From patchwork Wed Sep 26 21:57:20 2018
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 10617943
To: LSM, James Morris, SE Linux, LKLM, John Johansen, Kees Cook, Tetsuo Handa, Paul Moore, Stephen Smalley, "linux-fsdevel@vger.kernel.org", Alexey Dobriyan, Mickaël Salaün, Salvatore Mesoraca
From: Casey Schaufler
Message-ID: <8010a7d0-c6a0-b327-d5dd-6857d6d42561@schaufler-ca.com>
Date: Wed, 26 Sep 2018 14:57:20 -0700
Subject: [PATCH 21/19] LSM: Cleanup and fixes from Tetsuo Handa
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

lsm_early_cred()/lsm_early_task() are called from only __init functions.

lsm_cred_alloc()/lsm_file_alloc() are called from only security/security.c .

lsm_early_inode() should be avoided because it is not appropriate to call panic() when lsm_early_inode() is called after __init phase.

Since all free hooks are called when one of init hooks failed, each free hook needs to check whether init hook was called.

The original changes are from Tetsuo Handa. I have made minor changes in some places, but this is mostly his code.

Signed-off-by: Casey Schaufler
---
 include/linux/lsm_hooks.h         |  6 ++----
 security/security.c               | 27 ++++-----------------------
 security/selinux/hooks.c          |  5 ++++-
 security/selinux/include/objsec.h |  2 ++
 security/smack/smack_lsm.c        |  8 +++++++-
 5 files changed, 19 insertions(+), 29 deletions(-)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 7e8b32fdf576..80146147531f 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h 
@@ -2095,13 +2095,11 @@ void __init loadpin_add_hooks(void); static inline void loadpin_add_hooks(void) { }; #endif -extern int lsm_cred_alloc(struct cred *cred, gfp_t gfp); extern int lsm_inode_alloc(struct inode *inode); #ifdef CONFIG_SECURITY -void lsm_early_cred(struct cred *cred); -void lsm_early_inode(struct inode *inode); -void lsm_early_task(struct task_struct *task); +void __init lsm_early_cred(struct cred *cred); +void __init lsm_early_task(struct task_struct *task); #endif #endif /* ! __LINUX_LSM_HOOKS_H */ diff --git a/security/security.c b/security/security.c index 76f7dc49b63c..d986045dd4c0 100644 --- a/security/security.c +++ b/security/security.c @@ -267,7 +267,7 @@ EXPORT_SYMBOL(unregister_lsm_notifier); * * Returns 0, or -ENOMEM if memory can't be allocated. */ -int lsm_cred_alloc(struct cred *cred, gfp_t gfp) +static int lsm_cred_alloc(struct cred *cred, gfp_t gfp) { if (blob_sizes.lbs_cred == 0) { cred->security = NULL; @@ -286,7 +286,7 @@ int lsm_cred_alloc(struct cred *cred, gfp_t gfp) * * Allocate the cred blob for all the modules if it's not already there */ -void lsm_early_cred(struct cred *cred) +void __init lsm_early_cred(struct cred *cred) { int rc; @@ -344,7 +344,7 @@ void __init security_add_blobs(struct lsm_blob_sizes *needed) * * Returns 0, or -ENOMEM if memory can't be allocated. */ -int lsm_file_alloc(struct file *file) +static int lsm_file_alloc(struct file *file) { if (!lsm_file_cache) { file->f_security = NULL; 
@@ -378,25 +378,6 @@ int lsm_inode_alloc(struct inode *inode) return 0; } -/** - * lsm_early_inode - during initialization allocate a composite inode blob - * @inode: the inode that needs a blob - * - * Allocate the inode blob for all the modules if it's not already there - */ -void lsm_early_inode(struct inode *inode) -{ - int rc; - - if (inode == NULL) - panic("%s: NULL inode.\n", __func__); - if (inode->i_security != NULL) - return; - rc = lsm_inode_alloc(inode); - if (rc) - panic("%s: Early inode alloc failed.\n", __func__); -} - /** * lsm_task_alloc - allocate a composite task blob * @task: the task that needs a blob @@ -466,7 +447,7 @@ int lsm_msg_msg_alloc(struct msg_msg *mp) * * Allocate the task blob for all the modules if it's not already there */ -void lsm_early_task(struct task_struct *task) +void __init lsm_early_task(struct task_struct *task) { int rc; diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 44337d2349d9..e54b7dbac775 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -332,8 +332,11 @@ static struct inode_security_struct *backing_inode_security(struct dentry *dentr static void inode_free_security(struct inode *inode) { struct inode_security_struct *isec = selinux_inode(inode); - struct superblock_security_struct *sbsec = inode->i_sb->s_security; + struct superblock_security_struct *sbsec; + if (!isec) + return; + sbsec = inode->i_sb->s_security; /* * As not all inode security structures are in a list, we check for * empty list outside of the lock to make sure that we won't waste diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index ee4471213909..8231ae02560e 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h 
@@ -180,6 +180,8 @@ static inline struct inode_security_struct *selinux_inode( const struct inode *inode) { #ifdef CONFIG_SECURITY_STACKING + if (unlikely(!inode->i_security)) + return NULL; return inode->i_security + selinux_blob_sizes.lbs_inode; #else return inode->i_security; diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 784300406b97..b0b40454174b 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -750,6 +750,13 @@ static int smack_set_mnt_opts(struct super_block *sb, if (sp->smk_flags & SMK_SB_INITIALIZED) return 0; + if (inode->i_security == NULL) { + int rc = lsm_inode_alloc(inode); + + if (rc) + return rc; + } + if (!smack_privileged(CAP_MAC_ADMIN)) { /* * Unprivileged mounts don't get to specify Smack values. @@ -818,7 +825,6 @@ static int smack_set_mnt_opts(struct super_block *sb, /* * Initialize the root inode. */ - lsm_early_inode(inode); init_inode_smack(inode, sp->smk_root); if (transmute) {
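
Review bot: In the include/linux/lsm_hooks.h hunk only the lsm_cred_alloc() prototype is dropped, yet security/security.c makes both lsm_cred_alloc() and lsm_file_alloc() static. If any header still declares lsm_file_alloc() as extern, the static definition will conflict with it at build time, so confirm there is no remaining prototype or remove it in the same hunk. The same applies to out-of-file callers: nothing visible here shows that every user of the two functions lives in security/security.c, which the commit message asserts.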
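
Review bot: The kernel-doc blocks above lsm_early_cred() and lsm_early_task() in security/security.c still read "Allocate the ... blob for all the modules if it's not already there" and do not say the functions are now __init. Add a sentence stating they may only be called during boot, since a call from non-__init code after init memory is freed would jump into discarded text. With lsm_early_inode() deleted outright, it is also worth confirming that smack_set_mnt_opts() was its only caller, as that is the only call site this patch removes.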
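
Review bot: The new "if (!isec) return;" in inode_free_security() in security/selinux/hooks.c is the only free hook this patch touches, while the commit message says each free hook needs to check whether its init hook was called. Either add the equivalent guard to the other SELinux and Smack free hooks or state in the changelog why only the inode path can be reached with an unallocated blob. Note also that this check is effective under CONFIG_SECURITY_STACKING only because of the selinux_inode() change in objsec.h, so the two hunks must not be split or backported separately.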
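
Review bot: In security/selinux/include/objsec.h, selinux_inode() can now return NULL under CONFIG_SECURITY_STACKING, but nothing documents that contract and only inode_free_security() is updated to handle it. Add a comment above the accessor saying a NULL return means the inode blob was never allocated, and audit the remaining callers of selinux_inode() for unconditional dereferences. Before this change a NULL i_security produced a small non-NULL offset pointer in the stacking case, so the guard is an improvement, but callers that relied on never seeing NULL will now fault differently.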
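
Review bot: The allocation block added to smack_set_mnt_opts() in security/smack/smack_lsm.c has no comment explaining why the root inode can arrive with inode->i_security == NULL, and it now runs before the smack_privileged(CAP_MAC_ADMIN) check instead of at "Initialize the root inode" where lsm_early_inode() was called. Add a short comment naming the path that leaves the blob unallocated, confirm that inode is already assigned this early in the function, and check that the test-then-allocate on i_security cannot run concurrently for the same inode. Returning rc rather than panicking is consistent with the reasoning in the commit message.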