From patchwork Mon Oct 16 20:37:09 2017
X-Patchwork-Submitter: Jann Horn via Selinux
X-Patchwork-Id: 10011781
Date: Mon, 16 Oct 2017 13:37:09 -0700
From: Matthew Garrett via Selinux
Reply-To: Matthew Garrett
To: mjg59@google.com
Cc: linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, Dmitry Kasatkin, linux-integrity@vger.kernel.org, Stephen Smalley
Subject: [PATCH 2/2] IMA: Support using new creds in appraisal policy
Message-Id: <20171016203709.11199-2-mjg59@google.com>
In-Reply-To: <20171016203709.11199-1-mjg59@google.com>
References: <20171016203709.11199-1-mjg59@google.com>
List-Id: "Security-Enhanced Linux (SELinux) mailing list"
X-Mailer: git-send-email 2.15.0.rc0.271.g36b669edcc-goog

The existing BPRM_CHECK functionality in IMA validates against the credentials of the existing process, not any new credentials that the child process may transition to. Add an additional CREDS_CHECK target and refactor IMA to pass the appropriate creds structure. In ima_bprm_check(), check with both the existing process credentials and the credentials that will be committed when the new process is started.
Signed-off-by: Matthew Garrett Cc: Paul Moore Cc: Stephen Smalley Cc: Eric Paris Cc: selinux@tycho.nsa.gov Cc: Casey Schaufler Cc: linux-security-module@vger.kernel.org Cc: Mimi Zohar Cc: Dmitry Kasatkin Cc: linux-integrity@vger.kernel.org --- Documentation/ABI/testing/ima_policy | 2 +- security/integrity/iint.c | 1 + security/integrity/ima/ima.h | 7 ++++--- security/integrity/ima/ima_api.c | 8 +++++--- security/integrity/ima/ima_appraise.c | 10 +++++++++- security/integrity/ima/ima_main.c | 26 +++++++++++++++++--------- security/integrity/ima/ima_policy.c | 19 ++++++++++++------- security/integrity/integrity.h | 9 +++++++-- 8 files changed, 56 insertions(+), 26 deletions(-) diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy index e76432b9954d..5dc9eed035fb 100644 --- a/Documentation/ABI/testing/ima_policy +++ b/Documentation/ABI/testing/ima_policy @@ -25,7 +25,7 @@ Description: [obj_user=] [obj_role=] [obj_type=]] option: [[appraise_type=]] [permit_directio] - base: func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK] + base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK] [FIRMWARE_CHECK] [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK] mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND] diff --git a/security/integrity/iint.c b/security/integrity/iint.c index 6fc888ca468e..ad30094a58b4 100644 --- a/security/integrity/iint.c +++ b/security/integrity/iint.c @@ -78,6 +78,7 @@ static void iint_free(struct integrity_iint_cache *iint) iint->ima_mmap_status = INTEGRITY_UNKNOWN; iint->ima_bprm_status = INTEGRITY_UNKNOWN; iint->ima_read_status = INTEGRITY_UNKNOWN; + iint->ima_creds_status = INTEGRITY_UNKNOWN; iint->evm_status = INTEGRITY_UNKNOWN; iint->measured_pcrs = 0; kmem_cache_free(iint_cache, iint); diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index d52b487ad259..0703a96072b5 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h 
@@ -177,6 +177,7 @@ static inline unsigned long ima_hash_key(u8 *digest) hook(FILE_CHECK) \ hook(MMAP_CHECK) \ hook(BPRM_CHECK) \ + hook(CREDS_CHECK) \ hook(POST_SETATTR) \ hook(MODULE_CHECK) \ hook(FIRMWARE_CHECK) \ @@ -191,7 +192,7 @@ enum ima_hooks { }; /* LIM API function definitions */ -int ima_get_action(struct inode *inode, int mask, +int ima_get_action(struct inode *inode, const struct cred *cred, int mask, enum ima_hooks func, int *pcr); int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func); int ima_collect_measurement(struct integrity_iint_cache *iint, @@ -212,8 +213,8 @@ void ima_free_template_entry(struct ima_template_entry *entry); const char *ima_d_path(const struct path *path, char **pathbuf, char *filename); /* IMA policy related functions */ -int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask, - int flags, int *pcr); +int ima_match_policy(struct inode *inode, const struct cred *cred, + enum ima_hooks func, int mask, int flags, int *pcr); void ima_init_policy(void); void ima_update_policy(void); void ima_update_policy_flag(void); diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index c2edba8de35e..ff33b7e65a07 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -157,6 +157,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename, /** * ima_get_action - appraise & measure decision based on policy. * @inode: pointer to inode to measure + * @cred: pointer to credentials structure to validate * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXEC, * MAY_APPEND) * @func: caller identifier 
@@ -165,20 +166,21 @@ void ima_add_violation(struct file *file, const unsigned char *filename, * The policy is defined in terms of keypairs: * subj=, obj=, type=, func=, mask=, fsmagic= * subj,obj, and type: are LSM specific. - * func: FILE_CHECK | BPRM_CHECK | MMAP_CHECK | MODULE_CHECK + * func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK * mask: contains the permission mask * fsmagic: hex value * * Returns IMA_MEASURE, IMA_APPRAISE mask. * */ -int ima_get_action(struct inode *inode, int mask, enum ima_hooks func, int *pcr) +int ima_get_action(struct inode *inode, const struct cred *cred, int mask, + enum ima_hooks func, int *pcr) { int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE; flags &= ima_policy_flag; - return ima_match_policy(inode, func, mask, flags, pcr); + return ima_match_policy(inode, cred, func, mask, flags, pcr); } /* diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 809ba70fbbbf..137b8d1708c6 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -53,7 +53,8 @@ int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func) if (!ima_appraise) return 0; - return ima_match_policy(inode, func, mask, IMA_APPRAISE, NULL); + return ima_match_policy(inode, current_cred(), func, mask, + IMA_APPRAISE, NULL); } static int ima_fix_xattr(struct dentry *dentry, @@ -86,6 +87,8 @@ enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint, return iint->ima_mmap_status; case BPRM_CHECK: return iint->ima_bprm_status; + case CREDS_CHECK: + return iint->ima_creds_status; case FILE_CHECK: case POST_SETATTR: return iint->ima_file_status; @@ -106,6 +109,8 @@ static void ima_set_cache_status(struct integrity_iint_cache *iint, case BPRM_CHECK: iint->ima_bprm_status = status; break; + case CREDS_CHECK: + iint->ima_creds_status = status; case FILE_CHECK: case POST_SETATTR: iint->ima_file_status = status; 
@@ -127,6 +132,9 @@ static void ima_cache_flags(struct integrity_iint_cache *iint, case BPRM_CHECK: iint->flags |= (IMA_BPRM_APPRAISED | IMA_APPRAISED); break; + case CREDS_CHECK: + iint->flags |= (IMA_CREDS_APPRAISED | IMA_APPRAISED); + break; case FILE_CHECK: case POST_SETATTR: iint->flags |= (IMA_FILE_APPRAISED | IMA_APPRAISED); diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 2aebb7984437..f41aa427792b 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -155,8 +155,9 @@ void ima_file_free(struct file *file) ima_check_last_writer(iint, inode, file); } -static int process_measurement(struct file *file, char *buf, loff_t size, - int mask, enum ima_hooks func, int opened) +static int process_measurement(struct file *file, const struct cred *cred, + char *buf, loff_t size, int mask, + enum ima_hooks func, int opened) { struct inode *inode = file_inode(file); struct integrity_iint_cache *iint = NULL; @@ -178,7 +179,7 @@ static int process_measurement(struct file *file, char *buf, loff_t size, * bitmask based on the appraise/audit/measurement policy. * Included is the appraise submask. */ - action = ima_get_action(inode, mask, func, &pcr); + action = ima_get_action(inode, cred, mask, func, &pcr); violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) && (ima_policy_flag & IMA_MEASURE)); if (!action && !violation_check) @@ -282,8 +283,8 @@ static int process_measurement(struct file *file, char *buf, loff_t size, int ima_file_mmap(struct file *file, unsigned long prot) { if (file && (prot & PROT_EXEC)) - return process_measurement(file, NULL, 0, MAY_EXEC, - MMAP_CHECK, 0); + return process_measurement(file, current_cred(), NULL, 0, + MAY_EXEC, MMAP_CHECK, 0); return 0; } 
@@ -302,8 +303,14 @@ int ima_file_mmap(struct file *file, unsigned long prot) */ int ima_bprm_check(struct linux_binprm *bprm) { - return process_measurement(bprm->file, NULL, 0, MAY_EXEC, - BPRM_CHECK, 0); + int ret; + + ret = process_measurement(bprm->file, current_cred(), NULL, 0, + MAY_EXEC, BPRM_CHECK, 0); + if (ret) + return ret; + return process_measurement(bprm->file, bprm->cred, NULL, 0, + MAY_EXEC, CREDS_CHECK, 0); } /** @@ -318,7 +325,7 @@ int ima_bprm_check(struct linux_binprm *bprm) */ int ima_file_check(struct file *file, int mask, int opened) { - return process_measurement(file, NULL, 0, + return process_measurement(file, current_cred(), NULL, 0, mask & (MAY_READ | MAY_WRITE | MAY_EXEC | MAY_APPEND), FILE_CHECK, opened); } @@ -413,7 +420,8 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, } func = read_idmap[read_id] ?: FILE_CHECK; - return process_measurement(file, buf, size, MAY_READ, func, 0); + return process_measurement(file, current_cred(), buf, size, MAY_READ, + func, 0); } static int __init init_ima(void) diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 95209a5f8595..c9d5735711eb 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -247,10 +247,9 @@ static void ima_lsm_update_rules(void) * Returns true on rule match, false on failure. */ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, - enum ima_hooks func, int mask) + const struct cred *cred, enum ima_hooks func, + int mask) { - struct task_struct *tsk = current; - const struct cred *cred = current_cred(); int i; if ((rule->flags & IMA_FUNC) && @@ -305,7 +304,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, case LSM_SUBJ_USER: case LSM_SUBJ_ROLE: case LSM_SUBJ_TYPE: - security_task_getsecid(tsk, &sid); + security_cred_getsecid(cred, &sid); rc = security_filter_rule_match(sid, rule->lsm[i].type, Audit_equal, 
@@ -339,6 +338,8 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) return IMA_MMAP_APPRAISE; case BPRM_CHECK: return IMA_BPRM_APPRAISE; + case CREDS_CHECK: + return IMA_CREDS_APPRAISE; case FILE_CHECK: case POST_SETATTR: return IMA_FILE_APPRAISE; @@ -351,6 +352,8 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) /** * ima_match_policy - decision based on LSM and other conditions * @inode: pointer to an inode for which the policy decision is being made + * @cred: pointer to a credentials structure for which the policy decision is + * being made * @func: IMA hook identifier * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) * @pcr: set the pcr to extend @@ -362,8 +365,8 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) * list when walking it. Reads are many orders of magnitude more numerous * than writes so ima_match_policy() is classical RCU candidate. */ -int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask, - int flags, int *pcr) +int ima_match_policy(struct inode *inode, const struct cred *cred, + enum ima_hooks func, int mask, int flags, int *pcr) { struct ima_rule_entry *entry; int action = 0, actmask = flags | (flags << 1); @@ -374,7 +377,7 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask, if (!(entry->action & actmask)) continue; - if (!ima_match_rules(entry, inode, func, mask)) + if (!ima_match_rules(entry, inode, cred, func, mask)) continue; action |= entry->flags & IMA_ACTION_FLAGS; @@ -691,6 +694,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) entry->func = MMAP_CHECK; else if (strcmp(args[0].from, "BPRM_CHECK") == 0) entry->func = BPRM_CHECK; + else if (strcmp(args[0].from, "CREDS_CHECK") == 0) + entry->func = CREDS_CHECK; else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") == 0) entry->func = KEXEC_KERNEL_CHECK; 
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 0a721c110e92..8d532c3557b5 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -48,10 +48,14 @@ #define IMA_BPRM_APPRAISED 0x00002000 #define IMA_READ_APPRAISE 0x00004000 #define IMA_READ_APPRAISED 0x00008000 +#define IMA_CREDS_APPRAISE 0x00004000 +#define IMA_CREDS_APPRAISED 0x00008000 #define IMA_APPRAISE_SUBMASK (IMA_FILE_APPRAISE | IMA_MMAP_APPRAISE | \ - IMA_BPRM_APPRAISE | IMA_READ_APPRAISE) + IMA_BPRM_APPRAISE | IMA_READ_APPRAISE | \ + IMA_CREDS_APPRAISE) #define IMA_APPRAISED_SUBMASK (IMA_FILE_APPRAISED | IMA_MMAP_APPRAISED | \ - IMA_BPRM_APPRAISED | IMA_READ_APPRAISED) + IMA_BPRM_APPRAISED | IMA_READ_APPRAISED | \ + IMA_CREDS_APPRAISED) enum evm_ima_xattr_type { IMA_XATTR_DIGEST = 0x01, @@ -109,6 +113,7 @@ struct integrity_iint_cache { enum integrity_status ima_mmap_status:4; enum integrity_status ima_bprm_status:4; enum integrity_status ima_read_status:4; + enum integrity_status ima_creds_status:4; enum integrity_status evm_status:4; struct ima_digest_data *ima_hash; };
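Review bot: the new flag values in the security/integrity/integrity.h hunk collide with existing ones. IMA_CREDS_APPRAISE is defined as 0x00004000 and IMA_CREDS_APPRAISED as 0x00008000, which are exactly the values the context lines show for IMA_READ_APPRAISE and IMA_READ_APPRAISED. Both pairs are OR'd into iint->flags and into IMA_APPRAISE_SUBMASK / IMA_APPRAISED_SUBMASK, so a file appraised under CREDS_CHECK would read as already appraised for the read hooks and vice versa, and get_subaction() would return the same bit for both. Use the next free bits, e.g. `#define IMA_CREDS_APPRAISE 0x00010000` and `#define IMA_CREDS_APPRAISED 0x00020000`.

Review bot: missing `break;` in the ima_set_cache_status() hunk of security/integrity/ima/ima_appraise.c. The new `case CREDS_CHECK:` assigns iint->ima_creds_status and then falls through into `case FILE_CHECK:` / `case POST_SETATTR:`, so every CREDS_CHECK result also overwrites iint->ima_file_status. The sibling hunks in ima_get_cache_status() and ima_cache_flags() do terminate their new case; add `break;` after `iint->ima_creds_status = status;`.

Review bot: the security/integrity/iint.c hunk resets ima_creds_status to INTEGRITY_UNKNOWN on the free path only. The other four ima_*_status fields that iint_free() resets in the context lines are presumably also set to INTEGRITY_UNKNOWN wherever the cache object is first constructed; check that the new field is initialised there too, otherwise a freshly allocated iint would report a zero-valued CREDS_CHECK status until the first appraisal writes it.

Review bot: the Documentation/ABI/testing/ima_policy hunk adds CREDS_CHECK to the func:= list but nothing in the file says how it differs from BPRM_CHECK. A one-line description, that CREDS_CHECK is evaluated at exec time against the credentials the new process will be committed with (bprm->cred) while BPRM_CHECK uses the caller's credentials, would tell policy authors which of subj_*=, uid= and euid= each hook matches against.

Review bot: the kernel-doc comment whose closing `*/` is the first context line of the ima_bprm_check() hunk in security/integrity/ima/ima_main.c is not updated, although the function now runs process_measurement() twice, once with current_cred() under BPRM_CHECK and once with bprm->cred under CREDS_CHECK, returning the first failure. That second pass is the point of the series and should be stated in the comment; it is also worth noting there that the first pass short-circuits the second, so a BPRM_CHECK appraisal failure is what gets reported even when the CREDS_CHECK rule would fail too.

Review bot: the ima_match_rules() hunk in security/integrity/ima/ima_policy.c replaces security_task_getsecid(tsk, &sid) with security_cred_getsecid(cred, &sid), but no such hook is defined anywhere in this patch, so it must be provided by the earlier patch in the series (this is 2/2). Please state that dependency in the commit message so that the two are not applied out of order. Dropping the now-unused `tsk` local in the same hunk is correct.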
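To show what the new hook buys a policy author, here is a constructed IMA policy fragment written for this review; it is not part of the patch or of the kernel tree. It assumes SELinux is the active LSM, that `httpd_t` is the domain a web-server binary transitions into on exec, that the binaries in question carry `security.ima` signatures (appraise_type=imasig), and that uid=/euid= conditions are compared against the same cred the refactored ima_match_rules() receives for subj_*= (as the hunk suggests, though only the SID lookup is visible). The rule syntax follows the Documentation/ABI/testing/ima_policy grammar the patch extends, and the fragment is loaded by writing its pathname to /sys/kernel/security/ima/policy.

```text
# Constructed IMA policy fragment (example for this review, not kernel code).
# Load with:  echo /etc/ima/ima-policy > /sys/kernel/security/ima/policy
# Rules are evaluated top to bottom; the first rule that matches for a
# given action decides that action.

# Caller-keyed rule (existing behaviour). subj_type= is compared against
# the SID of the process that called execve(), so this fires only when
# the caller is already httpd_t. An unconfined shell exec'ing a binary
# that transitions into httpd_t never hits it.
appraise func=BPRM_CHECK subj_type=httpd_t appraise_type=imasig

# Target-keyed rule (new with CREDS_CHECK). The same subj_type= is now
# compared against bprm->cred, the credentials the new image will be
# committed with, so whatever is about to run as httpd_t must carry a
# valid security.ima signature no matter who exec'd it.
appraise func=CREDS_CHECK subj_type=httpd_t appraise_type=imasig

# Same idea without SELinux labels. Assumption: euid= is tested against
# the cred the hook passes in, so under CREDS_CHECK a setuid-root binary
# run by an ordinary user is caught (bprm->cred already carries the
# raised euid), which a BPRM_CHECK euid=0 rule evaluated on the caller
# would miss.
appraise func=CREDS_CHECK euid=0 appraise_type=imasig
```

The point of pairing the two `httpd_t` rules is the contrast: after this patch, one exec of /usr/sbin/httpd from an unconfined shell is evaluated twice, first against the shell's credentials (the BPRM_CHECK rule does not match) and then against the credentials of the process that is about to be created (the CREDS_CHECK rule does). Keep the CREDS_CHECK rules ahead of any broad dont_appraise rule, since the first match for the appraise action wins.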