From patchwork Tue Aug 1 15:03:31 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Stephen Smalley
X-Patchwork-Id: 9874829
From: Stephen Smalley
To: selinux@tycho.nsa.gov
Cc: Stephen Smalley
Date: Tue, 1 Aug 2017 11:03:31 -0400
Message-Id: <20170801150331.24572-1-sds@tycho.nsa.gov>
X-Mailer: git-send-email 2.9.4
Subject: [PATCH v3] selinux-testsuite: Add tests for transitions under NNP/nosuid
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

Duplicate the existing tests for transitions under NNP for transitions
on a nosuid mount, and then augment both the NNP and nosuid tests to
also test the new support for allowing transitions based on
nnp_transition and/or nosuid_transition permission if the
nnp_nosuid_transition policy capability is enabled. Test NNP and nosuid
independently and together.

Signed-off-by: Stephen Smalley --- v3 fixes a few bugs in the test policy and code, and adds one further test. policy/Makefile | 6 +- policy/test_nnp.te | 34 ------- policy/test_nnp_nosuid.te | 85 ++++++++++++++++ tests/Makefile | 10 +- tests/nnp/test | 44 -------- tests/{nnp => nnp_nosuid}/Makefile | 0 tests/{nnp => nnp_nosuid}/checkcon.c | 0 tests/{nnp => nnp_nosuid}/execnnp.c | 40 ++++++-- tests/nnp_nosuid/test | 189 +++++++++++++++++++++++++++++++++++ 9 files changed, 314 insertions(+), 94 deletions(-) delete mode 100644 policy/test_nnp.te create mode 100644 policy/test_nnp_nosuid.te delete mode 100755 tests/nnp/test rename tests/{nnp => nnp_nosuid}/Makefile (100%) rename tests/{nnp => nnp_nosuid}/checkcon.c (100%) rename tests/{nnp => nnp_nosuid}/execnnp.c (57%) create mode 100755 tests/nnp_nosuid/test diff --git a/policy/Makefile b/policy/Makefile index b728a9e..1dafc65 100644 --- a/policy/Makefile +++ b/policy/Makefile @@ -16,7 +16,7 @@ TARGETS = \ test_entrypoint.te test_execshare.te test_exectrace.te \ test_execute_no_trans.te test_fdreceive.te test_file.te \ test_inherit.te test_ioctl.te test_ipc.te test_link.te test_mkdir.te \ - test_nnp.te test_open.te test_ptrace.te test_readlink.te \ + test_nnp_nosuid.te test_open.te test_ptrace.te test_readlink.te \ test_relabel.te test_rename.te test_rxdir.te test_setattr.te \ test_setnice.te test_sigkill.te test_stat.te test_sysctl.te \ test_task_create.te test_task_getpgid.te test_task_getsched.te \ @@ -57,6 +57,10 @@ ifeq ($(shell grep -q all_file_perms.*map $(POLDEV)/include/support/all_perms.sp export M4PARAM = -Dmap_permission_defined endif +ifeq ($(shell grep -q nnp_transition $(POLDEV)/include/support/all_perms.spt && echo true),true) +export M4PARAM += -Dnnp_nosuid_transition_permission_defined +endif + ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6)) TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te, $(TARGETS)) endif 
diff --git a/policy/test_nnp.te b/policy/test_nnp.te deleted file mode 100644 index 54ebfd3..0000000 --- a/policy/test_nnp.te +++ /dev/null @@ -1,34 +0,0 @@ -################################# -# -# Policy for testing NO_NEW_PRIVS transitions. -# - -# A domain bounded by the unconfined domain. -type test_nnp_bounded_t; -domain_type(test_nnp_bounded_t) -typeattribute test_nnp_bounded_t testdomain; -typebounds unconfined_t test_nnp_bounded_t; - -# The entrypoint type for this domain. -type test_nnp_bounded_exec_t; -files_type(test_nnp_bounded_exec_t) -domain_entry_file(test_nnp_bounded_t, test_nnp_bounded_exec_t) -domain_entry_file(unconfined_t, test_nnp_bounded_exec_t) - -# Run it! This should succeed on v3.18 or later, fail on older kernels. -unconfined_runs_test(test_nnp_bounded_t) -unconfined_run_to(test_nnp_bounded_t, test_nnp_bounded_exec_t) - -# A domain that is not bounded by the unconfined domain. -type test_nnp_notbounded_t; -domain_type(test_nnp_notbounded_t) -typeattribute test_nnp_notbounded_t testdomain; - -# The entrypoint type for this domain. -type test_nnp_notbounded_exec_t; -files_type(test_nnp_notbounded_exec_t) -domain_entry_file(test_nnp_notbounded_t, test_nnp_notbounded_exec_t) - -# Run it! This should fail always. -unconfined_runs_test(test_nnp_notbounded_t) -unconfined_run_to(test_nnp_notbounded_t, test_nnp_notbounded_exec_t) diff --git a/policy/test_nnp_nosuid.te b/policy/test_nnp_nosuid.te new file mode 100644 index 0000000..bf2b6ef --- /dev/null +++ b/policy/test_nnp_nosuid.te 
@@ -0,0 +1,85 @@ +################################# +# +# Policy for testing NO_NEW_PRIVS and nosuid transitions. +# + +# A domain bounded by the unconfined domain. +type test_bounded_t; +domain_type(test_bounded_t) +typeattribute test_bounded_t testdomain; +typebounds unconfined_t test_bounded_t; + +# The entrypoint type for this domain. +type test_bounded_exec_t; +files_type(test_bounded_exec_t) +domain_entry_file(test_bounded_t, test_bounded_exec_t) +domain_entry_file(unconfined_t, test_bounded_exec_t) + +# Run it! This should succeed on v3.18 or later, fail on older kernels. +unconfined_runs_test(test_bounded_t) +unconfined_run_to(test_bounded_t, test_bounded_exec_t) + +# A domain that is not bounded by the unconfined domain. +type test_notbounded_t; +domain_type(test_notbounded_t) +typeattribute test_notbounded_t testdomain; + +# The entrypoint type for this domain. +type test_notbounded_exec_t; +files_type(test_notbounded_exec_t) +domain_entry_file(test_notbounded_t, test_notbounded_exec_t) + +# Run it! This should fail always. +unconfined_runs_test(test_notbounded_t) +unconfined_run_to(test_notbounded_t, test_notbounded_exec_t) + +# A domain to which the unconfined domain is allowed nnp_transition. +type test_nnptransition_t; +domain_type(test_nnptransition_t) +typeattribute test_nnptransition_t testdomain; + +# The entrypoint type for this domain. +type test_nnptransition_exec_t; +files_type(test_nnptransition_exec_t) +domain_entry_file(test_nnptransition_t, test_nnptransition_exec_t) + +# Run it! This should succeed on v4.14 or later. +unconfined_runs_test(test_nnptransition_t) +unconfined_run_to(test_nnptransition_t, test_nnptransition_exec_t) +ifdef(`nnp_nosuid_transition_permission_defined', ` +allow unconfined_t test_nnptransition_t:process2 nnp_transition; +') + +# A domain to which the unconfined domain is allowed nosuid_transition. 
+type test_nosuidtransition_t; +domain_type(test_nosuidtransition_t) +typeattribute test_nosuidtransition_t testdomain; + +# The entrypoint type for this domain. +type test_nosuidtransition_exec_t; +files_type(test_nosuidtransition_exec_t) +domain_entry_file(test_nosuidtransition_t, test_nosuidtransition_exec_t) + +# Run it! This should succeed on v4.14 or later. +unconfined_runs_test(test_nosuidtransition_t) +unconfined_run_to(test_nosuidtransition_t, test_nosuidtransition_exec_t) +ifdef(`nnp_nosuid_transition_permission_defined', ` +allow unconfined_t test_nosuidtransition_t:process2 nosuid_transition; +') + +# A domain to which the unconfined domain is allowed both nosuid_transition and nnp_transition. +type test_nnpnosuidtransition_t; +domain_type(test_nnpnosuidtransition_t) +typeattribute test_nnpnosuidtransition_t testdomain; + +# The entrypoint type for this domain. +type test_nnpnosuidtransition_exec_t; +files_type(test_nosuidtransition_exec_t) +domain_entry_file(test_nnpnosuidtransition_t, test_nnpnosuidtransition_exec_t) + +# Run it! This should succeed on v4.14 or later. +unconfined_runs_test(test_nnpnosuidtransition_t) +unconfined_run_to(test_nnpnosuidtransition_t, test_nnpnosuidtransition_exec_t) +ifdef(`nnp_nosuid_transition_permission_defined', ` +allow unconfined_t test_nnpnosuidtransition_t:process2 { nnp_transition nosuid_transition }; +') diff --git a/tests/Makefile b/tests/Makefile index f42fe7e..f9cc5ac 100644 --- a/tests/Makefile +++ b/tests/Makefile 
@@ -9,8 +9,8 @@ SUBDIRS:= domain_trans entrypoint execshare exectrace execute_no_trans \ rxdir sem setattr setnice shm sigkill stat sysctl task_create \ task_setnice task_setscheduler task_getscheduler task_getsid \ task_getpgid task_setpgid file ioctl capable_file capable_net \ - capable_sys dyntrans dyntrace bounds nnp mmap unix_socket inet_socket \ - overlay checkreqprot mqueue mac_admin infiniband_pkey \ + capable_sys dyntrans dyntrace bounds nnp_nosuid mmap unix_socket \ + inet_socket overlay checkreqprot mqueue mac_admin infiniband_pkey \ infiniband_endport atsecure ifeq ($(shell grep -q cap_userns $(POLDEV)/include/support/all_perms.spt && echo true),true) @@ -32,15 +32,15 @@ SUBDIRS += prlimit endif ifeq ($(DISTRO),RHEL4) - SUBDIRS:=$(filter-out bounds dyntrace dyntrans inet_socket mmap nnp overlay unix_socket, $(SUBDIRS)) + SUBDIRS:=$(filter-out bounds dyntrace dyntrans inet_socket mmap nnp_nosuid overlay unix_socket, $(SUBDIRS)) endif ifeq ($(DISTRO),RHEL5) - SUBDIRS:=$(filter-out bounds inet_socket mmap nnp overlay unix_socket, $(SUBDIRS)) + SUBDIRS:=$(filter-out bounds inet_socket mmap nnp_nosuid overlay unix_socket, $(SUBDIRS)) endif ifeq ($(DISTRO),RHEL6) - SUBDIRS:=$(filter-out nnp overlay, $(SUBDIRS)) + SUBDIRS:=$(filter-out nnp_nosuid overlay, $(SUBDIRS)) endif ifeq ($(DISTRO),RHEL7) diff --git a/tests/nnp/test b/tests/nnp/test deleted file mode 100755 index 4c7e010..0000000 --- a/tests/nnp/test +++ /dev/null 
@@ -1,44 +0,0 @@ -#!/usr/bin/perl - -use Test; -BEGIN { plan tests => 4 } - -$basedir = $0; -$basedir =~ s|(.*)/[^/]*|$1|; - -# Remove any leftover programs from prior failed runs. -system("rm -f $basedir/true"); - -# Set entrypoint type for bounded domain. -system("chcon -t test_nnp_bounded_exec_t $basedir/checkcon"); - -# Transition to bounded type via setexec. -$result = system( -"$basedir/execnnp runcon -t test_nnp_bounded_t $basedir/checkcon test_nnp_bounded_t 2>&1" -); -ok( $result, 0 ); #this should pass - -# Automatic transition to bounded domain via exec. -$result = system("$basedir/execnnp $basedir/checkcon test_nnp_bounded_t 2>&1"); -ok( $result, 0 ); #this should pass - -# Use true as an entrypoint program to test ability to exec at all. -system("cp /bin/true $basedir/true"); - -# Set entrypoint type for notbounded domain. -system("chcon -t test_nnp_notbounded_exec_t $basedir/checkcon $basedir/true"); - -# Transition to notbounded domain via setexec. -$result = - system("$basedir/execnnp runcon -t test_nnp_notbounded_t $basedir/true 2>&1"); -ok($result); #this should fail - -# Automatic transition to notbounded domain via exec. -$result = - system("$basedir/execnnp $basedir/checkcon test_nnp_notbounded_t 2>&1"); -ok($result); #this should fail - -# Cleanup. -system("rm -f $basedir/true"); - -exit; diff --git a/tests/nnp/Makefile b/tests/nnp_nosuid/Makefile similarity index 100% rename from tests/nnp/Makefile rename to tests/nnp_nosuid/Makefile diff --git a/tests/nnp/checkcon.c b/tests/nnp_nosuid/checkcon.c similarity index 100% rename from tests/nnp/checkcon.c rename to tests/nnp_nosuid/checkcon.c diff --git a/tests/nnp/execnnp.c b/tests/nnp_nosuid/execnnp.c similarity index 57% rename from tests/nnp/execnnp.c rename to tests/nnp_nosuid/execnnp.c index d8f1986..78b5ab5 100644 --- a/tests/nnp/execnnp.c +++ b/tests/nnp_nosuid/execnnp.c 
@@ -2,36 +2,56 @@ #include #include #include +#include #include #include #include #include #include +static void usage(const char *progname) +{ + fprintf(stderr, "usage: %s [-n] command [args...]\n", progname); + exit(-1); +} + int main(int argc, char **argv) { bool nobounded; struct utsname uts; pid_t pid; int rc, status; + int opt; + bool nnp = false; - if (argc < 2) { - fprintf(stderr, "usage: %s command [args...]\n", argv[0]); - exit(-1); + while ((opt = getopt(argc, argv, "n")) != -1) { + switch (opt) { + case 'n': + nnp = true; + break; + default: + usage(argv[0]); + break; + } } + if ((argc - optind) < 2) + usage(argv[0]); + if (uname(&uts) < 0) { perror("uname"); exit(-1); } - nobounded = ((strcmp(argv[argc - 1], "test_nnp_bounded_t") == 0) && + nobounded = ((strcmp(argv[argc - 1], "test_bounded_t") == 0) && (strverscmp(uts.release, "3.18") < 0)); - rc = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); - if (rc < 0) { - perror("prctl PR_SET_NO_NEW_PRIVS"); - exit(-1); + if (nnp) { + rc = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + if (rc < 0) { + perror("prctl PR_SET_NO_NEW_PRIVS"); + exit(-1); + } } pid = fork(); @@ -41,8 +61,8 @@ int main(int argc, char **argv) } if (pid == 0) { - execvp(argv[1], &argv[1]); - perror(argv[1]); + execvp(argv[optind], &argv[optind]); + perror(argv[optind]); exit(-1); } diff --git a/tests/nnp_nosuid/test b/tests/nnp_nosuid/test new file mode 100755 index 0000000..accb3f2 --- /dev/null +++ b/tests/nnp_nosuid/test 
@@ -0,0 +1,189 @@ +#!/usr/bin/perl + +use Test; + +BEGIN { + $test_count = 8; + $test_nnp_nosuid_transition = 0; + + if ( + system( +"grep -q 1 /sys/fs/selinux/policy_capabilities/nnp_nosuid_transition 2> /dev/null" + ) == 0 + ) + { + $test_nnp_nosuid_transition = 1; + $test_count += 10; + } + + plan tests => $test_count; +} + +$basedir = $0; +$basedir =~ s|(.*)/[^/]*|$1|; + +# Remove any leftover programs from prior failed runs. +system("rm -f $basedir/true"); + +# Set entrypoint type for bounded domain under NNP. +system("chcon -t test_bounded_exec_t $basedir/checkcon"); + +# Create nosuid mount. +system("mkdir -p $basedir/testdir"); +system("mount -t tmpfs -o nosuid none $basedir/testdir"); + +# Set entrypoint type for bounded domain under nosuid. +system("cp $basedir/checkcon $basedir/testdir"); +system("chcon -t test_bounded_exec_t $basedir/testdir/checkcon"); + +# Transition under NNP to bounded type via setexec. +$result = system( +"$basedir/execnnp -n -- runcon -t test_bounded_t $basedir/checkcon test_bounded_t 2>&1" +); +ok( $result, 0 ); #this should pass + +# Transition on nosuid to bounded type via setexec. +$result = system( +"$basedir/execnnp -- runcon -t test_bounded_t $basedir/testdir/checkcon test_bounded_t 2>&1" +); +ok( $result, 0 ); #this should pass + +# Automatic transition under NNP to bounded domain via exec. +$result = + system("$basedir/execnnp -n -- $basedir/checkcon test_bounded_t 2>&1"); +ok( $result, 0 ); #this should pass + +# Automatic transition on nosuid to bounded domain via exec. +$result = + system("$basedir/execnnp -- $basedir/testdir/checkcon test_bounded_t 2>&1"); +ok( $result, 0 ); #this should pass + +# Use true as an entrypoint program to test ability to exec at all. +system("cp /bin/true $basedir/true"); +system("cp /bin/true $basedir/testdir/true"); + +# Set entrypoint type for notbounded domain. 
+system("chcon -t test_notbounded_exec_t $basedir/checkcon $basedir/true"); +system( +"chcon -t test_notbounded_exec_t $basedir/testdir/checkcon $basedir/testdir/true" +); + +# Transition under NNP to notbounded domain via setexec. +$result = + system( + "$basedir/execnnp -n -- runcon -t test_notbounded_t $basedir/true 2>&1"); +ok($result); #this should fail + +# Transition on nosuid to notbounded domain via setexec. +$result = + system( + "$basedir/execnnp -- runcon -t test_notbounded_t $basedir/testdir/true 2>&1" + ); +ok($result); #this should fail + +# Automatic transition under NNP to notbounded domain via exec. +$result = + system("$basedir/execnnp -n -- $basedir/checkcon test_notbounded_t 2>&1"); +ok($result); #this should fail + +# Automatic transition on nosuid to notbounded domain via exec. +$result = + system( + "$basedir/execnnp -- $basedir/testdir/checkcon test_notbounded_t 2>&1"); +ok($result); #this should fail + +if ($test_nnp_nosuid_transition) { + + # Set entrypoint type for nnptransition domain. + system( + "chcon -t test_nnptransition_exec_t $basedir/checkcon $basedir/true"); + system( +"chcon -t test_nnptransition_exec_t $basedir/testdir/checkcon $basedir/testdir/true" + ); + + # Transition under NNP to nnptransition domain via setexec. + $result = + system( +"$basedir/execnnp -n -- runcon -t test_nnptransition_t $basedir/true 2>&1" + ); + ok( $result, 0 ); #this should succeed + + # Transition under NNP+nosuid to nnptransition domain via setexec. + $result = + system( +"$basedir/execnnp -n -- runcon -t test_nnptransition_t $basedir/testdir/true 2>&1" + ); + ok($result); #this should fail + + # Automatic transition under NNP to nnptransition domain via exec. + $result = + system( + "$basedir/execnnp -n -- $basedir/checkcon test_nnptransition_t 2>&1"); + ok( $result, 0 ); #this should succeed + + # Automatic transition under NNP+nosuid to nnptransition domain via exec. 
+ $result = + system( +"$basedir/execnnp -n -- $basedir/testdir/checkcon test_nnptransition_t 2>&1" + ); + ok($result); #this should fail + + # Set entrypoint type for nosuidtransition domain. + system( +"chcon -t test_nosuidtransition_exec_t $basedir/testdir/checkcon $basedir/testdir/true" + ); + + # Transition under nosuid to nosuidtransition domain via setexec. + $result = + system( +"$basedir/execnnp -- runcon -t test_nosuidtransition_t $basedir/testdir/true 2>&1" + ); + ok( $result, 0 ); #this should succeed + + # Transition under NNP+nosuid to nosuidtransition domain via setexec. + $result = + system( +"$basedir/execnnp -n -- runcon -t test_nosuidtransition_t $basedir/testdir/true 2>&1" + ); + ok($result); #this should fail + + # Automatic transition under nosuid to nosuidtransition domain via exec. + $result = + system( +"$basedir/execnnp -- $basedir/testdir/checkcon test_nosuidtransition_t 2>&1" + ); + ok( $result, 0 ); #this should succeed + + # Automatic transition under NNP+nosuid to nosuidtransition domain via exec. + $result = + system( +"$basedir/execnnp -n -- $basedir/testdir/checkcon test_nosuidtransition_t 2>&1" + ); + ok($result); #this should fail + + # Set entrypoint type for nnpnosuidtransition domain. + system( +"chcon -t test_nnpnosuidtransition_exec_t $basedir/testdir/checkcon $basedir/testdir/true" + ); + + # Transition under NNP+nosuid to nnpnosuidtransition domain via setexec. + $result = + system( +"$basedir/execnnp -n -- runcon -t test_nnpnosuidtransition_t $basedir/testdir/true 2>&1" + ); + ok( $result, 0 ); #this should succeed + + # Automatic transition under NNP+nosuid to nnpnosuidtransition domain via exec. + $result = + system( +"$basedir/execnnp -n -- $basedir/testdir/checkcon test_nnpnosuidtransition_t 2>&1" + ); + ok( $result, 0 ); #this should succeed +} + +# Cleanup. +system("rm -f $basedir/true"); +system("umount $basedir/testdir"); +system("rmdir $basedir/testdir"); + +exit;
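Review bot: in policy/test_nnp_nosuid.te, the entrypoint block for the nnpnosuidtransition domain passes the wrong type to files_type(): `type test_nnpnosuidtransition_exec_t;` is followed by `files_type(test_nosuidtransition_exec_t)`. This looks like a copy-paste slip from the nosuidtransition block above it. As written, test_nnpnosuidtransition_exec_t never gets the files_type() call that every other entrypoint type in this file gets, and test_nosuidtransition_exec_t gets it twice. Suggest `files_type(test_nnpnosuidtransition_exec_t)`.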
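Review bot: in tests/nnp_nosuid/execnnp.c, the new argument check `if ((argc - optind) < 2) usage(argv[0]);` rejects a bare command with no arguments, while the usage string still reads "[-n] command [args...]" and the check it replaces (`argc < 2`) accepted one. Every caller in the new test script passes at least two words, so nothing breaks today, but the check and the usage text should agree: either test for `< 1`, or change the usage line to show that the trailing argument is required (main() reads argv[argc - 1] as the expected type). A second point on the same hunk: with the optstring "n", glibc getopt() permutes argv, so the `-t` in `runcon -t ...` is only kept away from execnnp's own option parsing because the test script inserts `--` on every call. Using "+n" as the optstring would stop parsing at the first non-option and remove that dependency on the caller.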
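Review bot: in tests/nnp_nosuid/test, the result of `system("mount -t tmpfs -o nosuid none $basedir/testdir");` is never checked. If the mount fails, the following cp and chcon still succeed against a plain directory, and every "on nosuid" case then runs without the nosuid condition it is meant to exercise; the cases that expect a denial without -n would report failures that point at the kernel rather than at the test setup. Suggest checking the return value and aborting the run (or skipping the nosuid cases) when it is non-zero. The `umount` and `rmdir` in the cleanup block are unchecked as well, which can leave a stale tmpfs mounted under the test directory for the next run.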
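Review bot: the policy/Makefile hunk and tests/nnp_nosuid/test gate the new behaviour on two different conditions, and nothing documents that both must hold. The Makefile defines nnp_nosuid_transition_permission_defined when `nnp_transition` appears in $(POLDEV)/include/support/all_perms.spt, which controls whether the three `allow unconfined_t ...:process2 ...` rules are built at all; the test script adds its ten extra cases when /sys/fs/selinux/policy_capabilities/nnp_nosuid_transition contains 1. If the capability is enabled in the loaded policy but the installed policy headers lack the permission, the allow rules are dropped and the cases marked "this should succeed" will fail. A short comment next to each gate, or in the policy comments that currently say only "This should succeed on v4.14 or later", stating that the policy capability must also be enabled would make the dependency clear.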