = current_security(); + struct task_smack *tsp = smack_cred(current_cred()); return smk_seq_next(s, v, pos, &tsp->smk_rules); } @@ -2262,7 +2262,7 @@ static int smk_open_load_self(struct inode *inode, struct file *file) static ssize_t smk_write_load_self(struct file *file, const char __user *buf, size_t count, loff_t *ppos) { - struct task_smack *tsp = current_security(); + struct task_smack *tsp = smack_cred(current_cred()); return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules, &tsp->smk_rules_lock, SMK_FIXED24_FMT); @@ -2414,14 +2414,14 @@ static const struct file_operations smk_load2_ops = { static void *load_self2_seq_start(struct seq_file *s, loff_t *pos) { - struct task_smack *tsp = current_security(); + struct task_smack *tsp = smack_cred(current_cred()); return smk_seq_start(s, pos, &tsp->smk_rules); } static void *load_self2_seq_next(struct seq_file *s, void *v, loff_t *pos) { - struct task_smack *tsp = current_security(); + struct task_smack *tsp = smack_cred(current_cred()); return smk_seq_next(s, v, pos, &tsp->smk_rules); } @@ -2467,7 +2467,7 @@ static int smk_open_load_self2(struct inode *inode, struct file *file) static ssize_t smk_write_load_self2(struct file *file, const char __user *buf, size_t count, loff_t *ppos) { - struct task_smack *tsp = current_security(); + struct task_smack *tsp = smack_cred(current_cred()); return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules, &tsp->smk_rules_lock, SMK_LONG_FMT); @@ -2681,14 +2681,14 @@ static const struct file_operations smk_syslog_ops = { static void *relabel_self_seq_start(struct seq_file *s, loff_t *pos) { - struct task_smack *tsp = current_security(); + struct task_smack *tsp = smack_cred(current_cred()); return smk_seq_start(s, pos, &tsp->smk_relabel); } static void *relabel_self_seq_next(struct seq_file *s, void *v, loff_t *pos) { - struct task_smack *tsp = current_security(); + struct task_smack *tsp = smack_cred(current_cred()); return smk_seq_next(s, v, pos, &tsp->smk_relabel); } @@ -2736,7 +2736,7 @@ static int smk_open_relabel_self(struct inode *inode, struct file *file) static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf, size_t count, loff_t *ppos) { - struct task_smack *tsp = current_security(); + struct task_smack *tsp = smack_cred(current_cred()); char *data; int rc; LIST_HEAD(list_tmp);