From patchwork Fri Jan 5 21:15:35 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jann Horn via Selinux X-Patchwork-Id: 10147095 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 74DFA60155 for ; Fri, 5 Jan 2018 21:18:07 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EB01C28935 for ; Fri, 5 Jan 2018 21:18:06 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id DE5CA28944; Fri, 5 Jan 2018 21:18:06 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from ucol19pa09.eemsg.mail.mil (ucol19pa09.eemsg.mail.mil [214.24.24.82]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B5D9928935 for ; Fri, 5 Jan 2018 21:18:05 +0000 (UTC) X-IronPort-AV: E=Sophos;i="5.46,320,1511827200"; d="scan'208";a="604501188" Received: from emsm-gh1-uea10.ncsc.mil ([214.29.60.2]) by ucol19pa09.eemsg.mail.mil with ESMTP/TLS/AES256-SHA; 05 Jan 2018 21:18:04 +0000 X-IronPort-AV: E=Sophos;i="5.46,320,1511827200"; d="scan'208";a="7352989" IronPort-PHdr: =?us-ascii?q?9a23=3A6lCmcxyGMvSUWanXCy+O+j09IxM/srCxBDY+r6Qd?= =?us-ascii?q?1u0eLfad9pjvdHbS+e9qxAeQG9mDsrQb1KGP7/yocFdDyK7JiGoFfp1IWk1Nou?= =?us-ascii?q?QttCtkPvS4D1bmJuXhdS0wEZcKflZk+3amLRodQ56mNBXdrXKo8DEdBAj0OxZr?= =?us-ascii?q?KeTpAI7SiNm82/yv95HJbAhEmCexbalwIRi0ogndq8YbjIR/Iast1xXFpWdFdf?= =?us-ascii?q?5Lzm1yP1KTmBj85sa0/JF99ilbpuws+c1dX6jkZqo0VbNXAigoPGAz/83rqALM?= =?us-ascii?q?TRCT6XsGU2UZiQRHDg7Y5xznRJjxsy/6tu1g2CmGOMD9UL45VSi+46ptVRTlkz?= =?us-ascii?q?kMOSIn/27Li8xwlKNbrwynpxxj2I7ffYWZOONjcq/BYd8WQGxMUchLVyxFH4iy?= =?us-ascii?q?cY0BAeQcNupctoXxukcCoR64CAKxBu3g1yVIi2f50qM00OovFh/I0xA9EdIWsn?= =?us-ascii?q?nYsdv4OqcIUe+r16nF1inDY+9M1Dvh8oXEbhIsrPeRVrxwa8rRzkwvGhvCgFqK?= =?us-ascii?q?tYzlIzOV2foDsmOG7uRvT/ivi3Q5pAFtvjik29ksiojTiYkI117L6yF5wIczJd?= =?us-ascii?q?2lR09wfNmpEIBOuCGeNot2RN4iQm5ztSYmyrwJpZ67fC8QxJQh3B7QceaLc4eP?= =?us-ascii?q?4hL9TeucJypzinF9eL+nmhq//ketxvf8W8WpylpGsCVInsfWunwQzxDe6MeKRu?= =?us-ascii?q?Fg8ku/2TuDzQPe5v9eLUwqiabXNpgsyaMqmJUJq0TMBCr2lV3zjK+Ra0or5PCl?= =?us-ascii?q?6//iYrX6vp+cMJJ0ih3mPqQuhMO/BeM4PxASX2eB4+S81aDj/VbjTLVWjvw5jq?= =?us-ascii?q?nZsJfAKcQduqG5GBNa3pwm6xa+CzeqyNUYnX8ZI1JZYB+LkofkNl7ULP34EPuz?= =?us-ascii?q?mUqgnTh1y/zcI7HtGpDNIWLCkLflc7Z98UlcyA8rwNBE+Z1UDrABIPTuWk7+rd?= =?us-ascii?q?DXFRg5MxGyw+n7Ftp9zZgTWX6PA6CFMKPStkWE5uQ0I+aWfoMVtzH9K+Y96/70?= =?us-ascii?q?kXA5gUMdfbWu3ZYPanC4GfJmLF+FYXrsmNgBF3wHvgg5TOzsjV2NSyVTZ2qsUK?= =?us-ascii?q?Im/TE3EoWmDZ3MRoq1mryOwD+7HoFKZmBBEl2ME3XoeJ+YVPcPcyKSJclhkj0a?= =?us-ascii?q?VbW6RY8h0QyutQDhxLp6KOrU5jAYuYjk1Nhv6O3ZjQsy+iBsD8SBz2GNSHl5n2?= =?us-ascii?q?0JRz8y2aBwv1Z9x0yN0admnvNYEsZT6OlRUgcgMp7czfJ1BMzuWg7bedeJUlmm?= =?us-ascii?q?SM28AT4tVtIx38MOY0FlFtq/kh/D2i2qA7kJl7CWH5E07LzT32LwJ8d8zHbG0r?= =?us-ascii?q?Mtj184TctTLWemnLJw9xDPB47VlEWUj7uldbgG0y7X72qM0W2OvEREXwFqSqXF?= =?us-ascii?q?QWoTZk3IotTl/knCVaOhCaw7Mgtdzs6PMqtLa9zujVVAX/rjPdDeb3uwm2e2Hx?= =?us-ascii?q?qIwKmDbJDpe2UcwiXSFlIIkwYN8naaLQI+HDuuo3rCDDxyElLie03s8fNkp3O9?= =?us-ascii?q?UkA0zhqKYlZk17qt+x4ZnOecSv0I3r4evychsTp0Fk6n393KE9qAuxZhfKJEbN?= =?us-ascii?q?M++lhH1mXZtxFmM5yjNa9ihVkecxlts0PpzRV3BZ1KkdI2o3My0ApyNaWY3Utb?= =?us-ascii?q?eDyFx5DwO6PYKnPp8R+1d6HW30vS0NGM+qcA8P44sUnsvBm1Fko+9HVqy8NV3G?= =?us-ascii?q?aB6ZjRAwoSVJ3wXlwx9xdku7HQejM96J/M1X1wLam0tSfP28knBOs/zRagZMtf?= =?us-ascii?q?PbifFA/0FM0bCc2uJ/Ysm1SzaBILIvxS/rYuP8y6b/uGxLKrPOF4kTOol2tH5J?= =?us-ascii?q?x93VyW9ypnUePIwYgKw+uD0QuaUjfwllChstr4mYpcfzEdAnK/yTT4BI5WfqBy?= =?us-ascii?q?e4cLCWOqI8Kp3dVznITiVGBC9F6kHV8G39WpeRWKZVznwQJQzVgXoWCgmSag0T?= =?us-ascii?q?x0ki0mrraY3CzU2ejtaBoHOmlNRGltllrsJYm0j9YAU0iyaAgljhyl5Vz1x6JD?= =?us-ascii?q?vqRwM3HTQVtUfyjxN2xiVqqwtqGeY8JW85MnryFXUOW6YVCHRb/wuAAa0zviH2?= =?us-ascii?q?tYxTA0ayqqto//nxNklGKXNGxzo2bBecFs2Rff48TRReRW3joCQCl3lyPXCUS7?= =?us-ascii?q?P9in5tiUjIrDvfylV267UZ1Taybrx5uatCSn/W1qHQG/n/erl93kDwc61zT72s?= =?us-ascii?q?JpVSrWqhb8eY/r2LqmMe59eUloHlD84dJgGo5iioswmI0Q2X8Ci5WN53UHjGPz?= =?us-ascii?q?PstD2a3kanoNWSAEw8TO7Qj4w01sMGiJx5njWnWGxcthesO6bX8I1SIz6MBKEq?= =?us-ascii?q?iU46JekStzvFW4sRrbYeJhkTcF1fsu9HkajvkXuAor0yqQGa4SHU9FMizsjRiI?= =?us-ascii?q?6c6xrLlPbma1bbewzFZ+ncymDLyaugFTQmv5epM5ECBs78V/LFLN3GT96o7+ft?= =?us-ascii?q?ncd9UTtgebkx3YlehaNIoxluYWhSpgIW/9s2cqy+gnjRxp2JG3p4aHJHtw86K+?= =?us-ascii?q?GB5XLCX1Z9kU+jHvk6lRgtqW05qoHpV7FTUBRIHoQu6wEDIOqfTnMB6DEDgmpX?= =?us-ascii?q?efHbrQAxOf6Ft8oH3VCJ2rMW+YJGUCzdp+XhadPFJQjBoSXDokgp4zDhqqy9D5?= =?us-ascii?q?cEdl+jAR4Ub1qgFWxuNmLRX/V33QpAOvajY0U5WQNgZZ7gRY60fSK8ye4fp5Hz?= =?us-ascii?q?tE8Z25sAyNNmubahxGDWETREOLGkvjMaOo5dnc9OiYHfGzIOHSbrWLs+BeUO2I?= =?us-ascii?q?xZ232It84zmMLtmPPmVlD/Aj3EpDR2p2G9zBmzgURSwXljjNb9WHpBey+y13qN?= =?us-ascii?q?qw8PL3VwLu/4SPD6FeMdJ1+xC5ma2DLfKfhD5lKTZE0ZMB3WfIx6YE01EMjSFu?= =?us-ascii?q?diWtEbMbuC7MUq3fhLFYAwQcayNpO8tC97g80RVVOc7HltP10aZ1geUuBFtCUV?= =?us-ascii?q?zhm9qpZdARI22nL1PIGlqEOK6dJTLVx8H3YKW8SaBfjehPqxKxuSybE1L4PjiZ?= =?us-ascii?q?mTjmTQyvMfpLjCGdJhBev5u9chl1A2j5UN3mcgG7MMNwjTAu2rI0h3zKNWkaMT?= =?us-ascii?q?VnbkxCsKaf7SJCjfV5AWBB6WBlLeackSaD8+bYMooWsedsAilsje1a7241y6VL?= =?us-ascii?q?4yxfQ/x1gDXdrthro168k+mPziFoUB1BqzpRg4KLp0piM73D9pZcQXbE4A4N7W?= =?us-ascii?q?KIBhQWoNtlD8fju7pXytnOiq3zLixN88jT/cQCBMjZM96IMH0kMRX1AjHUFxcF?= =?us-ascii?q?QSStNW7Bm0xXiOuS+WGNrpgmtpjsn4IDSrxbVVwxCPwXEUFlHNsMIJd5QDwkja?= =?us-ascii?q?KbjM4P5Xq7shbdXsNasY7bVviKG/XgNC6ZjaVYZxsP2b74K5ocOZf/20F5aVl6?= =?us-ascii?q?m5/KG1bKUtBLuS1hbQ40rF9L8HdgUm05w1jlZR+14H8PCf60mQY7ihFgbuQ26j?= =?us-ascii?q?jj+U03KUbKpCYri0YxmM/lji2WcD7/NKewR59ZCiruu0g3LJz7Xx5/bReukkx8?= =?us-ascii?q?KDfEW7VRgqN9emBsjg/cv4ZAFuBYTa1FexIf3++YZ+8v0VhGrSWn30BH7/PfCZ?= =?us-ascii?q?R+jAsqbYKsr3VY1g1+dtE1O63QK7dSzlVLnK2OpDWo1uc/wQ8FOUkC7H6SeDQJ?= =?us-ascii?q?uEwUNrgqPSyo8fJw6QaagTtMZHAMV+Y2ovJt7k49P+OAzzj+3L5FK0GxMPeSL6?= =?us-ascii?q?yfu2jdj8KIRUkw1kwQnUlf4bd2ydsjc1aTV00317ueCRAJNcvEKQFIYMtf72Tc?= =?us-ascii?q?fSGLserR2511JJm9GvruTeCQqKYemlikExoxH4QQ8sQBGYGh0F3ZLcfiK74F1R?= =?us-ascii?q?Ut5QTwKVqYDfRIeAiEnywdr8G50pB3wZFXJisBDmVlLSW3+rHXqxcwj/qHXdc5?= =?us-ascii?q?fmkVUZMBNnM2Xs26nChZsG5bATas0+IW0g6C4ybypiTNFjX8acRsZOuMbxN2FN?= =?us-ascii?q?624Sk/87SxiVPP6ZrROWf6OM94tdDS9+MVuYyHC+hOQrlns0bQgY5YR2alU2TX?= =?us-ascii?q?C966O4Dwa5UwbdzzEnu6XUG/izMxT8f1ItmtK7OFjhz2SolPsYmUxjYjOdW6Fj?= =?us-ascii?q?EEFBd6v/sD675kZQ0ff5o7Zgbltx44N6y+PAiY0tKuQ2K2KTVOVvdR0P+0aqBQ?= =?us-ascii?q?wSc3cuC6z34gQY0gwOms7U4BXpcKgQ/Cxfy7fYlRTTDzGmBBewXIvSc5jXJuNv?= =?us-ascii?q?w1wugk2x7IrUMcPCqVdON3bGxEvtc8BVyWIXV3BWo4R0OcjYTZ7Q622rAe5S1d?= =?us-ascii?q?kMhI0eddqnjxooffYC6wWKyssZjUvTAsYsQmo61wNIzjI9GJtJDFkzzeUpbfrB?= =?us-ascii?q?OKXDS9F/pAldhaODhYT+VQmWE5JcwGvpJM6U8rWcckJLxAFrUsprGsaTprFiMT?= =?us-ascii?q?wzUWV4Wc0zwGhee8xqbVlgyKfJQkLhMErI1IgsEBXC5ufiMeuKijWp3MmG+eV2?= =?us-ascii?q?gLJh0f7QdX6QIBl49wf/zl75HSQJ9K1TFWv+p+UjHXGZlw61v7VmaWjED5SPWn?= =?us-ascii?q?j+ymwwZSw+zp0tYFRB5/E0hcyv1RlkswNr53LawQsZTLsj+Mbkz6u23sxPGhJF?= =?us-ascii?q?lLxs3eb0f4A5bdtWrgTi0c/mUZRZNIyHHaDpkSjxZ1aKMwq1lWJoCpZFr+7SQ+?= =?us-ascii?q?x4t1B7m4Sdyrx1E9oHYGXSiqCcBOC+V7v1/MRTJqfYirqI37NJVWXGBQ4oeRq1?= =?us-ascii?q?BDkEViKyS504ZTK9lR4j4QWzhCuTedvNysR8BYxMB5EYQMLcllu3fhBqxLJYKd?= =?us-ascii?q?o3sotbzz0nXZ4SwzsE+mxDWvHK+1V/5Z8HADFQUoPWuerlIiAPcr8mfX7l/CqE?= =?us-ascii?q?t0//tBCriJk0pxvC53HopSCTZRyXClM1NzQWFdvOVUNKvZb85RT+Q8aBK0JxM+?= =?us-ascii?q?Evsm0FCT8kFvgXf1eSpyuRVG+yrFRQk7STEVgqvxmT0ZssynIyEVRI9IbTo7cy?= =?us-ascii?q?fIMAabmSdJvBlBdU1lR5cZDctb9L0B24tb4NbCQ162KS4ZRBxiKh440f1HmE5b?= =?us-ascii?q?q0WYZTrSAhe0dfvUqR13etqRrNS1I/vn+gdHlpnnv/o896kZQH2mgwKtS8jEr4?= =?us-ascii?q?Dgrt2KqleOdKDgPu2ge3/OUibDgg2riLc5C5nK4zLTPxBFK5l7znokZYbuCXLR?= =?us-ascii?q?MRRBPaIbKFJRVbpmZtVevuBae8hkdb4L+aB3HBKHQQjvGIi1o/lYNVvTQCneLy?= =?us-ascii?q?Gd8uy+vY3T7KbSSe77ZsCWwHbHWa13NI9g6TbnA7fqzZNe+k3u1/dv7Ex6T1bG?= =?us-ascii?q?MzqGrNv8OAwG/9WieVHkvp0yGjPaGpFwn2TxxktYbcoYXzWq8IgEyJNe8HvwT+?= =?us-ascii?q?Z431PysO1U8rlo84g347ZnyceuP6jSMuhasVV6AheIGgVq648tD3ZlS2BWeO8R?= =?us-ascii?q?J+/bfb4FgsD2t+D3C6sX5QWT++xYddTHIEXBldOkCj2GSBxEmwABqSUBLgaH0v?= =?us-ascii?q?6IlKB1Rdyipejj1UIn+0K+IQIezLBx+YeE/bKFq/PNYBvV07cEQbTqR8P0rrk3?= =?us-ascii?q?oEOd+fwkm6AIemxpYg2oCvIRVsgDyWf81aoq1z4jE9vfH7L8//5OT3Y5ninlm5?= =?us-ascii?q?19BFgWFO0bEqeM/YREhGg4g/bZNtoUcq9chmmPCQSoErgYyX6k8yGXOnVqggnS?= =?us-ascii?q?0xHsRmO+9F32rS59QSbXytfsjEpUWaetBUdTWSqpNlV0sDWRMwr0rND3o7g67F?= =?us-ascii?q?kqMmz4s9KAjGqhObJNEMLlONOROjI0q0wLjJIvWtOjw4cbGcCyIN0J6nFxcuPe?= =?us-ascii?q?63+3ky9Gu6pInIve4tqb+/rNH3mgjrGaq62XyzBFzng1pk0w6te9Of7Q/dKKXu?= =?us-ascii?q?6o12ELTyhloQfBWAS1qrPDpVAOJUOLyFvLmJANPtxBxXk3zF3m6/QjQNM98wVe?= =?us-ascii?q?DIXAa+oZpT/tPDv0wFCfY884VySFyztYBE71HkV4GKky32LwpsHJmW3T+1I2XI?= =?us-ascii?q?lwcVLohRhtA4U/M0It50AdwjAfHggVdRCbELaoCFzqLYQeT0gMdwiH3Lihd6cz?= =?us-ascii?q?3E1z3q2g5O/JYuxhHKoBLPBdgRCSnFJDAJIZrbUeQK5ge19a7KPXqRbtC477X/?= =?us-ascii?q?jhkno8Mua1Td5e8cAYsXsi/wm+SgGk6Zhd9bYaiIqHerRCYZfSoMB2911n6iIX?= =?us-ascii?q?dixRnBh/iAu0XvwepO/5/tfWq4an6uGqVKYpRuUY6QI0B3hggJTsgFAvu9bX1/?= =?us-ascii?q?1TSofNk4Tw7BhNI2KWuIbdyxR8LO0OK4S3fLZv6XoKPC0eJ3MUMtqQdfY8/yFs?= =?us-ascii?q?MDLJ51xBGcMAf9UYM9TRmQpMkE3mRKlT9tbHGl+fE4pzeNwn73HsyDws7JUyXe?= =?us-ascii?q?Du6D6wJZDC4FBAJPxDjCB2m9LEuucZ2/3SCDIY4XOBcRh63juCy4WRC/b35eiM?= =?us-ascii?q?ytbUV1MAHiIsT4hdJD6C+RG6Seu0lZXpVBiU6szygJ8lakKQR2Kxk74BsqlREO?= =?us-ascii?q?5MkCP70SZCFortnfKar8Ks6HdLtl1ACItz7APFF79ZPphgPRT4i9SkRkl7Bivk?= =?us-ascii?q?Ys3UcQAuuOWOzOcW/+p+L1f+ZZMcIh8cybL193RVTgVqSLPtsFeWR+QRa8V6SP?= =?us-ascii?q?/eqHBa955gIbcVPFeBvJzqsitIqFcuDQ8mbL8wqTJbeVfKnA1RQKv0o7kAig0d?= =?us-ascii?q?UdFlo0NMH3y/OH4m7TrdSatVlLWRCOAS8jiLTKwOU0VpMjt5QxOx2ZVuZ6WmkO?= =?us-ascii?q?tCsmNHgiN9uuYl3yZhRBumti3mv7gN1i44+LGkqDUBvmRITvmfkyfNElhD0PUK?= =?us-ascii?q?grsfC3n87Vywen8DY5Xu4LN/P8Tv6ZEh42gjYRUkZyAGWOWgCyLzj6OPGYGPss?= =?us-ascii?q?hThB2KuMXIc7CzKzIeNrIjxhL/X3J9yBTRnA508GsXRTWt9MQrK5u7OcY53Seo?= =?us-ascii?q?AmzbdFEQ4qNVrsv+q0MEQPExaVN7z2VpytKHSTEVRMzTB2Y1iRApaX1DcJJH8x?= =?us-ascii?q?AaDacpgjGMvqlI5QwUZTDUEoO++obOgcjIw349TcxxxmLXoK2FiYkm0Hp/m9N7?= =?us-ascii?q?9iSOomgdd/TEU89wBXj+zolfxvL6Z/WsquAIVpBrybWgUP8HN8ms53G22JF0VU?= =?us-ascii?q?O/wbQeBVW5OvcZxrjHSyelVXGYWeOTfmmChzY5KE/y6gW2IVAsbcdKrlM9MvHc?= =?us-ascii?q?iZJGkA3hS7x0TD2KpVDH1GwjLf8adwUutYegfwwFUvUcZ/CYJec02/0+FFoMYG?= =?us-ascii?q?PVHStsFeC5r0ShnI5lNHV8+U/6e/ji8hj6MNuOHRkJCYrarp93+fynSWONIHtg?= =?us-ascii?q?zBxpPElo7OfSDFUxufVac5aWh9TQgM570eEdffd3LSI9osITmp5k6YSM1ceFaw?= =?us-ascii?q?3ezpbzJdHTpfiVGOPfz0Usem5EVroZYAX155g1P9IjXL3TB7RZtwwGBacmWJwh?= =?us-ascii?q?K3vx9KZsIQNxaAHRZ7O0jdLxq+KWYJtUu3/W7lUtLCfTux0D1ua4TQplYJC2n3?= =?us-ascii?q?/yOow/Ripdr91xDRtrBIlPG8YHrwq9GZ6Umbq7hsS3+0xgvu8Fr6vwBurN1NSj?= =?us-ascii?q?0IV7R4Ja6lCTPDbNGKlrhVxojv+8gvfFzpb8CMDvdMgaVOdlWG7Fa77HHoK5Kj?= =?us-ascii?q?6UPMLzZVJGoPag1+d9UxOMdGX4WbaLuzelKORM/0o20Mp7cfDVwThr6KvUi+H/?= =?us-ascii?q?f2VKmiD2iHeVKJtS8xTlDPbEUg5IAa6A8mk4TIUYaoz78OpIOtsnlouy+Q52uR?= =?us-ascii?q?FLzNeFLrfpgUbWwE9nadrFLUKh4Cs9WI8XMFzrKkYogGnEulzBEH9cKY6iMsAr?= =?us-ascii?q?j9GLWE++r3JtkH0gMzYSUlHjQs2cbC1Cgpqz?= X-IPAS-Result: =?us-ascii?q?A2AkAwBF609a/wHyM5BcGgEBAQEBAgEBAQEIAQEBAYMSLIF?= =?us-ascii?q?aJ4QHixiNdosKjkCBGANVKYlWQxQBAQEBAQEBAQEBaiiCOCQBgk4CIARSAwMJA?= =?us-ascii?q?hISAiIEAgIDAR0TAQUBLAkFiAWCDQMVA6Q+QIwRgW06hHOCVA2CcDISfYMFghU?= =?us-ascii?q?Qgy+GGUWFBYJlBZM4j2c9kDyEcw2GB41/SI0oiQ85gRc2IjKBHioIAhgIIQ89g?= =?us-ascii?q?RcaeYJUHIIIVwGJbAEBAQ?= Received: from tarius.tycho.ncsc.mil ([144.51.242.1]) by EMSM-GH1-UEA10.NCSC.MIL with ESMTP; 05 Jan 2018 21:18:03 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id w05LHaLg001020; Fri, 5 Jan 2018 16:17:42 -0500 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id w05LFoKk012259 for ; Fri, 5 Jan 2018 16:15:50 -0500 Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id w05LFnPZ031853 for ; Fri, 5 Jan 2018 16:15:51 -0500 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A1AaNgBL6k9aWyUaGNZcHQEBBQELAYM7A?= =?us-ascii?q?yOBNyeEB4sYjXZCAQEEBoo8hUyKDAN5iVtCFQEBAQEBAQEBAQYaFYYrBBkBATc?= =?us-ascii?q?BNAImAiMTAQUBCCQJihcDCA0DpDdAiyNugW06gwoBAQWENg2BKoFGKggSfYMFg?= =?us-ascii?q?hWBDoIxhhlEAYUFgmWBMgEBkgmPZzMIAQGGC4oxhHMNhgeNf0iNKIkPOYEXNVW?= =?us-ascii?q?BHjIaI1KBBIEmgkUPHIIIVwGJbAEBAQ?= X-IPAS-Result: =?us-ascii?q?A1AaNgBL6k9aWyUaGNZcHQEBBQELAYM7AyOBNyeEB4sYjXZ?= =?us-ascii?q?CAQEEBoo8hUyKDAN5iVtCFQEBAQEBAQEBAQYaFYYrBBkBATcBNAImAiMTAQUBC?= =?us-ascii?q?CQJihcDCA0DpDdAiyNugW06gwoBAQWENg2BKoFGKggSfYMFghWBDoIxhhlEAYU?= =?us-ascii?q?FgmWBMgEBkgmPZzMIAQGGC4oxhHMNhgeNf0iNKIkPOYEXNVWBHjIaI1KBBIEmg?= =?us-ascii?q?kUPHIIIVwGJbAEBAQ?= X-IronPort-AV: E=Sophos;i="5.46,320,1511845200"; d="scan'208";a="166761" Received: from emsm-gh1-uea11.ncsc.mil ([214.29.60.35]) by goalie.tycho.ncsc.mil with ESMTP; 05 Jan 2018 16:15:50 -0500 IronPort-PHdr: =?us-ascii?q?9a23=3AJENsPRU5UnO+1SM6dvs/SCHaffzV8LGtZVwlr6E/?= =?us-ascii?q?grcLSJyIuqrYbRSGt8tkgFKBZ4jH8fUM07OQ7/i5HzRYqb+681k6OKRWUBEEjc?= =?us-ascii?q?hE1ycBO+WiTXPBEfjxciYhF95DXlI2t1uyMExSBdqsLwaK+i764jEdAAjwOhRo?= =?us-ascii?q?LerpBIHSk9631+ev8JHPfglEnjWwba9vIBmssQndqtQdjJd/JKo21hbHuGZDdf?= =?us-ascii?q?5MxWNvK1KTnhL86dm18ZV+7SleuO8v+tBZX6nicKs2UbJXDDI9M2Ao/8LrrgXM?= =?us-ascii?q?TRGO5nQHTGoblAdDDhXf4xH7WpfxtTb6tvZ41SKHM8D6Uaw4VDK/5KpwVhTmlD?= =?us-ascii?q?kIOCI48GHPi8x/kqRboA66pxdix4LYeZyZOOZicq/Ye94RWGhPUdtLVyFZH42z?= =?us-ascii?q?YIUBAekGM+hYsYfyu0ADrQeiCQS2GO/i0CNEi33w0KYn0+ohCwbG3Ak4EtwJqn?= =?us-ascii?q?vUsMn1NKcMXuG70aLGzC/Mb+lM2Tjj9IjIbg0qrPaJXbJyfsrcyU0iGhjKjlWX?= =?us-ascii?q?rozlMDeV2foXv2eH6OpgUPuihmg6oA9yujii3tkghpTGi44P1FzJ+j91zJg0KN?= =?us-ascii?q?GiRkN2Y8aoHZlfui2AKod6XMMvT3trtSok0LEKp4K3cDUMxZ863RDQceaHfJKN?= =?us-ascii?q?4h/7VOaePzN4hHV9db2xmhi88VWtxvD4W8euzFtGsilInsPSuX8T0hzT8ceHRu?= =?us-ascii?q?F4/ki72DaP0xrf6uRFIUAwjabbKpghzaAslpcLr0jPAyD7lF/ogKKZbEko5Oml?= =?us-ascii?q?5/7pb7jkvpOcMpV7igD6MqQggMy/BuE4PxAAUmeD4Oi8zKft8k32QLpEi/M7j7?= =?us-ascii?q?DVsZ7AKssaqKG5HwBU3Yg/5BmjATip08kWkWMcIl1ZYh2HgJXnNFLOL//jDPe/?= =?us-ascii?q?h1SskDJwyf/JIrLtGI7CLnfanrv7c7ly90xcxRE9zdBb+Z1VBagNLOv2WkDrqN?= =?us-ascii?q?zYEh85PBK6wuboEtp9zJkeVnyTAq+FKq/dqliI5v8pI+aQeoAVoyzxK/ci5/7p?= =?us-ascii?q?gn85nUEScbO10psQbXC0Bu5mLFmBYXrwntcBFn8HvhEgQ+zuiV2CVyNTZnmpUq?= =?us-ascii?q?Ig5jA0FIKmDYDZSoCrm7yOxj23HpJRZmBYWRiwFiLsdoOZS7INbj6fLdVgji0s?= =?us-ascii?q?S7esUcki2AuouQu8zKBofcTO/ShNkJv/yNh4+KX8nAso+CBoR5CY0W7QHkl7mW?= =?us-ascii?q?QHQzJw16d69x8ugmyf2LR11qQLXedY4OlEB0JjbcbR?= X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0BpFwDX6U9aWyUaGNZdHQEBBQELAYM7J?= =?us-ascii?q?oE3J4QHixiOOAEBBAaKPIVMigwDeYodFQEBAQEBAQEBAQEFGhVegjgkAYJwBBk?= =?us-ascii?q?BATcBNAImAiMTAQUBCCQJihcDCA0DpEFAiyNugW06gwoBAQWENg2BKoFGKggSf?= =?us-ascii?q?YMFgyOCMYYZRAGFBYJlgTIBAZIJj2czCAEBhguKMYRzDYYHjX9IjSiJDzmBFzV?= =?us-ascii?q?VgR4yGiNSgQSBJoJFDxyCCFcBiWwBAQE?= X-IPAS-Result: =?us-ascii?q?A0BpFwDX6U9aWyUaGNZdHQEBBQELAYM7JoE3J4QHixiOOAE?= =?us-ascii?q?BBAaKPIVMigwDeYodFQEBAQEBAQEBAQEFGhVegjgkAYJwBBkBATcBNAImAiMTA?= =?us-ascii?q?QUBCCQJihcDCA0DpEFAiyNugW06gwoBAQWENg2BKoFGKggSfYMFgyOCMYYZRAG?= =?us-ascii?q?FBYJlgTIBAZIJj2czCAEBhguKMYRzDYYHjX9IjSiJDzmBFzVVgR4yGiNSgQSBJ?= =?us-ascii?q?oJFDxyCCFcBiWwBAQE?= X-IronPort-AV: E=Sophos;i="5.46,320,1511827200"; d="scan'208";a="7786396" X-IronPort-Outbreak-Status: No, level 0, Unknown - Unknown Received: from uphb19pa05.eemsg.mail.mil (HELO USFB19PA08.eemsg.mail.mil) ([214.24.26.37]) by emsm-gh1-uea11.NCSC.MIL with ESMTP; 05 Jan 2018 21:15:49 +0000 X-EEMSG-check-005: 0 X-EEMSG-check-006: 000-001;da596051-5cab-4aa9-928b-98f3b509cced Received: from localhost.localdomain (localhost [127.0.0.1]) by USFBF3ID05.oob.disa.mil (Postfix) with SMTP id 3zCyBV5N0Hz1b8n for ; Fri, 5 Jan 2018 21:15:46 +0000 (UTC) Received: from USFB19PA09_EEMSG_MP5.eemsg.mil (unknown [192.168.16.6]) by USFBF3ID05.oob.disa.mil (Postfix) with ESMTP id 3zCyBV4P6Zz1b8V for ; Fri, 5 Jan 2018 21:15:46 +0000 (UTC) X-EEMSG-check-008: 21362539|USFB19PA09_EEMSG_MP5.csd.disa.mil X-EEMSG-SBRS: 3.4 X-EEMSG-ORIG-IP: 74.125.82.201 X-EEMSG-check-002: true X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A0CgAgDX6U9ahslSfUpdHQEBBQELAYUYJ4QHmQ5IBoo8hUyKDAN5hSQChDVDFAEBAQEBAQEBARMBAQEKCQsIKC+FTQQZAQE3ATQCJgIjEwEFASwJihcDCA2kRECLI26BbTqDCgEBBYQ2DYEqgUYqCBJ9gwWCFYEOgjGGGUQBhEgMMYJlgTIBAZIJj2czCAEBhguKMYRzDYYHjX9IjSiJDzmBFzZUgR4yGiNSgQSBJoJFDxyCCCA3AYlsAQEB X-IPAS-Result: A0CgAgDX6U9ahslSfUpdHQEBBQELAYUYJ4QHmQ5IBoo8hUyKDAN5hSQChDVDFAEBAQEBAQEBARMBAQEKCQsIKC+FTQQZAQE3ATQCJgIjEwEFASwJihcDCA2kRECLI26BbTqDCgEBBYQ2DYEqgUYqCBJ9gwWCFYEOgjGGGUQBhEgMMYJlgTIBAZIJj2czCAEBhguKMYRzDYYHjX9IjSiJDzmBFzZUgR4yGiNSgQSBJoJFDxyCCCA3AYlsAQEB Received: from mail-ot0-f201.google.com ([74.125.82.201]) by USFB19PA09.eemsg.mail.mil with ESMTP; 05 Jan 2018 21:15:45 +0000 Received: by mail-ot0-f201.google.com with SMTP id m2so2921717otd.22 for ; Fri, 05 Jan 2018 13:15:45 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:date:message-id:subject:from:to:cc; bh=71HgBaqTKJtnIXGnIO2QmqbwN1Lj/QQqd08w/uYTqn8=; b=sCPrym/eDPG/Drouvgwwm1keb2SgR9scSZoBPCukbdYAl1uf3qCbPHRxusM5/y2b9P juNrBmzvL+C4F8mRUm2napmBjTGwe48DQRXkpT0pZpCxoPdDjpqmlo/ijeBVZzqnNieZ qbjpqR9svEdcNPhM/Q1qtRAZWwU/7myVCC9QXpJZc9fPCWonWxWg7KAGAwT/J/qXi8Lt 2j+AuU//rwvx2mYqF4ggwFQjp2LvuWplZXB7/7tN4TzE0UnsUf4LKsyu9tp7DVEM490F RQt5YUtDfxQ+ZASWmccsHKtLVbQOJemo19Pm0fz0OWsPnp0Z+lWX43wgfL1Ca+c5qoVk wd9Q== X-Gm-Message-State: AKwxytfw5n2lX1K160X8NyLUxIfkFxs9L0oRResS/9O80uO7H5D72QOA niwZCJIZAa5/ColM3adt/JyrW6qG4q0A/+vAyCazoA== X-Google-Smtp-Source: ACJfBovO35+1nmfcUInn2bfXOT+BRFJRUyan4es9jLHfDYd71yjSVPGRN6Ew3agXzntiPiVR4FKNusMw0tRc9N7/yLMfnQ== MIME-Version: 1.0 X-Received: by 10.157.68.193 with SMTP id p1mr2215747otg.108.1515186943958; Fri, 05 Jan 2018 13:15:43 -0800 (PST) Date: Fri, 5 Jan 2018 13:15:35 -0800 Message-Id: <20180105211536.11611-1-mjg59@google.com> X-Mailer: git-send-email 2.16.0.rc0.223.g4a4ac83678-goog X-EEMSG-check-009: 444-444 To: linux-integrity@vger.kernel.org X-Mailman-Approved-At: Fri, 05 Jan 2018 16:17:33 -0500 Subject: [PATCH V5 1/2] security: Add a cred_getsecid hook X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.21 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: From: Matthew Garrett via Selinux Reply-To: Matthew Garrett Cc: Matthew Garrett , linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, Dmitry Kasatkin , Stephen Smalley Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP For IMA purposes, we want to be able to obtain the prepared secid in the bprm structure before the credentials are committed. Add a cred_getsecid hook that makes this possible. Signed-off-by: Matthew Garrett Acked-by: Paul Moore Cc: Paul Moore Cc: Stephen Smalley Cc: Eric Paris Cc: selinux@tycho.nsa.gov Cc: Casey Schaufler Cc: linux-security-module@vger.kernel.org Cc: Mimi Zohar Cc: Dmitry Kasatkin Cc: linux-integrity@vger.kernel.org --- Ok, I'm taking a slightly different approach and just passing in the secid - for everything other than the CREDS_CHECK case this will be the task secid, for CREDS_CHECK it'll be the one associated with the BPRM structure. I believe that this results in zero functional change other than when dealing with the new functionality, and we can come back and rework this once we have a better idea about how IMA should be using secids in the first place. include/linux/lsm_hooks.h | 6 ++++++ include/linux/security.h | 1 + security/security.c | 7 +++++++ security/selinux/hooks.c | 6 ++++++ security/smack/smack_lsm.c | 18 ++++++++++++++++++ 5 files changed, 38 insertions(+) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 7161d8e7ee79..72932dabbaed 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -554,6 +554,10 @@ * @new points to the new credentials. * @old points to the original credentials. * Transfer data from original creds to new creds + * @cred_getsecid: + * Retrieve the security identifier of the cred structure @c + * @c contains the credentials, secid will be placed into @secid. + * In case of failure, @secid will be set to zero. * @kernel_act_as: * Set the credentials for a kernel service to act as (subjective context). * @new points to the credentials to be modified. @@ -1541,6 +1545,7 @@ union security_list_options { int (*cred_prepare)(struct cred *new, const struct cred *old, gfp_t gfp); void (*cred_transfer)(struct cred *new, const struct cred *old); + void (*cred_getsecid)(const struct cred *c, u32 *secid); int (*kernel_act_as)(struct cred *new, u32 secid); int (*kernel_create_files_as)(struct cred *new, struct inode *inode); int (*kernel_module_request)(char *kmod_name); @@ -1824,6 +1829,7 @@ struct security_hook_heads { struct list_head cred_free; struct list_head cred_prepare; struct list_head cred_transfer; + struct list_head cred_getsecid; struct list_head kernel_act_as; struct list_head kernel_create_files_as; struct list_head kernel_read_file; diff --git a/include/linux/security.h b/include/linux/security.h index 73f1ef625d40..5cfff15ac378 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -324,6 +324,7 @@ int security_cred_alloc_blank(struct cred *cred, gfp_t gfp); void security_cred_free(struct cred *cred); int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp); void security_transfer_creds(struct cred *new, const struct cred *old); +void security_cred_getsecid(const struct cred *c, u32 *secid); int security_kernel_act_as(struct cred *new, u32 secid); int security_kernel_create_files_as(struct cred *new, struct inode *inode); int security_kernel_module_request(char *kmod_name); diff --git a/security/security.c b/security/security.c index 1cd8526cb0b7..35cbd75844c2 100644 --- a/security/security.c +++ b/security/security.c @@ -1005,6 +1005,13 @@ void security_transfer_creds(struct cred *new, const struct cred *old) call_void_hook(cred_transfer, new, old); } +void security_cred_getsecid(const struct cred *c, u32 *secid) +{ + *secid = 0; + call_void_hook(cred_getsecid, c, secid); +} +EXPORT_SYMBOL(security_cred_getsecid); + int security_kernel_act_as(struct cred *new, u32 secid) { return call_int_hook(kernel_act_as, 0, new, secid); diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 8644d864e3c1..d3009c027de8 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3844,6 +3844,11 @@ static void selinux_cred_transfer(struct cred *new, const struct cred *old) *tsec = *old_tsec; } +static void selinux_cred_getsecid(const struct cred *c, u32 *secid) +{ + *secid = cred_sid(c); +} + /* * set the security data for a kernel service * - all the creation contexts are set to unlabelled @@ -6479,6 +6484,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(cred_free, selinux_cred_free), LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), + LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid), LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 14cc7940b36d..b27327ebb031 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -2049,6 +2049,23 @@ static void smack_cred_transfer(struct cred *new, const struct cred *old) /* cbs copy rule list */ } +/** + * smack_cred_getsecid - get the secid corresponding to a creds structure + * @c: the object creds + * @secid: where to put the result + * + * Sets the secid to contain a u32 version of the smack label. + */ +static void smack_cred_getsecid(const struct cred *c, u32 *secid) +{ + struct smack_known *skp; + + rcu_read_lock(); + skp = smk_of_task(c->security); + *secid = skp->smk_secid; + rcu_read_unlock(); +} + /** * smack_kernel_act_as - Set the subjective context in a set of credentials * @new: points to the set of credentials to be modified. @@ -4727,6 +4744,7 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(cred_free, smack_cred_free), LSM_HOOK_INIT(cred_prepare, smack_cred_prepare), LSM_HOOK_INIT(cred_transfer, smack_cred_transfer), + LSM_HOOK_INIT(cred_getsecid, smack_cred_getsecid), LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as), LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as), LSM_HOOK_INIT(task_setpgid, smack_task_setpgid),