From patchwork Mon May 22 13:08:25 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Daniel Jurgens <danielj@mellanox.com>
X-Patchwork-Id: 9740317
Return-Path: <selinux-bounces@tycho.nsa.gov>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	DEE7C601C2 for <patchwork-selinux@patchwork.kernel.org>;
	Mon, 22 May 2017 13:16:21 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CB3311FF22
	for <patchwork-selinux@patchwork.kernel.org>;
	Mon, 22 May 2017 13:16:21 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id BCD5A2846A; Mon, 22 May 2017 13:16:21 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_NONE,
	UNPARSEABLE_RELAY autolearn=ham version=3.3.1
Received: from emsm-gh1-uea10.nsa.gov (emsm-gh1-uea10.nsa.gov [8.44.101.8])
	(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 3D5611FF22
	for <patchwork-selinux@patchwork.kernel.org>;
	Mon, 22 May 2017 13:16:19 +0000 (UTC)
X-IronPort-AV: E=Sophos;i="5.38,377,1491264000"; d="scan'208";a="7298192"
IronPort-PHdr: =?us-ascii?q?9a23=3AEOisPRaxXmkghyQcv2RhJTD/LSx+4OfEezUN459i?=
	=?us-ascii?q?sYplN5qZoc24YR7h7PlgxGXEQZ/co6odzbGH7Oa6Bideu96oizMrSNR0TRgLiM?=
	=?us-ascii?q?EbzUQLIfWuLgnFFsPsdDEwB89YVVVorDmROElRH9viNRWJ+iXhpTEdFQ/iOgVr?=
	=?us-ascii?q?O+/7BpDdj9it1+C15pbffxhEiCCzbL52Lhi6txvdu8sZjYZjNKo61wfErGZPd+?=
	=?us-ascii?q?lK321jOEidnwz75se+/Z5j9zpftvc8/MNeUqv0Yro1Q6VAADspL2466svrtQLe?=
	=?us-ascii?q?TQSU/XsTTn8WkhtTDAfb6hzxQ4r8vTH7tup53ymaINH2QLUpUjms86tnVBnlgz?=
	=?us-ascii?q?oJOD4j9GHcl9J+gqRVrhm8oxBz2pPYbJ2QOPd4Y6jTf84VRXBZU8hRSSJPH42y?=
	=?us-ascii?q?YYgIAeUDM+ZYt4vwq0YAoBSgHgmhH//jxiNSi3Pqx6A2z/gtHAfb1wIgBdIOt3?=
	=?us-ascii?q?HUoc37OqgIV+C+0a3GzSjZb/NZxzj97pPIeQ0mrP6RR71wd8vRxlcrFwPHlViQ?=
	=?us-ascii?q?rJLqPzeR1usXtWib6OVhWfizhG4grgF8uz6izdovhInRno8Z11/J+CpjzIs1ON?=
	=?us-ascii?q?G0UlB3bNG6HJdKqi2WL5Z6T8csTm1ytys3yKcKtYO6cSUK0pgr2gDTZviBfoOV?=
	=?us-ascii?q?+BzsTvyRLi19hH99fbK/gAu9/la4x+3nU8m0zE5Kri1YktnQrnwN1wLc6syASv?=
	=?us-ascii?q?Zl4keuwyyP1wHO6uFfO0w0iaraJIIhwr43jJYTt1jMHjTql0nsia+Wd0Ek9vCp?=
	=?us-ascii?q?6+ThfLrmuoeRO5J7hwzxKKgjmtGzDf4mPgUBQWSX4/mw2KXm/ULjQbVKivM2kr?=
	=?us-ascii?q?PesJDfPckbvbC2AwtU0oYl9ha+AC6q388fnXkaKlJKZAyIj5PyNlHSIPH3Efe/?=
	=?us-ascii?q?g1O2nDdt3PDJJKftAprKLnjdiLvhZ6py61ZAyAovytBS/5BUCrYHIP3pRk/xtM?=
	=?us-ascii?q?bXDhkiPgy2xObnDtB92ZkFWWKTHKCZKrjSvUWP5uI1LOmGfJUVtyrlK/g5+/7u?=
	=?us-ascii?q?imc0mV0ffaazwZQXa2u4HvNgI0WYf3rhmdkBEWMXvgsxV+PqlVuCUSJOZ3qoWK?=
	=?us-ascii?q?I8/D47Apq8DYjfXoCtnKCB3CCjE5xYZ2BGDlWMHmnyd4ifVfcDdj+dIsh7kjMe?=
	=?us-ascii?q?TbihUYgh1ROwuwDm17prNO3U+jcXtZj7zth6+/XTlQ0u9TxzF8mSzn2CT2Rznm?=
	=?us-ascii?q?MOWz86wbtyoVJjxVeZ0Kh5gvtYFdpJ6/NPTAg6KYbWz/ZmBNDqRgLBYtCJRU67?=
	=?us-ascii?q?TdW6Gz4xVMk8zMMJY0Z4B9qtlAvD3zawD78TibOLGIQ+8rjA0HjpO8Z913HG2b?=
	=?us-ascii?q?EhjlgnRctPM3arhqt79wTKBo7JlV+Vl6CweqQG3y7N9XmDwnSUsEFeTgFwTb3P?=
	=?us-ascii?q?XWoDaUvOsdT5+kTCQqewBrQ/KARB08+CKrBRZ93xl1pGXvbjOM/GY2K1gWi/GQ?=
	=?us-ascii?q?iHyqmLbIrwdGUXxD/dB1QckwAP4XaGMhAzBim7o23ECjxhCVPvY1j3/Ol7sHO7?=
	=?us-ascii?q?T1Y4zxqEbk16zba1/QQVhfOEQfMJwr0EoDshqylzHFul3NLZEdmApw18fKhHYt?=
	=?us-ascii?q?My+lRH1WXEtwBnOZygNa9ijEYEcwtrp0Puywl3CoJYnMcwsXwq1gtyJryC0F5a?=
	=?us-ascii?q?bTyXwZXwNqfQKmno8xClc7TW1U3G0NaK5qcP7+w1q07tvAGzEUoi6Gln3sJO03?=
	=?us-ascii?q?ua4ZXLAg8SXoj3Ukot8Rh1ua3aaDEn54zIzX1sLbW0sjja1tMnHuQlzgqgcMlF?=
	=?us-ascii?q?MKOfDwLyDdMVB9K1J+w3nlildBUEPPpd9KQsJcOpa+OG2LK3POZnhD+mkXlI75?=
	=?us-ascii?q?180k2W8ypxUfLH35EAw/6ExASHTCv8gE2nss/phYBOfSsSEXanySj4GI5RYbV/?=
	=?us-ascii?q?fYAKCWeqJ8242M5+ioX3VHFG7l6jAEkK2MizeRqdd1b9xxFf1VwLoXy7niu11y?=
	=?us-ascii?q?J0kzA1oaqD2yzO2f7uewYHOm5MQmligkzhIYy1j9AcRkeodQ8pmAGi5UbgyKhR?=
	=?us-ascii?q?vL5/IHXLQUdUYyj2KHlvUq+xtrqZf85D8YgovjtTUOS9Z1CaV7H8rgAB0yP7Hm?=
	=?us-ascii?q?tewjE7eC2xupnjmRx1ln6dJm5prHXFYcFw2Qvf5NvESP5L2ToGQC14hifNBleg?=
	=?us-ascii?q?ONmo886Zl4zesu+iTGKtTJpTcTPkzYmYriu0+XVqAQGjn/C0gtDnCRI10TL/19?=
	=?us-ascii?q?VwTyrEtg3zYo7v16SmNuJneFJlBFrg58p8HYFxjpE8hJcO1ngGnp+V52YIkX/v?=
	=?us-ascii?q?MdVH3qLzdHkNSiANw97O+wXl21NsLnSSx4L/SHqd3tFtZ96gYmMZwig99dxFCL?=
	=?us-ascii?q?+I7LxYmit4ukS4rQTMbvVmgDcdz+Yh6H4Aj+EPpgUt0j2XAqoOEklAISzsixOI?=
	=?us-ascii?q?4simrKpNeWavdaO921Z/ndC9DLCOuw9cV2z/eps4Gi9w9Mp/OkrW0HLv8oHkZM?=
	=?us-ascii?q?XQbdULux2OjhjPkvNYKJ00lvsFnyZnP3zyvWE9we4hkRNuxY26vJSAK2h15KK2?=
	=?us-ascii?q?GANYNjnraMML4D7ti7pekdiM3420A5VhASsEXIHzTf6yCzISsunnNxySHzIipH?=
	=?us-ascii?q?ebHqDfHQCB50t8qXLADYyrPWmNJHYF1dViWAWdJEtHjQAaRjo6mII5FgevxMH6?=
	=?us-ascii?q?fkd2+C0e5lniqhRW0uJoLR7/UmXBqwi0djc4Up+fLABZ7gta/UfaLdSe7v5vHy?=
	=?us-ascii?q?Ff5pChqRaCKmifZwtWEWEJRlaLCEr4M7mo+9bA7/OYCfakIPvWf7qCs+peWOmU?=
	=?us-ascii?q?xZi3yItp4y6MNtmTPnllF/A7wFBPXH5jF8TcgToPTysXliLWYsGBuBi8/zd7rs?=
	=?us-ascii?q?el8PTkQAjv/5eAC6NOMdVz/BC7mamDN/SOiylkMjZXzJUMxWPPyLgEx1MdkT1h?=
	=?us-ascii?q?dzy3HbQHry7NQ7ramrVLAB4DdyNzKMxI4ro63glXI8Hbksv126V2jv40EVdFTk?=
	=?us-ascii?q?Dhms+oZcwMOW69Mk/IBEeRO7SCPzHLxNv3YaykQ71KkOpUrwGwuSqcE0L7JjSM?=
	=?us-ascii?q?iSLmWA6pMeFNkCGbOwdTuICjfRlzF2fvVtXmage0MNVvlz053aU0hm/WNW4bKT?=
	=?us-ascii?q?VzblhNoaOK4iNXmPVwAXJB42F+LeaemCaZ8vPYJYwMvftvHyR0kfhV4G4jx7tJ?=
	=?us-ascii?q?6yFER/x0mCzIot5ovV6mjvGFyiB7XxpWtjZLmIWLsF15OarD6JlPQ3nE8wwW7W?=
	=?us-ascii?q?iLEBQFvcVlBcfgu69O0djDjqTzJyle89jM58sTG9DUKN6bMHomKRfmAz/UDAQC?=
	=?us-ascii?q?TT6tLmzQmlJSn+qT9nKPqJg2sJ/smIABSrVDTlw6CusaClh5HNwFOJp4RDwknq?=
	=?us-ascii?q?SFjMEW/ne+qwHRS9tcvpDCTP2SAPHvJy2ejbhLfRcIxqn4LYsLPI3hx0NickV6?=
	=?us-ascii?q?nJjNG0fIQdBNpShhYhUuoEVK8XlxUGsz1Fn/agOq/nATFuW5kQIxigt7fesi7i?=
	=?us-ascii?q?zs40stKlrMuiQwjFE7mc/5jjCJbD7xMKCwUJlVCyv0s0g+LIj2QwNybQ28k0xr?=
	=?us-ascii?q?KivER65Rj7tncGBklhXQuZ1RFv5AVadEegMfxemLZ/U01lRRsiOnylFd6uvBEp?=
	=?us-ascii?q?ZilwwqcYWwr31a3QJjd901Ja3KKKpP0FdQmrqEvjW02eAp3A8eO0EN/XuIeCEW?=
	=?us-ascii?q?o0wHKKMpJzC08exs8gGNgDpDeHIRWPotrPJq7lk9NPqAzi761b5MNFyxPfSFL6?=
	=?us-ascii?q?yFo2jAidKIQlQo20wVkElF+7523to9fEqQVkAi16GeGAoTNcrFMw1VaNBS9HfL?=
	=?us-ascii?q?dyaUrerN2Y51P5m6Fu3wUOCBrrgUgkO5EwYyBIkD9N4BHoOr0EDWNsfoMqIKyQ?=
	=?us-ascii?q?g35ATqOFWEDO5FeBSVnzcbu8u/1oN43ZFBJjEBBmVwKSG35rHNpgA0hvqCXdA2?=
	=?us-ascii?q?b2wVXosCK3I6Qsq6mzRWv35YFjm4zvoZyBSe7z/7vinQFyfzb95iZPeSeBNtB8?=
	=?us-ascii?q?q79ik486izlVHY6I7eJ33gOdRkpNDP9fsQp4ybBPNMUbl9r0DclpFbR3ywU2/A?=
	=?us-ascii?q?C9i1J4Twa4Q3Ytz0DW66XUClhzIzUcjxIM6nLrKUjgHwWYZUrI6b0Sg/Nc+8Ez?=
	=?us-ascii?q?EeHAtwp+ED5a9neAIDYpo6bgTzuAgkMaywPhuY2M20Q2mxMTtWU+VfzeKiarNN?=
	=?us-ascii?q?yyosb/O1x2U4QZE/z+i390kNRJcQgRzF3vmjZpNRUS7qFnxTZgXDvyw5mHZ9Nu?=
	=?us-ascii?q?wq2Ocw3AvIsUUAMzCMbOFmc3JLv9cnCFyIPHp2FHQ3R0WHjYXZ+A6t36oe/yxH?=
	=?us-ascii?q?n9ZbyedFqmTxvofDYDKwX6ymsZrVszchbdgip61+L4njL9Cbu5zAhTPfTYPfsg?=
	=?us-ascii?q?ufXC69DfpalcBaIDhET/lQhWElJcsGtJJb6Uo3V8cxO7xPCK4oprCxcTRqFDMc?=
	=?us-ascii?q?wzUFWo2HxzENnuC8277GmRiKa5QiLAYIsJNcjdsBSyR2eD8RpLe/V4XKkG+JUn?=
	=?us-ascii?q?ILLx0J7QRL/w0NjZNwfvr/74rWUpBMzz9Wo/R7UivPF5lo+Fv7Sn2YgVfiUvWh?=
	=?us-ascii?q?lval3QRMw/LwytMbQgJwCVBBx+ZKkUslML92J7MMsY7Ksz+IcEL6s3juyOa9JV?=
	=?us-ascii?q?le19PbeEPiAIrCr2r8XTUW+WcISo9X1HHfCZMSnhJjZ6YxuVVMJpqqekXl6jwl?=
	=?us-ascii?q?xoRpHqW4Wtuxy1Yjs3kGWz+gE8BdBOF+rFLXRDplboiqqJXjJ5VdXGtQ94OYq1?=
	=?us-ascii?q?hHjEVtKS64xIFbK8FV/DEMWj1Pri+cvNu2U8JD3sB3A4ULItdltHf3ALlEN4SJ?=
	=?us-ascii?q?o30qprzvzWfU+z8msFigwjWzB7S1T+Ne/2wQHAUpO2SepVcuD+sq7mfd7ErNvk?=
	=?us-ascii?q?py/+hFGriFlV9xryplHpBSGjZJ0mioL0h0THlDqOhaNLjZc8lHTPUoYx+gJQA+?=
	=?us-ascii?q?H+Y830OV5UF0gWv5Yytquwta4S/dRRM7VS0Ijbr2hDIRtNmnOScERJJMczohdT?=
	=?us-ascii?q?3JKwWBmSBYpBxfcV1lW4gFAtZZ/LEWxYlU/s3cRku3NC4KQgdiORwi0fpDi0FM?=
	=?us-ascii?q?rV+UeSbDAgq0bfzPqAF4fd+NrM61K/T05BxIio37v+wk9agPWnOrlBaxTtDZqo?=
	=?us-ascii?q?/zqseFtlCSdKviNe2zf2PBRiDWjR+snbckE4XK/y/LPQpBNZZ11HokboL9CWPQ?=
	=?us-ascii?q?ORRGILwbKFRFWa9mbtVJv/5Va9VieKkX5a9nHgiHSQ/3GIyzsPlGKU7eRSzFLy?=
	=?us-ascii?q?Wd6OOwvJ7T4KfGSejne8yM3WrITLxxPpdm8zn0AbPq3ZVZ+krs1fdn7ll6RkTe?=
	=?us-ascii?q?MyCdsNThIRsG5NW4dkT8oJImACjbAIp0kHrx3EFPbdQXQyyt8JQc1pxZ9Gz8Se?=
	=?us-ascii?q?Vi0kj8qOdS7aVr6ZEr47B1zse5PaXSJu5AsU9gGRiUAh9l9os2DWh6WmBRZvMR?=
	=?us-ascii?q?KPbNcqQYl8/urfv3G7YQ6B2P9OxTccHHKF3ZmsmjFjGcTgRJnAUbpj4cIAuczf?=
	=?us-ascii?q?mFlLJqRsu+uej2wEQt40O5LhIcyrBi+5uE8LKSpODLdxvR0aQEWq/yS8P1qrQh?=
	=?us-ascii?q?oEKS5fshlLIUe2x1ZQOnEPIHWc4G2mfg170qwj4wE8PeBbLv5uRPV3UjnjLvg5?=
	=?us-ascii?q?p9BUkZGusIHbqX+oRThmE4m+3FOd0RdqBNgH2PGQSlEr8Fzn6r8DCXLXJgghzB?=
	=?us-ascii?q?3BD8W2Sz7EX5rSVgWyvD08/jklZJVrmwHUpdQzCmOUtmvzOUIArptN33tL8u7E?=
	=?us-ascii?q?4qM2zrqtSNlHegOLxNBcH/IsKTITUsrlINkJIxXsCv2ZwcGdelJNcR63R+Y/vF?=
	=?us-ascii?q?5mOljSBOvqBHh5DE7cGN4PXXGnuggLOGpLWR3jxYzWI4vV4n4NC6Kv7O/8GKQ+?=
	=?us-ascii?q?iv12sJTSd/ug7BUgWwqrPFr1EbJ1aL0EbNmIwFJN1Z22c31l3+7ug5XN0z7Ble?=
	=?us-ascii?q?FprHZ/4apDDyOSH7zkyDbN8sTSmRzSdXEUzpHlViH6g8wm3wttrTlXjM410oWp?=
	=?us-ascii?q?Vwd0v/iBNsDoU4Mkws50IVwioCDQgNcQqUDKysBUn+MYQEUlUMZgqd07inYKc3?=
	=?us-ascii?q?2ldzzam16O/Ud+x8CLIHNuxBgQ6WgFhbBpUWvLUGQL1mZ19S6K7XpwblC4j9XP?=
	=?us-ascii?q?jqjGEwOuOxQsBb98AZqnQj7x2nRxW69ZdM87YbiZ6Pdq5eYpjApsN84Fl95T4J?=
	=?us-ascii?q?aCNNhAJzjxSjUeATvOrj+MTUsIK06uayU6YgX/kX9wIqCGR6lZTwhk4srMrK2O?=
	=?us-ascii?q?ddRY3ViJj//xpWI3GQoobazgNwKewQJIK3ZLxg7WkIJzACJ3ISOtqbc/Y87DV3?=
	=?us-ascii?q?MDrN+1xCAtgBZdcZPMrRhw9UilfmWKxI9sbBHF+XFZtzfdgy72Xr0DA17Yc8Uu?=
	=?us-ascii?q?H45T+5O5/f6U1NP/REjClrj9LNuuwVwfvUCCgK7niUcBx1zT2Yy5iNEfn85+OM?=
	=?us-ascii?q?x8/IV1keBC45T59dJCae+QygXue6iJfpXRmI5cLonJ0+c0aQRniwnKsbqKZMDf?=
	=?us-ascii?q?BPhTn73jREEYD1nf2VucK26GRLrl1HDJpz7RrdFaVaOZV7Pwj4lsa1SUVnAyv/?=
	=?us-ascii?q?edvbdhwwt+qKyOYM5P9+N0jlZYMBJBIL1a7642JPTgRyUL72okqZXeUJadtpVP?=
	=?us-ascii?q?zEtWtV5Zt9JaEAOladpZrqripHqV0tDw8pbaU/rjpEeUXUmw1VQan0sqYaigQA?=
	=?us-ascii?q?Sd55pVNMGWWoNWI84DrHVaJVgLONB/wV9jWTU7EBUkRpMiN4WBO125RudqC3nf?=
	=?us-ascii?q?BGrGNJhCd9r+Ur0zB8QhuzpzHsrboX2T084LG4qCkBuXtdQ+WfjSfHE1NDwe8O?=
	=?us-ascii?q?jacBFnni6Fu8YGIZYIv1+rlnKtzq9ZM97HQnfRUjYyoGUPyiCy7ugaOIDIiPvc?=
	=?us-ascii?q?lShRGXvsXBc6OzITIUNrsj1RLpX2J93RTGnBZ07GsLRS2t7NAgJIW6N8cq2C6o?=
	=?us-ascii?q?GWzAeVYX5aNJtsrxukIRQOswd1xh3H1p0tKbSS0VWMzPB2E1gxAmaWVEcJND8R?=
	=?us-ascii?q?gaF60pgjaUoKZL5QQUYDbIEoS/5Ibch8DI2WMyTd1y3GLZurWFho820H1ig950?=
	=?us-ascii?q?8i+OuHEJeuzEUs9jHnvz2ZlbyeDkYfWirPwHQpN8yLu9SP8CLtWj+Wyu1ZVvW0?=
	=?us-ascii?q?+lxbceH12iPe8B3LjbUCClSWuGVuSNaWSMmSg2MlLq7xmyMlI3cNtKr1M6Muba?=
	=?us-ascii?q?nZFTiQvhUa9vSyWLoV/by3AjMf8Edw0opYirYQsKTPQeZ+KEP+gh3OU+CEcQb3?=
	=?us-ascii?q?/OBSZ2E+i2sVq3k4hhNXRg5kH6Yer2/wDjN9uSHQIEHpDGoZ5r/vy6XXmBOX5m?=
	=?us-ascii?q?zB19JkV08P3fF1spvO9Gb5mRhcTQh8h80eMdefdiLyk9ut8Lmo198oSV0caKcR?=
	=?us-ascii?q?TUzpnsP9HVpuaXD+fYz0QwdWFQSqAZbh/t54UmIt45XKXeHLVBvRQGBKg1XIIu?=
	=?us-ascii?q?Onz09KF1MANzaBDeaK6zgsnwqeKBfoFUqGPO7lIsMCfcvAUOyvuwTQNldJ2qn3?=
	=?us-ascii?q?HyL4orRjJdrt1iFgdmHJFRFMwetQanBYCbmL2jgd+r50x6o/MKsbb3Cv3S0NS5?=
	=?us-ascii?q?3oNxX4VV5ECSODbRBbJrglh+jumpg/fPyJ/xCcT4ddMDTuh7TXbPaqXaEYWnNj?=
	=?us-ascii?q?KOJsX8dlZd87GC1LJ5UxORZD32XqaBuyOkKPVk7lshyoNmZOrc1icg77LF19vo?=
	=?us-ascii?q?YWFUuCOjomWUNJtQ9lDKAvbeXx1MQ/qf7GllBbEXbZfz9OoWNNwt2sST4wly7D?=
	=?us-ascii?q?RE18uIOLahrk7K2k1lcZLbLU3p2zs2WIUQJxS/K0Qsi3fDqnvBGXRcMtSkKc51?=
	=?us-ascii?q?jdaXFBPt5E5xlno2a25cHGroWdeROW8G28KxZA2K6BhHD9AdkO6rYUQ4rLG9Sf?=
	=?us-ascii?q?F0OpVZnuWnrK4Ins1uJyHLRchaJD3QLKRsMjpKEOrAuEIkYgUavLgxW4c1Y4WO?=
	=?us-ascii?q?IUwcPUicySLy1xbC0Vbue92izqmJPD0W8nJBz77f1jhMvQa5s+6DgsL/SLDZcI?=
	=?us-ascii?q?32XPnKPSoqTD6VXi4yEUe39legoPcEov6YLn0EolAVfyKeEggTqb5zrdLIFG/c?=
	=?us-ascii?q?hfVjfIEWhPCdQy3wSih4lK0oBiZRtECMWOEOFQ/MYH/knmVcuRauJvhW/XLqd7?=
	=?us-ascii?q?eY3LZaW/QKAotQdf2UW8DYef5bJzg0lzgUO/2xf8PCoLYj01LJTGwZE6/S+F2Y?=
	=?us-ascii?q?UkGWXq/U+zW+RogRvo4pqgI069nQmWlxCK2OMLGB9BC09YvtoC+e8c/DTGYgZV?=
	=?us-ascii?q?d91O4LBmiMxBtoLWwAD9gTv1GrSamFMRUfnEk1gP5jjkdfMD94VWdjhzgPxPs?=
	=?us-ascii?q?=3D?=
X-IPAS-Result: =?us-ascii?q?A2GYAgDs4yJZ/wHyM5BcGwEBAQMBAQEJAQEBFgEBAQMBAQE?=
	=?us-ascii?q?JAQEBgwEpgW6OepB9cpcQJIwXVwEBAQEBAQEBAgECaAUjgjMkgkIGAQIXDVUDC?=
	=?us-ascii?q?QEBFwgpCAMBUxkFiE+BUASxYjomAosZiD2CZ4RmhiMFkCiBAYxtkyGLG4ZTlEh?=
	=?us-ascii?q?YWTFPIhWEbQsBAQFCHIFmc4Ztgj0BAQE?=
Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1])
	by emsm-gh1-uea10.nsa.gov with ESMTP; 22 May 2017 13:16:11 +0000
Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v4MDFYfB014690;
	Mon, 22 May 2017 09:15:42 -0400
Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil
	[144.51.242.1])
	by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id
	v4MDFXKK141696 for <selinux@prometheus.infosec.tycho.ncsc.mil>;
	Mon, 22 May 2017 09:15:33 -0400
Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v4MDFWnw014688
	for <selinux@tycho.nsa.gov>; Mon, 22 May 2017 09:15:32 -0400
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: 
 A1B1AgB44yJZf4GlL8FcHAEBBAEBCgEBgyyCF456kH1ylxOGJAKGaQECAQEBAQECEwEBIV2FGQMDGg1SEBgIMVcZiFSBVLFiOosPMog9gmeEZoYjBZAogQGMbZMhkW6USFZaMU8iFYU9HIFmPTaGbYI9AQEB
X-IPAS-Result: 
 A1B1AgB44yJZf4GlL8FcHAEBBAEBCgEBgyyCF456kH1ylxOGJAKGaQECAQEBAQECEwEBIV2FGQMDGg1SEBgIMVcZiFSBVLFiOosPMog9gmeEZoYjBZAogQGMbZMhkW6USFZaMU8iFYU9HIFmPTaGbYI9AQEB
X-IronPort-AV: E=Sophos;i="5.38,377,1491278400"; d="scan'208";a="6061055"
Received: from emsm-gh1-uea10.corp.nsa.gov (HELO emsm-gh1-uea10.nsa.gov)
	([10.208.41.36])
	by goalie.tycho.ncsc.mil with ESMTP; 22 May 2017 09:15:32 -0400
IronPort-PHdr: =?us-ascii?q?9a23=3AwLJI8RINzzpgM2Gjb9mcpTZWNBhigK39O0sv0rFi?=
	=?us-ascii?q?tYgRKPjxwZ3uMQTl6Ol3ixeRBMOAuq0C0bWd7fqocFdDyK7JiGoFfp1IWk1Nou?=
	=?us-ascii?q?QttCtkPvS4D1bmJuXhdS0wEZcKflZk+3amLRodQ56mNBXdrXKo8DEdBAj0OxZr?=
	=?us-ascii?q?KeTpAI7SiNm82/yv95HJbQhFgDiwbalsIBi0ognct9caipZ+J6gszRfEvmFGcP?=
	=?us-ascii?q?lMy2NyIlKTkRf85sOu85Nm7i9dpfEv+dNeXKvjZ6g3QqBWAzogM2Au+c3krgLD?=
	=?us-ascii?q?QheV5nsdSWoZjBxFCBXY4R7gX5fxtiz6tvdh2CSfIMb7Q6w4VSik4qx2UxLjlj?=
	=?us-ascii?q?sJOCAl/2HWksxwjbxUoBS9pxxk3oXYZJiZOOdicq/BeN8XQ3dKUMRMWCxbGo6y?=
	=?us-ascii?q?b5UBAfcPM+hbqIfypVUOoACiCQWwHu7j1iVFimPq0aA8zu8vERvG3AslH98Wvn?=
	=?us-ascii?q?rbttP1P7oWX+Co1qnIwivMb/VN2Tzg74XHbwouofeNXb1udcrRy1IiFwbbgVWU?=
	=?us-ascii?q?rYzqJTWV1uMCsmSB8+VgUuevhnchpgpsoTav3t8hhpTNi48b0FzJ+id0zJwoKd?=
	=?us-ascii?q?C5SEN3e8OoHIVUuiycKoB4WNktQ3tytyY/0rAGuYC0fCwNyJk/wh7QdfiHc4yS?=
	=?us-ascii?q?7RLlU+aQLi10i25ieL6lhhay9VCsyuz6VsaqzFZHtjdJn93Cu3wX2BHe6NKLRu?=
	=?us-ascii?q?Z880qhwzqDyh7f5+VcLUAxj6XbKpohwrAqlpoUtETOBjL5l1/wjK+XaEok/uqo?=
	=?us-ascii?q?5v/iYrr4op+cM5V7igf5MqUhgMCwHeM4Mg0WU2iB5eu8zKHj/VH+QLhSlf05jK?=
	=?us-ascii?q?3ZsJHcJcQGqa+0GBNV04Y/5Ba/CDeqytIYnWIdI15fdxKHiJbpaBnyJ6XjAPO+?=
	=?us-ascii?q?hUm8uCt6zPDBeLv6C9PCKWaQvq3meONR4kgU6hcpwt1Z/NoABrgHIf/3WGf0ud?=
	=?us-ascii?q?jcBxk+I0q/xOOxW4Y17Z8XRW/aWvzRC6jVq1Ldo7t3e+Q=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0HmAQDs4yJZf4GlL8FcHAEBBAEBCgEBF?=
	=?us-ascii?q?wEBBAEBCgEBgwGCF456kH1ylxOGJAKGaQEBAQEBAQEBAgECEAEBIV2CMyQBgkE?=
	=?us-ascii?q?DAxoNUhAYCDFXGYhUgVSxYjqLDzKIPYJnhGaGIwWQKIEBjG2TIZFulEhWWzFPI?=
	=?us-ascii?q?hWFPRyBZj02hm2CPQEBAQ?=
X-IPAS-Result: =?us-ascii?q?A0HmAQDs4yJZf4GlL8FcHAEBBAEBCgEBFwEBBAEBCgEBgwG?=
	=?us-ascii?q?CF456kH1ylxOGJAKGaQEBAQEBAQEBAgECEAEBIV2CMyQBgkEDAxoNUhAYCDFXG?=
	=?us-ascii?q?YhUgVSxYjqLDzKIPYJnhGaGIwWQKIEBjG2TIZFulEhWWzFPIhWFPRyBZj02hm2?=
	=?us-ascii?q?CPQEBAQ?=
X-IronPort-AV: E=Sophos;i="5.38,377,1491264000"; d="scan'208";a="7298158"
X-IronPort-Outbreak-Status: No, level 0, Unknown - Unknown
Received: from mail-il-dmz.mellanox.com (HELO mellanox.co.il)
	([193.47.165.129])
	by emsm-gh1-uea10.nsa.gov with ESMTP; 22 May 2017 13:15:30 +0000
Received: from Internal Mail-Server by MTLPINE1 (envelope-from
	danielj@mellanox.com)
	with ESMTPS (AES256-SHA encrypted); 22 May 2017 16:08:48 +0300
Received: from x-vnc01.mtx.labs.mlnx. (x-vnc01.mtx.labs.mlnx [10.12.150.16])
	by labmailer.mlnx (8.13.8/8.13.8) with ESMTP id v4MD8f0p017562;
	Mon, 22 May 2017 16:08:46 +0300
From: Dan Jurgens <danielj@mellanox.com>
To: selinux@tycho.nsa.gov
Subject: [PATCH v3 3/9] libsepol: Add Infiniband Pkey handling to CIL
Date: Mon, 22 May 2017 16:08:25 +0300
Message-Id: <1495458511-46724-4-git-send-email-danielj@mellanox.com>
X-Mailer: git-send-email 1.7.1
In-Reply-To: <1495458511-46724-1-git-send-email-danielj@mellanox.com>
References: <1495458511-46724-1-git-send-email-danielj@mellanox.com>
X-BeenThere: selinux@tycho.nsa.gov
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
	<selinux.tycho.nsa.gov>
List-Post: <mailto:selinux@tycho.nsa.gov>
List-Help: <mailto:selinux-request@tycho.nsa.gov?subject=help>
Errors-To: selinux-bounces@tycho.nsa.gov
Sender: "Selinux" <selinux-bounces@tycho.nsa.gov>
X-Virus-Scanned: ClamAV using ClamSMTP

From: Daniel Jurgens <danielj@mellanox.com>

Add Infiniband pkey parsing, symbol table management, and policy
generation to CIL.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
---
 libsepol/cil/src/cil.c             | 19 +++++++++
 libsepol/cil/src/cil_binary.c      | 39 +++++++++++++++++
 libsepol/cil/src/cil_binary.h      | 12 ++++++
 libsepol/cil/src/cil_build_ast.c   | 86 ++++++++++++++++++++++++++++++++++++++
 libsepol/cil/src/cil_build_ast.h   |  2 +
 libsepol/cil/src/cil_copy_ast.c    | 26 ++++++++++++
 libsepol/cil/src/cil_copy_ast.h    |  1 +
 libsepol/cil/src/cil_flavor.h      |  1 +
 libsepol/cil/src/cil_internal.h    | 11 +++++
 libsepol/cil/src/cil_policy.c      | 16 +++++++
 libsepol/cil/src/cil_post.c        | 45 ++++++++++++++++++++
 libsepol/cil/src/cil_post.h        |  1 +
 libsepol/cil/src/cil_reset_ast.c   |  9 ++++
 libsepol/cil/src/cil_resolve_ast.c | 27 ++++++++++++
 libsepol/cil/src/cil_resolve_ast.h |  1 +
 libsepol/cil/src/cil_tree.c        | 16 ++++++-
 libsepol/cil/src/cil_verify.c      | 23 ++++++++++
 17 files changed, 334 insertions(+), 1 deletion(-)

diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c
index 9b9ccc36..3df670a7 100644
--- a/libsepol/cil/src/cil.c
+++ b/libsepol/cil/src/cil.c
@@ -188,6 +188,7 @@ static void cil_init_keys(void)
 	CIL_KEY_MLSVALIDATETRANS = cil_strpool_add("mlsvalidatetrans");
 	CIL_KEY_CONTEXT = cil_strpool_add("context");
 	CIL_KEY_FILECON = cil_strpool_add("filecon");
+	CIL_KEY_IBPKEYCON = cil_strpool_add("ibpkeycon");
 	CIL_KEY_PORTCON = cil_strpool_add("portcon");
 	CIL_KEY_NODECON = cil_strpool_add("nodecon");
 	CIL_KEY_GENFSCON = cil_strpool_add("genfscon");
@@ -257,6 +258,7 @@ void cil_db_init(struct cil_db **db)
 	cil_sort_init(&(*db)->genfscon);
 	cil_sort_init(&(*db)->filecon);
 	cil_sort_init(&(*db)->nodecon);
+	cil_sort_init(&(*db)->ibpkeycon);
 	cil_sort_init(&(*db)->portcon);
 	cil_sort_init(&(*db)->pirqcon);
 	cil_sort_init(&(*db)->iomemcon);
@@ -308,6 +310,7 @@ void cil_db_destroy(struct cil_db **db)
 	cil_sort_destroy(&(*db)->genfscon);
 	cil_sort_destroy(&(*db)->filecon);
 	cil_sort_destroy(&(*db)->nodecon);
+	cil_sort_destroy(&(*db)->ibpkeycon);
 	cil_sort_destroy(&(*db)->portcon);
 	cil_sort_destroy(&(*db)->pirqcon);
 	cil_sort_destroy(&(*db)->iomemcon);
@@ -728,6 +731,9 @@ void cil_destroy_data(void **data, enum cil_flavor flavor)
 	case CIL_FILECON:
 		cil_destroy_filecon(*data);
 		break;
+	case CIL_IBPKEYCON:
+		cil_destroy_ibpkeycon(*data);
+		break;
 	case CIL_PORTCON:
 		cil_destroy_portcon(*data);
 		break;
@@ -1097,6 +1103,8 @@ const char * cil_node_to_string(struct cil_tree_node *node)
 		return CIL_KEY_FSUSE;
 	case CIL_FILECON:
 		return CIL_KEY_FILECON;
+	case CIL_IBPKEYCON:
+		return CIL_KEY_IBPKEYCON;
 	case CIL_PORTCON:
 		return CIL_KEY_PORTCON;
 	case CIL_NODECON:
@@ -2255,6 +2263,17 @@ void cil_filecon_init(struct cil_filecon **filecon)
 	(*filecon)->context = NULL;
 }
 
+void cil_ibpkeycon_init(struct cil_ibpkeycon **ibpkeycon)
+{
+	*ibpkeycon = cil_malloc(sizeof(**ibpkeycon));
+
+	(*ibpkeycon)->subnet_prefix_str = NULL;
+	(*ibpkeycon)->pkey_low = 0;
+	(*ibpkeycon)->pkey_high = 0;
+	(*ibpkeycon)->context_str = NULL;
+	(*ibpkeycon)->context = NULL;
+}
+
 void cil_portcon_init(struct cil_portcon **portcon)
 {
 	*portcon = cil_malloc(sizeof(**portcon));
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index e1481a43..1ddbf21f 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -3218,6 +3218,40 @@ exit:
 	return rc;
 }
 
+int cil_ibpkeycon_to_policydb(policydb_t *pdb, struct cil_sort *ibpkeycons)
+{
+	int rc = SEPOL_ERR;
+	uint32_t i = 0;
+	ocontext_t *tail = NULL;
+	struct in6_addr subnet_prefix;
+
+	for (i = 0; i < ibpkeycons->count; i++) {
+		struct cil_ibpkeycon *cil_ibpkeycon = ibpkeycons->array[i];
+		ocontext_t *new_ocon = cil_add_ocontext(&pdb->ocontexts[OCON_IBPKEY], &tail);
+
+		rc = inet_pton(AF_INET6, cil_ibpkeycon->subnet_prefix_str, &subnet_prefix);
+		if (rc != 1) {
+			cil_log(CIL_ERR, "ibpkeycon subnet prefix not in valid IPV6 format\n");
+			rc = SEPOL_ERR;
+			goto exit;
+		}
+
+		memcpy(&new_ocon->u.ibpkey.subnet_prefix, &subnet_prefix.s6_addr[0],
+		       sizeof(new_ocon->u.ibpkey.subnet_prefix));
+		new_ocon->u.ibpkey.low_pkey = cil_ibpkeycon->pkey_low;
+		new_ocon->u.ibpkey.high_pkey = cil_ibpkeycon->pkey_high;
+
+		rc = __cil_context_to_sepol_context(pdb, cil_ibpkeycon->context, &new_ocon->context[0]);
+		if (rc != SEPOL_OK)
+			goto exit;
+	}
+
+	return SEPOL_OK;
+
+exit:
+	return rc;
+}
+
 int cil_portcon_to_policydb(policydb_t *pdb, struct cil_sort *portcons)
 {
 	int rc = SEPOL_ERR;
@@ -3848,6 +3882,11 @@ int __cil_contexts_to_policydb(policydb_t *pdb, const struct cil_db *db)
 		goto exit;
 	}
 
+	rc = cil_ibpkeycon_to_policydb(pdb, db->ibpkeycon);
+	if (rc != SEPOL_OK) {
+		goto exit;
+	}
+
 	if (db->target_platform == SEPOL_TARGET_XEN) {
 		rc = cil_pirqcon_to_policydb(pdb, db->pirqcon);
 		if (rc != SEPOL_OK) {
diff --git a/libsepol/cil/src/cil_binary.h b/libsepol/cil/src/cil_binary.h
index c59b1e3c..a03d250d 100644
--- a/libsepol/cil/src/cil_binary.h
+++ b/libsepol/cil/src/cil_binary.h
@@ -330,6 +330,18 @@ int cil_sepol_level_define(policydb_t *pdb, struct cil_sens *cil_sens);
 int cil_rangetransition_to_policydb(policydb_t *pdb, const struct cil_db *db, struct cil_rangetransition *rangetrans, hashtab_t range_trans_table);
 
 /**
+ * Insert cil ibpkeycon structure into sepol policydb.
+ * The function is given a structure containing the sorted ibpkeycons and
+ * loops over this structure inserting them into the policy database.
+ *
+ * @param[in] pdb The policy database to insert the ibpkeycon into.
+ * @param[in] node The cil_sort structure that contains the sorted ibpkeycons.
+ *
+ * @return SEPOL_OK upon success or an error otherwise.
+ */
+int cil_ibpkeycon_to_policydb(policydb_t *pdb, struct cil_sort *ibpkeycons);
+
+/**
  * Insert cil portcon structure into sepol policydb.
  * The function is given a structure containing the sorted portcons and
  * loops over this structure inserting them into the policy database.
diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
index 36cc6735..11215744 100644
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@@ -4256,6 +4256,89 @@ void cil_destroy_filecon(struct cil_filecon *filecon)
 	free(filecon);
 }
 
+int cil_gen_ibpkeycon(__attribute__((unused)) struct cil_db *db, struct cil_tree_node *parse_current, struct cil_tree_node *ast_node)
+{
+	enum cil_syntax syntax[] = {
+		CIL_SYN_STRING,
+		CIL_SYN_STRING,
+		CIL_SYN_STRING | CIL_SYN_LIST,
+		CIL_SYN_STRING | CIL_SYN_LIST,
+		CIL_SYN_END
+	};
+	int syntax_len = sizeof(syntax) / sizeof(*syntax);
+	int rc = SEPOL_ERR;
+	struct cil_ibpkeycon *ibpkeycon = NULL;
+
+	if (!db || !parse_current || !ast_node)
+		goto exit;
+
+	rc = __cil_verify_syntax(parse_current, syntax, syntax_len);
+	if (rc != SEPOL_OK)
+		goto exit;
+
+	cil_ibpkeycon_init(&ibpkeycon);
+
+	ibpkeycon->subnet_prefix_str = parse_current->next->data;
+
+	if (parse_current->next->next->cl_head) {
+		if (parse_current->next->next->cl_head->next &&
+		    !parse_current->next->next->cl_head->next->next) {
+			rc = cil_fill_integer(parse_current->next->next->cl_head, &ibpkeycon->pkey_low, 0);
+			if (rc != SEPOL_OK) {
+				cil_log(CIL_ERR, "Improper ibpkey specified\n");
+				goto exit;
+			}
+			rc = cil_fill_integer(parse_current->next->next->cl_head->next, &ibpkeycon->pkey_high, 0);
+			if (rc != SEPOL_OK) {
+				cil_log(CIL_ERR, "Improper ibpkey specified\n");
+				goto exit;
+			}
+		} else {
+			cil_log(CIL_ERR, "Improper ibpkey range specified\n");
+			rc = SEPOL_ERR;
+			goto exit;
+		}
+	} else {
+		rc = cil_fill_integer(parse_current->next->next, &ibpkeycon->pkey_low, 0);
+		if (rc != SEPOL_OK) {
+			cil_log(CIL_ERR, "Improper ibpkey specified\n");
+			goto exit;
+		}
+		ibpkeycon->pkey_high = ibpkeycon->pkey_low;
+	}
+
+	if (!parse_current->next->next->next->cl_head) {
+		ibpkeycon->context_str = parse_current->next->next->next->data;
+	} else {
+		cil_context_init(&ibpkeycon->context);
+
+		rc = cil_fill_context(parse_current->next->next->next->cl_head, ibpkeycon->context);
+		if (rc != SEPOL_OK)
+			goto exit;
+	}
+
+	ast_node->data = ibpkeycon;
+	ast_node->flavor = CIL_IBPKEYCON;
+	return SEPOL_OK;
+
+exit:
+	cil_tree_log(parse_current, CIL_ERR, "Bad ibpkeycon declaration");
+	cil_destroy_ibpkeycon(ibpkeycon);
+
+	return rc;
+}
+
+void cil_destroy_ibpkeycon(struct cil_ibpkeycon *ibpkeycon)
+{
+	if (!ibpkeycon)
+		return;
+
+	if (!ibpkeycon->context_str && ibpkeycon->context)
+		cil_destroy_context(ibpkeycon->context);
+
+	free(ibpkeycon);
+}
+
 int cil_gen_portcon(struct cil_db *db, struct cil_tree_node *parse_current, struct cil_tree_node *ast_node)
 {
 	enum cil_syntax syntax[] = {
@@ -6215,6 +6298,9 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
 	} else if (parse_current->data == CIL_KEY_FILECON) {
 		rc = cil_gen_filecon(db, parse_current, ast_node);
 		*finished = CIL_TREE_SKIP_NEXT;
+	} else if (parse_current->data == CIL_KEY_IBPKEYCON) {
+		rc = cil_gen_ibpkeycon(db, parse_current, ast_node);
+		*finished = CIL_TREE_SKIP_NEXT;
 	} else if (parse_current->data == CIL_KEY_PORTCON) {
 		rc = cil_gen_portcon(db, parse_current, ast_node);
 		*finished = CIL_TREE_SKIP_NEXT;
diff --git a/libsepol/cil/src/cil_build_ast.h b/libsepol/cil/src/cil_build_ast.h
index 33bae997..c2d7b31e 100644
--- a/libsepol/cil/src/cil_build_ast.h
+++ b/libsepol/cil/src/cil_build_ast.h
@@ -175,6 +175,8 @@ int cil_gen_context(struct cil_db *db, struct cil_tree_node *parse_current, stru
 void cil_destroy_context(struct cil_context *context);
 int cil_gen_filecon(struct cil_db *db, struct cil_tree_node *parse_current, struct cil_tree_node *ast_node);
 void cil_destroy_filecon(struct cil_filecon *filecon);
+int cil_gen_ibpkeycon(struct cil_db *db, struct cil_tree_node *parse_current, struct cil_tree_node *ast_node);
+void cil_destroy_ibpkeycon(struct cil_ibpkeycon *ibpkeycon);
 int cil_gen_portcon(struct cil_db *db, struct cil_tree_node *parse_current, struct cil_tree_node *ast_node);
 void cil_destroy_portcon(struct cil_portcon *portcon);
 int cil_gen_nodecon(struct cil_db *db, struct cil_tree_node *parse_current, struct cil_tree_node *ast_node);
diff --git a/libsepol/cil/src/cil_copy_ast.c b/libsepol/cil/src/cil_copy_ast.c
index d6685050..7307b08b 100644
--- a/libsepol/cil/src/cil_copy_ast.c
+++ b/libsepol/cil/src/cil_copy_ast.c
@@ -1204,6 +1204,29 @@ int cil_copy_nodecon(struct cil_db *db, void *data, void **copy, __attribute__((
 	return SEPOL_OK;
 }
 
+int cil_copy_ibpkeycon(struct cil_db *db, void *data, void **copy, __attribute__((unused)) symtab_t *symtab)
+{
+	struct cil_ibpkeycon *orig = data;
+	struct cil_ibpkeycon *new = NULL;
+
+	cil_ibpkeycon_init(&new);
+
+	new->subnet_prefix_str = orig->subnet_prefix_str;
+	new->pkey_low = orig->pkey_low;
+	new->pkey_high = orig->pkey_high;
+
+	if (orig->context_str) {
+		new->context_str = orig->context_str;
+	} else {
+		cil_context_init(&new->context);
+		cil_copy_fill_context(db, orig->context, new->context);
+	}
+
+	*copy = new;
+
+	return SEPOL_OK;
+}
+
 int cil_copy_portcon(struct cil_db *db, void *data, void **copy, __attribute__((unused)) symtab_t *symtab)
 {
 	struct cil_portcon *orig = data;
@@ -1916,6 +1939,9 @@ int __cil_copy_node_helper(struct cil_tree_node *orig, __attribute__((unused)) u
 	case CIL_NODECON:
 		copy_func = &cil_copy_nodecon;
 		break;
+	case CIL_IBPKEYCON:
+		copy_func = &cil_copy_ibpkeycon;
+		break;
 	case CIL_PORTCON:
 		copy_func = &cil_copy_portcon;
 		break;
diff --git a/libsepol/cil/src/cil_copy_ast.h b/libsepol/cil/src/cil_copy_ast.h
index 78c34b87..a50c3708 100644
--- a/libsepol/cil/src/cil_copy_ast.h
+++ b/libsepol/cil/src/cil_copy_ast.h
@@ -99,6 +99,7 @@ int cil_copy_netifcon(struct cil_db *db, void *data, void **copy, symtab_t *symt
 int cil_copy_genfscon(struct cil_db *db, void *data, void **copy, symtab_t *symtab);
 int cil_copy_filecon(struct cil_db *db, void *data, void **copy, symtab_t *symtab);
 int cil_copy_nodecon(struct cil_db *db, void *data, void **copy, symtab_t *symtab);
+int cil_copy_ibpkeycon(struct cil_db *db, void *data, void **copy, symtab_t *symtab);
 int cil_copy_portcon(struct cil_db *db, void *data, void **copy, symtab_t *symtab);
 int cil_copy_pirqcon(struct cil_db *db, void *data, void **copy, symtab_t *symtab);
 int cil_copy_iomemcon(struct cil_db *db, void *data, void **copy, symtab_t *symtab);
diff --git a/libsepol/cil/src/cil_flavor.h b/libsepol/cil/src/cil_flavor.h
index c01f967a..4505b8bb 100644
--- a/libsepol/cil/src/cil_flavor.h
+++ b/libsepol/cil/src/cil_flavor.h
@@ -113,6 +113,7 @@ enum cil_flavor {
 	CIL_HANDLEUNKNOWN,
 	CIL_MLS,
 	CIL_SRC_INFO,
+	CIL_IBPKEYCON,
 
 /*
  *          boolean  constraint  set  catset
diff --git a/libsepol/cil/src/cil_internal.h b/libsepol/cil/src/cil_internal.h
index aee3f00c..2add97bb 100644
--- a/libsepol/cil/src/cil_internal.h
+++ b/libsepol/cil/src/cil_internal.h
@@ -203,6 +203,7 @@ char *CIL_KEY_VALIDATETRANS;
 char *CIL_KEY_MLSVALIDATETRANS;
 char *CIL_KEY_CONTEXT;
 char *CIL_KEY_FILECON;
+char *CIL_KEY_IBPKEYCON;
 char *CIL_KEY_PORTCON;
 char *CIL_KEY_NODECON;
 char *CIL_KEY_GENFSCON;
@@ -286,6 +287,7 @@ struct cil_db {
 	struct cil_sort *genfscon;
 	struct cil_sort *filecon;
 	struct cil_sort *nodecon;
+	struct cil_sort *ibpkeycon;
 	struct cil_sort *portcon;
 	struct cil_sort *pirqcon;
 	struct cil_sort *iomemcon;
@@ -737,6 +739,14 @@ enum cil_protocol {
 	CIL_PROTOCOL_DCCP
 };
 
+struct cil_ibpkeycon {
+	char *subnet_prefix_str;
+	uint32_t pkey_low;
+	uint32_t pkey_high;
+	char *context_str;
+	struct cil_context *context;
+};
+
 struct cil_portcon {
 	enum cil_protocol proto;
 	uint32_t port_low;
@@ -1007,6 +1017,7 @@ void cil_catset_init(struct cil_catset **catset);
 void cil_cats_init(struct cil_cats **cats);
 void cil_senscat_init(struct cil_senscat **senscat);
 void cil_filecon_init(struct cil_filecon **filecon);
+void cil_ibpkeycon_init(struct cil_ibpkeycon **ibpkeycon);
 void cil_portcon_init(struct cil_portcon **portcon);
 void cil_nodecon_init(struct cil_nodecon **nodecon);
 void cil_genfscon_init(struct cil_genfscon **genfscon);
diff --git a/libsepol/cil/src/cil_policy.c b/libsepol/cil/src/cil_policy.c
index 77179e63..35a0a29e 100644
--- a/libsepol/cil/src/cil_policy.c
+++ b/libsepol/cil/src/cil_policy.c
@@ -1714,6 +1714,21 @@ static void cil_genfscons_to_policy(FILE *out, struct cil_sort *genfscons, int m
 	}
 }
 
+static void cil_ibpkeycons_to_policy(FILE *out, struct cil_sort *ibpkeycons, int mls)
+{
+	uint32_t i = 0;
+
+	for (i = 0; i < ibpkeycons->count; i++) {
+		struct cil_ibpkeycon *ibpkeycon = (struct cil_ibpkeycon *)ibpkeycons->array[i];
+
+		fprintf(out, "ibpkeycon %s ", ibpkeycon->subnet_prefix_str);
+		fprintf(out, "%d ", ibpkeycon->pkey_low);
+		fprintf(out, "%d ", ibpkeycon->pkey_high);
+		cil_context_to_policy(out, ibpkeycon->context, mls);
+		fprintf(out, "\n");
+	}
+}
+
 static void cil_portcons_to_policy(FILE *out, struct cil_sort *portcons, int mls)
 {
 	unsigned i;
@@ -1942,6 +1957,7 @@ void cil_gen_policy(FILE *out, struct cil_db *db)
 	cil_genfscons_to_policy(out, db->genfscon, db->mls);
 	cil_portcons_to_policy(out, db->portcon, db->mls);
 	cil_netifcons_to_policy(out, db->netifcon, db->mls);
+	cil_ibpkeycons_to_policy(out, db->ibpkeycon, db->mls);
 	cil_nodecons_to_policy(out, db->nodecon, db->mls);
 	cil_pirqcons_to_policy(out, db->pirqcon, db->mls);
 	cil_iomemcons_to_policy(out, db->iomemcon, db->mls);
diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
index 1941fab3..893860d5 100644
--- a/libsepol/cil/src/cil_post.c
+++ b/libsepol/cil/src/cil_post.c
@@ -154,6 +154,28 @@ int cil_post_filecon_compare(const void *a, const void *b)
 	return rc;
 }
 
+int cil_post_ibpkeycon_compare(const void *a, const void *b)
+{
+	int rc = SEPOL_ERR;
+	struct cil_ibpkeycon *aibpkeycon = *(struct cil_ibpkeycon **)a;
+	struct cil_ibpkeycon *bibpkeycon = *(struct cil_ibpkeycon **)b;
+
+	rc = strcmp(aibpkeycon->subnet_prefix_str, bibpkeycon->subnet_prefix_str);
+	if (rc)
+		return rc;
+
+	rc = (aibpkeycon->pkey_high - aibpkeycon->pkey_low)
+		- (bibpkeycon->pkey_high - bibpkeycon->pkey_low);
+	if (rc == 0) {
+		if (aibpkeycon->pkey_low < bibpkeycon->pkey_low)
+			rc = -1;
+		else if (bibpkeycon->pkey_low < aibpkeycon->pkey_low)
+			rc = 1;
+	}
+
+	return rc;
+}
+
 int cil_post_portcon_compare(const void *a, const void *b)
 {
 	int rc = SEPOL_ERR;
@@ -401,6 +423,9 @@ static int __cil_post_db_count_helper(struct cil_tree_node *node, uint32_t *fini
 	case CIL_NODECON:
 		db->nodecon->count++;
 		break;
+	case CIL_IBPKEYCON:
+		db->ibpkeycon->count++;
+		break;
 	case CIL_PORTCON:
 		db->portcon->count++;
 		break;
@@ -535,6 +560,17 @@ static int __cil_post_db_array_helper(struct cil_tree_node *node, uint32_t *fini
 		sort->index++;
 		break;
 	}
+	case CIL_IBPKEYCON: {
+		struct cil_sort *sort = db->ibpkeycon;
+		uint32_t count = sort->count;
+		uint32_t i = sort->index;
+
+		if (!sort->array)
+			sort->array = cil_malloc(sizeof(*sort->array) * count);
+		sort->array[i] = node->data;
+		sort->index++;
+		break;
+	}
 	case CIL_PORTCON: {
 		struct cil_sort *sort = db->portcon;
 		uint32_t count = sort->count;
@@ -1618,6 +1654,14 @@ static int __cil_post_db_cat_helper(struct cil_tree_node *node, uint32_t *finish
 		}
 		break;
 	}
+	case CIL_IBPKEYCON: {
+		struct cil_ibpkeycon *ibpkeycon = node->data;
+
+		rc = __evaluate_levelrange_expression(ibpkeycon->context->range, db);
+		if (rc != SEPOL_OK)
+			goto exit;
+		break;
+	}
 	case CIL_PORTCON: {
 		struct cil_portcon *portcon = node->data;
 		rc = __evaluate_levelrange_expression(portcon->context->range, db);
@@ -1977,6 +2021,7 @@ static int cil_post_db(struct cil_db *db)
 
 	qsort(db->netifcon->array, db->netifcon->count, sizeof(db->netifcon->array), cil_post_netifcon_compare);
 	qsort(db->genfscon->array, db->genfscon->count, sizeof(db->genfscon->array), cil_post_genfscon_compare);
+	qsort(db->ibpkeycon->array, db->ibpkeycon->count, sizeof(db->ibpkeycon->array), cil_post_ibpkeycon_compare);
 	qsort(db->portcon->array, db->portcon->count, sizeof(db->portcon->array), cil_post_portcon_compare);
 	qsort(db->nodecon->array, db->nodecon->count, sizeof(db->nodecon->array), cil_post_nodecon_compare);
 	qsort(db->fsuse->array, db->fsuse->count, sizeof(db->fsuse->array), cil_post_fsuse_compare);
diff --git a/libsepol/cil/src/cil_post.h b/libsepol/cil/src/cil_post.h
index 74393ccf..fe7f3a58 100644
--- a/libsepol/cil/src/cil_post.h
+++ b/libsepol/cil/src/cil_post.h
@@ -38,6 +38,7 @@ struct fc_data {
 
 void cil_post_fc_fill_data(struct fc_data *fc, char *path);
 int cil_post_filecon_compare(const void *a, const void *b);
+int cil_post_ibpkeycon_compare(const void *a, const void *b);
 int cil_post_portcon_compare(const void *a, const void *b);
 int cil_post_genfscon_compare(const void *a, const void *b);
 int cil_post_netifcon_compare(const void *a, const void *b);
diff --git a/libsepol/cil/src/cil_reset_ast.c b/libsepol/cil/src/cil_reset_ast.c
index 676e156e..fc23a2c8 100644
--- a/libsepol/cil/src/cil_reset_ast.c
+++ b/libsepol/cil/src/cil_reset_ast.c
@@ -288,6 +288,12 @@ static void cil_reset_filecon(struct cil_filecon *filecon)
 	}
 }
 
+static void cil_reset_ibpkeycon(struct cil_ibpkeycon *ibpkeycon)
+{
+	if (!ibpkeycon->context)
+		cil_reset_context(ibpkeycon->context);
+}
+
 static void cil_reset_portcon(struct cil_portcon *portcon)
 {
 	if (portcon->context_str == NULL) {
@@ -489,6 +495,9 @@ int __cil_reset_node(struct cil_tree_node *node,  __attribute__((unused)) uint32
 	case CIL_FILECON:
 		cil_reset_filecon(node->data);
 		break;
+	case CIL_IBPKEYCON:
+		cil_reset_ibpkeycon(node->data);
+		break;
 	case CIL_PORTCON:
 		cil_reset_portcon(node->data);
 		break;
diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
index 8925b271..9e3cb2b5 100644
--- a/libsepol/cil/src/cil_resolve_ast.c
+++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -1923,6 +1923,30 @@ int cil_resolve_filecon(struct cil_tree_node *current, void *extra_args)
 	return SEPOL_OK;
 }
 
+int cil_resolve_ibpkeycon(struct cil_tree_node *current, void *extra_args)
+{
+	struct cil_ibpkeycon *ibpkeycon = current->data;
+	struct cil_symtab_datum *context_datum = NULL;
+	int rc = SEPOL_ERR;
+
+	if (ibpkeycon->context_str) {
+		rc = cil_resolve_name(current, ibpkeycon->context_str, CIL_SYM_CONTEXTS, extra_args, &context_datum);
+		if (rc != SEPOL_OK)
+			goto exit;
+
+		ibpkeycon->context = (struct cil_context *)context_datum;
+	} else {
+		rc = cil_resolve_context(current, ibpkeycon->context, extra_args);
+		if (rc != SEPOL_OK)
+			goto exit;
+	}
+
+	return SEPOL_OK;
+
+exit:
+	return rc;
+}
+
 int cil_resolve_portcon(struct cil_tree_node *current, void *extra_args)
 {
 	struct cil_portcon *portcon = current->data;
@@ -3567,6 +3591,9 @@ int __cil_resolve_ast_node(struct cil_tree_node *node, void *extra_args)
 		case CIL_FILECON:
 			rc = cil_resolve_filecon(node, args);
 			break;
+		case CIL_IBPKEYCON:
+			rc = cil_resolve_ibpkeycon(node, args);
+			break;
 		case CIL_PORTCON:
 			rc = cil_resolve_portcon(node, args);
 			break;
diff --git a/libsepol/cil/src/cil_resolve_ast.h b/libsepol/cil/src/cil_resolve_ast.h
index 1175f974..0506a3de 100644
--- a/libsepol/cil/src/cil_resolve_ast.h
+++ b/libsepol/cil/src/cil_resolve_ast.h
@@ -74,6 +74,7 @@ int cil_resolve_constrain(struct cil_tree_node *current, void *extra_args);
 int cil_resolve_validatetrans(struct cil_tree_node *current, void *extra_args);
 int cil_resolve_context(struct cil_tree_node *current, struct cil_context *context, void *extra_args);
 int cil_resolve_filecon(struct cil_tree_node *current, void *extra_args);
+int cil_resolve_ibpkeycon(struct cil_tree_node *current, void *extra_args);
 int cil_resolve_portcon(struct cil_tree_node *current, void *extra_args);
 int cil_resolve_genfscon(struct cil_tree_node *current, void *extra_args);
 int cil_resolve_nodecon(struct cil_tree_node *current, void *extra_args);
diff --git a/libsepol/cil/src/cil_tree.c b/libsepol/cil/src/cil_tree.c
index 2cc2744a..89706d0f 100644
--- a/libsepol/cil/src/cil_tree.c
+++ b/libsepol/cil/src/cil_tree.c
@@ -1,6 +1,6 @@
 /*
  * Copyright 2011 Tresys Technology, LLC. All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  * 
@@ -1409,6 +1409,20 @@ void cil_tree_print_node(struct cil_tree_node *node)
 			return;
 
 		}
+		case CIL_IBPKEYCON: {
+			struct cil_ibpkeycon *ibpkeycon = node->data;
+
+			cil_log(CIL_INFO, "IBPKEYCON: %s", ibpkeycon->subnet_prefix_str);
+			cil_log(CIL_INFO, " (%d %d) ", ibpkeycon->pkey_low, ibpkeycon->pkey_high);
+
+			if (ibpkeycon->context)
+				cil_tree_print_context(ibpkeycon->context);
+			else if (ibpkeycon->context_str)
+				cil_log(CIL_INFO, " %s", ibpkeycon->context_str);
+
+			cil_log(CIL_INFO, "\n");
+			return;
+		}
 		case CIL_PORTCON: {
 			struct cil_portcon *portcon = node->data;
 			cil_log(CIL_INFO, "PORTCON:");
diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c
index 47dcfaa2..108da33d 100644
--- a/libsepol/cil/src/cil_verify.c
+++ b/libsepol/cil/src/cil_verify.c
@@ -1080,6 +1080,26 @@ exit:
 	return rc;
 }
 
+int __cil_verify_ibpkeycon(struct cil_db *db, struct cil_tree_node *node)
+{
+	int rc = SEPOL_ERR;
+	struct cil_ibpkeycon *pkey = node->data;
+	struct cil_context *ctx = pkey->context;
+
+	/* Verify only when anonymous */
+	if (!ctx->datum.name) {
+		rc = __cil_verify_context(db, ctx);
+		if (rc != SEPOL_OK)
+			goto exit;
+	}
+
+	return SEPOL_OK;
+
+exit:
+	cil_tree_log(node, CIL_ERR, "Invalid ibpkeycon");
+	return rc;
+}
+
 int __cil_verify_portcon(struct cil_db *db, struct cil_tree_node *node)
 {
 	int rc = SEPOL_ERR;
@@ -1452,6 +1472,9 @@ int __cil_verify_helper(struct cil_tree_node *node, uint32_t *finished, void *ex
 		case CIL_NODECON:
 			rc = __cil_verify_nodecon(db, node);
 			break;
+		case CIL_IBPKEYCON:
+			rc = __cil_verify_ibpkeycon(db, node);
+			break;
 		case CIL_PORTCON:
 			rc = __cil_verify_portcon(db, node);
 			break;