From patchwork Mon Oct 16 20:37:08 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jann Horn via Selinux <selinux@tycho.nsa.gov>
X-Patchwork-Id: 10011777
Return-Path: <selinux-bounces@tycho.nsa.gov>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	B2BAF600CC for <patchwork-selinux@patchwork.kernel.org>;
	Tue, 17 Oct 2017 12:09:07 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A257928883
	for <patchwork-selinux@patchwork.kernel.org>;
	Tue, 17 Oct 2017 12:09:07 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 9582728885; Tue, 17 Oct 2017 12:09:07 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.7 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED,
	RCVD_IN_SORBS_SPAM autolearn=ham version=3.3.1
Received: from ucol19pa09.eemsg.mail.mil (ucol19pa09.eemsg.mail.mil
	[214.24.24.82])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7F7D828883
	for <patchwork-selinux@patchwork.kernel.org>;
	Tue, 17 Oct 2017 12:09:05 +0000 (UTC)
X-IronPort-AV: E=Sophos;i="5.43,390,1503360000"; d="scan'208";a="549507267"
Received: from emsm-gh1-uea11.ncsc.mil ([214.29.60.3])
	by ucol19pa09.eemsg.mail.mil with ESMTP/TLS/AES256-SHA;
	17 Oct 2017 12:09:05 +0000
X-IronPort-AV: E=Sophos;i="5.43,390,1503360000"; d="scan'208";a="4789071"
IronPort-PHdr: =?us-ascii?q?9a23=3A3V+6bxJ4bzlivpQNJtmcpTZWNBhigK39O0sv0rFi?=
	=?us-ascii?q?tYgTI/76rarrMEGX3/hxlliBBdydsKMUzbKO+4nbGkU4qa6bt34DdJEeHzQksu?=
	=?us-ascii?q?4x2zIaPcieFEfgJ+TrZSFpVO5LVVti4m3peRMNQJW2aFLduGC94iAPERvjKwV1?=
	=?us-ascii?q?Ov71GonPhMiryuy+4ZPebgFLiTanfb9+MAi9oBnMuMURnYZsMLs6xAHTontPde?=
	=?us-ascii?q?RWxGdoKkyWkh3h+Mq+/4Nt/jpJtf45+MFOTav1f6IjTbxFFzsmKHw65NfqtRbY?=
	=?us-ascii?q?UwSC4GYXX3gMnRpJBwjF6wz6Xov0vyDnuOdxxDWWMMvrRr0vRz+s87lkRwPpiC?=
	=?us-ascii?q?cfNj427mfXitBrjKlGpB6tvgFzz5LIbI2QMvdxcLndfdcHTmRfWMhfWTFKDoel?=
	=?us-ascii?q?Y4cSE+YNOOBVoI7hqlYArxazCxCgCP/yxjRVgnP70qk33+EnHArb3gIvAsgOvW?=
	=?us-ascii?q?zbo9v7N6kcVv67w7XVwzXbbf5axDnw5ojSch8/uvGBRq5wfdbLxEUzDQ7Jkled?=
	=?us-ascii?q?pIr4ND2VzOQNtG2b4vJnW+21l24ntwFxrSahx8wxi4fGnJgVykra+iVl3IY+OM?=
	=?us-ascii?q?O4SE9hbtW5DZVfqSWaN4pwQsM/TGBjpSE3yqYYtp6/fSgKzoknxhHEZvybc4mH?=
	=?us-ascii?q?/hLjVOGLLTd+n3JqYqizhxm18Ui+0+DxUNS/3lVSriddj9XBuX8A2wbT58SaUP?=
	=?us-ascii?q?dx4Eis1SiV2wzO8u1IP1w4mK7BJ5MiwrM8jIQfvVnAEyPsmkj7gqmbfVg+9Oey?=
	=?us-ascii?q?8eToeLDmq4eZN49zlw7xLLwjmte6AeQkKggOWHWb+fik2L3j40L5RLJKg+Uqkq?=
	=?us-ascii?q?bDqpDaJNkbprWjDw9J0ocs9xa/DzC83NQegXYHN05KdAiCj4joP1HCOPH4DfGh?=
	=?us-ascii?q?jFSwiDpn2v/LM7L7DpjNM3TPiqntcLlj50JG1QY/1dVf6IhVCrEFLvLzQEjxtN?=
	=?us-ascii?q?nAAx8iLQO0x+fnCNNg1oIRQG6AGaiZML7UsVCU+O0vOPKBZJMVuTnhK/gl4OTi?=
	=?us-ascii?q?jXkimVAHZ6Wp0pwXaG6gEvR8P0qZeWbsgssGEWoSvAo+S+rqh0eeUT5TfXmyWb?=
	=?us-ascii?q?kx5jM8CIKgCIfMXJutgKCf0yehBZ1afGdGCkqDEX3wbYWLR+8MaD6OIs9mijEE?=
	=?us-ascii?q?V7qhRJU92hGtrw/6zLxnLuvK+iADu5Lj0MV15uLImhEv8zx0E9md33uKT2FukW?=
	=?us-ascii?q?MCXyU207xnoUxh1leD1rB1gvJZFdxX4vNGTB06OIXSz+NkFt/yXRjBcc2RSFa8?=
	=?us-ascii?q?RdWmAy8+Qc4tw9MUZEZ9AdqihAjZ3yW2G78Vi6CLBJss/63Bw3fxIsF9y3Da1K?=
	=?us-ascii?q?U8lFQmXNVANXenhq9+8AjTAZTFk0OHmKa2ba4cxjLC9H+fzWqSu0FVSBN/Ubnf?=
	=?us-ascii?q?UnAFfUbZsdP55kbeQLC0ErQnLhFNycicJatWctfpl0lJRO//ONTCZGK8g2exBB?=
	=?us-ascii?q?ePxrOKd4fqfmEd0DzcCEgCiQwT+2yJNRI9BiegvWLREiZiFVTxbEPw6eN+sm+0?=
	=?us-ascii?q?TlcozwGWaE1sz7S1+gQPivyaV/wT36kEtTwkqzVsHVaxxsnWCtSbpwZ7e6Vce9?=
	=?us-ascii?q?w96k9d1W3Frwx9IoCgL6d6i14daQt3vETu1whsB4VDi8cqr3QqzBdoJaKfylNB?=
	=?us-ascii?q?eCuS3YrsNb3PNmny4BevZrbM1V7DytaW+7kA6O4jplr5oA6pE1Au83J909lay3?=
	=?us-ascii?q?Gc/InFDBIOUZLtVUY67wJ6qKzHbSQm6IPU0HJtPbOysjDcx9IjHPElxQq4f9dD?=
	=?us-ascii?q?LKOEExf/E9YUB8i0L+wqgESpYwkfPOBU8641McameOGA2KKxOuZvgi6mh3xd4I?=
	=?us-ascii?q?9hykKM6zZ8SunQ0pcL2f6Y2heHWCnmjFe6qc33h55LZSsJEWqizCjoHolRZrd9?=
	=?us-ascii?q?fYwTE2ehP9W3xslih57qQ3NY6EOsCE4H2MCzfRqfdEDy3QpV1UsLu3Ongje4wy?=
	=?us-ascii?q?Zykz43sqqVxDbOzPj6dBobJm5LQ3FvjVHtIYiwi9AVQlOoYhMzmxS7/0b6wLJX?=
	=?us-ascii?q?pKNlL2ncWU1IZTT5L3l+UqussbqPe9BP6JI0viVLV+S8e0qWRaL9oxsd1SPjEH?=
	=?us-ascii?q?BTxDQ6dzGsoJr5hRt6hHiaLHZpo3rTYdtwygvH5NzAWf5R2SILRC15iTnMGliw?=
	=?us-ascii?q?JsKp8suQl5fCtOC+Sm2gW4ZIcSnzzIOAsiq76nFxARGlmfC8hMHnGxAg0SDnz9?=
	=?us-ascii?q?lqSTnIrBHkb4nx0KS6NeZncVdyBFDg7Mp7FJpzkpAthJ4MwngWnJKV/WAIkW3r?=
	=?us-ascii?q?K9VUxbr+bGYRRT4M29PV4xbq2Et4Ln+SxIL2SHOdwtBnZ9akfmMawCU979pFCK?=
	=?us-ascii?q?2M9rxLgTN1okakrQLWefV9hi0SyeYq6HEEm+EGogwtzjmDDbAIBkRYIDfsmAqS?=
	=?us-ascii?q?79CltqlXf2GvcaWq1EVig9+hAraCohtTWHnnYJsiGzF/7tlnOlLWzHLz8p3keM?=
	=?us-ascii?q?XXbd8LqB2UlQrPgvNLKJI3i/UKhTBrOWTjsn050+Q7lwBh3YmmvIibLGVg5Lq5?=
	=?us-ascii?q?DQRFNj3xfM4c5jDtjbpen8qP0YCgBJNhFi8MXJvyQvKiCCgSuuj/NwaSDD08rW?=
	=?us-ascii?q?+WGbTFEg+Z9EdmqHfPHoulN36JOXYZys9iSwOFJExFhwAUXis1kYIlFgyww8zh?=
	=?us-ascii?q?akh57CgL5lHkshtM1v5oNx7nX2favgiobjM0R4aDLBpK9A5N/VzYMcqA4eJvBC?=
	=?us-ascii?q?FX4oeurBSTJWCBYQRHE30JUFSeB1//Jrmu+cXA8++AC+qkNffPb6+CqelEWPeM?=
	=?us-ascii?q?wpKu0pBr8CyQOcWKJHViCOc72kVbV3BjB8vZgykPSzAQly/VYc6bvgmz9TBsrs?=
	=?us-ascii?q?+l9vTrRAXv5ZCUBrRILdpv/gq6gaCZN+6fnCx5MypX1osQxX/Uz7gSxFgSizt0?=
	=?us-ascii?q?eDm1CbQNriDNTKPKmq9MEx4bZSJzNM1S4KI6wgZNONTUitfv2r5/lP41BE9PVU?=
	=?us-ascii?q?b9lcGxecwKP2a9OUvfBEmVL7uJOzvLw8DrYaO7UrBQjftbuAOutjqBFE/jJDuD?=
	=?us-ascii?q?nSHzVx+zKeFMkD2bPBtGtY6maRlhDmzjTNP9ah2nK997lyY2zqMoiX/QLm4TLz?=
	=?us-ascii?q?x8c0JLrr2N4iJVmelwGmxb7np4NumIgSiY4PPEKpYNtvtrBD54l+VA4HQ107FV?=
	=?us-ascii?q?9j1LRORpmCvOqd5ju0qpkuiAyjpgVhpDsStEi5yQskVjI6rZ8INMWXHe/BIC9W?=
	=?us-ascii?q?+QEQgFp8N5Ct3zvKBd0sLAlK3pJzdc7d3Z5swcB9DKJ8KBNXouKxvpGDrPAwsC?=
	=?us-ascii?q?Qj+nL2bfh1ZSkPuK7H2asoA6qoTwmJoJUrJbSFs1FvYABkR/G9wDIYl4XjU/nr?=
	=?us-ascii?q?6Bi84H+3m+oQLNS8Vdu5DISuidAe7zKDqDi7lLeQcIy6viLYsPLo37x1Bial5i?=
	=?us-ascii?q?kYTJG0vQWc5CrzZkbg8zrkVN/mZxTnEv20LlbQOt5WEcGeSynhEolgt0ef4t+y?=
	=?us-ascii?q?v041crOlrKozM9kE8vltr/hTCcaz3xLKCrXYFKESX0sVMxMpD6Qwpvaw29g1Bk?=
	=?us-ascii?q?Pi/eR71Nl7tgaXxriAjEtJtVB/FcVrNLbwUKxf6LZ/Ulyk9TqiS9xUBa4uvFB4?=
	=?us-ascii?q?NilBE0fp+stX5A3RxsbMItL6zKOKVJ1kRQhr6JviKwy+8xxwkeJ0AQ/2yMfC4I?=
	=?us-ascii?q?uVcFOaM4KCqy+exg8wuCmyFMeGIUTfolvupq9l8hO+SH1y/vzqRMKl6wN+OCNK?=
	=?us-ascii?q?OUoHLPldSSQlM32EIIjFdK8qRr0cc5ckqUS0AuwKGXFxsXKcrIMRtVYNZK9HjP?=
	=?us-ascii?q?YSaOtv3AwZZyP4WnCO/oS+6PtKEPj0KrGgYpAp4A7sMbHpmjyEvYN9voLKYZyR?=
	=?us-ascii?q?Ux4wTmPE6FA+pNeBKKljcHvs6+wYRr0olaIzESHX9yMT6r5rrNoA8lnuaDVs8s?=
	=?us-ascii?q?YngGRosEKm42WMqili5FvnRACT630v4ZyAmC9DLzuyXQDTnmYNV4fvuUYw1jCM?=
	=?us-ascii?q?2u8zUl76e2kULX8onZJ2ziL9tivt7P5v8EqJmfDvNVTb99s0Dam4ZCXHGlSG/P?=
	=?us-ascii?q?HsSzJ5TpZYkscMb4CnCkXVyjkzg1Vdv+PM6xLqiUhgHlXZ1bv5ed3D04L8CyCy?=
	=?us-ascii?q?8eFAlqp+EY/q18fw0Cb4A8YR7yuAQ0L7a/LxuA0tWyX2atLiNbT/ZCzeW7Y7xX?=
	=?us-ascii?q?yzQjbuqhxXQ9UJ411Oi3/lQLRJ0QiRHe3/mjbZFEUSfvAnxdZxnPpS0hmmh7MO?=
	=?us-ascii?q?Yyw/swwBPPsVkYKDCFbPVnZnFesdwgAl2fOml5Cm09R1CAl4XD+RKs06oU/yRD?=
	=?us-ascii?q?g9ZeyfdFv2Tmvp/DfDKsX7SmqY/PvCo6atgpuLZ8MZD5IsScqpPRgDjfTJjWsg?=
	=?us-ascii?q?2KVC66FvVamthMICJWWvZIg2QlNdYAuYVf9Uo7Tt0+KKBXCKkwurCqbiJpDCAI?=
	=?us-ascii?q?wSAFV4OA3TkCguam1LvZjRqQcYotPwIav5lYhdsdSSF2aDsEpKC/T4XWi3OESm?=
	=?us-ascii?q?8TLQgJ9wRM+QQAmpVzfu3+4YrITZ5MyyJNrP5uVCvECIVo/UPhSm6KmVj4VOmh?=
	=?us-ascii?q?k+ux0AJTyvLszscUWBphBkhY2elWilEoKbFsJqkXpo7FrDmIdUbgs2LszOupP1?=
	=?us-ascii?q?5RyMLOe13/ForFunL2UjcA9n0MWY9P1HbfGIwdkwpjcqkroklMLZunekb56T0k?=
	=?us-ascii?q?wZhpH7mmWsCqwVYlsWgJRz2wH9pHFe5mrErdWCd5bJCztJXlJ5JST3dM+J2arl?=
	=?us-ascii?q?dUi1ltPzK8yZVHMc1N5CADXCRXqzWHoNSyUNFD2dNxD5IUItdwoW39F7lAOJeM?=
	=?us-ascii?q?uHA5p6LgymfB+z8itFe12i+zF7W/T+JD8G0UAh8pKHiGqkkzE+ss9X/f8lLKsl?=
	=?us-ascii?q?9q5OpUG6aAjV5vrzZnApBBGCtG2WqjL1ttUHlMq/9aJ7jNc8xAX/kyYgeiNAcw?=
	=?us-ascii?q?FfE6w0CE/1x4kHnibiNusQta/jzSUBMvVSkJmLvtnyMRqt2/Mz8AV51IdSkhbz?=
	=?us-ascii?q?vCKw+DgyBYogtQa0FwVJAFGdtF/7Yb3ZVK8cbcVUmsLjwKUwJ4OgI+z/VfiVZJ?=
	=?us-ascii?q?sF+EdiDFEQqoafHPvwVvfceKsM6mNun2/Btch4P8t+A46r8DSGG4lg2rXdDetZ?=
	=?us-ascii?q?XzttmQukuJbqf4PPW2YWXdQzjUkRCwmbAkAoHW/yjJLgVUNYR1xGE5YZjlFW7L?=
	=?us-ascii?q?Jw5JJ7waJ0pcUaB1d8lGrvpdZ89+d6YD4bVtCQ6fRhPzBIyvq+FLLlTJSjTEKC?=
	=?us-ascii?q?WB6ei/rpjN7bHGTOjge8iMx2rGQ61rP5d18z/7G6zw3Y9Z4Er21e9n9llmRlje?=
	=?us-ascii?q?LyCBsNPhKxsJ5Ma4cEvisIcpHTTLD5hui3ft2ltPd8wMQy2t6pgYzo1W6GroQ+?=
	=?us-ascii?q?JizkfzqPFS96Vj6YQv5bBpzdy5JabUKfRfq0NnAx6UBgtw9po3G2h/W3pRYvIN?=
	=?us-ascii?q?J/fNYKQZl97hp/rwF6wN5x2f4/ZZZsffJ0Hdhsm/DSmRSRpFnAgdrj4aKhGT1+?=
	=?us-ascii?q?Wfl691TsalovP52lk27li7IRMHw6ph5YCe+qqHvOXXdQfezaAYWqj2QcP+tqgj?=
	=?us-ascii?q?tFmW5fI6j74OZmx0Ywq8HegGSsEdx3nvzaY2zSItCczPBbTg9+BfV3ghhDLvh4?=
	=?us-ascii?q?h9H0kKGvMTBbeL+Z9enmI4luHCON0ZbL1NmmGVFRG+Cr8C03mr6ymJL2Z5nhHC?=
	=?us-ascii?q?yRbwQXm87FXuty93XTPMz8v/kkpSTrS3B0ZSXy+yNE99rjyOPBTntMD2uaQz40?=
	=?us-ascii?q?E6KGrku8yRlGG5IrNYA9X/JMCAISkzvF8XjZwwSca11o8HAte9O8ke8G1gYfTC?=
	=?us-ascii?q?8W+rlDVBo6hfjYrE/s6V4unXHWWnj6CCsLqNxStYy3YislE969CgKunO6MeXQ/?=
	=?us-ascii?q?SszGseUyB/tBbfUBGvt7zbtVcUOVaR30vRn4wKJN5Z12Ei1k76/OgjXM4z9AJG?=
	=?us-ascii?q?G4bYffwCuSz8ODv6wFaYedI3VTCS0yBJEVLxEFl4HrU82W3rscLRj3jQ50EnRo?=
	=?us-ascii?q?l+dkzgnxx3DJ80KUEz51gNxCoMDwwNZQqcDLGyCkTvNZEEWlQbaRSbwLi6fb86?=
	=?us-ascii?q?3VFpwryx4O/cd+p8CLQWO/lAjw6Ok1lbGo4Mvq0FWr18YUJd+LTRpgf8F4jtR+?=
	=?us-ascii?q?LmmmYoNf2pXsBa9tgUt3Q47QalWRWg9ZdD4q0fiJCJaq5Lf5jMs9ph70d8/zIP?=
	=?us-ascii?q?cDJCgARnhROjTe8cvPzj4sTcsJew5eahSqAtR/kQ9xgzAGh+lIX/gFQiodHRyu?=
	=?us-ascii?q?ddRZbYiYDh/wBXI3+FopzW0x9iJuoSM4irZqpv920bJygCIHIDJcaZa/sm7CBx?=
	=?us-ascii?q?Kzjc+1tCAscIZdMZIsXNgxxUhVP1V7FT7MbbHUWYC4hrfcAy82X30Cw18Yc7Uu?=
	=?us-ascii?q?v47T+2Ipbf701CP/xdlyhskdPCq/ITwfXMFCgW736ZawJ2wiOZ0ZWNDej//fmU?=
	=?us-ascii?q?wtHOS1wGBjI2U5taJDea9gyoWvG1lI7wXg2J5cH9hpM+dESNRn2+h6kFvaNMHv?=
	=?us-ascii?q?RGiirlxDReEZr1h/2Nudq29GRXrkFHEJp07RDdGqVfOZV7ORLimsa3Rkh8Ajb/?=
	=?us-ascii?q?d9zVdxovvuqW3eQM4+RlOkvgZI8bPAgLy7bn5npUVAduTqD5vkqBV+ILeNRmUO?=
	=?us-ascii?q?/ErmxS6Y94Kq8PIkKSpJrxozdMtVA5HQ4paLgrrjBAcUnOhgJVUb7uuLEckgsc?=
	=?us-ascii?q?TcJ5uUhUFGKyJm0+6TTHVaBOgaifEvMV9CucTrAUX0VuLCx+Xwu/2I9ydLuxgf?=
	=?us-ascii?q?BHrmRGkztyoPgu1DxnSgWzuSnop68WwjIg/7e4tDQdtnBfSOWRjTvIA01ZzPsW?=
	=?us-ascii?q?laccF2ri6VukbXkBbIvz4KFnJcPk9Ykg/3Qwfw4ufygHXeS8ESH/kbmEAouVsN?=
	=?us-ascii?q?JTnBSNotnBbaevLSgOMbQw0Q7jR3l40gXFgBZo8XcEQja+498gPom9P9gqxjaw?=
	=?us-ascii?q?E2jBaFkM+r9JsNf2tVMTSes2aFBhwGZk0sWcRC0CXs/PG2Ezjgc6b2VIapRD5g?=
	=?us-ascii?q?EGF6MwmDaHorFG/h0IYDfTComq4ZffncHU2XQmVtdqwmXWprGZhpM0znJqhsl4?=
	=?us-ascii?q?7imUuHQdb+bYSdNjAmDv1odDzuzzf+2tsucDSIR80rSgXvgCMs2t+Wat3ZVqXU?=
	=?us-ascii?q?ilxq8AEFWlKu8DwazbUzykSW2eVuSHaW+Mnyw2MkTq/xmnMkU3aNtWr086KubC?=
	=?us-ascii?q?iIBTlwngUbNsWCqdvl7azG0mMeMfaQ02ooOndBIQQO4WfeicKvAkwOciB1sUc3?=
	=?us-ascii?q?/JASx2Bve4sF61hoh7Omlv7lvhbOTo8wDmLMGSFQceHY7dtJ5x9uSwRnidNn94?=
	=?us-ascii?q?0B1yIE50+v/YF1Q1qOBRaI6RndzKiNRgze4FdutiMTEnutENhI1v84+U39mWcR?=
	=?us-ascii?q?vJ1Jb9OcnVouSEA/3Y10kqfmBaUrwEYQL6/ok6Ot85W6bPHbtCphkcBLI1QJom?=
	=?us-ascii?q?N2vr86F0NgxzeBbLZLuomsnquv6LZpxMqn/N8F0wKCbcuxseyv27SgB1YIyqh3?=
	=?us-ascii?q?XsL5AqWD1Bt8diBwBlHIRRAcMAqRSoA5qPl6GmhN+94UR6u/UFsaDoEPDFyMy5?=
	=?us-ascii?q?35ltX5hd/UGLOSzeC7VrgkRkiOSyhezN0ofwCcPkZ9wEUOl7QmjYar7JBIm/LS?=
	=?us-ascii?q?iOOs3kcU5c77GcyK55UgmWZC3hXaqJri6kNPJ/7kgg14x4evbTzDwq77HG19vy?=
	=?us-ascii?q?Z31bqj2lrXGXKJtV9EbKCvDGXxJIVfqF935oHa8SbYvz7ucOK90iwMOH7gl19j?=
	=?us-ascii?q?tC1dWKI6m7ok/LwEJ7eorRLFH11CYhRYkKPBO/PFM3gW/Xr3TSHXVRI8u/JMlz?=
	=?us-ascii?q?ntmVFB3t5kh2mWErfGJBHHTnRcvCcVQcjse8a1Db3A1MCNkHkqi8fktrjKCqTf?=
	=?us-ascii?q?hUPcBgkPm2tLgY2flgMTvCWNQSayTSI+InFjVWCerLqR4jZRtS4JYvXYJgQJGS?=
	=?us-ascii?q?PEMKLw+vwDnowBfemVP1fpSX2aKIJjsGuiFcwrbE1yVcjxWosvaexMv4WfbWa4?=
	=?us-ascii?q?+gD62aCzYsSjzPHWd6Kk2u41rx/qRdsQ=3D=3D?=
X-IPAS-Result: =?us-ascii?q?A2CiAgCb8eVZ/wHyM5BdGwEBAQMBAQEJAQEBFgEBAQMBAQE?=
	=?us-ascii?q?JAQEBgwgsgVIng3qLE45Dij+OBIEbA1Upig9CFQEBAQEBAQEBAQEBaiiCOCSCS?=
	=?us-ascii?q?QIgBFIDAwkCEhICIgQCAgMBHRMBBQEsCQWIAIIAAxUDnSlAjAyBbTqEcIJUDYN?=
	=?us-ascii?q?oMhJ9gh+CBxCJNIU6gmEBBJJZjjY8j3KEbA2FcI0oSIw8iFg4gRU1Ik+BCioKA?=
	=?us-ascii?q?h8IIw9JgS0agR2CXByCB1YBingBAQE?=
Received: from tarius.tycho.ncsc.mil ([144.51.242.1])
	by emsm-gh1-uea11.NCSC.MIL with ESMTP; 17 Oct 2017 12:09:01 +0000
Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v9HC8Y2g011075;
	Tue, 17 Oct 2017 08:08:41 -0400
Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil
	[144.51.242.1])
	by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id
	v9GKbZsB024792 for <selinux@prometheus.infosec.tycho.ncsc.mil>;
	Mon, 16 Oct 2017 16:37:35 -0400
Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v9GKbXSt001380
	for <selinux@tycho.nsa.gov>; Mon, 16 Oct 2017 16:37:35 -0400
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A1DAAgAdGOVZfykaGNZeHAEBBAEBCgEBg?=
	=?us-ascii?q?1yBVRQTg3qLE45AijuFMIg6gTUDeYoEQBcBAgEBAQEBAQETAQELFoYkBBkBATc?=
	=?us-ascii?q?BNAImAiMTAQUBLAmKBQMIDQOeP0CLIWuBbTqDCAEBBYQ6DYEfgkkqCBJ8gh+CB?=
	=?us-ascii?q?4lDhTqCYQGBMQEBkSmONDIIAQGFbooEhGwNhXCNJkiMO4hYOIEVIQOBAoEKNCE?=
	=?us-ascii?q?lXoERgVOCTQ8cggdWAYshAQEB?=
X-IPAS-Result: =?us-ascii?q?A1DAAgAdGOVZfykaGNZeHAEBBAEBCgEBg1yBVRQTg3qLE45?=
	=?us-ascii?q?AijuFMIg6gTUDeYoEQBcBAgEBAQEBAQETAQELFoYkBBkBATcBNAImAiMTAQUBL?=
	=?us-ascii?q?AmKBQMIDQOeP0CLIWuBbTqDCAEBBYQ6DYEfgkkqCBJ8gh+CB4lDhTqCYQGBMQE?=
	=?us-ascii?q?BkSmONDIIAQGFbooEhGwNhXCNJkiMO4hYOIEVIQOBAoEKNCElXoERgVOCTQ8cg?=
	=?us-ascii?q?gdWAYshAQEB?=
X-IronPort-AV: E=Sophos;i="5.43,388,1503374400";
   d="scan'208";a="85360"
Received: from emsm-gh1-uea11.ncsc.mil ([214.29.60.35])
	by goalie.tycho.ncsc.mil with ESMTP; 16 Oct 2017 16:37:35 -0400
IronPort-PHdr: =?us-ascii?q?9a23=3AM2L5oxS4MZnl0czbbNmXIm2OH9psv+yvbD5Q0YIu?=
	=?us-ascii?q?jvd0So/mwa6zZReN2/xhgRfzUJnB7Loc0qyN4vCmATRIyK3CmUhKSIZLWR4BhJ?=
	=?us-ascii?q?detC0bK+nBN3fGKuX3ZTcxBsVIWQwt1Xi6NU9IBJS2PAWK8TW94jEIBxrwKxd+?=
	=?us-ascii?q?KPjrFY7OlcS30P2594HObwlSijewZbB/IA+qoQnNq8IbnZZsJqEtxxXTv3BGYf?=
	=?us-ascii?q?5WxWRmJVKSmxbz+MK994N9/ipTpvws6ddOXb31cKokQ7NYCi8mM30u683wqRbD?=
	=?us-ascii?q?VwqP6WACXWgQjxFFHhLK7BD+Xpf2ryv6qu9w0zSUMMHqUbw5Xymp4rx1QxH0li?=
	=?us-ascii?q?gIKz858HnWisNuiqJbvAmhrAF7z4LNfY2ZKOZycqbbcNwdWWdMUNpdWzFYDo+g?=
	=?us-ascii?q?cocEEu4NMftYooX4oVYFsBmwChS2BO731zFHiXH406493eohDw/JwBctH84SvH?=
	=?us-ascii?q?nOsNn4LrseXOKzwaLVzTvDdfRW2TLl5YbPaB8hve2MXbJufsvf1EIhFhnKjk+K?=
	=?us-ascii?q?qYP7IzOVyvkGvm+e7+piWuKii2oqphp+ojiowccshY3JiZwPxl/Y8iV5xZ84KN?=
	=?us-ascii?q?ulQ0B4ed6pCIVcuzyVOodsXM8vTHtktDg7x7EctpO3YTAGxIo7yxPbcfCKcIiF?=
	=?us-ascii?q?7gj9WOqMIjp0nnBodby5ih2v60av0Pf8WdOx0FtSripKjN3MtncV2hPd98aJSu?=
	=?us-ascii?q?Zw8lql1DiVyw3f9v9ILVoqmqXFLp4h2bEwmoAWsUvZHy/2nF/6jKqXdkUg4uSo?=
	=?us-ascii?q?6uLnbav6ppKEKYN4lw7zPr4wlsGwG+g0LAkDU3KU9OihzLHj+Ff2QLROjv04iK?=
	=?us-ascii?q?nZt5XaKNwVq662HgJV0IIj5BakATio1doVgHYGLElLdh+bjYXmO0vBLfL4A/m/?=
	=?us-ascii?q?gVmhjjdmy+rIM7PhDJvDKnjOnanlcLhy7UBS0Q89w8pR6p9XCr8NOv39VEvsuN?=
	=?us-ascii?q?DCDBI3Mwu6zv3pCNV5yIwfVnuDDracMKzIrV+I+uIvLPeCZY8aojn9MeIl6ODy?=
	=?us-ascii?q?jX8lg1MSZq6p3YYRaH+kAPtmOF+VYXXrgtcGHmcKuhQxQPb2h12FVD5ff2yyUL?=
	=?us-ascii?q?4k5jEnFIKmCp/ORpuzj7yF3Se7GIBWZ29dB1CQEXbna4WEW/AWZCKUOc9uiCYI?=
	=?us-ascii?q?VbemS48/hlmSs1r/ybU6f8Lb/SoXsZ+l399wtMPJkhRn0DVoE8SQzCmiRntuk3?=
	=?us-ascii?q?8UD2sz3q8i8GRyzVCM1aU+iPtdQ48Ar8hVWxs3YMaPh9dxDMr/D0eRI9o=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0BTAgAwF+VZfykaGNZeHAEBBAEBCgEBF?=
	=?us-ascii?q?wEBBAEBCgEBgzGBVRQTg3qLE5h7hTCIOoE1A3mKRBcBAQEBAQEBAQEBARIBAQs?=
	=?us-ascii?q?WXYI4JIJrBBkBATcBNAImAiMTAQUBLAmKBQMIDQOePUCLIWuBbTqDCAEBBYQ6D?=
	=?us-ascii?q?YEfgkkqCBJ8gh+LSoU6gmGBMgEBkSmONDIIAQGFbooEhGwNhXCNJkiMO4hYOIE?=
	=?us-ascii?q?VIQOBAoEKNCElXoERgVOCTQ8cggdWAYshAQEB?=
X-IPAS-Result: =?us-ascii?q?A0BTAgAwF+VZfykaGNZeHAEBBAEBCgEBFwEBBAEBCgEBgzG?=
	=?us-ascii?q?BVRQTg3qLE5h7hTCIOoE1A3mKRBcBAQEBAQEBAQEBARIBAQsWXYI4JIJrBBkBA?=
	=?us-ascii?q?TcBNAImAiMTAQUBLAmKBQMIDQOePUCLIWuBbTqDCAEBBYQ6DYEfgkkqCBJ8gh+?=
	=?us-ascii?q?LSoU6gmGBMgEBkSmONDIIAQGFbooEhGwNhXCNJkiMO4hYOIEVIQOBAoEKNCElX?=
	=?us-ascii?q?oERgVOCTQ8cggdWAYshAQEB?=
X-IronPort-AV: E=Sophos;i="5.43,388,1503360000"; d="scan'208";a="4771645"
X-IronPort-Outbreak-Status: No, level 0, Unknown - Unknown
Received: from uphb3cpa02.eemsg.mail.mil (HELO USFB19PA02.eemsg.mail.mil)
	([214.24.26.41])
	by emsm-gh1-uea11.NCSC.MIL with ESMTP; 16 Oct 2017 20:37:33 +0000
X-EEMSG-check-005: 0
X-EEMSG-check-006: 000-001;9e2a6bde-e468-4bec-87bb-d0955222fd07
X-EEMSG-check-008: 136062541|USFB19PA01_EEMSG_MP17.csd.disa.mil
X-EEMSG-SBRS: 3.4
X-EEMSG-ORIG-IP: 209.85.218.73
X-EEMSG-check-002: true
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: 
 A0CiAQDBFeVZhknaVdFeHAEBBAEBCgEBhTEUE4N6mVOKO4UwiDqBNQN5hSQChF5AFwECAQEBAQEBARMBAQEKCQsIKC+FRwQZAQE3ATQCJgIjEwEFASwJigUDCA2eQECLIWuBbTqDCAEBBYQ6DYEfgkkBKQgSfIIfggeJQ4U6gmGBMgEBkSmONDIIAQGFbooEhGwNhXCNJkiMO4hYOIEVIQOBAoEKNCElXoERgVOCTQ8cggcgNgGLIQEBAQ
X-IPAS-Result: 
 A0CiAQDBFeVZhknaVdFeHAEBBAEBCgEBhTEUE4N6mVOKO4UwiDqBNQN5hSQChF5AFwECAQEBAQEBARMBAQEKCQsIKC+FRwQZAQE3ATQCJgIjEwEFASwJigUDCA2eQECLIWuBbTqDCAEBBYQ6DYEfgkkBKQgSfIIfggeJQ4U6gmGBMgEBkSmONDIIAQGFbooEhGwNhXCNJkiMO4hYOIEVIQOBAoEKNCElXoERgVOCTQ8cggcgNgGLIQEBAQ
Received: from mail-oi0-f73.google.com ([209.85.218.73])
	by USFB19PA01.eemsg.mail.mil with ESMTP; 16 Oct 2017 20:37:23 +0000
Received: by mail-oi0-f73.google.com with SMTP id e68so13093670oic.3
	for <selinux@tycho.nsa.gov>; Mon, 16 Oct 2017 13:37:23 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:mime-version:date:message-id:subject:from:to:cc;
	bh=5T03CgYWHni67lHaeWEfTktmyFxvfb15phNIjXIhC9Q=;
	b=SBrvMnA/EoE4FDcLbZiQKIMlC62bzlvENFn10MDg62g3noeDj3NwD1nAYKq9z6laAM
	8NSTktk+ynf/UlxtklBjiSj0HO3N1SGXdC2wV6GBlAwraEx7ExtWA6bl2YFyd5ajhzHH
	vd2BKsNmTURwaQa5FM4G/B2R+HwdDXvTSk9Be3cVgGh/8BickLNstKXtyU56WVpUTHAE
	7+/e2LP+UUncbUX1igtdKiTR5ndeEQ7lyKvhGSARVzrXvGAtv5WFi1WgUJSxfJGbN2EX
	t8VH0ocvpVLEbP4fbjvye/lM2DDNuTQvLqEN+t2P+B8ushRia69Gkyb6Adocqbc0PlH7
	+Rlw==
X-Gm-Message-State: AMCzsaV/v9kSt1oMefj5CH5jP/ijE4HWE/BmufjSr3NvtMHM0cAu9VI3
	1XJNRQlqSneFsWf+oQuV6JOZ+rRQ8z9/dtAeJ4o5pA==
X-Google-Smtp-Source: 
 ABhQp+RHQlJMPLvZDnGb1vr8ecT1aNMx2s0QmTlLpBuhTTNjLdGzhvfSgcN1lMej7lICj/wW5kOi362qzMmD8ciIoeFkaA==
MIME-Version: 1.0
X-Received: by 10.157.32.193 with SMTP id x59mr6686357ota.30.1508186240292;
	Mon, 16 Oct 2017 13:37:20 -0700 (PDT)
Date: Mon, 16 Oct 2017 13:37:08 -0700
Message-Id: <20171016203709.11199-1-mjg59@google.com>
X-Mailer: git-send-email 2.15.0.rc0.271.g36b669edcc-goog
To: mjg59@google.com
X-Mailman-Approved-At: Tue, 17 Oct 2017 08:08:32 -0400
Subject: [PATCH 1/2] security: Add a cred_getsecid hook
X-BeenThere: selinux@tycho.nsa.gov
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
	<selinux.tycho.nsa.gov>
List-Post: <mailto:selinux@tycho.nsa.gov>
List-Help: <mailto:selinux-request@tycho.nsa.gov?subject=help>
From: Matthew Garrett via Selinux <selinux@tycho.nsa.gov>
Reply-To: Matthew Garrett <mjg59@google.com>
Cc: linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov,
	Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
	linux-integrity@vger.kernel.org, Stephen Smalley <sds@tycho.nsa.gov>
Errors-To: selinux-bounces@tycho.nsa.gov
Sender: "Selinux" <selinux-bounces@tycho.nsa.gov>
X-Virus-Scanned: ClamAV using ClamSMTP

For IMA purposes, we want to be able to obtain the prepared secid in the
bprm structure before the credentials are committed. Add a cred_getsecid
hook that makes this possible.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Cc: Paul Moore <paul@paul-moore.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Eric Paris <eparis@parisplace.org>
Cc: selinux@tycho.nsa.gov
Cc: Casey Schaufler <casey@schaufler-ca.com>
Cc: linux-security-module@vger.kernel.org
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Cc: linux-integrity@vger.kernel.org
Acked-by: Paul Moore <paul@paul-moore.com>
---
 include/linux/lsm_hooks.h  |  6 ++++++
 include/linux/security.h   |  1 +
 security/security.c        |  7 +++++++
 security/selinux/hooks.c   |  8 ++++++++
 security/smack/smack.h     | 10 ++++++++++
 security/smack/smack_lsm.c | 14 ++++++++++++++
 6 files changed, 46 insertions(+)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index ce02f76a6188..48a929fd47e6 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -556,6 +556,10 @@
  *	@new points to the new credentials.
  *	@old points to the original credentials.
  *	Transfer data from original creds to new creds
+ * @cred_getsecid:
+ *	Retrieve the security identifier of the cred structure @c
+ *	@p contains the credentials, secid will be placed into @secid.
+ *	In case of failure, @secid will be set to zero.
  * @kernel_act_as:
  *	Set the credentials for a kernel service to act as (subjective context).
  *	@new points to the credentials to be modified.
@@ -1510,6 +1514,7 @@ union security_list_options {
 	int (*cred_prepare)(struct cred *new, const struct cred *old,
 				gfp_t gfp);
 	void (*cred_transfer)(struct cred *new, const struct cred *old);
+	void (*cred_getsecid)(const struct cred *c, u32 *secid);
 	int (*kernel_act_as)(struct cred *new, u32 secid);
 	int (*kernel_create_files_as)(struct cred *new, struct inode *inode);
 	int (*kernel_module_request)(char *kmod_name);
@@ -1783,6 +1788,7 @@ struct security_hook_heads {
 	struct list_head cred_free;
 	struct list_head cred_prepare;
 	struct list_head cred_transfer;
+	struct list_head cred_getsecid;
 	struct list_head kernel_act_as;
 	struct list_head kernel_create_files_as;
 	struct list_head kernel_read_file;
diff --git a/include/linux/security.h b/include/linux/security.h
index 458e24bea2d4..8d969958c25e 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -324,6 +324,7 @@ int security_cred_alloc_blank(struct cred *cred, gfp_t gfp);
 void security_cred_free(struct cred *cred);
 int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp);
 void security_transfer_creds(struct cred *new, const struct cred *old);
+void security_cred_getsecid(const struct cred *c, u32 *secid);
 int security_kernel_act_as(struct cred *new, u32 secid);
 int security_kernel_create_files_as(struct cred *new, struct inode *inode);
 int security_kernel_module_request(char *kmod_name);
diff --git a/security/security.c b/security/security.c
index 55b5997e4b72..0f5784880c94 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1009,6 +1009,13 @@ void security_transfer_creds(struct cred *new, const struct cred *old)
 	call_void_hook(cred_transfer, new, old);
 }
 
+void security_cred_getsecid(const struct cred *c, u32 *secid)
+{
+	*secid = 0;
+	call_void_hook(cred_getsecid, c, secid);
+}
+EXPORT_SYMBOL(security_cred_getsecid);
+
 int security_kernel_act_as(struct cred *new, u32 secid)
 {
 	return call_int_hook(kernel_act_as, 0, new, secid);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 33fd061305c4..e0828e9130c7 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3829,6 +3829,13 @@ static void selinux_cred_transfer(struct cred *new, const struct cred *old)
 	*tsec = *old_tsec;
 }
 
+static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
+{
+	rcu_read_lock();
+	*secid = cred_sid(c);
+	rcu_read_unlock();
+}
+
 /*
  * set the security data for a kernel service
  * - all the creation contexts are set to unlabelled
@@ -6332,6 +6339,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
 	LSM_HOOK_INIT(cred_free, selinux_cred_free),
 	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
 	LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
+	LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
 	LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
 	LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
 	LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
diff --git a/security/smack/smack.h b/security/smack/smack.h
index 6a71fc7831ab..5af7b7e709bc 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -391,6 +391,16 @@ static inline struct smack_known *smk_of_task_struct(const struct task_struct *t
 	return skp;
 }
 
+static inline struct smack_known *smk_of_cred(const struct cred *c)
+{
+	struct smack_known *skp;
+
+	rcu_read_lock();
+	skp = smk_of_task(c->security);
+	rcu_read_unlock();
+	return skp;
+}
+
 /*
  * Present a pointer to the forked smack label entry in an task blob.
  */
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 463af86812c7..f1710cf76f7f 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -2080,6 +2080,19 @@ static void smack_cred_transfer(struct cred *new, const struct cred *old)
 	/* cbs copy rule list */
 }
 
+/**
+ * smack_cred_getsecid - get the secid corresponding to a creds structure
+ * @c: the object creds
+ * @secid: where to put the result
+ *
+ * Sets the secid to contain a u32 version of the smack label.
+ */
+static void smack_cred_getsecid(const struct cred *c, u32 *secid)
+{
+	struct smack_known *skp = smk_of_cred(c);
+	*secid = skp->smk_secid;
+}
+
 /**
  * smack_kernel_act_as - Set the subjective context in a set of credentials
  * @new: points to the set of credentials to be modified.
@@ -4684,6 +4697,7 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
 	LSM_HOOK_INIT(cred_free, smack_cred_free),
 	LSM_HOOK_INIT(cred_prepare, smack_cred_prepare),
 	LSM_HOOK_INIT(cred_transfer, smack_cred_transfer),
+	LSM_HOOK_INIT(cred_getsecid, smack_cred_getsecid),
 	LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as),
 	LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as),
 	LSM_HOOK_INIT(task_setpgid, smack_task_setpgid),