From patchwork Tue Jul 25 15:55:42 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stephen Smalley X-Patchwork-Id: 9862425 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 31751601A1 for ; Tue, 25 Jul 2017 15:51:26 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 13938286E1 for ; Tue, 25 Jul 2017 15:51:26 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 0808D286E7; Tue, 25 Jul 2017 15:51:26 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from upbd19pa10.eemsg.mail.mil (upbd19pa10.eemsg.mail.mil [214.24.27.85]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DC0DB286E1 for ; Tue, 25 Jul 2017 15:51:23 +0000 (UTC) Received: from emsm-gh1-uea11.ncsc.mil ([214.29.60.3]) by upbd19pa10.eemsg.mail.mil with ESMTP; 25 Jul 2017 15:51:20 +0000 X-IronPort-AV: E=Sophos;i="5.40,411,1496102400"; d="scan'208";a="463192" IronPort-PHdr: =?us-ascii?q?9a23=3AS2qbZBK4SExcx59pm9mcpTZWNBhigK39O0sv0rFi?= =?us-ascii?q?tYgQKv/4rarrMEGX3/hxlliBBdydsKMUzbKO+4nbGkU4qa6bt34DdJEeHzQksu?= =?us-ascii?q?4x2zIaPcieFEfgJ+TrZSFpVO5LVVti4m3peRMNQJW2aFLduGC94iAPERvjKwV1?= =?us-ascii?q?Ov71GonPhMiryuy+4ZPebgFLiTanfb9+MAi9oBnMuMURnYZsMLs6xAHTontPde?= =?us-ascii?q?RWxGdoKkyWkh3h+Mq+/4Nt/jpJtf45+MFOTav1f6IjTbxFFzsmKHw65NfqtRbY?= =?us-ascii?q?UwSC4GYXX3gMnRpJBwjF6wz6Xov0vyDnuOdxxDWWMMvrRr86QzSi67pgRgHuhi?= =?us-ascii?q?kJKjU19HjbhtJsgK5eph+quh5xzJPOYIyNNPRwYK3Tc9AdS2RcRsZcVTFND42i?= =?us-ascii?q?YIsUFOcNIfpUopPhq1YUsReyGQ+hD/7vxD9SgX/22LU33fk9EQ7YxAwgH8wBsH?= =?us-ascii?q?LJp9voMacdS+S1zK3WwjTDcvhb3iz955XTch06vfGNXa5/ccrWyUU1EQPFlU+f?= =?us-ascii?q?pZbqPzOSyOQAqm6W5PdjW+K3k2Mrtg58rze1ysosl4XFnJwZx1/a+Slj3Yo4I8?= =?us-ascii?q?CzRlRhbt6+CpRQsjmXN45xQsw/XW5loD06yrgauZ6jeygK1Ygnywbfa/OZd4iI?= =?us-ascii?q?5QruVPqLLjdihXJlZam/iwyu8Umg1uL8Vs603ExMriVZidnDqmoB1xnS6siDUv?= =?us-ascii?q?d9/0Gh1iiT1w3L9+1JLk85mbDbJpI82LI8iJUevVrZEiPrgEn2ibWZdkQg+uim?= =?us-ascii?q?8eTnZbDmq4eHN4BqjgH+M6IumtGwAOghKQcOWHWb+eKg27L95k30W6lKj/0qna?= =?us-ascii?q?nZt5DWP8IbprWjDANP3YYj7Ai/Ay+80NsEhXkHME5FeBWfgojrPFHOJur3Deu/?= =?us-ascii?q?g1u2ljdm3PLGPrrnApXINHfDi6vhcqhn605H0gYzyspf551MALEbPP3zQlPxtM?= =?us-ascii?q?DfDhIhMQy0wfzoB8l+1oMFXmKPBK6ZML3JvF+G4uIvPuaNa5QIuDb7N/gl+uTi?= =?us-ascii?q?jXgjmV8SZaOpx4cYaGikHvR6JEWUeWLsjckaHmgUuAo+TfDqiFqZXD5SeXm9Qb?= =?us-ascii?q?wz6is8CIK8AofJXpqtj6CZ3CenAp1WYXhLBU2LEXfucYWLRukDaCaTIsJ6iDML?= =?us-ascii?q?S6KhS4g72RGprg/6xKJtLvDI9S0AqZLjyN916vXOmhEu7zN0Fd+Q3H2KT2Fxgm?= =?us-ascii?q?wHXSQ23LxlrUx71FiDzbByg+ZEGtxL+/NJTgA6OIbdz+x8F9D9RAbBccmMSFm4?= =?us-ascii?q?XtWmGzEwQ8k2w98WfUl9HdCigQrC3yquGLAVkLOKCIYz8qLG0Hj7P9x9xGre1K?= =?us-ascii?q?k9k1kmRdNCNG2nh6548QjeHIvJk0GAm6arc6QQxijN+32ZzWqNvUFYThB/Xb/D?= =?us-ascii?q?XX8Bekvctc756V/aT7+yFbQnNRNMxtCaKqRQcN3pjE5GSez7ONvEeWKxmnywBQ?= =?us-ascii?q?6MxryWcIXlZX8R3CLHCEgLiwoT52qJNRAiBie9pGLTFDJvFVPrY0Pp7+Z+smi2?= =?us-ascii?q?TkEqwA6XaE1hzaC6+gYPhfybSfMcwK4LuDs7pzVzBla90MrcC8CcqAp5YKVcfd?= =?us-ascii?q?Q97U9J1WLDrQN9OICvL6F5hlMFdgR3p0Lu2wxsCoROisgmtnQqzBB9KaiAylNO?= =?us-ascii?q?ayuY3YzsOr3QMmTy/wqga63R2lHDy9uW+b0A6Pc/q1X+pg2pEVAi83p/2dlPz3?= =?us-ascii?q?Sc/onKDBYVUZ/pSEk46gJ6p7DEbSkn/I7bz2FjMayuvj/FwdIpC/Mvygy8cNdH?= =?us-ascii?q?LKOECAjyHtUGCMe0LOwlhUOpbg4EPeBV76M0JN+pd/qY166tIOZgnSipgX5B4I?= =?us-ascii?q?9jzkKG7zB8RfLQ35YZ3/GY2ROKVy3hg1i8qc33loVEZD4IEmq51yfkGJZbZrdu?= =?us-ascii?q?coYTFWeuP8q3y81lh57jQX5Y80WjB08d1c+yfxqSaFL83QhK2kQRu3CnnzW3zy?= =?us-ascii?q?BsmTEzsqWfxDDOw/jldBcfNG9EXm1ijUvyLoiulNAXR1aoYBYzlBS++Eb6wrJX?= =?us-ascii?q?pKNlL2ncWU1IZTT5L3l+UqussbqPe9JP5441viVWSuu8ZUuXRaL6oxsfzyzsBX?= =?us-ascii?q?BexCwhezGspJr5gwRwiHiBI3ZrsHrZZcZwyA/B5NzdWfFRwj0GRDNihTbLBli8?= =?us-ascii?q?ON+p/dqPmpfHs+C+UXiuVodUcSXxyoOAriS773VwARKjh/CzhsHnEQ8i3C//1t?= =?us-ascii?q?lqTjnIoA/nYob106S6MORnflRnBVLn8Mp6AoB+ko0xhJ4MwngWnJOV8mQbkW3r?= =?us-ascii?q?K9VUxbr+bGYRRT4M29PV+g/l2ElnLn2X3YL2SnKdw8V6atmhf2MZxjk949pNCK?= =?us-ascii?q?eO47xOhTF1rUagrQLNffh9mS8QyeM0534Hh+EFohAiwj+GDbAVGUlYISvslxKT?= =?us-ascii?q?4tC7sKlXYmGvfqSq2Ep4g9+hEKmIohtAV3bhZpciAShw4918MF3S1n3z8ZrpeN?= =?us-ascii?q?rOYtIVrR2UlQnPj/RPJJI2jPoKijJtOXjhsn091+47kRtu0ImivIedNmVt+Ly2?= =?us-ascii?q?AgZCOT3ze8Mc5CvtgL1DnsaNwY+vBI5hFi8QXJvvUPKoCi4duurpNwaJCj08pW?= =?us-ascii?q?mUFaDZHQCB9Edst2jPHIyzN3GLOHkZys1vRAebJENCmw0UQjM6kYM5Fgywwszu?= =?us-ascii?q?blt57CgL5lHkshtM1v5oNx7nX2fHvgiodzM0RYODIxpX8gFD517ZMcKE4eJ1BS?= =?us-ascii?q?1Y+YehrAOVIGyBewtIFX0JWlCDB137Pbmv5d3A/PaDC+q7KPvOb7uOpvJCV/eU?= =?us-ascii?q?xZKv1Y5m8CiWOsWJIHZiE+Ux2lBfUnBhB8TZhzIPRjQZly3Xac6buBC8+ihso8?= =?us-ascii?q?Cx7vvkRQXv5ZGVBLtKK9Vv/BK2jrmfOO6Mnip5LixY1pwUz3/S1LcfxEISiz1p?= =?us-ascii?q?dzS1C7QMryDMQLjVmqBNCx4bbCNyOdBS4K0g2wlBI8nbisn61rRglP46F09FVU?= =?us-ascii?q?D9msGufcEKLXu9O03aC0aQLruGIyHLw8bsYa6nU7JfkOBUuwe3uTaBHE/pJi6D?= =?us-ascii?q?mCXxVxCzLeFMizmWPBpEuI6nahZtEXPuTNznah2hK993kTM2wbwyhnzQM24TLT?= =?us-ascii?q?l8fFlJrrGK6iNYmPp/EXRb7nV5NemEhzqZ7+7AJ5kNqvRnBSB0l+NB4HQm0LtZ?= =?us-ascii?q?9jpES+JplyfItd5hvVWmkuiJyjp6XxtDsSpEhYKRvUV/IqXV7JdBVmzY/BIW6m?= =?us-ascii?q?WQDQ4Gp9x/Ct3go6pQ0MTAlLrvKDde9NLZ5c0cB8nQKMKDLnUhKgHkFyTKAwsf?= =?us-ascii?q?Sj6nL2bfh1ZSkPuK7H2asoA6qoTwmJoJUrJUT101FvwdCkRjB9ENPYl4USglkb?= =?us-ascii?q?GBis4E/32+rAPeRM9CpJDISuqSAenzKDaelbRLfRQIzqnmLYsNLYD73FRiZUd8?= =?us-ascii?q?nITPAUXQXNRNrTZmbg47uklN92J+TmIr0UL/dgyt+GMTFeKznhMulgt+ZuEt+C?= =?us-ascii?q?3241cwJ1vFui0wn1IrmdXinz+RcyX8I7u3XYFTFyX7rVMxMo/hTwZzcwKygVRu?= =?us-ascii?q?NC3YSLJJk7tgaWdrhRfauZRRA/FcSbZJYBwXxfGMe/Uny1Jcqj6kxU9G/+fFD4?= =?us-ascii?q?VtlBcye562s31Awx5jbMIyJaHIPqpG0ENQibyUsS+yyu8xwBQTKF0M8GOIZSEI?= =?us-ascii?q?v0IINqE8JyW2/u1g8wqClCVfeGIUTfolvupq9l8hO+SH1y/vzqRMKl6wN+OCNK?= =?us-ascii?q?OUoHLPldSSQlM32EIIjFdK8qRr0cc5ckqUS0AuwKGXFxsXKcrIMRtVYNZK9HjP?= =?us-ascii?q?YSaOtv3Azo9uP4qjDO/oQvWOu7wKgk+/BwYmBYcM7tkbHpa2yk3YKdrnLLgfxh?= =?us-ascii?q?U3/QjrOFKFDPdJeRKMijsHpd+wzINv14lHOj4dGXl9MTmw5rvPog8qh+CDU8kw?= =?us-ascii?q?YnYbWYsJLX02WMunmyJDuHRAFja32PoDyAee9z/8ujjQDD7kYtp4eviUYRJsCN?= =?us-ascii?q?er+TQw6KW5lVnX8pDCKG7gLtRipsXD6eUEqJabE/lUV6Vys1/Am4lEQHynS3PA?= =?us-ascii?q?HsKwJ5j3bYksccH4B22kUlOhkTI1TsbwPNGrLqSShwHnW5pUupGB3D8/Lc+9Ci?= =?us-ascii?q?0eGxBoquEA/qJ9ZRcMY5wnYR7orAk+OKu/IB+E3dm0RWaiNydWReFFzeqmf7xX?= =?us-ascii?q?0zYsbuiixXs8T5E6yu638VINRJAKlRzR2PejZolEXifoAHBdfRvApTYhnWh7Ku?= =?us-ascii?q?ky2vs/wA/PsVQEPDCLbvZmaGpYv9wnBFOSJnt3CmwkR1+ck4XD4wis36wM8CtH?= =?us-ascii?q?hdpU1/NKsGTmtJ/FfD2sQLCrqYnSsyc4d9cmp6xxPpD9LcSesZPfnjrfTJ7Wsg?= =?us-ascii?q?KfSyO1DPtalcJWIC5BTvlIhHspOcoYtopd8UAxTNsxJ6RTCKkwobCncSFrAjAU?= =?us-ascii?q?zSICTYyPwSICjfmm27vBjBiQapQjPAYDsJVYjdsXSzR2bT8GpK+/S4XWkHeJSn?= =?us-ascii?q?INIAcS8QtM5AUAlotrfu79+YTGUYVCxiJRrf9vTiTLEZxo+EfhRWGNnVj0UvOh?= =?us-ascii?q?nPK13QhK1vLjzsEbWAJjCUha3+tZikkoJ6trJKQLooHKtTuIdUf7vG3z0uumOE?= =?us-ascii?q?dextHUd1HiC4rFr2X8WDUG+XIIXY9P1G3fFZMKngpjcqkrvlJML5u9d0bi/Twr?= =?us-ascii?q?3ZppEKe8VcCqwVYlonIGRyalE9pBF+FmvkjYWCdgY5yxrpXqJYlSSHdK+JKBs1?= =?us-ascii?q?dZjFltMymhxJtSMc1C/j4MXDlKoTWcptSyS9ZO2c5oAJASPNhzoXD9GLlLOJKJ?= =?us-ascii?q?uX05pqTvymPF+zA7qFq63DKzG6uiQOJD8WweHQEpJ2qFp0kqCOss9XzS/U7RvV?= =?us-ascii?q?Bu+OdbHaOPjUR3oDZyBJxOASxJ1X+9JVRpUHZGq/laKLjSc8FEWfYyfwKvOxok?= =?us-ascii?q?Gf4lxEGJ/EB0nXblYyNprAda/T7SXxUsXykPnrjtgSEeqt2gOTICV5JIajAhYj?= =?us-ascii?q?zZKw6HnCBYpwxTa0d0VJAFGtxF4a0U3ZNI/sreTkahMSEFUwZ4Ng0i1fpQiFVO?= =?us-ascii?q?v1iGdiDFFQqna/LPvQNtfcuLq86pNvv59h9dioz7qOA467kDR3q+lA2vRtDRsZ?= =?us-ascii?q?TxucCUuUuVaqj4KfG8bmHcQzTWixC/m6skBYHQ/yfPKApbN4V6yX08bJf6B27E?= =?us-ascii?q?IQhKKqAGK0dVTq11ddJGouVGaMB+Y6YJ5bVhBhSZSRPzAIavtuVJLk7PRTTCKC?= =?us-ascii?q?WM6va/rpzO4rzdU+fgeteBx3LAQ6JpIJh29yX0G7D33oBA4Eb23Oli9l9iQ1jc?= =?us-ascii?q?Ly+BtMjhJh8M5MS6bkvipYEpEinLD5dsi3ft3UZAd9cNQyK27psYzo9Z6GzqRu?= =?us-ascii?q?J8yETzt/dS97Z844kt/79p0du0JbvVKflCrU9nGAabCRt3+Zg2HWh/Q3xRYvUL?= =?us-ascii?q?J/fPfKQZisTupP7rF6AN7x2V4eNZY8PdJ07dgsm/Fi2cSRtckQcEszEaKg+c2O?= =?us-ascii?q?CZm69oU8mqv/P02kQz7FiiNR4J0Kpi5Z+a9aaSou/YcQfRx6AeWqf2XsPzsqgs?= =?us-ascii?q?u0SK6P0mjrEOYGt1YxajEOcHSM4Q3WLgzb0uzSIwEsPMA7Pg9+RFV3IihD7gnI?= =?us-ascii?q?p9H1oOEPMOAbWL5Zhenns/m+HBNN0ZaKZCmmiVFR6jD7AN12Wm6zeNL2ljmRHO?= =?us-ascii?q?1Av8QWWt41/qtSV4WzfDz8//kkpJUbm6HUhSXzeoOU98tDOAIg/oucHqtqsr90?= =?us-ascii?q?42M3brtNSXmGumIrNXENX1JMaALiksuFIXkJoxS8Sp2YAfAte9IdER8HRkYvvf?= =?us-ascii?q?7WOrnTVBrL1ch4rC+MGV5+nYHWW9j62AtbqB3jdYymI3vVsn8NCvKunO58GWQ/?= =?us-ascii?q?Svz2sRSiB/uw3dXx66tLPWtFUUOU2R30fNhoMKIt9Y3X4i1kHl/+gvWtQz+xtC?= =?us-ascii?q?FozYffMNuSjzOCfowVaYe983UjKe0z5XE1/uH1l3BrUz2GXqvM3TjXfQ4VooRo?= =?us-ascii?q?tueEP7mRx7FYI4KVgi6FIP2CoMDRANaQyHDLGvHUnlNpELVVYZZhSIwre6Ybw6?= =?us-ascii?q?3VZpzbOx/uDTYvJzB7EXOvZbkAGOgEBRGogKvq0GXLJ8Z1hd+bbVpgjjDojqRP?= =?us-ascii?q?3mmmQwNPKrWMBa8MYZt3Q47ga5WRWg9Y9J76wHh5CQaq5EfZ/Msdh970Zm/zEA?= =?us-ascii?q?bDBCjQNkjxynTeATuvzs7sLcsJqy5eakTLwtSPkP9xgoG2R+iIP9j0siodHM2e?= =?us-ascii?q?ZTUI/ViYXj8ABVOXGKpYLa3gJgJuoJNo2kYqxv92gdJygZPXIBJ8Caa/4m4y9i?= =?us-ascii?q?KD/T/UBNAtsQZdMEO8rAgRhUhVf1WL5P9sraFFiYC51wd8wx9Gr41jQ18Zo6Uu?= =?us-ascii?q?b95z67Pojf4EtRP/xfjCVtmtXCpPIWwfbICygY/2OZax5rzSOG0ZWNDOzw/eqU?= =?us-ascii?q?wtHOS1wGBjI2U5taJDea5QynXPS6lJHzXQOS9MD+m48xdEOfRnywgKQKqL1MHv?= =?us-ascii?q?RaiiXmxDReEJ76h+6Nudq29GRXrkFHEJp07RDdF6VQJI97NgrklsmrXUV8Air/?= =?us-ascii?q?eN3KeRououWW2/wM7/94N0TgeY8ROggExK7i6XpJUgtuT6b7vlmHUuIXeNtmT/?= =?us-ascii?q?TEondO6Y1+L68PPV6dpIHlrzpTrFA5HhUpab8qoTBAcEnBghFVUb7uuLEckgsc?= =?us-ascii?q?TcJ5uUhUFGK2OWIx+z3HVaBPg6mKEvAV8zKTTqsVU0VzKS5+Rhy42Zp0d7uuh/?= =?us-ascii?q?BHvXtMnjlhr/gyzzxmWBy8tDXjp60RwjIg46i0uigOt3JDT+WelTrICFpYwfQF?= =?us-ascii?q?iKcTEXDi5kKmbHkEdovy76FtJd78+ok5/3Q/fRIjcjUEXeSnCyHwibmEDZCPsN?= =?us-ascii?q?JYmR6CpcTPbb61LSgJNbQ9yAnuR2Z80gjAhhlo9HYEQjS64N8iOoq9Jd4vxjC0?= =?us-ascii?q?FmjDaFYM/qRJvdPwtV4VVuQ2b0hswGF+0seaRy0NQ9fPF3wyjgg+ZmVOaIhD5g?= =?us-ascii?q?MCF6k0njaIubFL/gMKbzfaHISl/pLdnMnS1nk7U9hq2njapqubiZM2yHdlgc97?= =?us-ascii?q?7jaSuHQOcOzVS8BsAnz01oZR1+P+Y/Gtv/scSIthzrShUeMNPtOl+WSoxJVgQl?= =?us-ascii?q?WlyagGH1qlLO8Dwa/WUyWlSWyYQeSLdGyMnzclMkHs/hSoK1w3aNtQr0AjKOfC?= =?us-ascii?q?gYRclwL5W7NuWiqQvUPbzHAkMe4CawI2uYKndhcWTO4Qe+ecJvYhwPkkBFsKcX?= =?us-ascii?q?DJATN8C/Wqvl61gIh7J3Jg7F3/YeTs8QDmM9ySFwIGEYHArZ5x/vq6SXyHOXN6?= =?us-ascii?q?yh19IlV0/f/FF1stru9cb4qRnd/Iittgz+EFcettPDYmut4XnYJj9ZWU0NmUfh?= =?us-ascii?q?7M1JryIsvVoveACf3F00sqYn1aUqYeYQ7t6YU1INo5W7zLHbRHphkdBKk6QJkk?= =?us-ascii?q?N2jv7qF0KB18fhTWZLSujcngvviLaYdMp3/K8lIwKz/RuhMbyvyuTAx0c46lim?= =?us-ascii?q?73IJAxWjJBtcNiBgFhHItVFMMKtxCnDIKMmKGnl9+x/Ft3u+gOsaXuEf3KzNC5?= =?us-ascii?q?0J9qX5hG5EyEICrRBLN1jUt7lOiyhOnP0oXpA8P4ZdwETPR7QnLCarLeGoW/Kz?= =?us-ascii?q?SOOt/zekJf976c0al5UgmKZC3iXqqJriukNPJ+7UU80Ix4c/LZzCYx4LHDxNvy?= =?us-ascii?q?e2Zbqz+4rXGXMJtf7VrKBfHRXh5TRvSF7GZlErMNbYTq7OcBK8cvwNuC7Alp6j?= =?us-ascii?q?RNzs+FLLO8rk/DwE57cojbLETx0SYjRYYKOAi/MVcrgWLBr3TSG2hTLsilKclr?= =?us-ascii?q?h9aYFQLt50h3mW4zYm5BG2zoRcqeOGQB3MK+fgKK/hpRD9kfh+63ZVI4tqqqRO?= =?us-ascii?q?lqIJpFmuKqu64cnNZ0LSHPWMhaPybNLL95PjpREv/DpF42bR4Yq7I1QJs6ZYCS?= =?us-ascii?q?IEMbN0eN0SHyzQ7F0U3ubdys1b2JLT0Q8npdyrLKzzlMqxO+ufaDjc3pSKrZY4?= =?us-ascii?q?3uXP7OLColUSmXRS88EUas5VipuvkJseGGIWgBuFAUYyOTCAkVpqx1q9jfEHPT?= =?us-ascii?q?yqVfe8gRifSbXT3gYDFpn6o1QCBQvAaDRORQOxPRairanGdEuAGkbsRJ9HbhYq?= =?us-ascii?q?zQkrFZQMQKE4BMdbufWNKedvdAcWR73g4FMfqxKoWP540y1UjFGC5DS6Q=3D?= X-IPAS-Result: =?us-ascii?q?A2DmAQBtaHdZ/wHyM5BeGgEBAQECAQEBAQgBAQEBFQEBAQE?= =?us-ascii?q?CAQEBAQgBAQEBgwQrgWUTjn+pCSWIX1cBAQEBAQEBAQIBaiiCMySCSQJ2AwMJA?= =?us-ascii?q?hcxCAMBbAWICU+BRQ2zdiICi0WDKIUujgsFn1eUEg2LSIZvApVpV4EKKAoCHwg?= =?us-ascii?q?iD4VfHIIDWok1AQEB?= Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1]) by emsm-gh1-uea11.NCSC.MIL with ESMTP; 25 Jul 2017 15:51:10 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v6PFp4XU025003; Tue, 25 Jul 2017 11:51:07 -0400 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id v6PFp3Ch026440 for ; Tue, 25 Jul 2017 11:51:03 -0400 Received: from moss-pluto.infosec.tycho.ncsc.mil (moss-pluto [192.168.25.131]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v6PFp1mq024787; Tue, 25 Jul 2017 11:51:01 -0400 From: Stephen Smalley To: selinux@tycho.nsa.gov Date: Tue, 25 Jul 2017 11:55:42 -0400 Message-Id: <20170725155542.32496-1-sds@tycho.nsa.gov> X-Mailer: git-send-email 2.9.4 Subject: [PATCH] selinux-testsuite: Add tests for transitions under NNP/nosuid X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: Cc: Stephen Smalley Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP Duplicate the existing tests for transitions under NNP for transitions on a nosuid mount, and then augment both the NNP and nosuid tests to also test the new support for allowing transitions based on nnp_transition and/or nosuid_transition permission if the nnp_nosuid_transition policy capability is enabled. Signed-off-by: Stephen Smalley --- policy/Makefile | 6 ++- policy/test_nnp.te | 17 +++++++++ policy/test_nosuid.te | 51 ++++++++++++++++++++++++++ tests/Makefile | 2 +- tests/nnp/test | 40 +++++++++++++++++++- tests/nosuid/Makefile | 7 ++++ tests/nosuid/checkcon.c | 41 +++++++++++++++++++++ tests/nosuid/execnosuid.c | 55 ++++++++++++++++++++++++++++ tests/nosuid/test | 93 +++++++++++++++++++++++++++++++++++++++++++++++ 9 files changed, 309 insertions(+), 3 deletions(-) create mode 100644 policy/test_nosuid.te create mode 100644 tests/nosuid/Makefile create mode 100644 tests/nosuid/checkcon.c create mode 100644 tests/nosuid/execnosuid.c create mode 100755 tests/nosuid/test diff --git a/policy/Makefile b/policy/Makefile index b728a9e..7cdee96 100644 --- a/policy/Makefile +++ b/policy/Makefile @@ -23,7 +23,7 @@ TARGETS = \ test_task_getsid.te test_task_setpgid.te test_task_setsched.te \ test_transition.te test_inet_socket.te test_unix_socket.te \ test_mmap.te test_overlayfs.te test_mqueue.te test_mac_admin.te \ - test_ibpkey.te test_atsecure.te + test_ibpkey.te test_atsecure.te test_nosuid.te ifeq ($(shell [ $(POL_VERS) -ge 24 ] && echo true),true) TARGETS += test_bounds.te @@ -57,6 +57,10 @@ ifeq ($(shell grep -q all_file_perms.*map $(POLDEV)/include/support/all_perms.sp export M4PARAM = -Dmap_permission_defined endif +ifeq ($(shell grep -q nnp_transition $(POLDEV)/include/support/all_perms.spt && echo true),true) +export M4PARAM += -Dnnp_transition_permission_defined +endif + ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6)) TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te, $(TARGETS)) endif diff --git a/policy/test_nnp.te b/policy/test_nnp.te index 54ebfd3..b99e406 100644 --- a/policy/test_nnp.te +++ b/policy/test_nnp.te @@ -32,3 +32,20 @@ domain_entry_file(test_nnp_notbounded_t, test_nnp_notbounded_exec_t) # Run it! This should fail always. unconfined_runs_test(test_nnp_notbounded_t) unconfined_run_to(test_nnp_notbounded_t, test_nnp_notbounded_exec_t) + +# A domain to which the unconfined domain is allowed nnp_transition. +type test_nnp_nnptransition_t; +domain_type(test_nnp_nnptransition_t) +typeattribute test_nnp_nnptransition_t testdomain; + +# The entrypoint type for this domain. +type test_nnp_nnptransition_exec_t; +files_type(test_nnp_nnptransition_exec_t) +domain_entry_file(test_nnp_nnptransition_t, test_nnp_nnptransition_exec_t) + +# Run it! This should succeed on v4.14 or later. +unconfined_runs_test(test_nnp_nnptransition_t) +unconfined_run_to(test_nnp_nnptransition_t, test_nnp_nnptransition_exec_t) +ifdef(`nnp_transition_permission_defined', ` +allow unconfined_t test_nnp_nnptransition_t:process nnp_transition; +') diff --git a/policy/test_nosuid.te b/policy/test_nosuid.te new file mode 100644 index 0000000..0d3d2ab --- /dev/null +++ b/policy/test_nosuid.te @@ -0,0 +1,51 @@ +################################# +# +# Policy for testing nosuid transitions. +# + +# A domain bounded by the unconfined domain. +type test_nosuid_bounded_t; +domain_type(test_nosuid_bounded_t) +typeattribute test_nosuid_bounded_t testdomain; +typebounds unconfined_t test_nosuid_bounded_t; + +# The entrypoint type for this domain. +type test_nosuid_bounded_exec_t; +files_type(test_nosuid_bounded_exec_t) +domain_entry_file(test_nosuid_bounded_t, test_nosuid_bounded_exec_t) +domain_entry_file(unconfined_t, test_nosuid_bounded_exec_t) + +# Run it! This should succeed on v3.18 or later, fail on older kernels. +unconfined_runs_test(test_nosuid_bounded_t) +unconfined_run_to(test_nosuid_bounded_t, test_nosuid_bounded_exec_t) + +# A domain that is not bounded by the unconfined domain. +type test_nosuid_notbounded_t; +domain_type(test_nosuid_notbounded_t) +typeattribute test_nosuid_notbounded_t testdomain; + +# The entrypoint type for this domain. +type test_nosuid_notbounded_exec_t; +files_type(test_nosuid_notbounded_exec_t) +domain_entry_file(test_nosuid_notbounded_t, test_nosuid_notbounded_exec_t) + +# Run it! This should fail always. +unconfined_runs_test(test_nosuid_notbounded_t) +unconfined_run_to(test_nosuid_notbounded_t, test_nosuid_notbounded_exec_t) + +# A domain to which the unconfined domain is allowed nosuid_transition. +type test_nosuid_nosuidtransition_t; +domain_type(test_nosuid_nosuidtransition_t) +typeattribute test_nosuid_nosuidtransition_t testdomain; + +# The entrypoint type for this domain. +type test_nosuid_nosuidtransition_exec_t; +files_type(test_nosuid_nosuidtransition_exec_t) +domain_entry_file(test_nosuid_nosuidtransition_t, test_nosuid_nosuidtransition_exec_t) + +# Run it! This should succeed on v4.14 or later. +unconfined_runs_test(test_nosuid_nosuidtransition_t) +unconfined_run_to(test_nosuid_nosuidtransition_t, test_nosuid_nosuidtransition_exec_t) +ifdef(`nnp_transition_permission_defined', ` +allow unconfined_t test_nosuid_nosuidtransition_t:process2 nosuid_transition; +') diff --git a/tests/Makefile b/tests/Makefile index f42fe7e..3edf73c 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -11,7 +11,7 @@ SUBDIRS:= domain_trans entrypoint execshare exectrace execute_no_trans \ task_getpgid task_setpgid file ioctl capable_file capable_net \ capable_sys dyntrans dyntrace bounds nnp mmap unix_socket inet_socket \ overlay checkreqprot mqueue mac_admin infiniband_pkey \ - infiniband_endport atsecure + infiniband_endport atsecure nosuid ifeq ($(shell grep -q cap_userns $(POLDEV)/include/support/all_perms.spt && echo true),true) ifneq ($(shell ./kvercmp $$(uname -r) 4.7),-1) diff --git a/tests/nnp/test b/tests/nnp/test index 4c7e010..6dcb5dc 100755 --- a/tests/nnp/test +++ b/tests/nnp/test @@ -1,7 +1,23 @@ #!/usr/bin/perl use Test; -BEGIN { plan tests => 4 } + +BEGIN { + $test_count = 4; + $test_nnp_transition = 0; + + if ( + system( +"grep -q 1 /sys/fs/selinux/policy_capabilities/nnp_nosuid_transition 2> /dev/null" + ) == 0 + ) + { + $test_nnp_transition = 1; + $test_count += 2; + } + + plan tests => $test_count; +} $basedir = $0; $basedir =~ s|(.*)/[^/]*|$1|; @@ -38,6 +54,28 @@ $result = system("$basedir/execnnp $basedir/checkcon test_nnp_notbounded_t 2>&1"); ok($result); #this should fail +if ($test_nnp_transition) { + + # Set entrypoint type for nnptransition domain. + system( + "chcon -t test_nnp_nnptransition_exec_t $basedir/checkcon $basedir/true" + ); + + # Transition to nnptransition domain via setexec. + $result = + system( + "$basedir/execnnp runcon -t test_nnp_nnptransition_t $basedir/true 2>&1" + ); + ok( $result, 0 ); #this should succeed + + # Automatic transition to nnptransition domain via exec. + $result = + system( + "$basedir/execnnp $basedir/checkcon test_nnp_nnptransition_t 2>&1"); + ok( $result, 0 ); #this should succeed + +} + # Cleanup. system("rm -f $basedir/true"); diff --git a/tests/nosuid/Makefile b/tests/nosuid/Makefile new file mode 100644 index 0000000..239e0f0 --- /dev/null +++ b/tests/nosuid/Makefile @@ -0,0 +1,7 @@ +TARGETS=execnosuid checkcon + +LDLIBS += -lselinux + +all: $(TARGETS) +clean: + rm -f $(TARGETS) diff --git a/tests/nosuid/checkcon.c b/tests/nosuid/checkcon.c new file mode 100644 index 0000000..d8a1e15 --- /dev/null +++ b/tests/nosuid/checkcon.c @@ -0,0 +1,41 @@ +#include +#include +#include +#include +#include +#include +#include + +int main(int argc, char **argv) +{ + char *con = NULL; + context_t c; + const char *type; + int rc; + + if (argc != 2) { + fprintf(stderr, "usage: %s expected-type\n", argv[0]); + exit(-1); + } + + if (getcon(&con) < 0) { + perror("getcon"); + exit(-1); + } + + c = context_new(con); + if (!c) { + perror("context_new"); + exit(-1); + } + + type = context_type_get(c); + if (!type) { + perror("context_type_get"); + exit(-1); + + } + + rc = strcmp(type, argv[1]); + exit(rc); +} diff --git a/tests/nosuid/execnosuid.c b/tests/nosuid/execnosuid.c new file mode 100644 index 0000000..4324937 --- /dev/null +++ b/tests/nosuid/execnosuid.c @@ -0,0 +1,55 @@ +#include +#include +#include +#include +#include +#include +#include +#include + +int main(int argc, char **argv) +{ + bool nobounded; + struct utsname uts; + pid_t pid; + int rc, status; + + if (argc < 2) { + fprintf(stderr, "usage: %s command [args...]\n", argv[0]); + exit(-1); + } + + if (uname(&uts) < 0) { + perror("uname"); + exit(-1); + } + + nobounded = ((strcmp(argv[argc - 1], "test_nosuid_bounded_t") == 0) && + (strverscmp(uts.release, "3.18") < 0)); + + pid = fork(); + if (pid < 0) { + perror("fork"); + exit(-1); + } + + if (pid == 0) { + execvp(argv[1], &argv[1]); + perror(argv[1]); + exit(-1); + } + + pid = wait(&status); + if (WIFEXITED(status)) { + if (WEXITSTATUS(status) && nobounded) { + printf("%s: Kernels < v3.18 do not support bounded transitions under NNP.\n", + argv[0]); + /* pass the test */ + exit(0); + } + exit(WEXITSTATUS(status)); + } + + fprintf(stderr, "Unexpected exit status 0x%x\n", status); + exit(-1); +} diff --git a/tests/nosuid/test b/tests/nosuid/test new file mode 100755 index 0000000..cd46109 --- /dev/null +++ b/tests/nosuid/test @@ -0,0 +1,93 @@ +#!/usr/bin/perl + +use Test; + +BEGIN { + $test_count = 4; + $test_nosuid_transition = 0; + + if ( + system( +"grep -q 1 /sys/fs/selinux/policy_capabilities/nnp_nosuid_transition 2> /dev/null" + ) == 0 + ) + { + $test_nosuid_transition = 1; + $test_count += 2; + } + + plan tests => $test_count; +} + +$basedir = $0; +$basedir =~ s|(.*)/[^/]*|$1|; + +# Create nosuid mount. +system("mkdir -p $basedir/testdir"); +system("mount -t tmpfs -o nosuid none $basedir/testdir"); + +# Set entrypoint type for bounded domain. +system("cp $basedir/checkcon $basedir/testdir"); +system("chcon -t test_nosuid_bounded_exec_t $basedir/testdir/checkcon"); + +# Transition to bounded type via setexec. +$result = system( +"$basedir/execnosuid runcon -t test_nosuid_bounded_t $basedir/testdir/checkcon test_nosuid_bounded_t 2>&1" +); +ok( $result, 0 ); #this should pass + +# Automatic transition to bounded domain via exec. +$result = system( + "$basedir/execnosuid $basedir/testdir/checkcon test_nosuid_bounded_t 2>&1"); +ok( $result, 0 ); #this should pass + +# Use true as an entrypoint program to test ability to exec at all. +system("cp /bin/true $basedir/testdir/true"); + +# Set entrypoint type for notbounded domain. +system( +"chcon -t test_nosuid_notbounded_exec_t $basedir/testdir/checkcon $basedir/testdir/true" +); + +# Transition to notbounded domain via setexec. +$result = + system( +"$basedir/execnosuid runcon -t test_nosuid_notbounded_t $basedir/testdir/true 2>&1" + ); +ok($result); #this should fail + +# Automatic transition to notbounded domain via exec. +$result = + system( +"$basedir/execnosuid $basedir/testdir/checkcon test_nosuid_notbounded_t 2>&1" + ); +ok($result); #this should fail + +if ($test_nosuid_transition) { + + # Set entrypoint type for nosuid domain. + system( +"chcon -t test_nosuid_nosuidtransition_exec_t $basedir/testdir/checkcon $basedir/testdir/true" + ); + + # Transition to nosuid domain via setexec. + $result = + system( +"$basedir/execnosuid runcon -t test_nosuid_nosuidtransition_t $basedir/testdir/true 2>&1" + ); + ok( $result, 0 ); #this should succeed + + # Automatic transition to nosuid domain via exec. + $result = + system( +"$basedir/execnosuid $basedir/testdir/checkcon test_nosuid_nosuidtransition_t 2>&1" + ); + ok( $result, 0 ); #this should succeed + +} + +# Cleanup. +system("umount $basedir/testdir"); +system("rmdir $basedir/testdir"); + +exit;