From: Richard Haines
To: selinux@tycho.nsa.gov
Subject: [PATCH] selinux-testsuite: Add IPv6 client/server support plus tests
Date: Tue, 6 Dec 2016 13:55:51 +0000
Message-Id: <20161206135551.16697-1-richard_c_haines@btinternet.com>
X-Patchwork-Id: 9462625
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

Added support for IPv6 and split the Netlabel tests into two, one for CIPSO4 full labeling and the other for plain CIPSO4.

Signed-off-by: Richard Haines
---
Changes since RFC patch:
Removed two tests as requested.
Removed the port checks from client.c/server.c as will be validated by the call to getaddrinfo(3).
Removed INET6 entry from ToDo list.

 README | 1 +
 ToDo | 1 -
 .../inet_socket/{netlabel-flush => cipso-fl-flush} | 0
 tests/inet_socket/{netlabel-load => cipso-fl-load} | 2 +-
 tests/inet_socket/cipso-flush | 5 +
 tests/inet_socket/cipso-load | 11 ++
 tests/inet_socket/client.c | 94 ++++++++--------
 tests/inet_socket/ipsec-load | 6 +
 tests/inet_socket/iptables-flush | 2 +
 tests/inet_socket/iptables-load | 20 ++++
 tests/inet_socket/server.c | 73 ++++++------
 tests/inet_socket/test | 122 ++++++++++++++++++---
 12 files changed, 234 insertions(+), 103 deletions(-)
 rename tests/inet_socket/{netlabel-flush => cipso-fl-flush} (100%)
 rename tests/inet_socket/{netlabel-load => cipso-fl-load} (89%)
 create mode 100755 tests/inet_socket/cipso-flush
 create mode 100755 tests/inet_socket/cipso-load

diff --git a/README b/README index 69b4839..8dbbbda 100644 --- a/README +++ b/README @@ -16,6 +16,7 @@ test SELinux: CONFIG_AUDIT=y CONFIG_NET=y CONFIG_INET=y +CONFIG_IPV6=y CONFIG_SECURITY=y CONFIG_SECURITY_NETWORK=y CONFIG_SECURITY_NETWORK_XFRM=y diff --git a/ToDo b/ToDo index 3f4cb29..afa910b 100644 --- a/ToDo +++ b/ToDo @@ -1,6 +1,5 @@ unix_socket, inet_socket: test individual failure (denial) of common socket permissions (create, bind, ...). unix_socket, inet_socket: test setsockcreatecon. -inet_socket: generalize tests to cover INET6 as well as INET. inet_socket: test individual failure of netif ingress/egress. inet_socket: test individual failure of node recvfrom/sendto. inet_socket: test packet forward_in/forward_out (requires peer labeling + secmark configuration). diff --git a/tests/inet_socket/netlabel-flush b/tests/inet_socket/cipso-fl-flush similarity index 100% rename from tests/inet_socket/netlabel-flush rename to tests/inet_socket/cipso-fl-flush
diff --git a/tests/inet_socket/netlabel-load b/tests/inet_socket/cipso-fl-load similarity index 89% rename from tests/inet_socket/netlabel-load rename to tests/inet_socket/cipso-fl-load index 35898d3..3fbc928 100755 --- a/tests/inet_socket/netlabel-load +++ b/tests/inet_socket/cipso-fl-load @@ -7,7 +7,7 @@ # CIPSOv4 only supports passing MLS labels across the network). # Define a localhost/loopback doi and apply it to the loopback address -# so that we get full SELinux labels over loopback connections. +# so that we get full SELinux labels over IPv4 loopback connections. netlabelctl cipsov4 add local doi:1 netlabelctl map del default netlabelctl map add default address:0.0.0.0/0 protocol:unlbl diff --git a/tests/inet_socket/cipso-flush b/tests/inet_socket/cipso-flush new file mode 100755 index 0000000..2ac8523 --- /dev/null +++ b/tests/inet_socket/cipso-flush @@ -0,0 +1,5 @@ +#!/bin/sh +# Reset NetLabel configuration to unlabeled for all. +netlabelctl map del default +netlabelctl cipsov4 del doi:16 +netlabelctl map add default protocol:unlbl diff --git a/tests/inet_socket/cipso-load b/tests/inet_socket/cipso-load new file mode 100755 index 0000000..662747d --- /dev/null +++ b/tests/inet_socket/cipso-load @@ -0,0 +1,11 @@ +#!/bin/sh +# Based on http://paulmoore.livejournal.com/7234.html. +# +# Modifications: +# - Defined a doi for testing loopback for CIPSOv4. + +netlabelctl cipsov4 add pass doi:16 tags:5 +netlabelctl map del default +netlabelctl map add default address:0.0.0.0/0 protocol:unlbl +netlabelctl map add default address:::/0 protocol:unlbl +netlabelctl map add default address:127.0.0.1 protocol:cipsov4,16 diff --git a/tests/inet_socket/client.c b/tests/inet_socket/client.c index cf274cf..5c471f0 100644 --- a/tests/inet_socket/client.c +++ b/tests/inet_socket/client.c @@ -2,6 +2,7 @@ #include #include #include +#include #include #include #include 
@@ -18,51 +19,59 @@ void usage(char *progname) { fprintf(stderr, - "usage: %s [-n] [stream|dgram] port\n", - progname); + "usage: %s [-e expected_msg] [stream|dgram] addr port\n" + "\nWhere:\n\t" + "-e Optional expected message from server e.g. \"nopeer\".\n\t" + " If not present the client context will be used as a\n\t" + " comparison with the servers reply.\n\t" + "stream Use TCP protocol or:\n\t" + "dgram use UDP protocol.\n\t" + "addr IPv4 or IPv6 address (e.g. 127.0.0.1 or ::1)\n\t" + "port Port for accessing server.\n", progname); exit(1); } -int -main(int argc, char **argv) +int main(int argc, char **argv) { - char byte, label[256]; - int sock; - int result; - struct sockaddr_in sin; - socklen_t sinlen; - int type; - char *mycon; - unsigned short port; + char byte, label[256], *expected = NULL; + int sock, result, opt; + struct addrinfo hints, *serverinfo; struct timeval tm; - int opt; - bool nopeer = false; - while ((opt = getopt(argc, argv, "n")) != -1) { + while ((opt = getopt(argc, argv, "e:")) != -1) { switch (opt) { - case 'n': - nopeer = true; + case 'e': + expected = optarg; break; default: usage(argv[0]); } } - if ((argc - optind) != 2) + if ((argc - optind) != 3) usage(argv[0]); - if (!strcmp(argv[optind], "stream")) - type = SOCK_STREAM; - else if (!strcmp(argv[optind], "dgram")) - type = SOCK_DGRAM; - else - usage(argv[0]); + memset(&hints, 0, sizeof(struct addrinfo)); - port = atoi(argv[optind + 1]); - if (!port) + if (!strcmp(argv[optind], "stream")) { + hints.ai_socktype = SOCK_STREAM; + hints.ai_protocol = IPPROTO_TCP; + } else if (!strcmp(argv[optind], "dgram")) { + hints.ai_socktype = SOCK_DGRAM; + hints.ai_protocol = IPPROTO_UDP; + } else { usage(argv[0]); + } + + result = getaddrinfo(argv[optind + 1], argv[optind + 2], &hints, + &serverinfo); + if (result < 0) { + fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(result)); + exit(1); + } - sock = socket(AF_INET, type, 0); + sock = socket(serverinfo->ai_family, serverinfo->ai_socktype, + 
serverinfo->ai_protocol); if (sock < 0) { perror("socket"); exit(1); @@ -70,23 +79,13 @@ main(int argc, char **argv) tm.tv_sec = 5; tm.tv_usec = 0; - result = setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, &tm, sizeof tm); + result = setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, &tm, sizeof(tm)); if (result < 0) { perror("setsockopt: SO_SNDTIMEO"); exit(1); } - bzero(&sin, sizeof(struct sockaddr_in)); - sin.sin_family = AF_INET; - sin.sin_port = htons(port); - if (inet_aton("127.0.0.1", &sin.sin_addr) == 0) { - fprintf(stderr, "%s: inet_ntoa: invalid address\n", argv[0]); - close(sock); - exit(1); - } - - sinlen = sizeof(sin); - result = connect(sock, (struct sockaddr *) &sin, sinlen); + result = connect(sock, serverinfo->ai_addr, serverinfo->ai_addrlen); if (result < 0) { perror("connect"); close(sock); @@ -101,7 +100,7 @@ main(int argc, char **argv) exit(1); } - if (type == SOCK_DGRAM) { + if (hints.ai_socktype == SOCK_DGRAM) { struct pollfd fds; fds.fd = sock; @@ -125,15 +124,8 @@ main(int argc, char **argv) } label[result] = 0; - if (nopeer) { - mycon = strdup("nopeer"); - if (!mycon) { - perror("strdup"); - close(sock); - exit(1); - } - } else { - result = getcon(&mycon); + if (!expected) { + result = getcon(&expected); if (result < 0) { perror("getcon"); close(sock); @@ -141,9 +133,9 @@ main(int argc, char **argv) } } - if (strcmp(mycon, label)) { + if (strcmp(expected, label)) { fprintf(stderr, "%s: expected %s, got %s\n", - argv[0], mycon, label); + argv[0], expected, label); exit(1); } diff --git a/tests/inet_socket/ipsec-load b/tests/inet_socket/ipsec-load index c72d4b9..21e2dfe 100755 --- a/tests/inet_socket/ipsec-load +++ b/tests/inet_socket/ipsec-load 
@@ -9,3 +9,9 @@ ip xfrm state add src 127.0.0.1 dst 127.0.0.1 proto ah spi 0x200 ctx $goodclient ip xfrm state add src 127.0.0.1 dst 127.0.0.1 proto ah spi 0x250 ctx $badclientcon auth sha1 0123456789012345 ip xfrm policy add src 127.0.0.1 dst 127.0.0.1 proto tcp dir out ctx "system_u:object_r:test_spd_t:s0" tmpl proto ah mode transport level required ip xfrm policy add src 127.0.0.1 dst 127.0.0.1 proto udp dir out ctx "system_u:object_r:test_spd_t:s0" tmpl proto ah mode transport level required + +# IPv6 loopback +ip xfrm state add src ::1 dst ::1 proto ah spi 0x200 ctx $goodclientcon auth sha1 0123456789012345 +ip xfrm state add src ::1 dst ::1 proto ah spi 0x250 ctx $badclientcon auth sha1 0123456789012345 +ip xfrm policy add src ::1 dst ::1 proto tcp dir out ctx "system_u:object_r:test_spd_t:s0" tmpl proto ah mode transport level required +ip xfrm policy add src ::1 dst ::1 proto udp dir out ctx "system_u:object_r:test_spd_t:s0" tmpl proto ah mode transport level required diff --git a/tests/inet_socket/iptables-flush b/tests/inet_socket/iptables-flush index 8371648..c168d89 100755 --- a/tests/inet_socket/iptables-flush +++ b/tests/inet_socket/iptables-flush @@ -2,3 +2,5 @@ # Flush the security table. iptables -t security -F iptables -t security -X NEWCONN +ip6tables -t security -F +ip6tables -t security -X NEWCONN diff --git a/tests/inet_socket/iptables-load b/tests/inet_socket/iptables-load index c55e427..5be94f4 100755 --- a/tests/inet_socket/iptables-load +++ b/tests/inet_socket/iptables-load 
@@ -27,3 +27,23 @@ iptables -t security -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMA # Label UDP packets similarly. iptables -t security -A INPUT -i lo -p udp --dport 65535 -j SECMARK --selctx system_u:object_r:test_server_packet_t:s0 iptables -t security -A OUTPUT -o lo -p udp --sport 65535 -j SECMARK --selctx system_u:object_r:test_server_packet_t:s0 + +##### IPv6 entries +ip6tables -t security -F + +# Create a chain for new connection marking. +ip6tables -t security -N NEWCONN + +# Accept incoming connections, label SYN packets, and copy labels to connections. +ip6tables -t security -A INPUT -i lo -p tcp --dport 65535 -m state --state NEW -j NEWCONN +ip6tables -t security -A NEWCONN -j SECMARK --selctx system_u:object_r:test_server_packet_t:s0 +ip6tables -t security -A NEWCONN -j CONNSECMARK --save +ip6tables -t security -A NEWCONN -j ACCEPT + +# Common rules which copy connection labels to established and related packets. +ip6tables -t security -A INPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore +ip6tables -t security -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore + +# Label UDP packets similarly. +ip6tables -t security -A INPUT -i lo -p udp --dport 65535 -j SECMARK --selctx system_u:object_r:test_server_packet_t:s0 +ip6tables -t security -A OUTPUT -o lo -p udp --sport 65535 -j SECMARK --selctx system_u:object_r:test_server_packet_t:s0 diff --git a/tests/inet_socket/server.c b/tests/inet_socket/server.c index a53e346..2801397 100644 --- a/tests/inet_socket/server.c +++ b/tests/inet_socket/server.c @@ -1,6 +1,8 @@ #include #include #include +#include +#include #include #include #include 
@@ -18,23 +20,25 @@ void usage(char *progname) { - fprintf(stderr, "usage: %s [-n] [stream|dgram] port\n", progname); + fprintf(stderr, + "usage: %s [-n] [stream|dgram] port\n" + "\nWhere:\n\t" + "-n No peer context will be available therefore send\n\t" + " \"nopeer\" message to client, otherwise the peer context\n\t" + " will be retrieved and sent to client.\n\t" + "stream Use TCP protocol or:\n\t" + "dgram use UDP protocol.\n\t" + "port Listening port\n", progname); exit(1); } -static const int on = 1; - -int -main(int argc, char **argv) +int main(int argc, char **argv) { - int sock; - int result; - struct sockaddr_in sin; + int sock, result, opt, on = 1; socklen_t sinlen; - int type; + struct sockaddr_storage sin; + struct addrinfo hints, *res; char byte; - unsigned short port; - int opt; bool nopeer = false; while ((opt = getopt(argc, argv, "n")) != -1) { @@ -50,23 +54,31 @@ main(int argc, char **argv) if ((argc - optind) != 2) usage(argv[0]); - if (!strcmp(argv[optind], "stream")) - type = SOCK_STREAM; - else if (!strcmp(argv[optind], "dgram")) - type = SOCK_DGRAM; - else - usage(argv[0]); + memset(&hints, 0, sizeof(struct addrinfo)); + hints.ai_flags = AI_PASSIVE; + hints.ai_family = AF_INET6; - port = atoi(argv[optind + 1]); - if (!port) + if (!strcmp(argv[optind], "stream")) { + hints.ai_socktype = SOCK_STREAM; + hints.ai_protocol = IPPROTO_TCP; + } else if (!strcmp(argv[optind], "dgram")) { + hints.ai_socktype = SOCK_DGRAM; + hints.ai_protocol = IPPROTO_UDP; + } else { usage(argv[0]); + } + + result = getaddrinfo(NULL, argv[optind + 1], &hints, &res); + if (result < 0) { + printf("getaddrinfo: %s\n", gai_strerror(result)); + exit(1); + } - sock = socket(AF_INET, type, 0); + sock = socket(res->ai_family, res->ai_socktype, res->ai_protocol); if (sock < 0) { perror("socket"); exit(1); } - result = setsockopt(sock, SOL_IP, IP_PASSSEC, &on, sizeof(on)); if (result < 0) { perror("setsockopt: SO_PASSSEC"); 
@@ -76,23 +88,18 @@ main(int argc, char **argv) result = setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)); if (result < 0) { - perror("setsockopt: SO_PASSSEC"); + perror("setsockopt: SO_REUSEADDR"); close(sock); exit(1); } - bzero(&sin, sizeof(struct sockaddr_in)); - sin.sin_family = AF_INET; - sin.sin_port = htons(port); - sin.sin_addr.s_addr = INADDR_ANY; - sinlen = sizeof(sin); - if (bind(sock, (struct sockaddr *) &sin, sinlen) < 0) { + if (bind(sock, res->ai_addr, res->ai_addrlen) < 0) { perror("bind"); close(sock); exit(1); } - if (type == SOCK_STREAM) { + if (hints.ai_socktype == SOCK_STREAM) { if (listen(sock, SOMAXCONN)) { perror("listen"); close(sock); @@ -105,8 +112,7 @@ main(int argc, char **argv) socklen_t labellen = sizeof(peerlabel); sinlen = sizeof(sin); - newsock = accept(sock, (struct sockaddr *)&sin, - &sinlen); + newsock = accept(sock, (struct sockaddr *)&sin, &sinlen); if (newsock < 0) { perror("accept"); close(sock); @@ -117,12 +123,14 @@ main(int argc, char **argv) strcpy(peerlabel, "nopeer"); } else { peerlabel[0] = 0; - result = getsockopt(newsock, SOL_SOCKET, SO_PEERSEC, peerlabel, + result = getsockopt(newsock, SOL_SOCKET, + SO_PEERSEC, peerlabel, &labellen); if (result < 0) { perror("getsockopt: SO_PEERSEC"); exit(1); } + printf("%s: Got peer label=%s\n", argv[0], peerlabel); } @@ -183,7 +191,6 @@ main(int argc, char **argv) } } } - result = sendto(sock, msglabel, strlen(msglabel), 0, msg.msg_name, msg.msg_namelen); if (result < 0) { diff --git a/tests/inet_socket/test b/tests/inet_socket/test index e97151e..8391744 100755 --- a/tests/inet_socket/test +++ b/tests/inet_socket/test 
@@ -6,14 +6,14 @@ BEGIN { if (system("ip xfrm policy help 2>&1 | grep -q ctx") != 0) { plan skip_all => "ctx not supported in ip xfrm policy"; } else { - plan tests => 20; + plan tests => 33; } } $basedir = $0; $basedir =~ s|(.*)/[^/]*|$1|; -# Load NetLabel configuration. -system "$basedir/netlabel-load"; +# Load NetLabel configuration for full CIPSO4 labeling over loopback. +system "$basedir/cipso-fl-load"; # Start the stream server. if (($pid = fork()) == 0) { @@ -23,11 +23,11 @@ if (($pid = fork()) == 0) { sleep 1; # Give it a moment to initialize. # Verify that authorized client can communicate with the server. -$result = system "runcon -t test_inet_client_t $basedir/client stream 65535"; +$result = system "runcon -t test_inet_client_t $basedir/client stream 127.0.0.1 65535"; ok($result eq 0); # Verify that unauthorized client cannot communicate with the server. -$result = system "runcon -t test_inet_bad_client_t -- $basedir/client stream 65535 2>&1"; +$result = system "runcon -t test_inet_bad_client_t -- $basedir/client stream 127.0.0.1 65535 2>&1"; ok($result); # Kill the server. 
@@ -41,18 +41,64 @@ if (($pid = fork()) == 0) { sleep 1; # Give it a moment to initialize # Verify that authorized client can communicate with the server. -$result = system "runcon -t test_inet_client_t $basedir/client dgram 65535"; +$result = system "runcon -t test_inet_client_t $basedir/client dgram 127.0.0.1 65535"; ok($result eq 0); # Verify that unauthorized client cannot communicate with the server. -$result = system "runcon -t test_inet_bad_client_t -- $basedir/client dgram 65535 2>&1"; +$result = system "runcon -t test_inet_bad_client_t -- $basedir/client dgram 127.0.0.1 65535 2>&1"; ok($result); # Kill the server. kill TERM, $pid; # Flush NetLabel configuration. -system "$basedir/netlabel-flush"; +system "$basedir/cipso-fl-flush"; + +# Load NetLabel configuration for CIPSO4 over loopback. +system "$basedir/cipso-load"; + +# Start the stream server with a defined level. +if (($pid = fork()) == 0) { + exec "runcon -t test_inet_server_t -l s0:c0.c10 $basedir/server stream 65535"; +} + +sleep 1; # Give it a moment to initialize. + +# Verify that authorized client can communicate with the server using level. +$result = system "runcon -t test_inet_client_t -l s0:c0.c10 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c10 stream 127.0.0.1 65535"; +ok($result eq 0); + +# Verify that authorized client can communicate with the server using level. +$result = system "runcon -t test_inet_client_t -l s0:c8.c10 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c8.c10 stream 127.0.0.1 65535"; +ok($result eq 0); + +# Verify that authorized client cannot communicate with the server using different level. +$result = system "runcon -t test_inet_client_t -l s0:c8.c12 $basedir/client stream 127.0.0.1 65535 2>&1"; +ok($result); + +# Kill the server. +kill TERM, $pid; + +# Start the dgram server with a defined level. 
+if (($pid = fork()) == 0) { + exec "runcon -t test_inet_server_t -l s0:c20.c50 $basedir/server dgram 65535"; +} + +sleep 1; # Give it a moment to initialize. + +# Verify that authorized client can communicate with the server using same levels. +$result = system "runcon -t test_inet_client_t -l s0:c20.c50 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c20.c50 dgram 127.0.0.1 65535"; +ok($result eq 0); + +# Verify that authorized client cannot communicate with the server using levels dominating the server. +$result = system "runcon -t test_inet_client_t -l s0:c40.c51 $basedir/client dgram 127.0.0.1 65535 2>&1"; +ok($result); + +# Kill the server. +kill TERM, $pid; + +# Flush NetLabel configuration. +system "$basedir/cipso-flush"; # Verify that authorized domain can bind UDP sockets. $result = system "runcon -t test_inet_bind_t -- $basedir/bind dgram 65535 2>&1"; @@ -97,11 +143,19 @@ if (($pid = fork()) == 0) { sleep 1; # Give it a moment to initialize. # Verify that authorized client can communicate with the server. -$result = system "runcon -t test_inet_client_t $basedir/client stream 65535"; +$result = system "runcon -t test_inet_client_t $basedir/client stream 127.0.0.1 65535"; ok($result eq 0); # Verify that unauthorized client cannot communicate with the server. -$result = system "runcon -t test_inet_bad_client_t -- $basedir/client stream 65535 2>&1"; +$result = system "runcon -t test_inet_bad_client_t -- $basedir/client stream 127.0.0.1 65535 2>&1"; +ok($result); + +# Verify that authorized client can communicate with the server. +$result = system "runcon -t test_inet_client_t $basedir/client stream ::1 65535"; +ok($result eq 0); + +# Verify that unauthorized client cannot communicate with the server. +$result = system "runcon -t test_inet_bad_client_t -- $basedir/client stream ::1 65535 2>&1"; ok($result); # Kill the server. 
@@ -115,20 +169,38 @@ if (($pid = fork()) == 0) { sleep 1; # Give it a moment to initialize # Verify that authorized client can communicate with the server. -$result = system "runcon -t test_inet_client_t $basedir/client dgram 65535"; +$result = system "runcon -t test_inet_client_t $basedir/client dgram 127.0.0.1 65535"; ok($result eq 0); # Verify that unauthorized client cannot communicate with the server. -$result = system "runcon -t test_inet_bad_client_t -- $basedir/client dgram 65535 2>&1"; +$result = system "runcon -t test_inet_bad_client_t -- $basedir/client dgram 127.0.0.1 65535 2>&1"; ok($result); +# Verify that unauthorized client cannot communicate with the server. +$result = system "runcon -t test_inet_bad_client_t -- $basedir/client dgram ::1 65535 2>&1"; +ok($result); + +# Kill the server. +kill TERM, $pid; + +# Start the dgram server for IPSEC test using IPv6 but do not request peer context. +if (($pid = fork()) == 0) { + exec "runcon -t test_inet_server_t $basedir/server -n dgram 65535"; +} + +sleep 1; # Give it a moment to initialize + +# This test now passes. +$result = system "runcon -t test_inet_client_t $basedir/client -e nopeer dgram ::1 65535"; +ok($result eq 0); + # Kill the server. kill TERM, $pid; # Flush IPSEC configuration. system "$basedir/ipsec-flush"; -# Load iptables configuration. +# Load iptables (IPv4 & IPv6) configuration. system "$basedir/iptables-load"; # Start the stream server. 
@@ -139,11 +211,19 @@ if (($pid = fork()) == 0) { sleep 1; # Give it a moment to initialize. # Verify that authorized client can communicate with the server. -$result = system "runcon -t test_inet_client_t -- $basedir/client -n stream 65535"; +$result = system "runcon -t test_inet_client_t -- $basedir/client -e nopeer stream 127.0.0.1 65535"; ok($result eq 0); # Verify that unauthorized client cannot communicate with the server. -$result = system "runcon -t test_inet_bad_client_t -- $basedir/client -n stream 65535 2>&1"; +$result = system "runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer stream 127.0.0.1 65535 2>&1"; +ok($result); + +# Verify that authorized client can communicate with the server. +$result = system "runcon -t test_inet_client_t -- $basedir/client -e nopeer stream ::1 65535"; +ok($result eq 0); + +# Verify that unauthorized client cannot communicate with the server. +$result = system "runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer stream ::1 65535 2>&1"; ok($result); # Kill the server. 
@@ -157,11 +237,19 @@ if (($pid = fork()) == 0) { sleep 1; # Give it a moment to initialize # Verify that authorized client can communicate with the server. -$result = system "runcon -t test_inet_client_t $basedir/client -n dgram 65535"; +$result = system "runcon -t test_inet_client_t $basedir/client -e nopeer dgram 127.0.0.1 65535"; +ok($result eq 0); + +# Verify that unauthorized client cannot communicate with the server. +$result = system "runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer dgram 127.0.0.1 65535 2>&1"; +ok($result); + +# Verify that authorized client can communicate with the server. +$result = system "runcon -t test_inet_client_t $basedir/client -e nopeer dgram ::1 65535"; ok($result eq 0); # Verify that unauthorized client cannot communicate with the server. -$result = system "runcon -t test_inet_bad_client_t -- $basedir/client -n dgram 65535 2>&1"; +$result = system "runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer dgram ::1 65535 2>&1"; ok($result); # Kill the server.
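Review bot: in the server hunk at "@@ -50,23 +54,31 @@", the getaddrinfo() result is tested with "if (result < 0)", but getaddrinfo() is specified to return a nonzero value on failure, so the check should be "if (result != 0)". The message would also be better sent to stderr with fprintf(), to match the perror() calls around it. In the same hunk, hints.ai_family = AF_INET6 with a NULL node means the server binds only the IPv6 wildcard address, while the test script connects to 127.0.0.1 as well as ::1. That works only while the listening socket is dual-stack, so consider clearing IPV6_V6ONLY explicitly before bind() rather than depending on the system default.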
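Review bot: after "bind(sock, res->ai_addr, res->ai_addrlen)" in the server hunk at "@@ -76,23 +88,18 @@", none of the visible hunks adds a freeaddrinfo(res), and the later code tests hints.ai_socktype rather than res, so the list can be released as soon as bind() has succeeded. While the perror() text for SO_REUSEADDR is being corrected in this hunk, the call just before it, setsockopt(sock, SOL_IP, IP_PASSSEC, ...), still reports "setsockopt: SO_PASSSEC", which names a different option from the one being set. Fix that string in the same pass.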
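Review bot: in the test hunk at "@@ -41,18 +41,64 @@", the comment on the last dgram level test says the client uses "levels dominating the server", but the client runs at s0:c40.c51 and the server at s0:c20.c50. The client's category set lacks c20 through c39, so neither level dominates the other. Reword it to say the client carries a category (c51) outside the server's range. The two stream tests at s0:c0.c10 and s0:c8.c10 also carry the identical comment "Verify that authorized client can communicate with the server using level."; the second should say it checks a client level that lies within the server's range, so the intent of each case is clear when one of them fails.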
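Review bot: the IPSEC dgram section in the test hunk at "@@ -115,20 +169,38 @@" adds only the negative ::1 case for test_inet_bad_client_t, with no matching "test_inet_client_t ... dgram ::1" success case against the same server, unlike the stream section and both iptables sections, which add a positive and a negative case for each address family. Because ok($result) passes on any nonzero exit, this negative test on its own cannot distinguish a policy denial from a client that fails for an unrelated reason. The server that follows is started with -n ("do not request peer context"), which suggests the peer-context case is left out on purpose. If so, state the reason in a comment, and replace "# This test now passes." with a description of what the -e nopeer test verifies.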