From patchwork Tue Nov 29 20:56:27 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stephen Smalley X-Patchwork-Id: 9453119 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id A3DCC6071C for ; Tue, 29 Nov 2016 20:54:24 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 95E632832C for ; Tue, 29 Nov 2016 20:54:24 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 8A6872835B; Tue, 29 Nov 2016 20:54:24 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 Received: from emsm-gh1-uea10.nsa.gov (smtp.nsa.gov [8.44.101.8]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id A51F52832C for ; Tue, 29 Nov 2016 20:54:23 +0000 (UTC) X-IronPort-AV: E=Sophos;i="5.31,570,1473120000"; d="scan'208";a="1408596" IronPort-PHdr: =?us-ascii?q?9a23=3AStnrmRd92BAuDkEIQ5NkIJFvlGMj4u6mDksu8pMi?= =?us-ascii?q?zoh2WeGdxcq5ZRON2/xhgRfzUJnB7Loc0qyN4vumAjNLu8jQ+Fk5M7V0Hycfjs?= =?us-ascii?q?sXmwFySOWkMmbcaMDQUiohAc5ZX0Vk9XzoeWJcGcL5ekGA6ibqtW1aFRrwLxd6?= =?us-ascii?q?KfroEYDOkcu3y/qy+5rOaAlUmTaxe71/IRG4oAnLuMQbg4RuJrgwxxbNv3BFZ/?= =?us-ascii?q?lYyWR0KFyJgh3y/N2w/Jlt8yRRv/Iu6ctNWrjkcqo7ULJVEi0oP3g668P3uxbD?= =?us-ascii?q?SxCP5mYHXWUNjhVIGQnF4wrkUZr3ryD3q/By2CiePc3xULA0RTGv5LplRRP0lC?= =?us-ascii?q?sKMSMy/2/Nisx0kalVvhSvqRJiyILQeY2ZKuZycqbbcNgHR2ROQ9xRWjRBDI2i?= =?us-ascii?q?coUBAekPM+FAr4T/ulcDoxSxChWjCuzx0T9FnWP20K8g3ug9CwzKwBIsEtQTu3?= =?us-ascii?q?rUttX1M6ISXPiowqnU0zrDd/NW1in76IPVbx4hpOuDXbZ0ccXPyUgkCgTIjk6N?= =?us-ascii?q?poz+JD6VyuQMvHSb7+pnT+6vjXUnpBtrrjigwccslJDEi4QIwV7H7SV02Js5KN?= =?us-ascii?q?K3RUJhYdOoDYFcuz+VOodoWM8uXmdlszsgxLIco560Zi0KxYwixx7YdvOIbZCF?= =?us-ascii?q?4gnmVOaNOTd4g29leK6nixay70egzur8W9Go0FlQtCpFk8TMtmsX2xzP6smIVv?= =?us-ascii?q?t9/kC71TaJyw/T8f1LLVoxlaraL54t2r8wlpwNvkTfBiL6hUr7gaCMekgk5+Sk?= =?us-ascii?q?8frrb7r4qpOGKoN4kgT+Pb4vmsy7D+Q4KA8OX22D9OSnyrLj+Uz5QLNXjvw5i6?= =?us-ascii?q?XWq5faJdkdpqGlHQBVyZ0u6wq/Dji60NQYmmMLLFReeB2dlYTpNFbOIO7gAfel?= =?us-ascii?q?n1usiCtrx+zBPrD5DJXNNGLMkLH9crZ88E5R0w8zzche555NEbEALunzVlX2tN?= =?us-ascii?q?zCAR8zKxa0zPr/CNVhyoMeXnqCAqyDP6PRtl+I+/kiI+qWa48Wvzb9NuIp5/n0?= =?us-ascii?q?jX82gVUdZ7Wm3YMLaHCkGfRrO1+Wbmf2gtcAD2gKpBEzQ/b2h12HSzJTYGyyX6?= =?us-ascii?q?0k7DEhFI2mFZvDRpyqgLGZ3Ce0AJlWZmRBCl2XFXfoapmEW/AJaC2IOMNhlSYE?= =?us-ascii?q?Vbe5QY87yR6urBP6y6ZgLufM4S0Yu4jj1N9u5+3Pjhwy7jp0D8OT0mGIVW50mH?= =?us-ascii?q?kERzko06BjuUZ90EuM0bBkg/xEEtxe//1IXR0+NZ7A0eN6EcvyVxnfftiXUlap?= =?us-ascii?q?WcimATQrQtI22d8ObF53G8++gRDbwyqqH7gVmqSXBJMp763c3mL+J8Jmxnna06?= =?us-ascii?q?khikUpTdFUNW26nKJ/8RbcB5LRmUWDi6mqbbgc3DLK9Gqby2qOvUVYUApuXqXe?= =?us-ascii?q?Rn0QfFXZrc7+5k/YSL+uE7snOBNbycGeMqtKdsHpjVJeSfj+Itvef3i+lHm+BR?= =?us-ascii?q?eH3b6DcIrqdH8H3CXBFkcEiRof/XCYOggiHi2huX7RDCRyFVLzZEPh6fd+qHKn?= =?us-ascii?q?QU8oyAGKdVdt2Ka1+h4Sg/ycROge3rYFuCcnsTp0BlG908jRC9qaqAprZL9cbs?= =?us-ascii?q?8l4FdbyWLZsBRwPpihL6B5ml4Sah93sF3q1xV2DIVAjMcroWgxzApqKKKY1lJB?= =?us-ascii?q?eC+D3ZzqPL3YNHXy9gi1a6HKwlHezMqW+qAX5fQirFXjuAWpGVQ483p71NlU3W?= =?us-ascii?q?CR5o7XDAUOSpL9SEE39wJ1p7vCeCky+5vU1WFwMamzqjLCw8gmBPYhyhq6ZdhT?= =?us-ascii?q?KriLFAj2E80GAMiuLvcnm121YhICO+Bd6LQ4P8W4ePuawKSrJvpvnCq6jWRb54?= =?us-ascii?q?BwykeM9y5lRuHW2ZYI2O+Y0RWDVzf4klihqNr7mYZaajEOBmC/0zTrBJZNZq1u?= =?us-ascii?q?eoYGEWSuLNOxxtVlnJPtWGBX9Fi4B1MAxsCpZQCeb1vn3Q1fzU4Xu2ComTOkzz?= =?us-ascii?q?xolDEktrSf3CrTzOn5ahoHPHNERGl4gVfqP4e0k8gQXFK0YAgxiBul+UH6yrBD?= =?us-ascii?q?pKtlMmnTRVxFcDT3L2F+Uqq8r7SCbNRJ6J8ytiVXSuu8a0iASrHhuxsazz/jH2?= =?us-ascii?q?xGyTAhaj6lp470nxN/iGOSNnpzqmTWed1ozxfF+NPcXeJR3iYBRCRgkTnYHEW8?= =?us-ascii?q?P9238tWMjZjDtPy+WHy7VpBIbCnr1p2PtDGg5WFwGh2/mO2zmsf7Hgck3y/70M?= =?us-ascii?q?NqVSrWoxrmZInkybi6O/p9fkZ0HF/899Z6GoZmn4s+np4Q32QahpKQ/Xccn2f8?= =?us-ascii?q?L8hU2aXkbHUXXT4L2dnV4Ar710J/MnKF3YX5Vm+SwsF5fdm1fnsW2j4h78BNEK?= =?us-ascii?q?qU47xEkjdvolu4tQLRff99kywbyfQw9H4amP0GtxA1ziqDGLwSG1dXPTD0nRSS?= =?us-ascii?q?89++tLlXZHqocbWo0Upxh9ShDLWcrQFARHb2YI0tEDR27sphLFLMy2H85Zv8eN?= =?us-ascii?q?bOd94TsAObkwvYhehPNJ0xjuYKhTZgOW/lp30p0eA6gQZr3Z6guIiHLGVs8bmj?= =?us-ascii?q?DRFEMz35fcQT+ivijaxGhMaZw5ivHol9GjUMRJboS+ioHygKtfT/LAuOHjw8qm?= =?us-ascii?q?2AGbrDEw+f6UFmoGjJE5+3NnGYPn0Zwc9lRBmHK0xVmBoUUykinp4lCgCqw9Ts?= =?us-ascii?q?cF9n6T8K+FH4rBpMyv5vNxTkU2fQuhmnZSkuRJiYNhpW4RlI513JPsyG8uJzAy?= =?us-ascii?q?ZY84W8owyWNGOUfQtIDXsTVUyaHF3jJaOh5drd8+iCHOWyNf/OYaiIqeNETfeE?= =?us-ascii?q?3I6v0oxl/zeMMcWDJH9iAOMn2kBbR3B2B9zZmykTSywQjy/NdNSUpAmm9S14sM?= =?us-ascii?q?+/6+/mWBn16ouREbRSPstg+wusjaeFKeGQmD5zKSxE2ZMU2X/I1L8f0UYJhCFv?= =?us-ascii?q?eDmtFrIAuDXQQ63OgaBXDgQUayVpOMtP9aI80RFHOdTHhdPtyr54kvk1Bk9fWl?= =?us-ascii?q?zugM6pe9IFLnq6NFPfGkmLMrGGKifKw8Hzeqy8TrJRgP9Ttx2qtjaRC1XjMSib?= =?us-ascii?q?lzn1SxCvNvlBjD2cPBxboo29aBFtCGn9Q9LgcRK7Kth3giM1wbAvmnzKMmscPi?= =?us-ascii?q?RmfENWsr2c9yVYjetjG2ZZ9HpqMfGEmzqF7+nfMpsWsvtqAiBqmO9B5XQ6zLVV?= =?us-ascii?q?7C9aS/xphCvSrtluo1S4neWVzDpoTgZOoC5RhI2XpUViJbnZ9p5YVHbF+hIN8X?= =?us-ascii?q?ufCxAUqNtgFNLvp7pQy9jUmaL0MDdN7dTU/c4GCMjVLMKIK30hMBXzFD7TFgsF?= =?us-ascii?q?QiahNXvDiExFjPGS6nqVo4A8qpfygpUOTqRWVF8yFvMBFkRqBtoCIIx0XjMli7?= =?us-ascii?q?KbitAH5WamphnLWMpapozHVu6VAfj3MjaWk6JEaAUSzrPiMYsTNpb21Fdjallg?= =?us-ascii?q?gYvKHETQXchXoiJ/bg44ukNN/2ZiTmcrwULqdhut4GMPFf6zhhM5lwx+YeIr9D?= =?us-ascii?q?jx/Vg3IlvKqTAqn0Yvg9XlhiqdcDnrLKe/RYtWETb7t1AtMpPnRAZ4dRC9klZ6?= =?us-ascii?q?NDfFWr1RlKBtenpxiA/GvptOF+VcQrNYbx8N3/GXZuko0FRGpiWh20BH+fPPCY?= =?us-ascii?q?F+mwsybZ6ss3VA1hptbN4vO6PfObFJwUJWhqKSuS+ozfs8zxUCKEYI6m+SfzQI?= =?us-ascii?q?uEMQPLk8OyWo5vBs6RCFmzZbfGgMUOAqrexs9kI8POSN1C3g07heKkyrMOyfNa?= =?us-ascii?q?yZsXDalcGUWlMwyl8Il05d8Lhtz8gjd0uUV0YyzLqeDBkGKc3CKQRJYMVI73jT?= =?us-ascii?q?YTyCsePTzpJpJ4+9DPznTfeStKYIhUKpBAUpH54M78sbGJmszEHYINzoLL4C0R?= =?us-ascii?q?Ui+B7nJFObA/RVYBiLiisIo9mjzJ9r2olQPi0dAWR4MSWw+rbXpg8rjeGeU9c3?= =?us-ascii?q?YnYVRJALOmgwWMKkhy5Tp25AAyWv0uIF1AiC6CfxpiTXDDbiYdpseu2UaAhtCN?= =?us-ascii?q?6o5zow7bK6iVnN8pXRP2v6L8htusfT6eMGoJaKE+lbTb18s0jAhYZXX3mqUm7J?= =?us-ascii?q?Ed6yIZj/cZIhYsf1CnmgVFyzkjw1T9rrMNarMKeInRniRZxIv4mDwDAjKci9Gy?= =?us-ascii?q?kFFBhuoeEO/7hzahAdY5Ulex7orB4xN7a/IQuC1dWuWWmtIyNMT/ZD1eW6e6BX?= =?us-ascii?q?zy00Y++11XsgT5U6z+2p/k4IX5wFkw/Ryu2iZ4ZEVyj/AHtdex/ApSAhjWhuKv?= =?us-ascii?q?4ywvsjwBPPqVQcKTaLdO11Z2xEuNE8AUiSL21vBGQlXVGRkY3N7xWw0LAV+itS?= =?us-ascii?q?g8xb0fZZsHTkuJ/Qfi6sUrSxqZrJqyogccQmo6ppPIP/IMuJro/RkyfDQ5nXtg?= =?us-ascii?q?2FVC+6GORAmthMPi1XXPlIlXsiOcwctopL8VAxWdsmJ7xTFKksoainaSB+Ai4I?= =?us-ascii?q?yi8WTJiN3CAYguimxbvViBOQcJUkMBwLtJVCg9QdUy5qYiMQvqCjTYDWm3WCSm?= =?us-ascii?q?cVPAcZ9R5M6x4Ylo9sYuDl55LFTZ9WxD5Nuf10VyrLFp9z+lv6VmGZm0P4R+m7?= =?us-ascii?q?nOCz2wJd0u7s2MEBWBFjEUhd2/pWlkwwJbB5MaUfoo7Ksj6NdUP7pm3ty/CrJF?= =?us-ascii?q?hPxsLKaVL0Fo3FtXDzUicE430bWZdPyG3DFZQViwd2crwrpEhKIIy8eUbz/D0k?= =?us-ascii?q?x4VoH7mkTs+n3VAlomgaRy2yCdpOF/lmsE7LWD1ie52rp4/lNI9UQm9M45Cdql?= =?us-ascii?q?BZkUtrMy6lyZpTNcBN4jgQXDdRuzWRpt2yR9Nf2cVuFZ8DPs9/u2vhGKNDIJWR?= =?us-ascii?q?v3o2urn0x3/F5zw8tUy1yC+1G6CmU+JT53ceFRkxJ2SCtkkvCPMh8mfI/VDXqF?= =?us-ascii?q?90+/pUC6OSgkpvuDZ9Bo5BBjJX2nC/NVhzS2NGs+pCIqTPb8NcW+UyZQOoOxEm?= =?us-ascii?q?F/4m2FKG8FppknjneCx9qBFa+zzDUAYpTyUVhKnimSEGoMG9JTAaU45IbSkmby?= =?us-ascii?q?rdMA2blzxYsApdZk13VZ0UGcpK+7Ye3YRI5MXCUlqsJTsDXBN8KgIyyeBfmlJb?= =?us-ascii?q?sEWEZSDdChKldezRvRJqfceettKpIe/9/AdAlIPorv40+LkER3K7hwKhW9beoJ?= =?us-ascii?q?HgtteSrEuBaL/4M/GgYX/GVDXMlQuwhas+AJbX4yjeKxFbK55nyXo+fZfuF2jL?= =?us-ascii?q?PQhcJ60BI0pXT6d6ac9JoupCfc9rZL4J+bNxBhKAXh7vBJavo+dYIVnOXjneMi?= =?us-ascii?q?GB8vCloY3J87zdSO/gZsiSyHbbWa53OY166TbjEbfwzYBe4lb22utq9k5iVFfG?= =?us-ascii?q?NTqOoc/8KQMN/saubEzivocmHTnOGpd/jGLtxl1cd8oQWyCq8o4XyIle6HbrTe?= =?us-ascii?q?J3yFbzvfZX97l57Yk3/7Fpxtu1JajIL/RaqlVrAh+OBgVl7p8tGnRwR3hNYu8N?= =?us-ascii?q?L/fcZaYZgtroq+D5DawX7wCa9PJCZNvbPU7BnNK/CjaGRRxCgggBtSYQLhGA2P?= =?us-ascii?q?6dh690VcGlqPD/2kIp+FW+LxgGzLV36YeF/KqIqvXXYAHKzbgYQKjqW9/8rqgx?= =?us-ascii?q?u0OI+/IojrkOenZ6Ywe/CugSStYdxnv8zaAt1S8sFcLDEK7n+P5HTX05hSjsm5?= =?us-ascii?q?F6H1URAfMUBqGG/YFRk2Y3geDZMccWcq9akGaVCRGkCqMCyWKs6yaPPGZqmBXO?= =?us-ascii?q?3A/rQWOv7F72qjR1QTDQwNfijEVVUKW3BUZIUCazP093ri+PNhLytNXroaQ18F?= =?us-ascii?q?02Mmv8udKJj2uhPbNaEtbxJNOCPCY0o0gXg4cpRty13oAbG8SyL8sN8H1kafve?= =?us-ascii?q?8WyrmTdbo6hbn4re/t2V+vLPEHmli62VtbCNxDdGxXg8plw/5c6vNvbV592SWf?= =?us-ascii?q?uoy2cRQD17uwvAWR61tqLUr1QQOUyK30fEhooKMc1H0nUi0EHp+vQjSsop9ApC?= =?us-ascii?q?DobAe+8CpTfrNTv2wFafZsk6ViyA3DpXAF31C1h4GK4z2G7qusLGi2vQ8UUyRo?= =?us-ascii?q?Zsb0znmQB3D4IgJEIs6VkY2DAMHhQWZBCAEr6oGVrqIpceWUgEcxSH06Cwer0r?= =?us-ascii?q?0k1r3rOv+OjTYPRnCKoMLfZcgBSBnFpaGpIKqa0RWq98e1tG+aHLoQjtFpboUO?= =?us-ascii?q?L7lXoqMv21WNpV/doet3s47Qa1XwCg5otb77YHlJCIcbZJYYDWs8Bg80hn5TAO?= =?us-ascii?q?ditXgBh8lh+5Sv4TpOTi4tjdrZqp5f2jVL43SOUL6xc0B2p/j5zqgFAgu93X1P?= =?us-ascii?q?lTSpfTiYvh9ABBOXmKuJzV0xNkM+oBN5qrfKp893UAPyUeO2gOMsSSa/Ym5S9i?= =?us-ascii?q?Li7e6EFDAsMDZNMYINDCmRtOhU3zRbFf7MzbFUGEC41rbcAn83L3yCwp8Zs7Su?= =?us-ascii?q?vg5yW5JYrB4FFRP/NOlyFslNPepOcLwfrdEjUX4WKDZxhz3CyC14GHC+zs8uWU?= =?us-ascii?q?1NHUS1QGEzY5U4hDIjqC5QunRu2ymJXyTAyU7s7zgJQjdEOfXXGxmLoKsrxMEO?= =?us-ascii?q?FakCn72CZRFpztjfKPr9Ws8HdXtkFAEItr6B3FH6NfPol0ORvmjcSrQ0l8CTH5?= =?us-ascii?q?eM7Kahovtu2Wxv0P4+VlLUf+Y5EUIg4cwbLg9XVVVhduSKLxvluBUuIeeMBmSO?= =?us-ascii?q?jdon5I5oxuLa4PPF6ApJ3ltTpIp1U2DxUvaLAutDBacVPOnAJNUabupLEAkhcc?= =?us-ascii?q?UcJ+uUJUG2KwP2I+5zzdWatJjKmRDOEV/SiST6wPVUVoKSB+QxKu1ZVwerupg+?= =?us-ascii?q?pIsmdbkSN8uvQq1SJpRAeksy32u60NwS4g+K2/tDgZuHxFUP+RkyHTBFVH0fQF?= =?us-ascii?q?kKYcC3H56VCmZ3kDdoTy6qF9Jcv87Ykh/2g/YRI7ci0EQ+ugBS/wj6eTD42Bqt?= =?us-ascii?q?1cggCCuNnUYb+1MycSKqw3yQj/SHhlzgjegBFo/XMEQjWk698lKpuyOcIhxiez?= =?us-ascii?q?Amjbc1AM4qJVv8frs14EUvc2Y0t7wGp/ysiHWjENRMvXFmY3jgglaX1EcJVH6R?= =?us-ascii?q?8bC6knnC2FvqxH/gEIejfbDJ6p+o7KncfHwXM9V8tlxnrKpq2ZgZMnyGFlm9Jx?= =?us-ascii?q?7iOVpHQSdvDXU8xyDXj3zItfz/LxZ+m1uOAdVIRm0KihUOMFMsS7/Gu22ZZqWk?= =?us-ascii?q?yixrkFHVq2KuwDxrDdUyi7T22UQ+KLfHaQnzwhKE79+QGoLkEraMdNt0IyKfXN?= =?us-ascii?q?hphAlwD6SrN0QiKQpUPHzGw9L+wVahg6uIC9ewwFVOQRffSTJfAywP0iD1sBd2?= =?us-ascii?q?fJHSxyC+Csq16sko97O3Fu4UjhZOTt9QfmMMCMFRYYC47aqYVx+ee7RmKHNn9s?= =?us-ascii?q?1hpyPFN79+3HDVQ+qvdcc4qNndjXn9l73/AKd/NsMS0lpNEegYNi6YiR0MePbx?= =?us-ascii?q?7R1JLyKs/PrvifGf3fwFwgentGXboBfQP1+4I6M8Y5W73PHbtZuhEcCrIhQJE6?= =?us-ascii?q?Mmfx9b10LBltfQLLY7S0mMbqrPqRZpRIv3/W8k4wLCDEthwN0vy0Vw17YIy0iH?= =?us-ascii?q?jpJZAwRy5Br8dzBRd8G4tPAcwApRK9A5GIgKG7l8Ox+0Ritu8Ntar/FOvH1My9?= =?us-ascii?q?34prRJha+U2LMyrNBKlxnEtqkP6+gvHe3ZntEcniY88LVPBnQm7Zbb/LBoG/Kj?= =?us-ascii?q?OIOsLhdE9K6rqc0LNiUhWNfyD0RKuGuzeiNPVj+0k7zZZ4fOXLxjw3877bwMfy?= =?us-ascii?q?Z31cpiq7tn6GKp9f7F3MBezDUBNYTvWL8HplHaIJd4v76v8OPsY5zdif/QZz9j?= =?us-ascii?q?JC39WBI6e6s0/M1Vh3dZXBLEvmwyw5Q5UFIAyjMUswhm/UsnDdAXVHLsi4MsRs?= =?us-ascii?q?gc+VDhr36EVrn2EieHJBEHLyRdiNIWgbx96+ZAqS+QJOFdkMg+63eU8+tq21Uu?= =?us-ascii?q?RoJJRFmeO0u7UDkNZpLTzPRcdAMyHXNr92MSJbDv/Tq1gwfh4Er781V583ZZeU?= =?us-ascii?q?I0MHN1yPxDjvzQvEzU30d9us1LuGICYW7nVL1bTF3iZQpwOho/aWntXjUKzFbJ?= =?us-ascii?q?HxRPPdKzEqWjaeRTQzCkap5Uykt+AfvPWGPWgTuEsUbTyWCA4SoKBvsNfRA3TP?= =?us-ascii?q?luxjZp0KmeuaVzr+SSJiiKoyHSFLtUaWT/oEDwnWYGfrgHBAtwy6Ov9M4XXlYq?= =?us-ascii?q?WXxqVPQOMWGIpMfeOdQ9bDZ/BeIy0nli4YOOahZdHcqag20k7QR2sDD6bI7EGe?= =?us-ascii?q?TFKRQvGExTLrWIIVv5Iuuiop4dLdhSl3HL7NP7mBpj6i6Im4jDyXuefGTGkif1?= =?us-ascii?q?Q1gP4eAGmG2BRPNmMEC9YVuEHrWa6AYEBM2WkmieJ0xh8MZhp8Umd03n1Qgvm9?= =?us-ascii?q?BtVTSUQIg2O2XP0GcFd3ASsr/U+E5w39fd0NtMPISm9A6LQMU4sdLfgv6InRIq?= =?us-ascii?q?cQxugm3C5+qiwgryqdF09djh6C86fIHqJ8wbtC5W0j8vFzQE6AXj3fcm/dyoW6?= =?us-ascii?q?Fc1D3yFurm7415mcguc4L7ZepodkEH8WECl2IZbb5jkHXmbqiyWouBPuJyiTOD?= =?us-ascii?q?IU5n4wICUBcutkh7tgvA3gasfK6UTWsbko7kSsF1DYWfKPxJVXB5Sxhk2DYi5R?= =?us-ascii?q?fGDuTch7?= X-IPAS-Result: =?us-ascii?q?A2HiAwAT6j1Y/wHyM5BTChoBAQEBAgEBAQEIAQEBARUBAQE?= =?us-ascii?q?BAgEBAQEIAQEBAYMNAQEBAQEfgUsQu1klh3VTAQEBAQEBAQECAQJfKIIzGoIjA?= =?us-ascii?q?iQTFCALAwMJAhcpCAgDAS0VHwsFGASITK5VPSoCizcBJI80BgsBgmgLgwoFiFC?= =?us-ascii?q?GInxFiiKRCAKKHIYSApF9VWEXAhEMIoM3HBiBY1SGIYIuAQEB?= Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1]) by emsm-gh1-uea10.nsa.gov with ESMTP; 29 Nov 2016 20:54:21 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id uATKrR6R017916; Tue, 29 Nov 2016 15:53:37 -0500 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id uATKrP5p098528 for ; Tue, 29 Nov 2016 15:53:25 -0500 Received: from moss-pluto.infosec.tycho.ncsc.mil (moss-pluto [192.168.25.131]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id uATKrPWi017910; Tue, 29 Nov 2016 15:53:25 -0500 From: Stephen Smalley To: selinux@tycho.nsa.gov Subject: [PATCH] libsepol, libselinux, audit2allow: teach audit2why about type bounds failures Date: Tue, 29 Nov 2016 15:56:27 -0500 Message-Id: <1480452987-10340-1-git-send-email-sds@tycho.nsa.gov> X-Mailer: git-send-email 2.7.4 X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: Cc: Stephen Smalley MIME-Version: 1.0 Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP Teach audit2why to recognize type bounds failures. This required updating libsepol sepol_compute_av_reason() to identify bounds failures, and updating libsepol context_struct_compute_av() to include the type bounds logic from the kernel. This could potentially be further augmented to provide more detailed reporting via the reason buffer to include information similar to what security_dump_masked_av() reports in the kernel. However, it is unclear if this is needed. It is already possible to get type bounds checking at policy build time by enabling expand-check=1 in /etc/selinux/semanage.conf (or by default when compiling monolithic policy). Before: type=AVC msg=audit(1480451925.038:3225): avc: denied { getattr } for pid=7118 comm="chmod" path="/home/sds/selinux-testsuite/tests/bounds/bounds_file_blue" dev="dm-2" ino=23337697 scontext=unconfined_u:unconfined_r:test_bounds_child_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_bounds_file_blue_t:s0 tclass=file permissive=0 Was caused by: Unknown - would be allowed by active policy Possible mismatch between this policy and the one under which the audit message was generated. Possible mismatch between current in-memory boolean settings vs. permanent ones. After: type=AVC msg=audit(1480451925.038:3225): avc: denied { getattr } for pid=7118 comm="chmod" path="/home/sds/selinux-testsuite/tests/bounds/bounds_file_blue" dev="dm-2" ino=23337697 scontext=unconfined_u:unconfined_r:test_bounds_child_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_bounds_file_blue_t:s0 tclass=file permissive=0 Was caused by: Typebounds violation. Add an allow rule for the parent type. Signed-off-by: Stephen Smalley --- libselinux/src/audit2why.c | 5 ++ libsepol/include/sepol/policydb/services.h | 7 +-- libsepol/src/services.c | 77 ++++++++++++++++++++++++++++-- python/audit2allow/audit2allow | 5 ++ 4 files changed, 86 insertions(+), 8 deletions(-) diff --git a/libselinux/src/audit2why.c b/libselinux/src/audit2why.c index 3d312a1..3135eed 100644 --- a/libselinux/src/audit2why.c +++ b/libselinux/src/audit2why.c @@ -28,6 +28,7 @@ #define BOOLEAN 3 #define CONSTRAINT 4 #define RBAC 5 +#define BOUNDS 6 struct boolean_t { char *name; @@ -425,6 +426,9 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args if (reason & SEPOL_COMPUTEAV_RBAC) RETURN(RBAC) + if (reason & SEPOL_COMPUTEAV_BOUNDS) + RETURN(BOUNDS) + RETURN(BADCOMPUTE) } @@ -481,6 +485,7 @@ PyMODINIT_FUNC initaudit2why(void) PyModule_AddIntConstant(m,"BOOLEAN", BOOLEAN); PyModule_AddIntConstant(m,"CONSTRAINT", CONSTRAINT); PyModule_AddIntConstant(m,"RBAC", RBAC); + PyModule_AddIntConstant(m,"BOUNDS", BOUNDS); #if PY_MAJOR_VERSION >= 3 return m; diff --git a/libsepol/include/sepol/policydb/services.h b/libsepol/include/sepol/policydb/services.h index 29f57cf..9162149 100644 --- a/libsepol/include/sepol/policydb/services.h +++ b/libsepol/include/sepol/policydb/services.h @@ -52,9 +52,10 @@ extern int sepol_compute_av(sepol_security_id_t ssid, /* IN */ /* Same as above, but also return the reason(s) for any denials of the requested permissions. */ -#define SEPOL_COMPUTEAV_TE 1 -#define SEPOL_COMPUTEAV_CONS 2 -#define SEPOL_COMPUTEAV_RBAC 4 +#define SEPOL_COMPUTEAV_TE 0x1U +#define SEPOL_COMPUTEAV_CONS 0x2U +#define SEPOL_COMPUTEAV_RBAC 0x4U +#define SEPOL_COMPUTEAV_BOUNDS 0x8U extern int sepol_compute_av_reason(sepol_security_id_t ssid, sepol_security_id_t tsid, sepol_security_class_t tclass, diff --git a/libsepol/src/services.c b/libsepol/src/services.c index 068759d..03fb120 100644 --- a/libsepol/src/services.c +++ b/libsepol/src/services.c @@ -824,6 +824,67 @@ out: return rc; } +/* Forward declaration */ +static int context_struct_compute_av(context_struct_t * scontext, + context_struct_t * tcontext, + sepol_security_class_t tclass, + sepol_access_vector_t requested, + struct sepol_av_decision *avd, + unsigned int *reason, + char **r_buf, + unsigned int flags); + +static void type_attribute_bounds_av(context_struct_t *scontext, + context_struct_t *tcontext, + sepol_security_class_t tclass, + sepol_access_vector_t requested, + struct sepol_av_decision *avd, + unsigned int *reason) +{ + context_struct_t lo_scontext; + context_struct_t lo_tcontext, *tcontextp = tcontext; + struct sepol_av_decision lo_avd; + type_datum_t *source; + type_datum_t *target; + sepol_access_vector_t masked = 0; + + source = policydb->type_val_to_struct[scontext->type - 1]; + if (!source->bounds) + return; + + target = policydb->type_val_to_struct[tcontext->type - 1]; + + memset(&lo_avd, 0, sizeof(lo_avd)); + + memcpy(&lo_scontext, scontext, sizeof(lo_scontext)); + lo_scontext.type = source->bounds; + + if (target->bounds) { + memcpy(&lo_tcontext, tcontext, sizeof(lo_tcontext)); + lo_tcontext.type = target->bounds; + tcontextp = &lo_tcontext; + } + + context_struct_compute_av(&lo_scontext, + tcontextp, + tclass, + requested, + &lo_avd, + NULL, /* reason intentionally omitted */ + NULL, + 0); + + masked = ~lo_avd.allowed & avd->allowed; + + if (!masked) + return; /* no masked permission */ + + /* mask violated permissions */ + avd->allowed &= ~masked; + + *reason |= SEPOL_COMPUTEAV_BOUNDS; +} + /* * Compute access vectors based on a context structure pair for * the permissions in a particular class. @@ -835,7 +896,7 @@ static int context_struct_compute_av(context_struct_t * scontext, struct sepol_av_decision *avd, unsigned int *reason, char **r_buf, - unsigned int flags) + unsigned int flags) { constraint_node_t *constraint; struct role_allow *ra; @@ -860,7 +921,8 @@ static int context_struct_compute_av(context_struct_t * scontext, avd->auditallow = 0; avd->auditdeny = 0xffffffff; avd->seqno = latest_granting; - *reason = 0; + if (reason) + *reason = 0; /* * If a specific type enforcement rule was defined for @@ -899,7 +961,8 @@ static int context_struct_compute_av(context_struct_t * scontext, } if (requested & ~avd->allowed) { - *reason |= SEPOL_COMPUTEAV_TE; + if (reason) + *reason |= SEPOL_COMPUTEAV_TE; requested &= avd->allowed; } @@ -919,7 +982,8 @@ static int context_struct_compute_av(context_struct_t * scontext, } if (requested & ~avd->allowed) { - *reason |= SEPOL_COMPUTEAV_CONS; + if (reason) + *reason |= SEPOL_COMPUTEAV_CONS; requested &= avd->allowed; } @@ -942,10 +1006,13 @@ static int context_struct_compute_av(context_struct_t * scontext, } if (requested & ~avd->allowed) { - *reason |= SEPOL_COMPUTEAV_RBAC; + if (reason) + *reason |= SEPOL_COMPUTEAV_RBAC; requested &= avd->allowed; } + type_attribute_bounds_av(scontext, tcontext, tclass, requested, avd, + reason); return 0; } diff --git a/python/audit2allow/audit2allow b/python/audit2allow/audit2allow index 4b50c5b..37ab23a 100644 --- a/python/audit2allow/audit2allow +++ b/python/audit2allow/audit2allow @@ -285,6 +285,11 @@ class AuditToPolicy: print("\t\tAdd an allow rule for the role pair.\n") continue + if rc == audit2why.BOUNDS: + print("\t\tTypebounds violation.\n") + print("\t\tAdd an allow rule for the parent type.\n") + continue + audit2why.finish() return