From patchwork Fri Dec 9 15:57:31 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stephen Smalley X-Patchwork-Id: 9468521 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id A92E5602F0 for ; Fri, 9 Dec 2016 15:55:15 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 97F4F28623 for ; Fri, 9 Dec 2016 15:55:15 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 893022863F; Fri, 9 Dec 2016 15:55:15 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from emsm-gh1-uea11.nsa.gov (smtp.nsa.gov [8.44.101.9]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 9AB8E28623 for ; Fri, 9 Dec 2016 15:55:12 +0000 (UTC) X-IronPort-AV: E=Sophos;i="5.33,324,1477958400"; d="scan'208";a="1448187" IronPort-PHdr: =?us-ascii?q?9a23=3A2cYISRDodBQ15bzXKTXfUyQJP3N1i/DPJgcQr6Af?= =?us-ascii?q?oPdwSPr4osywAkXT6L1XgUPTWs2DsrQf2rGQ7v6rAjdIyK3CmUhKSIZLWR4BhJ?= =?us-ascii?q?detC0bK+nBN3fGKuX3ZTcxBsVIWQwt1Xi6NU9IBJS2PAWK8TW94jEIBxrwKxd+?= =?us-ascii?q?KPjrFY7OlcS30P2594HObwlSijewZb1/IA+2oAjQucUbj4VvIbstxxXUpXdFZ/?= =?us-ascii?q?5Yzn5yK1KJmBb86Maw/Jp9/ClVpvks6c1OX7jkcqohVbBXAygoPG4z5M3wqBnM?= =?us-ascii?q?VhCP6WcGUmUXiRVHHQ7I5wznU5jrsyv6su192DSGPcDzULs5Vyiu47ttRRT1hi?= =?us-ascii?q?gHLTo5+3zJhMJ2gqxQvRatqwVhz4LIZY2YMud1cKHActMAXWdPXthfWTFPDI2/?= =?us-ascii?q?aIUPF+gMMftWoobyu1QAogWxBRK3CePzyDJFnGP60Lcm3+g/FwzNwQwuH8gJsH?= =?us-ascii?q?TRtNj7KbsSXv6tzKnI0zrDae5d1yr46IfSdhAhpe+DXLJtesfW0kkgChjFg06M?= =?us-ascii?q?qY3lIzyV1uMNv3Kd7+p7T+2jkWEnqwZvojW2wMonl4rHhpoNx1zZ+ih0z5w5KN?= =?us-ascii?q?2lREJhf9KpH4VcuzuHO4ZwX8gsWXtnuDwgxb0DoZO7eS8Kx4k5yBPHcPyHdpSI?= =?us-ascii?q?4grkVOaMPTd0nHJld6y7hxa16UWg1vfzVtO10FZXtSpJiMXMt3AR2BzT7ciLUP?= =?us-ascii?q?198Vu62TmTzQzT7+BEIUQsmaraLZ4u3KIwm4IOvUnMESL6gkX7gLKMekk69eWk?= =?us-ascii?q?9f7rbqj+qp+ZLYB0iwX+Mqo0msy4BOQ1KhMOUHaf+eS90r3j4EL4TKxRgf0xj6?= =?us-ascii?q?nZtozVKtoApqOiHw9U0pos6xa4Dzu81tQYhmMIIEhKeBKAkYjlI0vOL+zgDfej?= =?us-ascii?q?n1Ssly9mx/HAPr39HJrNKmbMkLL/crZh8U5dyBE+zddH551KDLEBJej8Wk71tN?= =?us-ascii?q?PDCR84PBa4w+H9CNVyzokeQ36AAreFMKPOtl+F/uIuIuiLZI8Tozv9Lvwl6+fv?= =?us-ascii?q?jX8/g1Mde7Om3YEUaHC5APRpPV+VYXzyjdcdCW0KpBYxTPT2iF2eVj5ef2i9X7?= =?us-ascii?q?om6TEhCYKmFpzORpi3j7yb3Se7BYVWZmRcBV+QD3jkbYKEW+0DaCiKOM9ujiQE?= =?us-ascii?q?VaS9S48mzRyvug76y75iLuXK4C0Vrpzj28Zo6O3UjxE97yR0D96a02GPUW57gn?= =?us-ascii?q?8ISyUx3KBlrkx30k2D3rRgg/xECdxT4OtEUgkgNZHGyex1F9HyWhnac9eMUFam?= =?us-ascii?q?Q8yqASo/T9Iq2dMOZFx9G9q6hBDZwyWqG6MVl6CMBJEs8aLTxXvxJ8Fgy3vd16?= =?us-ascii?q?kulVomQsxSNWG8ga5/7QfTDZbTk0qFj6aqabgc3CnV+WiZ0GWOpkBYXxBqUaje?= =?us-ascii?q?R38Qek7Woc7+5kPYQL+kEa4nPRdZyc6eNqtKbcXkgklcS/fnJtveeH6xmme3BR?= =?us-ascii?q?uT3bODcIvqdHsb3CXBCUgLiRof/XCYOggiHi2huX7RDCRyFVLzZEPh6el+p22/?= =?us-ascii?q?Tk8wyAGHdElh16ep+h4SgPyTUekf3rUeuCcusz90Bkqy38rKC9qcoApsZL5cYd?= =?us-ascii?q?0n4FdAzmLZqxdwPoemL6BliF8edh54v0X02xVxFIpAjdAgrGk2wwpqNaKYzFRB?= =?us-ascii?q?eiuW3J/qPr3XNnf9/Aq0a6PNxFHRzsyW9bwS6PQ9sVnjuxupFkU6+XV9z9ZVy2?= =?us-ascii?q?ec5onNDAcKTZL+T1s49xlgqLHeeSQy+4TU1XhwPqauqT/Cx8glBO07xRa8Z91f?= =?us-ascii?q?Kr+LFBfuE80GAMijMOoqm1mtbhIAIu9S77U5MNm4ePuc366nJuFgnCipjW5f+o?= =?us-ascii?q?ByzlqM9zZgSu7Px5sK3uuX3hedWDjiglegvdv6lpxEZT4IBGq/1TbrBJRLaq10?= =?us-ascii?q?Y4kLFX+kI9erydVmm57tR3lY+Ua9B1MHxMCpZR2Sb0bn0QJM1UQXpnqnmSSjwj?= =?us-ascii?q?xwkjEpqLCQ3DbJw+j4cxoHIGFLTnF4jVjwOYi0k8waXE+wYggtlRul/lr6y7FA?= =?us-ascii?q?pKthK2nTQEFIfzX5Lmx5SauwrruCY8hO6Jw0qiVbSuK8bk6GSrTluRsVzzvjH3?= =?us-ascii?q?dCxDA8bzyqoJL5nxh+iG2DNnZ8sH3ZeM9ryBfE+dzTWeVR0iABRClihjndHkK8?= =?us-ascii?q?MMWx/dWIi5fDtfizV3q7WZ1OdSnn15mPuDGg6m1tBR2/g/ezmtv8HAg/zSP70d?= =?us-ascii?q?5qWjnSoBb6fIbry7ywMfh7cUlwGF/89816F5l7kos0nZ0fx34ai46L/XUZlWfz?= =?us-ascii?q?NctU2bjkYHoLWzEL38bf4BL51017MnKJ24X5W22ewsR/Ydm6eXgb2iEj4MBME6?= =?us-ascii?q?eU6qJLnTdvrlq/twLRbuB3ni0Bxvs29H4an+YJtRI1ziqHH7ASGVdXPTT2mBSO?= =?us-ascii?q?89Cxsr9XaX2ycbirykV+h8uhAKuZogFbRXb5YIstEjF+7sV4KlLM32P85pvieN?= =?us-ascii?q?bOcdIZrgeUnAvYj+hJNJIxkeIHhTRhOW3gpnAl1eg7ggFu3Z2guoiINXlt9rqj?= =?us-ascii?q?AhFELj31e98T+jb1gKZGhMmWwoSvE459FTUKQJvpTeukEDwIuvThLQqOFyc8qn?= =?us-ascii?q?iDE7rFAQCf8Ftmr27IE52zNHGWJH0Zwst5SRmYI0xfjg4UUysmnp4lFgCqw8nh?= =?us-ascii?q?f1lj6jAX+FH4tgNGyvh0OBnnTmffuACoZy86SJeFKhpW8gZC50LOPMyQ8O18Ai?= =?us-ascii?q?ZY/oe7owyVMGybYAZIAn8VVUyYHVzjOaOu5dbY+eiCGuW+N+fOYamJqeFGWPeI?= =?us-ascii?q?xY6g0pFm/jaUKsWPOWJvD/sl1UpfRnB2B97Wmy0RRCANkSLCcdKbrg+m+iJrts?= =?us-ascii?q?C/7OjrWAX36ISSDbtdK85i9A2wgaiZLeKQgzx5KTlA3JMW2XDI0KQf3EIViyx2?= =?us-ascii?q?bTmiDKkPuDXCTKLVla5bFRgbZD1vNMFQ9aIzwhFNOdLHitPyzrN4lOQ5CllfWV?= =?us-ascii?q?zkgM6pYcsKImGmOVzdGEmLMa6KJTrRw8H4eam8U6FfjP1Itx2svjaWC0njPi6Z?= =?us-ascii?q?mDnxTxCiKu9MjCCBPBxFpIG9fBdtCW75Q9LgdhK7McV4jTkszb0znHPKOnYWMS?= =?us-ascii?q?JgfENVsr2Q8SRYj+1iFGxa8HVqN+aEmzyD4OnGMZsWquFkAidpl+JA+ns20b9V?= =?us-ascii?q?7DxCRPNvgivet8Juo1alkuiPzTprShxOpShXhIiTp0VtJb3Z9oVcWXbD5B8C9m?= =?us-ascii?q?SQCxsNp9tjEdDgpr5fxcPOlK3pLjdO6dXU/dETB8LMMsKILGIhMQb1GD7TFAYK?= =?us-ascii?q?VzGrOnvBh0NDi/yS8WWVoYY8qpjpgpUOS7tbW0cyFvIVEEhlG8YCIJhvVDM+jb?= =?us-ascii?q?GblNII5Wa5rBTJWMVauZXHWuiIAfXoKTeWk79EaAASwbP/M4sTNZb21FBlall/?= =?us-ascii?q?gIvFAVHQXcxXri1ncAA0vF1H8GJiQW0rx0LldgSt7WcTFf6onh42jQ5+bv429D?= =?us-ascii?q?r35lc3J0bKpDEun0UrntXlmz+ReibrLKisRYFWFzb0t08pP5P9XQl6dwmykFdn?= =?us-ascii?q?NDfDXLJRk6FvdWZwiA/fuJtDA/hcQrNYYBUI3/GYe+0o0UhAqiWg3UJH//XKCY?= =?us-ascii?q?B8mwQwa56js3JA1hl4Y940P6zfOa1JzlZIhqKUoCCp1vo9wAkAKEYR6GmSYjIH?= =?us-ascii?q?uFQUNrk6ICql5vFj5hacmztCZWcMTOEnrehw9kMnPOSBwTng3KBfJUCsLeyfLr?= =?us-ascii?q?+Zumjamc6OXFwwylsCl1NZ8rhuzccjb02UWlghzLuLCRsGKNHCJhtTb8pO83jT?= =?us-ascii?q?Zj2Dvv/RzpJwJYm9EfroTeCWvqYOnk2kBBopH5gL7skZGpms11vYItnhLL8Ezh?= =?us-ascii?q?Ug/wvrJFOYDPhTfxKLijgHqdmlzJBrxYldOi0dAWJlPCWs+LnXog4qgPyeXNY5?= =?us-ascii?q?eXoVQowENncqV8KggC5Zo25MDD+p3eIF0AKC9SPzpjzMDDngaNpufOqbag9pCN?= =?us-ascii?q?Gx/zU/77W6hEXJ8prAPWH6NNVjutjJ6e8AoZaIFe9UR6Fns0jAg4lYW2CqU2nX?= =?us-ascii?q?HN62PZjxa5MjbdroCna6SVG/hDU1T9/tM9q3KKiHnx3oT55OsIaHxDAjKdO9Fj?= =?us-ascii?q?YGFhdspuED4aV8ZREDY5s7ehPnqgU+NqylLwiDyNmuRXiiKSdORflF0eq6f6BX?= =?us-ascii?q?zzYrbuKix3sgVIs1z++r8UMWRZEKiR/fxfC/Z4leTyfzG3pdexnRqiojjWRhMP?= =?us-ascii?q?g9wvsnyhPSrVYcKyyLdPBuaGFcpd48AVKSLmloBWUgQl+djYzD4gmq378I5CZS?= =?us-ascii?q?hNdU3vdDsHTnsJ/ffSigWKq1ppXJqyAgd8Qpo7VtMYz/JcuLrIjRkSLZTJTLqA?= =?us-ascii?q?KKTTC6GORAmthLOi1YWvlJlXsiOcwctopL8VAxWdsmJ7xTFKksoainaSBiDS4T?= =?us-ascii?q?0SAZV4SA3DgZgumkwrXUiw2efYglPhEfrJpChd4dXDJsbSMFuK+vTYPWmHGYSm?= =?us-ascii?q?ITOgcc8RxM5B4clo93Zu3q/IjIQ4VQxDNNv/10VS/LFp1p91TlUGGWnUb3R+mh?= =?us-ascii?q?k+Cz2gJS1v3s2MEBWBFjEUhd2/pWlkwwJbFtMaYQpInKvSSTeEPmpmLi0vWmK0?= =?us-ascii?q?dVyc3VcV34A47FtWvzUi0c5X0US5VAyGvaFZgIlQp2drorrk1WII+6Ykb++yAk?= =?us-ascii?q?x4NxEri4T8+r3EwqrXMHRyesCNdBCv1mv0jMWDJ5eZ+nspPlNItOQmVI4p2St0?= =?us-ascii?q?9ZkFlxMy6+0ZddJdtB7SIMXDhOpDWdvcG9SM5Y1M93EZADPMlwt236GKNeN5ib?= =?us-ascii?q?u2c2taD3yn/F5zA8t0+3xC20G6+8Ve1Z5WMfGgItJ2SQsUQvCuws8mDJ8l/Trl?= =?us-ascii?q?905eBbBqOUjUVwpjZ9EYpCBjFT1XCqN15zVmVJs/1GKKTJdMxRW+M9ZQWyOxw4?= =?us-ascii?q?D/Im3FeE/UB1nXf4fyx9rRFW+ybDUAkoTSMVmKvimSUCqsG7Pj8XU45IbTIkby?= =?us-ascii?q?reNwKXhSVXsw1FZ0FsRZ8ZHs5P+6sH0otM4srCVUGsJDkFXBN4LAI3y/5fmlNY?= =?us-ascii?q?vUqFZy/dFRKoeujLshJpZ8edtsmpLO72/A1fkIPorPg497kfR32hgQCtQ9feoJ?= =?us-ascii?q?Hnu9KXqESOb7n3M/egYXDfUTfAlxawiqk4D5PS5SjcLBJbK4VmyXojeZXuEmDL?= =?us-ascii?q?MghaK68ZOkZWW7t3ZslBouBfe8BrYr0J+bN3ChKBWBzvBJSlrONaIVbLWTTeMy?= =?us-ascii?q?KB//SloY3N8LPdSfLvZtCXynbDRKJ3IIl15SfnFLftzIBR5FD62vFz+UNmUVLG?= =?us-ascii?q?KTyOrMz9JgMX48mvblPivoY1HTzMHZhwjGHgxlpHd8oKWS2l7IoXyJVF6HbqU+?= =?us-ascii?q?141lL/sOpI97lr8YM3+axmyd+oJafOLvRXqVNnAgKKCQp065ogG3V/R2RNYu8L?= =?us-ascii?q?MvjRY6UZjcfqq+/pC6wb8hqV+/ZWadHfPUHOhtG/Ci2ASRxDhAoBrCQVLg+Y1/?= =?us-ascii?q?Gbh690VdyqqvLi10Ir/Ve+MgUGw6x36oec5KWEvunXYAXNzbIcQKjlWtvzrqgw?= =?us-ascii?q?u0OV/fAklqQBenZyYw28FOgSTNAdy3zlzaA3ySIsD8LDEK7h+PFZUXI5hSjsm5?= =?us-ascii?q?dnH1UZAvkUB6aE/ZxCnmcknOzULt8WfbpEmmaBDx6kFaINxmCw5iuLOmZlhArO?= =?us-ascii?q?0xbqTWO18lD2sTdyQTHQwNf7jkpVSr63CF9dXyq0OE94tDePMxTttNfspKs68l?= =?us-ascii?q?o5Mm3+u9KLjmehP6lXH8LnLtyGPSY0vE4XjIE2RtG334AbHcGwINYX8HF7dPfe?= =?us-ascii?q?6mWrkyFbo6hdnIre/tuV+ujLEnm8kq2asauCyCpfyngislE18sqgOe3W592WX/?= =?us-ascii?q?So0H4cTyJ4uwvHQx61paLUoksROUyKykjLnpIFPs1X3Hk/zEHm5/MjTMg19ApA?= =?us-ascii?q?CobKf+kCqizrODvo3VafZMo6Vi2F0ztSHl/4Cld4F7Yh12L3psLGj2/Q+0cvRo?= =?us-ascii?q?lyaUPomQB3A58/KUI351gd2jADHhQVaRCHELGoAlzoLY4AVUcdbBSH26a1eqMs?= =?us-ascii?q?0E183Lyv4/TTbfRmCKoRN/ZSlAqOnFldGpIKr6IeRLZ8e15S9KHJoAjtF5boU+?= =?us-ascii?q?LglXUuKf2/Wtpa/twBt3s+/ga/QAKt6YxZ4LYFkp+IebBLYYPXscBn9Uhn+yQA?= =?us-ascii?q?diNTjxhklR+5V/4TpPz76NjBrJWo8vquVLoqR+gP9Rg0BmF+goD1gF89odDYyf?= =?us-ascii?q?1cSozTiYTw6gxNJWCFuJrC2RlmNeUOM56rfKpn93gfJigfJmgBMsCKZPQn+C9i?= =?us-ascii?q?LinT6EJeDc8WYtMYJsXNkxhOikL1QLFT6tbbGliABohodsAo9GT2xyo38Zs9Tu?= =?us-ascii?q?bg8CW5JY3b71xWI/xDizhjm8zYq+gI2/rSDzIX7mODZxhy2COCxIGHC+zs8uWU?= =?us-ascii?q?1NHUS1QGEzYuU4hHODqN5QynR+SylJXzUQOY89Tzj4w6dEKRQHyxgasEv71UEe?= =?us-ascii?q?FaliX0wjheF47yh/KPsNqg8mhXuUNdEIZ18xLFHL9TPpJhORT3jsOrXFRzBjPj?= =?us-ascii?q?eMHIcRojoPaWxv0S7OV6LUT+Y5EULwkZxLL75npVTxduR6TtvlmDR+IRecFqSP?= =?us-ascii?q?XaoXBJ8YhgMbMAPECBpJz2qTdFsF82DxUzaLAusjxadlLDnAlUW6boprEAihET?= =?us-ascii?q?UcNiuUNWH2K/Jn4+7SLdVatJlKmRFOAV8jKLQ6wBTUpoND9+QxSy2JlpYLumg/?= =?us-ascii?q?RHsmJAniNgr/knyDhmSwWmuSzsva0BwzQg96+ktD8Zo3xKUv2ekzvUCVVE1PkK?= =?us-ascii?q?i6YcBGrl6Vy4enYDd5H+4LhgJcTn7okh+G8yYRAsciwJR+igDDvwj6yQCIyVrN?= =?us-ascii?q?1cnAKNuNnJbbKrIigdKq89yQn6S3Zg3QbQmhdo8G0WQjSv99IkK4C9NtwjxiW2?= =?us-ascii?q?A2Tbc0wM4qxRusvrqVELVPc2aU9mwGh70MiHQS0NRMrVF2kpjggkbXhEf49C6B?= =?us-ascii?q?8bEakomTWIvqhd8wEKYTfUDJ6q+o3NksfJw3U9S8llxn7OrK2fmpwqyGFlm89z?= =?us-ascii?q?7iOWuXQSafbXU8l3D3j3y4dQ1O3+Z/K2suwdT4tm0ruhWucYMsa/4Wu2xIlqWk?= =?us-ascii?q?i9y7QcAVW5PuEDxrPAXiarU2KYX/qEc3SWkzY/LEHy+QGiLkcrZ8dSs089LuzC?= =?us-ascii?q?i4ZTlw3lVrN1SDufpVvfzGE4KuMacAQ2uIa7dAAQSu4eefScL/A0wPIiEFsMc2?= =?us-ascii?q?PJHSxuBu+0sV6snJB7O3Jk4UX7feTi7BvrMN6TGhkYC47VsIR9+fugRmKOIXVg?= =?us-ascii?q?1gF9PFFo9+fDEFQ8rvNcc5eUndXLm9R70PIKd/RzPi05oNITnJxs6ZWM2seQbR?= =?us-ascii?q?7R1oryJc3SovWABv3fzkcqemJdUrcCYwP6/YY6Ptk/W7LNG7tVpxIcCrYmQJY5?= =?us-ascii?q?LWf+6Ll0LB9vcg7WfLm7mdflpuSXZpZPvH/W6lUwLDvAux0d1PO7UBZ3b5ewh3?= =?us-ascii?q?X9OJowXC5Or8VxCht6G4tCA80AoBSjA56VgKG0lcS8+kJ7u+8PtKr/FOrK1NCn?= =?us-ascii?q?0IlrWJha/0OLNi7LBKZ3mkRlkviygvDY35j/EcPiY9IEW/RlTWPeb7/GH5m/Ki?= =?us-ascii?q?iQNc7mfE5G6bGc2qpjUhqNfCD5Q7aGtCq8OfVj5UU01Jd1fPLXzDM39LHbxNry?= =?us-ascii?q?aH1Hpie5s3GGKoFT7FrUCuzCRxhUU+aK8H55Ha0Laov57OMOMd0kwNiB7Ah/9T?= =?us-ascii?q?BC0MqeI6i9tU/BwUN7eojdLEvuwSo5XpMKIBunO0s2nWDZsmjdAWhbLsW8Msli?= =?us-ascii?q?ntKVDh3r50lslmAhYWFPGnboRdiPI2gUxdq+axeR+QJIEdkDhei3dlA8tqKpVO?= =?us-ascii?q?loNY9JmeKwtLUIidxpMT3ARNBGPyHMK797Jj5RDuTUpFg0eRMFsqE1WoEvapSU?= =?us-ascii?q?JkMILluAwzvozQTeyU30a8Cs1KGRLSYT6HpI07LF0TlKpwm+ovuZnMzjULbHY5?= =?us-ascii?q?HyXf7SNjclVz6ASTQ1C0ap9k+uu+AYs/qAPWcfvlcUbzqQCAEJpaBvqsPfA3TO?= =?us-ascii?q?me1lYJ0KhPeaWz3/SC14iKo+HCBLul6QQ/AbDwnZc2fhgHZAuAylPvJD5mnqY7?= =?us-ascii?q?qcxqpUQOwWHpBMfueCQ9TGZf9SPSwomSsdOOa9ed3csrk430nUQmoZCanI6Uae?= =?us-ascii?q?QFSYQ/OG2zLrRoIVv44utiov4NLQkTd9E77UMLaHuz6u7om4gT6XueLETWYteU?= =?us-ascii?q?01j/wGAGSa3hlALHsLC8oUuEHwWKKAYVhD1G4xg+J0xxAMYBhzUmFp0nBOnva9?= =?us-ascii?q?H8pZSUQOjGOvW/0Ld1Z3Ayk1/UCU4w3+e9sAudrcR2VG7LsDVZIdLOU06InQIK?= =?us-ascii?q?YQ2/gp3Dd6ryE7sCiQFE1dgRyf86rRHaN8wbtC6XM+//5oQkGFWynffXTfyoq6?= =?us-ascii?q?F8JPwj9joXLj18rSuuBgL75aqJ9kD1cEBiJ2PMzS8i5bXWHyxgSyo0XzIDPLOz?= =?us-ascii?q?8d4TAWNQQZZ+11yKl9qx+OedHfum2KsKd0k1emEQaGDPKP3ZVPDsz4nVGjZTJj?= =?us-ascii?q?bSSgF5cwrO1E0tkVf/V0NsCFH1ndI12mXUqjsCcW+U2v+Oym?= X-IPAS-Result: =?us-ascii?q?A2H0BQCE0kpY/wHyM5BdGwEBAQMBAQEJAQEBFgEBAQMBAQE?= =?us-ascii?q?JAQEBgwwBAQEBAR+BUBC7ZSKHc1MBAQEBAQEBAQIBAl8oQhIBgV4agiMCJBMUI?= =?us-ascii?q?AsDAwkCFykICAMBLRUfCwUYBIhKqy89KgKLCyaPMxEBgmgLgwoFjwF9im2RIQK?= =?us-ascii?q?KLIYVApIZVmIcAhMOJIJ2RhyBe1SDc4Mbgi4BAQE?= Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1]) by emsm-gh1-uea11.nsa.gov with ESMTP; 09 Dec 2016 15:55:05 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id uB9FsWPY000686; Fri, 9 Dec 2016 10:54:39 -0500 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id uB9FsV2P038786 for ; Fri, 9 Dec 2016 10:54:31 -0500 Received: from moss-pluto.infosec.tycho.ncsc.mil (moss-pluto [192.168.25.131]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id uB9FsTOc000679; Fri, 9 Dec 2016 10:54:29 -0500 From: Stephen Smalley To: selinux@tycho.nsa.gov Subject: [PATCH] selinux-testsuite: Add tests for extended socket classes. Date: Fri, 9 Dec 2016 10:57:31 -0500 Message-Id: <1481299051-27863-1-git-send-email-sds@tycho.nsa.gov> X-Mailer: git-send-email 2.7.4 X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: Cc: Stephen Smalley MIME-Version: 1.0 Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP Add tests for the extended_socket_class policy capability. This change includes the following tests: - Test that ICMP datagram sockets are mapped to the new icmp_socket class and not to rawip_socket for both IPv4 and IPv6. - Test that SCTP stream and seqpacket sockets are mapped to the new sctp_socket class and not to rawip_socket for both IPv4 and IPv6. - Test that Bluetooth sockets are mapped to the new bluetooth_socket class and not to socket. - Test that AF_ALG sockets are mapped to the new alg_socket class and not to socket. The tests are only run if the extended_socket_class policy capability is present and enabled in the kernel and the base policy, and only if the new classes are defined in the base policy. This avoids breaking the testsuite on systems with older kernels, older policies, or policies that do not enable the policy capability. Signed-off-by: Stephen Smalley --- README | 8 +++ policy/Makefile | 4 ++ policy/test_extended_socket_class.te | 64 +++++++++++++++++++++++ tests/Makefile | 4 ++ tests/extended_socket_class/Makefile | 4 ++ tests/extended_socket_class/sockcreate.c | 89 ++++++++++++++++++++++++++++++++ tests/extended_socket_class/test | 76 +++++++++++++++++++++++++++ 7 files changed, 249 insertions(+) create mode 100644 policy/test_extended_socket_class.te create mode 100644 tests/extended_socket_class/Makefile create mode 100644 tests/extended_socket_class/sockcreate.c create mode 100755 tests/extended_socket_class/test diff --git a/README b/README index 8dbbbda..521e965 100644 --- a/README +++ b/README @@ -39,6 +39,14 @@ CONFIG_JFS_SECURITY=y CONFIG_XFS_SECURITY=y CONFIG_JFFS2_FS_SECURITY=y +# Network protocol implementations. +# These are enabled to test the extended socket classes in +# tests/extended_socket_class; they are not required +# for SELinux operation itself. +CONFIG_IP_SCTP=m +CONFIG_BT=m +CONFIG_CRYPTO_USER_API=m + Do not set CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX; it is an option for legacy distributions (Fedora 3 and 4). diff --git a/policy/Makefile b/policy/Makefile index 16ab3b9..992278b 100644 --- a/policy/Makefile +++ b/policy/Makefile @@ -30,6 +30,10 @@ ifeq ($(shell grep -q cap_userns $(POLDEV)/include/support/all_perms.spt && echo TARGETS += test_cap_userns.te endif +ifeq ($(shell grep -q icmp_socket $(POLDEV)/include/support/all_perms.spt && echo true),true) +TARGETS += test_extended_socket_class.te +endif + ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6)) TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te, $(TARGETS)) endif diff --git a/policy/test_extended_socket_class.te b/policy/test_extended_socket_class.te new file mode 100644 index 0000000..4f30c9f --- /dev/null +++ b/policy/test_extended_socket_class.te @@ -0,0 +1,64 @@ +######################################## +# +# Policy for testing the new socket classes +# introduced when the extended_socket_class +# policy capability is enabled in policy and +# supported by the kernel. + +attribute extsocktestdomain; + +# +# extended_socket_test(newclass, oldclass) +# +# Generate a pair of test domains and rules to test +# that when the extended_socket_class policy capability +# is enabled, the kernel checks permission against the +# 'newclass' security class rather than the 'oldclass' +# security class. +# +define(`extended_socket_class_test', ` +# Domain that is allowed to create $1_socket. +type test_$1_t; +domain_type(test_$1_t) +unconfined_runs_test(test_$1_t) +typeattribute test_$1_t extsocktestdomain; +typeattribute test_$1_t testdomain; + +# Allow $1 but not $2. +# This is to ensure that the kernel is checking the right class. +allow test_$1_t self:$1 create_socket_perms; + +# Domain that is not allowed to create $1. +type test_no_$1_t; +domain_type(test_no_$1_t) +unconfined_runs_test(test_no_$1_t) +typeattribute test_no_$1_t extsocktestdomain; +typeattribute test_no_$1_t testdomain; + +# Allow $2 but not $1. +# This is to ensure that the kernel is checking the right class. +allow test_no_$1_t self:$2 create_socket_perms; +') + +# Test use of icmp_socket class for ICMP datagram sockets instead of rawip_socket. +extended_socket_class_test(icmp_socket, rawip_socket) + +# Test use of sctp_socket class for SCTP sockets instead of rawip_socket. +extended_socket_class_test(sctp_socket, rawip_socket) + +# Test use of bluetooth_socket for Bluetooth sockets instead of socket. +extended_socket_class_test(bluetooth_socket, socket) + +# Test use of alg_socket for Alg (Crypto API) sockets instead of socket. +extended_socket_class_test(alg_socket, socket) + +# +# Common rules for all extended_socket_class test domains. +# + +# Trigger kernel module auto-loading of the network protocol implementations. +kernel_request_load_module(extsocktestdomain) + +# Entry into the test domains via the test program. +miscfiles_domain_entry_test_files(extsocktestdomain) +userdom_sysadm_entry_spec_domtrans_to(extsocktestdomain) diff --git a/tests/Makefile b/tests/Makefile index 57a5d12..228b764 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -16,6 +16,10 @@ ifeq ($(shell grep -q cap_userns $(POLDEV)/include/support/all_perms.spt && echo SUBDIRS += cap_userns endif +ifeq ($(shell grep -q icmp_socket $(POLDEV)/include/support/all_perms.spt && grep -q 1 /sys/fs/selinux/policy_capabilities/extended_socket_class && echo true),true) +SUBDIRS += extended_socket_class +endif + ifeq ($(DISTRO),RHEL4) SUBDIRS:=$(filter-out bounds dyntrace dyntrans inet_socket mmap nnp overlay unix_socket, $(SUBDIRS)) endif diff --git a/tests/extended_socket_class/Makefile b/tests/extended_socket_class/Makefile new file mode 100644 index 0000000..8dce555 --- /dev/null +++ b/tests/extended_socket_class/Makefile @@ -0,0 +1,4 @@ +TARGETS=$(patsubst %.c,%,$(wildcard *.c)) +all: $(TARGETS) +clean: + rm -f $(TARGETS) diff --git a/tests/extended_socket_class/sockcreate.c b/tests/extended_socket_class/sockcreate.c new file mode 100644 index 0000000..c5802ae --- /dev/null +++ b/tests/extended_socket_class/sockcreate.c @@ -0,0 +1,89 @@ +#include +#include +#include +#include +#include +#include +#include +#include + +struct nameval { + const char *name; + const int value; +}; + +static struct nameval domains[] = { + { "inet", AF_INET }, + { "inet6", AF_INET6 }, + { "bluetooth", AF_BLUETOOTH }, + { "alg", AF_ALG }, + { NULL, 0 } +}; + +static struct nameval types[] = { + { "stream", SOCK_STREAM }, + { "dgram", SOCK_DGRAM }, + { "seqpacket", SOCK_SEQPACKET }, + { "raw", SOCK_RAW }, + { NULL, 0 } +}; + +static struct nameval protocols[] = { + { "icmp", IPPROTO_ICMP }, + { "icmpv6", IPPROTO_ICMPV6 }, + { "sctp", IPPROTO_SCTP }, + { "default", 0 }, + { NULL, 0 } +}; + +#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) + +static int lookup_value(const char *name, const struct nameval *nvlist) +{ + const struct nameval *nv; + + for (nv = nvlist; nv->name; nv++) { + if (!strcmp(nv->name, name)) + return nv->value; + } + return -1; +} + +int main(int argc, char **argv) +{ + int sock; + int domain, type, protocol; + + if (argc != 4) { + fprintf(stderr, "usage: %s domain type protocol\n", argv[0]); + exit(1); + } + + domain = lookup_value(argv[1], domains); + if (domain < 0) { + fprintf(stderr, "%s: unknown domain %s\n", argv[0], argv[1]); + exit(1); + } + + type = lookup_value(argv[2], types); + if (type < 0) { + fprintf(stderr, "%s: unknown type %s\n", argv[0], argv[2]); + exit(1); + } + + protocol = lookup_value(argv[3], protocols); + if (protocol < 0) { + fprintf(stderr, "%s: unknown protocol %s\n", argv[0], argv[3]); + exit(1); + } + + sock = socket(domain, type, protocol); + if (sock < 0) { + fprintf(stderr, "%s: socket(%s/%d, %s/%d, %s/%d): %s\n", + argv[0], argv[1], domain, argv[2], type, + argv[3], protocol, strerror(errno)); + exit(1); + } + close(sock); + exit(0); +} diff --git a/tests/extended_socket_class/test b/tests/extended_socket_class/test new file mode 100755 index 0000000..eb100ee --- /dev/null +++ b/tests/extended_socket_class/test @@ -0,0 +1,76 @@ +#!/usr/bin/perl + +use Test; +BEGIN { plan tests => 16 }; + +$basedir = $0; $basedir =~ s|(.*)/[^/]*|$1|; + +# Enable gid 0 to create ICMP sockets for testing. +system("echo 0 0 > /proc/sys/net/ipv4/ping_group_range"); + +# Verify that test_icmp_socket_t can create an ICMP socket. +$result = system("runcon -t test_icmp_socket_t -- $basedir/sockcreate inet dgram icmp 2>&1"); +ok($result, 0); + +# Verify that test_no_icmp_socket_t cannot create an ICMP socket. +$result = system("runcon -t test_no_icmp_socket_t -- $basedir/sockcreate inet dgram icmp 2>&1"); +ok($result); + +# Verify that test_icmp_socket_t can create an ICMPv6 socket. +$result = system("runcon -t test_icmp_socket_t -- $basedir/sockcreate inet6 dgram icmpv6 2>&1"); +ok($result, 0); + +# Verify that test_no_icmp_socket_t cannot create an ICMPv6 socket. +$result = system("runcon -t test_no_icmp_socket_t -- $basedir/sockcreate inet6 dgram icmpv6 2>&1"); +ok($result); + +# Restore to the kernel defaults - no one allowed to create ICMP sockets. +system("echo 1 0 > /proc/sys/net/ipv4/ping_group_range"); + +# Verify that test_sctp_socket_t can create an IPv4 stream SCTP socket. +$result = system("runcon -t test_sctp_socket_t -- $basedir/sockcreate inet stream sctp 2>&1"); +ok($result, 0); + +# Verify that test_no_sctp_socket_t cannot create an IPv4 stream SCTP socket. +$result = system("runcon -t test_no_sctp_socket_t -- $basedir/sockcreate inet stream sctp 2>&1"); +ok($result); + +# Verify that test_sctp_socket_t can create an IPv4 seqpacket SCTP socket. +$result = system("runcon -t test_sctp_socket_t -- $basedir/sockcreate inet seqpacket sctp 2>&1"); +ok($result, 0); + +# Verify that test_no_sctp_socket_t cannot create an IPv4 seqpacket SCTP socket. +$result = system("runcon -t test_no_sctp_socket_t -- $basedir/sockcreate inet seqpacket sctp 2>&1"); +ok($result); + +# Verify that test_sctp_socket_t can create an IPv6 stream SCTP socket. +$result = system("runcon -t test_sctp_socket_t -- $basedir/sockcreate inet6 stream sctp 2>&1"); +ok($result, 0); + +# Verify that test_no_sctp_socket_t cannot create an IPv6 stream SCTP socket. +$result = system("runcon -t test_no_sctp_socket_t -- $basedir/sockcreate inet6 stream sctp 2>&1"); +ok($result); + +# Verify that test_sctp_socket_t can create an IPv6 seqpacket SCTP socket. +$result = system("runcon -t test_sctp_socket_t -- $basedir/sockcreate inet6 seqpacket sctp 2>&1"); +ok($result, 0); + +# Verify that test_no_sctp_socket_t cannot create an IPv6 seqpacket SCTP socket. +$result = system("runcon -t test_no_sctp_socket_t -- $basedir/sockcreate inet6 seqpacket sctp 2>&1"); +ok($result); + +# Verify that test_bluetooth_socket_t can create a Bluetooth socket. +$result = system("runcon -t test_bluetooth_socket_t -- $basedir/sockcreate bluetooth stream default 2>&1"); +ok($result, 0); + +# Verify that test_no_bluetooth_socket_t cannot create a Bluetooth socket. +$result = system("runcon -t test_no_bluetooth_socket_t -- $basedir/sockcreate bluetooth stream default 2>&1"); +ok($result); + +# Verify that test_alg_socket_t can create a Crypto API socket. +$result = system("runcon -t test_alg_socket_t -- $basedir/sockcreate alg seqpacket default 2>&1"); +ok($result, 0); + +# Verify that test_no_alg_socket_t cannot create a Crypto API socket. +$result = system("runcon -t test_no_alg_socket_t -- $basedir/sockcreate alg seqpacket default 2>&1"); +ok($result);