From patchwork Tue Jul 25 22:59:44 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jann Horn via Selinux X-Patchwork-Id: 9864025 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 9A48C600F5 for ; Tue, 25 Jul 2017 23:10:25 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7D2B9286E2 for ; Tue, 25 Jul 2017 23:10:25 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 711E2286EE; Tue, 25 Jul 2017 23:10:25 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.7 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED, RCVD_IN_SORBS_SPAM autolearn=ham version=3.3.1 Received: from uhil19pa10.eemsg.mail.mil (uhil19pa10.eemsg.mail.mil [214.24.21.83]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id AEBFE286E2 for ; Tue, 25 Jul 2017 23:10:23 +0000 (UTC) Received: from emsm-gh1-uea10.ncsc.mil ([214.29.60.2]) by uhil19pa10.eemsg.mail.mil with ESMTP; 25 Jul 2017 23:10:19 +0000 X-IronPort-AV: E=Sophos;i="5.40,412,1496102400"; d="scan'208";a="428243" IronPort-PHdr: =?us-ascii?q?9a23=3AutbAVhxc6HK3gJzXCy+O+j09IxM/srCxBDY+r6Qd?= =?us-ascii?q?1esRI/ad9pjvdHbS+e9qxAeQG96Ku7QZ1aGM6OjJYi8p2d65qncMcZhBBVcuqP?= =?us-ascii?q?49uEgeOvODElDxN/XwbiY3T4xoXV5h+GynYwAOQJ6tL1LdrWev4jEMBx7xKRR6?= =?us-ascii?q?JvjvGo7Vks+7y/2+94fdbghMhzexe7N/IRS5oQnPuMQdnJdvJLs2xhbVuHVDZv?= =?us-ascii?q?5YxXlvJVKdnhb84tm/8Zt++ClOuPwv6tBNX7zic6s3UbJXAjImM3so5MLwrhnM?= =?us-ascii?q?URGP5noHXWoIlBdDHhXI4wv7Xpf1tSv6q/Z91SyHNsD4Ubw4RTKv5LplRx/yjC?= =?us-ascii?q?cMKiA3/mfZhMdtiK5XuQ+tqwB6z4PSZ46YKPRzcr/Acd8DWWZNQ9taWyhcDo68?= =?us-ascii?q?aocCCfcKM+RFoInnv1YAsxWwCwqrCuzgxTFGm2f20K8n3+kvEQ/GxhIvH8kVvX?= =?us-ascii?q?jItdX4LrseXPqpwKXUyzjIcvNY2S366IjNah0vv/aMXbdtesfPyUkgCRnFjk+Q?= =?us-ascii?q?qIf4ITOV1/4CuHWG4eV+UeKvimgnqxx+ozOywcoskZfGhoYUylDC6CV4z504Jc?= =?us-ascii?q?G4SUFnYd6kF4FctyeBN4RsWM8iTGZouDgjx7AApJW1fzAKxYw6yxPQZPGLaYiF?= =?us-ascii?q?7g/5WOqPLjp0mmhpdK+nixqs7UStzvfwW8q03VpQsyZIlsfAumoQ2xHR7sWKTO?= =?us-ascii?q?Z28F271jaVzQ/T7/lJIUUzlaXGNZEs2qUwlp8PsUTbGS/2hVn2gLeWdko6/uio?= =?us-ascii?q?7PzqYqn8qZ+GNo90lxr+Pr4yms2/Hes4Mg8OU3Kd+eugz73s4Vf1QLBLjv0yiq?= =?us-ascii?q?XZsZbaKtoHpqOhHgNY3Yku5wy/Aju7ytgUg3YKIExfdB6al4TpPkvBIPH8Dfex?= =?us-ascii?q?mVSslzJryujdPrL/BpXNL37DkKrufLpk8EFczxczzdZD6J1KEbEMO+7zW0/tu9?= =?us-ascii?q?zYCR81KQq0w/39B9ln2YMeXnyPDreDMKzOqV+I+v4vI+6UaY8Xvzb9LeIq5+Lu?= =?us-ascii?q?jXAjn18QZqup3ZwRaHC9BPtmOFmZbmT2gtcaC2sKuRA+TOPygl2YTTFTf2qyX7?= =?us-ascii?q?475jwjCoKmD53MSZyugLya2ye7GJxWZn5dB1CCFXfoaoqFVOwRaCKUPs9hjyYI?= =?us-ascii?q?Vb+7S48uzRuurhP1y6J7LurI/S0VrZzi1Nlx5+3Wix4y7yd5D8qD3G6QSGF0hH?= =?us-ascii?q?kHRycs3KB4o0xy1EuM0bRij/xfD9xT6OtDUh0mOp7E0+x6F9fyVxrccdiVTVam?= =?us-ascii?q?RdOmAS0sQt8q3d8BfVx9G9SjjxDE2SqmGbkVmKKXBJYs6KLTw2DxJ9phy3bBzK?= =?us-ascii?q?QukkUmTdFVNWC9mqF/8A3TCJLTnEWCi6amb6Ic0zDR9G2b12qBoFlYUBJsUaXC?= =?us-ascii?q?RX0eZkrXrdP/5k7ZSr+uDa0rMgpHycKYLKtFcMfpjVZHRPf9JtvSeWSxlHmsBR?= =?us-ascii?q?yQ3LODcJLqe3kB3CXaEEULjRgT8mycNQg/HSesuHreAyZ0FVLueEPs6e1+p2mn?= =?us-ascii?q?QUAq1Q2KaFdh17Wt8B4PmfOcU+8T3q4DuCo5pTV0Bkyy39TKBNqBvApsZ6BcYc?= =?us-ascii?q?s84FtezmLYuRd9MoanL6B4iV4Uax53sF/21xVrFoVAltAnrHAwwwpxLqKYzUhM?= =?us-ascii?q?dzCC0pDzPb3XN3P+/Be1a67ZwlveysqZ+r8T6PQkrFXupBumGVc483VmzdZVyW?= =?us-ascii?q?CR6Y/WAwoXS57xVVw39xdirbHAfiY9/5/U1WFrMaSsqD/Nxs8mCfAqyhalcNZT?= =?us-ascii?q?KqWEGxHuE8cCHcihNPQqm0S1bhIDJO1S76A0P9mhd/udxK6mJ/1gnDShjWVJ5Y?= =?us-ascii?q?ByyESM+zB6SuHWw5YP2+uY0RefVzfgkFehtdj6mI5eajEWAmqw1zLkBJVKa61s?= =?us-ascii?q?Y4kLE3yhI9CyxtlkgJ7tQXFY/ka5B1wawM+pZQaSb1vl0A1MyEsYvH2nljG8zz?= =?us-ascii?q?Fvjz4pqa+f0zDUzOT5aBoLIGhLS3d+jV30O4i7k8gaXFS0bwgujBal40f6x6xf?= =?us-ascii?q?pKthNGneWl1HcDbsL2FlSKewsaCCY8FX4pMyrSpXSPi8YUydSrPlvRsa0j/sH3?= =?us-ascii?q?dZxDAhbT2lppX5nxt8iGKSN3tzqHvZecdqyhfF49zQX/lR3iAJRCNgkznYGkC8?= =?us-ascii?q?P8W1/dWTj5rDtuG+V3m9VpFKaink04eAtCq95W13DhyyhOuzmsXmEQg80C/0y8?= =?us-ascii?q?JqWT/OrBnifonhz766Pv5/fkl0GF/87NJ3Gpt5kos0gJEfx2IaiYmS/XsJimrz?= =?us-ascii?q?Kshb1r7lbHYXQj4L2dHV6hD/2EJ/NnKJ2575VnKFz8t5fda6f2cW1jgn4MxQE6?= =?us-ascii?q?iU67hEnTdyolq+tg/RZORxnjEayfQy8nIahf8GuBY1xCWHHr8SBVVYPTDrlxmQ?= =?us-ascii?q?7NCxsqNXZH20fLizykV+m8uhDLecrQFAQnr5fY0iHSBo5MVlLF3MyGHz6p3jeN?= =?us-ascii?q?TIddIcrACUkxPegOhNMp0xkOYKijR9OW/moH0l0PA0jQZ13Z2gp4iHLHht/Lil?= =?us-ascii?q?DRFGOD31YNkT+j7zgqpEmMaZwZyvFI17GjoXRJvoUe6oEDUKuPT5MQaBDSYxqm?= =?us-ascii?q?mdGbXCHQ+T8kFmoGzTE5qzLXGYOGEZzcl+RBmaPEFfmBobXCg+npMiCg+qxdDh?= =?us-ascii?q?cUdg6jAf/FH4rAFAyuVyNxnwSm3fvhunai8oSJiDKxpb9g9C6F3TMcyC6eJzGj?= =?us-ascii?q?pV/pO/owOQLWybfR5HDXkTWkyDBVDsIKWh5cXa/+ifHOq+IOPEYa+SpuxGS/eI?= =?us-ascii?q?2ZWv35Nj/zmWMsWPOmdtD+En2kVZR390AMLZlCsTSywMiy3Cddabqwmm9i1xsM?= =?us-ascii?q?+/7OzhWBjz6ouXF7tSLdJv9gisgauZOe+cniN5Jixc1pMLxX7F06IQ00IXiy10?= =?us-ascii?q?cDmtC7sAvzbXTK3Mgq9XEwIbayRrOctG9aIzwBRCOdXBhdPzyr54ieU1BkxfWl?= =?us-ascii?q?P9n8Glf8sKI3uyNFnfHkaEKKyGJSHXw8Hwea68T6dQg/9Mtx2oojubHU7jPi6Y?= =?us-ascii?q?lzn1WRCvMOdMgzudPBNCuYGyaBJtBXLkTNL8ZR2xKMV3giEuwb0omnPKMnYRMS?= =?us-ascii?q?BifExWsLKQ6yJYgul4G2Fa73pqM/eLlDiD4+nfMJYWvuNhAj5omOJC/HQ617xV?= =?us-ascii?q?4TlZS/xuhiTdtNFuo0u8nemR0TdnSwBBqjVWhIKRp0puI6HZ9oRGWXne5hIB9H?= =?us-ascii?q?mQCxMJp9plDd3joaZQxcbTlKjrMjdN78rU/dcAB8jTMM+HK2AuMQTzFz7bEgQF?= =?us-ascii?q?ViWmNXrFiExDiv6S+WOaroMgppjqhpUOVqdRVEYpGfMCFkRlANsCLY9sUTMlnr?= =?us-ascii?q?6bi8gI6GGjoxbPX8pav4rIVvSIDfXoMjaZgqFOZwEUzrPgMYQTKor71lR4ZVl1?= =?us-ascii?q?hovKBVTfUMtKoi15cAA0pkBN/2J/Tm03wE3lbQys7GUUFf6ukR48khF+bvg19D?= =?us-ascii?q?fw/1c3IULHpDc3kEk0g9nlmzeRcT/vI6e2Ro5WES30uFYyMp7gXwl1agiyklB+?= =?us-ascii?q?OzffW7Jdlb1gen53iAXEo5tABeZcTbFYYB8X3fyXZPUp0VBCpSi8wE9H4uXFCZ?= =?us-ascii?q?V8mws2bZ6sr3VA2wd9Y9IvI6zfOrZJxEBKhq2Spi+oyvwxwAgGKkYL7mydYioI?= =?us-ascii?q?tVcLNrkhPCqo4vZj6QqZmztAeWgATfwqrex29kklIeSP0zrg06JfKkC2L+GfNb?= =?us-ascii?q?2Wu3PemsGSWFM/ykMImlJe8rh3y8csbk2UV043zLuLCRsINdDOKQdLYMpO7HLT?= =?us-ascii?q?ZzqBsf3RwZJpOIWwDv3nTeiItKYSn02rAgIpH4UX48sbAJasykbYId3gLL4fxh?= =?us-ascii?q?Un/B7rK0mdDPRVZBKLly8KrNylw59p3IlSOyodDH5nPiWt/LbXoQErgOGdU9gq?= =?us-ascii?q?f3caRIoENm42WcGgnS5WoWhABiGt0u0F0AiC8yP8piPIATn4aNpjfumbZRVtCd?= =?us-ascii?q?Gx4jg//K62iUPN/pXZPWH6OsxousXT5uMCu5aHF/RUQKFms0jCn4lYRnqqU3PA?= =?us-ascii?q?ENOuO5fwbIwsYsDuBXahTlyzkTQ1QNntPNy1NKiHnRnoRZpIsImcxD0jNtW9Fz?= =?us-ascii?q?EEFBd2u+ED5LlxZQIEY5ojfRHkrQI+OLKjIA2AyNWhX36tKSdKT/lY1ei6e71X?= =?us-ascii?q?zy8rbu+myHshToo3wPS28U8NXp4FlQvSxfC9aIlCSSLzAGBSex3TpSolkGhsLv?= =?us-ascii?q?w9wuM+wBzUr1YTKzWLdexvaGxDudEzH0ifLm53CmUiQV+QlITD4hO207AU4SRd?= =?us-ascii?q?g85e0fdZv3jmop/ffDWsVbSwpprLtSotdsIprLBvMYP9OMuGr4nRnibfTZXKtQ?= =?us-ascii?q?2FSiG6HeJAmtdMOCJYXOVImWY9NMwJpIpB6E4xVsMgKLxKE6Qju66lZiFlDSEI?= =?us-ascii?q?yy8VTYSA3CYNgu2kwbvVig+QcIg+MBwDqJhCmN0dUy9qbSMeo6+jU57WmXedRG?= =?us-ascii?q?YWOgke8QNC6RkcmY93e+Dq/JDHTIRQyzJMpfJ7TDfLHIFy91TnUmGWnUT4SPK5?= =?us-ascii?q?nuyzxw1S1vXs3cIAVR5jE0hS3fhWmVUsKLF2LakQsYrKsj6HdUP6oGLtxvGpJE?= =?us-ascii?q?NUycHOcV33EpbFv3LmUiIA4X0UWZNPyHbHGJUciQZ2dKYrpFRJIICnYEn+5Ccp?= =?us-ascii?q?x4V3ELamS8+n3VElrWwJRy2yCdpOF/lmsE7LWD1ie52kso/lO4hUQmNK+52QsF?= =?us-ascii?q?ZZkERsMy6l0pVQMcdN7SAQXDJXuzWSoMOySNFf2c9xF5IMI9F/u2vjF6NAJpeR?= =?us-ascii?q?pmM5uqD1yn7Z4D08t0+6yyu1G6+9Ve1Z/mkeFR4uJ2WRsEUvCPEs8mjK+FDXrl?= =?us-ascii?q?905/tbBqSIjUhprzZ9BIpBBjBV1X2+LlRzS3dHs+NGKKTVbcNcQv8yZQOxNBwk?= =?us-ascii?q?D/Im2VKG/V1sl3fjfyNyrhda+zzaXwQsSSkVhbLtlCYCqs27PD8VUIhEbTM/YC?= =?us-ascii?q?fZMwibgzxYvA5Da0F2XJAUGtZF9KsB3YRO+srNVF2hJjwbUxx6LgI3z/5fmlBZ?= =?us-ascii?q?sEmCfiDdFwWof+7VshJrZceRsNKpLPPh8QdFjYPorvs1+LgdSH29hwKtW8zeoJ?= =?us-ascii?q?HhudGQsEuBarv4OfWmYXDdVDjMkQywhbA8ApbR8SjcLBZXJptnxXcqepXuFWnL?= =?us-ascii?q?PRFaKK0BPEpbSbp2adNYreBGf8VkYroG+bdxBhKbQRPiAJavo+dbIVbTXzveMz?= =?us-ascii?q?6M8ui4oYLN87PRV/TvZsuRyHnZWa53OIl16SXjEbfwzYBe4lb22utq9k5iUVjG?= =?us-ascii?q?KDyBo878KQMX/8SibUzivoAzHTzKHphwlmbtxltaeMoTWSGq944YyJxB4nbqVe?= =?us-ascii?q?14ylTzsPFV97R89Yk3+a5mxtmpKqrJNPRatVNnAgKOCQV095UtB2x/SH5NYuML?= =?us-ascii?q?L/fRZ6sZh9j0q+/rD6wX9AGV++tBZNvFPU7BgM6/CiqYSRNeggcMsjsaLhaY1/?= =?us-ascii?q?6Zmq97VcelqvL/2kI2+VS+KQQGzL9174ee5qWIvPPXbwfWzbUcWKjlXMXzrro2?= =?us-ascii?q?u0OV+PIriqUDenBvbA2hC+gdUdQRxmH+wqA21SgsCd/MH6r8+P5fUHI0hjTgm5?= =?us-ascii?q?RmElUXHPMUGKCH/YVYnmc2gezWLMYWcrxYmmaSCRGkDqICyWS15CeNJ2llmB7O?= =?us-ascii?q?2QnqQWyv9F/2sTN4QSzUwtflk0paSr63BUNIUCqyI0N4sTSPPA3ztNrsoqk16U?= =?us-ascii?q?47M2P+uNKKjmuhN6tdH9fjK9yEPSk0uFUXgYUtSdO13YAUB8G9IMsR8XF5dfbe?= =?us-ascii?q?8H+kky5frKdBm4re49ua9u/RHXa+k62Qs6+NyyxAyngkoVE/7citNvXV592PQ/?= =?us-ascii?q?mlzGgRQDlitAvGRR66sKTbr0oTOUyJzkjEhJAKMste3Xki2UHs/PIjT84r9AVC?= =?us-ascii?q?CobAYOsPpTLyODvx2lufZsw4VymA3DtNH1L1F1Z4FLI62G3uoMLDjW3Q9EEwRo?= =?us-ascii?q?lsa0znggR6D4Q5KE038lcY3jEOERMTZhCHEr6nGV7pLYweVUgMcR6HxqS1er8r?= =?us-ascii?q?3U1vxbOi/PTcbe1nB6sDLPldjA+OnERDGp0MrK0eRKlxdENa9KHKuAftEZXnX+?= =?us-ascii?q?LhlXoqL/K5WMda8doWt3E6+AawWwKg6Ytf77YckJ2IbrRLYYTQs8B84UZn4iQP?= =?us-ascii?q?di9UjBhkkRy5VeEcpOb+4tnUq5eo8vyhVLoxSOUX+Rk0AH5+j5jqjFAgv97Xze?= =?us-ascii?q?FcRZPRiYjl9wBNOXGKsp7A0xZgMeoON56rfLF4+nUbPSgROXYOMsCQa/Yi+CJi?= =?us-ascii?q?LTTT51NDAsMQf9wYJ9DCmRpJikHzXrFc6NbbEEeCC4hvb8Ao83b3yDct/JszSO?= =?us-ascii?q?ng8iG5JYzf71xWO/NDjTlsm8zCpOcP3PrSEzIb4X+HZBhp2imC0YWCC+7s/eWQ?= =?us-ascii?q?z9HZT1wGETAwU4dBIzqC/gurRvGrm5XtUwOU7NLzgZ0leUKUWHOxhqQEvbxWHe?= =?us-ascii?q?5GlCr7wiBUFprpiPKNr9qs9GxXu0VbH4Zx9xLKBL5SMYl8ORT8ksmrR1ZzBjHj?= =?us-ascii?q?eM7KahUuuPCaxuAW4+VxL0H+f5MUIgoYy7Lm7npYVg5uSLnwvlaFUuIeesBrSP?= =?us-ascii?q?bFrn9P74JvNbMPPVaapJzwrTdIs0o6AAk3Z78stjZabFXBnBVJW6bov74NkgQc?= =?us-ascii?q?XsJiuU9XAG6+JW0w6TzGVaRTkamQB+cY8jqWTqMUVUVnLDlyQxSv2JVhY7Gph+?= =?us-ascii?q?xIsntaniNhp/gnyz5mRBy8uS3qva4CxTIg+LWltDocuH1FT+OekzzLCVVC1/kK?= =?us-ascii?q?k6YcC2j45ly4fXYDbZH+4L95KsT87YMh+WgwYQ0/fy0aWuStEyDwj72SDYyJq9?= =?us-ascii?q?9cgAONt9jPbb+0NigeLLM9yQjsR3JlyAjRgA5o8HcXQjWn9NIkJpuyOcgrxiqs?= =?us-ascii?q?AmXaekwD4qVXv8vtr1ILSvU5aU95ymV5zseHXjENRNDIG2stgQgkbWJEcZxd5h?= =?us-ascii?q?8eE6klmS2Ivq5A/gEVfDjYCIKl9ZfMnc3Qw3kyUc9qxn7Kpq2Cnp4q0n1lmtNs?= =?us-ascii?q?7i6JvHQSdvDYXNF3D3j214df1fb+aOu3vuAAUotmx6yrUOUePcm75Wu2xJJqV1?= =?us-ascii?q?e5xrQfGlq0K/MDxrbHXCemV2KYXf6Hc26SkDYlKkTy/wWnLkUraMdWqE8wKu7C?= =?us-ascii?q?hp9flw3iVrN5XSeQqkXYzGwkN+MVaQQ2tJ2hewMUUO4bf/KcKvQ2wP0iFFsMaG?= =?us-ascii?q?fEEjBoBO+wrV6gh5N7O3Fn4UXmfeTt7B7pP8aIFhkDC47aoYZ7+eamSWKZJX9g?= =?us-ascii?q?0BpyMVFs9+fYE1Q+rPVccpiWndjUidR2yusFd/BqMS0mpNEchphj6Y6P0MeRcB?= =?us-ascii?q?HRyJnyKcvSoviCDP3V114qdX1CUroFfQP14J03PtAnVL3XHLtZpQoTCLM7QZwg?= =?us-ascii?q?Mmfx8b97LBl3cgHPfri0hdPqpu2TbJtOu3DW9k4wLDvbuxAbxP20VRZ7b5G2iH?= =?us-ascii?q?rsO50wQzNBr8F3ChR4BodPHNkArwW/CZ6OhK67k8Ox+199u+IStqrwDu7F2c+h?= =?us-ascii?q?34V1RZda/lCLPDfNC6l3mERqkPq9ju3G0pbvFcPoYckEW/RjQm7Zdr/GGZ2yKj?= =?us-ascii?q?aPOsL6Zk5H/KeQ0LZ4UhWKeCD5RLGLtCy+O/Vi5kU30It4fPDczDY19bHUxMPy?= =?us-ascii?q?Z31HpiektXOJL4VQ7FjLBezYQhJVRv2J/ml5Ha0Xc4T07vkBMcQ4z9WH4Al88i?= =?us-ascii?q?5C0M2bLKiltUDMx017eYjcLEvz1CYzQZMKLwinMUswnW/ZrWzQAXFGIce4Kclt?= =?us-ascii?q?gdCVDhv26klvmGEtYHBOGm7pRdeXJGga1NiyZAqQ9AJEF9wDhfK4eVYktq2uTu?= =?us-ascii?q?llIpdFlv+ptLUAitlkMDzPRM5GPyHQK792IzVRDuXTpFQyZB4LraQ1UJ8vZZeS?= =?us-ascii?q?OEMHLFuAySTqwATZykL4cNis1KeSICYK6XVL1anF3iZQqAWjovaWnMnjULHfbJ?= =?us-ascii?q?HrU//fKzYqVzGARTQvCkal41mltOAYvPqDJmcfpEoYYiWICA4cvqpvt8TfDnfP?= =?us-ascii?q?me1/e50HnPKaWyX3SC1ijqoyBz1LuFuKQ/UZEAnZcX7hjHBbuAy4Kf9G5WjlYK?= =?us-ascii?q?GAxqpJR+wWBZNBcuaXQ9vdZf9TJjQlmy4HOOmiZd3crrc40lXOTWcDFanH6kGe?= =?us-ascii?q?HwaqRamHyjbqW5gFl5QlsSovvNTLl2l4FLqbBbuHoy+S9duEiyPQku3TTHM8Kx?= =?us-ascii?q?gph+cJAGSb2ghoJ2YDBNUY/krqR/jTSVxL0ScVjucm8B8BYh5iGmNv2zVtkfK8?= =?us-ascii?q?HNBJAQoPgWevRuAWRExmBzM3u0mR60v9ZsJW6pObfHNX6rZZEdlVF/Iv8oSCZa?= =?us-ascii?q?Y=3D?= X-IPAS-Result: =?us-ascii?q?A2CJAQCpz3dZ/wHyM5BdGQEBAQEBAQEBAQEBBwEBAQEBFQE?= =?us-ascii?q?BAQECAQEBAQgBAQEBgwQrkHenFIp7VwEBAQEBAQEBAgFqKIIzDIJhAiRVAwkCE?= =?us-ascii?q?gUxCAMBMAEFATqICQwBQoFSA6NxP412OiIChEuHDRKDFoUujgsFkW6NaYsZiHk?= =?us-ascii?q?NiyAohm8CSJNZM4EVV4EKKAwfKg+BWxqDJkQcggeKCAMBAQE?= Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1]) by EMSM-GH1-UEA10.NCSC.MIL with ESMTP; 25 Jul 2017 23:10:10 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v6PN9LKk010241; Tue, 25 Jul 2017 19:09:32 -0400 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id v6PN9JWN004065 for ; Tue, 25 Jul 2017 19:09:19 -0400 Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v6PN9IaG010239 for ; Tue, 25 Jul 2017 19:09:18 -0400 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A1AdAQBrzndZfSQWGNZdHAEBBAEBCgEBg?= =?us-ascii?q?y8ogXuODKdvgTMDXByFK4M6PxgBAgEBAQEBAQETAQELFAiBGQ4BhHUZAQE3AYE?= =?us-ascii?q?UAQUBiE8BQoFSA6N9P4sfglc6gwgBAQWIOwEBCCAIEoMWgTKCG4FhiCyFX5Fzj?= =?us-ascii?q?WmFXoU7iHkNiyCHGUiTWTOBFR+BQlMkhWUPHBmBblaBFogfAQEB?= X-IPAS-Result: =?us-ascii?q?A1AdAQBrzndZfSQWGNZdHAEBBAEBCgEBgy8ogXuODKdvgTM?= =?us-ascii?q?DXByFK4M6PxgBAgEBAQEBAQETAQELFAiBGQ4BhHUZAQE3AYEUAQUBiE8BQoFSA?= =?us-ascii?q?6N9P4sfglc6gwgBAQWIOwEBCCAIEoMWgTKCG4FhiCyFX5FzjWmFXoU7iHkNiyC?= =?us-ascii?q?HGUiTWTOBFR+BQlMkhWUPHBmBblaBFogfAQEB?= X-IronPort-AV: E=Sophos;i="5.40,412,1496116800"; d="scan'208";a="36745" Received: from emsm-gh1-uea11.ncsc.mil ([214.29.60.35]) by goalie.tycho.ncsc.mil with ESMTP; 25 Jul 2017 19:09:15 -0400 IronPort-PHdr: =?us-ascii?q?9a23=3A8qzQLhNKKgbBDvDiZF8l6mtUPXoX/o7sNwtQ0KIM?= =?us-ascii?q?zox0Lf3+rarrMEGX3/hxlliBBdydsKMUzbKO+4nbGkU4qa6bt34DdJEeHzQksu?= =?us-ascii?q?4x2zIaPcieFEfgJ+TrZSFpVO5LVVti4m3peRMNQJW2aFLduGC94iAPERvjKwV1?= =?us-ascii?q?Ov71GonPhMiryuy+4ZPebgFLiTanfb9+MAi9oBnMuMURnYZsMLs6xAHTontPde?= =?us-ascii?q?RWxGdoKkyWkh3h+Mq+/4Nt/jpJtf45+MFOTav1f6IjTbxFFzsmKHw65NfqtRbY?= =?us-ascii?q?UwSC4GYXX3gMnRpJBwjF6wz6Xov0vyDnuOdxxDWWMMvrRr0yRD+s7bpkSAXwhS?= =?us-ascii?q?kaNzA37m/ZhM93gq1UrxysvABzw5fObY2JLvdyYr/RcNUHTmRBRMZRUClBD5ui?= =?us-ascii?q?YYsICuoKIPhVr4njqFsUtxu/BRSnCeTzyj9Pg3/5wa063Po7EQHc3A0tBN0OsH?= =?us-ascii?q?PTrNX6MKcdT/q5w7XPzTXGdv5b3yr25ovQch05v/2AQL19fdDPxUQgDQ/JkEuc?= =?us-ascii?q?pZbrMj6UzugBrXSX4u56We+si2MrsRx9rzyxyss2l4XEhIYYx1bZ/itj2ok1P8?= =?us-ascii?q?e3SEtjbN6kDpRQsyaaOpNrQsMhXW5ovDs2x7keuZGhYCQHyY4ryADBZPyCaIiI?= =?us-ascii?q?7QjvVOOLLjd5gHJpYre/hxe28US4y+38UNe70EpSoyZbj9XBuWoB2wLc58SdVP?= =?us-ascii?q?dx4F2t1DiO2gzL7+FLO0E0la7VK547xb4wk4IesVjEHi/zhEr2jLGZdl8++umo?= =?us-ascii?q?8OnnbbLmppiTN49wlA7yKLghmsu6AeggKAgBQ3Cb+fig1L3k5UD5W6tFjvk3kq?= =?us-ascii?q?nfrZDbKt8WprK5AgBJ0oYj7AyzDzG90NsCh3UHI1VFeAzUx7TubkrDJPH+EOeX?= =?us-ascii?q?n0WnkDAtwevPeLLmHMbjNH/GxYvmeP5W60NG0ht7mcxY4plUB6sbMdr8XUj+sN?= =?us-ascii?q?GeBRg8ZV/ni937Aclwg9tNEVmEBbWUZfvf?= X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0DlAgCozndZfSQWGNZdHAEBBAEBCgEBF?= =?us-ascii?q?wEBBAEBCgEBgwQogXu3LgNcHIUrgzpXAQEBAQEBAQECARIBAQsUCFdCDgGBYiK?= =?us-ascii?q?CcRkBATcBgRQBBQGITwFCgVIDo30/ix+CVzqDCAEBBYg7AQEIAgEdCBKDFoEyg?= =?us-ascii?q?huBYYgsgkEMgxKRc41phV6FO4h5DYsghxlIk1kzgRWBYVMkhWUPHBmBblaBFog?= =?us-ascii?q?fAQEB?= X-IPAS-Result: =?us-ascii?q?A0DlAgCozndZfSQWGNZdHAEBBAEBCgEBFwEBBAEBCgEBgwQ?= =?us-ascii?q?ogXu3LgNcHIUrgzpXAQEBAQEBAQECARIBAQsUCFdCDgGBYiKCcRkBATcBgRQBB?= =?us-ascii?q?QGITwFCgVIDo30/ix+CVzqDCAEBBYg7AQEIAgEdCBKDFoEyghuBYYgsgkEMgxK?= =?us-ascii?q?Rc41phV6FO4h5DYsghxlIk1kzgRWBYVMkhWUPHBmBblaBFogfAQEB?= X-IronPort-AV: E=Sophos;i="5.40,412,1496102400"; d="scan'208";a="485172" X-IronPort-Outbreak-Status: No, level 0, Unknown - Unknown Received: from ukel19pa06.eemsg.mail.mil ([214.24.22.36]) by emsm-gh1-uea11.NCSC.MIL with ESMTP; 25 Jul 2017 23:09:14 +0000 X-EEMSG-check-005: 0 X-EEMSG-check-006: 000-001;ba9b76d8-4b28-4ec9-bf23-5fda254047cc X-EEMSG-check-008: 257740634|UKEL19PA05_EEMSG_MP2.csd.disa.mil X-EEMSG-SBRS: 2.8 X-EEMSG-ORIG-IP: 209.85.192.179 X-EEMSG-check-002: true X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A0DAAAAUz3dZgLPAVdFdGwEBAQMBAQEJAQEBgy+CI44Mp2+BMwNcHIUrgzo/GAECAQEBAQEBARMBAQkNCQgmMUIOAYR1CwENAQE3AYEUAQUBiE8BQoFSo3s/ix+CVzqDCAEBBYg7AQEIAgEdCAkBCIMWgTKCG4Fhim0MgxKRc41phV6FO4h5DYsghxcCSJNZM4EVH4FCUySFZQ8cggcgNoEWiB8BAQE X-IPAS-Result: A0DAAAAUz3dZgLPAVdFdGwEBAQMBAQEJAQEBgy+CI44Mp2+BMwNcHIUrgzo/GAECAQEBAQEBARMBAQkNCQgmMUIOAYR1CwENAQE3AYEUAQUBiE8BQoFSo3s/ix+CVzqDCAEBBYg7AQEIAgEdCAkBCIMWgTKCG4Fhim0MgxKRc41phV6FO4h5DYsghxcCSJNZM4EVH4FCUySFZQ8cggcgNoEWiB8BAQE Received: from mail-pf0-f179.google.com ([209.85.192.179]) by ukel19pa05.eemsg.mail.mil with ESMTP; 25 Jul 2017 23:08:53 +0000 Received: by mail-pf0-f179.google.com with SMTP id q85so63759651pfq.1 for ; Tue, 25 Jul 2017 16:08:53 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=kgdoJ8wB6+rbGheTMp6jh+y5hd/k7W4N490urN+uR+0=; b=exDTcyphP0ne6ny5RRCTByCOqTtx/EU3qeoKIbr1SLwDLNHc/B3F4poJlUmRVPQyfu 5/tpfbDUBjVPZhZvEKfLtLSvcVJcnA353vM673/zbdsFl6NB6C8O/w2OOmANi4dgtgcq d3iimCglKomB5lmzDJNg6qGipes9l+sN/4l58GilkCh11DGT0PnVT910sYh0D+0qWPu8 WVC5CeCvhpW7WOsY9dFhpTvjSFw38n2WpixX+GdfKD0vVr0F3hIs91HbuzGBnRZlM+Wr QKUBJjGl0CXy8M4uzufl1Uz7jIG7BVT6O0eFAF37zbjXIrpBOzTbHfIgZcgb0vL3JsJx Kt8A== X-Gm-Message-State: AIVw113shrFQyE8aUgxKOLTH/1XJHn3F5DqnVQhMsaq1wLbct0/Q5i96 lrSec/IHKJ27geckdrspQw== X-Received: by 10.84.130.108 with SMTP id 99mr22626979plc.76.1501024131722; Tue, 25 Jul 2017 16:08:51 -0700 (PDT) Received: from tomcherry-gbuntu.mtv.corp.google.com ([172.22.120.118]) by smtp.gmail.com with ESMTPSA id a11sm30306102pgn.94.2017.07.25.16.08.50 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 25 Jul 2017 16:08:50 -0700 (PDT) To: selinux@tycho.nsa.gov Date: Tue, 25 Jul 2017 15:59:44 -0700 Message-Id: <20170725225944.12336-1-tomcherry@google.com> X-Mailer: git-send-email 2.14.0.rc0.400.g1c36432dff-goog MIME-Version: 1.0 Subject: [PATCH] libselinux: fix thread safety issues with lookup_common() X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: From: Tom Cherry via Selinux Reply-To: Tom Cherry Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP There are two problems with lookup_common() and therefore selabel_lookup() and related functions that this patch fixes: 1) A race with the lazy compilation of regexes. Since the struct regex_data is allocated and assigned immediately to the parent struct spec, it's possible for a second thread to see that this pointer is non-NULL before the regex compilation has finished. This typically results in a -1 return from selabel_lookup() with ENOENT as errno. This is fixed by adding synchronization in compile_regex(). 2) A race with PCRE2 regex_match(). A struct pcre2_match_data is created once and used for all regex matches for a given regex. This is problematic if two threads are attempting to evaluate the same regex simultaneously. This typically results in a successful return from selabel_lookup() but with an erroneous selabel. This is fixed by adding a pthread_mutex within regex_match() for PCRE2. Note, on my system, creating new matchdata takes roughly an order of magnitude more time than locking a non-contended pthread_mutex. I don't believe programs will have enough contention on this lock to justify that cost. Bug: 63861738 Test: ueventd unit tests Change-Id: I13bf782d81d0a0b896d444e396f307ad0dbacb6a --- libselinux/src/label_file.c | 3 +++ libselinux/src/label_file.h | 32 ++++++++++++++++++++++++++++++-- libselinux/src/regex.c | 18 ++++++++++++++++-- libselinux/src/selinux_internal.h | 32 ++++++++++++++++++++++++++++++++ 4 files changed, 81 insertions(+), 4 deletions(-) diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c index f84d470b..6300758e 100644 --- a/libselinux/src/label_file.c +++ b/libselinux/src/label_file.c @@ -393,6 +393,8 @@ end_arch_check: if (rc < 0) goto out; + __pthread_mutex_init(&spec->regex_lock, NULL); + spec->regex_compiled = true; data->nspec++; } @@ -810,6 +812,7 @@ static void closef(struct selabel_handle *rec) free(spec->lr.ctx_trans); free(spec->lr.ctx_raw); regex_data_free(spec->regex); + __pthread_mutex_destroy(&spec->regex_lock); if (spec->from_mmap) continue; free(spec->regex_str); diff --git a/libselinux/src/label_file.h b/libselinux/src/label_file.h index de804aed..aa576d8e 100644 --- a/libselinux/src/label_file.h +++ b/libselinux/src/label_file.h @@ -2,6 +2,7 @@ #define _SELABEL_FILE_H_ #include +#include #include #include @@ -16,6 +17,7 @@ #include "callbacks.h" #include "label_internal.h" +#include "selinux_internal.h" #define SELINUX_MAGIC_COMPILED_FCONTEXT 0xf97cff8a @@ -42,6 +44,8 @@ struct spec { char *regex_str; /* regular expession string for diagnostics */ char *type_str; /* type string for diagnostic messages */ struct regex_data * regex; /* backend dependent regular expression data */ + bool regex_compiled; /* bool to indicate if the regex is compiled */ + pthread_mutex_t regex_lock; /* lock for lazy compilation of regex */ mode_t mode; /* mode format value */ int matches; /* number of matching pathnames */ int stem_id; /* indicates which stem-compression item */ @@ -339,9 +343,27 @@ static inline int compile_regex(struct saved_data *data, struct spec *spec, struct stem *stem_arr = data->stem_arr; size_t len; int rc; - - if (spec->regex) + bool regex_compiled; + + /* We really want pthread_once() here, but since its + * init_routine does not take a parameter, it's not possible + * to use, so we generate the same effect with atomics and a + * mutex */ + regex_compiled = + __atomic_load_n(&spec->regex_compiled, __ATOMIC_ACQUIRE); + if (regex_compiled) { return 0; /* already done */ + } + + __pthread_mutex_lock(&spec->regex_lock); + /* Check if another thread compiled the regex while we waited + * on the mutex */ + regex_compiled = + __atomic_load_n(&spec->regex_compiled, __ATOMIC_ACQUIRE); + if (regex_compiled) { + __pthread_mutex_unlock(&spec->regex_lock); + return 0; + } /* Skip the fixed stem. */ reg_buf = spec->regex_str; @@ -354,6 +376,7 @@ static inline int compile_regex(struct saved_data *data, struct spec *spec, if (!anchored_regex) { if (errbuf) *errbuf = "out of memory"; + __pthread_mutex_unlock(&spec->regex_lock); return -1; } @@ -374,10 +397,13 @@ static inline int compile_regex(struct saved_data *data, struct spec *spec, sizeof(regex_error_format_buffer)); *errbuf = ®ex_error_format_buffer[0]; } + __pthread_mutex_unlock(&spec->regex_lock); return -1; } /* Done. */ + __atomic_store_n(&spec->regex_compiled, true, __ATOMIC_RELEASE); + __pthread_mutex_unlock(&spec->regex_lock); return 0; } @@ -439,6 +465,8 @@ static inline int process_line(struct selabel_handle *rec, /* process and store the specification in spec. */ spec_arr[nspec].stem_id = find_stem_from_spec(data, regex); spec_arr[nspec].regex_str = regex; + __pthread_mutex_init(&spec_arr[nspec].regex_lock, NULL); + spec_arr[nspec].regex_compiled = false; spec_arr[nspec].type_str = type; spec_arr[nspec].mode = 0; diff --git a/libselinux/src/regex.c b/libselinux/src/regex.c index ec1b0c4a..97f0fdb0 100644 --- a/libselinux/src/regex.c +++ b/libselinux/src/regex.c @@ -1,10 +1,12 @@ #include +#include #include #include #include #include "regex.h" #include "label_file.h" +#include "selinux_internal.h" #ifdef USE_PCRE2 #define REGEX_ARCH_SIZE_T PCRE2_SIZE @@ -63,6 +65,7 @@ struct regex_data { * pattern in pcre2 */ pcre2_match_data *match_data; + pthread_mutex_t match_mutex; }; int regex_prepare_data(struct regex_data **regex, char const *pattern_string, @@ -199,6 +202,7 @@ void regex_data_free(struct regex_data *regex) pcre2_code_free(regex->regex); if (regex->match_data) pcre2_match_data_free(regex->match_data); + __pthread_mutex_destroy(®ex->match_mutex); free(regex); } } @@ -206,9 +210,11 @@ void regex_data_free(struct regex_data *regex) int regex_match(struct regex_data *regex, char const *subject, int partial) { int rc; + __pthread_mutex_lock(®ex->match_mutex); rc = pcre2_match( regex->regex, (PCRE2_SPTR)subject, PCRE2_ZERO_TERMINATED, 0, partial ? PCRE2_PARTIAL_SOFT : 0, regex->match_data, NULL); + __pthread_mutex_unlock(®ex->match_mutex); if (rc > 0) return REGEX_MATCH; switch (rc) { @@ -244,6 +250,14 @@ int regex_cmp(struct regex_data *regex1, struct regex_data *regex2) return SELABEL_EQUAL; } +struct regex_data *regex_data_create(void) +{ + struct regex_data *regex_data = + (struct regex_data *)calloc(1, sizeof(struct regex_data)); + __pthread_mutex_init(®ex_data->match_mutex, NULL); + return regex_data; +} + #else // !USE_PCRE2 char const *regex_arch_string(void) { @@ -472,13 +486,13 @@ int regex_cmp(struct regex_data *regex1, struct regex_data *regex2) return SELABEL_EQUAL; } -#endif - struct regex_data *regex_data_create(void) { return (struct regex_data *)calloc(1, sizeof(struct regex_data)); } +#endif + void regex_format_error(struct regex_error_data const *error_data, char *buffer, size_t buf_size) { diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h index 54949c13..dfc421cc 100644 --- a/libselinux/src/selinux_internal.h +++ b/libselinux/src/selinux_internal.h @@ -144,6 +144,38 @@ extern int selinux_page_size hidden; pthread_setspecific(KEY, VALUE); \ } while (0) +/* selabel_lookup() is only thread safe if we're compiled with pthreads */ + +#pragma weak pthread_mutex_init +#pragma weak pthread_mutex_destroy +#pragma weak pthread_mutex_lock +#pragma weak pthread_mutex_unlock + +#define __pthread_mutex_init(LOCK, ATTR) \ + do { \ + if (pthread_mutex_init != NULL) \ + pthread_mutex_init(LOCK, ATTR); \ + } while (0) + +#define __pthread_mutex_destroy(LOCK) \ + do { \ + if (pthread_mutex_destroy != NULL) \ + pthread_mutex_destroy(LOCK); \ + } while (0) + +#define __pthread_mutex_lock(LOCK) \ + do { \ + if (pthread_mutex_lock != NULL) \ + pthread_mutex_lock(LOCK); \ + } while (0) + +#define __pthread_mutex_unlock(LOCK) \ + do { \ + if (pthread_mutex_unlock != NULL) \ + pthread_mutex_unlock(LOCK); \ + } while (0) + + #define SELINUXDIR "/etc/selinux/" #define SELINUXCONFIG SELINUXDIR "config"