From patchwork Mon Nov 27 19:31:54 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Richard Haines X-Patchwork-Id: 10080311 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id D5F8F6056A for ; Tue, 28 Nov 2017 13:26:10 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C800C28991 for ; Tue, 28 Nov 2017 13:26:10 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id BCF42288E7; Tue, 28 Nov 2017 13:26:10 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.1 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_MED, T_DKIM_INVALID autolearn=unavailable version=3.3.1 Received: from UCOL19PA10.eemsg.mail.mil (ucol19pa10.eemsg.mail.mil [214.24.24.83]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CDABF28878 for ; Tue, 28 Nov 2017 13:26:09 +0000 (UTC) X-IronPort-AV: E=Sophos;i="5.44,468,1505779200"; d="scan'208";a="388174680" Received: from emsm-gh1-uea10.ncsc.mil ([214.29.60.2]) by UCOL19PA10.eemsg.mail.mil with ESMTP/TLS/AES256-SHA; 28 Nov 2017 13:26:05 +0000 X-IronPort-AV: E=Sophos;i="5.44,468,1505779200"; d="scan'208";a="6200167" IronPort-PHdr: =?us-ascii?q?9a23=3AEVRPwhP7t9AytmEuc1wl6mtUPXoX/o7sNwtQ0KIM?= =?us-ascii?q?zox0L/T5ocbcNUDSrc9gkEXOFd2Cra4c0qyO6+u7AyQp2tWoiDg6aptCVhsI24?= =?us-ascii?q?09vjcLJ4q7M3D9N+PgdCcgHc5PBxdP9nC/NlVJSo6lPwWB6nK94iQPFRrhKAF7?= =?us-ascii?q?Ovr6GpLIj8Swyuu+54Dfbx9HiTahfL9+Ngm6oRneusQYn4dpN7o8xAbOrnZUYe?= =?us-ascii?q?pd2HlmJUiUnxby58ew+IBs/iFNsP8/9MBOTLv3cb0gQbNXEDopPWY15Nb2tRbY?= =?us-ascii?q?VguA+mEcUmQNnRVWBQXO8Qz3UY3wsiv+sep9xTWaMMjrRr06RTiu86FmQwLmhy?= =?us-ascii?q?cdMz4y7X/ZhMp+gqlGpB6tvgFzz5LRbIyTKfFwfL7SfckCSGRBQMhfWS9PDISh?= =?us-ascii?q?YYsXDecNIOhVoJfmp1YVsReyGROhCP/1xzNUmnP727Ax3eQ7EQHB2QwtB84AsH?= =?us-ascii?q?XIo9X1LqgSS/26x7TKwzrZbvNW3yny6JPVeR0mu/GMXK5/ccrLxkk1CgzKlkmf?= =?us-ascii?q?ppTlPzyP1+QNtXaU7/F7WO20l24nqgdxoiSxycc2jInGmJ4VxkrY+iV+xYY4PN?= =?us-ascii?q?u1Q1N4b968CJZcqi6XOoRsTs4iXm1kojg2x7IYtZKhYSQG0JcqywPFZ/CafYWE?= =?us-ascii?q?/AjvWemTLDtimX5odrKyihCv+ka60OL8TNO70FNSoypAldnDq24C2gTI6siCVv?= =?us-ascii?q?t95kCh2SuT1wzL6uFLP0Q0la3DJp492LEwjJsTsVnYHiPshEX3jLOZdkUj+uSy?= =?us-ascii?q?7eTofq7mqYOGO49xiwH+Nrwims25AesmLggDR3WX9Ouz2bH5/UD1Xa9GguM5n6?= =?us-ascii?q?XHqpzWONwXpqujDA9U1oYj5Qy/DzCj0NkAhnkIMlZFeBOBj4j0NFDCOev3DfCi?= =?us-ascii?q?g1SqjDhk2evGM6b9ApTNMnfDkLDhcax7605H0gU/199f55VKCr0ZOvL8RlfxtM?= =?us-ascii?q?DEDh8+KwG0weHnCNNn2YMCWWKAGKmZPbjQsV+P4OIvJvODZJQJuDnjMfgl/OTi?= =?us-ascii?q?jXgjmV8SZaOpx4cYaGikHvR6JEWUeXjsgtUbHmgWvQo+V+vqiFuDUT5NfHuyUa?= =?us-ascii?q?Y85iw0CY29EIfDQJytgKGb0Ce8BJ1WaXhMCkqQHnfwa4WER/AMZTqKIsB/iTML?= =?us-ascii?q?S76hS4491RGprwL6yqRoIfTK9SECspLjztd17fXJlR4u7Tx0E9id02aVQm5pmW?= =?us-ascii?q?MIQTk2071hrkx5y1eOyrJ3jOJCFdxU/f9JVR06NZHExexgF9/yQh7BfsuOSFu+?= =?us-ascii?q?X9qmHSs+TsgqztASZEZ9HsmtgQrY3yq2GbMVkaKEBIAs+KLGw3fxP9p9y2rB1K?= =?us-ascii?q?Q5jlkmRNdPOnOihqFh8gjcGZLJk1+ZlquxcqQcxDDC9GGGzWWUvUFYVBV/UaLK?= =?us-ascii?q?XHwFYUvWt9v57FvYT7CyEbQnLhdBycmaJ6pKa9zpilNGSezmONTaem6xmmGwCQ?= =?us-ascii?q?yOxryWdorqeGQd3DvDB0QelQAc42qGPxAkBii9u2LeECBuFVX3bkLi8Ol+rHa7?= =?us-ascii?q?QVEuzwyRYU1uyae6+hkPhfOGU/MTxLUEuCU/pDpoAFaxxdXWC8CPpwB5ZqVTfc?= =?us-ascii?q?s94Etb1WLerwF9MIagILpkhlECcgR3pFjj1xBvCoVBiMQqt30rzBFoJaKfylNB?= =?us-ascii?q?eCuS3YrsNb3PNmny4BevZrbV2l7E09aW/boP5e87q1r5vwGpEVci/29g09lP3H?= =?us-ascii?q?uW/o/KAxYKUZLtTkY38AB3qKvHbSkn5oPby2dsPLKuvTDe3tIlHuwlygyvf91H?= =?us-ascii?q?KqOLCBfyE9EGB8ipMOElh0KmbhYaM+BJ6K41P8SmeuCd2KG3PeZvgjSmjXhG4I?= =?us-ascii?q?9nyE6M8TRzSvLQ1ZYf3/6YxheHVyv7jFq5qMD4hJ1LaCodHmq6xinoHohRabNu?= =?us-ascii?q?fYwTE2ehP9W3xslih57qQ3NY71CjB0kB2M+yZRqfdEf93QtX1UUZpHyogy24wy?= =?us-ascii?q?Zykz43sqqVxDbOzPj6dBobJm5LQ3FvjFn2Loiwk9AVQlKobxMymRu7+0n63bNU?= =?us-ascii?q?pLl6L2XJRkdIZSf2JXl4UqSsrrqCf9JP6JQwvCVLTeuzfFGaRaT5oxYBzyzjGG?= =?us-ascii?q?5eyywheDGxppX1hRp6h3yBLHxrtnrWZdlwxQvD5NzbXfNRwDsGSzVkiTnQHFiw?= =?us-ascii?q?JcWm/dWTl5fFveCzTGahVpxVcSbx14OAszG35WpwAR2wh/qzgMHoERAm0S/n0N?= =?us-ascii?q?lnTSHIrBfnYon3zqi6Kvxofk1pBF/69sp7FZpzkpAohJER33gah4ma/WEdnWf1?= =?us-ascii?q?L9pbxbr0bGARSj4T397V/A/l1VV5LnKOw4L5UmuSwtF9aNm9bGIbwTk9791WB6?= =?us-ascii?q?eP9rBEmjF1olWgpwLLffd9hisdyecp6HMCgOEGpgwtzj6GD7ARA0ZYOzfslxKW?= =?us-ascii?q?4NCitqlXY3yvcbeo3kpkgd+hFK2Coh1bWHvhYpctBzJw7sFhP1LUynLz7J3kd8?= =?us-ascii?q?fKbd8Iqx2UiAnPj/JOKJ4rjfoKgjdnOXjhsnI7xe47igZu3Z6ks4SdLWVi4r65?= =?us-ascii?q?CAZCNjLpf8MT5i3tjaFGk8aI2YCgA45sGisNXJT1TfKkCjQSuur7NwyWCj0ztm?= =?us-ascii?q?+bGabDHQ+Y8Epmt2jAE42vN3yMOHYZzMliRRmEKExRmg8UWi82npkjFgCl3Mbh?= =?us-ascii?q?alt25igN5l7krRtB0uFoNhn7UmjBvwqobzA0SJaRLBVI8gFC+0fVMcub7u1tBS?= =?us-ascii?q?1Y+IOurBCVIGyBewtIFX0JWlCDB137MLmh/9/A8/SfBuq7NPbOb6uBpvFZV/eS?= =?us-ascii?q?352vypFm/zGONsqRInZiE+c32k1ZXXB2A87ZgSkASzQLlyLRaM6WvA289jd5r8?= =?us-ascii?q?yl9fTkQgbv5YyPCrZJK9pg5xW2jb2EN+6KiyZzMSxY2Y8UxX/U1Lgf20Yfiy90?= =?us-ascii?q?dzazDLsArjTCTKTMmq9QFB4WcDl8O9dN764m2QlNI8HbgMvv1rFklv41F0tFVV?= =?us-ascii?q?v5l8Gvf8wFOXm9NEvcCUaFNbSGPybLw935YaO9T71fluNUuAGxuTmBF0/vJDOD?= =?us-ascii?q?lyPmVxq3K+FDkDmbPABCuIG6ahtiEnPsQNXiah26K993kSY2zacvhnzUKWEQKy?= =?us-ascii?q?N8fF1Jrr2R6yNYn/p+Fndd4XtlN+mEhj2Z4/PWK5kMrftrGSN0l+RA7HQ90btV?= =?us-ascii?q?4zlOROZplyvKst5uv1amn/GJyjpmVBpOrihEhJmQsEp4J6rZ7J5AVWzD/BIX4m?= =?us-ascii?q?WaEw4KqMd9Ct3zp6BQzcDCm7nyKDdN9NLU+9ARCNXKJ82cMXouKxzpFCTTDAsf?= =?us-ascii?q?Qj6hLXvfiFBFkPGO6n2VqYA3pYLjmJUUVL9USkc4FvQCCkt7GtwCJY14XjIgkb?= =?us-ascii?q?GAi84J6mCyrB7LRMVVpprHTO6dAe3zKDaFirlJfwcIwbT9LYgJLI373E1jZUd8?= =?us-ascii?q?nIvRAUrQWs5Coi56YwAop0VN9WRxQXco20L5cA+t5mEcFeKslB4slgR+efgt9C?= =?us-ascii?q?vr41ovIFrFujE/kE0qlNXmhjCRayLxI722XYFNCCr0tlI9MpXlTAZpdQeyh1Br?= =?us-ascii?q?NC/YR7JNiLttbXprhxHHuZRRA/FcV7FLYB8LyP6MZvUoy0lTqiKpxU9f/+vKF5?= =?us-ascii?q?tjmBEscZGys3JKwxhjY8ItJazMOKpJyUBdib+UsS+21+A+3RQeKl0X/2OIYi4I?= =?us-ascii?q?v0IJNqI4KCW04+xs8w2CmydDeWQWUfolvO5q/FsnO+uc1yLgz6JDKkepOuybKK?= =?us-ascii?q?OZoXbPlciJQ1M3zU4ImE9F/aVs3cckaUqUWFglzKGNGBQRKcrCNQZVYtJJ9HfN?= =?us-ascii?q?eSaOsOPNwY96PoimCu/oSuqOu7oOjUK/AAYlBYIM4dodHpO0ykHXMd/nLKIZyR?= =?us-ascii?q?Uq/AnkOUmKDPFOeBKNjDcLvtqyzIFp0olHJzEcAGJ9MSOt6rbRuAAqnOKJXM0q?= =?us-ascii?q?bXcCQosEKnU2VdWmmy5YunRACyW30uIZyQWZ8jD8pyTRAyPnYNZ5Yvebew9sAs?= =?us-ascii?q?ms+Toj66i2lULX8pLGKm7gMdRiu8PA5v0CqJaCC/JUS759s0HGlIRDXHOqUnTA?= =?us-ascii?q?EdisK5j+dokgd9r0BWimUlankTI6U9/xPMqxLqiPmQznXphbsI+A0T85KMC9CC?= =?us-ascii?q?8RGw1rp+4Z/qJ9ZRcPY50hYR7nrw4+LbCwIB+E0tWyRGagMSFWT/9ezeqmZ7xX?= =?us-ascii?q?yC4sbvSixnU5U5801fW6/0kWSZ4WiRHewOqsaJNFUSjvAHBdfRvApTYhnWh7Ku?= =?us-ascii?q?ky2vs/wA/PsVQELz+LdvZmZ3Bfst4gAlOSJXF2CmsmSF+GkYrM/BKj37AI8yta?= =?us-ascii?q?hdZU3vVPsGLisZ/HfDKsRKurpI3PsyU6d9gmpLZ+PJf/IsucrpzegCLQTJ3Rsg?= =?us-ascii?q?2DXy66E/tamtdQICJETvlHg3slOckctYpH90UxSt80J6ZTB6k0urCqdT1kADYc?= =?us-ascii?q?zCMDS4yA3D0CguK927TAlReda5UiPwIav5pcmNcdVDR2YiwGrq+5S4rWj3OESn?= =?us-ascii?q?QMIAoL6ARD/hgAloxuceD54YrISpBMxiVYov1uVCvECp1o91zmSm6Lmlj0UvOh?= =?us-ascii?q?nPK13QhK1vLjzsEbWAJjCUha3+tWjkwoKLVtJKkKsI/KtTuIdU3hsWLoz+umI0?= =?us-ascii?q?JRxtPIeF3iC4rFrnH8Uiwa+X0bX4NPz2vfFZsKmQpjdKkrvElMIJyhekvm/TMk?= =?us-ascii?q?3ZlpH7+iWcCo3FslrHcGRya2E9VaEe1mtkzYWCF9aZCxtJrlI4lSQnNX+JCFt1?= =?us-ascii?q?dZl0BtPjWlyZZALsFC+SQAXD5RrjWBpNGyUtFM2ddqD58QJddyo3f9F7leOJeL?= =?us-ascii?q?p305p6fixWLH9DAkqFe12jGzFLGiT+5D+G0eAAopLXyEqkYzF+ss7nvS8lfVv1?= =?us-ascii?q?B2+OdUGKOCglhvrzZmAJ9OHCpJ2m64IFhpSnlJrflaIrzPc8NAW/kyeQOvOxsm?= =?us-ascii?q?GPE90UyG4V14kHXkbyF8rQZV5yfdXwwoWiYPmbfthScSqse5Nj8GU5hIdykubz?= =?us-ascii?q?/ZKwKHniBapAxfZF93VJAZGNlF56oW3Y9T/srcV0mgNz0KXBt/OQ0my/Zfk1BM?= =?us-ascii?q?sFmAcyDHEQWoberPsgFwfcqJtM6pN+j58x1ahYP7q+047KIDR2C8mQKxX9/eqZ?= =?us-ascii?q?P8tseQuUuKbqv4NPe8YXDZRjjWkR+wnaskD4XN/yXLLApbMYd1xmQ5bpX6FG7L?= =?us-ascii?q?OQhGJ7gBKEpFVKB6btFGrf5GZ8N+f6YJ46BtDAqdRhzzAIyvsOVGLlHLSDTbNS?= =?us-ascii?q?qB9ui/rpzP7bzBU+fvfNeBx3DZTKJrJZd19SP0G6/03oNE/Er5xOtt/FtgSVfa?= =?us-ascii?q?KyCBsMjhJgQT6cmgbETipJopHSjSAJhqjnrg3URAd9cTQy228ZQX1JJZ52z2Se?= =?us-ascii?q?JjyETzt/dS97Z844kt/79p0du0JbvVKflCs09oGB6UBgtw9pUqHWdwWXtcYvML?= =?us-ascii?q?J/fXZqQZitriq+bpGKwL8BeV4fBWacPbJ0HdncmyEj6cSQFFnAcFrT4VMA6c2u?= =?us-ascii?q?WYlKBqUsmlpPL22kQ371i5NB4Gw6hn5Z2Y9aqQuO/XcxzRwKAGWqjrQ8P+tbEs?= =?us-ascii?q?tF2S5PI6jr4Oe2p1YwK9HOgbSMEd2n/qzbo2wiI0D8PDA7Xg9eZFV3I9hT/gmp?= =?us-ascii?q?Z9H1AMFvMVG7qL855ekX0jm+zFLN0Wb7xNmnqSFR6+DLAO03mr6zGYIGN9mBHB?= =?us-ascii?q?zwnwQX+v7F/xtSJ4RCzMz9H/kkpaSLa6HkJSXyuzNk9+rjyPIATptN3tuaQ290?= =?us-ascii?q?E6KGrku8yRlGG5IrNYA9X/JMCAISkzvF8XiIYxRtmv1I0AF9qyPsoe8HZkbvTE?= =?us-ascii?q?82OriShBo6VZiIXC/sGZ4PLXHWOvj6eCsbWC2ChYymQkvVE48t2gN/DP6MeQTP?= =?us-ascii?q?u0zGsRVDlwuxffUBGpsLDbqEoUOUOT2kfRhIMKJs1Z3WU/1kz+/+cjQckz9QtE?= =?us-ascii?q?GYbCZvMCuSjzNyHpwVabeN84Si6e3CZJEV3vDFl4Aq882Hjqs87TknfQ4VIoTJ?= =?us-ascii?q?Fqd0P7nRx3E5k4KUU15VgP2CUDDRQCaRCVDbGvH0TlLpIIVVMdZhSD3bi6fLo3?= =?us-ascii?q?3EJoz7O3/uDTcfBzB6oDN/ZalA6On0JXGpEIvq0ERrJzZVtd+LTQpgj4BIjtR+?= =?us-ascii?q?LmmmYoNf2pXsBa9tgUt2c44gmhQxqv85FD4KgAhZ+Vd65EbpnMvNxm4Ed8/zEP?= =?us-ascii?q?bDFNjAJ5jxynTeAWvPrj7cTDsJq09uauU74gR+oN+BguGWt+k5vwjUsnodHWy+?= =?us-ascii?q?dTVI3Vhp7i8ABWOXKKvpjV0wVkI+oUN42rZKpg92kAJyUGKHIBI9yWa+U74y9q?= =?us-ascii?q?NznT/EJNAscNZdMeIcrMlhtZikn3V7FJ9svUAEWUC4FteMA092D30iw68YMgUu?= =?us-ascii?q?b87z+7PZbf71BRMPNEiCVjjsnCqPIUwfrVDygX+mKZZgNwwi6NxJiBEfHw/f+D?= =?us-ascii?q?yNvMTVMJAjY2U5tBJDqF4QGnSfa6lI7yUg+N98H9j5QwdEOWRnysk6UIqalMEe?= =?us-ascii?q?tahSX9wDdSDIf1h+ias9C08mtYqkVHEJpv7R3CAKhfPJJ7ORT+lsWxWkd8Bi//?= =?us-ascii?q?eNzJeRsvueqWwPwM4+Z/N0ble48bIwwExKj+6XVITwtiUrj2sUiFXegJfttpVO?= =?us-ascii?q?vErmxJ6YJnM6IPPUadq4bsrjpTrFA2HRImaL43rjxBbEXOmxdVW6nssr4algQc?= =?us-ascii?q?ScJ5uVNLGW+oOmIx+TTHVapRjKSKBv0a6DOTQbISU0lyNCNxXQ+10o10e7S1hf?= =?us-ascii?q?BHrn9GniRlrfgl1zxmQxW9tjPop6IJwj8g47a4tDMAuXNZVOmelTnHCUlbxvQQ?= =?us-ascii?q?kagcE2ri6UC7YHQbbovy4LlmJdzn9Ykl4nQ/fQsscjYDXeShFyHwlb2HDpaIsN?= =?us-ascii?q?JGix6HoN/OYqOrLSgOKrQ9zgruR2R80gjbhxto7GoLTSmj7NA6IIWxI8AlyTS0?= =?us-ascii?q?GWLDblYD/rtJsNfttV4MVOY2bFJhwGZg0siAXSANRtbAG2Uyjggid2pEdohP6R?= =?us-ascii?q?kEGKk0mjyIpLVJ/hkIYDfIFYSo4pLfktnO2XkhVtpq3WbWpqqZhpM2zn1qhc57?= =?us-ascii?q?4jSJuHQIeOzSS9VsDWTr1odD1ez+YO2gsu4ZR4tiybShSOENP9Ki+Gu33ZVqX1?= =?us-ascii?q?Gqxq4aH1WnKuMDwa3bUyi9Q22CReuLa3SMnyo+MkPq6xioNkc3aMZWoEAjKebC?= =?us-ascii?q?g59clxH7UbxqXCmQokXbzGM7O+MAaw02oJunexANTOMJYOicIfYhzeYmCFsIdX?= =?us-ascii?q?DJBjd2C+6qvl6xhoh0JWtv7V/8Yevz7gDsKMGSFQUcEY7Gsp5x/uS3RmaAOX9m?= =?us-ascii?q?0R1zM1B49+PeF1Qqqu9caI2cndnKiNR91u4JbfBtMTcyutQLgIJs9ZGU0NuWcR?= =?us-ascii?q?HW1pvyIMvareSYA/3eyUQqfXpXUqQYYQPz+Yo6Ot85W7vOHbpWpxgcArI6QJM5?= =?us-ascii?q?PWfr6K50NB9zchLWZLmsgMnlvOGLZpxPqHLN81IwKjvcux0EyvypQgx7b4yqi2?= =?us-ascii?q?/0IJ8uWjJLt8dtBQd+HItTB8MAqBKqA5yRmKG8kd+x4UJ6u/QRvKr2EP/K0cq2?= =?us-ascii?q?34RrU5hd/0yLMy7bBLN3jUR9kuSynvDA34HqCcPsfNMLSOl2T23eZ7/YAIq/MD?= =?us-ascii?q?OOO8P7e05A6bKc1qx2UgnCLBz+CrGLsCyiKeVM/VQwyos+evHaijMq8fWT3tbu?= =?us-ascii?q?a2xFjjmsoGTPN5ZF6lHOQ+vEUFYcTfuD7XYgBqYLdaPq++oUd98v2t6R50909j?= =?us-ascii?q?sGmM+EJbWx61TB0V9hdI7KaU7u1zs9VKEULxmld0ghm2nUrjLaG3sPANKjLJxX?= =?us-ascii?q?gd2VBwbhr2l4mGcgfSYVAGvjRd6LNV8Q7MK3ZQuH7ypBE9cFg+Otf0Mk8Ka1TL?= =?us-ascii?q?87ad1+hey2ueBfwp5SICbVSZ0fZnnd?= X-IPAS-Result: =?us-ascii?q?A2CRAgDMYh1a/wHyM5BdGwEBAQEDAQEBCQEBAYMQKQOBVCe?= =?us-ascii?q?PE44imH+BfSaKJ0MUAQEBAQEBAQEBAWoogjgkgksCJBkBOAECAwkCBTIRCAMBW?= =?us-ascii?q?hIFiE2BNwEDFQMBqUA6gwoFgQKEUIJEBAiDPIE2U4M+hhaBbw52hTkFokmVAII?= =?us-ascii?q?jkTmKOI1BNiKBUTIaI4J4ggJBDxyBZ3eIHQIlB4IZAQEB?= Received: from tarius.tycho.ncsc.mil ([144.51.242.1]) by EMSM-GH1-UEA10.NCSC.MIL with ESMTP; 28 Nov 2017 13:26:04 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id vASDQ34d021591; Tue, 28 Nov 2017 08:26:03 -0500 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id vAS7Juog025847 for ; Tue, 28 Nov 2017 02:19:57 -0500 Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id vAS7JuiS010944; Tue, 28 Nov 2017 02:19:56 -0500 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A1ASBgAPDR1aWyUVGNZdHAEBAQQBAQoBA?= =?us-ascii?q?YMQKQOBVCePE44gmGsQggEPhTaEekEWAQEBAQEBAQEBBhoVhisZATgBFTJcGxK?= =?us-ascii?q?IUoE3AQMVAwGpFTqDCgWBAoRMgh4BJQQIgzqBNlGDPoYWgWwOdoU5BaJJlH+CI?= =?us-ascii?q?5E5ijiNQSYKgXgyGiOCd4ICQQ8cgWd3h1UCJQeCGQEBAQ?= X-IPAS-Result: =?us-ascii?q?A1ASBgAPDR1aWyUVGNZdHAEBAQQBAQoBAYMQKQOBVCePE44?= =?us-ascii?q?gmGsQggEPhTaEekEWAQEBAQEBAQEBBhoVhisZATgBFTJcGxKIUoE3AQMVAwGpF?= =?us-ascii?q?TqDCgWBAoRMgh4BJQQIgzqBNlGDPoYWgWwOdoU5BaJJlH+CI5E5ijiNQSYKgXg?= =?us-ascii?q?yGiOCd4ICQQ8cgWd3h1UCJQeCGQEBAQ?= X-IronPort-AV: E=Sophos;i="5.44,467,1505793600"; d="scan'208";a="128393" Received: from emsm-gh1-uea11.ncsc.mil ([214.29.60.35]) by goalie.tycho.ncsc.mil with ESMTP; 28 Nov 2017 02:19:55 -0500 IronPort-PHdr: =?us-ascii?q?9a23=3AEI4nHBP05TAyygWTcSQl6mtUPXoX/o7sNwtQ0KIM?= =?us-ascii?q?zox0I/38rarrMEGX3/hxlliBBdydsKMUzbKO+4nbGkU4qa6bt34DdJEeHzQksu?= =?us-ascii?q?4x2zIaPcieFEfgJ+TrZSFpVO5LVVti4m3peRMNQJW2aFLduGC94iAPERvjKwV1?= =?us-ascii?q?Ov71GonPhMiryuy+4ZPebgFLiTanfb9+MAi9oBnMuMURnYZsMLs6xAHTontPde?= =?us-ascii?q?RWxGdoKkyWkh3h+Mq+/4Nt/jpJtf45+MFOTav1f6IjTbxFFzsmKHw65NfqtRbY?= =?us-ascii?q?UwSC4GYXX3gMnRpJBwjF6wz6Xov0vyDnuOdxxDWWMMvrRr0yRD+s7bpkSAXwhS?= =?us-ascii?q?kaNzA37m/ZhM93gq9AvB6tuwZyz5LObY2JKPZzeL7Wc9MARWpGW8ZcTzBPAoKg?= =?us-ascii?q?YIsPFeUBJ/tXpJT/qVQUrBu+AxejBPjywTJPnH/23LE10+Q7HgHcwQMvB84Bv2?= =?us-ascii?q?zUrNrvNacSV/66zLLTwDrYc/NW2DH96JTWfRA7p/GDQ65wfdDNxkkoEgPIl1Od?= =?us-ascii?q?opHmMTONzukBrXWX4uV6We6xhGMrsR99riW1ysoiiITFnoEYxk3e+Slkzos5O8?= =?us-ascii?q?e0RUF5bNK+DZdduSGXOo1rSc04WW5oojw1yrgetJ67YicKzJMnygbCa/yHcoiI?= =?us-ascii?q?5g/vWeKJIThimH5oeaiziAis/ki7z+38WdO40FNQoSpEltnArHUN1x3X6sSfS/?= =?us-ascii?q?t9+Fmu2SqX2gzN9+1JLlo4mbTUJpI73LI8i4AfvErBEyPunUX5lq6WdkEq+uiy?= =?us-ascii?q?7OTnZ63rpoWdN4BoigHxKL4uldGnDuskKgcOX3KU+eW61LL95k30W65FjuE3kq?= =?us-ascii?q?nfrJDVO94bpqinDA9JyIos9xG/DzK+3NQCgXYHNE5FeA6Aj4XxIFHBPev4AOyj?= =?us-ascii?q?g1WsjDhrx/fGMqfnApXWNHfPirjhfbFj60RE0go80chf545ICrEGOP/zQVH+tN?= =?us-ascii?q?jZDh8/Lgy1zP3qCMl914wCWWKPBbWVMKXJsVCS/O4vLO6MZJFG8Ar6fuMo4//o?= =?us-ascii?q?kG8RhU4Wfa7v24AeLn+/ALAuJUiFbXfyqskOHH1MvQckSuHuzlqYXnobY3e0Qr?= =?us-ascii?q?J5/TonEKq4AorZAIOgmrqM2GG8BJISLmRHDE2cVGzlfJieWusdLSeVLtJlnxQa?= =?us-ascii?q?WrW7DYwszxejsEn90bU0APDT/3gitJnj3cJ5r83alBc/7nQgFcWW02iXQ1Z/qW?= =?us-ascii?q?MBRjk7x4h1vU171lqZ16VkxfdfEIoAtLtyTg4mOMuEnKRBANfoV1eZcw=3D=3D?= X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0CKBQDbDR1aWyUVGNZdHAEBAQQBAQoBA?= =?us-ascii?q?YMQKYFXJ48TpwsQggEPhTaFPBYBAQEBAQEBAQEBBRoVXoI4IoJzGQE4ARUyXBs?= =?us-ascii?q?SiFKBNwEDFQMBqRQ6gwoFgQKETIIeASUECIM6gTaED4YWgWwOdoIZDIMUBaJJl?= =?us-ascii?q?H+CI5E5ijiNQSYKgXgyGiOCd4ICQQ8cgWd3h1UCJQeCGQEBAQ?= X-IPAS-Result: =?us-ascii?q?A0CKBQDbDR1aWyUVGNZdHAEBAQQBAQoBAYMQKYFXJ48Tpws?= =?us-ascii?q?QggEPhTaFPBYBAQEBAQEBAQEBBRoVXoI4IoJzGQE4ARUyXBsSiFKBNwEDFQMBq?= =?us-ascii?q?RQ6gwoFgQKETIIeASUECIM6gTaED4YWgWwOdoIZDIMUBaJJlH+CI5E5ijiNQSY?= =?us-ascii?q?KgXgyGiOCd4ICQQ8cgWd3h1UCJQeCGQEBAQ?= X-IronPort-AV: E=Sophos;i="5.44,467,1505779200"; d="scan'208";a="6402700" X-IronPort-Outbreak-Status: No, level 0, Unknown - Unknown Received: from uhil19pa06.eemsg.mail.mil (HELO uhil19pa06.eesmg.mail.mil) ([214.24.21.37]) by emsm-gh1-uea11.NCSC.MIL with ESMTP; 28 Nov 2017 07:19:53 +0000 X-EEMSG-check-005: 0 X-EEMSG-check-006: 000-001;ae488672-f0b6-4ef4-9435-c18a39fdd5bd Authentication-Results: uhil19pa06.eesmg.mail.mil; dkim=permerror (key too small [TEST]) header.i=@btinternet.com X-EEMSG-check-008: 246175986|UHIL19PA06_EEMSG_MP4.csd.disa.mil X-EEMSG-SBRS: 3.5 X-EEMSG-ORIG-IP: 65.20.0.129 X-EEMSG-check-002: true X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A0DVAQBbsRxah4EAFEFcg0GCAI86pxmCAQ+FNoU4FQIBAQEBAQEBEwEBAQgNCQgoL4VmATgBFTJ3iGSBNwEYBKkcgwoFgQKESoJEBAiDOoE2jBEOdoIZDIMUBaJGlH+CI5E4ijeNPTWBczIaI4VZgXOIWwIlB4IZAQEB X-IPAS-Result: A0DVAQBbsRxah4EAFEFcg0GCAI86pxmCAQ+FNoU4FQIBAQEBAQEBEwEBAQgNCQgoL4VmATgBFTJ3iGSBNwEYBKkcgwoFgQKESoJEBAiDOoE2jBEOdoIZDIMUBaJGlH+CI5E4ijeNPTWBczIaI4VZgXOIWwIlB4IZAQEB Received: from rgout0602.bt.lon5.cpcloud.co.uk (HELO rgout06.bt.lon5.cpcloud.co.uk) ([65.20.0.129]) by uhil19pa06.eesmg.mail.mil with ESMTP; 27 Nov 2017 19:32:04 +0000 X-OWM-Source-IP: 81.132.47.135 (GB) X-OWM-Env-Sender: richard_c_haines@btinternet.com X-Junkmail-Premium-Raw: score=8/50, refid=2.7.2:2017.11.27.190016:17:8.317, ip=, rules=__HAS_FROM, __FRAUD_WEBMAIL_FROM, __TO_MALFORMED_2, __TO_NO_NAME, __HAS_CC_HDR, __MULTIPLE_RCPTS_CC_X2, __CC_NAME, __CC_NAME_DIFF_FROM_ACC, __SUBJ_ALPHA_END, __HAS_MSGID, __SANE_MSGID, __HAS_X_MAILER, __FROM_DOMAIN_IN_ANY_CC1, __ANY_URI, __FRAUD_BODY_WEBMAIL, __URI_NO_WWW, __NO_HTML_TAG_RAW, __MIME_TEXT_P1, __MIME_TEXT_ONLY, __URI_NS, HTML_00_01, HTML_00_10, __FRAUD_WEBMAIL, __FROM_DOMAIN_IN_RCPT, __CC_REAL_NAMES, MULTIPLE_RCPTS, __PHISH_SPEAR_STRUCTURE_1, __MIME_TEXT_P, NO_URI_HTTPS Received: from localhost.localdomain (81.132.47.135) by rgout06.bt.lon5.cpcloud.co.uk (9.0.019.13-1) (authenticated as richard_c_haines@btinternet.com) id 5A025DDB0206EDC5; Mon, 27 Nov 2017 19:32:00 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com; s=btcpcloud; t=1511811126; bh=dAp+0oUa3UI4CTRbtdY98NlgcchxPhZ/Ud8v3Kw2Duw=; h=From:To:Cc:Subject:Date:Message-Id:X-Mailer; b=nDMBeAt26vXxZ4p3ZEleOVM/ygRCOjTQKrYGKG/ks8+exbYEVA66/V/7nHeDs/hk9PS7SBYXyTBAmwBiZvyizERfU4qHbUsUjocyfuHf6HePRIEgZJNmCk8rXFjXvvqLg69jwKPCmdre5bSbWQFL2O+l9nzN93SH+Wn9KYK+kx8= X-EEMSG-check-009: 444-444 From: Richard Haines To: selinux@tycho.nsa.gov, netdev@vger.kernel.org, linux-sctp@vger.kernel.org, linux-security-module@vger.kernel.org Date: Mon, 27 Nov 2017 19:31:54 +0000 Message-Id: <20171127193154.2719-1-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.14.3 X-Mailman-Approved-At: Tue, 28 Nov 2017 08:24:06 -0500 Subject: [PATCH 3/4] sctp: Add LSM hooks X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.21 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: Cc: marcelo.leitner@gmail.com, nhorman@tuxdriver.com, vyasevich@gmail.com, sds@tycho.nsa.gov Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP Add security hooks to allow security modules to exercise access control over SCTP. Signed-off-by: Richard Haines --- include/net/sctp/structs.h | 10 ++++++++ include/uapi/linux/sctp.h | 1 + net/sctp/sm_make_chunk.c | 12 +++++++++ net/sctp/sm_statefuns.c | 18 ++++++++++++++ net/sctp/socket.c | 61 +++++++++++++++++++++++++++++++++++++++++++++- 5 files changed, 101 insertions(+), 1 deletion(-) diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h index 7767577..6e72e3e 100644 --- a/include/net/sctp/structs.h +++ b/include/net/sctp/structs.h @@ -1270,6 +1270,16 @@ struct sctp_endpoint { reconf_enable:1; __u8 strreset_enable; + + /* Security identifiers from incoming (INIT). These are set by + * security_sctp_assoc_request(). These will only be used by + * SCTP TCP type sockets and peeled off connections as they + * cause a new socket to be generated. security_sctp_sk_clone() + * will then plug these into the new socket. + */ + + u32 secid; + u32 peer_secid; }; /* Recover the outter endpoint structure. */ diff --git a/include/uapi/linux/sctp.h b/include/uapi/linux/sctp.h index 6217ff8..c04812f 100644 --- a/include/uapi/linux/sctp.h +++ b/include/uapi/linux/sctp.h @@ -122,6 +122,7 @@ typedef __s32 sctp_assoc_t; #define SCTP_RESET_ASSOC 120 #define SCTP_ADD_STREAMS 121 #define SCTP_SOCKOPT_PEELOFF_FLAGS 122 +#define SCTP_SENDMSG_CONNECT 123 /* PR-SCTP policies */ #define SCTP_PR_SCTP_NONE 0x0000 diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c index 6110447..ca4705b 100644 --- a/net/sctp/sm_make_chunk.c +++ b/net/sctp/sm_make_chunk.c @@ -3059,6 +3059,12 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc, if (af->is_any(&addr)) memcpy(&addr, &asconf->source, sizeof(addr)); + if (security_sctp_bind_connect(asoc->ep->base.sk, + SCTP_PARAM_ADD_IP, + (struct sockaddr *)&addr, + af->sockaddr_len)) + return SCTP_ERROR_REQ_REFUSED; + /* ADDIP 4.3 D9) If an endpoint receives an ADD IP address * request and does not have the local resources to add this * new address to the association, it MUST return an Error @@ -3125,6 +3131,12 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc, if (af->is_any(&addr)) memcpy(&addr.v4, sctp_source(asconf), sizeof(addr)); + if (security_sctp_bind_connect(asoc->ep->base.sk, + SCTP_PARAM_SET_PRIMARY, + (struct sockaddr *)&addr, + af->sockaddr_len)) + return SCTP_ERROR_REQ_REFUSED; + peer = sctp_assoc_lookup_paddr(asoc, &addr); if (!peer) return SCTP_ERROR_DNS_FAILED; diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index b2a74c3..67c6a7d 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c @@ -314,6 +314,11 @@ sctp_disposition_t sctp_sf_do_5_1B_init(struct net *net, sctp_unrecognized_param_t *unk_param; int len; + /* Update socket peer label if first association. */ + if (security_sctp_assoc_request((struct sctp_endpoint *)ep, + chunk->skb)) + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + /* 6.10 Bundling * An endpoint MUST NOT bundle INIT, INIT ACK or * SHUTDOWN COMPLETE with any other chunks. @@ -899,6 +904,9 @@ sctp_disposition_t sctp_sf_do_5_1E_ca(struct net *net, */ sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); + /* Set peer label for connection. */ + security_inet_conn_established(ep->base.sk, chunk->skb); + /* RFC 2960 5.1 Normal Establishment of an Association * * E) Upon reception of the COOKIE ACK, endpoint "A" will move @@ -1428,6 +1436,11 @@ static sctp_disposition_t sctp_sf_do_unexpected_init( sctp_unrecognized_param_t *unk_param; int len; + /* Update socket peer label if first association. */ + if (security_sctp_assoc_request((struct sctp_endpoint *)ep, + chunk->skb)) + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + /* 6.10 Bundling * An endpoint MUST NOT bundle INIT, INIT ACK or * SHUTDOWN COMPLETE with any other chunks. @@ -2089,6 +2102,11 @@ sctp_disposition_t sctp_sf_do_5_2_4_dupcook(struct net *net, } } + /* Update socket peer label if first association. */ + if (security_sctp_assoc_request((struct sctp_endpoint *)ep, + chunk->skb)) + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + /* Set temp so that it won't be added into hashtable */ new_asoc->temp = 1; diff --git a/net/sctp/socket.c b/net/sctp/socket.c index f2d9c84..3e1db9a 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -1014,6 +1014,12 @@ static int sctp_setsockopt_bindx(struct sock *sk, /* Do the work. */ switch (op) { case SCTP_BINDX_ADD_ADDR: + /* Allow security module to validate bindx addresses. */ + err = security_sctp_bind_connect(sk, SCTP_SOCKOPT_BINDX_ADD, + (struct sockaddr *)kaddrs, + addrs_size); + if (err) + goto out; err = sctp_bindx_add(sk, kaddrs, addrcnt); if (err) goto out; @@ -1223,6 +1229,7 @@ static int __sctp_connect(struct sock *sk, if (assoc_id) *assoc_id = asoc->assoc_id; + err = sctp_wait_for_connect(asoc, &timeo); /* Note: the asoc may be freed after the return of * sctp_wait_for_connect. @@ -1336,9 +1343,17 @@ static int __sctp_setsockopt_connectx(struct sock *sk, if (__copy_from_user(kaddrs, addrs, addrs_size)) { err = -EFAULT; } else { + /* Allow security module to validate connectx addresses. */ + err = security_sctp_bind_connect(sk, SCTP_SOCKOPT_CONNECTX, + (struct sockaddr *)kaddrs, + addrs_size); + if (err) + goto out_free; + err = __sctp_connect(sk, kaddrs, addrs_size, assoc_id); } +out_free: kfree(kaddrs); return err; @@ -1604,6 +1619,7 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len) struct sctp_transport *transport, *chunk_tp; struct sctp_chunk *chunk; union sctp_addr to; + struct sctp_af *af; struct sockaddr *msg_name = NULL; struct sctp_sndrcvinfo default_sinfo; struct sctp_sndrcvinfo *sinfo; @@ -1833,6 +1849,24 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len) } scope = sctp_scope(&to); + + /* Label connection socket for first association 1-to-many + * style for client sequence socket()->sendmsg(). This + * needs to be done before sctp_assoc_add_peer() as that will + * set up the initial packet that needs to account for any + * security ip options (CIPSO/CALIPSO) added to the packet. + */ + af = sctp_get_af_specific(to.sa.sa_family); + if (!af) { + err = -EINVAL; + goto out_unlock; + } + err = security_sctp_bind_connect(sk, SCTP_SENDMSG_CONNECT, + (struct sockaddr *)&to, + af->sockaddr_len); + if (err < 0) + goto out_unlock; + new_asoc = sctp_association_new(ep, sk, scope, GFP_KERNEL); if (!new_asoc) { err = -ENOMEM; @@ -2865,6 +2899,8 @@ static int sctp_setsockopt_primary_addr(struct sock *sk, char __user *optval, { struct sctp_prim prim; struct sctp_transport *trans; + struct sctp_af *af; + int err; if (optlen != sizeof(struct sctp_prim)) return -EINVAL; @@ -2872,6 +2908,17 @@ static int sctp_setsockopt_primary_addr(struct sock *sk, char __user *optval, if (copy_from_user(&prim, optval, sizeof(struct sctp_prim))) return -EFAULT; + /* Allow security module to validate address but need address len. */ + af = sctp_get_af_specific(prim.ssp_addr.ss_family); + if (!af) + return -EINVAL; + + err = security_sctp_bind_connect(sk, SCTP_PRIMARY_ADDR, + (struct sockaddr *)&prim.ssp_addr, + af->sockaddr_len); + if (err) + return err; + trans = sctp_addr_id2transport(sk, &prim.ssp_addr, prim.ssp_assoc_id); if (!trans) return -EINVAL; @@ -3193,6 +3240,13 @@ static int sctp_setsockopt_peer_primary_addr(struct sock *sk, char __user *optva if (!sctp_assoc_lookup_laddr(asoc, (union sctp_addr *)&prim.sspp_addr)) return -EADDRNOTAVAIL; + /* Allow security module to validate address. */ + err = security_sctp_bind_connect(sk, SCTP_SET_PEER_PRIMARY_ADDR, + (struct sockaddr *)&prim.sspp_addr, + af->sockaddr_len); + if (err) + return err; + /* Create an ASCONF chunk with SET_PRIMARY parameter */ chunk = sctp_make_asconf_set_prim(asoc, (union sctp_addr *)&prim.sspp_addr); @@ -8025,6 +8079,8 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk, { struct inet_sock *inet = inet_sk(sk); struct inet_sock *newinet; + struct sctp_sock *sp = sctp_sk(sk); + struct sctp_endpoint *ep = sp->ep; newsk->sk_type = sk->sk_type; newsk->sk_bound_dev_if = sk->sk_bound_dev_if; @@ -8067,7 +8123,10 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk, if (newsk->sk_flags & SK_FLAGS_TIMESTAMP) net_enable_timestamp(); - security_sk_clone(sk, newsk); + /* Set newsk security attributes from orginal sk and connection + * security attribute from ep. + */ + security_sctp_sk_clone(ep, sk, newsk); } static inline void sctp_copy_descendant(struct sock *sk_to,