From patchwork Sat Dec 30 17:20:13 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Richard Haines X-Patchwork-Id: 10140523 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 8342C601A1 for ; Tue, 2 Jan 2018 13:27:39 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 78B7D203B9 for ; Tue, 2 Jan 2018 13:27:39 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 6D8DD285B7; Tue, 2 Jan 2018 13:27:39 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.1 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_MED, T_DKIM_INVALID autolearn=unavailable version=3.3.1 Received: from USFB19PA14.eemsg.mail.mil (uphb19pa11.eemsg.mail.mil [214.24.26.85]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 379E2203B9 for ; Tue, 2 Jan 2018 13:27:38 +0000 (UTC) Received: from emsm-gh1-uea10.ncsc.mil ([214.29.60.2]) by USFB19PA14.eemsg.mail.mil with ESMTP; 02 Jan 2018 13:27:36 +0000 X-IronPort-AV: E=Sophos;i="5.45,497,1508803200"; d="scan'208";a="7209348" IronPort-PHdr: =?us-ascii?q?9a23=3Alk5P4h9S6u59f/9uRHKM819IXTAuvvDOBiVQ1KB6?= =?us-ascii?q?1OwQIJqq85mqBkHD//Il1AaPAd2Cra0dwLaH+4nbGkU4qa6bt34DdJEeHzQksu?= =?us-ascii?q?4x2zIaPcieFEfgJ+TrZSFpVO5LVVti4m3peRMNQJW2aFLduGC94iAPERvjKwV1?= =?us-ascii?q?Ov71GonPhMiryuy+4ZLebxlViDanY75+MRq6oArVu8ILnYZsN6E9xwfTrHBVYe?= =?us-ascii?q?pW32RoJVySnxb4+Mi9+YNo/jpTtfw86cNOSL32cKskQ7NWCjQmKH0169bwtRbf?= =?us-ascii?q?VwuP52ATXXsQnxFVHgXK9hD6XpP2sivnqupw3TSRMMPqQbwoXzmp8qlkSAXsiC?= =?us-ascii?q?waKTA39m/ZgdF0gK5CvR6tuxlzzojJa4+XKfV+ZLvQc9MES2RPXchfUDFPApu+?= =?us-ascii?q?YocSAecOI/1YopLhq1cStxayGROhCP/zxjJOm3T43bc60+MkEQzewAIgHs4BsH?= =?us-ascii?q?TOo9XvKagZTOK7w7PJzTXFcfxWwir25Y/SchAgvf6MXah/cdDMxkY3CwzKllWQ?= =?us-ascii?q?ppbkPzOTyOsNqHOW4PF8VeKujW4ntx9+oiKpxsgylonFnJ4aylfB9Shgxos+ON?= =?us-ascii?q?62SFZjbNK5H5ZduDuWOotrTs84XW1ltzg2xqcbtZKjfyUHyY4rywPQZvGIaYSE?= =?us-ascii?q?/x3uWeeLLTp5hX9ofq+0iQyo/ki60OL8U9G50FNNriVYjNbBrmsN1xnP6sifTf?= =?us-ascii?q?t941uh1S6P1w/N7uFEJlg5lbbBJJ47w74wi4ETvV7fHi72hEr2jKiWel8i+ue0?= =?us-ascii?q?8OTofq/qppqdN49wkg3+M6IuldKjAekgLwQDUGeW9f682bH+50H1XrpHguMsnq?= =?us-ascii?q?XEqJzaIN4Upq+9Aw9byIYj7BO/Ai+90NsGmXkHLVRFeA+IjoTwIF7OJ+34DfGj?= =?us-ascii?q?jFuyizdm3OzGP739DZXNKXjPirHhfa1n5EJGxwozys5f64pOCr4dOPLzRlPxtN?= =?us-ascii?q?vAAx87NAy0xfzoCMl91owEX2KCGa2ZMKTUsV+N/O0vOPWMa5EPuDbmMfQl4OTu?= =?us-ascii?q?jXAhk18HYaapxYcXaGy/Hvl+IUWZY2DjjcsCEWcRuQo+Su3qiEOZXD5dY3ayQq?= =?us-ascii?q?096SomCIKgEYfDW5qhgLub3Ce0BpdWfHxJCkiQEXf0cIWJQ/kNaCOWIs9kjDME?= =?us-ascii?q?T6OsS4E/2h6zsw/60aBoLvLO+i0ft5LsysR65/HJmRE17zx0ANyX03uRQGFsgm?= =?us-ascii?q?MIWzg20bhirkNhz1eD1q54g+BFGdFI+fNGTB06NZ/dzux9DdD+QATBccmVSFy+?= =?us-ascii?q?WNWpHSkxTs4tw98Je0tyBsmigQrZ3yexH7AVkLmLC4Au/aLHw3j9PcB9xGja1K?= =?us-ascii?q?M5lVkpXtNPNXG6hq547wXSB4/Ik0Kfl6uxcKQc2DfB9GaFzWaUukFXShRwUabE?= =?us-ascii?q?XXABeETat9L56V3eT7W2E7QoLhNBydKeKqtNctDpg09GS+3lONvCYmKxgHy9BR?= =?us-ascii?q?OQxrONdYbqYGsc3D7HBEgDiQAT8m6MNRIiCSe5v2LeEDtuGErsY0z28ul+r267?= =?us-ascii?q?Q1Q3zw6QbE1h0Ke19gQShfyGRPMZxqgEtzs5qzVoAFa92MrbBMCdqAp7faVTf8?= =?us-ascii?q?k97Uxd2m3FsgxxJJugL7pthlQGaQR4o1vu1wlrCoVHicUqtm4lwxdpJKKX1VNA?= =?us-ascii?q?eCmU3ZbuNb3LMmPy5gyga7bK2lHC19ab4rwP6Poiq1XkpwGpClEv825h09lS3X?= =?us-ascii?q?qc44/FDAwIXZL3TEk36wBwp6vGbSkl+4PUyXpsPLG6szDY39IpGPUqygy7f9pE?= =?us-ascii?q?LqOLChXyHNYHB8irMuAqnEKpbh0cNuBI6KE0J9+md+eB2KOzOuZgnTamjWBZ74?= =?us-ascii?q?BmyU+D7TRzSvTP35ofxPGYxASHXS/mjFi9qsD3hZxEZTYKE2qhyCjrGJJRZqpo?= =?us-ascii?q?fYoRFWiuI8q3xtNxh5P2X35Y9VijCEkc2M+uYxaSaEb93QJI30QNvXOngTe4zy?= =?us-ascii?q?Bzkzwxqqqf3TfOw/j7eBocJGFLQGhijVHxIYm7lN0aR1CobwkvlBuk+Un63LJX?= =?us-ascii?q?pKJhIGnPWU1IZTT5L3l+UqussbqPe9RP6JQssSVTTuu8e0yVSrnzohYByCPjAn?= =?us-ascii?q?dRxCshezGtoJX5kARwiHiBI3ZrsHrZZcZwyA/c5NPCQ/5RxSELRCpmhjnRHVi8?= =?us-ascii?q?Ocem/cmOm5fEqOC+WHqrVodPfinz0YOAqCy76HVyARKlgvCznsPoERAg3i/9y9?= =?us-ascii?q?llSz/IoQ3hYonwyau6K/lnclNzBF/79sp6AJ1xnZU+hJEXw3gaiYua8WABkWjt?= =?us-ascii?q?LdVRwbj+Y2YVRT4X397V5xDo2FNlLn2U3I/5SHOdzdZhZ9WgZGMZxD495dhQCK?= =?us-ascii?q?iI9LxEgTd1ol2goALJe/d9gzMdxOAy534bn+EIuBMhziuHDbAUB0VYOjbslxuQ?= =?us-ascii?q?5dCksKpXfHqvcaS31Edmk9CuFreCoh1bWHb8YZoiEzF/4dh4MFLWynLz8pvkeN?= =?us-ascii?q?7Sbd0NqhKUjw3Mj+9PKJI+jvAKnzZoOXrhvX05zO42lRlu0ou+vIiDNWpt4L65?= =?us-ascii?q?DQRCOTDuYcMc5C3tjb1CkcmMx4CgAI9tGjMVU5v0VfioCi4dtez7NwaSFz0xsm?= =?us-ascii?q?2bFaDRHAOF7UdptXbPE5erNnyMPnYW0dBiSAOaJExFjwAeRC86kYIhFgC22Mzh?= =?us-ascii?q?d1905j4L5lHmtxRM0fhnNx/jUmfYvwelcS07R4SaLBZM6QFC/UjVO9SE7u1vBy?= =?us-ascii?q?FY4oGhrAuVJ2ydfQRHF3kJWlSfClDtP7mu/8LA8/SWBuq/KfvBe7OOpvBfV/iS?= =?us-ascii?q?wZKjyIxm/yyDNs+XJHltE+U72lZfXXB+A8nZgysARDcJmCLLbs6buBC89zZ2rs?= =?us-ascii?q?+h7vvkRhjj5YyVC7tdKd9v4Qy5gb+fN+6MgyZ0MS1X2YgLyX/Mybgfx0ISizp0?= =?us-ascii?q?ezm2D7sPqTTBTLnOla9TDh4bbT5zNcRT4q0g3ghNI9Pbisjv2r92lPE1F0xFVV?= =?us-ascii?q?vnms2zYswKOW69PkvdBEmXLLSGOSHLw8bvbKynSL1Qg+JUtxurtDmGDUDsJTWD?= =?us-ascii?q?mCPvVxy1NuFMli6bNgREuI6hahZtFXTjTNX+ZxKhP994lyM2zqMvi3PNLW4TLz?= =?us-ascii?q?58c0ZXob2R6SNXmfJ/GmNb4npiN+mElD6T7/PEJZYOrftrHiN0mvpG4HQ9zrtZ?= =?us-ascii?q?9jtERPt0mSTMqN5huEumku6RxTpkSxdBtjFLhIeXskp4IqXZ6oNMWXDa8xIR9W?= =?us-ascii?q?+QEQgFp8N5Ct3zvKBd0tvPlaL3KDhc6N/U+MwcB8baKM2ZLHohLRrpGDnRDAQb?= =?us-ascii?q?VzKrM3/Qh1BFmvGI6nKVtoQ6qoTrmJcWTL9USkY6FvcBB0RmG9wCO4t3USkikb?= =?us-ascii?q?6Aj84I5GCyrB/PS8VGpprHTO6dAe3zKDaFirlJfwEIzq3jLYsNLIL7wVBtallh?= =?us-ascii?q?kYvRGkrQR81Coipvbg8sukVC7nh/Qnc12037dgOn+GUTGuKsnh4qlgt+Zvwg+y?= =?us-ascii?q?rr41cxIFrFuTU/kE0wmdj+mz+ebiTxLKCqUYFRESr0uFA7MonnTAZtcQ2ygUtk?= =?us-ascii?q?OS/ZSL1LkbtgdH1kiBTHtJRVA/5cV6pEYRELxf6Je/oozE5cqiS7xU5H/+fFD4?= =?us-ascii?q?VtlBcye562s31Awx5jbMIyJaHIIKpJyUJQibyIvi6p0eA82wAeJ0AQ8G+Ify4I?= =?us-ascii?q?okMIPKE8JyW05uxs9RCCmzxbdWgXSfUqpvNq9kUgO+WP1C/vz7lDKkWtOOOFNK?= =?us-ascii?q?OZp3LMlciWTVMszkkIjVVK/aBq0cc/dEqZT1wvzLqUFxQOKcrCKQFUYtFP+3jS?= =?us-ascii?q?fSeBq/7CzYhzP4qjCuDiVfWOu7oMgkK4AAYpGJwB4d4FHpmtzE7XM9/oLLsFyB?= =?us-ascii?q?Ur4wTrIk+KAe9SdxKKijgHpdizzJFq3YVHIDESH3l9Oz2t5rnLvg8qnOaDXNAu?= =?us-ascii?q?b3gBQIQEMGk7V9enlC5HoXtAFiK33fgDyAmC9TP8oT7QDDbkZdp5ePiUfQ9sCM?= =?us-ascii?q?2x+Tgn/Ki2lF/X8pHaJ27kMNRvocLA5v0BqJaGEfxUS6Nxs0DGm4lXX3aqSXLA?= =?us-ascii?q?EcapJ5jsbIkhdcb0CnC7UlOjizI1SMPxPM21IKaRnA/mX5pZvo6A0T8/Ms+9Ey?= =?us-ascii?q?0RFA1rp+Ef/q58YxMMY4Yjax7yqws+L7C/IBuf0ti2WWaiMyFWT/5Ewuihe7xX?= =?us-ascii?q?1TAjbvGkx3skT5E6yea38UoMRJEFjhHe2fijaJNEUSj2AHBdfRvApTYhnWh7Ku?= =?us-ascii?q?ky2vs/wA/PsVQEPTGHbvBmaGxFv9E5BFOdO3Z2B3E5R1CCk4XM/BSg37cI/ytS?= =?us-ascii?q?h9xUy/FKsGDivp/DZzKhQKmrpo/Psyojc9cmv6xxMYrsIsadupLRhDrfQ4XUsg?= =?us-ascii?q?2CTS61CuFalsJWIC1GXPlCgXslNtAeuYpd9UoxUd8zKKZVCKkxoLCmczlkADUT?= =?us-ascii?q?zS8YVoOAwCcNjv2627TEiheaaI4iPwAcsJVentsdVDZ7YiIYpK+/SYrWk3GLSm?= =?us-ascii?q?0VLwcP9wRN5BkNlohofu/75orISYVDyz9So/1vVSvKGYNk91zhSmGZmVL4Uumu?= =?us-ascii?q?k/S13QJOy/LhysUbWBl6CUVG2+Zaik4oJ6ptJ6kWoIHKrieCdVnms2L11OumOF?= =?us-ascii?q?5RxNXUd1LiForKr278XTAH9HIJW4BP0GnfGooWkwVncqYnvlJMIJqpekzm/Twr?= =?us-ascii?q?25xpH6WkVcCs31slr3EGSDmxHtVcFe5mq0zYWCd5Y5+1tZrpIZNSTXFM+JeFsV?= =?us-ascii?q?dWjF1tMzKlyZpbM8xN/iMDUyVOoTqHuNu/U9FM2chzD5AQONh/oGv9FLlCOJeP?= =?us-ascii?q?v308oqbvxWPB+zAgrFe6wy2+FLS2T+1F42ETGBglKmqFp0YzCOss93vd/UrWsl?= =?us-ascii?q?Bo5etbAKaAjVlpqjZnAp9OHipJ1WyiL1lrVnlJrfhVKKTPfMxAWPQyYRivOwIg?= =?us-ascii?q?GvI4w0OJ+lx7kmnjbyx0qARa5zjXXxMoWikNnrfthToep9m/OT8BV5JHdygubz?= =?us-ascii?q?veJgKAniBXoQxfZF10VJAfHtZF4asU3Y9O8srFU0asJjkPXAZ+OQIgzfpfiUlD?= =?us-ascii?q?vV2EeSDHEwWna+vAvwZqfceVsM6pNu72/BlGioPgtOA36bkDS2ehmQ23TtDUt5?= =?us-ascii?q?X8ucGStkuSaKf4NPWxYX3bQzjWihCwnrMkAIPU/yXINQpbNp16yWYlYZf9CG7E?= =?us-ascii?q?JxJGJ7kBK0pcT6B6Zs1MovpGaM98ZKYJ5ahtCwqFRhz1HoyvouNGLlHOSjvANC?= =?us-ascii?q?iB7vawoYTI7bzaU+TgYNKDx2rfSaJtIph68SX7G6vt0YJG/Er23uxg9kJ8SVjD?= =?us-ascii?q?KSyBrdLhJg0R5Ma4bUvioocpHS7KD5dsjXrt3F9Pe9AQQy2w/5QS0IlZ52roSe?= =?us-ascii?q?Jkzkjzt/Vf979l6YYr5LBpzd27JbzIJfRbtk9nBQOUBh5x+5UoD2V+SHpdYugL?= =?us-ascii?q?KPfeZa4Zl9zhq/jrF6wL7x2Y4/BWZsHDJ07fgcm/FjGdSRtfkQcatTEaLxWT1/?= =?us-ascii?q?iZm691U8mpv+751Vwx41KmNB4J0Kht5ZuY+qqPvOLXawDRzb0EV6XxSMP8sKkj?= =?us-ascii?q?u0SI5fI+jL4OYGt1Yw+5H+cBSs4R3GDgzbolzSg0CcPMA6rg+OJfV3I+hj/gmZ?= =?us-ascii?q?F9H1ANF/MRA7WK/ZpRnn05m+zfOd0aaKZClXiTFRS8CL8N1War6zeLIGlimhzO?= =?us-ascii?q?0hDxTnmp41DqtiJ4WjXDz8v9nUVJTLW3Al1SXyWxM09irDyPJBbotMbwuakt90?= =?us-ascii?q?42M3fktdyXm2ujObNXA9X/K8aBISkwv18YkJoxScGx1o8BBNq9OtAR8GtkYffE?= =?us-ascii?q?7GOriSBBqb9dh4XC+sGV5unXHX64gq2CsbqN2CxXyng2vFE48NCgNejC58aUTP?= =?us-ascii?q?Ss1mYRSTp/ugTaUh6tsLPbs0wbOUyF0UfMgowKPctV3Xom2UH84ugsXtYz+B9Z?= =?us-ascii?q?FobaaPMIvSrzNyfswVaDf9I3UTGT0zRNEVLvD1Z4BKg81Xn0vMLIiXff5V0oSZ?= =?us-ascii?q?Ntd0z8nxB3CZs3KV414lgN3iUDCRQNaQycDLywCkTqM40EVVQEaRSA27S6Ybk4?= =?us-ascii?q?3UlywrOp+e/SYvdxB64TOfZHjg+BhkJXGpQIvq0CWLh8YUNS9LbLpgj+DIjqR+?= =?us-ascii?q?TplXgqOvKpWc1V7ccZt38m4ga+WRWg84tD4KgHh5CIbKJEZoLMvM9k5Ud9+TEP?= =?us-ascii?q?bjBNgAR4jx6hVOAco+bj4sTUsJW28euuUactSP8R9xcqG2R/gZzwgEogodHMze?= =?us-ascii?q?tcTJPaiZjn+gBXP3GKoJra0wV7KecWJIKkYK1g924eKyYDKHwAO9uWa/8h4y5i?= =?us-ascii?q?KzjT6FlCDdkKZdwGJsbNnhpUikLxUrFJ6sXbAkOYC5t0d80w7Wr3zzA18Z0mXu?= =?us-ascii?q?n86D+2IY3f4ExMPvNCiiVsj9HCpOkOzPrMCSgX/2OWaxxozSOD0ZWNDej//fmU?= =?us-ascii?q?wtHOS1wGBjI2U5taJDea+AynWPC6lJPyXwOQ98/8nZM+dEWLRnCrm6QFqKlMG/?= =?us-ascii?q?ZaiirnxjheCpz1h/WNvtqu9mRXuFNHEIJo4BzLAqpfOIt0OQjimsmtWEd8GjP1?= =?us-ascii?q?eNvIeRo2pOqW2uAM7v1xN0v6Yo8aLAwLy7b+6XdOVQtuT7j2vleFUu4LYttpVu?= =?us-ascii?q?/EpGhP6Y18M68PIESdpJvyozdKqFA3ABcpaLg0rjxbaknBghZYW6P1uL4ckAsT?= =?us-ascii?q?T8R1uUhWGWK/IGg+/SbIVbxJjKmND/wY6imTTq0LU0hzLiN+Qg+62JZwdLuth/?= =?us-ascii?q?xHtH1Jnj9lqvgwzzNmXAe8uTHrp68V3DIg+bK4tDYGuXFeTOWRiSTICVJFzPsU?= =?us-ascii?q?i6cQEXDi5kKgYHMbdov9/KFnJdj89Ykm+3kwegssfysaXem7ECHwi6SIApCTsN?= =?us-ascii?q?JCmhGCpd/CbbipLSgdLr490w7sR2Bh0gjCmxZl6HMLQjKk7NA+PoW8N8Elxi6m?= =?us-ascii?q?GWXAcVYM5aRJsNDvulEXVus2bkhhwH5i0siBSS0BXsvPG3w6jgI8c2VLbIpD6Q?= =?us-ascii?q?MGF6kvmjuIsLdJ/gUVYDfMDIuo4YjRncbN2Xk4U9hq3GbWqbOfipMtyn1llMt+?= =?us-ascii?q?7jSSt3QKa+zYT8hsD2D914dH0+z+Zumivf4cRYtjybShTOUCPde59WuxwpVqVV?= =?us-ascii?q?evxq4CEFqhLO8D2rDbXj+iSW2cR+uGaHCMnzIjPU7p+RmoL0E4aNtQr0AjLOTO?= =?us-ascii?q?nJhcmBP9UblsXCWfuUfbzHA/MeMdbw82vIanewoXTO8efuScIekuwOYiCFsXdH?= =?us-ascii?q?LJHDF5C+mxsVK3m4h7IXpg613gYevx6gDmLMeSGh4cHI7ftJF+5fy6RmOHOX9n?= =?us-ascii?q?1xByIkh09+HBGFQ1t+9cdYuRnNfKi9R8y+4FeO9nMTchtd4LhoJj9Y6U3d+IcR?= =?us-ascii?q?7LzZbyIsrar+OFA/3Z00QqemZaUqcWYQP1+4U2JNg5VKPPHbFBpxQTGbA6QIA9?= =?us-ascii?q?N2f27Kx0LgZzcgnLZLSug8nqvfmGZp1OqH/T8F0wLT3QuxoZyvy7VQZ7dYylh2?= =?us-ascii?q?3uIJAsQTJMt8ZtChVjHIRTGs4NrBGqA4CKl6Ghit+w+kR6u+kQvar2FP/KyIfx?= =?us-ascii?q?44IkRJVe5EqWLB7NFaJrhQJjle30jfDeltH3BN/udM0sSud2WCjGZ6XAE4H5LS?= =?us-ascii?q?iBfor4ekhb4/uH265hegueaTq/XKecsiCgcvJ+7gFzzo1+YfqW1zEm8qvaxMq3?= =?us-ascii?q?YmZXuyOuhWCGOYEZ71HQA+HaGRVORqmr6mFgSJcWZov97utGEdUjxtWHq11p7T?= =?us-ascii?q?9C2dGJFKOWrkbN3E9gXZjHLU311jw/VJVMKxO6Zxh/yVTFo2jQVCwPZvOvLtNg?= =?us-ascii?q?1ZPMVhE=3D?= X-IPAS-Result: =?us-ascii?q?A2DSAwBuiEta/wHyM5BdGwEBAQEDAQEBCQEBAYMSKQOBWie?= =?us-ascii?q?PH44kmT+BfSaJVUMUAQEBAQEBAQEBAWoogjgkgk8CJBkBOAECAwkCBTIRCAMBW?= =?us-ascii?q?hIFiFeBOQEDFQMBs3Y6IQKCaAWBAoRagWwECIQMgTZcgz+GGUWBKQ52hT0Fo0y?= =?us-ascii?q?VKIIkihmHTYpUjWs2IoFPMhojgnuCBEEPHIFneIY1AiUHghwBAQE?= Received: from tarius.tycho.ncsc.mil ([144.51.242.1]) by EMSM-GH1-UEA10.NCSC.MIL with ESMTP; 02 Jan 2018 13:27:36 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id w02DRZjM013989; Tue, 2 Jan 2018 08:27:35 -0500 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id vBUHKRqO091623 for ; Sat, 30 Dec 2017 12:20:27 -0500 Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id vBUHKRPi027644; Sat, 30 Dec 2017 12:20:27 -0500 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A1DVBgDlyUdaf3UYGNZcHgEGDIMSKYFdJ?= =?us-ascii?q?51CmT6CAQ+FNoQyQxQBAQEBAQEBAQETAQELFoYuGQE4ARUydxKIXIE5AQMVAwG?= =?us-ascii?q?qajohAoJoBYEChFiBRgElBAiEDIE2XIM/hhlFgSkOdoU9BaNMlSiCJIoZh02KV?= =?us-ascii?q?I1rNoFxMhojgnuCBEEPHIFneIZGAiUHghwBAQE?= X-IPAS-Result: =?us-ascii?q?A1DVBgDlyUdaf3UYGNZcHgEGDIMSKYFdJ51CmT6CAQ+FNoQ?= =?us-ascii?q?yQxQBAQEBAQEBAQETAQELFoYuGQE4ARUydxKIXIE5AQMVAwGqajohAoJoBYECh?= =?us-ascii?q?FiBRgElBAiEDIE2XIM/hhlFgSkOdoU9BaNMlSiCJIoZh02KVI1rNoFxMhojgnu?= =?us-ascii?q?CBEEPHIFneIZGAiUHghwBAQE?= X-IronPort-AV: E=Sophos;i="5.45,481,1508817600"; d="scan'208";a="161680" Received: from emsm-gh1-uea10.ncsc.mil ([214.29.60.34]) by goalie.tycho.ncsc.mil with ESMTP; 30 Dec 2017 12:20:26 -0500 IronPort-PHdr: =?us-ascii?q?9a23=3A5KZr0xyuyVfrI0TXCy+O+j09IxM/srCxBDY+r6Qd?= =?us-ascii?q?2ukWIJqq85mqBkHD//Il1AaPAd2CrawZwLuG+4nbGkU4qa6bt34DdJEeHzQksu?= =?us-ascii?q?4x2zIaPcieFEfgJ+TrZSFpVO5LVVti4m3peRMNQJW2aFLduGC94iAPERvjKwV1?= =?us-ascii?q?Ov71GonPhMiryuy+4ZLebxlViDanYL5/LBq6oAHSu8ILnYZsN6E9xwfTrHBVYe?= =?us-ascii?q?pW32RoJVySnxb4+Mi9+YNo/jpTtfw86cNOSL32cKskQ7NWCjQmKH0169bwtRbf?= =?us-ascii?q?VwuP52ATXXsQnxFVHgXK9hD6XpP2sivnqupw3TSRMMPqQbwoXzmp8qFmQwLqhi?= =?us-ascii?q?gaLT406HzZhMxugqxVoxyvoAdyz5LIbIyPKPZzZL/Rcc8cSGFcXshRTStBAoak?= =?us-ascii?q?YoUTDuoOIeZYoJPnp1QTsBCwBxOjBOLpyjBWnX/9wKo30/4gEQ7a3AwvBcgOv2?= =?us-ascii?q?nMo9rpLKgSUfq6zKjOzTrddPNbwizy6JTJchAnvfGDQ6hwcczPxkkzDQ/KklKQ?= =?us-ascii?q?qYn8Mj6Ty+8DsHCb4vJ+We6yhGMrsR99rze1yssyhYTFnJ8Zxk3G+Clhw4s4JM?= =?us-ascii?q?e0RFN0bNOrCpdcqi6XOopsTs4jQmxlvjsxxKcctp6hZicKzYwqxx7BZPyDdIiF?= =?us-ascii?q?+g/jW/qWITd8mX5ofKq/iAyv/UWu0OHzSNe70FNRripKiNXMs2oC1x3X6sSdT/?= =?us-ascii?q?t9/0Oh1S6O1wDV9O5EPVg5mbTGJ5Mu2LI8iJUevV7dEiL5gkn6kbKae0c89uit?= =?us-ascii?q?8evnY7HmppGGN49zjwHzKr4ums2jDuQ4KAcORXWU9vyg27L7/U32WrRKjvsona?= =?us-ascii?q?nCq53VPtgbpq+/Aw9JzIkj8RC/ACm60NgCgXYHK1dFdAqdj4f1I1HOPOz4DfCn?= =?us-ascii?q?jlS3jThr3OvLPqHhA5rRLnjDl63tfbBm60FG0gYzwtdf54xMALEbPP3zQlPxtM?= =?us-ascii?q?DfDhIhKAy73eLnCNR71oMDVmOCGbOZMaPOvl+I4eIjOe+MZJQPtzrnJPgl4ODu?= =?us-ascii?q?3jcFngoGcK2o24YHQGypFfRhZUOCaDzjhclFWWEHogYzUsT0h1CYFz1efXC/W+?= =?us-ascii?q?Q7/D5/QIanC5rTA5umnKSpwii2BNtVa3pAB1TKFm3nM82AWvEReGeJL8R8iD0Y?= =?us-ascii?q?RP2kTIM80RyGqgD30fxkI/DS9ylesojsh/Zv4OiGrxA59TVuA4y92mCLQno8yn?= =?us-ascii?q?kJTD8/xqxIqnt9w1aF3LNQieBZE8Be/fVETkExMpuKnL8yMMz7Rg+UJoTBc12h?= =?us-ascii?q?WNjzWTw=3D?= X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0BVBgC6yUdaf3UYGNZcHQEBBQELAYMSK?= =?us-ascii?q?YFdJ51CmT6CAQ+FNoQyQxQBAQEBAQEBAQEBEgEBCxZdgjgigncZATgBFRIgdxK?= =?us-ascii?q?IXIE5AQMVAwGqajohAoJoBYEChFiBRgElBAiEDIE2XIM/hhlFgSkOdoIbDIMWB?= =?us-ascii?q?aNMlSiCJIoZh02KVI1rNoFxMhojgnuCBEEPHIFneIZGAiUHghwBAQE?= X-IPAS-Result: =?us-ascii?q?A0BVBgC6yUdaf3UYGNZcHQEBBQELAYMSKYFdJ51CmT6CAQ+?= =?us-ascii?q?FNoQyQxQBAQEBAQEBAQEBEgEBCxZdgjgigncZATgBFRIgdxKIXIE5AQMVAwGqa?= =?us-ascii?q?johAoJoBYEChFiBRgElBAiEDIE2XIM/hhlFgSkOdoIbDIMWBaNMlSiCJIoZh02?= =?us-ascii?q?KVI1rNoFxMhojgnuCBEEPHIFneIZGAiUHghwBAQE?= X-IronPort-AV: E=Sophos;i="5.45,481,1508803200"; d="scan'208";a="7188464" X-IronPort-Outbreak-Status: No, level 0, Unknown - Unknown Received: from unknown (HELO ucol19pa13.eemsg.mail.mil) ([214.24.24.117]) by EMSM-GH1-UEA10.NCSC.MIL with ESMTP; 30 Dec 2017 17:20:26 +0000 X-EEMSG-check-005: 0 X-EEMSG-check-006: 000-001;d7d1aa29-a57c-46f2-bef5-8fc0477681f6 Authentication-Results: UCOL3CPA08.eemsg.mail.mil; dkim=permerror (key too small) header.i=@btinternet.com X-EEMSG-check-008: 2598697|UCOL3CPA08_EEMSG_MP23.csd.disa.mil X-EEMSG-SBRS: 3.5 X-EEMSG-ORIG-IP: 65.20.0.179 X-EEMSG-check-002: true X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A0DDAAA+yEdah7MAFEFcHQEBBQELAYMSggYntwCCAQ+FNoQyQxQBAQEBAQEBAQETAQEBCgsJCCgvhVEZATgBFTJ3EohcgTkBAxUEqm46gwsFgQKEWIFGJgQIhAyBNoQbhhlFgSkOdoIbDIMWBaNMlSiCJJFmilSNazaBcTIaI4J7ggQBQA8QDIFneIZGAiUHghwBAQE X-IPAS-Result: A0DDAAA+yEdah7MAFEFcHQEBBQELAYMSggYntwCCAQ+FNoQyQxQBAQEBAQEBAQETAQEBCgsJCCgvhVEZATgBFTJ3EohcgTkBAxUEqm46gwsFgQKEWIFGJgQIhAyBNoQbhhlFgSkOdoIbDIMWBaNMlSiCJJFmilSNazaBcTIaI4J7ggQBQA8QDIFneIZGAiUHghwBAQE Received: from rgout02.bt.lon5.cpcloud.co.uk ([65.20.0.179]) by UCOL3CPA08.eemsg.mail.mil with ESMTP; 30 Dec 2017 17:20:22 +0000 X-OWM-Source-IP: 86.144.146.66 (GB) X-OWM-Env-Sender: richard_c_haines@btinternet.com X-Junkmail-Premium-Raw: score=8/50, refid=2.7.2:2017.12.30.165416:17:8.317, ip=, rules=__HAS_FROM, __FRAUD_WEBMAIL_FROM, __TO_MALFORMED_2, __TO_NO_NAME, __HAS_CC_HDR, __MULTIPLE_RCPTS_CC_X2, __CC_NAME, __CC_NAME_DIFF_FROM_ACC, __SUBJ_ALPHA_END, __HAS_MSGID, __SANE_MSGID, __HAS_X_MAILER, __FROM_DOMAIN_IN_ANY_CC1, __ANY_URI, __FRAUD_BODY_WEBMAIL, __URI_NO_WWW, __NO_HTML_TAG_RAW, __MIME_TEXT_P1, __MIME_TEXT_ONLY, __URI_NS, HTML_00_01, HTML_00_10, __FRAUD_WEBMAIL, __FROM_DOMAIN_IN_RCPT, __CC_REAL_NAMES, MULTIPLE_RCPTS, __PHISH_SPEAR_STRUCTURE_1, __MIME_TEXT_P, NO_URI_HTTPS Received: from localhost.localdomain (86.144.146.66) by rgout02.bt.lon5.cpcloud.co.uk (9.0.019.13-1) (authenticated as richard_c_haines@btinternet.com) id 59D91D94086434BE; Sat, 30 Dec 2017 17:20:19 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com; s=btcpcloud; t=1514654423; bh=TevXlyhYoMfgdyrYZstZ0Cs6BA5tgeXnRuVD+vmZp0E=; h=From:To:Cc:Subject:Date:Message-Id:X-Mailer; b=rM4otgV8IDod5/7XRokpFBRxIgj3vQxIlZanSG0fVABTWv5ABGFsLKofwt1QmtnlucXk8q0o3LYy1kugwzDTxXPIXftf6u3VbXxih3S3PAFpVzO19k/Dcqp6p22h8IFgNHTO8aOvivaygj6JWHXlWG7nclvijTZ1JS8LXpFvg+4= X-EEMSG-check-009: 444-444 From: Richard Haines To: selinux@tycho.nsa.gov, netdev@vger.kernel.org, linux-sctp@vger.kernel.org, linux-security-module@vger.kernel.org Date: Sat, 30 Dec 2017 17:20:13 +0000 Message-Id: <20171230172013.15788-1-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.14.3 X-Mailman-Approved-At: Tue, 02 Jan 2018 08:24:19 -0500 Subject: [PATCH V4 3/4] sctp: Add LSM hooks X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.21 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: Cc: marcelo.leitner@gmail.com, nhorman@tuxdriver.com, vyasevich@gmail.com, sds@tycho.nsa.gov Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP Add security hooks to allow security modules to exercise access control over SCTP. Signed-off-by: Richard Haines Acked-by: Marcelo Ricardo Leitner --- include/net/sctp/structs.h | 10 ++++++++ include/uapi/linux/sctp.h | 1 + net/sctp/sm_make_chunk.c | 12 +++++++++ net/sctp/sm_statefuns.c | 18 ++++++++++++++ net/sctp/socket.c | 61 +++++++++++++++++++++++++++++++++++++++++++++- 5 files changed, 101 insertions(+), 1 deletion(-) diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h index 9942ed5..2ca0a3f 100644 --- a/include/net/sctp/structs.h +++ b/include/net/sctp/structs.h @@ -1271,6 +1271,16 @@ struct sctp_endpoint { reconf_enable:1; __u8 strreset_enable; + + /* Security identifiers from incoming (INIT). These are set by + * security_sctp_assoc_request(). These will only be used by + * SCTP TCP type sockets and peeled off connections as they + * cause a new socket to be generated. security_sctp_sk_clone() + * will then plug these into the new socket. + */ + + u32 secid; + u32 peer_secid; }; /* Recover the outter endpoint structure. */ diff --git a/include/uapi/linux/sctp.h b/include/uapi/linux/sctp.h index cfe9712..cafac36 100644 --- a/include/uapi/linux/sctp.h +++ b/include/uapi/linux/sctp.h @@ -123,6 +123,7 @@ typedef __s32 sctp_assoc_t; #define SCTP_RESET_ASSOC 120 #define SCTP_ADD_STREAMS 121 #define SCTP_SOCKOPT_PEELOFF_FLAGS 122 +#define SCTP_SENDMSG_CONNECT 123 /* PR-SCTP policies */ #define SCTP_PR_SCTP_NONE 0x0000 diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c index 514465b..269fd3d 100644 --- a/net/sctp/sm_make_chunk.c +++ b/net/sctp/sm_make_chunk.c @@ -3054,6 +3054,12 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc, if (af->is_any(&addr)) memcpy(&addr, &asconf->source, sizeof(addr)); + if (security_sctp_bind_connect(asoc->ep->base.sk, + SCTP_PARAM_ADD_IP, + (struct sockaddr *)&addr, + af->sockaddr_len)) + return SCTP_ERROR_REQ_REFUSED; + /* ADDIP 4.3 D9) If an endpoint receives an ADD IP address * request and does not have the local resources to add this * new address to the association, it MUST return an Error @@ -3120,6 +3126,12 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc, if (af->is_any(&addr)) memcpy(&addr.v4, sctp_source(asconf), sizeof(addr)); + if (security_sctp_bind_connect(asoc->ep->base.sk, + SCTP_PARAM_SET_PRIMARY, + (struct sockaddr *)&addr, + af->sockaddr_len)) + return SCTP_ERROR_REQ_REFUSED; + peer = sctp_assoc_lookup_paddr(asoc, &addr); if (!peer) return SCTP_ERROR_DNS_FAILED; diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index 8f8ccde..a2dfc5a 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c @@ -318,6 +318,11 @@ enum sctp_disposition sctp_sf_do_5_1B_init(struct net *net, struct sctp_packet *packet; int len; + /* Update socket peer label if first association. */ + if (security_sctp_assoc_request((struct sctp_endpoint *)ep, + chunk->skb)) + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + /* 6.10 Bundling * An endpoint MUST NOT bundle INIT, INIT ACK or * SHUTDOWN COMPLETE with any other chunks. @@ -905,6 +910,9 @@ enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net, */ sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); + /* Set peer label for connection. */ + security_inet_conn_established(ep->base.sk, chunk->skb); + /* RFC 2960 5.1 Normal Establishment of an Association * * E) Upon reception of the COOKIE ACK, endpoint "A" will move @@ -1433,6 +1441,11 @@ static enum sctp_disposition sctp_sf_do_unexpected_init( struct sctp_packet *packet; int len; + /* Update socket peer label if first association. */ + if (security_sctp_assoc_request((struct sctp_endpoint *)ep, + chunk->skb)) + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + /* 6.10 Bundling * An endpoint MUST NOT bundle INIT, INIT ACK or * SHUTDOWN COMPLETE with any other chunks. @@ -2103,6 +2116,11 @@ enum sctp_disposition sctp_sf_do_5_2_4_dupcook( } } + /* Update socket peer label if first association. */ + if (security_sctp_assoc_request((struct sctp_endpoint *)ep, + chunk->skb)) + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + /* Set temp so that it won't be added into hashtable */ new_asoc->temp = 1; diff --git a/net/sctp/socket.c b/net/sctp/socket.c index 4373e2a..b40db2d 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -1045,6 +1045,12 @@ static int sctp_setsockopt_bindx(struct sock *sk, /* Do the work. */ switch (op) { case SCTP_BINDX_ADD_ADDR: + /* Allow security module to validate bindx addresses. */ + err = security_sctp_bind_connect(sk, SCTP_SOCKOPT_BINDX_ADD, + (struct sockaddr *)kaddrs, + addrs_size); + if (err) + goto out; err = sctp_bindx_add(sk, kaddrs, addrcnt); if (err) goto out; @@ -1254,6 +1260,7 @@ static int __sctp_connect(struct sock *sk, if (assoc_id) *assoc_id = asoc->assoc_id; + err = sctp_wait_for_connect(asoc, &timeo); /* Note: the asoc may be freed after the return of * sctp_wait_for_connect. @@ -1367,9 +1374,17 @@ static int __sctp_setsockopt_connectx(struct sock *sk, if (__copy_from_user(kaddrs, addrs, addrs_size)) { err = -EFAULT; } else { + /* Allow security module to validate connectx addresses. */ + err = security_sctp_bind_connect(sk, SCTP_SOCKOPT_CONNECTX, + (struct sockaddr *)kaddrs, + addrs_size); + if (err) + goto out_free; + err = __sctp_connect(sk, kaddrs, addrs_size, assoc_id); } +out_free: kfree(kaddrs); return err; @@ -1636,6 +1651,7 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len) struct sctp_transport *transport, *chunk_tp; struct sctp_chunk *chunk; union sctp_addr to; + struct sctp_af *af; struct sockaddr *msg_name = NULL; struct sctp_sndrcvinfo default_sinfo; struct sctp_sndrcvinfo *sinfo; @@ -1865,6 +1881,24 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len) } scope = sctp_scope(&to); + + /* Label connection socket for first association 1-to-many + * style for client sequence socket()->sendmsg(). This + * needs to be done before sctp_assoc_add_peer() as that will + * set up the initial packet that needs to account for any + * security ip options (CIPSO/CALIPSO) added to the packet. + */ + af = sctp_get_af_specific(to.sa.sa_family); + if (!af) { + err = -EINVAL; + goto out_unlock; + } + err = security_sctp_bind_connect(sk, SCTP_SENDMSG_CONNECT, + (struct sockaddr *)&to, + af->sockaddr_len); + if (err < 0) + goto out_unlock; + new_asoc = sctp_association_new(ep, sk, scope, GFP_KERNEL); if (!new_asoc) { err = -ENOMEM; @@ -2904,6 +2938,8 @@ static int sctp_setsockopt_primary_addr(struct sock *sk, char __user *optval, { struct sctp_prim prim; struct sctp_transport *trans; + struct sctp_af *af; + int err; if (optlen != sizeof(struct sctp_prim)) return -EINVAL; @@ -2911,6 +2947,17 @@ static int sctp_setsockopt_primary_addr(struct sock *sk, char __user *optval, if (copy_from_user(&prim, optval, sizeof(struct sctp_prim))) return -EFAULT; + /* Allow security module to validate address but need address len. */ + af = sctp_get_af_specific(prim.ssp_addr.ss_family); + if (!af) + return -EINVAL; + + err = security_sctp_bind_connect(sk, SCTP_PRIMARY_ADDR, + (struct sockaddr *)&prim.ssp_addr, + af->sockaddr_len); + if (err) + return err; + trans = sctp_addr_id2transport(sk, &prim.ssp_addr, prim.ssp_assoc_id); if (!trans) return -EINVAL; @@ -3233,6 +3280,13 @@ static int sctp_setsockopt_peer_primary_addr(struct sock *sk, char __user *optva if (!sctp_assoc_lookup_laddr(asoc, (union sctp_addr *)&prim.sspp_addr)) return -EADDRNOTAVAIL; + /* Allow security module to validate address. */ + err = security_sctp_bind_connect(sk, SCTP_SET_PEER_PRIMARY_ADDR, + (struct sockaddr *)&prim.sspp_addr, + af->sockaddr_len); + if (err) + return err; + /* Create an ASCONF chunk with SET_PRIMARY parameter */ chunk = sctp_make_asconf_set_prim(asoc, (union sctp_addr *)&prim.sspp_addr); @@ -8084,6 +8138,8 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk, { struct inet_sock *inet = inet_sk(sk); struct inet_sock *newinet; + struct sctp_sock *sp = sctp_sk(sk); + struct sctp_endpoint *ep = sp->ep; newsk->sk_type = sk->sk_type; newsk->sk_bound_dev_if = sk->sk_bound_dev_if; @@ -8126,7 +8182,10 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk, if (newsk->sk_flags & SK_FLAGS_TIMESTAMP) net_enable_timestamp(); - security_sk_clone(sk, newsk); + /* Set newsk security attributes from orginal sk and connection + * security attribute from ep. + */ + security_sctp_sk_clone(ep, sk, newsk); } static inline void sctp_copy_descendant(struct sock *sk_to,