From patchwork Thu Sep 20 00:21:04 2018
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 10607591
To: LSM, James Morris, SE Linux, LKLM, John Johansen, Kees Cook, Tetsuo Handa, Paul Moore, Stephen Smalley, "linux-fsdevel@vger.kernel.org", Alexey Dobriyan, Mickaël Salaün, Salvatore Mesoraca
References: <748c61cb-b6fa-c36d-a7b3-2315ff6292af@schaufler-ca.com>
From: Casey Schaufler
Message-ID: <5b95b037-521f-3402-2097-c0f9c427d235@schaufler-ca.com>
Date: Wed, 19 Sep 2018 17:21:04 -0700
In-Reply-To: <748c61cb-b6fa-c36d-a7b3-2315ff6292af@schaufler-ca.com>
Subject: [PATCH v3 10/16] LSM: Infrastructure management of the file security blob

LSM: Infrastructure management of the file security blob

Move management of the file->f_security blob out of the individual security modules and into the infrastructure. The modules no longer allocate or free the data, instead they tell the infrastructure how much space they require.

Signed-off-by: Casey Schaufler

--- include/linux/lsm_hooks.h | 1 + security/apparmor/lsm.c | 19 +++++++------- security/security.c | 54 +++++++++++++++++++++++++++++++++++--- security/selinux/hooks.c | 25 ++---------------- security/smack/smack.h | 5 ++++ security/smack/smack_lsm.c | 26 +++++++----------- 6 files changed, 78 insertions(+), 52 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 0bef312efd45..167ffbd4d0c0 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2029,6 +2029,7 @@ struct security_hook_list { */ struct lsm_blob_sizes { int lbs_cred; + int lbs_file; }; /* diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index c2566aaa138e..15716b6ff860 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c 
@@ -431,21 +431,21 @@ static int apparmor_file_open(struct file *file) static int apparmor_file_alloc_security(struct file *file) { - int error = 0; - - /* freed by apparmor_file_free_security */ + struct aa_file_ctx *ctx = file_ctx(file); struct aa_label *label = begin_current_label_crit_section(); - file->f_security = aa_alloc_file_ctx(label, GFP_KERNEL); - if (!file_ctx(file)) - error = -ENOMEM; - end_current_label_crit_section(label); - return error; + spin_lock_init(&ctx->lock); + rcu_assign_pointer(ctx->label, aa_get_label(label)); + end_current_label_crit_section(label); + return 0; } static void apparmor_file_free_security(struct file *file) { - aa_free_file_ctx(file_ctx(file)); + struct aa_file_ctx *ctx = file_ctx(file); + + if (ctx) + aa_put_label(rcu_access_pointer(ctx->label)); } static int common_file_perm(const char *op, struct file *file, u32 mask) @@ -1131,6 +1131,7 @@ static void apparmor_sock_graft(struct sock *sk, struct socket *parent) */ struct lsm_blob_sizes apparmor_blob_sizes = { .lbs_cred = sizeof(struct aa_task_ctx *), + .lbs_file = sizeof(struct aa_file_ctx), }; static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { diff --git a/security/security.c b/security/security.c index ff7df14f6db1..5430cae73cf6 100644 --- a/security/security.c +++ b/security/security.c @@ -40,6 +40,8 @@ struct security_hook_heads security_hook_heads __lsm_ro_after_init; static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain); +static struct kmem_cache *lsm_file_cache; + char *lsm_names; static struct lsm_blob_sizes blob_sizes; @@ -92,6 +94,13 @@ int __init security_init(void) */ do_security_initcalls(); + /* + * Create any kmem_caches needed for blobs + */ + if (blob_sizes.lbs_file) + lsm_file_cache = kmem_cache_create("lsm_file_cache", + blob_sizes.lbs_file, 0, + SLAB_PANIC, NULL); /* * The second call to a module specific init function * adds hooks to the hook lists and does any other early 
@@ -101,6 +110,7 @@ int __init security_init(void) #ifdef CONFIG_SECURITY_LSM_DEBUG pr_info("LSM: cred blob size = %d\n", blob_sizes.lbs_cred); + pr_info("LSM: file blob size = %d\n", blob_sizes.lbs_file); #endif return 0; @@ -277,6 +287,28 @@ static void __init lsm_set_size(int *need, int *lbs) void __init security_add_blobs(struct lsm_blob_sizes *needed) { lsm_set_size(&needed->lbs_cred, &blob_sizes.lbs_cred); + lsm_set_size(&needed->lbs_file, &blob_sizes.lbs_file); +} + +/** + * lsm_file_alloc - allocate a composite file blob + * @file: the file that needs a blob + * + * Allocate the file blob for all the modules + * + * Returns 0, or -ENOMEM if memory can't be allocated. + */ +int lsm_file_alloc(struct file *file) +{ + if (!lsm_file_cache) { + file->f_security = NULL; + return 0; + } + + file->f_security = kmem_cache_zalloc(lsm_file_cache, GFP_KERNEL); + if (file->f_security == NULL) + return -ENOMEM; + return 0; } /* @@ -962,12 +994,28 @@ int security_file_permission(struct file *file, int mask) int security_file_alloc(struct file *file) { - return call_int_hook(file_alloc_security, 0, file); + int rc = lsm_file_alloc(file); + + if (rc) + return rc; + rc = call_int_hook(file_alloc_security, 0, file); + if (unlikely(rc)) + security_file_free(file); + return rc; } void security_file_free(struct file *file) { + void *blob; + + if (!lsm_file_cache) + return; + call_void_hook(file_free_security, file); + + blob = file->f_security; + file->f_security = NULL; + kmem_cache_free(lsm_file_cache, blob); } int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg) @@ -1085,7 +1133,7 @@ int security_cred_alloc_blank(struct cred *cred, gfp_t gfp) return rc; rc = call_int_hook(cred_alloc_blank, 0, cred, gfp); - if (rc) + if (unlikely(rc)) security_cred_free(cred); return rc; } 
@@ -1106,7 +1154,7 @@ int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp) return rc; rc = call_int_hook(cred_prepare, 0, new, old, gfp); - if (rc) + if (unlikely(rc)) security_cred_free(new); return rc; } diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 641a8ce726ff..fdda53552224 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -148,7 +148,6 @@ static int __init checkreqprot_setup(char *str) __setup("checkreqprot=", checkreqprot_setup); static struct kmem_cache *sel_inode_cache; -static struct kmem_cache *file_security_cache; /** * selinux_secmark_enabled - Check to see if SECMARK is currently enabled @@ -380,27 +379,15 @@ static void inode_free_security(struct inode *inode) static int file_alloc_security(struct file *file) { - struct file_security_struct *fsec; + struct file_security_struct *fsec = selinux_file(file); u32 sid = current_sid(); - fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL); - if (!fsec) - return -ENOMEM; - fsec->sid = sid; fsec->fown_sid = sid; - file->f_security = fsec; return 0; } -static void file_free_security(struct file *file) -{ - struct file_security_struct *fsec = selinux_file(file); - file->f_security = NULL; - kmem_cache_free(file_security_cache, fsec); -} - static int superblock_alloc_security(struct super_block *sb) { struct superblock_security_struct *sbsec; @@ -3557,11 +3544,6 @@ static int selinux_file_alloc_security(struct file *file) return file_alloc_security(file); } -static void selinux_file_free_security(struct file *file) -{ - file_free_security(file); -} - /* * Check whether a task has the ioctl permission and cmd * operation to an inode. @@ -6855,6 +6837,7 @@ static void selinux_bpf_prog_free(struct bpf_prog_aux *aux) struct lsm_blob_sizes selinux_blob_sizes = { .lbs_cred = sizeof(struct task_security_struct), + .lbs_file = sizeof(struct file_security_struct), }; static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { 
@@ -6925,7 +6908,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(file_permission, selinux_file_permission), LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), - LSM_HOOK_INIT(file_free_security, selinux_file_free_security), LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), LSM_HOOK_INIT(mmap_file, selinux_mmap_file), LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr), @@ -7128,9 +7110,6 @@ static __init int selinux_init(void) sel_inode_cache = kmem_cache_create("selinux_inode_security", sizeof(struct inode_security_struct), 0, SLAB_PANIC, NULL); - file_security_cache = kmem_cache_create("selinux_file_security", - sizeof(struct file_security_struct), - 0, SLAB_PANIC, NULL); avc_init(); avtab_cache_init(); diff --git a/security/smack/smack.h b/security/smack/smack.h index 01a922856eba..62a22ad8ce92 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -361,6 +361,11 @@ static inline struct task_smack *smack_cred(const struct cred *cred) return cred->security; } +static inline struct smack_known **smack_file(const struct file *file) +{ + return file->f_security; +} + /* * Is the directory transmuting? */ diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index a06ea8aa89c4..d1430341798f 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
@@ -1571,24 +1571,12 @@ static void smack_inode_getsecid(struct inode *inode, u32 *secid) */ static int smack_file_alloc_security(struct file *file) { - struct smack_known *skp = smk_of_current(); + struct smack_known **blob = smack_file(file); - file->f_security = skp; + *blob = smk_of_current(); return 0; } -/** - * smack_file_free_security - clear a file security blob - * @file: the object - * - * The security blob for a file is a pointer to the master - * label list, so no memory is freed. - */ -static void smack_file_free_security(struct file *file) -{ - file->f_security = NULL; -} - /** * smack_file_ioctl - Smack check on ioctls * @file: the object @@ -1813,7 +1801,9 @@ static int smack_mmap_file(struct file *file, */ static void smack_file_set_fowner(struct file *file) { - file->f_security = smk_of_current(); + struct smack_known **blob = smack_file(file); + + *blob = smk_of_current(); } /** @@ -1830,6 +1820,7 @@ static void smack_file_set_fowner(struct file *file) static int smack_file_send_sigiotask(struct task_struct *tsk, struct fown_struct *fown, int signum) { + struct smack_known **blob; struct smack_known *skp; struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred)); struct file *file; @@ -1842,7 +1833,8 @@ static int smack_file_send_sigiotask(struct task_struct *tsk, file = container_of(fown, struct file, f_owner); /* we don't log here as rc can be overriden */ - skp = file->f_security; + blob = smack_file(file); + skp = *blob; rc = smk_access(skp, tkp, MAY_DELIVER, NULL); rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc); if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE)) @@ -4626,6 +4618,7 @@ static int smack_dentry_create_files_as(struct dentry *dentry, int mode, struct lsm_blob_sizes smack_blob_sizes = { .lbs_cred = sizeof(struct task_smack), + .lbs_file = sizeof(struct smack_known *), }; static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { 
@@ -4663,7 +4656,6 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid), LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security), - LSM_HOOK_INIT(file_free_security, smack_file_free_security), LSM_HOOK_INIT(file_ioctl, smack_file_ioctl), LSM_HOOK_INIT(file_lock, smack_file_lock), LSM_HOOK_INIT(file_fcntl, smack_file_fcntl),
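Review bot: security_file_free() in security/security.c returns on `if (!lsm_file_cache)` before it reaches `call_void_hook(file_free_security, file)`, while security_file_alloc() still runs the file_alloc_security hooks when no cache exists (lsm_file_alloc() sets f_security to NULL and returns 0). A module that registers file hooks without requesting lbs_file would have its alloc hook called and its free hook silently skipped. Call the hook first and guard only the kmem_cache_free(), or document that file hooks require a non-zero lbs_file. On the error path of security_file_alloc(), security_file_free() also invokes every module's free hook, including modules whose alloc hook never ran; that depends on kmem_cache_zalloc() leaving the blob zeroed and deserves a comment saying so.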
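Review bot: lsm_file_alloc() in security/security.c is defined without `static`, yet the only header this patch touches, include/linux/lsm_hooks.h, gains just the `int lbs_file;` field and no prototype. Its only caller in the patch is security_file_alloc() in the same file, so mark it static, or add the declaration here if another patch in the series calls it from elsewhere.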
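Review bot: the two `if (rc)` to `if (unlikely(rc))` changes in security_cred_alloc_blank() and security_prepare_creds() touch the cred path, not the file blob, and the commit message does not mention them. Fold them into the cred blob patch of this series or send them separately so this patch stays limited to file->f_security.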
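Review bot: apparmor_file_alloc_security() and apparmor_file_free_security() in security/apparmor/lsm.c stop calling aa_alloc_file_ctx() and aa_free_file_ctx() and open-code the spin_lock_init()/aa_get_label() and aa_put_label() steps instead, but the diffstat lists no other AppArmor file. If these were the only callers, remove the two helpers in this patch. Otherwise, keep the initialisation in one place by giving the helpers an init/teardown form that works on the infrastructure-allocated blob.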
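Review bot: with `.lbs_file = sizeof(struct smack_known *)` in smack_blob_sizes, every file on a Smack system now gets a slab object that holds a single pointer, where the removed code stored the label pointer directly in file->f_security and the deleted comment noted that "no memory is freed". The commit message should state this added per-file allocation. Separately, smack_file() in security/smack/smack.h returns file->f_security itself, which is only right while Smack's data sits at the start of what lsm_file_alloc() calls a composite blob; say so in a comment on the accessor. In smack_file_send_sigiotask() the new `blob` local is unnecessary, since `skp = *smack_file(file);` reads the same.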