From patchwork Mon Jul 16 18:24:18 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 10527573 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 327806037E for ; Mon, 16 Jul 2018 18:42:38 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 61AA628F29 for ; Mon, 16 Jul 2018 18:42:36 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 5584428F52; Mon, 16 Jul 2018 18:42:36 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.3 required=2.0 tests=BAYES_00,DKIM_SIGNED, MAILING_LIST_MULTI, NO_RDNS_DOTCOM_HELO, RCVD_IN_DNSWL_MED, T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from uhil19pa09.eemsg.mail.mil (uhil19pa09.eemsg.mail.mil [214.24.21.82]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C34CD28F29 for ; Mon, 16 Jul 2018 18:42:34 +0000 (UTC) Received: from emsm-gh1-uea11.ncsc.mil ([214.29.60.3]) by uhil19pa09.eemsg.mail.mil with ESMTP; 16 Jul 2018 18:42:34 +0000 X-IronPort-AV: E=Sophos;i="5.51,362,1526342400"; d="scan'208";a="15798783" IronPort-PHdr: =?us-ascii?q?9a23=3AjfEoSh21hZgrf5ohsmDT+DRfVm0co7zxezQtwd?= =?us-ascii?q?8Zse8eLPrxwZ3uMQTl6Ol3ixeRBMOHs6wC07KempujcFRI2YyGvnEGfc4EfD?= =?us-ascii?q?4+ouJSoTYdBtWYA1bwNv/gYn9yNs1DUFh44yPzahANS47xaFLIv3K98yMZFA?= =?us-ascii?q?nhOgppPOT1HZPZg9iq2+yo9JDffwRFiCChbb9uMR67sRjfus4KjIV4N60/0A?= =?us-ascii?q?HJonxGe+RXwWNnO1eelAvi68mz4ZBu7T1et+ou+MBcX6r6eb84TaFDAzQ9L2?= =?us-ascii?q?81/szrugLdQgaJ+3ART38ZkhtMAwjC8RH6QpL8uTb0u+ZhxCWXO9D9QKsqUj?= =?us-ascii?q?q+8ahkVB7oiD8GNzEn9mHXltdwh79frB64uhBz35LYbISTOfVwZKPdec4RS3?= =?us-ascii?q?RHUMhfSidNBpqwY5YTA+YEO+tXqIvyqEEOrRu5AgmgHfrjxyNGi3L3wKE2yv?= =?us-ascii?q?gtHRzb1wAkAd4CrHHYodPoP6kQTO+11rHFwyvNb/1W2jnz5obHfR8jrv+RRb?= =?us-ascii?q?J9c9fdxEczGA3KkFqQspfoPy+X2+kXr2SX8+RtWfyphmU6qw9xuD+vxsI0h4?= =?us-ascii?q?TXnI0V0U7L9CVky4goOdK4SFR0YcOqEJtUqS6aLZZ9T8Q+TG5yoyY11L0HtI?= =?us-ascii?q?WgfCcWyJQo3QPfa/KDc4eW+BLvTfqeLi1iiH15f7K/gg+//E69weP/Tsm5yE?= =?us-ascii?q?tGoyVKn9XWtn0Bygbf5taIR/dj5EutxC6D2gHR5+1ePEw5lK7WJ4Qgz7MwjJ?= =?us-ascii?q?Yfr1rPEyDwlU7rlqGZbF8k9fKt6+n/Z7XmoYKTOJFshwHlN6QuhtS/AeMlMg?= =?us-ascii?q?gSR2Sb+fqz1Lnk/UDhXLVFlOc2kqjEsJDBP8gbp6i5AwFS0oY49RmwEy2q0M?= =?us-ascii?q?gYnHYbLFJFfwiLj471NFHVPP/0F/K/g1WokDtzxvDGOKPuAonVI3Ten7rscq?= =?us-ascii?q?xx5k5BxAYp09xS6IxYBqscLP7rX0/+rt3YDhs3MwyuxObnDc1w1pgAVmKLA6?= =?us-ascii?q?+ZNr7SsFCR6u00JOmMeYkVtyrjJPg+/PPukX84lkMdfamux5cXbmu4Ee58L0?= =?us-ascii?q?WWZnrsnM8NEX0WsQomUOzqlFqCXCZRZ3a1WaIz/C07CIK8AofFXY2tgruB3C?= =?us-ascii?q?G+HpJMfWBGFk6DEW3zd4meXPcMci2SKNd7kjMYTbihV5Mh1Ra2uQ/4ybpoNP?= =?us-ascii?q?bb+i4DtZLk0th15vPTmAo89TxwEsSc3HqCT3xynmMUWj86xqd/oVZyyl2by6?= =?us-ascii?q?h3n+RYFcBP5/NOSgo7NYPcz/ZmBNDyXQLBZMyESEulQtW8Gz0xSMw+w8MWaU?= =?us-ascii?q?ZnB9qilgzD3zatA7INj7yEGoc7/bza33jwO8Z9zG3L1Kg/gFY4XMRDL2qmhr?= =?us-ascii?q?Rw9wLLHY7Gj12Zl7q2daQbxCPC6WCDzWyIvE5FTgFwVaTFUGsFaUTIt9T54V?= =?us-ascii?q?nOT7i0CbQoKgFB09KNKrNWat31ilVLXOrsOMjEbGKrgGq/GRGIxraQY4XwYG?= =?us-ascii?q?UdwD/RCE4anAAP5XyGLxQxBj+9o2LCCzxjDVPvY0Xw8eZgrHO0UEo0wB+Wb0?= =?us-ascii?q?1717u44RkVheSCRPMV27ILoiYhqzFvE1a60NPaEd2ApxBufK9Ee9My/E9H1X?= =?us-ascii?q?7Ftwx6JpGvMbhiiUQEcwR2pEPjzA13BZ9akcgrt3Mq1A5yJriE31xfbT+Y2o?= =?us-ascii?q?rwOrLPIGno4B+vc7LW2k3Z0NuO9KYP6fA4q1D9swGzDUci/Wto3MRS03uG/J?= =?us-ascii?q?rKFBASUZXzUkkp6xd6u6vWYi4n54PbzXdsK7W7sife29I1A+so0hWgcM1cMK?= =?us-ascii?q?ODCQ//CM4aCNKtKOwthlildBUEPPpd9KQsJcOpa+OG2LK3POZnhD+pl3lI4J?= =?us-ascii?q?p80k2S7SpxUfTH0IoAw/2C2QuHTTj8hk+7ss/rgYBEeS0SHm2nxCf4HoFRYr?= =?us-ascii?q?N9fZ0XCWauJM263c5+iILsW3FG8l6jG1IG19WzdRqUcVP9wRVa1V4Lrny/hS?= =?us-ascii?q?u40zt0nikzrqWCwSPD2OvidB8IO2JRQmltk0vsK5Cuj98GREiocxQplBy96E?= =?us-ascii?q?bhyahbvqN/L3LPQUpTZCj2KWZiU6W1trWYZc5D8pUovjtLUO6ke1CVVqb9ow?= =?us-ascii?q?cG0yPkB2Zfyio0dzW2uprnhRx6k3mQLGhto3rDYs5w2BLf6MbbRf5L0ToMXD?= =?us-ascii?q?N4hiXPBligI9mp+s2Zl5HCsuC6U2KuSIZTfDLxwoyeriu74ndmARqln/C8gt?= =?us-ascii?q?fnCxQ10Tfn19l2UiXFtAj8Yoj32KSmNuJnZFNkC0P868p9HIF+nZA9hJUR2X?= =?us-ascii?q?gcnJqV530HnX30MdVB1qL0dGANSiITw97J/Ajl31VuLnaIx4LiSnWR29BhaM?= =?us-ascii?q?e+YmMX3CI98s9LBbyP7LxcnCt1pFu4oh7KYfRnmDcS1+cu4mYAg+4VoAot0j?= =?us-ascii?q?mdArcKEElCOizskxCI4M6krKpLY2auf6O91FFjnd+9F7GOuAZcWGz2ep06By?= =?us-ascii?q?9/8t1/ME7Q0H308ozke8ffbdQIthCPkBfPke5VKIk3lvUUmSprI2X9vWcqy+?= =?us-ascii?q?QjlxxhwYm6vJSbK2Vq5K+5GgRXNiDxZ8wN4jHil6BentqI0IC1BZhhBy4LU4?= =?us-ascii?q?XyTfKzCj4SrvPnNxuUEDIgtHibF73fHRWQ6Eh4tX7PFY6kN22PLnkD0dpiXA?= =?us-ascii?q?WdJFBYgA0MQjU6mIM2Gxu0xMznbUh55iod5ljmpRtQ0uhoLQXwUn/DpAe0bT?= =?us-ascii?q?c5UICfIwBL7gFG/EraLc2e7v5zHi1B8J2utgqNJnacZwRSAmEDQlaECEz7Pr?= =?us-ascii?q?my+dnA9PCVBum+LvvKf7qDsuleV/CGxZKhzIRm4yqMNsWIPnlnEfI3wExDUm?= =?us-ascii?q?5lG87BgTUAVzQXlz7Rb86cvBq89Dd4rsaj8PTsXQLi/oWPBKVPPtVo4RC5m7?= =?us-ascii?q?+DN/SXhCZ7NzlXyo8MyWXPyLgF014YkztueCW1EbQcqS7NS7rdmqFNDxEFdi?= =?us-ascii?q?xzL9FH76Qg3glKIs7Wkcn62aJ9jvIvDFdFT1PhkNmzZcMWO2G9KE/HBEGTOb?= =?us-ascii?q?udPjLHxMX3YaKnSb1Ml+VYrQawtiiHHEP5JTSMiT3pVxGpMeFRgyCWJwBRuY?= =?us-ascii?q?GnchZwEmjvVtznZQenMN9sij02x6c4hnTQNW4TKTJ8aV9CrqWM7SNEhfVyA3?= =?us-ascii?q?dO7ntqLemDnSaU9PTXJYgNvvtqGCt0kfhW4HMgy7ta9CtEXuB6mDPOrt5ypF?= =?us-ascii?q?GrivOAyjV9XxpQtDlGn4WLvV18NqXf85lPQ3fE/BYW4mWXBBUGvdxlCsfgu6?= =?us-ascii?q?pI0NjAiLrzKCte89LT5cYcG8/UKMedPHo7NhroGSDbDA0eQj6xMmHQmU9dne?= =?us-ascii?q?qO+X2Sq5g1toLjmIESSrNBUlw6CO8aAFx/HNMeOJd3Qi8kkbmDgc4K5Xq/rA?= =?us-ascii?q?HRRMJevpDGSvKdH+7iKDOYjblYfRsH36n0LYMJNo30w0ZicEV1nJzWG0rMWt?= =?us-ascii?q?BAuithYREur0VJ63V+TWoz21n5agy35n8TDv20nh8shgt4f+st6C/m400rKV?= =?us-ascii?q?rSuCswjE4xlM3/gT+Paz7+Mr2/XZtKBCr0rEU+KZL7QxxoYg21k0xkLC3ESK?= =?us-ascii?q?xRjrd6c2BklhPcs4NVGfFAVa1EfAMQxfaPavo1y1tctCSnylJc5ebeE5Rijh?= =?us-ascii?q?EqcZmirnJbxQ1scMM1JbbRJKpVzllcnKSOsTG01uop2g8RO14N8H+OeC4PoE?= =?us-ascii?q?EIMr4mJzC28exq6A2CnCBOeGcKV/o3uP5q8Vk9O+uYxSL6z7FDMlyxN/CYL6?= =?us-ascii?q?6BoGjPi8qIQlI21kMVmEhI5qR50cAmc0WITU8v16eRGw4PNcXcNQFfd9BS+2?= =?us-ascii?q?TLfSaSreXNxop4MJihGeDtSu+OsroUjl+/EQY3AYsM9MUBH5ir0EHeN8vnKq?= =?us-ascii?q?AKyQk17gTxOFqFFOhJeA6MkDofv8G/zZp33Y5BJjEdAWRwKji45rfXpwAwm/?= =?us-ascii?q?WPRtE2bWkGXoEcLHI5RNW6mzJFv3RHFDS4yOYZyAme4DDivivQCTn9b9xkZP?= =?us-ascii?q?eSfxxhE8q5+TQl/KiwkFLX/IjeK3v8Ndt8pt/F8fkaqIqfC/NIUbl9tF/RlJ?= =?us-ascii?q?JGSHysSGPAC8O6J4buZIk2dtz7EGy6U1ylhzIyVcfxM86nLrKUjgHwWYZUrI?= =?us-ascii?q?6b0Sg5Nc+7FzERBxdwp+YH5KJnfQMNeoc1bwT0ugo5LKGwPACY0tCyTGm3Mj?= =?us-ascii?q?tWU+NTzeOkaLxL1yAsdPO1yGM8TpEmyOm66VICRJMQgR7C3vuse45eUSz3Gn?= =?us-ascii?q?xcZQrPvzY5mHZ9OeYy2Os/xwnIsVYEOTCRaONpcHBEv807BV6KO3V5EHA4R1?= =?us-ascii?q?iHgofY/g6sxaod/zVDkNZQ0O1Ftnf+vpveYDKjWKyrtZvVvDA6bdgjuaFxN5?= =?us-ascii?q?LsIteevpPEgjPfVIXQshGCUCOiGftWgMRfICJZQPlNmGEqI88GtJFA6UUvSM?= =?us-ascii?q?gxOaZDCK42prClcTBkFzIdzTcFV4Oc2zwPmuK81KHAlheTbpsiLB0EsJNNgt?= =?us-ascii?q?YGXS95eCUeq7OnV4XRim+LV3MLLB0V7QtS+AIKjpVwcfz94IrUUJ9MzCZbo+?= =?us-ascii?q?pzUivPDJZo7VX6SmaSgVj2U/ihluup3QVJzP3yztYbQhl/CVNGx+ZXkEsoJ6?= =?us-ascii?q?t7K64Kvo7FqjWIb1/1vHrxyOu6I1lc0dfbd0flDIrDr2b8UTYR+XwVRY9O1H?= =?us-ascii?q?HQDo4ekwxnZ6Y3vF9MOpypel7i5zw4wIRkB6W4Vceux1s+sXYKWyKqHMFbB+?= =?us-ascii?q?Fgrl3XRCVvY4q3p5X9J5VSXmhQ9YWfq1dejkpgKDO2xoRHK85T+D4MQCZAri?= =?us-ascii?q?iHsNu0VsJDxdd8D4UQLddnp3f9BKRENYCfo30soLPvzGPW+zEnsFqhwTWzA6?= =?us-ascii?q?64Q/tC/2wQAQUlPWOeqlMgD+E06Gfd7kjNskxo/+dcHrWPkVh+ryt8Hp9UAj?= =?us-ascii?q?ZEzmyqL1N2THZaqepaM7jVf9ZaQ/YseR+lIwY+GuI+30yV4UF0mm/0YzRptg?= =?us-ascii?q?tG4S/SQhU0WDIOgrfqhD0esN2oNiEcS5JUdzUudSPFJxicmSBNsxZVc1tqVI?= =?us-ascii?q?wBAtZZ57Eb2pNZ8dHMSUmwNS0IXgFuOwwj3PVDkk5DtVmXdjrGDQq0b/rPtA?= =?us-ascii?q?N4fduJps6zMPv55BtHip/gsO0g7aUMWWCpmQ23TtDCtIL8stqKtlWQe6vmL+?= =?us-ascii?q?K8ZmLOQybWgRC2m7gkE4HA/zLPPwpDN5l61X0kbID9CW7RIxtJOb8UKlFGVa?= =?us-ascii?q?B+ddVGuPpVZ9FleKYO/a9iGA6HSgnoGIy1o/lMNkzTSijGLyWd7uy/ppre7b?= =?us-ascii?q?nHRujkYsyD2WrHQ75tMZhg8jT7Hanl0ZNF+kXqwPht7l11RULAMy+fsNTrPh?= =?us-ascii?q?kL69W6dkv+op0pGivbAJVqn3r3wUFAbM4XTDe08JkDzZNZ9XLwSf550kfvse?= =?us-ascii?q?1d7b9k6ZIt77Bu08e0Kr/YKe5Gvk9/HhiUGgJq+40vAGdlQWBRbPURKPDMcq?= =?us-ascii?q?sHls3ut/r4F6oM6B2S4eBZb8XIJ13ZkMmlFj6cUQBEnBsGqTMCIQucyv+Fm6?= =?us-ascii?q?twScm7oOj0wV8i7EalIR4H1r9t452I+q2SpO/YdxHR16QLWrD2RsPvqbQho0?= =?us-ascii?q?GS5fwhlLMVf2x6fQ2mH/YHVs4cwGfgwromzSQyHMPfB7jg4uJMV2olnjL8nJ?= =?us-ascii?q?BwB1MWGvcPELqK+4Rem300m+3fNt0YaKBNgH2PFQK+Er8f1XGr9zaXIHN7jR?= =?us-ascii?q?3U1BHwW2yz5kfsrSBkWSvM08vjkk1NW7myAkdSWTapOUBmvz6UOQrotcD4ua?= =?us-ascii?q?Ir40EqPG3ks8iNlGi6OL9NGc3wOsCcKzEupF0LlJ0xWsCv2YcDFNq5O9cR9X?= =?us-ascii?q?FzY+DQ62y1jiBBpL1HiJDG4sGP/fXXH2evgLGGq7mXwzBY0Hc4t0kl6t+8Lv?= =?us-ascii?q?HO+8GKQ/Ow2mYQTiZwoRHOUAKup7zAsV8UJVKE31vRlIwNJNFZ0mEy1lv66+?= =?us-ascii?q?g7XNIz6AJeG57baPMDvjDyNiH7wVSeY9IrTimRySZXHlbuHFZkH6gzxXz/s9?= =?us-ascii?q?jUlXfK/F0oXJN/e1bghRxtAIUyMVgt50QPwiofDQgNbgiWDKmyCkT5MYQEVU?= =?us-ascii?q?YCaROd3Li5Y6s3xlN8wreu5O/VcOx9CLEANu5HgQ6SgFdbGpwXsaoEQLJ/YV?= =?us-ascii?q?Nd97DYphLkC4f5W/jqj30wNee6QspC68AWq2Mi4hqjRxqn8ZpD4KgUiJaUdq?= =?us-ascii?q?5DZpjAu9t84Flj5T4OcCxNnRd+ggi9Ue8CvuDi4sLUvICu6umwSKYnX/8X+A?= =?us-ascii?q?QsB2Rik5vwh0guodfW1+hATY3VjZ7w8BtXL36Lv4ba1AJ8KfEVJoKuc7th+G?= =?us-ascii?q?8LJy8EJ3IBJdCWceUz4zdxMDXP4FxPGswMas8DPMrWgAxal0LnVrdS9srdB1?= =?us-ascii?q?+ZBJx+d88t72XtzjA674EwUuH66D+5PZrf9U1CP+tfjCVwk9LPvOoVwf3SCC?= =?us-ascii?q?gR+3WWdxh1wiefy5aQCvfw/OOMyMrXV1MHBSM2TYZdJCSY9gyjW+W1lY/lUg?= =?us-ascii?q?WK5c/vmJg+bl6fRmStnKQZtaZBCe9Aijvh0ThYDY31g++VvMet6GtQrV1LCo?= =?us-ascii?q?Fz7QfKGK9HJJV0JQz4ltW3Rkh7Hib/et/bdhQguOqS3eoN7f9xN03gao8HOB?= =?us-ascii?q?4Ezaz16WZNRAt0VLH2pkqZXf4WZNZ+R/PEqndV6Ix+JK8LOFiQv4fqrjBOqF?= =?us-ascii?q?A3HAAlcrkwoSJGdkPWhg1aR770uKIcigsbSdN5vE5MGWGzOGI5/DfHV75ajK?= =?us-ascii?q?qWCPwT7DqTSLYCU0N2PSNiWxm1wolhe6O1nfBbtWNLhjhyr+Ys0zx6Xxa8oi?= =?us-ascii?q?nsp6UR2TI85rG3qigOtWZCTuWEnCfCEU9Dw+gSjacAF3bi7kSxYHcdY4v24b?= =?us-ascii?q?lnPdrv+JIg4nQ+ZBUjejMJXf6kCy7ula+IBZaPsN1Ejh6XpMrOdaOzLTQVNr?= =?us-ascii?q?klxxPjX2J90gnCkxl262YLRzSg7MM+JIqjI8olwTCoGWfDflYW/qxJqNfxtU?= =?us-ascii?q?IMTOYublNhxHts39OfRi0JXsPPAHo1jgk4ZmVYapJM9wEVG7MugjmWoqlM5h?= =?us-ascii?q?sUbyvMEoS55onQmt/F2X08Tdds22LXqbSJhpcr0H1+h9N09TWDuHUIeOzeVM?= =?us-ascii?q?9gGH/z1p1QyebmffWirvgHSJd6yLSmSPICN9Os9ne22JVrXE+lwa8TH0S4MO?= =?us-ascii?q?8F2LjbVyalSWuFWeWEaWSMmCw5MkHq7xmyMlI3cNtKr1M6MubahJ5TjQ7hUb?= =?us-ascii?q?RvSSiLuF/bynAjMeMddwIrt4enexAKQPQXZ+eCOegk2Oc+B0cUb3/VASt2DP?= =?us-ascii?q?e7sUWjnIh+J3pt4Eb3bP/z8g/4KtuSGxgFEYncrpJr//y1WH6Bajdcy0hWB2?= =?us-ascii?q?w8o+PeEUkh8/RReIuLnMTBwtF83fMBet9zPiAn/N0egIRu7c+TysjcNVn17b?= =?us-ascii?q?LXbYXRo/6FE7jcwl4sd2VyTLUUe0X26p88M9p/XKfcS/8RhR0BAeAfR5s7Oi?= =?us-ascii?q?+l7KhpKCtrexPVIbGzhdPn4OmMY80Q70TK40owISGUgBgKzvi5XEQvdJyxr2?= =?us-ascii?q?njK5A3ADRapptiDQUwWMN0Noskrgy6E9bAg6y/itms62tmquQKtuz2EfmM29?= =?us-ascii?q?OnicE5FaN/zGeoeTrQH6J2mV9NiuWpnuyGisC3DtntM5tQb81SaU2AZr7dFZ?= =?us-ascii?q?ikMRqKO9ngYAgeqvibyr0vFl2zYyD/F4iBtCSiL/hiqRE5zYx+OujUzDUr9L?= =?us-ascii?q?zd8ND7YWZdpyyqqTiCM54JqBTpCOHFFzlTTvnNpGVoELYcaoz33OwOK9snwc?= =?us-ascii?q?WZpQ5p42IGmPeIP7O8qQfs00R3fNqPNEbv1Ds4X8wJLQ65PE8EgCrdrWrQR2?= =?us-ascii?q?9VLdW+II9rjZCXFkqpr2t4nGw2LktGAHDpXp/FO20cwdi/fyWM/QdGDpAEhe?= =?us-ascii?q?HhKmAisajnYuBzN4QNou6qvagJldtzY3XETdNXLgnLJ79/IzRVA/+Kr1FuaR?= =?us-ascii?q?kB5etmErwpbISDdRtUeHyLzjn/mE6TiReuJdWxyKaEJjoX+XxbzrXDlCJBvB?= =?us-ascii?q?S9pe3D3paxbYvwUMrdZNeLaGwoWzSBSnI3GEetv1Klv6lh3rKDOWlKhFcSb2?= =?us-ascii?q?qJDRIL4Lh1pI3bB3TeiMV4d50Dmf6eVjq1QyQ+n603VUMp/VuUTa8lEg/bJ2?= =?us-ascii?q?TknHIavQWjIvFW+newZLSDy7t9QOcWC5ZCdvCDBtDRP/tZImRN9H0CIOjpWd?= =?us-ascii?q?raov4i107QC2sUF66d7FqFUEufWeCR3RrwWoMUtNNs4G9yqpTbmSlsFr6OOr?= =?us-ascii?q?+eo3ih69f+nS+YvuqYXW4oMClXyO4BAWzU2BBbMylEENAavkjxX7SNL1hBzn?= =?us-ascii?q?MniO9imlcMdQ1/X2co0yh+jf+9HcofQlkRgQ=3D=3D?= X-IPAS-Result: =?us-ascii?q?A2C6BwBw5kxb/wHyM5BcGwEBAgMBAQoBAYMgJ4EJShIoj?= =?us-ascii?q?F+NPYMAknmBWDEUhQSCQDcVAQIBAQEBAQECAWwcDII1JIJeAwMBAiQTBgEBD?= =?us-ascii?q?CALAQIDCQEBQAgIAwEtFAERBgEHBQYCAQEBGASCNEuBaAMVA54/ihuBaTOCc?= =?us-ascii?q?QEBBYECAQFfgjUDgycIF4dUgy2BESeHMgESAYV1h2eFLy6MGgmPIWqHVYUsj?= =?us-ascii?q?D+HLCJhcU0jFTuCaYIlF4NFihwBVU98imCCOQEB?= Received: from tarius.tycho.ncsc.mil (HELO tarius.infosec.tycho.ncsc.mil) ([144.51.242.1]) by emsm-gh1-uea11.NCSC.MIL with ESMTP; 16 Jul 2018 18:42:33 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus.infosec.tycho.ncsc.mil [192.168.25.40]) by tarius.infosec.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id w6GIgUpE023807; Mon, 16 Jul 2018 14:42:31 -0400 Received: from tarius.infosec.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id w6GIPhVN024414 for ; Mon, 16 Jul 2018 14:25:43 -0400 Received: from goalie.tycho.ncsc.mil (goalie.infosec.tycho.ncsc.mil [144.51.242.250]) by tarius.infosec.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id w6GIPoa5020946 for ; Mon, 16 Jul 2018 14:25:51 -0400 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A1ClBgDq4kxblywWGNZcHAEBAQQBAQoBA?= =?us-ascii?q?YMfJ4FlKIN8iGOLXYFggwCUX4R3AkKCHyE3FQECAQEBAQEBAhQBAQEBAQgWBky?= =?us-ascii?q?FQwMDIwQZAQE3AQ8lAiYCAkUSBgEMBgIBAYJRS4FoAxUDnkSKG257M4JxAQEFg?= =?us-ascii?q?QIBAV+CNAODJwgXdIZggReCFoERJ4pmglWHZ4UvLowaCY8haodVhSyMP4csgXR?= =?us-ascii?q?NIxWDJIIZDA4JEYM0ihwBVU+OFQEB?= X-IPAS-Result: =?us-ascii?q?A1ClBgDq4kxblywWGNZcHAEBAQQBAQoBAYMfJ4FlKIN8iGO?= =?us-ascii?q?LXYFggwCUX4R3AkKCHyE3FQECAQEBAQEBAhQBAQEBAQgWBkyFQwMDIwQZAQE3A?= =?us-ascii?q?Q8lAiYCAkUSBgEMBgIBAYJRS4FoAxUDnkSKG257M4JxAQEFgQIBAV+CNAODJwg?= =?us-ascii?q?XdIZggReCFoERJ4pmglWHZ4UvLowaCY8haodVhSyMP4csgXRNIxWDJIIZDA4JE?= =?us-ascii?q?YM0ihwBVU+OFQEB?= X-IronPort-AV: E=Sophos;i="5.51,362,1526356800"; d="scan'208";a="324750" Received: from emsm-gh1-uea10.ncsc.mil ([214.29.60.34]) by goalie.tycho.ncsc.mil with ESMTP; 16 Jul 2018 14:25:48 -0400 IronPort-PHdr: =?us-ascii?q?9a23=3AGquk1xcgPKAae92k4qOGlcV6lGMj4u6mDksu8p?= =?us-ascii?q?Mizoh2WeGdxc24ZRCN2/xhgRfzUJnB7Loc0qyK6/6mATRIyK3CmUhKSIZLWR?= =?us-ascii?q?4BhJdetC0bK+nBN3fGKuX3ZTcxBsVIWQwt1Xi6NU9IBJS2PAWK8TW94jEIBx?= =?us-ascii?q?rwKxd+KPjrFY7OlcS30P2594HObwlSizexfbJ/IA+qoQnNq8IbnZZsJqEtxx?= =?us-ascii?q?XTv3BGYf5WxWRmJVKSmxbz+MK994N9/ipTpvws6ddOXb31cKokQ7NYCi8mM3?= =?us-ascii?q?0u683wqRbDVwqP6WACXWgQjxFFHhLK7BD+Xpf2ryv6qu9w0zSUMMHqUbw5Xy?= =?us-ascii?q?mp4rx1QxH0ligIKz858HnWisNuiqJbvAmhrAF7z4LNfY2ZKOZycqbbcNwdR2?= =?us-ascii?q?VORMZRVytGAo+ldocCE+QMMOdFo4Xku1cCsAa1CQ2yCO/zzzNFgGL9068n3O?= =?us-ascii?q?Q7CQzIwRIuH9wOvnrXotv6OqgdXuKpw6fH1jjDc/Fb1C3h5ITUfB0so/eBVq?= =?us-ascii?q?9wf8rLzkkvEhvIg0uKpoz+ITyU1vkGvXWH4OpgT+2vlmAnqwVvrTi128whjZ?= =?us-ascii?q?XGiZgOyl/a9SR02501KsG4SEFhfN6kHp9QuD+AN4dvXswtWXtktzo9yr0DoJ?= =?us-ascii?q?O2ejUBxpc/xxPHdfCLboeF7gj9WOueOzt0mmxpdKiwihu96USty+/xWtOp3F?= =?us-ascii?q?tLqidJiNjBu3AX2xDN9MSKRf1w9Vq71zmVzQDc8ORELFg0laXFL54hxaY9mZ?= =?us-ascii?q?QOv0nfACH7llv7grWKe0k4++Wk8frobavjpp+HOI94kAT+Pb4vmsy7G+g4Nw?= =?us-ascii?q?kOX2yD9eS90r3s41H5Ta1UgvErnaTVqo7WKMsBqqKnHQNZyIku5hmnAzejyt?= =?us-ascii?q?sYnH0HLFxfeBKAiojkI03BL+rjDfihg1WhiyxryOzGPrL7H5XNIHzDn6n7fb?= =?us-ascii?q?pk90FT0hA/wsxY55JREr0BOu78WlfttNzECR80Kxe0zPjjCNV80IMeRG2OD7?= =?us-ascii?q?SFMKLSrVCI5uUvL/OKZI8OojnxMfcl5/nwjSxxpVhIWZKMlc8TaXalDrF9Lk?= =?us-ascii?q?6Ee3vwk5IEFmsXugcWUuPnkhuBXCRVanL0WLgzsHVzLKGCKM+XQoGrnazE3y?= =?us-ascii?q?qhGJBSTn5JB0rKEnrycYiAHfAWZ3TWavdojzhMcL+mUYJpgQmnqQvS07N6Kq?= =?us-ascii?q?/R/SoCuNTo090jo6XoiRwq9TFyR/+Y2mWJQnA8yngEXBcqzat/pgp70V7F3q?= =?us-ascii?q?9m1bgQLvEbw/JPTxdyYYXRy+18FsDaRhPKftDPTk2vBNqhH2d1BpgK5vYlQA?= =?us-ascii?q?NxGs6pkwvY9y6rGKMO0eTSQpsu/eiUi0PUDu1ejnrHz6I8lEIORspUKXbg3v?= =?us-ascii?q?c58BLcUcqBsUKZke6IcqQV2jXA8i/Xz22OugdaVw55V77IW1gUb03Rq9Xy70?= =?us-ascii?q?eERLirX/BvEQZM0oapLaxJIonqgFhdT/DkO/zVY3i2nmatAFCP3LzaKMLWdn?= =?us-ascii?q?kGwSKVKEECnwlbqW6LMwcjByHkoG/ECjFqPVOqZ0Ty/K9loXCmVEZyyQzMbV?= =?us-ascii?q?U3k/KX8xsYnrS5TOkJ36lM7CUkrC9uHU2V2dvTBtvGoBBuKvZye9Q4tXxOzm?= =?us-ascii?q?/I/zd2PpW9IaRvnBZKeA1sslLGzB53A5hOlcUw6XgjigF1LPTLgxt6azqE0M?= =?us-ascii?q?WoafXsIW7o8UXqO/aMgAPXzcqW96ET6f8xt1TkukSzG1E/92l8iYIIgUanz6?= =?us-ascii?q?mRJzI7CMq3X0sy7Bc8orjbZm845oeHnWZ0P/yStTnPk8ksGPNj0gypKtxWK6?= =?us-ascii?q?6VPBT5E8QHCcyjMqkhkh6iaRdXdPtK+vsSOMWrP+CDxLbtOe9hmDy8imES64?= =?us-ascii?q?lm31Ok7CF8Q/PG25sfhvqRmACAUmS0l0+v5+bwn40MfjQOBiy/xCzjUZZWfb?= =?us-ascii?q?F3dJ0XBH2GOMqxx94l38SoAS4e/1mlHFYcnsqgeB7UYEWkmxxZ1UMQ53egnH?= =?us-ascii?q?jwwz91lmQxp7GElGzVwuvkfQYaIGMDWmR4jFntLIT1x9AXVUSldU4owTO07E?= =?us-ascii?q?b9wO5Qo6Fy?= X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0AnBgBg4kxblywWGNZcHAEBAQQBAQo?= =?us-ascii?q?BAYMfJ4FlKIN8iGOLXYFggwCUX4R3AkKCHyE3FQECAQEBAQEBAgETAQEBAQE?= =?us-ascii?q?IFgZMDII1JIJeAwMjBBkBATcBDyUCJgICRRIGAQwGAgEBglFLgWgDFQOePoo?= =?us-ascii?q?bbnszgnEBAQWBAgEBX4I0A4MnCBd0hmCBF4IWgREnimaCVYdnhS8ujBoJjyF?= =?us-ascii?q?qh1WFLIw/hyyBdE0jFYMkghkMDgkRgzSKHAFVT44VAQE?= X-IPAS-Result: =?us-ascii?q?A0AnBgBg4kxblywWGNZcHAEBAQQBAQoBAYMfJ4FlKIN8i?= =?us-ascii?q?GOLXYFggwCUX4R3AkKCHyE3FQECAQEBAQEBAgETAQEBAQEIFgZMDII1JIJeA?= =?us-ascii?q?wMjBBkBATcBDyUCJgICRRIGAQwGAgEBglFLgWgDFQOePoobbnszgnEBAQWBA?= =?us-ascii?q?gEBX4I0A4MnCBd0hmCBF4IWgREnimaCVYdnhS8ujBoJjyFqh1WFLIw/hyyBd?= =?us-ascii?q?E0jFYMkghkMDgkRgzSKHAFVT44VAQE?= X-IronPort-AV: E=Sophos;i="5.51,362,1526342400"; d="scan'208";a="13851017" X-IronPort-Outbreak-Status: No, level 0, Unknown - Unknown Received: from usat3cpa06.eemsg.mail.mil ([214.24.22.44]) by EMSM-GH1-UEA10.NCSC.MIL with ESMTP; 16 Jul 2018 18:25:47 +0000 X-EEMSG-check-005: 0 X-EEMSG-check-006: 000-001;9de91618-a428-4993-b5f1-96c2bce3ead4 Authentication-Results: USAT3CPA10.eemsg.mail.mil; spf=None smtp.pra=casey@schaufler-ca.com; spf=None smtp.mailfrom=casey@schaufler-ca.com; spf=None smtp.helo=postmaster@sonic302-28.consmr.mail.gq1.yahoo.com; dkim=pass (signature verified) header.i=@yahoo.com X-EEMSG-check-008: 20191613|USAT3CPA10_EEMSG_MP25.csd.disa.mil X-EEMSG-SBRS: None X-EEMSG-ORIG-IP: 98.137.68.154 X-EEMSG-check-002: true IronPort-PHdr: =?us-ascii?q?9a23=3AhElgSR0y8+ETYYiwsmDT+DRfVm0co7zxezQtwd8Z?= =?us-ascii?q?sesULv7xwZ3uMQTl6Ol3ixeRBMOHs6wC07KempujcFRI2YyGvnEGfc4EfD4+ou?= =?us-ascii?q?JSoTYdBtWYA1bwNv/gYn9yNs1DUFh44yPzahANS47xaFLIv3K98yMZFAnhOgpp?= =?us-ascii?q?POT1HZPZg9iq2+yo9JDffwRFiCChbb9uMR67sRjfus4KjIV4N60/0AHJonxGe+?= =?us-ascii?q?RXwWNnO1eelAvi68mz4ZBu7T1et+ou+MBcX6r6eb84TaFDAzQ9L281/szrugLd?= =?us-ascii?q?QgaJ+3ART38ZkhtMAwjC8RH6QpL8uTb0u+ZhxCWXO9D9QKsqUjq+8ahkVB7oiD?= =?us-ascii?q?8GNzEn9mHXltdwh79frB64uhBz35LYbISTOfV5fKzSZ9MaRW1GXspITiBMHo2x?= =?us-ascii?q?YooSA+YYIepUspT2q18QoReiAAWhAv7kxD1ViX/sxaA0zvovEQ/G0gIjEdwBvn?= =?us-ascii?q?vbo9fpO6kdSu210KvFwC/fY/9K1zrw6o7FeQ0hr/GWWrJwdNLcxFc1GAPekFqR?= =?us-ascii?q?qZHuMS6J2eQNqWeb8uRgVeaxhG49tgp8pSSgyd03iobXhoMY0UvE+jl5wIkvON?= =?us-ascii?q?24Rkp7bsC+EJdJqy6VLZF6Td8lQ2FtoSs3zKANt52jfCUSzJkqxATTZ+GJfoWK?= =?us-ascii?q?+B7uVeWcLS1liH9ld7+znxe//Eq6xuHhV8S51ExGoytFn9XWqHwByRPe586aQf?= =?us-ascii?q?Vn5EihwyyA1wXL5+FEP080ka3bJoY6wr43kJoTsFjMEyHqlEnolaOaaEYp9vK0?= =?us-ascii?q?5OTgZLXmvZqcN5VuhgH7KKsum8i/Df43MggXQmSX4+S926fj/U3+R7VGlOE5kq?= =?us-ascii?q?7csJzCJMQboLC2AxNN34sn6BuzFSqq3doakHUdLV9IewiLg5XpNlzBOPz4CO2w?= =?us-ascii?q?g1WokDdl3fDGObjhD43RIXfZi7fuY7Z85lVHyAUvzdBQ/Y9UCr8FIP3tQE/9rc?= =?us-ascii?q?DXAQUjPwOoxObnDc1x1pkCVmKXHq+ZLKTSvEeT5u0xJ+mMZYkVuCvyKvU++/7v?= =?us-ascii?q?jWM2mV8afaWz25sXc2q3Eu5pI0Wef3q/yusGREMxm0JqSO3slU3HSjNYemyzQ7?= =?us-ascii?q?N54zY3FYarJZnMS5rrg7Gb2iq/WJpMaTYCQnSvNVKgI4GFXeocLSGfOMlslhQa?= =?us-ascii?q?WrW7DYwszxejsEn90bUxaqLs8zAc/bfk08J4r7nLnAw23SR9EsDY1maKVWwylW?= =?us-ascii?q?QNEXt+57xyuUxwzB+41KF8h/FJXYhI6+hhThYxNZmayfdzTd/1RFSFNuykAHKn?= =?us-ascii?q?RMi2SWUqQ9YwxcIeS1psENWlyBbY1mylBKFD0/TBP7kd2YGZ03nqLNtm0F7C1b?= =?us-ascii?q?I9lB9+G41IL2LszvpE0iH4JMvFkl6Sir2xXaAdxzLWsj/ai22UsxccGCx3UaON?= =?us-ascii?q?f3cfb03NoNKxskHFT7noC7MnOw1axMiqIaJMbdvohlxCAvzkPYKaK0G8lnz4Lh?= =?us-ascii?q?GPxfvYb4fnYG4a2yb1A0gelAUS4HPAMhIxUGPpn2/CFyFpXXLmZU/lub1mpXW0?= =?us-ascii?q?U04yigKHdUts05K0vxoSm/HaUPoQw6gN/iEs7TdsShL1/dvTBsHIgg17ZqRHKY?= =?us-ascii?q?c/5VBdz2PCnwp0O5Ghaad4iQhNXR5wuhbF3g56G817msgjsX0uwRA6famRy15Q?= =?us-ascii?q?XyiT3ZntNLnaMCz59VakbKuAiQKW68qf5qpasKdwkF7kpgz8Uxp6qiQ145xuy3?= =?us-ascii?q?KZo67yIk8XWJP1XFww8kEq9arRYiAg6YfZzzhnOO+/tTqQg4t1Vttg8Q6pepJk?= =?us-ascii?q?CI3BDBX7Sp1IHMOuIfEkn1WzKxkNeutV8fxsZp70R769wKeued1YsnemgGBAu9?= =?us-ascii?q?EvyUWK9iEnErSNhcZDyPaexQ6dETL1jVPnvdmu35FNZTYVWGG4zHq8CQ=3D=3D?= X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0D9CgBg4kxb/5pEiWJcHAEBAQQBAQoBA?= =?us-ascii?q?YMfKoFiKIN8iGONPYMAkmWBeh6EWQJCgh8ZBgYyFgECAQEBAQEBAQEBbBwMgjU?= =?us-ascii?q?kgl4GIwQZAQE3AQ8lAiYCAkUSBgEMBgIBAYJRS4FoAxWeQYobbnszgnEBAQWBA?= =?us-ascii?q?gEBX4I0A4MnCBd0hmCDLYERJ4I8iCqCVYdnhS8ujBoJjyFqh1WFLIw/hx0NJIF?= =?us-ascii?q?STSMVgySCGQwXg0WKHAFVHzCOFQEB?= X-IPAS-Result: =?us-ascii?q?A0D9CgBg4kxb/5pEiWJcHAEBAQQBAQoBAYMfKoFiKIN8iGO?= =?us-ascii?q?NPYMAkmWBeh6EWQJCgh8ZBgYyFgECAQEBAQEBAQEBbBwMgjUkgl4GIwQZAQE3A?= =?us-ascii?q?Q8lAiYCAkUSBgEMBgIBAYJRS4FoAxWeQYobbnszgnEBAQWBAgEBX4I0A4MnCBd?= =?us-ascii?q?0hmCDLYERJ4I8iCqCVYdnhS8ujBoJjyFqh1WFLIw/hx0NJIFSTSMVgySCGQwXg?= =?us-ascii?q?0WKHAFVHzCOFQEB?= Received: from sonic302-28.consmr.mail.gq1.yahoo.com ([98.137.68.154]) by USAT3CPA10.eemsg.mail.mil with ESMTP; 16 Jul 2018 18:24:50 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1531765463; bh=YT4XtPaYorTY1lx0k8H0Qyb4L8QIc4WROnciGp7eUwc=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=CZO3lTCG7X3PqDv0CnVYtVyJeRUdLrMR5OuJ+cOZW4cPelLPAcDZrBXy/YpJxn5x1hV8HZ0hP+V8QN8UiNOZd9bASGkPD3x8MvglBmxwrNvKWALW9IbChTL0jHcIc4SbymfmNYb2XqxjfIJVnAaOVu8Ik/uZcxsZs787eJn1gLMoN1i7FI9OioltfMGiu+sRZvn3BaPnfggiSkYXGoGQTwfCz2W362PfIhKbfsfqnjf9Bphm+bDE/NFjFFc+kovOnAJiGP6PXSw5XUpd316N7Gv/bH5d7CsVAOeVRtJbcN5Pxot4VoA5Ym1tlTE6jOv2AqL9HUIcUiMLMaaVuo/q7w== X-YMail-OSG: SjmZeegVM1n2ICC7iSoOGPB6uUMnE_FZMLVtMuKkxZSD69Wuf.TO1e4ux5WrtKV DyGUJv_49MW0Z6N92AM8rSG5DuN65_qNbRBn73esqdi06TNeAPNdrgSZTf4lh8zlw_eRRmiOmygK kbc6S8JeYFzKxz7v7E35wDhYj4bSGBZA_RcJN3mBJxVmRTTilYH22aoY0jFrH1yP1qioMbkTh_Dn Ul.v9je7REmeewa_4rHO6HOoRfRgpLwEliWMnlTlXa3yI28oH3azJmm0uoI73530dmHqcmkR4XFO rhe8VBwjICYDdgjLxeu_nc2traOsKciZusyRY1s33Ze.XsoNDConG.2d6wU70gxQS6mG7.b1UT3D eIo_8B6j1q9P4am4l2FIaZ2HFm1I_WC04y29lYmfdHwFxcE5LsMjhOzfPEsR9_AaAiuTjaKtu4BC RkqEJS_HiVmlOiSfPTgNrJzbZx5Rhv8cjgyskip5Zo2xcMZgdPm00FnlKEZNZhXJQDF2cjSM21CW v7_uY1h5T3zGOKwoCipSJJZqqcdfFSS_ToCLq0lNH5Eh1AozeLhweNhBE9mraoUM4ckb83GpUKlL LMqkMFokKxhTux2KnJCOTSHdLHPF10h7F0H_YjfSxwVjbORrzZvm5fGIqemyYRvPUfoRv8Od7nio Kz1aL_HChFHWSEg9LIluGiUx_lj161SdvfnRvWueM2A7xdyORDMglSyO6E_i0buAqLXbMx4zqeuk S9S6AcGPRjkVVa3.WBWMzrTJvv2oewTRHyed096z_NCcpsWHtkF1_nnOHrycJjInG2HYbeJn87Au UTAV8G7xgxTwAUwS2ZwXegJ4jneCJRBkX4LuXH45mXYPiRNmtjAkAp8pbB0VGWum1pAuDxnvSia3 pbRn_CnLzoBQO6.73YN7kDjLaKSslxY95KDdcOR_FxlhBKjOjWRZjZpBRp10mK9Ap4cLbTiRq.hi Spz9X7CegU7N_3qAAECKa6eLSAbpTyqfV3d4ikVW7YpUfDOFuxKj9dJCMws9TBkre5Y4MNZUMPHk Cua3YG_5G6ivTh_irLPw9_tIR6TGSitc- Received: from sonic.gate.mail.ne1.yahoo.com by sonic302.consmr.mail.gq1.yahoo.com with HTTP; Mon, 16 Jul 2018 18:24:23 +0000 Received: from c-67-169-65-224.hsd1.ca.comcast.net (EHLO [192.168.0.100]) ([67.169.65.224]) by smtp404.mail.gq1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID fd4c14c77ada1fa0657ebb2422e4f129; Mon, 16 Jul 2018 18:24:21 +0000 (UTC) To: LSM , LKLM , Paul Moore , Stephen Smalley , SE Linux , "SMACK-discuss@lists.01.org" , John Johansen , Kees Cook , Tetsuo Handa , James Morris References: <8a325db8-e7eb-9581-2b77-fc987a165df7@schaufler-ca.com> X-EEMSG-check-009: 444-444 From: Casey Schaufler Message-ID: <3e09ee96-6d54-bceb-e780-06e3244b7f2b@schaufler-ca.com> Date: Mon, 16 Jul 2018 11:24:18 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <8a325db8-e7eb-9581-2b77-fc987a165df7@schaufler-ca.com> Content-Language: en-US X-Mailman-Approved-At: Mon, 16 Jul 2018 14:38:37 -0400 Subject: [PATCH v1 17/22] LSM: Allow mount options from multiple security modules X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.21 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: Cc: "Schaufler, Casey" Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP LSM: Allow mount options from multiple security modules Both SELinux and Smack use mount options that apply to filesystems generally. Remove the failure case where the security modules don't recognize an option. SELinux does not recognize Smack's options, and vis versa. The btrfs code had some misconceptions about the generality of security modules and mount options. That has been corrected. Signed-off-by: Casey Schaufler --- fs/btrfs/super.c | 10 ++--- include/linux/security.h | 45 ++++++++++++++----- security/security.c | 14 ++++-- security/selinux/hooks.c | 90 +++++++++++++++++++------------------- security/smack/smack_lsm.c | 54 ++++++++++++----------- 5 files changed, 122 insertions(+), 91 deletions(-) diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c index 81107ad49f3a..100cd32d5e16 100644 --- a/fs/btrfs/super.c +++ b/fs/btrfs/super.c @@ -1490,15 +1490,15 @@ static int setup_security_options(struct btrfs_fs_info *fs_info, return ret; #ifdef CONFIG_SECURITY - if (!fs_info->security_opts.num_mnt_opts) { + if (fs_info->security_opts.selinux.num_mnt_opts != 0 || + fs_info->security_opts.smack.num_mnt_opts != 0) { /* first time security setup, copy sec_opts to fs_info */ memcpy(&fs_info->security_opts, sec_opts, sizeof(*sec_opts)); } else { /* - * Since SELinux (the only one supporting security_mnt_opts) - * does NOT support changing context during remount/mount of - * the same sb, this must be the same or part of the same - * security options, just free it. + * Since no modules support changing context during + * remount/mount of the same sb, this must be the same + * or part of the same security options, just free it. */ security_free_mnt_opts(sec_opts); } diff --git a/include/linux/security.h b/include/linux/security.h index 9bdb23799b03..ea875e761d14 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -161,34 +161,55 @@ typedef int (*initxattrs) (struct inode *inode, #ifdef CONFIG_SECURITY -struct security_mnt_opts { +struct lsm_mnt_opts { char **mnt_opts; int *mnt_opts_flags; int num_mnt_opts; }; + +struct security_mnt_opts { +#ifdef CONFIG_SECURITY_STACKING + struct lsm_mnt_opts selinux; + struct lsm_mnt_opts smack; +#else + union { + struct lsm_mnt_opts selinux; + struct lsm_mnt_opts smack; + }; +#endif +}; + int call_lsm_notifier(enum lsm_event event, void *data); int register_lsm_notifier(struct notifier_block *nb); int unregister_lsm_notifier(struct notifier_block *nb); static inline void security_init_mnt_opts(struct security_mnt_opts *opts) { - opts->mnt_opts = NULL; - opts->mnt_opts_flags = NULL; - opts->num_mnt_opts = 0; + memset(opts, 0, sizeof(*opts)); } static inline void security_free_mnt_opts(struct security_mnt_opts *opts) { int i; - if (opts->mnt_opts) - for (i = 0; i < opts->num_mnt_opts; i++) - kfree(opts->mnt_opts[i]); - kfree(opts->mnt_opts); - opts->mnt_opts = NULL; - kfree(opts->mnt_opts_flags); - opts->mnt_opts_flags = NULL; - opts->num_mnt_opts = 0; + + if (opts->selinux.mnt_opts) + for (i = 0; i < opts->selinux.num_mnt_opts; i++) + kfree(opts->selinux.mnt_opts[i]); + kfree(opts->selinux.mnt_opts); + opts->selinux.mnt_opts = NULL; + kfree(opts->selinux.mnt_opts_flags); + opts->selinux.mnt_opts_flags = NULL; + opts->selinux.num_mnt_opts = 0; + + if (opts->smack.mnt_opts) + for (i = 0; i < opts->smack.num_mnt_opts; i++) + kfree(opts->smack.mnt_opts[i]); + kfree(opts->smack.mnt_opts); + opts->smack.mnt_opts = NULL; + kfree(opts->smack.mnt_opts_flags); + opts->smack.mnt_opts_flags = NULL; + opts->smack.num_mnt_opts = 0; } /* prototypes */ diff --git a/security/security.c b/security/security.c index 878f0848b3f4..eea36930f6f3 100644 --- a/security/security.c +++ b/security/security.c @@ -782,9 +782,17 @@ int security_sb_set_mnt_opts(struct super_block *sb, unsigned long kern_flags, unsigned long *set_kern_flags) { - return call_int_hook(sb_set_mnt_opts, - opts->num_mnt_opts ? -EOPNOTSUPP : 0, sb, - opts, kern_flags, set_kern_flags); + int nobody = 0; + + /* + * Additional security modules that use mount options + * need to be added here. + */ + if (opts->selinux.num_mnt_opts != 0 || opts->smack.num_mnt_opts != 0) + nobody = -EOPNOTSUPP; + + return call_int_hook(sb_set_mnt_opts, nobody, sb, opts, kern_flags, + set_kern_flags); } EXPORT_SYMBOL(security_sb_set_mnt_opts); diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index ab8a134d9945..fcdf1ea3c438 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -568,21 +568,23 @@ static int selinux_get_mnt_opts(const struct super_block *sb, /* count the number of mount options for this sb */ for (i = 0; i < NUM_SEL_MNT_OPTS; i++) { if (tmp & 0x01) - opts->num_mnt_opts++; + opts->selinux.num_mnt_opts++; tmp >>= 1; } /* Check if the Label support flag is set */ if (sbsec->flags & SBLABEL_MNT) - opts->num_mnt_opts++; + opts->selinux.num_mnt_opts++; - opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC); - if (!opts->mnt_opts) { + opts->selinux.mnt_opts = kcalloc(opts->selinux.num_mnt_opts, + sizeof(char *), GFP_ATOMIC); + if (!opts->selinux.mnt_opts) { rc = -ENOMEM; goto out_free; } - opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC); - if (!opts->mnt_opts_flags) { + opts->selinux.mnt_opts_flags = kcalloc(opts->selinux.num_mnt_opts, + sizeof(int), GFP_ATOMIC); + if (!opts->selinux.mnt_opts_flags) { rc = -ENOMEM; goto out_free; } @@ -593,8 +595,8 @@ static int selinux_get_mnt_opts(const struct super_block *sb, &context, &len); if (rc) goto out_free; - opts->mnt_opts[i] = context; - opts->mnt_opts_flags[i++] = FSCONTEXT_MNT; + opts->selinux.mnt_opts[i] = context; + opts->selinux.mnt_opts_flags[i++] = FSCONTEXT_MNT; } if (sbsec->flags & CONTEXT_MNT) { rc = security_sid_to_context(&selinux_state, @@ -602,16 +604,16 @@ static int selinux_get_mnt_opts(const struct super_block *sb, &context, &len); if (rc) goto out_free; - opts->mnt_opts[i] = context; - opts->mnt_opts_flags[i++] = CONTEXT_MNT; + opts->selinux.mnt_opts[i] = context; + opts->selinux.mnt_opts_flags[i++] = CONTEXT_MNT; } if (sbsec->flags & DEFCONTEXT_MNT) { rc = security_sid_to_context(&selinux_state, sbsec->def_sid, &context, &len); if (rc) goto out_free; - opts->mnt_opts[i] = context; - opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT; + opts->selinux.mnt_opts[i] = context; + opts->selinux.mnt_opts_flags[i++] = DEFCONTEXT_MNT; } if (sbsec->flags & ROOTCONTEXT_MNT) { struct dentry *root = sbsec->sb->s_root; @@ -621,15 +623,15 @@ static int selinux_get_mnt_opts(const struct super_block *sb, &context, &len); if (rc) goto out_free; - opts->mnt_opts[i] = context; - opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT; + opts->selinux.mnt_opts[i] = context; + opts->selinux.mnt_opts_flags[i++] = ROOTCONTEXT_MNT; } if (sbsec->flags & SBLABEL_MNT) { - opts->mnt_opts[i] = NULL; - opts->mnt_opts_flags[i++] = SBLABEL_MNT; + opts->selinux.mnt_opts[i] = NULL; + opts->selinux.mnt_opts_flags[i++] = SBLABEL_MNT; } - BUG_ON(i != opts->num_mnt_opts); + BUG_ON(i != opts->selinux.num_mnt_opts); return 0; @@ -675,9 +677,9 @@ static int selinux_set_mnt_opts(struct super_block *sb, struct inode_security_struct *root_isec; u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; u32 defcontext_sid = 0; - char **mount_options = opts->mnt_opts; - int *flags = opts->mnt_opts_flags; - int num_opts = opts->num_mnt_opts; + char **mount_options = opts->selinux.mnt_opts; + int *flags = opts->selinux.mnt_opts_flags; + int num_opts = opts->selinux.num_mnt_opts; mutex_lock(&sbsec->lock); @@ -1038,7 +1040,7 @@ static int selinux_parse_opts_str(char *options, char *fscontext = NULL, *rootcontext = NULL; int rc, num_mnt_opts = 0; - opts->num_mnt_opts = 0; + opts->selinux.num_mnt_opts = 0; /* Standard string-based options. */ while ((p = strsep(&options, "|")) != NULL) { @@ -1105,41 +1107,39 @@ static int selinux_parse_opts_str(char *options, case Opt_labelsupport: break; default: - rc = -EINVAL; printk(KERN_WARNING "SELinux: unknown mount option\n"); - goto out_err; - + break; } } rc = -ENOMEM; - opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL); - if (!opts->mnt_opts) + opts->selinux.mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL); + if (!opts->selinux.mnt_opts) goto out_err; - opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), + opts->selinux.mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_KERNEL); - if (!opts->mnt_opts_flags) + if (!opts->selinux.mnt_opts_flags) goto out_err; if (fscontext) { - opts->mnt_opts[num_mnt_opts] = fscontext; - opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT; + opts->selinux.mnt_opts[num_mnt_opts] = fscontext; + opts->selinux.mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT; } if (context) { - opts->mnt_opts[num_mnt_opts] = context; - opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT; + opts->selinux.mnt_opts[num_mnt_opts] = context; + opts->selinux.mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT; } if (rootcontext) { - opts->mnt_opts[num_mnt_opts] = rootcontext; - opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT; + opts->selinux.mnt_opts[num_mnt_opts] = rootcontext; + opts->selinux.mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT; } if (defcontext) { - opts->mnt_opts[num_mnt_opts] = defcontext; - opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT; + opts->selinux.mnt_opts[num_mnt_opts] = defcontext; + opts->selinux.mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT; } - opts->num_mnt_opts = num_mnt_opts; + opts->selinux.num_mnt_opts = num_mnt_opts; return 0; out_err: @@ -1184,15 +1184,15 @@ static void selinux_write_opts(struct seq_file *m, int i; char *prefix; - for (i = 0; i < opts->num_mnt_opts; i++) { + for (i = 0; i < opts->selinux.num_mnt_opts; i++) { char *has_comma; - if (opts->mnt_opts[i]) - has_comma = strchr(opts->mnt_opts[i], ','); + if (opts->selinux.mnt_opts[i]) + has_comma = strchr(opts->selinux.mnt_opts[i], ','); else has_comma = NULL; - switch (opts->mnt_opts_flags[i]) { + switch (opts->selinux.mnt_opts_flags[i]) { case CONTEXT_MNT: prefix = CONTEXT_STR; break; @@ -1218,7 +1218,7 @@ static void selinux_write_opts(struct seq_file *m, seq_puts(m, prefix); if (has_comma) seq_putc(m, '\"'); - seq_escape(m, opts->mnt_opts[i], "\"\n\\"); + seq_escape(m, opts->selinux.mnt_opts[i], "\"\n\\"); if (has_comma) seq_putc(m, '\"'); } @@ -2807,10 +2807,10 @@ static int selinux_sb_remount(struct super_block *sb, void *data) if (rc) goto out_free_secdata; - mount_options = opts.mnt_opts; - flags = opts.mnt_opts_flags; + mount_options = opts.selinux.mnt_opts; + flags = opts.selinux.mnt_opts_flags; - for (i = 0; i < opts.num_mnt_opts; i++) { + for (i = 0; i < opts.selinux.num_mnt_opts; i++) { u32 sid; if (flags[i] == SBLABEL_MNT) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index feff5290c839..2d1a3fba40eb 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -601,7 +601,7 @@ static int smack_parse_opts_str(char *options, int num_mnt_opts = 0; int token; - opts->num_mnt_opts = 0; + opts->smack.num_mnt_opts = 0; if (!options) return 0; @@ -651,43 +651,45 @@ static int smack_parse_opts_str(char *options, goto out_err; break; default: - rc = -EINVAL; pr_warn("Smack: unknown mount option\n"); - goto out_err; + break; } } - opts->mnt_opts = kcalloc(NUM_SMK_MNT_OPTS, sizeof(char *), GFP_KERNEL); - if (!opts->mnt_opts) + opts->smack.mnt_opts = kcalloc(NUM_SMK_MNT_OPTS, sizeof(char *), + GFP_KERNEL); + if (!opts->smack.mnt_opts) goto out_err; - opts->mnt_opts_flags = kcalloc(NUM_SMK_MNT_OPTS, sizeof(int), - GFP_KERNEL); - if (!opts->mnt_opts_flags) + opts->smack.mnt_opts_flags = kcalloc(NUM_SMK_MNT_OPTS, sizeof(int), + GFP_KERNEL); + if (!opts->smack.mnt_opts_flags) { + kfree(opts->smack.mnt_opts); goto out_err; + } if (fsdefault) { - opts->mnt_opts[num_mnt_opts] = fsdefault; - opts->mnt_opts_flags[num_mnt_opts++] = FSDEFAULT_MNT; + opts->smack.mnt_opts[num_mnt_opts] = fsdefault; + opts->smack.mnt_opts_flags[num_mnt_opts++] = FSDEFAULT_MNT; } if (fsfloor) { - opts->mnt_opts[num_mnt_opts] = fsfloor; - opts->mnt_opts_flags[num_mnt_opts++] = FSFLOOR_MNT; + opts->smack.mnt_opts[num_mnt_opts] = fsfloor; + opts->smack.mnt_opts_flags[num_mnt_opts++] = FSFLOOR_MNT; } if (fshat) { - opts->mnt_opts[num_mnt_opts] = fshat; - opts->mnt_opts_flags[num_mnt_opts++] = FSHAT_MNT; + opts->smack.mnt_opts[num_mnt_opts] = fshat; + opts->smack.mnt_opts_flags[num_mnt_opts++] = FSHAT_MNT; } if (fsroot) { - opts->mnt_opts[num_mnt_opts] = fsroot; - opts->mnt_opts_flags[num_mnt_opts++] = FSROOT_MNT; + opts->smack.mnt_opts[num_mnt_opts] = fsroot; + opts->smack.mnt_opts_flags[num_mnt_opts++] = FSROOT_MNT; } if (fstransmute) { - opts->mnt_opts[num_mnt_opts] = fstransmute; - opts->mnt_opts_flags[num_mnt_opts++] = FSTRANS_MNT; + opts->smack.mnt_opts[num_mnt_opts] = fstransmute; + opts->smack.mnt_opts_flags[num_mnt_opts++] = FSTRANS_MNT; } - opts->num_mnt_opts = num_mnt_opts; + opts->smack.num_mnt_opts = num_mnt_opts; return 0; out_opt_err: @@ -726,7 +728,7 @@ static int smack_set_mnt_opts(struct super_block *sb, struct inode_smack *isp; struct smack_known *skp; int i; - int num_opts = opts->num_mnt_opts; + int num_opts = opts->smack.num_mnt_opts; int transmute = 0; if (sp->smk_flags & SMK_SB_INITIALIZED) @@ -760,33 +762,33 @@ static int smack_set_mnt_opts(struct super_block *sb, sp->smk_flags |= SMK_SB_INITIALIZED; for (i = 0; i < num_opts; i++) { - switch (opts->mnt_opts_flags[i]) { + switch (opts->smack.mnt_opts_flags[i]) { case FSDEFAULT_MNT: - skp = smk_import_entry(opts->mnt_opts[i], 0); + skp = smk_import_entry(opts->smack.mnt_opts[i], 0); if (IS_ERR(skp)) return PTR_ERR(skp); sp->smk_default = skp; break; case FSFLOOR_MNT: - skp = smk_import_entry(opts->mnt_opts[i], 0); + skp = smk_import_entry(opts->smack.mnt_opts[i], 0); if (IS_ERR(skp)) return PTR_ERR(skp); sp->smk_floor = skp; break; case FSHAT_MNT: - skp = smk_import_entry(opts->mnt_opts[i], 0); + skp = smk_import_entry(opts->smack.mnt_opts[i], 0); if (IS_ERR(skp)) return PTR_ERR(skp); sp->smk_hat = skp; break; case FSROOT_MNT: - skp = smk_import_entry(opts->mnt_opts[i], 0); + skp = smk_import_entry(opts->smack.mnt_opts[i], 0); if (IS_ERR(skp)) return PTR_ERR(skp); sp->smk_root = skp; break; case FSTRANS_MNT: - skp = smk_import_entry(opts->mnt_opts[i], 0); + skp = smk_import_entry(opts->smack.mnt_opts[i], 0); if (IS_ERR(skp)) return PTR_ERR(skp); sp->smk_root = skp;