From patchwork Tue Feb 13 20:56:24 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jann Horn via Selinux
X-Patchwork-Id: 10217621
To: selinux@tycho.nsa.gov, netdev@vger.kernel.org, linux-sctp@vger.kernel.org, linux-security-module@vger.kernel.org
Date: Tue, 13 Feb 2018 20:56:24 +0000
Message-Id: <20180213205624.4617-1-richard_c_haines@btinternet.com>
X-Mailer: git-send-email 2.14.3
Subject: [PATCH V6 3/4] sctp: Add LSM hooks
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
From: Richard Haines via Selinux Reply-To: Richard Haines Cc: marcelo.leitner@gmail.com, nhorman@tuxdriver.com, vyasevich@gmail.com, james.l.morris@oracle.com, sds@tycho.nsa.gov Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP Add security hooks allowing security modules to exercise access control over SCTP. Signed-off-by: Richard Haines --- include/net/sctp/structs.h | 10 ++++++++ include/uapi/linux/sctp.h | 1 + net/sctp/sm_make_chunk.c | 12 +++++++++ net/sctp/sm_statefuns.c | 18 ++++++++++++++ net/sctp/socket.c | 62 +++++++++++++++++++++++++++++++++++++++++++++- 5 files changed, 102 insertions(+), 1 deletion(-) diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h index ead5fce..7a23896 100644 --- a/include/net/sctp/structs.h +++ b/include/net/sctp/structs.h @@ -1318,6 +1318,16 @@ struct sctp_endpoint { reconf_enable:1; __u8 strreset_enable; + + /* Security identifiers from incoming (INIT). These are set by + * security_sctp_assoc_request(). These will only be used by + * SCTP TCP type sockets and peeled off connections as they + * cause a new socket to be generated. security_sctp_sk_clone() + * will then plug these into the new socket. + */ + + u32 secid; + u32 peer_secid; }; /* Recover the outter endpoint structure. */ diff --git a/include/uapi/linux/sctp.h b/include/uapi/linux/sctp.h index 4c4db14..64736ed 100644 --- a/include/uapi/linux/sctp.h +++ b/include/uapi/linux/sctp.h @@ -126,6 +126,7 @@ typedef __s32 sctp_assoc_t; #define SCTP_STREAM_SCHEDULER 123 #define SCTP_STREAM_SCHEDULER_VALUE 124 #define SCTP_INTERLEAVING_SUPPORTED 125 +#define SCTP_SENDMSG_CONNECT 126 /* PR-SCTP policies */ #define SCTP_PR_SCTP_NONE 0x0000 diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c index d01475f..70274ae 100644 --- a/net/sctp/sm_make_chunk.c +++ b/net/sctp/sm_make_chunk.c 
@@ -3071,6 +3071,12 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc, if (af->is_any(&addr)) memcpy(&addr, &asconf->source, sizeof(addr)); + if (security_sctp_bind_connect(asoc->ep->base.sk, + SCTP_PARAM_ADD_IP, + (struct sockaddr *)&addr, + af->sockaddr_len)) + return SCTP_ERROR_REQ_REFUSED; + /* ADDIP 4.3 D9) If an endpoint receives an ADD IP address * request and does not have the local resources to add this * new address to the association, it MUST return an Error @@ -3137,6 +3143,12 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc, if (af->is_any(&addr)) memcpy(&addr.v4, sctp_source(asconf), sizeof(addr)); + if (security_sctp_bind_connect(asoc->ep->base.sk, + SCTP_PARAM_SET_PRIMARY, + (struct sockaddr *)&addr, + af->sockaddr_len)) + return SCTP_ERROR_REQ_REFUSED; + peer = sctp_assoc_lookup_paddr(asoc, &addr); if (!peer) return SCTP_ERROR_DNS_FAILED; diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index eb7905f..42659ab 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c @@ -321,6 +321,11 @@ enum sctp_disposition sctp_sf_do_5_1B_init(struct net *net, struct sctp_packet *packet; int len; + /* Update socket peer label if first association. */ + if (security_sctp_assoc_request((struct sctp_endpoint *)ep, + chunk->skb)) + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + /* 6.10 Bundling * An endpoint MUST NOT bundle INIT, INIT ACK or * SHUTDOWN COMPLETE with any other chunks. @@ -908,6 +913,9 @@ enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net, */ sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); + /* Set peer label for connection. */ + security_inet_conn_established(ep->base.sk, chunk->skb); + /* RFC 2960 5.1 Normal Establishment of an Association * * E) Upon reception of the COOKIE ACK, endpoint "A" will move 
@@ -1436,6 +1444,11 @@ static enum sctp_disposition sctp_sf_do_unexpected_init( struct sctp_packet *packet; int len; + /* Update socket peer label if first association. */ + if (security_sctp_assoc_request((struct sctp_endpoint *)ep, + chunk->skb)) + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + /* 6.10 Bundling * An endpoint MUST NOT bundle INIT, INIT ACK or * SHUTDOWN COMPLETE with any other chunks. @@ -2106,6 +2119,11 @@ enum sctp_disposition sctp_sf_do_5_2_4_dupcook( } } + /* Update socket peer label if first association. */ + if (security_sctp_assoc_request((struct sctp_endpoint *)ep, + chunk->skb)) + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + /* Set temp so that it won't be added into hashtable */ new_asoc->temp = 1; diff --git a/net/sctp/socket.c b/net/sctp/socket.c index 8307968..a5519d2 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -1043,6 +1043,12 @@ static int sctp_setsockopt_bindx(struct sock *sk, /* Do the work. */ switch (op) { case SCTP_BINDX_ADD_ADDR: + /* Allow security module to validate bindx addresses. */ + err = security_sctp_bind_connect(sk, SCTP_SOCKOPT_BINDX_ADD, + (struct sockaddr *)kaddrs, + addrs_size); + if (err) + goto out; err = sctp_bindx_add(sk, kaddrs, addrcnt); if (err) goto out; @@ -1252,6 +1258,7 @@ static int __sctp_connect(struct sock *sk, if (assoc_id) *assoc_id = asoc->assoc_id; + err = sctp_wait_for_connect(asoc, &timeo); /* Note: the asoc may be freed after the return of * sctp_wait_for_connect. @@ -1347,7 +1354,16 @@ static int __sctp_setsockopt_connectx(struct sock *sk, if (unlikely(IS_ERR(kaddrs))) return PTR_ERR(kaddrs); + /* Allow security module to validate connectx addresses. */ + err = security_sctp_bind_connect(sk, SCTP_SOCKOPT_CONNECTX, + (struct sockaddr *)kaddrs, + addrs_size); + if (err) + goto out_free; + err = __sctp_connect(sk, kaddrs, addrs_size, assoc_id); + +out_free: kvfree(kaddrs); return err; 
@@ -1615,6 +1631,7 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len) struct sctp_transport *transport, *chunk_tp; struct sctp_chunk *chunk; union sctp_addr to; + struct sctp_af *af; struct sockaddr *msg_name = NULL; struct sctp_sndrcvinfo default_sinfo; struct sctp_sndrcvinfo *sinfo; @@ -1844,6 +1861,24 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len) } scope = sctp_scope(&to); + + /* Label connection socket for first association 1-to-many + * style for client sequence socket()->sendmsg(). This + * needs to be done before sctp_assoc_add_peer() as that will + * set up the initial packet that needs to account for any + * security ip options (CIPSO/CALIPSO) added to the packet. + */ + af = sctp_get_af_specific(to.sa.sa_family); + if (!af) { + err = -EINVAL; + goto out_unlock; + } + err = security_sctp_bind_connect(sk, SCTP_SENDMSG_CONNECT, + (struct sockaddr *)&to, + af->sockaddr_len); + if (err < 0) + goto out_unlock; + new_asoc = sctp_association_new(ep, sk, scope, GFP_KERNEL); if (!new_asoc) { err = -ENOMEM; @@ -2909,6 +2944,8 @@ static int sctp_setsockopt_primary_addr(struct sock *sk, char __user *optval, { struct sctp_prim prim; struct sctp_transport *trans; + struct sctp_af *af; + int err; if (optlen != sizeof(struct sctp_prim)) return -EINVAL; @@ -2916,6 +2953,17 @@ static int sctp_setsockopt_primary_addr(struct sock *sk, char __user *optval, if (copy_from_user(&prim, optval, sizeof(struct sctp_prim))) return -EFAULT; + /* Allow security module to validate address but need address len. */ + af = sctp_get_af_specific(prim.ssp_addr.ss_family); + if (!af) + return -EINVAL; + + err = security_sctp_bind_connect(sk, SCTP_PRIMARY_ADDR, + (struct sockaddr *)&prim.ssp_addr, + af->sockaddr_len); + if (err) + return err; + trans = sctp_addr_id2transport(sk, &prim.ssp_addr, prim.ssp_assoc_id); if (!trans) return -EINVAL; 
@@ -3248,6 +3296,13 @@ static int sctp_setsockopt_peer_primary_addr(struct sock *sk, char __user *optva if (!sctp_assoc_lookup_laddr(asoc, (union sctp_addr *)&prim.sspp_addr)) return -EADDRNOTAVAIL; + /* Allow security module to validate address. */ + err = security_sctp_bind_connect(sk, SCTP_SET_PEER_PRIMARY_ADDR, + (struct sockaddr *)&prim.sspp_addr, + af->sockaddr_len); + if (err) + return err; + /* Create an ASCONF chunk with SET_PRIMARY parameter */ chunk = sctp_make_asconf_set_prim(asoc, (union sctp_addr *)&prim.sspp_addr); @@ -8347,6 +8402,8 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk, { struct inet_sock *inet = inet_sk(sk); struct inet_sock *newinet; + struct sctp_sock *sp = sctp_sk(sk); + struct sctp_endpoint *ep = sp->ep; newsk->sk_type = sk->sk_type; newsk->sk_bound_dev_if = sk->sk_bound_dev_if; @@ -8389,7 +8446,10 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk, if (newsk->sk_flags & SK_FLAGS_TIMESTAMP) net_enable_timestamp(); - security_sk_clone(sk, newsk); + /* Set newsk security attributes from orginal sk and connection + * security attribute from ep. + */ + security_sctp_sk_clone(ep, sk, newsk); } static inline void sctp_copy_descendant(struct sock *sk_to,
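Review bot: in the include/net/sctp/structs.h hunk, the comment added to struct sctp_endpoint does not say which of secid and peer_secid holds which label, and a blank line separates the comment from the two fields it documents. Suggest one short description per field (which one is the endpoint's own label and which one is the peer's) and dropping the blank line so the comment sits directly on "u32 secid;".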
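Review bot: "#define SCTP_SENDMSG_CONNECT 126" in the include/uapi/linux/sctp.h hunk is added to the user-visible socket option numbering, but the only use in this patch is as the optname argument of security_sctp_bind_connect() in sctp_sendmsg(); no setsockopt or getsockopt case is added for it. Please add a comment next to the define stating that it is an internal selector for the LSM hook, or explain in the commit message why it has to live in the uapi header, since a number placed there cannot be reused later.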
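Review bot: the two net/sctp/sm_make_chunk.c hunks in sctp_process_asconf_param() pass SCTP_PARAM_ADD_IP and SCTP_PARAM_SET_PRIMARY as the second argument of security_sctp_bind_connect(), while the net/sctp/socket.c callers pass socket option constants (SCTP_SOCKOPT_BINDX_ADD, SCTP_PRIMARY_ADDR and so on), so one argument carries values from two different namespaces. The accepted set of values should be documented with the hook so that a security module author knows what to switch on. Both call sites also turn any non-zero return into SCTP_ERROR_REQ_REFUSED; a one-line comment saying that the LSM error code is deliberately not propagated to the peer would help.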
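Review bot: in the net/sctp/sm_statefuns.c hunks for sctp_sf_do_5_1B_init(), sctp_sf_do_unexpected_init() and sctp_sf_do_5_2_4_dupcook(), the "(struct sctp_endpoint *)ep" cast at each security_sctp_assoc_request() call is unexplained. If ep is const-qualified in these state functions, the cast discards that qualifier for a hook which, according to the new comment in structs.h, sets ep->secid and ep->peer_secid. Please say so in the comment above the call. The same comment should also state that a hook failure drops the packet through sctp_sf_pdiscard() without a reply to the peer, if that is the intended behaviour.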
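Review bot: the __sctp_connect() hunk in net/sctp/socket.c (@@ -1252,6 +1258,7) adds only an empty line before "err = sctp_wait_for_connect(asoc, &timeo);". This is an unrelated whitespace change and should be dropped from the patch.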
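Review bot: the sctp_sendmsg() hunk checks the hook result with "if (err < 0)" while every other security_sctp_bind_connect() call site in this patch uses "if (err)" or tests the return value directly. Use one form throughout, so that a positive return value from a security module cannot be treated as success here and as failure elsewhere.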
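Review bot: the sctp_setsockopt_peer_primary_addr() hunk uses "af->sockaddr_len" and assigns "err" without declaring or initialising either in the visible lines, whereas the sctp_setsockopt_primary_addr() hunk adds both the declarations and an "af = sctp_get_af_specific(...)" lookup with a NULL check. Please confirm that af has already been looked up and checked earlier in this function for prim.sspp_addr, and mention it in the new comment as the primary_addr comment does ("but need address len").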
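Review bot: in the sctp_copy_sock() hunk the new comment misspells "original" as "orginal", and the local "sp" is introduced only to read sp->ep once. Suggest fixing the spelling and either dropping sp in favour of "sctp_sk(sk)->ep" or keeping a single ep local. Since security_sk_clone() is replaced rather than supplemented, the comment should also state that security_sctp_sk_clone() is expected to cover what security_sk_clone() did for the new socket.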