From patchwork Mon Jul 16 18:24:38 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 10527577
To: LSM , LKLM , Paul Moore , Stephen Smalley , SE Linux , "SMACK-discuss@lists.01.org" , John Johansen , Kees Cook , Tetsuo Handa , James Morris
References:
 <8a325db8-e7eb-9581-2b77-fc987a165df7@schaufler-ca.com>
X-EEMSG-check-009: 444-444
From: Casey Schaufler
Message-ID: <63ea9488-d2e2-22c9-7cf3-b3358511593b@schaufler-ca.com>
Date: Mon, 16 Jul 2018 11:24:38 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <8a325db8-e7eb-9581-2b77-fc987a165df7@schaufler-ca.com>
Content-Language: en-US
X-Mailman-Approved-At: Mon, 16 Jul 2018 14:38:37 -0400
Subject: [PATCH v1 19/22] LSM: Use multiple secids in LSM interfaces
X-BeenThere: selinux@tycho.nsa.gov
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
List-Post:
List-Help:
Cc: "Schaufler, Casey"
Errors-To: selinux-bounces@tycho.nsa.gov
Sender: "Selinux"
X-Virus-Scanned: ClamAV using ClamSMTP

LSM: Use multiple secids in LSM interfaces

This is the second of two parts required to change the
security module infrastructure from using a u32 to
identify extended security attributes. There's a little
bit of stubbing at this point because the "struct secid"
is in fact a union of u32 entries, and you can only use
one at a time. Because the security API is used in many
interesting ways (audit, file systems, and a variety of
networking) the change hits a lot of places.

Signed-off-by: Casey Schaufler --- include/linux/cred.h | 3 +- include/linux/security.h | 75 ++++++++------ include/net/scm.h | 4 +- kernel/audit.c | 23 ++--- kernel/audit.h | 9 +- kernel/auditfilter.c | 4 +- kernel/auditsc.c | 42 ++++---- kernel/cred.c | 6 +- net/ipv4/ip_sockglue.c | 6 +- net/netfilter/nf_conntrack_netlink.c | 12 ++- net/netfilter/nf_conntrack_standalone.c | 6 +- net/netfilter/nfnetlink_queue.c | 9 +- net/netfilter/xt_SECMARK.c | 7 +- net/netlabel/netlabel_kapi.c | 2 +- net/netlabel/netlabel_unlabeled.c | 31 +++--- net/netlabel/netlabel_unlabeled.h | 2 +- net/netlabel/netlabel_user.c | 2 +- net/netlabel/netlabel_user.h | 2 +- net/unix/af_unix.c | 6 +- net/xfrm/xfrm_policy.c | 6 +- net/xfrm/xfrm_state.c | 2 +- security/integrity/ima/ima.h | 10 +- security/integrity/ima/ima_api.c | 5 +- security/integrity/ima/ima_appraise.c | 4 +- security/integrity/ima/ima_main.c | 22 ++--- security/integrity/ima/ima_policy.c | 11 ++- security/security.c | 124 ++++++++---------------- 27 files changed, 221 insertions(+), 214 deletions(-) diff --git a/include/linux/cred.h b/include/linux/cred.h index 631286535d0f..217814eb1925 100644 --- a/include/linux/cred.h +++ b/include/linux/cred.h @@ -23,6 +23,7 @@ struct cred; struct inode; +struct secids; /* * COW Supplementary groups list @@ -161,7 +162,7 @@ extern const struct cred *override_creds(const struct cred *); extern void revert_creds(const struct cred *); extern struct cred *prepare_kernel_cred(struct task_struct *); extern int change_create_files_as(struct cred *, struct inode *); -extern int set_security_override(struct cred *, u32); +extern int set_security_override(struct cred *cred, struct secids *secid); extern int set_security_override_from_ctx(struct cred *, const char *); extern int set_create_files_as(struct cred *, struct inode *); extern void __init cred_init(void); diff --git a/include/linux/security.h b/include/linux/security.h index 6e8e98237a79..9095f63c65a9 100644 --- a/include/linux/security.h 
+++ b/include/linux/security.h @@ -331,7 +331,7 @@ int security_inode_killpriv(struct dentry *dentry); int security_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc); int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags); int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size); -void security_inode_getsecid(struct inode *inode, u32 *secid); +void security_inode_getsecid(struct inode *inode, struct secids *secid); int security_inode_copy_up(struct dentry *src, struct cred **new); int security_inode_copy_up_xattr(const char *name); int security_file_permission(struct file *file, int mask); @@ -356,8 +356,8 @@ int security_cred_alloc_blank(struct cred *cred, gfp_t gfp); void security_cred_free(struct cred *cred); int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp); void security_transfer_creds(struct cred *new, const struct cred *old); -void security_cred_getsecid(const struct cred *c, u32 *secid); -int security_kernel_act_as(struct cred *new, u32 secid); +void security_cred_getsecid(const struct cred *c, struct secids *secid); +int security_kernel_act_as(struct cred *new, struct secids *secid); int security_kernel_create_files_as(struct cred *new, struct inode *inode); int security_kernel_module_request(char *kmod_name); int security_kernel_read_file(struct file *file, enum kernel_read_file_id id); 
@@ -368,7 +368,7 @@ int security_task_fix_setuid(struct cred *new, const struct cred *old, int security_task_setpgid(struct task_struct *p, pid_t pgid); int security_task_getpgid(struct task_struct *p); int security_task_getsid(struct task_struct *p); -void security_task_getsecid(struct task_struct *p, u32 *secid); +void security_task_getsecid(struct task_struct *p, struct secids *secid); int security_task_setnice(struct task_struct *p, int nice); int security_task_setioprio(struct task_struct *p, int ioprio); int security_task_getioprio(struct task_struct *p); @@ -385,7 +385,7 @@ int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5); void security_task_to_inode(struct task_struct *p, struct inode *inode); int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag); -void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid); +void security_ipc_getsecid(struct kern_ipc_perm *ipcp, struct secids *secid); int security_msg_msg_alloc(struct msg_msg *msg); void security_msg_msg_free(struct msg_msg *msg); int security_msg_queue_alloc(struct kern_ipc_perm *msq); @@ -414,8 +414,9 @@ int security_setprocattr(const char *lsm, const char *name, void *value, size_t size); int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); -int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); -int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); +int security_secid_to_secctx(struct secids *secid, char **secdata, u32 *seclen); +int security_secctx_to_secid(const char *secdata, u32 seclen, + struct secids *secid); void security_release_secctx(char *secdata, u32 seclen); void security_inode_invalidate_secctx(struct inode *inode); 
@@ -820,9 +821,10 @@ static inline int security_inode_listsecurity(struct inode *inode, char *buffer, return 0; } -static inline void security_inode_getsecid(struct inode *inode, u32 *secid) +static inline void security_inode_getsecid(struct inode *inode, + struct secids *secid) { - *secid = 0; + secid->secmark = 0; } static inline int security_inode_copy_up(struct dentry *src, struct cred **new) @@ -935,7 +937,8 @@ static inline void security_transfer_creds(struct cred *new, { } -static inline int security_kernel_act_as(struct cred *cred, u32 secid) +static inline int security_kernel_act_as(struct cred *cred, + struct secids *secid) { return 0; } @@ -986,9 +989,10 @@ static inline int security_task_getsid(struct task_struct *p) return 0; } -static inline void security_task_getsecid(struct task_struct *p, u32 *secid) +static inline void security_task_getsecid(struct task_struct *p, + struct secids *secid) { - *secid = 0; + secid->secmark = 0; } static inline int security_task_setnice(struct task_struct *p, int nice) @@ -1059,9 +1063,10 @@ static inline int security_ipc_permission(struct kern_ipc_perm *ipcp, return 0; } -static inline void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) +static inline void security_ipc_getsecid(struct kern_ipc_perm *ipcp, + struct secids *secid) { - *secid = 0; + secid->secmark = 0; } static inline int security_msg_msg_alloc(struct msg_msg *msg) @@ -1181,14 +1186,15 @@ static inline int security_ismaclabel(const char *name) return 0; } -static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) +static inline int security_secid_to_secctx(struct secids *secid, + char **secdata, u32 *seclen) { return -EOPNOTSUPP; } static inline int security_secctx_to_secid(const char *secdata, u32 seclen, - u32 *secid) + struct secids *secid) { return -EOPNOTSUPP; } 
@@ -1238,7 +1244,8 @@ int security_socket_shutdown(struct socket *sock, int how); int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb); int security_socket_getpeersec_stream(struct socket *sock, char __user *optval, int __user *optlen, unsigned len); -int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid); +int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, + struct secids *secid); int security_sk_alloc(struct sock *sk, int family, gfp_t priority); void security_sk_free(struct sock *sk); void security_sk_clone(const struct sock *sk, struct sock *newsk); @@ -1251,7 +1258,7 @@ void security_inet_csk_clone(struct sock *newsk, const struct request_sock *req); void security_inet_conn_established(struct sock *sk, struct sk_buff *skb); -int security_secmark_relabel_packet(u32 secid); +int security_secmark_relabel_packet(struct secids *secid); void security_secmark_refcount_inc(void); void security_secmark_refcount_dec(void); int security_tun_dev_alloc_security(void **security); @@ -1376,7 +1383,9 @@ static inline int security_socket_getpeersec_stream(struct socket *sock, char __ return -ENOPROTOOPT; } -static inline int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) +static inline int security_socket_getpeersec_dgram(struct socket *sock, + struct sk_buff *skb, + struct secids *secid) { return -ENOPROTOOPT; } @@ -1422,7 +1431,7 @@ static inline void security_inet_conn_established(struct sock *sk, { } -static inline int security_secmark_relabel_packet(u32 secid) +static inline int security_secmark_relabel_packet(struct secids *secid) { return 0; } 
@@ -1519,14 +1528,16 @@ void security_xfrm_policy_free(struct xfrm_sec_ctx *ctx); int security_xfrm_policy_delete(struct xfrm_sec_ctx *ctx); int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx); int security_xfrm_state_alloc_acquire(struct xfrm_state *x, - struct xfrm_sec_ctx *polsec, u32 secid); + struct xfrm_sec_ctx *polsec, + struct secids *secid); int security_xfrm_state_delete(struct xfrm_state *x); void security_xfrm_state_free(struct xfrm_state *x); -int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir); +int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, + struct secids *fl_secid, u8 dir); int security_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *xp, const struct flowi *fl); -int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid); +int security_xfrm_decode_session(struct sk_buff *skb, struct secids *secid); void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl); #else /* CONFIG_SECURITY_NETWORK_XFRM */ @@ -1559,7 +1570,8 @@ static inline int security_xfrm_state_alloc(struct xfrm_state *x, } static inline int security_xfrm_state_alloc_acquire(struct xfrm_state *x, - struct xfrm_sec_ctx *polsec, u32 secid) + struct xfrm_sec_ctx *polsec, + const struct secids *secid) { return 0; } @@ -1573,7 +1585,8 @@ static inline int security_xfrm_state_delete(struct xfrm_state *x) return 0; } -static inline int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir) +static inline int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, + struct secids *fl_secid, u8 dir) { return 0; } @@ -1584,7 +1597,8 @@ static inline int security_xfrm_state_pol_flow_match(struct xfrm_state *x, return 1; } -static inline int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid) +static inline int security_xfrm_decode_session(struct sk_buff *skb, + struct secids *secid) { return 0; } 
@@ -1720,8 +1734,8 @@ static inline int security_key_getsecurity(struct key *key, char **_buffer) #ifdef CONFIG_SECURITY int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule); int security_audit_rule_known(struct audit_krule *krule); -int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule, - struct audit_context *actx); +int security_audit_rule_match(struct secids *secid, u32 field, u32 op, + void *lsmrule, struct audit_context *actx); void security_audit_rule_free(void *lsmrule); #else @@ -1737,8 +1751,9 @@ static inline int security_audit_rule_known(struct audit_krule *krule) return 0; } -static inline int security_audit_rule_match(u32 secid, u32 field, u32 op, - void *lsmrule, struct audit_context *actx) +static inline int security_audit_rule_match(struct secids *secid, u32 field, + u32 op, void *lsmrule, + struct audit_context *actx) { return 0; } diff --git a/include/net/scm.h b/include/net/scm.h index 903771c8d4e3..292575f75201 100644 --- a/include/net/scm.h +++ b/include/net/scm.h @@ -32,7 +32,7 @@ struct scm_cookie { struct scm_fp_list *fp; /* Passed files */ struct scm_creds creds; /* Skb credentials */ #ifdef CONFIG_SECURITY_NETWORK - u32 secid; /* Passed security ID */ + struct secids secid; /* Passed security ID */ #endif }; @@ -96,7 +96,7 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc int err; if (test_bit(SOCK_PASSSEC, &sock->flags)) { - err = security_secid_to_secctx(scm->secid, &secdata, &seclen); + err = security_secid_to_secctx(&scm->secid, &secdata, &seclen); if (!err) { put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata); diff --git a/kernel/audit.c b/kernel/audit.c index e7478cb58079..1d3e0aa10cdf 100644 --- a/kernel/audit.c +++ b/kernel/audit.c 
@@ -141,7 +141,7 @@ static u32 audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME; /* The identity of the user shutting down the audit system. */ kuid_t audit_sig_uid = INVALID_UID; pid_t audit_sig_pid = -1; -u32 audit_sig_sid = 0; +struct secids audit_sig_sid; /* Records can be lost in several ways: 0) [suppressed in audit_alloc] @@ -1420,20 +1420,21 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) } case AUDIT_SIGNAL_INFO: len = 0; - if (audit_sig_sid) { - err = security_secid_to_secctx(audit_sig_sid, &ctx, &len); + if (secid_valid(&audit_sig_sid)) { + err = security_secid_to_secctx(&audit_sig_sid, &ctx, + &len); if (err) return err; } sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL); if (!sig_data) { - if (audit_sig_sid) + if (secid_valid(&audit_sig_sid)) security_release_secctx(ctx, len); return -ENOMEM; } sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid); sig_data->pid = audit_sig_pid; - if (audit_sig_sid) { + if (secid_valid(&audit_sig_sid)) { memcpy(sig_data->ctx, ctx, len); security_release_secctx(ctx, len); } @@ -2165,12 +2166,12 @@ void audit_log_name(struct audit_context *context, struct audit_names *n, from_kgid(&init_user_ns, n->gid), MAJOR(n->rdev), MINOR(n->rdev)); - if (n->osid != 0) { + if (secid_valid(&n->osid)) { char *ctx = NULL; u32 len; if (security_secid_to_secctx( - n->osid, &ctx, &len)) { - audit_log_format(ab, " osid=%u", n->osid); + &n->osid, &ctx, &len)) { + audit_log_format(ab, " osid=%u", n->osid.common); if (call_panic) *call_panic = 2; } else { @@ -2208,13 +2209,13 @@ int audit_log_task_context(struct audit_buffer *ab) char *ctx = NULL; unsigned len; int error; - u32 sid; + struct secids sid; security_task_getsecid(current, &sid); - if (!sid) + if (!secid_valid(&sid)) return 0; - error = security_secid_to_secctx(sid, &ctx, &len); + error = security_secid_to_secctx(&sid, &ctx, &len); if (error) { if (error != -EINVAL) goto error_path; 
diff --git a/kernel/audit.h b/kernel/audit.h index 214e14948370..246a4721577d 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -21,6 +21,7 @@ #include #include +#include #include #include #include @@ -89,7 +90,7 @@ struct audit_names { kuid_t uid; kgid_t gid; dev_t rdev; - u32 osid; + struct secids osid; struct audit_cap_data fcap; unsigned int fcap_ver; unsigned char type; /* record type */ @@ -146,7 +147,7 @@ struct audit_context { kuid_t target_auid; kuid_t target_uid; unsigned int target_sessionid; - u32 target_sid; + struct secids target_sid; char target_comm[TASK_COMM_LEN]; struct audit_tree_refs *trees, *first_trees; @@ -163,7 +164,7 @@ struct audit_context { kuid_t uid; kgid_t gid; umode_t mode; - u32 osid; + struct secids osid; int has_perm; uid_t perm_uid; gid_t perm_gid; @@ -328,7 +329,7 @@ extern char *audit_unpack_string(void **bufp, size_t *remain, size_t len); extern pid_t audit_sig_pid; extern kuid_t audit_sig_uid; -extern u32 audit_sig_sid; +extern struct secids audit_sig_sid; extern int audit_filter(int msgtype, unsigned int listtype); diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index eaa320148d97..8f69463c32ae 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -1325,7 +1325,7 @@ int audit_filter(int msgtype, unsigned int listtype) for (i = 0; i < e->rule.field_count; i++) { struct audit_field *f = &e->rule.fields[i]; pid_t pid; - u32 sid; + struct secids sid; switch (f->type) { case AUDIT_PID: @@ -1356,7 +1356,7 @@ int audit_filter(int msgtype, unsigned int listtype) case AUDIT_SUBJ_CLR: if (f->lsm_rule) { security_task_getsecid(current, &sid); - result = security_audit_rule_match(sid, + result = security_audit_rule_match(&sid, f->type, f->op, f->lsm_rule, NULL); } break; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index ceb1c4596c51..1dc426b2793d 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c 
@@ -112,7 +112,7 @@ struct audit_aux_data_pids { kuid_t target_auid[AUDIT_AUX_PIDS]; kuid_t target_uid[AUDIT_AUX_PIDS]; unsigned int target_sessionid[AUDIT_AUX_PIDS]; - u32 target_sid[AUDIT_AUX_PIDS]; + struct secids target_sid[AUDIT_AUX_PIDS]; char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN]; int pid_count; }; @@ -450,10 +450,11 @@ static int audit_filter_rules(struct task_struct *tsk, { const struct cred *cred; int i, need_sid = 1; - u32 sid; + struct secids sid; unsigned int sessionid; - cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation); + cred = rcu_dereference_check(tsk->cred, + tsk == current || task_creation); for (i = 0; i < rule->field_count; i++) { struct audit_field *f = &rule->fields[i]; @@ -636,7 +637,8 @@ static int audit_filter_rules(struct task_struct *tsk, security_task_getsecid(tsk, &sid); need_sid = 0; } - result = security_audit_rule_match(sid, f->type, + result = security_audit_rule_match(&sid, + f->type, f->op, f->lsm_rule, ctx); @@ -653,13 +655,17 @@ static int audit_filter_rules(struct task_struct *tsk, /* Find files that match */ if (name) { result = security_audit_rule_match( - name->osid, f->type, f->op, + &name->osid, f->type, f->op, f->lsm_rule, ctx); } else if (ctx) { - list_for_each_entry(n, &ctx->names_list, list) { - if (security_audit_rule_match(n->osid, f->type, - f->op, f->lsm_rule, - ctx)) { + list_for_each_entry(n, &ctx->names_list, + list) { + if (security_audit_rule_match( + &n->osid, + f->type, + f->op, + f->lsm_rule, + ctx)) { ++result; break; } @@ -668,7 +674,7 @@ static int audit_filter_rules(struct task_struct *tsk, /* Find ipc objects that match */ if (!ctx || ctx->type != AUDIT_IPC) break; - if (security_audit_rule_match(ctx->ipc.osid, + if (security_audit_rule_match(&ctx->ipc.osid, f->type, f->op, f->lsm_rule, ctx)) ++result; 
@@ -976,7 +982,7 @@ static inline void audit_free_context(struct audit_context *context) static int audit_log_pid_context(struct audit_context *context, pid_t pid, kuid_t auid, kuid_t uid, unsigned int sessionid, - u32 sid, char *comm) + struct secids *sid, char *comm) { struct audit_buffer *ab; char *ctx = NULL; @@ -1198,17 +1204,17 @@ static void show_special(struct audit_context *context, int *call_panic) context->socketcall.args[i]); break; } case AUDIT_IPC: { - u32 osid = context->ipc.osid; + struct secids osid = context->ipc.osid; audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho", from_kuid(&init_user_ns, context->ipc.uid), from_kgid(&init_user_ns, context->ipc.gid), context->ipc.mode); - if (osid) { + if (secid_valid(&osid)) { char *ctx = NULL; u32 len; - if (security_secid_to_secctx(osid, &ctx, &len)) { - audit_log_format(ab, " osid=%u", osid); + if (security_secid_to_secctx(&osid, &ctx, &len)) { + audit_log_format(ab, " osid=%u", osid.common); *call_panic = 1; } else { audit_log_format(ab, " obj=%s", ctx); @@ -1431,7 +1437,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts axs->target_auid[i], axs->target_uid[i], axs->target_sessionid[i], - axs->target_sid[i], + &axs->target_sid[i], axs->target_comm[i])) call_panic = 1; } @@ -1440,7 +1446,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts audit_log_pid_context(context, context->target_pid, context->target_auid, context->target_uid, context->target_sessionid, - context->target_sid, context->target_comm)) + &context->target_sid, context->target_comm)) call_panic = 1; if (context->pwd.dentry && context->pwd.mnt) { @@ -1585,7 +1591,7 @@ void __audit_syscall_exit(int success, long return_code) context->aux = NULL; context->aux_pids = NULL; context->target_pid = 0; - context->target_sid = 0; + secid_init(&context->target_sid); context->sockaddr_len = 0; context->type = 0; context->fds[0] = -1; 
diff --git a/kernel/cred.c b/kernel/cred.c index fa2061ee4955..362de31fcc5b 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -650,7 +650,7 @@ EXPORT_SYMBOL(prepare_kernel_cred); * Set the LSM security ID in a set of credentials so that the subjective * security is overridden when an alternative set of credentials is used. */ -int set_security_override(struct cred *new, u32 secid) +int set_security_override(struct cred *new, struct secids *secid) { return security_kernel_act_as(new, secid); } @@ -668,14 +668,14 @@ EXPORT_SYMBOL(set_security_override); */ int set_security_override_from_ctx(struct cred *new, const char *secctx) { - u32 secid; + struct secids secid; int ret; ret = security_secctx_to_secid(secctx, strlen(secctx), &secid); if (ret < 0) return ret; - return set_security_override(new, secid); + return set_security_override(new, &secid); } EXPORT_SYMBOL(set_security_override_from_ctx); diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index fc32fdbeefa6..0b9bb302e5b6 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -131,14 +131,16 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, struct sk_buff *skb, static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) { char *secdata; - u32 seclen, secid; + u32 seclen; + struct secids secid; int err; + secid_init(&secid); err = security_socket_getpeersec_dgram(NULL, skb, &secid); if (err) return; - err = security_secid_to_secctx(secid, &secdata, &seclen); + err = security_secid_to_secctx(&secid, &secdata, &seclen); if (err) return; diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 20a2e37c76d1..9b4f56e7f2cd 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c 
@@ -312,8 +312,12 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) struct nlattr *nest_secctx; int len, ret; char *secctx; + struct secids secid; - ret = security_secid_to_secctx(ct->secmark, &secctx, &len); + secid_init(&secid); + secid.common = ct->secmark; + + ret = security_secid_to_secctx(&secid, &secctx, &len); if (ret) return 0; @@ -592,8 +596,12 @@ static inline int ctnetlink_secctx_size(const struct nf_conn *ct) { #ifdef CONFIG_NF_CONNTRACK_SECMARK int len, ret; + struct secids secid; + + secid_init(&secid); + secid.common = ct->secmark; - ret = security_secid_to_secctx(ct->secmark, NULL, &len); + ret = security_secid_to_secctx(&secid, NULL, &len); if (ret) return 0; diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index b642c0b2495c..2c808149938b 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -181,8 +181,12 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) int ret; u32 len; char *secctx; + struct secids secid; - ret = security_secid_to_secctx(ct->secmark, &secctx, &len); + secid_init(&secid); + secid.common = ct->secmark; + + ret = security_secid_to_secctx(&secid, &secctx, &len); if (ret) return; diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index 4ccd2988f9db..14935dd445bf 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c 
@@ -308,13 +308,18 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata) { u32 seclen = 0; #if IS_ENABLED(CONFIG_NETWORK_SECMARK) + struct secids secid; + if (!skb || !sk_fullsock(skb->sk)) return 0; read_lock_bh(&skb->sk->sk_callback_lock); - if (skb->secmark) - security_secid_to_secctx(skb->secmark, secdata, &seclen); + if (skb->secmark) { + secid_init(&secid); + secid.common = skb->secmark; + security_secid_to_secctx(&secid, secdata, &seclen); + } read_unlock_bh(&skb->sk->sk_callback_lock); #endif diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c index 4ad5fe27e08b..afc61be750ef 100644 --- a/net/netfilter/xt_SECMARK.c +++ b/net/netfilter/xt_SECMARK.c @@ -52,12 +52,15 @@ secmark_tg(struct sk_buff *skb, const struct xt_action_param *par) static int checkentry_lsm(struct xt_secmark_target_info *info) { int err; + struct secids secid; info->secctx[SECMARK_SECCTX_MAX - 1] = '\0'; info->secid = 0; err = security_secctx_to_secid(info->secctx, strlen(info->secctx), - &info->secid); + &secid); + info->secid = secid.common; + if (err) { if (err == -EINVAL) pr_info_ratelimited("invalid security context \'%s\'\n", @@ -71,7 +74,7 @@ static int checkentry_lsm(struct xt_secmark_target_info *info) return -ENOENT; } - err = security_secmark_relabel_packet(info->secid); + err = security_secmark_relabel_packet(&secid); if (err) { pr_info_ratelimited("unable to obtain relabeling permission\n"); return err; diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c index 592ec7ba8822..cb8a2c790081 100644 --- a/net/netlabel/netlabel_kapi.c +++ b/net/netlabel/netlabel_kapi.c @@ -244,7 +244,7 @@ int netlbl_cfg_unlbl_static_add(struct net *net, return netlbl_unlhsh_add(net, dev_name, addr, mask, addr_len, - secid->common, audit_info); + secid, audit_info); } /** diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 92744f4791c4..9bf98d54b7e9 100644 --- a/net/netlabel/netlabel_unlabeled.c 
+++ b/net/netlabel/netlabel_unlabeled.c @@ -379,7 +379,7 @@ int netlbl_unlhsh_add(struct net *net, const void *addr, const void *mask, u32 addr_len, - u32 secid, + struct secids *secid, struct netlbl_audit *audit_info) { int ret_val; @@ -389,7 +389,6 @@ int netlbl_unlhsh_add(struct net *net, struct audit_buffer *audit_buf = NULL; char *secctx = NULL; u32 secctx_len; - struct secids ids; if (addr_len != sizeof(struct in_addr) && addr_len != sizeof(struct in6_addr)) @@ -422,8 +421,7 @@ int netlbl_unlhsh_add(struct net *net, const struct in_addr *addr4 = addr; const struct in_addr *mask4 = mask; - ids.common = secid; - ret_val = netlbl_unlhsh_add_addr4(iface, addr4, mask4, &ids); + ret_val = netlbl_unlhsh_add_addr4(iface, addr4, mask4, secid); if (audit_buf != NULL) netlbl_af4list_audit_addr(audit_buf, 1, dev_name, @@ -436,8 +434,7 @@ int netlbl_unlhsh_add(struct net *net, const struct in6_addr *addr6 = addr; const struct in6_addr *mask6 = mask; - ids.common = secid; - ret_val = netlbl_unlhsh_add_addr6(iface, addr6, mask6, &ids); + ret_val = netlbl_unlhsh_add_addr6(iface, addr6, mask6, secid); if (audit_buf != NULL) netlbl_af6list_audit_addr(audit_buf, 1, dev_name, @@ -511,7 +508,7 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, if (dev != NULL) dev_put(dev); if (entry != NULL && - security_secid_to_secctx(entry->secid.common, + security_secid_to_secctx(&entry->secid, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); security_release_secctx(secctx, secctx_len); @@ -572,7 +569,7 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, if (dev != NULL) dev_put(dev); if (entry != NULL && - security_secid_to_secctx(entry->secid.common, + security_secid_to_secctx(&entry->secid, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); security_release_secctx(secctx, secctx_len); 
@@ -897,7 +894,7 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb, void *addr; void *mask; u32 addr_len; - u32 secid; + struct secids secid; struct netlbl_audit audit_info; /* Don't allow users to add both IPv4 and IPv6 addresses for a @@ -926,7 +923,7 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb, return ret_val; return netlbl_unlhsh_add(&init_net, - dev_name, addr, mask, addr_len, secid, + dev_name, addr, mask, addr_len, &secid, &audit_info); } @@ -948,7 +945,7 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb, void *addr; void *mask; u32 addr_len; - u32 secid; + struct secids secid; struct netlbl_audit audit_info; /* Don't allow users to add both IPv4 and IPv6 addresses for a @@ -975,7 +972,7 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb, return ret_val; return netlbl_unlhsh_add(&init_net, - NULL, addr, mask, addr_len, secid, + NULL, addr, mask, addr_len, &secid, &audit_info); } @@ -1087,7 +1084,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, struct netlbl_unlhsh_walk_arg *cb_arg = arg; struct net_device *dev; void *data; - u32 secid; + struct secids secid; char *secctx; u32 secctx_len; @@ -1127,7 +1124,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, if (ret_val != 0) goto list_cb_failure; - secid = addr4->secid.common; + secid = addr4->secid; } else { ret_val = nla_put_in6_addr(cb_arg->skb, NLBL_UNLABEL_A_IPV6ADDR, @@ -1141,10 +1138,10 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, if (ret_val != 0) goto list_cb_failure; - secid = addr6->secid.common; + secid = addr6->secid; } - ret_val = security_secid_to_secctx(secid, &secctx, &secctx_len); + ret_val = security_secid_to_secctx(&secid, &secctx, &secctx_len); if (ret_val != 0) goto list_cb_failure; ret_val = nla_put(cb_arg->skb, 
@@ -1546,7 +1543,7 @@ int __init netlbl_unlabel_defconf(void) /* Only the kernel is allowed to call this function and the only time * it is called is at bootup before the audit subsystem is reporting * messages so don't worry to much about these values. */ - security_task_getsecid(current, &audit_info.secid.common); + security_task_getsecid(current, &audit_info.secid); audit_info.loginuid = GLOBAL_ROOT_UID; audit_info.sessionid = 0; diff --git a/net/netlabel/netlabel_unlabeled.h b/net/netlabel/netlabel_unlabeled.h index 3a9e5dc9511b..2c68e9f9de13 100644 --- a/net/netlabel/netlabel_unlabeled.h +++ b/net/netlabel/netlabel_unlabeled.h @@ -225,7 +225,7 @@ int netlbl_unlhsh_add(struct net *net, const void *addr, const void *mask, u32 addr_len, - u32 secid, + struct secids *secid, struct netlbl_audit *audit_info); int netlbl_unlhsh_remove(struct net *net, const char *dev_name, diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 415643011499..e4360d03706a 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -113,7 +113,7 @@ struct audit_buffer *netlbl_audit_start_common(int type, audit_info->sessionid); if (audit_info->secid.common != 0 && - security_secid_to_secctx(audit_info->secid.common, + security_secid_to_secctx(&audit_info->secid, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " subj=%s", secctx); diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h index 782ee194fdbd..4a397cde1a48 100644 --- a/net/netlabel/netlabel_user.h +++ b/net/netlabel/netlabel_user.h @@ -48,7 +48,7 @@ static inline void netlbl_netlink_auditinfo(struct sk_buff *skb, struct netlbl_audit *audit_info) { - security_task_getsecid(current, &audit_info->secid.common); + security_task_getsecid(current, &audit_info->secid); audit_info->loginuid = audit_get_loginuid(current); audit_info->sessionid = audit_get_sessionid(current); } 
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index 95b02a71fd47..925aa2f34d94 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -141,17 +141,17 @@ static struct hlist_head *unix_sockets_unbound(void *addr) #ifdef CONFIG_SECURITY_NETWORK static void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb) { - UNIXCB(skb).secid = scm->secid; + UNIXCB(skb).secid = scm->secid.common; } static inline void unix_set_secdata(struct scm_cookie *scm, struct sk_buff *skb) { - scm->secid = UNIXCB(skb).secid; + scm->secid.common = UNIXCB(skb).secid; } static inline bool unix_secdata_eq(struct scm_cookie *scm, struct sk_buff *skb) { - return (scm->secid == UNIXCB(skb).secid); + return (scm->secid.common == UNIXCB(skb).secid); } #else static inline void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb) diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 63fa1ff1a71d..41345fc902d3 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -1070,7 +1070,7 @@ static int xfrm_policy_match(const struct xfrm_policy *pol, match = xfrm_selector_match(sel, fl, family); if (match) ret = security_xfrm_policy_lookup(pol->security, - fl->flowi_secid.common, + &fl->flowi_secid, dir); return ret; @@ -1183,7 +1183,7 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir, goto out; } err = security_xfrm_policy_lookup(pol->security, - fl->flowi_secid.common, + &fl->flowi_secid, dir); if (!err) { if (!xfrm_pol_hold_rcu(pol)) @@ -2366,7 +2366,7 @@ int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, return -EAFNOSUPPORT; afinfo->decode_session(skb, fl, reverse); - err = security_xfrm_decode_session(skb, &fl->flowi_secid.common); + err = security_xfrm_decode_session(skb, &fl->flowi_secid); rcu_read_unlock(); return err; } diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index 30086d2eaf6f..7a58c6365bb5 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c 
@@ -1012,7 +1012,7 @@ xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr, memcpy(&x->mark, &pol->mark, sizeof(x->mark)); error = security_xfrm_state_alloc_acquire(x, pol->security, - fl->flowi_secid.common); + &fl->flowi_secid); if (error) { x->km.state = XFRM_STATE_DEAD; to_put = x; diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 354bb5716ce3..b28a0a99bffd 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -191,8 +191,9 @@ enum ima_hooks { }; /* LIM API function definitions */ -int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid, - int mask, enum ima_hooks func, int *pcr); +int ima_get_action(struct inode *inode, const struct cred *cred, + struct secids *secid, int mask, enum ima_hooks func, + int *pcr); int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func); int ima_collect_measurement(struct integrity_iint_cache *iint, struct file *file, void *buf, loff_t size, @@ -212,8 +213,9 @@ void ima_free_template_entry(struct ima_template_entry *entry); const char *ima_d_path(const struct path *path, char **pathbuf, char *filename); /* IMA policy related functions */ -int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, - enum ima_hooks func, int mask, int flags, int *pcr); +int ima_match_policy(struct inode *inode, const struct cred *cred, + struct secids *secid, enum ima_hooks func, int mask, + int flags, int *pcr); void ima_init_policy(void); void ima_update_policy(void); void ima_update_policy_flag(void); diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index a02c5acfd403..7f64aa20086d 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c 
@@ -175,8 +175,9 @@ void ima_add_violation(struct file *file, const unsigned char *filename, * Returns IMA_MEASURE, IMA_APPRAISE mask. * */ -int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid, - int mask, enum ima_hooks func, int *pcr) +int ima_get_action(struct inode *inode, const struct cred *cred, + struct secids *secid, int mask, enum ima_hooks func, + int *pcr) { int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE | IMA_HASH; diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 8bd7a0733e51..2afe49caad38 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -50,13 +50,13 @@ bool is_ima_appraise_enabled(void) */ int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func) { - u32 secid; + struct secids secid; if (!ima_appraise) return 0; security_task_getsecid(current, &secid); - return ima_match_policy(inode, current_cred(), secid, func, mask, + return ima_match_policy(inode, current_cred(), &secid, func, mask, IMA_APPRAISE | IMA_HASH, NULL); } diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index dca44cf7838e..3b18196a2b16 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -167,8 +167,8 @@ void ima_file_free(struct file *file) } static int process_measurement(struct file *file, const struct cred *cred, - u32 secid, char *buf, loff_t size, int mask, - enum ima_hooks func, int opened) + struct secids *secid, char *buf, loff_t size, + int mask, enum ima_hooks func, int opened) { struct inode *inode = file_inode(file); struct integrity_iint_cache *iint = NULL; 
@@ -333,11 +333,11 @@ static int process_measurement(struct file *file, const struct cred *cred, */ int ima_file_mmap(struct file *file, unsigned long prot) { - u32 secid; + struct secids secid; if (file && (prot & PROT_EXEC)) { security_task_getsecid(current, &secid); - return process_measurement(file, current_cred(), secid, NULL, + return process_measurement(file, current_cred(), &secid, NULL, 0, MAY_EXEC, MMAP_CHECK, 0); } @@ -360,16 +360,16 @@ int ima_file_mmap(struct file *file, unsigned long prot) int ima_bprm_check(struct linux_binprm *bprm) { int ret; - u32 secid; + struct secids secid; security_task_getsecid(current, &secid); - ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0, + ret = process_measurement(bprm->file, current_cred(), &secid, NULL, 0, MAY_EXEC, BPRM_CHECK, 0); if (ret) return ret; security_cred_getsecid(bprm->cred, &secid); - return process_measurement(bprm->file, bprm->cred, secid, NULL, 0, + return process_measurement(bprm->file, bprm->cred, &secid, NULL, 0, MAY_EXEC, CREDS_CHECK, 0); } @@ -385,10 +385,10 @@ int ima_bprm_check(struct linux_binprm *bprm) */ int ima_file_check(struct file *file, int mask, int opened) { - u32 secid; + struct secids secid; security_task_getsecid(current, &secid); - return process_measurement(file, current_cred(), secid, NULL, 0, + return process_measurement(file, current_cred(), &secid, NULL, 0, mask & (MAY_READ | MAY_WRITE | MAY_EXEC | MAY_APPEND), FILE_CHECK, opened); } @@ -468,7 +468,7 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, enum kernel_read_file_id read_id) { enum ima_hooks func; - u32 secid; + struct secids secid; if (!file && read_id == READING_FIRMWARE) { if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && 
@@ -492,7 +492,7 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, func = read_idmap[read_id] ?: FILE_CHECK; security_task_getsecid(current, &secid); - return process_measurement(file, current_cred(), secid, buf, size, + return process_measurement(file, current_cred(), &secid, buf, size, MAY_READ, func, 0); } diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index cdcc9a7b4e24..dd7021129fe7 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -258,7 +258,7 @@ static void ima_lsm_update_rules(void) * Returns true on rule match, false on failure. */ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, - const struct cred *cred, u32 secid, + const struct cred *cred, struct secids *secid, enum ima_hooks func, int mask) { int i; @@ -298,7 +298,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, return false; for (i = 0; i < MAX_LSM_RULES; i++) { int rc = 0; - u32 osid; + struct secids osid; int retried = 0; if (!rule->lsm[i].rule) @@ -309,7 +309,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, case LSM_OBJ_ROLE: case LSM_OBJ_TYPE: security_inode_getsecid(inode, &osid); - rc = security_filter_rule_match(osid, + rc = security_filter_rule_match(&osid, rule->lsm[i].type, Audit_equal, rule->lsm[i].rule, @@ -379,8 +379,9 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) * list when walking it. Reads are many orders of magnitude more numerous * than writes so ima_match_policy() is classical RCU candidate. */ -int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, - enum ima_hooks func, int mask, int flags, int *pcr) +int ima_match_policy(struct inode *inode, const struct cred *cred, + struct secids *secid, enum ima_hooks func, int mask, + int flags, int *pcr) { struct ima_rule_entry *entry; int action = 0, actmask = flags | (flags << 1); 
diff --git a/security/security.c b/security/security.c index 785cd38b1245..90e741db0a42 100644 --- a/security/security.c +++ b/security/security.c @@ -1248,12 +1248,10 @@ int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer } EXPORT_SYMBOL(security_inode_listsecurity); -void security_inode_getsecid(struct inode *inode, u32 *secid) +void security_inode_getsecid(struct inode *inode, struct secids *secid) { - struct secids ids; - - call_void_hook(inode_getsecid, inode, &ids); - *secid = ids.common; + secid_init(secid); + call_void_hook(inode_getsecid, inode, secid); } int security_inode_copy_up(struct dentry *src, struct cred **new) @@ -1461,22 +1459,16 @@ void security_transfer_creds(struct cred *new, const struct cred *old) call_void_hook(cred_transfer, new, old); } -void security_cred_getsecid(const struct cred *c, u32 *secid) +void security_cred_getsecid(const struct cred *c, struct secids *secid) { - struct secids ids; - - ids.common = 0; - call_void_hook(cred_getsecid, c, &ids); - *secid = ids.common; + secid_init(secid); + call_void_hook(cred_getsecid, c, secid); } EXPORT_SYMBOL(security_cred_getsecid); -int security_kernel_act_as(struct cred *new, u32 secid) +int security_kernel_act_as(struct cred *new, struct secids *secid) { - struct secids ids; - - ids.common = secid; - return call_int_hook(kernel_act_as, 0, new, &ids); + return call_int_hook(kernel_act_as, 0, new, secid); } int security_kernel_create_files_as(struct cred *new, struct inode *inode) @@ -1533,13 +1525,10 @@ int security_task_getsid(struct task_struct *p) return call_int_hook(task_getsid, 0, p); } -void security_task_getsecid(struct task_struct *p, u32 *secid) +void security_task_getsecid(struct task_struct *p, struct secids *secid) { - struct secids ids; - - ids.common = 0; - call_void_hook(task_getsecid, p, &ids); - *secid = ids.common; + secid_init(secid); + call_void_hook(task_getsecid, p, secid); } EXPORT_SYMBOL(security_task_getsecid); 
@@ -1619,13 +1608,10 @@ int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag) return call_int_hook(ipc_permission, 0, ipcp, flag); } -void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) +void security_ipc_getsecid(struct kern_ipc_perm *ipcp, struct secids *secid) { - struct secids ids; - - ids.common = 0; - call_void_hook(ipc_getsecid, ipcp, &ids); - *secid = ids.common; + secid_init(secid); + call_void_hook(ipc_getsecid, ipcp, secid); } int security_msg_msg_alloc(struct msg_msg *msg) @@ -1802,26 +1788,18 @@ int security_ismaclabel(const char *name) } EXPORT_SYMBOL(security_ismaclabel); -int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) +int security_secid_to_secctx(struct secids *secid, char **secdata, u32 *seclen) { - struct secids ids; - - ids.common = secid; - return call_int_hook(secid_to_secctx, -EOPNOTSUPP, &ids, secdata, + return call_int_hook(secid_to_secctx, -EOPNOTSUPP, secid, secdata, seclen); } EXPORT_SYMBOL(security_secid_to_secctx); -int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) +int security_secctx_to_secid(const char *secdata, u32 seclen, + struct secids *secid) { - struct secids ids; - int rc; - - ids.common = 0; - rc = call_int_hook(secctx_to_secid, 0, secdata, seclen, &ids); - *secid = ids.common; - - return rc; + secid_init(secid); + return call_int_hook(secctx_to_secid, 0, secdata, seclen, secid); } EXPORT_SYMBOL(security_secctx_to_secid); 
@@ -1956,16 +1934,11 @@ int security_socket_getpeersec_stream(struct socket *sock, char __user *optval, optval, optlen, len); } -int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) +int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, + struct secids *secid) { - struct secids ids; - int rc; - - rc = call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock, - skb, &ids); - *secid = ids.common; - - return rc; + return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock, + skb, secid); } EXPORT_SYMBOL(security_socket_getpeersec_dgram); @@ -2032,12 +2005,9 @@ void security_inet_conn_established(struct sock *sk, } EXPORT_SYMBOL(security_inet_conn_established); -int security_secmark_relabel_packet(u32 secid) +int security_secmark_relabel_packet(struct secids *secid) { - struct secids ids; - - ids.common = secid; - return call_int_hook(secmark_relabel_packet, 0, &ids); + return call_int_hook(secmark_relabel_packet, 0, secid); } EXPORT_SYMBOL(security_secmark_relabel_packet); @@ -2174,12 +2144,10 @@ int security_xfrm_state_alloc(struct xfrm_state *x, EXPORT_SYMBOL(security_xfrm_state_alloc); int security_xfrm_state_alloc_acquire(struct xfrm_state *x, - struct xfrm_sec_ctx *polsec, u32 secid) + struct xfrm_sec_ctx *polsec, + struct secids *secid) { - struct secids ids; - - ids.common = secid; - return call_int_hook(xfrm_state_alloc_acquire, 0, x, polsec, &ids); + return call_int_hook(xfrm_state_alloc_acquire, 0, x, polsec, secid); } int security_xfrm_state_delete(struct xfrm_state *x) 
@@ -2193,12 +2161,10 @@ void security_xfrm_state_free(struct xfrm_state *x) call_void_hook(xfrm_state_free_security, x); } -int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir) +int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, + struct secids *fl_secid, u8 dir) { - struct secids ids; - - ids.common = fl_secid; - return call_int_hook(xfrm_policy_lookup, 0, ctx, &ids, dir); + return call_int_hook(xfrm_policy_lookup, 0, ctx, fl_secid, dir); } int security_xfrm_state_pol_flow_match(struct xfrm_state *x, @@ -2225,22 +2191,19 @@ int security_xfrm_state_pol_flow_match(struct xfrm_state *x, return rc; } -int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid) +int security_xfrm_decode_session(struct sk_buff *skb, struct secids *secid) { - struct secids ids; - int rc; - - rc = call_int_hook(xfrm_decode_session, 0, skb, &ids, 1); - *secid = ids.common; - - return rc; + secid_init(secid); + return call_int_hook(xfrm_decode_session, 0, skb, secid, 1); } void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl) { - int rc = call_int_hook(xfrm_decode_session, 0, skb, &fl->flowi_secid, - 0); + int rc; + + secid_init(&fl->flowi_secid); + rc = call_int_hook(xfrm_decode_session, 0, skb, &fl->flowi_secid, 0); BUG_ON(rc); } EXPORT_SYMBOL(security_skb_classify_flow); @@ -2300,13 +2263,10 @@ void security_audit_rule_free(void *lsmrule) call_void_hook(audit_rule_free, lsmrule); } -int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule, - struct audit_context *actx) +int security_audit_rule_match(struct secids *secid, u32 field, u32 op, + void *lsmrule, struct audit_context *actx) { - struct secids ids; - - ids.common = secid; - return call_int_hook(audit_rule_match, 0, &ids, field, op, lsmrule, + return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule, actx); } #endif /* CONFIG_AUDIT */
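Review bot: ima_match_rules() and ima_match_policy() in security/integrity/ima/ima_policy.c change secid from a u32 passed by value to a struct secids pointer, but neither hunk touches the comment block that sits directly above each function. If those comments describe the secid argument, they should be updated in this patch to say that it points to a caller-owned struct secids. The same hunks keep the old scalar-style names (secid, osid) for what are now structures. That is fine for keeping the diff small, but a one-line note in the changelog would spare the next reader from assuming a u32.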
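Review bot: security_socket_getpeersec_dgram() in security/security.c (hunk at -1956,16) passes the caller's secid to the hook without calling secid_init() first, while the other wrappers that return a secid in this patch (security_inode_getsecid, security_cred_getsecid, security_task_getsecid, security_ipc_getsecid, security_secctx_to_secid, security_xfrm_decode_session) all initialise it. When no module fills the value in, the caller's struct secids is left as it was, which for a stack variable means uninitialised data alongside the -ENOPROTOOPT return. The removed code had the same gap, since ids was never set before the hook ran, so this is a good place to close it: add secid_init(secid); ahead of the call_int_hook() line.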
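Review bot: the wrappers in security/security.c that only consume a secid (security_kernel_act_as, security_secid_to_secctx, security_secmark_relabel_packet, security_xfrm_state_alloc_acquire, security_xfrm_policy_lookup, security_audit_rule_match) used to take a u32 by value and now take a plain struct secids *, so the prototype no longer tells a caller whether a module may modify the value it passes in. Consider const struct secids * for these input-only parameters, with the hook prototypes adjusted to match, or at least a comment on each stating that the secid is read and not written. That also makes the contrast with the getter wrappers, which call secid_init() and do write through the pointer, visible in the signatures.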