From: David Howells
To: viro@zeniv.linux.org.uk
Cc: mszeredi@redhat.com, Stephen Smalley, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, linux-fsdevel@vger.kernel.org, torvalds@linux-foundation.org
Date: Fri, 21 Sep 2018 17:31:27 +0100
Subject: [PATCH 10/34] selinux: Implement the new mount API LSM hooks [ver #12]
Message-ID: <153754748795.17872.16927661345949556851.stgit@warthog.procyon.org.uk>
In-Reply-To: <153754740781.17872.7869536526927736855.stgit@warthog.procyon.org.uk>
X-Patchwork-Id: 10610809

Implement the new mount API LSM hooks for SELinux. At some point the old hooks
will need to be removed.

Question: Should the ->fs_context_parse_source() hook be implemented to check
the labels on any source devices specified?

Signed-off-by: David Howells
cc: Paul Moore
cc: Stephen Smalley
cc: selinux@tycho.nsa.gov
cc: linux-security-module@vger.kernel.org
---
 security/selinux/hooks.c | 336 ++++++++++++++++++++++++++++++++---
 security/selinux/include/security.h | 16 +-
 2 files changed, 319 insertions(+), 33 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 9102a8fecb15..5f2af9dd44fa 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -48,6 +48,8 @@ #include #include #include +#include +#include #include #include #include @@ -439,24 +441,23 @@ static inline int inode_doinit(struct inode *inode) } enum { - Opt_error = -1, - Opt_context = 1, + Opt_context = 0, + Opt_defcontext = 1, Opt_fscontext = 2, - Opt_defcontext = 3, - Opt_rootcontext = 4, - Opt_labelsupport = 5, - Opt_nextmntopt = 6, + Opt_rootcontext = 3, + Opt_seclabel = 4, + nr__selinux_params }; -#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1) +#define NUM_SEL_MNT_OPTS (nr__selinux_params - 1) static const match_table_t tokens = { - {Opt_context, CONTEXT_STR "%s"}, - {Opt_fscontext, FSCONTEXT_STR "%s"}, - {Opt_defcontext, DEFCONTEXT_STR "%s"}, - {Opt_rootcontext, ROOTCONTEXT_STR "%s"}, - {Opt_labelsupport, LABELSUPP_STR}, - {Opt_error, NULL}, + {Opt_context, CONTEXT_STR "=%s"}, + {Opt_fscontext, FSCONTEXT_STR "=%s"}, + {Opt_defcontext, DEFCONTEXT_STR "=%s"}, + {Opt_rootcontext, ROOTCONTEXT_STR "=%s"}, + {Opt_seclabel, SECLABEL_STR}, + {-1, NULL}, }; #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" @@ -615,15 +616,11 @@ static int selinux_get_mnt_opts(const struct super_block *sb, if (!selinux_state.initialized) return -EINVAL; - /* make sure we always check enough bits to cover the mask */ - BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS)); - tmp = sbsec->flags & SE_MNTMASK; /* count the number of mount options for this sb */ for (i = 0; i < NUM_SEL_MNT_OPTS; i++) { - if (tmp & 0x01) + if (tmp & (1 << i)) opts->num_mnt_opts++; - tmp >>= 1; } /* Check if the Label support flag is set */ if (sbsec->flags & SBLABEL_MNT) @@ -1154,7 +1151,7 @@ static int selinux_parse_opts_str(char *options, goto out_err; } break; - case Opt_labelsupport: + case Opt_seclabel: break; default: rc = -EINVAL; @@ -1259,7 +1256,7 @@ static void selinux_write_opts(struct seq_file *m, break; case SBLABEL_MNT: seq_putc(m, ','); - seq_puts(m, LABELSUPP_STR); + seq_puts(m, SECLABEL_STR); continue; default: BUG(); 
@@ -1268,6 +1265,7 @@ static void selinux_write_opts(struct seq_file *m, /* we need a comma before each option */ seq_putc(m, ','); seq_puts(m, prefix); + seq_putc(m, '='); if (has_comma) seq_putc(m, '\"'); seq_escape(m, opts->mnt_opts[i], "\"\n\\"); @@ -2753,11 +2751,11 @@ static inline int match_prefix(char *prefix, int plen, char *option, int olen) static inline int selinux_option(char *option, int len) { - return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) || - match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) || - match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) || - match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) || - match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len)); + return (match_prefix(CONTEXT_STR"=", sizeof(CONTEXT_STR)-1, option, len) || + match_prefix(FSCONTEXT_STR"=", sizeof(FSCONTEXT_STR)-1, option, len) || + match_prefix(DEFCONTEXT_STR"=", sizeof(DEFCONTEXT_STR)-1, option, len) || + match_prefix(ROOTCONTEXT_STR"=", sizeof(ROOTCONTEXT_STR)-1, option, len) || + match_prefix(SECLABEL_STR"=", sizeof(SECLABEL_STR)-1, option, len)); } static inline void take_option(char **to, char *from, int *first, int len) 
@@ -2972,6 +2970,284 @@ static int selinux_umount(struct vfsmount *mnt, int flags) FILESYSTEM__UNMOUNT, NULL); } +/* fsopen mount context operations */ + +static int selinux_fs_context_alloc(struct fs_context *fc, + struct dentry *reference) +{ + struct security_mnt_opts *opts; + + opts = kzalloc(sizeof(*opts), GFP_KERNEL); + if (!opts) + return -ENOMEM; + + fc->security = opts; + return 0; +} + +static int selinux_fs_context_dup(struct fs_context *fc, + struct fs_context *src_fc) +{ + const struct security_mnt_opts *src = src_fc->security; + struct security_mnt_opts *opts; + int i, n; + + opts = kzalloc(sizeof(*opts), GFP_KERNEL); + if (!opts) + return -ENOMEM; + fc->security = opts; + + if (!src || !src->num_mnt_opts) + return 0; + n = opts->num_mnt_opts = src->num_mnt_opts; + + if (src->mnt_opts) { + opts->mnt_opts = kcalloc(n, sizeof(char *), GFP_KERNEL); + if (!opts->mnt_opts) + return -ENOMEM; + + for (i = 0; i < n; i++) { + if (src->mnt_opts[i]) { + opts->mnt_opts[i] = kstrdup(src->mnt_opts[i], + GFP_KERNEL); + if (!opts->mnt_opts[i]) + return -ENOMEM; + } + } + } + + if (src->mnt_opts_flags) { + opts->mnt_opts_flags = kmemdup(src->mnt_opts_flags, + n * sizeof(int), GFP_KERNEL); + if (!opts->mnt_opts_flags) + return -ENOMEM; + } + + return 0; +} + +static void selinux_fs_context_free(struct fs_context *fc) +{ + struct security_mnt_opts *opts = fc->security; + + if (opts) { + security_free_mnt_opts(opts); + fc->security = NULL; + } +} + +static const struct fs_parameter_spec selinux_param_specs[nr__selinux_params] = { + [Opt_context] = { fs_param_is_string }, + [Opt_defcontext] = { fs_param_is_string }, + [Opt_fscontext] = { fs_param_is_string }, + [Opt_rootcontext] = { fs_param_is_string }, + [Opt_seclabel] = { fs_param_is_flag }, +}; + +static const char *const selinux_param_keys[nr__selinux_params] = { + [Opt_context] = CONTEXT_STR, + [Opt_defcontext] = DEFCONTEXT_STR, + [Opt_fscontext] = FSCONTEXT_STR, + [Opt_rootcontext] = ROOTCONTEXT_STR, + 
[Opt_seclabel] = SECLABEL_STR, +}; + +static const struct fs_parameter_description selinux_fs_parameters = { + .name = "SELinux", + .nr_params = nr__selinux_params, + .keys = selinux_param_keys, + .specs = selinux_param_specs, + .no_source = true, +}; + +static int selinux_fs_context_parse_param(struct fs_context *fc, + struct fs_parameter *param) +{ + struct security_mnt_opts *opts = fc->security; + struct fs_parse_result result; + unsigned int have; + char **oo; + int opt, ctx, i, *of; + + opt = fs_parse(fc, &selinux_fs_parameters, param, &result); + if (opt < 0) + return opt; + + have = 0; + for (i = 0; i < opts->num_mnt_opts; i++) + have |= 1 << opts->mnt_opts_flags[i]; + if (have & (1 << opt)) + return -EINVAL; + + switch (opt) { + case Opt_context: + if (have & (1 << Opt_defcontext)) + goto incompatible; + ctx = CONTEXT_MNT; + goto copy_context_string; + + case Opt_fscontext: + ctx = FSCONTEXT_MNT; + goto copy_context_string; + + case Opt_rootcontext: + ctx = ROOTCONTEXT_MNT; + goto copy_context_string; + + case Opt_defcontext: + if (have & (1 << Opt_context)) + goto incompatible; + ctx = DEFCONTEXT_MNT; + goto copy_context_string; + + case Opt_seclabel: + return 1; + + default: + return -EINVAL; + } + +copy_context_string: + if (opts->num_mnt_opts > 3) + return -EINVAL; + + of = krealloc(opts->mnt_opts_flags, + (opts->num_mnt_opts + 1) * sizeof(int), GFP_KERNEL); + if (!of) + return -ENOMEM; + of[opts->num_mnt_opts] = 0; + opts->mnt_opts_flags = of; + + oo = krealloc(opts->mnt_opts, + (opts->num_mnt_opts + 1) * sizeof(char *), GFP_KERNEL); + if (!oo) + return -ENOMEM; + oo[opts->num_mnt_opts] = NULL; + opts->mnt_opts = oo; + + opts->mnt_opts[opts->num_mnt_opts] = param->string; + opts->mnt_opts_flags[opts->num_mnt_opts] = ctx; + opts->num_mnt_opts++; + param->string = NULL; + return 1; + +incompatible: + return -EINVAL; +} + +/* + * Validate the security parameters supplied for a reconfiguration/remount + * event. 
+ */ +static int selinux_validate_for_sb_reconfigure(struct fs_context *fc) +{ + struct super_block *sb = fc->root->d_sb; + struct superblock_security_struct *sbsec = sb->s_security; + struct security_mnt_opts *opts = fc->security; + int rc, i, *flags; + char **mount_options; + + if (!(sbsec->flags & SE_SBINITIALIZED)) + return 0; + + mount_options = opts->mnt_opts; + flags = opts->mnt_opts_flags; + + for (i = 0; i < opts->num_mnt_opts; i++) { + u32 sid; + + if (flags[i] == SBLABEL_MNT) + continue; + + rc = security_context_str_to_sid(&selinux_state, mount_options[i], + &sid, GFP_KERNEL); + if (rc) { + pr_warn("SELinux: security_context_str_to_sid" + "(%s) failed for (dev %s, type %s) errno=%d\n", + mount_options[i], sb->s_id, sb->s_type->name, rc); + goto inval; + } + + switch (flags[i]) { + case FSCONTEXT_MNT: + if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) + goto bad_option; + break; + case CONTEXT_MNT: + if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) + goto bad_option; + break; + case ROOTCONTEXT_MNT: { + struct inode_security_struct *root_isec; + root_isec = backing_inode_security(sb->s_root); + + if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) + goto bad_option; + break; + } + case DEFCONTEXT_MNT: + if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) + goto bad_option; + break; + default: + goto inval; + } + } + + rc = 0; +out: + return rc; + +bad_option: + pr_warn("SELinux: unable to change security options " + "during remount (dev %s, type=%s)\n", + sb->s_id, sb->s_type->name); +inval: + rc = -EINVAL; + goto out; +} + +/* + * Validate the security context assembled from the option data supplied to + * mount. + */ +static int selinux_fs_context_validate(struct fs_context *fc) +{ + if (fc->purpose == FS_CONTEXT_FOR_RECONFIGURE) + return selinux_validate_for_sb_reconfigure(fc); + return 0; +} + +/* + * Set the security context on a superblock. 
+ */ +static int selinux_sb_get_tree(struct fs_context *fc) +{ + const struct cred *cred = current_cred(); + struct common_audit_data ad; + int rc; + + rc = selinux_set_mnt_opts(fc->root->d_sb, fc->security, 0, NULL); + if (rc) + return rc; + + /* Allow all mounts performed by the kernel */ + if (fc->purpose == FS_CONTEXT_FOR_KERNEL_MOUNT) + return 0; + + ad.type = LSM_AUDIT_DATA_DENTRY; + ad.u.dentry = fc->root; + return superblock_has_perm(cred, fc->root->d_sb, FILESYSTEM__MOUNT, &ad); +} + +static int selinux_sb_mountpoint(struct fs_context *fc, struct path *mountpoint, + unsigned int mnt_flags) +{ + const struct cred *cred = current_cred(); + + return path_has_perm(cred, mountpoint, FILE__MOUNTON); +} + /* inode security operations */ static int selinux_inode_alloc_security(struct inode *inode) @@ -6918,6 +7194,14 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), + LSM_HOOK_INIT(fs_context_alloc, selinux_fs_context_alloc), + LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup), + LSM_HOOK_INIT(fs_context_free, selinux_fs_context_free), + LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param), + LSM_HOOK_INIT(fs_context_validate, selinux_fs_context_validate), + LSM_HOOK_INIT(sb_get_tree, selinux_sb_get_tree), + LSM_HOOK_INIT(sb_mountpoint, selinux_sb_mountpoint), + LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security), LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data), @@ -7185,6 +7469,8 @@ static __init int selinux_init(void) else pr_debug("SELinux: Starting in permissive mode\n"); + fs_validate_description(&selinux_fs_parameters); + return 0; } diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 23e762d529fa..7c100283b66f 100644 --- a/security/selinux/include/security.h 
+++ b/security/selinux/include/security.h @@ -50,20 +50,20 @@ /* Super block security struct flags for mount options */ /* BE CAREFUL, these need to be the low order bits for selinux_get_mnt_opts */ #define CONTEXT_MNT 0x01 -#define FSCONTEXT_MNT 0x02 -#define ROOTCONTEXT_MNT 0x04 -#define DEFCONTEXT_MNT 0x08 +#define DEFCONTEXT_MNT 0x02 +#define FSCONTEXT_MNT 0x04 +#define ROOTCONTEXT_MNT 0x08 #define SBLABEL_MNT 0x10 /* Non-mount related flags */ #define SE_SBINITIALIZED 0x0100 #define SE_SBPROC 0x0200 #define SE_SBGENFS 0x0400 -#define CONTEXT_STR "context=" -#define FSCONTEXT_STR "fscontext=" -#define ROOTCONTEXT_STR "rootcontext=" -#define DEFCONTEXT_STR "defcontext=" -#define LABELSUPP_STR "seclabel" +#define CONTEXT_STR "context" +#define FSCONTEXT_STR "fscontext" +#define ROOTCONTEXT_STR "rootcontext" +#define DEFCONTEXT_STR "defcontext" +#define SECLABEL_STR "seclabel" struct netlbl_lsm_secattr;
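
Review bot: In the tokens table of the hooks.c hunk at @@ -439,24 +441,23 @@, the terminator becomes a bare `{-1, NULL}` once Opt_error is dropped from the enum, so the "no match" value is now a magic number that the `default:` arm of selinux_parse_opts_str() has to catch implicitly. Suggest keeping a named sentinel outside the 0..nr__selinux_params range. In the same hunk, `#define NUM_SEL_MNT_OPTS (nr__selinux_params - 1)` is only correct while Opt_seclabel stays the last enumerator; a one-line comment on the enum saying so would prevent a silent break if a parameter is appended later.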
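
Review bot: In selinux_get_mnt_opts() (hunk @@ -615,15 +616,11 @@), `BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));` is removed with no replacement and no mention in the commit message, so nothing checks at build time any more that the rewritten loop over `tmp & (1 << i)` covers every bit in SE_MNTMASK. NUM_SEL_MNT_OPTS is redefined in this same patch, which is exactly the kind of change the assertion guards against. Suggest keeping it, or stating in the changelog why it no longer holds.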
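
Review bot: In selinux_option() (hunk @@ -2753,11 +2751,11 @@), the prefix and length arguments no longer agree: each call passes `CONTEXT_STR"="` as the prefix but still passes `sizeof(CONTEXT_STR)-1` as its length, and since security.h now defines the strings without the trailing '=', that length stops one character short of the '='. Suggest `sizeof(CONTEXT_STR"=")-1` (and likewise for the other three) so the '=' is actually part of what is compared. The last line, `match_prefix(SECLABEL_STR"=", ...)`, also looks unintended: seclabel is declared `fs_param_is_flag` and the tokens table matches it as plain SECLABEL_STR with no '='.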
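
Review bot: In selinux_fs_context_parse_param() (the large hunk at @@ -2972,6 +2970,284 @@), `have |= 1 << opts->mnt_opts_flags[i];` shifts by a value that is already a bit mask. The array is filled from `ctx`, which is one of CONTEXT_MNT, DEFCONTEXT_MNT, FSCONTEXT_MNT or ROOTCONTEXT_MNT (0x01 to 0x08), not an Opt_* index, so the later tests `have & (1 << opt)` and `have & (1 << Opt_defcontext)` look at the wrong bits. For example, a stored FSCONTEXT_MNT (0x04) sets bit 4 of `have`, and a second fscontext= (1 << Opt_fscontext, bit 2) is then not rejected as a duplicate. With the reordered values in security.h each flag equals 1 << the matching Opt_* value, so `have |= opts->mnt_opts_flags[i];` appears to be what was meant. Separately, selinux_fs_context_dup() in the same hunk sets `opts->num_mnt_opts` before either array is allocated and returns -ENOMEM with them partly populated; either assign the count last or confirm that security_free_mnt_opts() tolerates a non-zero count with NULL arrays.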
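
Review bot: In the security.h hunk, swapping the values of DEFCONTEXT_MNT, FSCONTEXT_MNT and ROOTCONTEXT_MNT makes each flag line up with 1 << the corresponding Opt_* enumerator in hooks.c, but the only comment above them still reads "these need to be the low order bits for selinux_get_mnt_opts". That new coupling between the enum order and the flag values is undocumented and unenforced. Suggest extending the comment, or adding a BUILD_BUG_ON next to the enum (for example that CONTEXT_MNT equals 1 << Opt_context, and so on), so that a later reorder of either side fails at build time.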