From patchwork Fri Apr 13 10:13:15 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jann Horn via Selinux
X-Patchwork-Id: 10339741
To: selinux@tycho.nsa.gov
Date: Fri, 13 Apr 2018 11:13:15 +0100
Message-Id: <20180413101315.21749-1-richard_c_haines@btinternet.com>
X-Mailer: git-send-email 2.14.3
Subject: [PATCH] selinux-testsuite: Enhance inet_socket tests
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
From: Richard Haines via Selinux
Reply-To: Richard Haines

Enhance the tests as follows:
1) Determine number of tests to run with current config.
2) Add CALIPSO STREAM tests (DGRAM not supported in kernel. See [1]).
3) Add support for CIPSO TAGS 1 & 2. Closes [2].
4) Run scripts using /bin/sh.
5) Shorten sleep time as more tests.

[1] https://github.com/SELinuxProject/selinux-kernel/issues/24
[2] https://github.com/SELinuxProject/selinux-testsuite/issues/1

Signed-off-by: Richard Haines --- tests/inet_socket/calipso-flush | 5 + tests/inet_socket/calipso-load | 7 + tests/inet_socket/cipso-fl-flush | 0 tests/inet_socket/cipso-fl-load | 0 tests/inet_socket/cipso-flush | 0 tests/inet_socket/cipso-load-t1 | 11 + tests/inet_socket/cipso-load-t2 | 11 + tests/inet_socket/{cipso-load => cipso-load-t5} | 0 tests/inet_socket/ipsec-flush | 0 tests/inet_socket/ipsec-load | 0 tests/inet_socket/iptables-flush | 0 tests/inet_socket/iptables-load | 0 tests/inet_socket/server.c | 16 +- tests/inet_socket/test | 348 ++++++++++++++++++------ 14 files changed, 310 insertions(+), 88 deletions(-) create mode 100644 tests/inet_socket/calipso-flush create mode 100644 tests/inet_socket/calipso-load mode change 100755 => 100644 tests/inet_socket/cipso-fl-flush mode change 100755 => 100644 tests/inet_socket/cipso-fl-load mode change 100755 => 100644 tests/inet_socket/cipso-flush create mode 100644 tests/inet_socket/cipso-load-t1 create mode 100644 tests/inet_socket/cipso-load-t2 rename tests/inet_socket/{cipso-load => cipso-load-t5} (100%) mode change 100755 => 100644 mode change 100755 => 100644 tests/inet_socket/ipsec-flush mode change 100755 => 100644 tests/inet_socket/ipsec-load mode change 100755 => 100644 tests/inet_socket/iptables-flush mode change 100755 => 100644 tests/inet_socket/iptables-load mode change 100755 => 100644 tests/inet_socket/test diff --git a/tests/inet_socket/calipso-flush b/tests/inet_socket/calipso-flush new file mode 100644 index 0000000..5143962 --- /dev/null +++ b/tests/inet_socket/calipso-flush @@ -0,0 +1,5 @@ +#!/bin/sh +# Reset NetLabel configuration to unlabeled after CALIPSO/IPv6 tests. +netlabelctl map del default +netlabelctl calipso del doi:16 +netlabelctl map add default protocol:unlbl diff --git a/tests/inet_socket/calipso-load b/tests/inet_socket/calipso-load new file mode 100644 index 0000000..4bb9c7f --- /dev/null +++ b/tests/inet_socket/calipso-load 
@@ -0,0 +1,7 @@ +#!/bin/sh +# Define a doi for testing loopback for CALIPSO/IPv6. +netlabelctl calipso add pass doi:16 +netlabelctl map del default +netlabelctl map add default address:0.0.0.0/0 protocol:unlbl +netlabelctl map add default address:::/0 protocol:unlbl +netlabelctl map add default address:::1 protocol:calipso,16 diff --git a/tests/inet_socket/cipso-fl-flush b/tests/inet_socket/cipso-fl-flush old mode 100755 new mode 100644 diff --git a/tests/inet_socket/cipso-fl-load b/tests/inet_socket/cipso-fl-load old mode 100755 new mode 100644 diff --git a/tests/inet_socket/cipso-flush b/tests/inet_socket/cipso-flush old mode 100755 new mode 100644 diff --git a/tests/inet_socket/cipso-load-t1 b/tests/inet_socket/cipso-load-t1 new file mode 100644 index 0000000..974e746 --- /dev/null +++ b/tests/inet_socket/cipso-load-t1 @@ -0,0 +1,11 @@ +#!/bin/sh +# Based on http://paulmoore.livejournal.com/7234.html. +# +# Modifications: +# - Defined a doi for testing loopback for CIPSOv4. + +netlabelctl cipsov4 add pass doi:16 tags:1 +netlabelctl map del default +netlabelctl map add default address:0.0.0.0/0 protocol:unlbl +netlabelctl map add default address:::/0 protocol:unlbl +netlabelctl map add default address:127.0.0.1 protocol:cipsov4,16 diff --git a/tests/inet_socket/cipso-load-t2 b/tests/inet_socket/cipso-load-t2 new file mode 100644 index 0000000..9892f81 --- /dev/null +++ b/tests/inet_socket/cipso-load-t2 @@ -0,0 +1,11 @@ +#!/bin/sh +# Based on http://paulmoore.livejournal.com/7234.html. +# +# Modifications: +# - Defined a doi for testing loopback for CIPSOv4. + +netlabelctl cipsov4 add pass doi:16 tags:2 +netlabelctl map del default +netlabelctl map add default address:0.0.0.0/0 protocol:unlbl +netlabelctl map add default address:::/0 protocol:unlbl +netlabelctl map add default address:127.0.0.1 protocol:cipsov4,16 
diff --git a/tests/inet_socket/cipso-load b/tests/inet_socket/cipso-load-t5 old mode 100755 new mode 100644 similarity index 100% rename from tests/inet_socket/cipso-load rename to tests/inet_socket/cipso-load-t5 diff --git a/tests/inet_socket/ipsec-flush b/tests/inet_socket/ipsec-flush old mode 100755 new mode 100644 diff --git a/tests/inet_socket/ipsec-load b/tests/inet_socket/ipsec-load old mode 100755 new mode 100644 diff --git a/tests/inet_socket/iptables-flush b/tests/inet_socket/iptables-flush old mode 100755 new mode 100644 diff --git a/tests/inet_socket/iptables-load b/tests/inet_socket/iptables-load old mode 100755 new mode 100644 diff --git a/tests/inet_socket/server.c b/tests/inet_socket/server.c index 2801397..c8383b4 100644 --- a/tests/inet_socket/server.c +++ b/tests/inet_socket/server.c @@ -79,11 +79,17 @@ int main(int argc, char **argv) perror("socket"); exit(1); } - result = setsockopt(sock, SOL_IP, IP_PASSSEC, &on, sizeof(on)); - if (result < 0) { - perror("setsockopt: SO_PASSSEC"); - close(sock); - exit(1); + + /* Allow retrieval of UDP/Datagram security contexts for IPv4 as + * IPv6 is not currently supported. + */ + if (hints.ai_socktype == SOCK_DGRAM) { + result = setsockopt(sock, SOL_IP, IP_PASSSEC, &on, sizeof(on)); + if (result < 0) { + perror("setsockopt: IP_PASSSEC"); + close(sock); + exit(1); + } } result = setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)); diff --git a/tests/inet_socket/test b/tests/inet_socket/test old mode 100755 new mode 100644 index 0bda2a4..6684260 --- a/tests/inet_socket/test +++ b/tests/inet_socket/test 
@@ -2,27 +2,43 @@ use Test::More; BEGIN { - # check if ip xfrm supports ctx parameter - if ( system("ip xfrm policy help 2>&1 | grep -q ctx") != 0 ) { - plan skip_all => "ctx not supported in ip xfrm policy"; + $basedir = $0; + $basedir =~ s|(.*)/[^/]*|$1|; + + $test_count = 38; + + $test_ipsec = 0; + if ( system("ip xfrm policy help 2>&1 | grep -q ctx") eq 0 ) { + $test_count += 8; + $test_ipsec = 1; } - else { - plan tests => 33; + + # Determine if CALIPSO supported by netlabelctl(8) and kernel. + $test_calipso_stream = 0; + $netlabelctl = `netlabelctl -V`; + $netlabelctl =~ s/\D//g; + $kvercur = `uname -r`; + chomp($kvercur); + $kverminstream = "4.8"; + + $rc = `$basedir/../kvercmp $kvercur $kverminstream`; + if ( $netlabelctl gt "021" and $rc > 0 ) { + $test_count += 3; + $test_calipso_stream = 1; } -} -$basedir = $0; -$basedir =~ s|(.*)/[^/]*|$1|; + plan tests => $test_count; +} -# Load NetLabel configuration for full CIPSO4 labeling over loopback. -system "$basedir/cipso-fl-load"; +# Load NetLabel configuration for full CIPSO/IPv4 labeling over loopback. +system "/bin/sh $basedir/cipso-fl-load"; # Start the stream server. if ( ( $pid = fork() ) == 0 ) { exec "runcon -t test_inet_server_t $basedir/server stream 65535"; } -sleep 1; # Give it a moment to initialize. +select( undef, undef, undef, 0.25 ); # Give it a moment to initialize. # Verify that authorized client can communicate with the server. $result = @@ -42,7 +58,7 @@ if ( ( $pid = fork() ) == 0 ) { exec "runcon -t test_inet_server_t $basedir/server dgram 65535"; } -sleep 1; # Give it a moment to initialize +select( undef, undef, undef, 0.25 ); # Give it a moment to initialize # Verify that authorized client can communicate with the server. $result = 
@@ -58,32 +74,90 @@ ok( $result >> 8 eq 9 ); kill TERM, $pid; # Flush NetLabel configuration. -system "$basedir/cipso-fl-flush"; +system "/bin/sh $basedir/cipso-fl-flush"; + +# Load NetLabel configuration for CIPSO/IPv4 using TAG 1 over loopback. +system "/bin/sh $basedir/cipso-load-t1"; + +# Start the stream server with a defined level. +if ( ( $pid = fork() ) == 0 ) { + exec +"runcon -t test_inet_server_t -l s0:c20.c250 $basedir/server stream 65535"; +} + +select( undef, undef, undef, 0.25 ); # Give it a moment to initialize. + +# Verify that authorized client can communicate with the server using level within T1 range. +$result = system +"runcon -t test_inet_client_t -l s0:c61.c239 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c61.c239 stream 127.0.0.1 65535"; +ok( $result eq 0 ); + +# Verify that authorized client cannot communicate with the server using different level. +$result = system +"runcon -t test_inet_client_t -l s0:c19,c120 $basedir/client stream 127.0.0.1 65535 2>&1"; +ok( $result >> 8 eq 5 ); + +# TAG 1 allows categories 0 to 239 to be sent, if greater then ENOSPC (No space left on device) +$result = system +"runcon -t test_inet_client_t -l s0:c0.c240 $basedir/client stream 127.0.0.1 65535 2>&1"; +ok( $result >> 8 eq 5 ); + +# Kill the server. +kill TERM, $pid; + +# Start the dgram server with a defined level. +if ( ( $pid = fork() ) == 0 ) { + exec + "runcon -t test_inet_server_t -l s0:c20.c50 $basedir/server dgram 65535"; +} + +select( undef, undef, undef, 0.25 ); # Give it a moment to initialize. + +# Verify that authorized client can communicate with the server using same levels. +$result = system +"runcon -t test_inet_client_t -l s0:c20.c50 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c20.c50 dgram 127.0.0.1 65535"; +ok( $result eq 0 ); + +# Verify that authorized client cannot communicate with the server using levels dominating the server. 
+$result = system +"runcon -t test_inet_client_t -l s0:c40.c51 $basedir/client dgram 127.0.0.1 65535 2>&1"; +ok( $result >> 8 eq 9 ); + +# Kill the server. +kill TERM, $pid; + +# Flush NetLabel configuration. +system "/bin/sh $basedir/cipso-flush"; -# Load NetLabel configuration for CIPSO4 over loopback. -system "$basedir/cipso-load"; +# Load NetLabel configuration for CIPSO/IPv4 using TAG 2 over loopback. +system "/bin/sh $basedir/cipso-load-t2"; # Start the stream server with a defined level. if ( ( $pid = fork() ) == 0 ) { exec - "runcon -t test_inet_server_t -l s0:c0.c10 $basedir/server stream 65535"; + "runcon -t test_inet_server_t -l s0:c0.c100 $basedir/server stream 65535"; } -sleep 1; # Give it a moment to initialize. +select( undef, undef, undef, 0.25 ); # Give it a moment to initialize. # Verify that authorized client can communicate with the server using level. $result = system -"runcon -t test_inet_client_t -l s0:c0.c10 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c10 stream 127.0.0.1 65535"; +"runcon -t test_inet_client_t -l s0:c90.c100 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c90.c100 stream 127.0.0.1 65535"; ok( $result eq 0 ); # Verify that authorized client can communicate with the server using level. $result = system -"runcon -t test_inet_client_t -l s0:c8.c10 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c8.c10 stream 127.0.0.1 65535"; +"runcon -t test_inet_client_t -l s0:c0.c14 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c14 stream 127.0.0.1 65535"; ok( $result eq 0 ); # Verify that authorized client cannot communicate with the server using different level. 
$result = system -"runcon -t test_inet_client_t -l s0:c8.c12 $basedir/client stream 127.0.0.1 65535 2>&1"; +"runcon -t test_inet_client_t -l s0:c101 $basedir/client stream 127.0.0.1 65535 2>&1"; +ok( $result >> 8 eq 5 ); + +# TAG 2 allows a maximum of 15 categories in exchange, if greater then ENOSPC (No space left on device) +$result = system +"runcon -t test_inet_client_t -l s0:c0.c16 -- $basedir/client dgram 127.0.0.1 65535 2>&1"; ok( $result >> 8 eq 5 ); # Kill the server. 
@@ -92,26 +166,95 @@ kill TERM, $pid; # Start the dgram server with a defined level. if ( ( $pid = fork() ) == 0 ) { exec - "runcon -t test_inet_server_t -l s0:c20.c50 $basedir/server dgram 65535"; + "runcon -t test_inet_server_t -l s0:c0.c14 $basedir/server dgram 65535"; } -sleep 1; # Give it a moment to initialize. +select( undef, undef, undef, 0.25 ); # Give it a moment to initialize. # Verify that authorized client can communicate with the server using same levels. $result = system -"runcon -t test_inet_client_t -l s0:c20.c50 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c20.c50 dgram 127.0.0.1 65535"; +"runcon -t test_inet_client_t -l s0:c0.c14 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c14 dgram 127.0.0.1 65535"; ok( $result eq 0 ); # Verify that authorized client cannot communicate with the server using levels dominating the server. $result = system -"runcon -t test_inet_client_t -l s0:c40.c51 $basedir/client dgram 127.0.0.1 65535 2>&1"; +"runcon -t test_inet_client_t -l s0:c15 $basedir/client dgram 127.0.0.1 65535 2>&1"; ok( $result >> 8 eq 9 ); # Kill the server. kill TERM, $pid; # Flush NetLabel configuration. -system "$basedir/cipso-flush"; +system "/bin/sh $basedir/cipso-flush"; + +# Load NetLabel configuration for CIPSO/IPv4 using TAG 5 over loopback. +# TAG 5 allows a maximum of 7 ranges in exchange, if greater then ENOSPC (No space left on device), however +# note from kernel net/ipv4/cipso_ipv4.c comments: +# * You may note that the IETF draft states that the maximum number +# * of category ranges is 7, but if the low end of the last category range is +# * zero then it is possible to fit 8 category ranges because the zero should +# * be omitted. */ +system "/bin/sh $basedir/cipso-load-t5"; + +# Start the stream server with a defined level. 
+if ( ( $pid = fork() ) == 0 ) { + exec + "runcon -t test_inet_server_t -l s0:c0.c100 $basedir/server stream 65535"; +} + +select( undef, undef, undef, 0.25 ); # Give it a moment to initialize. + +# Verify that authorized client can communicate with the server using level. +$result = system +"runcon -t test_inet_client_t -l s0:c0.c100 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c100 stream 127.0.0.1 65535"; +ok( $result eq 0 ); + +# Verify that authorized client can communicate with the server using level. +$result = system +"runcon -t test_inet_client_t -l s0:c8.c100 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c8.c100 stream 127.0.0.1 65535"; +ok( $result eq 0 ); + +# Verify that authorized client cannot communicate with the server using different level. +$result = system +"runcon -t test_inet_client_t -l s0:c8.c101 $basedir/client stream 127.0.0.1 65535 2>&1"; +ok( $result >> 8 eq 5 ); + +# Verify ok with the 8 entries when cat c0: +$result = system +"runcon -t test_inet_client_t -l s0:c0.c3,c20.c25,c30.c36,c40.c45,c50.c55,c60.c66,c70.c78,c80.c88 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c3,c20.c25,c30.c36,c40.c45,c50.c55,c60.c66,c70.c78,c80.c88 stream 127.0.0.1 65535"; +ok( $result eq 0 ); + +# Verify fail with the 8 entries when cat !c0: +$result = system +"runcon -t test_inet_client_t -l s0:c20.c25,c30.c36,c40.c45,c50.c55,c60.c66,c70.c78,c80.c88,c90.c99 $basedir/client stream 127.0.0.1 65535 2>&1"; +ok( $result >> 8 eq 5 ); + +# Kill the server. +kill TERM, $pid; + +# Start the dgram server with a defined level. +if ( ( $pid = fork() ) == 0 ) { + exec + "runcon -t test_inet_server_t -l s0:c0.c100 $basedir/server dgram 65535"; +} + +select( undef, undef, undef, 0.25 ); # Give it a moment to initialize. + +# Verify that authorized client can communicate with the server using same levels. 
+$result = system +"runcon -t test_inet_client_t -l s0:c0.c100 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c100 dgram 127.0.0.1 65535"; +ok( $result eq 0 ); + +# Verify that authorized client cannot communicate with the server using levels dominating the server. +$result = system +"runcon -t test_inet_client_t -l s0:c40.c101 $basedir/client dgram 127.0.0.1 65535 2>&1"; +ok( $result >> 8 eq 9 ); + +# Kill the server. +kill TERM, $pid; + +# Flush NetLabel configuration. +system "/bin/sh $basedir/cipso-flush"; # Verify that authorized domain can bind UDP sockets. $result = system "runcon -t test_inet_bind_t -- $basedir/bind dgram 65535 2>&1"; 
@@ -151,91 +294,96 @@ $result = system "runcon -t test_inet_no_name_connect_t -- $basedir/connect 65535 2>&1"; ok($result); -# Load IPSEC configuration. -system "$basedir/ipsec-load"; +if ($test_ipsec) { -# Start the stream server. -if ( ( $pid = fork() ) == 0 ) { - exec "runcon -t test_inet_server_t $basedir/server stream 65535"; -} + # Load IPSEC configuration. + system "/bin/sh $basedir/ipsec-load"; -sleep 1; # Give it a moment to initialize. + # Start the stream server. + if ( ( $pid = fork() ) == 0 ) { + exec "runcon -t test_inet_server_t $basedir/server stream 65535"; + } -# Verify that authorized client can communicate with the server. -$result = - system "runcon -t test_inet_client_t $basedir/client stream 127.0.0.1 65535"; -ok( $result eq 0 ); + select( undef, undef, undef, 0.25 ); # Give it a moment to initialize. -# Verify that unauthorized client cannot communicate with the server. -$result = system + # Verify that authorized client can communicate with the server. + $result = + system + "runcon -t test_inet_client_t $basedir/client stream 127.0.0.1 65535"; + ok( $result eq 0 ); + + # Verify that unauthorized client cannot communicate with the server. + $result = system "runcon -t test_inet_bad_client_t -- $basedir/client stream 127.0.0.1 65535 2>&1"; -ok( $result >> 8 eq 5 ); + ok( $result >> 8 eq 5 ); -# Verify that authorized client can communicate with the server. -$result = - system "runcon -t test_inet_client_t $basedir/client stream ::1 65535"; -ok( $result eq 0 ); + # Verify that authorized client can communicate with the server. + $result = + system "runcon -t test_inet_client_t $basedir/client stream ::1 65535"; + ok( $result eq 0 ); -# Verify that unauthorized client cannot communicate with the server. -$result = system - "runcon -t test_inet_bad_client_t -- $basedir/client stream ::1 65535 2>&1"; -ok( $result >> 8 eq 5 ); + # Verify that unauthorized client cannot communicate with the server. 
+ $result = system +"runcon -t test_inet_bad_client_t -- $basedir/client stream ::1 65535 2>&1"; + ok( $result >> 8 eq 5 ); -# Kill the server. -kill TERM, $pid; + # Kill the server. + kill TERM, $pid; -# Start the dgram server. -if ( ( $pid = fork() ) == 0 ) { - exec "runcon -t test_inet_server_t $basedir/server dgram 65535"; -} + # Start the dgram server. + if ( ( $pid = fork() ) == 0 ) { + exec "runcon -t test_inet_server_t $basedir/server dgram 65535"; + } -sleep 1; # Give it a moment to initialize + select( undef, undef, undef, 0.25 ); # Give it a moment to initialize -# Verify that authorized client can communicate with the server. -$result = - system "runcon -t test_inet_client_t $basedir/client dgram 127.0.0.1 65535"; -ok( $result eq 0 ); + # Verify that authorized client can communicate with the server. + $result = + system + "runcon -t test_inet_client_t $basedir/client dgram 127.0.0.1 65535"; + ok( $result eq 0 ); -# Verify that unauthorized client cannot communicate with the server. -$result = system + # Verify that unauthorized client cannot communicate with the server. + $result = system "runcon -t test_inet_bad_client_t -- $basedir/client dgram 127.0.0.1 65535 2>&1"; -ok( $result >> 8 eq 8 ); + ok( $result >> 8 eq 8 ); -# Verify that unauthorized client cannot communicate with the server. -$result = system - "runcon -t test_inet_bad_client_t -- $basedir/client dgram ::1 65535 2>&1"; -ok( $result >> 8 eq 8 ); + # Verify that unauthorized client cannot communicate with the server. + $result = system +"runcon -t test_inet_bad_client_t -- $basedir/client dgram ::1 65535 2>&1"; + ok( $result >> 8 eq 8 ); -# Kill the server. -kill TERM, $pid; + # Kill the server. + kill TERM, $pid; # Start the dgram server for IPSEC test using IPv6 but do not request peer context. 
-if ( ( $pid = fork() ) == 0 ) { - exec "runcon -t test_inet_server_t $basedir/server -n dgram 65535"; -} + if ( ( $pid = fork() ) == 0 ) { + exec "runcon -t test_inet_server_t $basedir/server -n dgram 65535"; + } -sleep 1; # Give it a moment to initialize + select( undef, undef, undef, 0.25 ); # Give it a moment to initialize -# This test now passes. -$result = system - "runcon -t test_inet_client_t $basedir/client -e nopeer dgram ::1 65535"; -ok( $result eq 0 ); + # This test now passes. + $result = system + "runcon -t test_inet_client_t $basedir/client -e nopeer dgram ::1 65535"; + ok( $result eq 0 ); -# Kill the server. -kill TERM, $pid; + # Kill the server. + kill TERM, $pid; -# Flush IPSEC configuration. -system "$basedir/ipsec-flush"; + # Flush IPSEC configuration. + system "/bin/sh $basedir/ipsec-flush"; +} # Load iptables (IPv4 & IPv6) configuration. -system "$basedir/iptables-load"; +system "/bin/sh $basedir/iptables-load"; # Start the stream server. if ( ( $pid = fork() ) == 0 ) { exec "runcon -t test_inet_server_t -- $basedir/server -n stream 65535"; } -sleep 1; # Give it a moment to initialize. +select( undef, undef, undef, 0.25 ); # Give it a moment to initialize. # Verify that authorized client can communicate with the server. $result = system @@ -265,7 +413,7 @@ if ( ( $pid = fork() ) == 0 ) { exec "runcon -t test_inet_server_t $basedir/server -n dgram 65535"; } -sleep 1; # Give it a moment to initialize +select( undef, undef, undef, 0.25 ); # Give it a moment to initialize # Verify that authorized client can communicate with the server. $result = system 
@@ -291,6 +439,40 @@ ok( $result >> 8 eq 8 ); kill TERM, $pid; # Flush iptables configuration. -system "$basedir/iptables-flush"; +system "/bin/sh $basedir/iptables-flush"; + +if ($test_calipso_stream) { + + # Load NetLabel configuration for CALIPSO/IPv6 labeling over loopback. + system "/bin/sh $basedir/calipso-load"; + + # Start the stream server. + if ( ( $pid = fork() ) == 0 ) { + exec +"runcon -t test_inet_server_t -l s0:c0.c10 $basedir/server stream 65535"; + } + + select( undef, undef, undef, 0.25 ); # Give it a moment to initialize. + + # Verify that authorized client can communicate with the server. + $result = system +"runcon -t test_inet_client_t -l s0:c0.c10 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c10 stream ::1 65535"; + ok( $result eq 0 ); + +# Verify that authorized client can communicate with the server using different valid level. + $result = system +"runcon -t test_inet_client_t -l s0:c8.c10 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c8.c10 stream ::1 65535"; + ok( $result eq 0 ); + +# Verify that authorized client cannot communicate with the server using invalid level. + $result = system +"runcon -t test_inet_client_t -l s0:c8.c12 -- $basedir/client stream ::1 65535 2>&1"; + ok( $result >> 8 eq 5 ); + + # Kill the stream server. + kill TERM, $pid; + + system "/bin/sh $basedir/calipso-flush"; +} exit;