From patchwork Thu Dec 8 14:14:47 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stephen Smalley X-Patchwork-Id: 9466451 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 7C1746071E for ; Thu, 8 Dec 2016 14:12:43 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5F2C72858B for ; Thu, 8 Dec 2016 14:12:43 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 53E702858D; Thu, 8 Dec 2016 14:12:43 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from emsm-gh1-uea11.nsa.gov (emsm-gh1-uea11.nsa.gov [8.44.101.9]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 852672858B for ; Thu, 8 Dec 2016 14:12:41 +0000 (UTC) X-IronPort-AV: E=Sophos;i="5.33,319,1477958400"; d="scan'208";a="1398976" IronPort-PHdr: =?us-ascii?q?9a23=3AZ4PZzxNXrqD1jwh/dEol6mtUPXoX/o7sNwtQ0KIM?= =?us-ascii?q?zox0LP/4pcbcNUDSrc9gkEXOFd2CrakV0KyL7+u6ByQp2tWoiDg6aptCVhsI24?= =?us-ascii?q?09vjcLJ4q7M3D9N+PgdCcgHc5PBxdP9nC/NlVJSo6lPwWB6nK94iQPFRrhKAF7?= =?us-ascii?q?Ovr6GpLIj8Swyuu+54Dfbx9GiTe5b75+NhW7oAreusUIgIZpN7o8xAbOrnZUYe?= =?us-ascii?q?pd2HlmJUiUnxby58ew+IBs/iFNsP8/9MBOTLv3cb0gQbNXEDopPWY15Nb2tRbY?= =?us-ascii?q?VguA+mEcUmQNnRVWBQXO8Qz3UY3wsiv+sep9xTWaMMjrRr06RTiu86FmQwLmhy?= =?us-ascii?q?cdMz4y7X/ZhMp+gqlGpB6tvgJzz5LRbIyTKfFwfL7SfckCSGRBQMhfSiJPDIC7?= =?us-ascii?q?YYsXDecNIOhVoIbhqFUBsxS+HhKhBP/txzJSmnP7x7E23/onHArb3AIgBdUOsH?= =?us-ascii?q?HModvoKKcdT/i1zKnWwjXFcvhYxDL955LMchAlv/6NXa97fM3KyUYyDAPIlUmQ?= =?us-ascii?q?qIz5MDOV0eQBqW6b7/F6Wu61hG4nrB9xryGpy8wxiYfJnpoYxk3L+Ch22oo4Jc?= =?us-ascii?q?C0RFRlbdOrDpdcrTyWOo1rSc04WW5oojw1yrgetJ6+eygF1YooygbEa/yCb4iI?= =?us-ascii?q?+hXjVPuNITtghHJqZra/hxGq/Ei80OL8TMi00EtRriZfjtnNtmwC1xzU6sSdTP?= =?us-ascii?q?ty4lyh1iqV2wDW6+FEJVg4lavdK5E/3r49jocfvEvMEyPsmEj6kbWaelsr9+S2?= =?us-ascii?q?8ejrf63qppqGOI91jgH+PL4umsu6AekgKQgBQWyb+eW61L3+8kz1Wa5Fjvorkq?= =?us-ascii?q?nfrJ/VO98bq7WlAw5Vzokj6xG/Ay2g0NQDh3YLNl1FeBWZj4TxIVHBPOj4Deuj?= =?us-ascii?q?g1SriDpk2ejGMaf7ApXMNXjOi6/hcqxn605d0woz1dRf6IhIBb4fOv7zXVXxtN?= =?us-ascii?q?PABB8jLwO02/rnCMl61o4GV2KPGLWWMKXOvl+J/eIiOOyMZJcUuDrkMPgk6eXu?= =?us-ascii?q?gWU+mV8HcqmjxYEXZ2ygHvR6P0WZZmLhgtQbHmcJuQo+UffniF6YXj5QYHayQr?= =?us-ascii?q?gw5jYhCIKpFY3DXJyigKSd3CenGZ1bfnpJBU2WEXfpaYqEQewBZziOLc9kiDAE?= =?us-ascii?q?UqKhS4A53xG0qAD606ZnLvbT+iAAtZLsytx15+nUlRwp8Tx0Etid02aIT25uhG?= =?us-ascii?q?8IQCU23K9nq0xn1liDybR4g+BfFdFL/PNJXB06NZnHz+xmEN3yQQTBftCHSVaj?= =?us-ascii?q?WNqmBys9TtQvzN8Se0x9Acmtjgjf3yq2BL8Yj7KKC4Yw8qLAwXfxPd19xm3Y1K?= =?us-ascii?q?Y/lVkpWdZPNWi8iq547QjTCJbDk1+FmKayaaQcwCnN+X+fzWWToU5YURR/UaHe?= =?us-ascii?q?UH8DYUvWqMj26VnZT7+yE7gnNBVOydKaIKtQdtLplUlGROvkONnGZWKxmmOwBR?= =?us-ascii?q?KWybOXd4flYXsS3D/aCEQelAAT53mGPxAkBii9u2LeECBuFVX3bkzx6+Z+tGm0?= =?us-ascii?q?QVE6zwCFdEBuy7q19QQPhfyAVfwTxKgIuCE/pDVoBFy9xc7ZC8Kcpwp9e6VRec?= =?us-ascii?q?094FZb2mLFsAx9JIasILxihl4ZdQR3sFjj1xF2CoVGi8cqtnQqwBB1KaKC31NL?= =?us-ascii?q?bymY0ozoOr3LNmny+wiia6rX2lHFzNaa47wP5+o8q1XiugGpC0Uj/m5809lN0n?= =?us-ascii?q?uc4JTKAxYJUZ7rVEY46QR6ranAYiYh/4PUyWFsMa6svz/Y3NIpAO8lxQi6f9hD?= =?us-ascii?q?N6OFGhT/E9YHB8eyM+wmgV+pbggLPOpK7q47I9umd+ea2K6sJOtghCipjXlD4I?= =?us-ascii?q?xnyE2A7TFzSunM35YZxPGY2BCKVzLggFentcD4hZpIZTcMEWqj0SLkHpJeZrVu?= =?us-ascii?q?fYYXDmejO8i3xtFni5HzXX5V70CjCE0C2M+tZxWSdUbx3QtO2kQLuXangze3zy?= =?us-ascii?q?RokzE1qaqSxC/OzPrkdBocIWNLR3dtjVH3IYiykd8aQFKkbw8zlBuq/Uz63bRU?= =?us-ascii?q?pLxjL2nPRkdFZzb2L2d/XaarqLqCZdNA6JMyvSVRTuu8fUiQSqThrBsCzyPjA2?= =?us-ascii?q?xeySgjdz6wp5X5mwd3h36cLHZvrHvVYM9wyg3Z5NDGQv5RxDUGTjFiiTbLHli8?= =?us-ascii?q?I8Wp/dKMmpfZr++xSnmsVpJWcSjk14+AsjW05XFyCx2lg/+zgsHnERQ90SLjz9?= =?us-ascii?q?llTzjIrBLibYnzzau6N/5ncVdyBFLn9sp6AZ9xkpErhJ0KwngagYiV/WAbnmjt?= =?us-ascii?q?P9Vb3rj+bHUTSjIRxd7a/hTl0lV5Ln2V34L5Smmdwsx5atm0eGwW3D4978dPCK?= =?us-ascii?q?qP4rxLgzZ6ol2irQ3Lefh9hDAdyfkw53EGn+EFog0tzj+SAroKB0lXITTslwiU?= =?us-ascii?q?79C5tKhXa2avfqSq1Et+hdChELaCrxpaWHnnZpciBjN/4d9nMF3SynHz7J/reM?= =?us-ascii?q?XIZ9IJqhKUiwvAj/RSKJ8pk/oFny5nOWbjsn051+40lwZh0Iq8vIeZN2Vt5762?= =?us-ascii?q?DQRANjLrfc8T/C/ijbpGlMaMw4+vBolhGikMXJbwV/KkCjwTue7iNwmUFD08rX?= =?us-ascii?q?eaFKHFEgCD7UdqtXXPE4qkN3uPPnkW0c1iRAWBJExYmA0UWi86kYQhFgCy38Hh?= =?us-ascii?q?fkZ55ioK5l7kpBtMy+RoOAP5UmjDpQencDM0RIKYLBpM4QFI/13VPtCG7uJvAy?= =?us-ascii?q?FY+YWsrBSTJWOAeQtIC2AJWlCDB134P7mh+8fP/PaCCuq5NfvObq2EqfZCWPeQ?= =?us-ascii?q?2ZKvzoxm8i6ROcWUIHZtFfI72lBZUnBnAMnZgC8ASy8KlyLXdcGXvhO8+jBxrs?= =?us-ascii?q?+l6vTnQR7v5YyMC7pSNtVj4Ra2jrmfN+SIniZ2NS5Y1o8QxX/P0LUfx0Qdiz90?= =?us-ascii?q?eDmiD7sArjXATLnKla9JFREbZD18NNBS46I6wAZNJdbRisnp2b5gkv41F1BFWE?= =?us-ascii?q?T6lcGoaswKJGe9OUjaC0mVL7uGJCfEw8ftbaO7U71Qg/1etwestjaDD0/jIjOD?= =?us-ascii?q?miHzWBCgK+5Mkj+UMQdZuIGlbBltD23jQ8jnah2/K9B3ijI3zaczhnPQOm4WKS?= =?us-ascii?q?J8fF9Vrr2M8SNYhe1yG3BG7npgN+WEgSGZ7ujGJZYQqvRrGCN0mPxZ4Hkh17RV?= =?us-ascii?q?6yRES+BvlyvJst5iuVemnfeTyjB/ShpBti5LhJ6XvUVlIajZ9ZlBWXLa8x8W6G?= =?us-ascii?q?WQDBoKp9V7Bd3zp6BQyt/PlKftJztY9dLb49ccDdDOKM2bKHohLQbpGDnMAQsE?= =?us-ascii?q?Sz6rKX/Qh0hDn/GX6HKVsoI6q5j3lZoJUr9USlo1FvYABURkGNwNO5B3Xzw+nb?= =?us-ascii?q?6cls4I6mK0rAPNS8VCopDHSvWSDO3pKDmHl7ZEYwAFwbD/LYQIKo30wUpiakJ5?= =?us-ascii?q?nITLAUbQW85CojF5ZA8uvEpN6GR+TnE020/9cAOi/mQTGuCukR4slgR+Yf8g+y?= =?us-ascii?q?zt41ctO1XKoyUwkFErmdr7gTGdajjxI7msXYtOESr7q1AxMo/nQwZydQC9gEtk?= =?us-ascii?q?NDHCR71MkbRgcWFrhRTGtpRRA/5cSrdIYBgKxfGYf/8oy0hTqj27xU9b4uvIEY?= =?us-ascii?q?ZtmxE0cZ6tsn1AwBluY8QvJazKI6pIwENQibySsS+1zOAxwRMeJkYX/GOUZiEI?= =?us-ascii?q?pFQCNqM6KCqw4uxs9QuCliNNeGgWSfUlv+lq+Vk7O+ScyCLgyKVOJVqtOOyaNa?= =?us-ascii?q?+ZvHLAlcGQSFMqykwIj1VF/aRx0co7d0qUUFovw6WXFxUIMsrPMg5Vb8xP9HTJ?= =?us-ascii?q?eiaOq+rNy4pvP4qhDuDoUfOOtKEMj0K/AgkpG4UM7sIcHpijy0zXMcDnLLsZxh?= =?us-ascii?q?o3/wTrOE+JDPJXdxKXiD0Hud2wzIdr3YlBITEQGWZ9MT+357nNoA8qnPqDUcw5?= =?us-ascii?q?YncdRosLKmg6WMuklC5Fp35AFiW40voFyAie6D/xvjjQDDj5b9pkePeUZRNtBc?= =?us-ascii?q?qr9jU+86m5k0XY/o/YJ27kKdRoosXP5v8Cp5abF/NUSqFwvF3Ym4lZW3OlTXbA?= =?us-ascii?q?Edu1Jpj2bIksa8b7B22hXVy+kT01Sd79PNiwLqSShwHnW5pUupGB3D8/Lc+9Ci?= =?us-ascii?q?0eGxBoqu4Y+q18YxYObIAmbh72qQs+Lbe/Lx2C0tSuWWqtLiFWT/ZHx+Wge7NX?= =?us-ascii?q?1zYsbvO9yHY4QZE60ui38UoJRJ4UixHT3uusaJdFXijyAHNdfR/DpS0jl2huLu?= =?us-ascii?q?wy2PswwAvUsVkANDCGbPZpaGpFv94gBVOSJnF2CnEgSVGFkITN+BKh0bcJ8iRB?= =?us-ascii?q?mNZU1PFKv2Llvp/Dej6sXrKkqYnNuSo6cdcmu7FxMZDkIsaeqJzenCbQQ4XLvw?= =?us-ascii?q?KZVy66E/5amtlOLyJCXPlHh30qOcwctYpG80oxWd80J6ZTB6k0urCqdT1kADYI?= =?us-ascii?q?zSADTYOA2ycNj/yg27vAjBiQbootMBgFsJVEjdsdVy92YiwepK+/WYXZjXWESm?= =?us-ascii?q?0RLAcV8wtM+BoKlpVsceD9/IrIUJhMxiZWov1uSSvEDJxo91r9SmyNgFj4VO+u?= =?us-ascii?q?k/e10g1I1v7s1McUWAJnA0hH2+lWjlcoKK1wK6QIsI/GqCOHdUP7vGLoyeupPl?= =?us-ascii?q?pRxNbVd1LmEoXKq3DwUioG+X0bXYVP0m3QFYwOkwplb6YmvE9DIJq7ekb4/TAk?= =?us-ascii?q?xJ9kH7i5VcCq21YqtmwKRyG0HNpdE+tmqk7YWCV5Y5C3r5XoI5pSQnVK952bt1?= =?us-ascii?q?dUi0RtMym3yJpaN8FN4iADXDlJoTWBotSyUtdP2cloAJ8QOt1/oWvyGLtYOJiN?= =?us-ascii?q?pH07oqDvynjc+z0nrFe22DCzFLSiQ+Jf4WIeBh0jJ36CpUk3E+ss7mDS/0jNsl?= =?us-ascii?q?9u5edUHLyPglhqrTlgAJ9OHi5J2m6hL1ttVnlKqeJaKL7ac8ZEWfk9eQevOwAi?= =?us-ascii?q?Ff4hx0GJ/0Z0kmnibiNvqARa4D7SXxMoVSYLn7jhgzsepd+7OTUCUZJHcS0hbz?= =?us-ascii?q?vZKwKcgS1YpxhfZF12V50bH9pI9aoW0pdT/srHVUmjMzoFXAB4OgI+z/VfiVZJ?= =?us-ascii?q?sF+EdiDFEQqoafHPvwVtfciPscGpLO72/Btch4Pjt+A46bsMS2O6lg2qXN/RsZ?= =?us-ascii?q?XwttuUuUuSbK34KfGzYWfdTDjQihC9na8kD4LW/yfJLQVbN4J3yWEjYZj8E27E?= =?us-ascii?q?IQpJJ6QHJ0pBT696bc9KoudAZ89rYKwJ47NiBgqbRhPzH4yitOVGLkzNSjvAMi?= =?us-ascii?q?qM6fG/oYbP7bzHU+fgeM2Mx3HDQ61pIpd28z77G63l0YVG4Er5xu9t9l9mSVjB?= =?us-ascii?q?Ky2OsdLhKRkQ6ca/cEvtpIclHTTMAJd/iHDt3F1Pd9ILQy2295QV0JFZ52zqSe?= =?us-ascii?q?J/yUjztPdd96d/5Iky/rBpzdu0JabOJvRbq0BnBAOUCh9t9pU3D2h1X3pRbfMJ?= =?us-ascii?q?KPfNYaQZitjjq+LtGKwR5h2V4etZZsbZKEzahsmwEDecSQdDnAsbrz4VMBec3e?= =?us-ascii?q?afm6BoUcalufT52kU17li4Kh4L17Ft5YGB+qaSpe/XaRXRzaIeVajxWsPztKks?= =?us-ascii?q?tF+O5f05jr4BZHZ5Ywq9EOgSTsQd3Hvvzbg2zSIwFMPOB7Tg+P9fWHI+mjLvgY?= =?us-ascii?q?t9E08XGvMTGrqL5p9ek3w9m+HWOdwaaKdCmnyAFRS8CL8N1War6zeLIGlimhzB?= =?us-ascii?q?zwv/QWet41/tsS95QSzMwsz4kkVJV7m4G0FSXzaoOUBiqj+POhTntMbvs6Qv8E?= =?us-ascii?q?42KnDktM6KlGa5PLNXBMj/KdyHLCk6ul0YkZoxRsa11oADA9q9J9UR/29iYfvC?= =?us-ascii?q?8W+rlDVBo6hfjYrE/s6V4unXHWWnj6CCrrWNwC5Xyn0/vV4h7tCtLf7O6MONQ/?= =?us-ascii?q?Szz2YeVTt/uwrbUB6xq7zbqUwUNlKP0EfPmYwKMc9W3X8k2U74/uQjRsw89BlG?= =?us-ascii?q?HIbae/wCvSzzOCfzwVuHYdI3Vyye3iBSHl3rEVh3BrI82GP2vMLGj3vQ/UMnRp?= =?us-ascii?q?VofUz9mRN3F5k4KV4q6FUPwyoCEBICZgqHA7yzHkTqM5cEWlYfZhid27i6YKg3?= =?us-ascii?q?11Vpwryz/O/TcfB8B60VO/lGjw6Oh1ZaFYgUsa0fXLJ8Y0VS9LPTpgX5F4fnWO?= =?us-ascii?q?XpmmQqOv2oWMBa9toZuGE47ga4XRqg5o9J76wHh5CQaq5EfZ/Msdhk70h9+T4A?= =?us-ascii?q?aixNgRZ4jxOjUuAQvfvj7cbfsJqp7OauSaksSv4P9xcuG2Rxk5vwgV4kodHN1O?= =?us-ascii?q?dQUI7Vhprl8ABLPXGKvJzW0x5mKeoBM4irZqpv920bJygCIHIDJcaWa+Mi7C9p?= =?us-ascii?q?KjrT4UJND9gRatMZM8rNmBxUhVfyWL5J7MrbB0WUC4FteMA092D30iw68YMgUu?= =?us-ascii?q?b87z+7PZ/f4EtXP/xdkCVslMnPpOwUwfrOFicX4WOWawVuwi+YzZmCFerw9/2W?= =?us-ascii?q?yN7IT1MGAjI2U4BFKTqN5wOnQPa1lJLuUg+T8c/8npY+dEOWRnysk6UIqaJMHv?= =?us-ascii?q?BaiiT7xDdSDIb1iOyJs9C08mtYqkVHEJpv7R3CAKhfO5J7ORLklsmkWEdxHS7/?= =?us-ascii?q?eMDOeRoopuWW2ukN4+JkN0v9fo8XOBQExKzm6XBNVAthVKb2vkqFXeIWfNZmR+?= =?us-ascii?q?/LrmtO6Y55NqEBM16TpJ3srjdVp1E7GwApaLoqoTxcaEbChgpVW7z7uLQYkAsT?= =?us-ascii?q?TcZ5uVNQGWK3IG8+5T3HVaRTjKWLFPMV8jGTTrETXERpMyN+RQi12JZve7ayg/?= =?us-ascii?q?BHs31GkTl5oPc30jxqXh28tjPwp6gVwzIv5Km4tCkduXxCVuiekjnIBk9FzPkR?= =?us-ascii?q?iaccFmvt6V27YHkYdofy56NnJcv4/4k7/3s/eQkjfzEBXem4CSH/ka2IAoKLsN?= =?us-ascii?q?9Hih+CosPOYqGvLSQIMLQy1w7jTWBn0gfChBZo7HcLQjK44d8rIIW9PsgkyTSs?= =?us-ascii?q?GWjfb1sM+aRJsM3wtVEXVuc2b01uwHl72MidWiINXNDPG3oyjgU8a2VEcJJC6Q?= =?us-ascii?q?cdF6ksgzaIordJ8xoRYDfVDoSl4Jffkd3P2XknQtdg3njWqbGdhpM2zH1lnMt5?= =?us-ascii?q?7iGTuHQTauPYVNRhAmTp1ohBz+z+e++isuQdR4tg1LuhUeUNPtOl+WSoxJVgQl?= =?us-ascii?q?WlyagGH1qlLO8Dwa/WUzukSW2dQumLb2mMkCo6MkHs4RmkNFs3Z9lWr0UlKOvN?= =?us-ascii?q?moZclxH9UbNzXiiQoF7bzG8gMeMdbA82up2oew8NTO4XeeecI/IiwPsgB1sQd3?= =?us-ascii?q?XJBzd5C/eqsV6xm4h2I25v7lv8YeTx6Q3mK9+SGh4YEY7GsJ5+5+G1SniGOX96?= =?us-ascii?q?wx14JFN0+PvHF1Qtqu9cdI6cncDXh9R/y+EFbflsMSo5ut4dgY9j7I6U0MCRcR?= =?us-ascii?q?7P0pnyP9bVouODA/3eyUQqdXtWUr0DYQP6/486JMI2W6XPHbtFuhQRHaY6T4Il?= =?us-ascii?q?N2fw7KF7Mhh+cw/QZLSxh8nluPiLZp9KqHPM6VIwNijcsQUZyvOoVQx7c4yqh3?= =?us-ascii?q?LqLZAwWjJBr9ptCh58E4tUAM4AqgunA4KOmK6lkdOx/Fl6u+ASu6rqFv/KzMi5?= =?us-ascii?q?35l2X5VC602LJCzRBKh3jUt7lemyh/bA0oXrCcz8Y98EU/J7QmHdYL/cAoq/Mi?= =?us-ascii?q?6OOt77e0Ne9L6c1Kx2Xw6JZCD9RaWGrzGkNPR47kUn0Ix3YvTcwCYr777FxNv4?= =?us-ascii?q?f3tbqTu7rX6VKJtf60THBejfXxJSVPqE/39pHakWbYvv6OcOKscvwNmG7Al16z?= =?us-ascii?q?ROysyFI7KurkXUwEJ0aYrbLFf12yY+QYQKOwqwMU8tgW/ft3TcDnNQIMe4Kclt?= =?us-ascii?q?ntmVFALi51Frlmw2ZW5OBHDoRdGPNmgfwM2+eQKK+BhMD9YZkO69YVQ4ubGqSe?= =?us-ascii?q?l0JpVFnv2ntLEGkdZyNyHCX8lbPzjWLLBsJDZRCPvApEQwaB4er7c1Qps1ZYSJ?= =?us-ascii?q?IE4fNUeP0z/9zQvD0U3ycNyhz7iJICcQ8npZy7LF0D5MpxS2uPqDhc3jSr/ZZo?= =?us-ascii?q?nsXPHOKColSi2aRTMqHEar41ikuP0Es+GDLGcCpFAUfiKSCAkOpqBgrdjQEnXf?= =?us-ascii?q?met9c50WnPqaQTz/SDVklKouASZGrVuDTOEEGQnSbn/hm3ZcuBe4Kv9X433qc6?= =?us-ascii?q?eUxrFLVOwSA4tMdOCZQtTDdP9CJzYojCgZOP2mc9zStbk5zknITWwfE6XS812e?= =?us-ascii?q?VkGWSOSGxz33RYUVo5Q0ui0w99LfhCB4CL7IP7eBqD6q6YO4kiKYtvfFVmksfk?= =?us-ascii?q?w5muQCD3edwBNYMmELF8kVuF3xQq6Hf0tM1ncpieV02x8WeQRzSWZj0ntMk/a4?= =?us-ascii?q?BMJZSEQYjGS0QP0JdFp3Fi8//VeW4g3uZtwNodvTR2Fb9rQQSIcQL+Il6JfJN6?= =?us-ascii?q?sKwfYo3TVmoCogvyWbEVxdkhqP87DME6Jk2r1C+W448ul0XkGIRTPfdnPKyo+4?= =?us-ascii?q?BM1Syydupmrk2NbKsex3MrtVuZ15Ux82BndtK9Tc+y1ReX3l0wu1+RCgFXKRJy?= =?us-ascii?q?xKziwMIHk+auttz+J9+C3Nf9LF5FLY47kts2O3GA2LDfyyw5UNBcb3g1brIRJX?= =?us-ascii?q?eCmmQsgl4s1Gk8wfNOZ9PYU=3D?= X-IPAS-Result: =?us-ascii?q?A2FjBgAGaklY/wHyM5BeGwEBAQMBAQEJAQEBFwEBBAEBCgE?= =?us-ascii?q?BgwwBAQEBAR+BUBC7XCeHd1MBAQEBAQEBAQIBAl8oQg4BgWIagiMCJBMUIAsDA?= =?us-ascii?q?wkCFykICAMBLRUfCwUYBIhKqiQ9KgKLHSaPMxEBaIIAC4MKBY8BfYpskR+Bc4g?= =?us-ascii?q?4DIYKkhZWYRcCEQ4jg26BY1SDRIJAgi4BAQE?= Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1]) by emsm-gh1-uea11.nsa.gov with ESMTP; 08 Dec 2016 14:12:39 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id uB8EBjl3009260; Thu, 8 Dec 2016 09:11:52 -0500 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id uB8EBiKx020240 for ; Thu, 8 Dec 2016 09:11:44 -0500 Received: from moss-pluto.infosec.tycho.ncsc.mil (moss-pluto [192.168.25.131]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id uB8EBgP4009253; Thu, 8 Dec 2016 09:11:42 -0500 From: Stephen Smalley To: selinux@tycho.nsa.gov Subject: [PATCH v2] selinux: allow context mounts on tmpfs, ramfs, devpts within user namespaces Date: Thu, 8 Dec 2016 09:14:47 -0500 Message-Id: <1481206487-544-1-git-send-email-sds@tycho.nsa.gov> X-Mailer: git-send-email 2.7.4 X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: Cc: seth.forshee@canonical.com, Stephen Smalley MIME-Version: 1.0 Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP commit aad82892af261b9903cc11c55be3ecf5f0b0b4f8 ("selinux: Add support for unprivileged mounts from user namespaces") prohibited any use of context mount options within non-init user namespaces. However, this breaks use of context mount options for tmpfs mounts within user namespaces, which are being used by Docker/runc. There is no reason to block such usage for tmpfs, ramfs or devpts. Exempt these filesystem types from this restriction. Before: sh$ userns_child_exec -p -m -U -M '0 1000 1' -G '0 1000 1' bash sh# mount -t tmpfs -o context=system_u:object_r:user_tmp_t:s0:c13 none /tmp mount: tmpfs is write-protected, mounting read-only mount: cannot mount tmpfs read-only After: sh$ userns_child_exec -p -m -U -M '0 1000 1' -G '0 1000 1' bash sh# mount -t tmpfs -o context=system_u:object_r:user_tmp_t:s0:c13 none /tmp sh# ls -Zd /tmp unconfined_u:object_r:user_tmp_t:s0:c13 /tmp Signed-off-by: Stephen Smalley --- security/selinux/hooks.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 8a90a0b..8fae174 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -834,10 +834,14 @@ static int selinux_set_mnt_opts(struct super_block *sb, } /* - * If this is a user namespace mount, no contexts are allowed - * on the command line and security labels must be ignored. + * If this is a user namespace mount and the filesystem type is not + * explicitly whitelisted, then no contexts are allowed on the command + * line and security labels must be ignored. */ - if (sb->s_user_ns != &init_user_ns) { + if (sb->s_user_ns != &init_user_ns && + strcmp(sb->s_type->name, "tmpfs") && + strcmp(sb->s_type->name, "ramfs") && + strcmp(sb->s_type->name, "devpts")) { if (context_sid || fscontext_sid || rootcontext_sid || defcontext_sid) { rc = -EACCES;