From patchwork Wed Jan 3 01:20:15 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jann Horn via Selinux X-Patchwork-Id: 10142539 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 74A7D60594 for ; Wed, 3 Jan 2018 15:55:31 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6676A24603 for ; Wed, 3 Jan 2018 15:55:31 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 573ED292B9; Wed, 3 Jan 2018 15:55:31 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from upbd19pa07.eemsg.mail.mil (upbd19pa07.eemsg.mail.mil [214.24.27.82]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A275D292A7 for ; Wed, 3 Jan 2018 15:55:29 +0000 (UTC) Received: from emsm-gh1-uea10.ncsc.mil ([214.29.60.2]) by upbd19pa07.eemsg.mail.mil with ESMTP; 03 Jan 2018 15:55:29 +0000 X-IronPort-AV: E=Sophos;i="5.45,501,1508803200"; d="scan'208";a="7253047" IronPort-PHdr: =?us-ascii?q?9a23=3APAUGiBSc3HlmnGTcsw1MmN2tDNpsv+yvbD5Q0YIu?= =?us-ascii?q?jvd0So/mwa6/YxyDt8tkgFKBZ4jH8fUM07OQ7/i5HzNbqsbZ+Fk5M7V0Hycfjs?= =?us-ascii?q?sXmwFySOWkMmbcaMDQUiohAc5ZX0Vk9XzoeWJcGcL5ekGA6ibqtW1aFRrwLxd6?= =?us-ascii?q?KfroEYDOkcu3y/qy+5rOaAlUmTaxe7x/IAmroQnLtMQbj4RuJ6UtxhDUvnZGZu?= =?us-ascii?q?NayH9yK1mOhRj8/MCw/JBi8yRUpf0s8tNLXLv5caolU7FWFSwqPG8p6sLlsxnD?= =?us-ascii?q?VhaP6WAHUmoKiBpIAhPK4w/8U5zsryb1rOt92C2dPc3rUbA5XCmp4ql3RBP0ji?= =?us-ascii?q?oMKiU0+3/LhMNukK1boQqhpx1hzI7SfIGVL+d1cqfEcd8HWWZNQsNdWipPDYOm?= =?us-ascii?q?a4sEEvQPM+BWoYLgo1cCtAayCRWpCO7p1zRGhGL53bci3usuHw/I3wsuEcwSv3?= =?us-ascii?q?rJtNX4NroeXO61wqnS0zrDdOhb2Svh5IXSbhwsu+2AULB2fMHMyUcvDQTFjlCI?= =?us-ascii?q?pILiJTyVyvgNs2iF4OtuSOmhinQoqxtrojex2scslpTChpwUyl/e6C533Zg6Jd?= =?us-ascii?q?m5SE59fN6lH4ZbuiaBN4RoRsMiQmdouDs1y7AdpZ66fDQFyJQgxxLFbfyHaJKH?= =?us-ascii?q?7gjsVOaWPzd1nXRoc6+8iRaq6UWs1+LxW8au3FtKsyZJiMfAu38T2xDJ98SLUv?= =?us-ascii?q?lw80i71TqSyQze6vtILEMqmabBNZIt3qA8m5wOukrZBCD2gl/5jKqOe0Uh/ein?= =?us-ascii?q?9vrob639pp+ZK490kgb+MrkymsCnAeQ3LAwOX2+D9OSgzrLj50z5QKhRjvEsjq?= =?us-ascii?q?nYsIzVJcQcpqKjBQ9azp0j5AqlAzej0dQYmWELLFNDeB2Zk4jkI0zCLf/3APul?= =?us-ascii?q?g1mgjS1ny+7JM7H/GJnBM2DPkLL7crZ8705cxhAzzdda559MEbEOPvbzWk73tN?= =?us-ascii?q?zFAR41Khe7w+H6CNV7yowRR3mPD7SFMKLSrVCI5uUvL/OKZI8OojnxMfcl5/nw?= =?us-ascii?q?jXMhg18SYbGp3YcLaHC/BvlmIUKZYXz2jdcdEWcFpAw+QffoiF2FVz5TYmy9X7?= =?us-ascii?q?kg5j4lEoKmFp3PRoe3gLyOxC27BIFZZnhaClCQFnflb4eEW/UWZy2OIc9hiTsE?= =?us-ascii?q?Vb6gS48/zhyuugv6y6doL+XP5y0Ys47j1MVv6+3UjxEy+iR+D96B3GGVU2F0gm?= =?us-ascii?q?QISic43aB+pUx9z0mM0bJjjvxWC9Nc+vRJUh0gOp7E1ex6DNLyVRzdcdeVUlqm?= =?us-ascii?q?Rc+mAT4pRNIr39AOe1p9G8mljh3bwiWlH7oVl7uNBJwo767RxGbxKNhny3bH1a?= =?us-ascii?q?ghiF8mTtFJNWK4mq517xLTCJLRk0WFi6aqcrwR0zPR9GiZ12qDp11XUAl1UarZ?= =?us-ascii?q?R38ffVfWoc7/5kzcU7+kEa4nPRdZyc6eNqtKbcXkjFVHRffkPtTTeGexm2OpCR?= =?us-ascii?q?aJwLOAdozqdH8H3CXeCUgEjR4c8WyANQcgGieru3jeAyB2FVLzf0Ps9vFzqH2h?= =?us-ascii?q?TkAuyQGFc0xh16Gu9x4QnfycSuof3qkKuSc6sTl0G0y9393OAdqauwVhZLlcYc?= =?us-ascii?q?864Fpf1mLWrQ99Ppu9L615hV4RaQd3v0Tz1xltDYVAi8cqpmswzAVuMaKYzE9B?= =?us-ascii?q?dzSA0J/qJ7LXMGjy8w61a6PNwF7RzNOW9r0I6PQipFXppBupGVY683V7z9lV1G?= =?us-ascii?q?OR5o/XAwUPSp/xXUM39hdgq7HcfCY9+5ve1WdwPqmsrj/Cx9UpCfM+yhauZddf?= =?us-ascii?q?N7iEFBPpHs0BAciuL+Irm12zYRICJuxS8rA7P9++ffucxKGrJPpgnC6hjWlf7o?= =?us-ascii?q?FyyEaM9zZiRe7SxJYI2O+Y0RWdVzjnkVeht9r7mYdeZTEdBmC/0zTrBJZNZq1u?= =?us-ascii?q?eoYGEWGuI8yzxtV6mZHtQGVV+0S9CFMc38+lYx2Sb0by3QdIz0QYvWSnmTekzz?= =?us-ascii?q?xzizwpsKuf0zDSw+TlbhoLIHJERGlljVfqLoi5lNQaXEmubwczjhul4lz2x69B?= =?us-ascii?q?pKRwN2PTW1tHfzDqL2F+Vau9rr6CY89U6JM0qClXS/qzYVSbSr77vhsb3DjuH3?= =?us-ascii?q?BGxDA6cTGqu4n2nwdghGKbMnlzsGLTedtsyhfH+NzcWflR0yIcRCl/jTnXAkaz?= =?us-ascii?q?P8O18tWTmZbOqfu+V3+9WZ1IayXrypmAtCSj721wHRK/h+yzmsHgEQUi0i/0yd?= =?us-ascii?q?9qVT7ToRb/fIbr0b+6MeR5cUl0HlP87NB6Go5mmIsqmJ4QwWQahomS/XcfiWf8?= =?us-ascii?q?K8hb2abgY3oVXzELxcLV7xb/2EB4M3KJ3Jz2Vm+Gwsd7fNm6ZX4W2jgh4M9UBq?= =?us-ascii?q?eU66ZEnSRrrVaiqwLef+R9lC8HyfQy8H4an/0JuA01wyWDBLAdAFJVPTLqlxuV?= =?us-ascii?q?79CytqNXa3izcbKozkpxgcihDK2eogFbQHv5Yo0tHTJ07shkLF3M0WHz64H9dN?= =?us-ascii?q?ned90TsAeYkxDaj+haMJgxjOYFhTJ7OWLhun0o0+A7ggZo3ZGmu4iHLn5g/Kyn?= =?us-ascii?q?DRFFMT31fdkc+in3jaZZnMaZwZygHol7FjUMRpvoQuqiECgOuvT/KwaODDo8p2?= =?us-ascii?q?+eGbXFGQ+f7Flpr27TE5+xLX6aP38Zwst+RBmGOENQmhgUUysgkp4/CA+q2NTr?= =?us-ascii?q?cF1l6TAJ+l74thxMx/pyNxXlXGbTvgKoZS0wSJiYLBtb9RtN6FvQMcCE6eJzBS?= =?us-ascii?q?5Y9IW7rAORMmybexhIDWYRV0yKHVDsIKSh5cLa/OieGuq+KODObK6UpuNCUveE?= =?us-ascii?q?35Wv0pFp/zyULMWAImFiD+En2kpERX15Hd7ZlC8XSywPjC/NYc+bpA2n+i1roM?= =?us-ascii?q?C/8fLrVxjp5YSTCrtdK9Fv9wqxgaeZOO6anDx5JipA1pMQ2X/Iz6AS3EYMhC51?= =?us-ascii?q?aTatF7UAtTLKTK/Lm69YEQAUZD1pOMtP9aI80RFHOdTHhdPtyr54kvk1Bk9eWl?= =?us-ascii?q?P6nc2pYc0KI3qhNFPcHkqLL6qJKiHRz8Hsf6y8TbxQjONJtxy/ojuUD0/iPi6e?= =?us-ascii?q?lznyTRyuP/tDjD2APBxZvoGxaBFtCXLsTNj+cB20LMd3jSEqwb0znn7FLm8cMT?= =?us-ascii?q?d7c0NLtbCf8D1Xje5+G2Nb6HppN+6EmzyW7+PAMJYZreNrAjhol+Jd+Hk10bRV?= =?us-ascii?q?4ztaRPNrgybSqcZurE+gkumK0DVnUR5OpS1MhIOEp0liPr/Z9pZYU3be4B0N9X?= =?us-ascii?q?mQCwgNp9Z9Ft3vvKVQxsLVlKL0KTZN7dTU8tAGB8jTNs2HM2EsPgbuGD7REAQK?= =?us-ascii?q?VyWrNX3Fi0xbjv6S6mWfroImpZj0hJoOVrhbWUQ2FvIaDkRqAscPIJJwXjMqn7?= =?us-ascii?q?6UktII5Wa+rBnWQcVVoIrLVvSMDvXzMDyZl6VLZwMUwbPkKoQeLov71FJ4ZVl+?= =?us-ascii?q?h4nKGE3QXctRoiJ7aA80u0ZN8HlkQm01xU3ldhun4GUPGv6sgh42lgx+bPw39D?= =?us-ascii?q?jy+Fc4OEDFpDEsn0kxgtjqmjGRcCTsI6e3U4FWEzD0uFYxM5/hRQZ6cxGyl1R+?= =?us-ascii?q?NDjYX7JRk6dgdWdzhQDBvptPH/hcQrBabx8UxPGafO8n3kpGqiWg30NH4vHFCZ?= =?us-ascii?q?R6ngswbZGst25A2x5kbNMtOKPfPrRJzllNiaKVpSKnzPoxwBUZJ0cD62OdZjIH?= =?us-ascii?q?uFESNrknOyqp/vZg6QqclDtfYGIMTeYloup29kMhPOSN1ybg07lZKk+vMeyeLq?= =?us-ascii?q?SZtnPPlc6OX1M8zEQIl1NK/bJuy8csb1KUV1wzzLuWDxkJLtTNKQVUb8pU6XjS?= =?us-ascii?q?cj2DvvnKwZJwI4qyDPvoTfOUuKYSnE2kAB4jH54Q4cQZApmszEbYIN/7LL4EzB?= =?us-ascii?q?Ut4xjrJFWFDflSZR2LkTcGrNukw5Nt24lSOC0dC31nMSqr/rbXuhMqgP2bUdgs?= =?us-ascii?q?ZncaX5cLOWwuV82/my9ZuXNADD+t3e8C0weC7iXzpiLJADnyctpvfvGUag1wCN?= =?us-ascii?q?uu4zUw77C2iULL8pXZP2z1LsptutnU5OwAupmHFe1bTaNms0jGgYlZR2amU2nV?= =?us-ascii?q?Ed66P5LwcZUjbcToCnamVVyykz01T9rwPNapKqiHnwToSJ1Jv4aFxz8jNNWyFj?= =?us-ascii?q?cEFxd3veED67p2ZRcfbJojfR7oqwM+OrSlIAee09WhX2atKTxST/lE1eu0fqFZ?= =?us-ascii?q?wTAwY+G903YvUpY6z+yr/kEXX5EKkgvSxfC9aIlCSSLzAGBSex3TpSolkGhsLv?= =?us-ascii?q?wyzf0lwBPPqlYRKCyLdPZzZ2xaod48AVKSIXN5Cmo8Rl+cgorD4hKi378I5Std?= =?us-ascii?q?msxY0etbv3jippXfei6jWLS3qZXJtCotddYnr7dtPozjI8uGsZLekSbcTJTLsw?= =?us-ascii?q?2KTjC1GORAlthXOiJYT+FCmXs5NswepYpB9U0xW987J7NVEqkspa6laSZlDS4U?= =?us-ascii?q?wi8UTI2B0yYEguig37vakQqQf4k5MBAetpVNnMcdWTZsYiwCvK+jS5nWl2icR2?= =?us-ascii?q?cROgcT8AJM6BgDloJrf+Dl4YvITINXxDJMpfJ7TDfLHIFy91TnUmGWnUT4SPK5?= =?us-ascii?q?nuyo2wJS0Ozj0t0FVx56F0dd2/xWl0szJbFwM6kfoIjKsjqSekP7uGLi0+ymJV?= =?us-ascii?q?ZLxc3TbV34A5LPtXDgXS0E5X0UWYhPxWnDFZQVlgp0c7orqElJII+9YEr+4SIr?= =?us-ascii?q?x5hxFbmiSc+r30olrWoBRyqyE9pOEftmv0jTWDJ4eJ2ktYvqO41KQmBO/J2StU?= =?us-ascii?q?1ZnF9qMy6jxppWM9tN7SIUXDhTvTWdu8O/SM9E2cBoFJIDP8lwu2zjF6NeJJie?= =?us-ascii?q?vWA5tqbpynDH5zA2qE26yymrG6+kU+JZ+HUTGhk0KGuDq0kgFe8s/3zO/VDKt1?= =?us-ascii?q?B74/1UBqOTjUlrpjZyAIxODC5T1X+5N1RzUGVGs+JCJavOfcxTX+U+aB2yNxEw?= =?us-ascii?q?DvMpw0uJ/URoknjjeCxyqhFW+ybDUAkoTSMVmKvimSUCqsG7Pj8XU4hIYis8YC?= =?us-ascii?q?fFMQ2bhTtavBJYa0F0RZ8VHMpK+7YG0oRK5MbCT1ijKT0dVhx4Kg04yeZflVJE?= =?us-ascii?q?sEiAYSDdFhaoeuzSvR1rZsqRt8mpLOnj/AhblIzntvw4978ZSH2igwGtRsrer4?= =?us-ascii?q?DkvN2QqkSObLv4M/G7YXLZUDjMlw6/iqk5AJTR4ijTNBZbK4Ngxno6YJjhDmrL?= =?us-ascii?q?MgpaJ64BIEpbT696Y81cou9Gf89kZLoJ+ah1CxKFXBzvAouvrOJCLlnJWzTTNC?= =?us-ascii?q?CB8vG7oYLP7LzSVengadaKx3bcWa53OY166TbjEbfwzYBe4lb22utq9k5iS1jJ?= =?us-ascii?q?KSaBrNr7JgMM+cataFDvvoEzEjPQG5dwl2DhxkdeeMoLWyeq6ogXyItF6HbsTu?= =?us-ascii?q?J1yk7zsOlJ+rll74k35qplycayJafcM/RVq1RnAgSOBgV36potHHV/R3pPbeML?= =?us-ascii?q?L/fRZ6sZh9j0q+/rD6wX9AGV++tBZNvBJkHOhs6/CjWGRhxfhgsBqDkaLgyH1/?= =?us-ascii?q?6egKJ0TMmopOfj1kIq+Vi+IQYMzKpx6oec5qqIuOjXYgPNwrceXqjlWNjzrqgs?= =?us-ascii?q?ukOV/vAkj6IBem1rbA2hDOgdV9QSyn3mza800SImC9nDEK74+P5fS3I5mSrtm5?= =?us-ascii?q?RmH1UTGv4ZBrSL8ppDkWc/gezWLMUWcrpFmmaNCxGrDqMCxWSs6yuNL2lvmgvO?= =?us-ascii?q?3A3oQWOv8F/2qjd1QSnNz9fmiUdVU6e4BEdMUCqzOE94tjyPMBDutNXppaQ/9F?= =?us-ascii?q?s2PXD8tNKRiGuhP6taH8z+JdOGOyY7uEkajIYvSdyzx48UBcCxINAL8HFxdvHe?= =?us-ascii?q?8X+kkzddo6dbgIrT+tqa+vTMHXiulaKaqbSNxCxAyncioFE/7sutOe3J59KXXf?= =?us-ascii?q?unzXsRTz14uwvbRRG5sLvbr0obOUaTykfEhJQKPs1F3Xk/zkzm/PIsQM4v+wVe?= =?us-ascii?q?GIfAYOkCpTPqNDvv31mfZ9M3Vi+D0zpYBV/1CUN3GLQg12LwssPJkm3Q+14ySo?= =?us-ascii?q?lzaUPnnxp3AJs8KU4371gX2CUDGxAXaR+HFLGoGVjlLYwcWEgMcxuHxqa1ers3?= =?us-ascii?q?3UBoxrOv5fPTYvJ8B6UXK/ZdlRSCnF5FFZIKqaceWq5ze0dB9K7LoQjvE4fnUO?= =?us-ascii?q?bglXosMv21RcdW8dsHuHsm4wa/QQeg6JhY4rYflp+IbK5FboLWsMB68Uhn+SYF?= =?us-ascii?q?djZRjxhnkxO5Teccqfj/7djZqpWn9v2jW7oqR+UT8xg0Bnpxj4HsgF89vd7X1/?= =?us-ascii?q?1QSorPiYTw6ApNOWKFuJ7G0xlgLuoDM4erfLFm93UbKCgROWkDPd+Xa/Ym5S9i?= =?us-ascii?q?LinT5lJFAsMWZtMYJ9DBmQZKhU31QLtT7NbUGkeEC4dvcMAl92X3xywu8ZsnS+?= =?us-ascii?q?ru9TC4K5be71FLIvNCgz5hlN3HpOcPx/rdFjIb4X6Daxh62imC0YWCC+7s/eWQ?= =?us-ascii?q?z9HZT1EGHik2U4dbPjaN5QynRu6olJr0UwKU68nzgIk9dEKRXXGxgqUFsrhWHu?= =?us-ascii?q?5Elyr73yJSFobriPKJq9Cs8ndYtkVbEIZv6h3IAKRfPothNhT+jcSrQlV8CTb+?= =?us-ascii?q?eMHTbRoiou2Wxv0D4+9mLUvxeZcbIg4Yy7L98XdVTBVhSLD4vladRu8QasFpSP?= =?us-ascii?q?XaoXBJ845gLbEAPESFrpzwsjhIsEw2ABMuaLIooTxack7OnQNLVKbwvL4NkRAc?= =?us-ascii?q?Udl/uU9NBW28ImQ+6CTbVa5NlqmeFOQV8imPTqwJS0hoMCN+QhOt2JVpf7upnO?= =?us-ascii?q?xHvX1dkyN4ofgqzyZmSwWmtS3rvaIN1ioq+KukuzUZpXxFUuKenj/UCVVCyfQH?= =?us-ascii?q?lrscC3f+5ly/fnYDaJH+4L95KsT87YMh+WgwYQ0/fy0aWuStEyTwj6KLAoyMt9?= =?us-ascii?q?JRnxyNt9/Nbb+0KygdKLI9xQjlR3djzgjUhAxo/3cTQjW88N8kI52wNt07ySqu?= =?us-ascii?q?BWjWb00M4qdOsMvtqV4LUvU5Zk57zGVkyMiHSTUHRNbTFGYtkggkdWJEfYpb6R?= =?us-ascii?q?8dE6knmCyIv6dB/gEQbjfZCYGl+o7XncfTx3YyUc1qxmXNpq2eh5Mq1nJll8lz?= =?us-ascii?q?7i6Ut3QYb/bYXNN0AnjvyodfzvTzZ/uzveADSYtm0KquXeQDM8mi/Gu23YtlWl?= =?us-ascii?q?WhxrsABVa5N/UDxrjDWSe/VWKYQfiLc3SLnzshPE/y/QOoLlwrZ8hUtEI9N+rC?= =?us-ascii?q?hoJGlwL/S790QT+QpVDDxmw5Lewabx42uJugewESS+4RY/aTKPM2wP06ElQMdG?= =?us-ascii?q?PJHSpqBO+qq16igpZ0N29m4UrkfeTn6hrmP8eKGhkYDY7aqYZ8+fi7RmKHJH9h?= =?us-ascii?q?wwR+PE119+fEC1QxrfRRc5eLktjWgNR3y+kFd+1iMScloN4chppj6ZWI0MeNaR?= =?us-ascii?q?zRy4z9Ks3VoviZBf3fyF8nen9bUroffwz144Q6PtgkW7zcB7dZug4cBaciSpw7?= =?us-ascii?q?K2jx7L10LB90cgPJZrS7mMrqpuWQaZZPun/W6E4wLCfbux0exfy0TRB7Y4qsh3?= =?us-ascii?q?rsPJA6XihBoMF1Cht6AItPHNsNrwiiA56TgqG7kd6x+1hhtu8Mq6XwD+7F1NWj?= =?us-ascii?q?04V2RZha6lSBPCzNC6lznkRlkuOyj+/b0pn/DMPtZdIJWetgT27bdLDGBIS/Kz?= =?us-ascii?q?OJOsL6YUJG9aCT0K4qGimWMST4WbeW8SyiKPhr+0Qn26Rmc+fJij8g9bfW3J31?= =?us-ascii?q?fW4InCq7qW+1M8565UDWBeHBFz1dU+CI7HotSagVYtal3OgJNtMmzZ6X5Awlvx?= =?us-ascii?q?pY187QBqG9sk/BxQpUfIjBIVf1kzg4UMExLRC+N1Y8yTvCp3DcB2lMBtS1Islq?= =?us-ascii?q?xtCOB1ri4FcnyjJlXXJIBme9HYTZAmMcwc/rIVTTrA8=3D?= X-IPAS-Result: =?us-ascii?q?A2BCAgCK/Exa/wHyM5BcGgEBAQEBAgEBAQEIAQEBAYMSLIF?= =?us-ascii?q?aJ4QHixiOJYsJjkCBGANVKYlVQxQBAQEBAQEBAQEBaiiCOCQBgk4CIARSAwMJA?= =?us-ascii?q?hISAiIEAgIDAR0TAQUBLAkFiAWCDAMVA6RTQIwQgW06hHOCSw2CcDISfYMEghI?= =?us-ascii?q?QiUhFhQWCZQWTNY9fPZA4hHENhgeNekiNHYkNOYEXNiIygR0qCAIYCCEPPYEXG?= =?us-ascii?q?niCVByCCFcBiVIBAQE?= Received: from tarius.tycho.ncsc.mil ([144.51.242.1]) by EMSM-GH1-UEA10.NCSC.MIL with ESMTP; 03 Jan 2018 15:55:21 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id w03FtKLd031064; Wed, 3 Jan 2018 10:55:20 -0500 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id w031KaDV145461 for ; Tue, 2 Jan 2018 20:20:36 -0500 Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id w031KbC0006334 for ; Tue, 2 Jan 2018 20:20:37 -0500 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A1DLEgCfL0xa/ywVGNZdHQEBBQELAYM7A?= =?us-ascii?q?4FaJ4QHmT5HBoo8hUyIVoE2A3mFJAKENEAXAQEBAQEBAQEBa4V1BBkBATcBNAI?= =?us-ascii?q?mAiMTAQUBLAmKFgMIDQOlPECLIm6BbTqDCgEBBYQuDYEqgUYqCBJ9gn2CEoEOi?= =?us-ascii?q?EpEAYUFgmWBMgEBkgOPXTMIAQGGCYouhHENhgaNd0iNGokNOYEXIAE3MoEdMho?= =?us-ascii?q?jUoEEgSWCRQ8cgghXAYhzAQEB?= X-IPAS-Result: =?us-ascii?q?A1DLEgCfL0xa/ywVGNZdHQEBBQELAYM7A4FaJ4QHmT5HBoo?= =?us-ascii?q?8hUyIVoE2A3mFJAKENEAXAQEBAQEBAQEBa4V1BBkBATcBNAImAiMTAQUBLAmKF?= =?us-ascii?q?gMIDQOlPECLIm6BbTqDCgEBBYQuDYEqgUYqCBJ9gn2CEoEOiEpEAYUFgmWBMgE?= =?us-ascii?q?BkgOPXTMIAQGGCYouhHENhgaNd0iNGokNOYEXIAE3MoEdMhojUoEEgSWCRQ8cg?= =?us-ascii?q?ghXAYhzAQEB?= X-IronPort-AV: E=Sophos;i="5.45,499,1508817600"; d="scan'208";a="163391" Received: from emsm-gh1-uea11.ncsc.mil ([214.29.60.35]) by goalie.tycho.ncsc.mil with ESMTP; 02 Jan 2018 20:20:26 -0500 IronPort-PHdr: =?us-ascii?q?9a23=3AGf2b7B9DUw/Tq/9uRHKM819IXTAuvvDOBiVQ1KB2?= =?us-ascii?q?0+scTK2v8tzYMVDF4r011RmVBdyds6oMotGVmpioYXYH75eFvSJKW713fDhBt/?= =?us-ascii?q?8rmRc9CtWOE0zxIa2iRSU7GMNfSA0tpCnjYgBaF8nkelLdvGC54yIMFRXjLwp1?= =?us-ascii?q?Ifn+FpLPg8it2O2+54Dfbx9UiDahfLh/MAi4oQLNu8cMnIBsMLwxyhzHontJf+?= =?us-ascii?q?RZ22ZlLk+Nkhj/+8m94odt/zxftPw9+cFAV776f7kjQrxDEDsmKWE169b1uhTF?= =?us-ascii?q?UACC+2ETUmQSkhpPHgjF8BT3VYr/vyfmquZw3jSRMNboRr4oRzut86ZrSAfpiC?= =?us-ascii?q?gZMT457HrXgdF0gK5CvR6tuwBzz4vSbYqINvRxY7ndcMsHS2VOUMhfVCtPDIOi?= =?us-ascii?q?YYQTFOcBIfpUopPhq1YUsRezBw+hD/7vxD9SgX/22LU33eM7HgHawAwgH8wBsX?= =?us-ascii?q?rJp9v0LqgSS/q1w7fUzTXfcvhb3jL96IrHch0hpfyBRr1wcc3WyUkgEwPKkE+c?= =?us-ascii?q?ppDiPzOQz+kAtXWQ4el4Ve+3lWIrtg58riKxysojkIXFmJ8ZxkrL+Ch22Io4J9?= =?us-ascii?q?K1RFRmbdK6EJZcrSKXO5VsTs88X21kpiA3waAct5GhZigF0pEnygbfa/OZd4iI?= =?us-ascii?q?5QruW+iTLzl7gnxodqyyiQyu/ES8yuDwTNe730hPripendnArHUN2AbS6siDUP?= =?us-ascii?q?d9+0ah2TKX2wDS7OFLP1w0mLLFJ5I8zbM8jIQfvEvZEiPohUn6lqCbe0o89uit?= =?us-ascii?q?8evnY7HmppGGN49zjwHzKqojltG+Aek8NQYBX2eb9uq52rD+/Ez0Q7NKjv42kq?= =?us-ascii?q?TYrJ3aJdwbpra5Aw9Q3IYv8QuwDy+g0NQEk3kHKVBFeBWZj4npJlHPIe33Dfan?= =?us-ascii?q?g1i2lzdr2+vJMqfhApXVIHnOi7nhfbJj5E9T0QY/1NVf6IhICrEdIPL8REHwtN?= =?us-ascii?q?PCAR8jKQy73frnCMln2owFXmKPH6mZP7/Mvl+T/O4vLO6MZIgauDb5Nfcp/eLh?= =?us-ascii?q?jXg8mVMFZ6mmwYMXaGykHvRhO0iZemTjgtMAEWcMowo/Q/fniEGCUDFPZ3ayWL?= =?us-ascii?q?gw5jcgCI28F4vDSYetgKLSlBu8S5lXYH1WT1GKDXrnbYSYSt8SZy+IZMxsiDoJ?= =?us-ascii?q?Uf6mUYBy+wupsVrfwqZ7LufLsgIRr4juyMQ9s+jRmkxj3TNzCMuZ3ieGSGQizT?= =?us-ascii?q?BAfCM/wK0q+R818VyEy6UtxqUATdE=3D?= X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0AIDwDpLkxa/ywVGNZdHQEBBQELAYM7A?= =?us-ascii?q?4FaJ4QHmT5HBoo8hUyIVoE2A3mFJAKENEAXAQEBAQEBAQEBAWoogjgkAYJwBBk?= =?us-ascii?q?BATcBNAImAiMTAQUBLAmKFgMIDQOlWUCLIm6BbTqDCgEBBYQuDYEqgUYqCBJ9g?= =?us-ascii?q?n2CEoEOiEpEAYRIDDGCZYEyAQGSA49dMwgBAYYJii6EcQ2GBo13SI0aiQ05gRc?= =?us-ascii?q?gATcygR0yGiNSgQSBJYJFDxyCCFcBiHMBAQE?= X-IPAS-Result: =?us-ascii?q?A0AIDwDpLkxa/ywVGNZdHQEBBQELAYM7A4FaJ4QHmT5HBoo?= =?us-ascii?q?8hUyIVoE2A3mFJAKENEAXAQEBAQEBAQEBAWoogjgkAYJwBBkBATcBNAImAiMTA?= =?us-ascii?q?QUBLAmKFgMIDQOlWUCLIm6BbTqDCgEBBYQuDYEqgUYqCBJ9gn2CEoEOiEpEAYR?= =?us-ascii?q?IDDGCZYEyAQGSA49dMwgBAYYJii6EcQ2GBo13SI0aiQ05gRcgATcygR0yGiNSg?= =?us-ascii?q?QSBJYJFDxyCCFcBiHMBAQE?= X-IronPort-AV: E=Sophos;i="5.45,499,1508803200"; d="scan'208";a="7642030" X-IronPort-Outbreak-Status: No, level 0, Unknown - Unknown Received: from uhil3cpa05.eemsg.mail.mil ([214.24.21.44]) by emsm-gh1-uea11.NCSC.MIL with ESMTP; 03 Jan 2018 01:20:25 +0000 X-EEMSG-check-005: 0 X-EEMSG-check-006: 000-001;5dbc729b-f60e-4359-9503-006d936cba8b X-EEMSG-check-008: 259872141|UHIL19PA04_EEMSG_MP2.csd.disa.mil X-EEMSG-SBRS: 3.4 X-EEMSG-ORIG-IP: 74.125.82.202 X-EEMSG-check-002: true X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A0D8AQCwLUxahspSfUpdHQEBBQELAYUYJ4QHmT5HBoo8hUyIVoE2A3mFJAKENEAXAQEBAQEBAQEBEwEBAQoJCwgoL4VNBBkBATcBNAImAiMTAQUBLAmKFgMIDaVWQIsiboFtOoMKAQEFhC4NgSqBRioIEn2CfYISgQ6ISkQBhEgMMYJlgTIBAZIDj10zCAEBhgmKLoRxDYYGjXdIjRqJDTmBFyEDZoEdMhojUoEEgSWCRQ8cggggNwGIcwEBAQ X-IPAS-Result: A0D8AQCwLUxahspSfUpdHQEBBQELAYUYJ4QHmT5HBoo8hUyIVoE2A3mFJAKENEAXAQEBAQEBAQEBEwEBAQoJCwgoL4VNBBkBATcBNAImAiMTAQUBLAmKFgMIDaVWQIsiboFtOoMKAQEFhC4NgSqBRioIEn2CfYISgQ6ISkQBhEgMMYJlgTIBAZIDj10zCAEBhgmKLoRxDYYGjXdIjRqJDTmBFyEDZoEdMhojUoEEgSWCRQ8cggggNwGIcwEBAQ Received: from mail-ot0-f202.google.com ([74.125.82.202]) by uhil19pa04.eemsg.mail.mil with ESMTP; 03 Jan 2018 01:20:23 +0000 Received: by mail-ot0-f202.google.com with SMTP id x4so111028otg.5 for ; Tue, 02 Jan 2018 17:20:22 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:date:message-id:subject:from:to:cc; bh=yFkA8kZUtFc3lwkAH/v8NU12xy+x/kiOmNR1m9dlcAI=; b=YG2sgk4zcJfLyLeXTJBJbjI2qGRiRq6uXp2RZ9jrU3FLXFovVCjrQsffee9E8+oWfe PtoKTGtvA9fFcJY7l8ehn+DnUQchK8GAJdTNX+7IL3X7pgKEh+LkkDtnMsDCdT1VuFvi +tv3V/Iw80WVa2WEN/S9ZMt4DENcGO70efJp9udTyi7nWVLNYTC/GpNNjzWr8+kc1jVz JJn6Y1jsuhMsd4ahfTAhdLtQgggbkNe1+x8c1JzgTa4/6xcLD4rhTUN+B95i+hdvGYpI udHmtarkw0nf4LRuPewTt6rqogcaJRckKN4QJYTe+dtKti1G/wQPXDTrLpoNLlZOYljF KcSA== X-Gm-Message-State: AKGB3mL2ASchnEr2JHVui5mtovhqIecK14Q+tk3UXY5FlVdu9p4YHESN ECaqzBAEhBa1h2jCYI5XuO6evtoy0lSsO1N2XayxKQ== X-Google-Smtp-Source: ACJfBou/dRZeM/My3yGDeW6KM/HigwAXUZP4HvtQMX19CCG1D7MlV6spV8yYO0WbrWwl7hHeWLttaXdsfqRxwjqLFu+hhg== MIME-Version: 1.0 X-Received: by 10.157.68.35 with SMTP id u32mr25343667ote.82.1514942422363; Tue, 02 Jan 2018 17:20:22 -0800 (PST) Date: Tue, 2 Jan 2018 17:20:15 -0800 Message-Id: <20180103012017.7022-1-mjg59@google.com> X-Mailer: git-send-email 2.15.1.620.gb9897f4670-goog X-EEMSG-check-009: 444-444 To: linux-integrity@vger.kernel.org X-Mailman-Approved-At: Wed, 03 Jan 2018 10:53:17 -0500 Subject: [PATCH V4 1/3] security: Add a cred_getsecid hook X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.21 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: From: Matthew Garrett via Selinux Reply-To: Matthew Garrett Cc: Matthew Garrett , linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, Dmitry Kasatkin , Stephen Smalley Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP For IMA purposes, we want to be able to obtain the prepared secid in the bprm structure before the credentials are committed. Add a cred_getsecid hook that makes this possible. Signed-off-by: Matthew Garrett Acked-by: Paul Moore Cc: Paul Moore Cc: Stephen Smalley Cc: Eric Paris Cc: selinux@tycho.nsa.gov Cc: Casey Schaufler Cc: linux-security-module@vger.kernel.org Cc: Mimi Zohar Cc: Dmitry Kasatkin Cc: linux-integrity@vger.kernel.org --- include/linux/lsm_hooks.h | 6 ++++++ include/linux/security.h | 1 + security/security.c | 7 +++++++ security/selinux/hooks.c | 6 ++++++ security/smack/smack_lsm.c | 18 ++++++++++++++++++ 5 files changed, 38 insertions(+) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 7161d8e7ee79..72932dabbaed 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -554,6 +554,10 @@ * @new points to the new credentials. * @old points to the original credentials. * Transfer data from original creds to new creds + * @cred_getsecid: + * Retrieve the security identifier of the cred structure @c + * @c contains the credentials, secid will be placed into @secid. + * In case of failure, @secid will be set to zero. * @kernel_act_as: * Set the credentials for a kernel service to act as (subjective context). * @new points to the credentials to be modified. @@ -1541,6 +1545,7 @@ union security_list_options { int (*cred_prepare)(struct cred *new, const struct cred *old, gfp_t gfp); void (*cred_transfer)(struct cred *new, const struct cred *old); + void (*cred_getsecid)(const struct cred *c, u32 *secid); int (*kernel_act_as)(struct cred *new, u32 secid); int (*kernel_create_files_as)(struct cred *new, struct inode *inode); int (*kernel_module_request)(char *kmod_name); @@ -1824,6 +1829,7 @@ struct security_hook_heads { struct list_head cred_free; struct list_head cred_prepare; struct list_head cred_transfer; + struct list_head cred_getsecid; struct list_head kernel_act_as; struct list_head kernel_create_files_as; struct list_head kernel_read_file; diff --git a/include/linux/security.h b/include/linux/security.h index 73f1ef625d40..5cfff15ac378 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -324,6 +324,7 @@ int security_cred_alloc_blank(struct cred *cred, gfp_t gfp); void security_cred_free(struct cred *cred); int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp); void security_transfer_creds(struct cred *new, const struct cred *old); +void security_cred_getsecid(const struct cred *c, u32 *secid); int security_kernel_act_as(struct cred *new, u32 secid); int security_kernel_create_files_as(struct cred *new, struct inode *inode); int security_kernel_module_request(char *kmod_name); diff --git a/security/security.c b/security/security.c index 1cd8526cb0b7..35cbd75844c2 100644 --- a/security/security.c +++ b/security/security.c @@ -1005,6 +1005,13 @@ void security_transfer_creds(struct cred *new, const struct cred *old) call_void_hook(cred_transfer, new, old); } +void security_cred_getsecid(const struct cred *c, u32 *secid) +{ + *secid = 0; + call_void_hook(cred_getsecid, c, secid); +} +EXPORT_SYMBOL(security_cred_getsecid); + int security_kernel_act_as(struct cred *new, u32 secid) { return call_int_hook(kernel_act_as, 0, new, secid); diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 8644d864e3c1..d3009c027de8 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3844,6 +3844,11 @@ static void selinux_cred_transfer(struct cred *new, const struct cred *old) *tsec = *old_tsec; } +static void selinux_cred_getsecid(const struct cred *c, u32 *secid) +{ + *secid = cred_sid(c); +} + /* * set the security data for a kernel service * - all the creation contexts are set to unlabelled @@ -6479,6 +6484,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(cred_free, selinux_cred_free), LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), + LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid), LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 14cc7940b36d..b27327ebb031 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -2049,6 +2049,23 @@ static void smack_cred_transfer(struct cred *new, const struct cred *old) /* cbs copy rule list */ } +/** + * smack_cred_getsecid - get the secid corresponding to a creds structure + * @c: the object creds + * @secid: where to put the result + * + * Sets the secid to contain a u32 version of the smack label. + */ +static void smack_cred_getsecid(const struct cred *c, u32 *secid) +{ + struct smack_known *skp; + + rcu_read_lock(); + skp = smk_of_task(c->security); + *secid = skp->smk_secid; + rcu_read_unlock(); +} + /** * smack_kernel_act_as - Set the subjective context in a set of credentials * @new: points to the set of credentials to be modified. @@ -4727,6 +4744,7 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(cred_free, smack_cred_free), LSM_HOOK_INIT(cred_prepare, smack_cred_prepare), LSM_HOOK_INIT(cred_transfer, smack_cred_transfer), + LSM_HOOK_INIT(cred_getsecid, smack_cred_getsecid), LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as), LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as), LSM_HOOK_INIT(task_setpgid, smack_task_setpgid),