From patchwork Sat Sep 22 00:18:07 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 10612361
To: LSM, James Morris, SE Linux, LKLM, John Johansen, Kees Cook, Tetsuo Handa, Paul Moore, Stephen Smalley, "linux-fsdevel@vger.kernel.org", Alexey Dobriyan, Mickaël Salaün, Salvatore Mesoraca
From: Casey Schaufler
Message-ID: <8ea966f7-924e-b805-56e8-9ad74e7f9d86@schaufler-ca.com>
Date: Fri, 21 Sep 2018 17:18:07 -0700
Subject: [PATCH v4 07/19] TOMOYO: Abstract use of cred security blob
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

Don't use the cred->security pointer directly.
Provide helper functions that provide the security blob pointer.

Signed-off-by: Casey Schaufler
Reviewed-by: Kees Cook
--- security/tomoyo/common.h | 21 +++++++++++++++-- security/tomoyo/domain.c | 4 +++- security/tomoyo/securityfs_if.c | 15 +++++++++---- security/tomoyo/tomoyo.c | 40 +++++++++++++++++++++++++-------- 4 files changed, 64 insertions(+), 16 deletions(-) diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h index 539bcdd30bb8..c9d8c49e3210 100644 --- a/security/tomoyo/common.h +++ b/security/tomoyo/common.h @@ -29,6 +29,7 @@ #include #include #include +#include #include #include #include @@ -1062,6 +1063,7 @@ void tomoyo_write_log2(struct tomoyo_request_info *r, int len, const char *fmt, /********** External variable definitions. **********/ extern bool tomoyo_policy_loaded; +extern bool tomoyo_enabled; extern const char * const tomoyo_condition_keyword [TOMOYO_MAX_CONDITION_KEYWORD]; extern const char * const tomoyo_dif[TOMOYO_MAX_DOMAIN_INFO_FLAGS]; 
@@ -1196,6 +1198,17 @@ static inline void tomoyo_put_group(struct tomoyo_group *group) atomic_dec(&group->head.users); } +/** + * tomoyo_cred - Get a pointer to the tomoyo cred security blob + * @cred - the relevant cred + * + * Returns pointer to the tomoyo cred blob. + */ +static inline struct tomoyo_domain_info **tomoyo_cred(const struct cred *cred) +{ + return (struct tomoyo_domain_info **)&cred->security; +} + /** * tomoyo_domain - Get "struct tomoyo_domain_info" for current thread. * @@ -1203,7 +1216,9 @@ static inline void tomoyo_put_group(struct tomoyo_group *group) */ static inline struct tomoyo_domain_info *tomoyo_domain(void) { - return current_cred()->security; + struct tomoyo_domain_info **blob = tomoyo_cred(current_cred()); + + return *blob; } /** @@ -1216,7 +1231,9 @@ static inline struct tomoyo_domain_info *tomoyo_domain(void) static inline struct tomoyo_domain_info *tomoyo_real_domain(struct task_struct *task) { - return task_cred_xxx(task, security); + struct tomoyo_domain_info **blob = tomoyo_cred(get_task_cred(task)); + + return *blob; } /** diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c index f6758dad981f..b7469fdbff01 100644 --- a/security/tomoyo/domain.c +++ b/security/tomoyo/domain.c @@ -678,6 +678,7 @@ static int tomoyo_environ(struct tomoyo_execve *ee) */ int tomoyo_find_next_domain(struct linux_binprm *bprm) { + struct tomoyo_domain_info **blob; struct tomoyo_domain_info *old_domain = tomoyo_domain(); struct tomoyo_domain_info *domain = NULL; const char *original_name = bprm->filename; @@ -843,7 +844,8 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm) domain = old_domain; /* Update reference count on "struct tomoyo_domain_info". */ atomic_inc(&domain->users); - bprm->cred->security = domain; + blob = tomoyo_cred(bprm->cred); + *blob = domain; kfree(exename.name); if (!retval) { ee->r.domain = domain; 
diff --git a/security/tomoyo/securityfs_if.c b/security/tomoyo/securityfs_if.c index 1d3d7e7a1f05..768dff9608b1 100644 --- a/security/tomoyo/securityfs_if.c +++ b/security/tomoyo/securityfs_if.c @@ -71,9 +71,12 @@ static ssize_t tomoyo_write_self(struct file *file, const char __user *buf, if (!cred) { error = -ENOMEM; } else { - struct tomoyo_domain_info *old_domain = - cred->security; - cred->security = new_domain; + struct tomoyo_domain_info **blob; + struct tomoyo_domain_info *old_domain; + + blob = tomoyo_cred(cred); + old_domain = *blob; + *blob = new_domain; atomic_inc(&new_domain->users); atomic_dec(&old_domain->users); commit_creds(cred); @@ -234,10 +237,14 @@ static void __init tomoyo_create_entry(const char *name, const umode_t mode, */ static int __init tomoyo_initerface_init(void) { + struct tomoyo_domain_info *domain; struct dentry *tomoyo_dir; + if (!tomoyo_enabled) + return 0; + domain = tomoyo_domain(); /* Don't create securityfs entries unless registered. */ - if (current_cred()->security != &tomoyo_kernel_domain) + if (domain != &tomoyo_kernel_domain) return 0; tomoyo_dir = securityfs_create_dir("tomoyo", NULL); diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index 9f932e2d6852..25739888921f 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c @@ -18,7 +18,9 @@ */ static int tomoyo_cred_alloc_blank(struct cred *new, gfp_t gfp) { - new->security = NULL; + struct tomoyo_domain_info **blob = tomoyo_cred(new); + + *blob = NULL; return 0; } 
@@ -34,8 +36,13 @@ static int tomoyo_cred_alloc_blank(struct cred *new, gfp_t gfp) static int tomoyo_cred_prepare(struct cred *new, const struct cred *old, gfp_t gfp) { - struct tomoyo_domain_info *domain = old->security; - new->security = domain; + struct tomoyo_domain_info **old_blob = tomoyo_cred(old); + struct tomoyo_domain_info **new_blob = tomoyo_cred(new); + struct tomoyo_domain_info *domain; + + domain = *old_blob; + *new_blob = domain; + if (domain) atomic_inc(&domain->users); return 0; @@ -59,7 +66,9 @@ static void tomoyo_cred_transfer(struct cred *new, const struct cred *old) */ static void tomoyo_cred_free(struct cred *cred) { - struct tomoyo_domain_info *domain = cred->security; + struct tomoyo_domain_info **blob = tomoyo_cred(cred); + struct tomoyo_domain_info *domain = *blob; + if (domain) atomic_dec(&domain->users); } @@ -73,6 +82,9 @@ static void tomoyo_cred_free(struct cred *cred) */ static int tomoyo_bprm_set_creds(struct linux_binprm *bprm) { + struct tomoyo_domain_info **blob; + struct tomoyo_domain_info *domain; + /* * Do only if this function is called for the first time of an execve * operation. @@ -93,13 +105,14 @@ static int tomoyo_bprm_set_creds(struct linux_binprm *bprm) * stored inside "bprm->cred->security" will be acquired later inside * tomoyo_find_next_domain(). */ - atomic_dec(&((struct tomoyo_domain_info *) - bprm->cred->security)->users); + blob = tomoyo_cred(bprm->cred); + domain = *blob; + atomic_dec(&domain->users); /* * Tell tomoyo_bprm_check_security() is called for the first time of an * execve operation. */ - bprm->cred->security = NULL; + *blob = NULL; return 0; } 
@@ -112,8 +125,11 @@ static int tomoyo_bprm_set_creds(struct linux_binprm *bprm) */ static int tomoyo_bprm_check_security(struct linux_binprm *bprm) { - struct tomoyo_domain_info *domain = bprm->cred->security; + struct tomoyo_domain_info **blob; + struct tomoyo_domain_info *domain; + blob = tomoyo_cred(bprm->cred); + domain = *blob; /* * Execute permission is checked against pathname passed to do_execve() * using current domain. @@ -531,6 +547,8 @@ static struct security_hook_list tomoyo_hooks[] __lsm_ro_after_init = { /* Lock for GC. */ DEFINE_SRCU(tomoyo_ss); +bool tomoyo_enabled; + /** * tomoyo_init - Register TOMOYO Linux as a LSM module. * @@ -539,13 +557,17 @@ DEFINE_SRCU(tomoyo_ss); static int __init tomoyo_init(void) { struct cred *cred = (struct cred *) current_cred(); + struct tomoyo_domain_info **blob; if (!security_module_enable("tomoyo")) return 0; + tomoyo_enabled = true; + /* register ourselves with the security framework */ security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), "tomoyo"); printk(KERN_INFO "TOMOYO Linux initialized\n"); - cred->security = &tomoyo_kernel_domain; + blob = tomoyo_cred(cred); + *blob = &tomoyo_kernel_domain; tomoyo_mm_init(); return 0; }
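Review bot: In the new tomoyo_cred() helper (security/tomoyo/common.h, hunk at -1196,6 +1198,17), the cast `(struct tomoyo_domain_info **)&cred->security` drops the const from the `const struct cred *cred` argument without saying so, and callers elsewhere in this patch write through the result (`*blob = NULL;`, `*blob = domain;`). If writing through a const cred is intended here, say so in the helper's comment so the cast is not mistaken for an accident; otherwise give read-only callers an accessor that returns the value and keep the writable pointer for the paths that own a non-const cred. Separately, the kernel-doc parameter line should read `@cred: the relevant cred`, with a colon rather than " - ".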
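Review bot: tomoyo_real_domain() (security/tomoyo/common.h, hunk at -1216,7 +1231,9) now calls get_task_cred(task), which returns the cred with a reference held, and nothing in the function releases it with put_cred(), so every call leaks a cred reference. The line being replaced, `return task_cred_xxx(task, security);`, read the field without taking a reference. Either keep the read reference-free (rcu_read_lock(), `tomoyo_cred(__task_cred(task))`, copy `*blob`, rcu_read_unlock()), or hold the cred in a local, read `*blob`, and call put_cred() before returning.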
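Review bot: The `if (!tomoyo_enabled) return 0;` early return added to tomoyo_initerface_init() (security/tomoyo/securityfs_if.c, hunk at -234,10 +237,14) is not covered by the changelog, which only describes replacing direct cred->security access with a helper. With tomoyo_cred() still returning `&cred->security`, the retained `domain != &tomoyo_kernel_domain` test already returns 0 when TOMOYO is not registered, so the new flag reads as preparation for a later patch in the series. Please either explain in the commit message why the flag is needed at this point or move the tomoyo_enabled additions to the patch that depends on them.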
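Review bot: The comment left as context in tomoyo_bprm_set_creds() (security/tomoyo/tomoyo.c, hunk at -93,13 +105,14) still describes the domain as 'stored inside "bprm->cred->security"', which no longer matches the code once every access goes through tomoyo_cred(). Reword it to refer to the TOMOYO cred blob so the comment stays accurate when the blob stops being the raw cred->security pointer.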
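Review bot: `bool tomoyo_enabled;` (security/tomoyo/tomoyo.c, hunk at -531,6 +547,8) is defined as an ordinary writable global, yet in this patch it is set once in tomoyo_init() and read only in tomoyo_initerface_init(), both of which are __init functions. Mark it `__initdata` if it is only consulted during boot, or `__lsm_ro_after_init` like the tomoyo_hooks[] array shown in the same hunk's context if later patches read it at runtime, so the flag cannot be flipped after initialization. A one-line comment stating what the flag means would also help, since the declaration in common.h carries none.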