From patchwork Mon Jul 16 18:24:29 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 10527569 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 858F9600D0 for ; Mon, 16 Jul 2018 18:42:32 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0788A28DDD for ; Mon, 16 Jul 2018 18:42:31 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id EF94C28F52; Mon, 16 Jul 2018 18:42:30 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.3 required=2.0 tests=BAYES_00,DKIM_SIGNED, MAILING_LIST_MULTI, NO_RDNS_DOTCOM_HELO, RCVD_IN_DNSWL_MED, T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from ucol19pa09.eemsg.mail.mil (ucol19pa09.eemsg.mail.mil [214.24.24.82]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id F133728F29 for ; Mon, 16 Jul 2018 18:42:27 +0000 (UTC) X-IronPort-AV: E=Sophos;i="5.51,362,1526342400"; d="scan'208";a="736172545" Received: from emsm-gh1-uea10.ncsc.mil ([214.29.60.2]) by ucol19pa09.eemsg.mail.mil with ESMTP; 16 Jul 2018 18:42:16 +0000 X-IronPort-AV: E=Sophos;i="5.51,362,1526342400"; d="scan'208";a="13852019" IronPort-PHdr: =?us-ascii?q?9a23=3AVu5NBxxIMHR11bvXCy+O+j09IxM/srCxBDY+r6?= =?us-ascii?q?Qd1uIQLPad9pjvdHbS+e9qxAeQG9mDtbQc06L/iOPJYSQ4+5GPsXQPItRndi?= =?us-ascii?q?QuroEopTEmG9OPEkbhLfTnPGQQFcVGU0J5rTngaRAGUMnxaEfPrXKs8DUcBg?= =?us-ascii?q?vwNRZvJuTyB4Xek9m72/q99pHPYghEniaxba9vJxiqsAvdsdUbj5F/Iagr0B?= =?us-ascii?q?vJpXVIe+VSxWx2IF+Yggjx6MSt8pN96ipco/0u+dJOXqX8ZKQ4UKdXDC86PG?= =?us-ascii?q?Av5c3krgfMQA2S7XYBSGoWkx5IAw/Y7BHmW5r6ryX3uvZh1CScIMb7Vq4/Vy?= =?us-ascii?q?i84Kh3SR/okCYHOCA/8GHLkcx7kaZXrAu8qxBj34LYZYeYO/RkfqPZYNgUW2?= =?us-ascii?q?xPUMhMXCBFG4+wcpcDA+8HMOlfrYbyvVsOrRy5BQW1He/i1jFFi37r0aEjz+?= =?us-ascii?q?gtDBzN0Ag+E94StXjZqsj+OqUPXuCv1KTG0zvDYfNV1znz5ofHfRIur+yUXb?= =?us-ascii?q?9ybMbcx1UgGQzbgVWLsoHlIzGY2/4Rv2SH4edsS+SigHMnpQFrpTivw98hh5?= =?us-ascii?q?fTiYIO1F/F9ThyzpspKt24UkF7fNCkEJ9OuCGAKoB7Rd8tTHtzuCkkyrwLoo?= =?us-ascii?q?W7czQKyJs92h7fZfiHfJaS4h76SOmeOy10i25ieLK6nhu/91WrxO7kVsSszV?= =?us-ascii?q?pHoSVInsPMu3wQzRDf9MeKRuVn8ku8wTqC1gLe5vtZLU01kafXMZ8sz74qmp?= =?us-ascii?q?YNr0jOESn7k1jsgqCMbEUr4O2o5vziYrXhu5CTKZd5ihr7MqQygsy/Bvk4Mh?= =?us-ascii?q?QWU2ib5+u80Lrj8FXlQLpQlP02k7TZsIvAKcQaoK65DQhV0p095BmjFTumzN?= =?us-ascii?q?QZkmUHLFJCYh6HiZTmO0rSL/ziCPe/glCsnC9qx/DAILLhHo3AImXMnbruZ7?= =?us-ascii?q?pw61NQxBAtwd1Q+Z5YEKwNLOr2WkDrtdzYChE5Mxazw+biENh9zZ0RWWaOAq?= =?us-ascii?q?+fLaPTvkaE6fkoI+mRYo8apCjyK+M+6v7yjX42hV8dfa6z0ZsRc3C3BO5qI0?= =?us-ascii?q?qeYXrymtsBC3sFvhIiTOz2j12PSTxTZ3G0X60m+jE7CJipDYHYS4Cvh7yB2i?= =?us-ascii?q?K7EYdNZmBaFF+MC2zoe5+DW/cWZyKYOtVhnSAcVbi9V48h0gmjtA34y7V9Mu?= =?us-ascii?q?XU+TYYtZXl1Nh0+e3ejh8y9ThpD8WSyG6NUmd0nn8VRzMs26B/u0N9wE+Z0a?= =?us-ascii?q?dkm/xYCcBT5/RRXwY0NJ7cy+l6BM7oWg/acNeGVkupQtK8AT4rVtIx2dgOY0?= =?us-ascii?q?RjFNq+khDPxS2qA6Ual7aTHpw77rrc32TtJ8Z603vH1LQhj0M6TctPMm2mnL?= =?us-ascii?q?Vy9xXQB47TiUmZkbildbgE1i7X6GiD1XaOvF1fUANoTKrKQXUfZkzQrdTl+0?= =?us-ascii?q?/PVKGuBqo9MgtAyM+CLa1KZsfvjVpYWPfpIM7ebH6pm2esGRaIwauBY5f2e2?= =?us-ascii?q?oHxiXQE1QLkwcW/XmaLwc+HTuhr3jYDDNwCVLle1ns/vVmqHOnUk80yBmHYF?= =?us-ascii?q?N517Wv4B4VhOecRugL3r0eoichqi50HE65393MF9WPuRBtfKJGYdMy+F1Hz3?= =?us-ascii?q?7WtxRhPpy8KKBvnl0efB50v0PpyhV6EYZAntIprHMt0Qp+M6WY0ElOdzmAx5?= =?us-ascii?q?D/JqXXKnXu/BCoc6PZwEzR0MyX+qgR8vQ1sE/ssx2sFkY49HVnydZV2WOG5p?= =?us-ascii?q?rWFAoSTY7xUkEv+hhgur7VfzIw54zR1XxjK6W0tCHN284xDus/1hmgZ8tfML?= =?us-ascii?q?+DFALqCM0aCdKuKOsxm1i1dR8EJ+ZS9Kk6PsOjbfSG3rSnPOB+kzK6lW5H+p?= =?us-ascii?q?xy0lqQ9ypgTe7Fx5gEzOuc3gubSTj8lkyhv9vpmY9afzEdBXe/yS3+CI5WfK?= =?us-ascii?q?1ycp4BCX2yLM2v2tV+m5ntVmZe9F6iA1MG3NGmeQGJYlPnwwJQz0MXrWagmS?= =?us-ascii?q?uiwDx+iyspobaH3CzS3+TicwIKOnBKRGZ+kVfsJpK0g8oGU0ioaAgpkhSl6F?= =?us-ascii?q?3+x6haoqRwNXPTQUBScyjxNWFiXbO6tqCebM5X9JMorSJXXfy4YVCbUb79vw?= =?us-ascii?q?IW0zj9EGtaxTA7cSyqu5rikhxhkGKdLXBzrHvFdsFr3xvf4sLTReJJ1DocWC?= =?us-ascii?q?Z4kSXXBkS7P9Sx59WUkJPDsuSgWGK7SpJTdifqwJibtCum+WJqGgezn/epmt?= =?us-ascii?q?3oCQI6yzP018F2VSXUqxbxeorr2Lq8MeJ8ZURoB0Hz68xhGoF4jIQwmIsc2X?= =?us-ascii?q?8AhpWa5XAHi3v8Mc1H2aLia3oAXSYLzMTI4AjhxkJjNmiGx4TlVnqD2MtsfM?= =?us-ascii?q?S6YngI1SIn9MBGEryU7LtZnStvvlW3swzRYf9nnjcS1/Qi8ngajP8VuAA11C?= =?us-ascii?q?WSHqgSHVVEPSzrjxmI8da+o7hMaWaxd7i/yUp+kcqnDL6cvgFWQGz5dYs6HS?= =?us-ascii?q?9s8sV/N0rB0GXp5YH5fNndds4cthyIkxbAluRVJog+lvwQiSpgI2L9smUvy/?= =?us-ascii?q?Qnghx2wZG6oI+HJn1j/K2jBB5YKjr1Z8YI9zHjk6lRg8GW35q1EZV5ADULW5?= =?us-ascii?q?noQuy0HzIOr/jnMByOEDIkoHeBBbXfBROf6Fthr3/XFpCkLXWXJH0HwtV+WB?= =?us-ascii?q?mSPlZQjRsSXDokgp45DRyly9b5cEhn/DwR4ED3qgdUwOJyKxb/SnvfpBuvaj?= =?us-ascii?q?osRpifNgRZ4RxZ50jPN8ye8uVzHzpD85K7sAONL3aXZwNSDWEGQkaEHUzsPq?= =?us-ascii?q?Gy5dnc9OiVHvK+IOXVbrqQr+xeVuuIxZW034tn4TmDKNuAMmNlD/0h1UpJRW?= =?us-ascii?q?p5FNjBmzUTVywXkDrAYNWAqxu7/i13r9u/8OjwWA71/ouAFaddPc90+x+oha?= =?us-ascii?q?eDNuiQhDt2KDtDypwNxWXIyKUE3FIIhSBhbSWtEa8HtS7LVq7QnbVXDxEDYS?= =?us-ascii?q?NpKMRI97483hVKOcPDkdz117F4jvkzC1peSFPuhNqmZc0QLGG7Ll/HA1yLNL?= =?us-ascii?q?ueLz3R3873eb+8SaFXjOhMrRKwtiyUE1H9MTmYkDnpTw6gMedJjC6BPRxevJ?= =?us-ascii?q?qychFiCGT5S9LmcBK7OsdtjTIq2b00mm/KNWkEPDhgdENNq6ec7TlfgvR+BW?= =?us-ascii?q?NB6GFqLfODmymH7OnVMYoZsfxuAitoje1a+2g6x6FT7C5aWPx/gDHSocJ2o1?= =?us-ascii?q?G6jumPzSJqUBhOqjdLnIKLukFiOaTF9pZeQnvE+RMN7XmKCxsUvddlDcfvu6?= =?us-ascii?q?9IwNjViK3zMCtC887T/cYEBMjVKMaHP2Q6PBrsHz7UAgUFQiC3NWHDh0xdl/?= =?us-ascii?q?SS+WOPopg8tJfshIIESqVHW1wtCvMaFkNlEcQEIJhpRDwklaWWjM0P5XqlsB?= =?us-ascii?q?neXsNavovEVvKTG/nvLiiWjaVcbRsS3bz4NZgTNpH820F6cFl1gp/KFFTKUt?= =?us-ascii?q?BXviJhbhQ5r15M8HhkU2Iz3Ezlahu34HANFf+4hBg2hRViYe417jfj/083Jk?= =?us-ascii?q?bWpCs3iEQ+hNLlgTaXcDHsMqiwWYBWBjHuuEcvKJP7RBx5bQqonUxrLD3EXa?= =?us-ascii?q?5ej6N8dWB3jw/RoYZAFuRCTa1FfRAQ3uqaaO8y0VRGrSWmy1RH6vXZBpt/jg?= =?us-ascii?q?sqcIKsrnJa1wJlctE1ObTaJLBVwVhImqKOoiio2/g1wA8ZPUYC7mWSeS8PuE?= =?us-ascii?q?ETObkmITeo8vZr6QyYlDtJYHIMWOYyovJ26kM9PPyNzzn+3L5HK0CxMfGfLq?= =?us-ascii?q?yCtmfcks6IR08/2VkTl0lZ57R219ksc1aMXUA10LSRDwgJNdbFKQxNc8pS9X?= =?us-ascii?q?3TfSGSseXNwZN4JJiyFuHoTOCUr6kYmESkExg1H44U9MQOAoGs0F3ELcfgNL?= =?us-ascii?q?MK0xEt5AX3K1qbFPtJfRKKkDEAo8G51pB6xpJSJjAHDmV7KCm36KvXqhUsgP?= =?us-ascii?q?WdQNc8em0aUZccNnIqRM26nDZUsG9eAzmxye8W0hWN7yHiqSTKFznzdcBjZf?= =?us-ascii?q?eOaRNrEtG29i0187Kqhl7P7pXeO2b6OMxtut/S6OMao5KHBO1RTbRmrkjThZ?= =?us-ascii?q?JXR32wXG7JC9K1IILwa4Y0Z9zuFnm6SkC/iy4yT8rpJtatKKmIjh3oRYZTtI?= =?us-ascii?q?mbxygtO9agGD8EBxp+oPoO6757ZQ0Gf5U0ewXotxgkO6y5PgiYzs2kQ3yxJj?= =?us-ascii?q?tOU/lf0eK6aqRNzyU2dO+6z2AvQ4omz+mt60ENWo8FjhXfxfalaIleVSnzGn?= =?us-ascii?q?NdewXTqyo2jXJhNuMozuc53hzIrUEWMyqXe+xxdGxEo9Y8CEucIHlsFmU4R1?= =?us-ascii?q?6cjY/C4gG23LAf5CpdkMhK3uJbqnT+uYXfYD20UqyxtZrVqzYgbcQho6BpNI?= =?us-ascii?q?zsONGGtJDAkTzDTZnQtAKFXTW0FvVAnNhfPCZYQP5VmW44IswKo4xB5lQtVs?= =?us-ascii?q?0mPbxAFLEspqy2aTpjFSMd1zUZV56G3DAYgeexwLralhaRcJQ+KxMIqpNCjc?= =?us-ascii?q?UBUyRueCMRuLejV5nKl2+DUmULIQET7RhS6wIEiIBwe/7q4JbSTJ5M0DNWpO?= =?us-ascii?q?p0XTXNFplt7VT7S2WWjkP/SPSuieCp2hhSzP302NkBRBF/EVRdx/pRlkYwNL?= =?us-ascii?q?F3LKwQs5XWsjOUcEP1p3jhyO24K1lN0cfUbUH3DJLZtWrgVS0R4X8URYhRx3?= =?us-ascii?q?zECJsdjRF5Z7gxpFVQPo+pZ1zy5zo6yIR1B7O4T9ykx045rXYaQCenC9RBC/?= =?us-ascii?q?t8v1LRRDJlYourpY7gO5VKQ29c4YadqllCkEl3NC6505VcIdlX4jEQRDhPvS?= =?us-ascii?q?mdvNyqRc1fxMB5Ep4MLc17u3rmBKxEP52RrGEstbz01n/V4TY8v0mmxD+rAa?= =?us-ascii?q?+3U/pZ/3ECGgUuP2meslIvD/c2/WjP7lDAqUt0/+BGBriVkUp+vjB9HoxUBj?= =?us-ascii?q?lT0XCpNVNzTGNJs+9CMqTab9RcQ+UuZR+oIxExDvAm0FCV8Ux2gHv0bTd/uR?= =?us-ascii?q?dd+yDYQwY7TzIVgqv3lT0YtM6nJScQS4hUYjU5cyfFNwWblDhNvBlBdk5qW4?= =?us-ascii?q?oWAspe9rEf2otU4NTNRViwJiECQRNtKBg00fxBmk5fqE+YYzzSDRK0dfbTtR?= =?us-ascii?q?16ZduRrNS3I/vn4QhKkZ7nsOQk96UZXXKmhwytQdfar4Diqt2GrEyOdL33M+?= =?us-ascii?q?eke3/OUCDMjQyshbcjF5TK/TLcMBBcK5lhzXore4bhBHXOPRRbI6IbO0tbWr?= =?us-ascii?q?x7adpcpOBafNVoeKET+a9iHhiHXA/gGJSzrPlaKVbeXTbeID+H8uyxu4LT6q?= =?us-ascii?q?HSRvb7a8yQ3XnHRbl3PpBg5Tn9BbjqzZdU+lDq1fd16kN6VV/GPjiHrNTlPQ?= =?us-ascii?q?4L5c+idk74sp0oGzPWDo1wn2D2xkFcbcoXXjGl8IgFyJND9nn8U+V40lL8sO?= =?us-ascii?q?dK7blr9ZE346x1ycezParSL/VavlNgAhiQHApq7Y8hAGl4R2BWee8RM+zcfa?= =?us-ascii?q?EWgMHhsez3ELYX6BKN8exDddTHP13BmtW4CjyEVRNLhgMBpiABLguA1/+FnL?= =?us-ascii?q?R5Sd25quj4xE0t5US+Lh8cw7x344eL5LaIrvfNbxTN1bgERrTqRsTro7QooE?= =?us-ascii?q?OS4P0pmaUAemNrfgKnF/IdWdQFxmf6yqAqzzwjHN/fH776//5DTX05lCr6m5?= =?us-ascii?q?9hB1UWBu8UHb2T8IRcn2c4nvfUNtgIfaFChGmPDx+kErkNyXKx7SuYPnVliA?= =?us-ascii?q?nU0x7sWWOz8EP2rShgTCvNztbsiFBaWaWsCEdJQSWpJVF3vy+VMArvrtr3tr?= =?us-ascii?q?w/7FsqPWz8qNKNiGyhNatMEM3+P9ydLzM7pFAWjJ0tXtygw50bGd6mLdgN93?= =?us-ascii?q?Fxc+XR5Hm2ky9bpKdHnZDR7tuS+vXNEnmql7eapKmVxDBE1ng4ukky6si6Of?= =?us-ascii?q?HS+9KKQ/qp12ELTyd8ogfBRAC6qrjar1ASJEyK31zGmJQQMdFFwXY41k/n5O?= =?us-ascii?q?85QNIw7gleFZjPZ+kEpT/tPDv421GfY8g4ViOGyTtYAkr1EUVkGKg7wG/ws9?= =?us-ascii?q?zGlXHM+10vQYl8cFfnigJzD4U5L0It9VcWzzEHEQcTcxCaDKunCV7jLYQaSU?= =?us-ascii?q?gJcQ6H06SieqcrwU1zxaui6/PRbeNmG6UALepSjgmKnFhfG5IZr7ceQK5idF?= =?us-ascii?q?BB9K7bvA/iC5LoX/L+j3o/KeW1QtxG8cAer3Yi5wG/Rxy86ZdM8bkWk5WIdq?= =?us-ascii?q?9ebpjKos9880lm5TkVdixOmxhzlRW5Xv4ApOr7+NjUrIKo6vqyVKYqX+gX+A?= =?us-ascii?q?Q7B39lj5fpnV4trtfZ1+ZaSo3IhoXy6w9NI3uQt4bczRZwM+0OK5ikfLx47X?= =?us-ascii?q?UIOzAeJ24SPdqRc/Q84ShtMDXV51BYHswMZdcYPNfQlgFVi03pXqpT9snaGl?= =?us-ascii?q?KDFYdzdt4o4HDzyD8o8JswSODg5yGqJZrH9VFCI+tDjDlwlNLFvOUVwOTSBz?= =?us-ascii?q?IR4XSCbxh13z6Ny5iKC/br5+mMz8vUV1weFC4sT4hdPCaC+RCgRuetlpXmTA?= =?us-ascii?q?2U6sH3gJ8lekOfXHqxk7oZsqpWF+5PlDn71CBEFo/pn/KVr8as6GxPu11IFI?= =?us-ascii?q?Zz6hPEF7tbPpV/Ihn4jc6rRk59BiTjYs3UcAQhuPaOzOcW/+p+L1f+ZZMcIh?= =?us-ascii?q?8czrL66HlVTghpSLPtvFaWR+ERZNxgSPzaqHBZ84RgJLETPFKFvpzlsi9IqE?= =?us-ascii?q?wqAA8ucLI/tSJVdk/SnABOQKb0vLkAihcAUd5np0BDBHi8OGUk5zrITa5Vlr?= =?us-ascii?q?WeCOQJ8jWPSawDS11oMiR6QxyvwpVvdbypnfRJsm5dmyN9p/8q0yd4SxSgoy?= =?us-ascii?q?3soLkN2Skh+LG+uzUNo3tFTv+Rky3QE1VM0OwKjbsAC3bl8VG8bmcMbI/z4L?= =?us-ascii?q?l/O8vt7ogg43U6YRUmYSIGR+CgBD/qg6OPGIyPv8pWhASRt8XWcb+zMS8SO6?= =?us-ascii?q?wzyBL7XXh90xTRkwhz/WsOQzWg8MUkK5unNcYi3CqoFnDRdEwQ7aNRrMvxqV?= =?us-ascii?q?kLQfMxaVNl3mpuydCHRikXS8zUB2Y1jxQraXlecJ1d9xAWDa8ojSiUvqNe5A?= =?us-ascii?q?EbfC/UEpi5+onXhcrI3Xg9TdF3xmPZv6GFgpIq0GZ5m9Nv9SOOuW4dd+rfU8?= =?us-ascii?q?N2BXjzzIhfw/TkZ/qxquAHVJdmyLO5Xf8HKMas5Wu22JRsWk+i3bkeAVu5MO?= =?us-ascii?q?kdybffUielT3CYWOuRf2iLhTY5PVb45QO0IV0vdMdKs0g9P/PAhpFGlA3hVq?= =?us-ascii?q?h7Sz6NpV/d0GwjMeQadx85uIenZwwGVugRaPaAJeI22v0xFEMMb2PVHStxE+?= =?us-ascii?q?K2qlCtnI1nNHhh4kj3evrt/R78MNuTGxgEFojaooR3+fOkWmLScUNnmTlJGQ?= =?us-ascii?q?Eg8+bZCkR0reJXboyQgcmVgtN3zOoIX+liPDd7udMJnI9nr46O35HOOTXy6r?= =?us-ascii?q?O6cdXUpOWIRv7S1UInfklEXbcDJwD4/YM3Opg+QbKFWfNhtAkYTY09R4Ysfz?= =?us-ascii?q?Pp/bxwBBt6bwqUYbOzmMSsreWOMN8cnGPb9lI9Km/nvhQHzvGlBVhgY4uCm2?= =?us-ascii?q?T5IJd2QClI6dJqFE0iVLBiU+cBqRe3S8qPlaW6jcKh019rsO8N96zrA7bF08?= =?us-ascii?q?rvm807ZL1zzm/OMDfKD7RwmWxhj/+umbGYi9/2E8yoMYc/ccFQYSvJa6TNA5?= =?us-ascii?q?6kAjaPId7nPRYftbmG3+Q9GjeWZCaxfa2GvSu/OfMstUc8yoo+fu3TxTo24r?= =?us-ascii?q?fz09L0YGdarS6n63WOMc0bpH/HCPeWdBVTSrLR82toBqYQaojc/+cUNtkj3d?= =?us-ascii?q?3a5BN8unAK7MaZOLWm5m/F3E5yPcbDIU3mxic/HIoHOhKyNWMtxGvetHmbGn?= =?us-ascii?q?1fM9Ktb89gxtSNWFilxUB0lHplQ2lbAGvzDYOTPG8BwcOlTAuD8Q9KSdEZkL?= =?us-ascii?q?jkV1Q/s/iZQPJlK91+kuWjqbsDnMwhfyrGX8VLFzrbLLZrMD5cFKDErR4jZR?= =?us-ascii?q?tS4Ot9YZs8eZXbeBBPC0yH0y6niFqaixemfsGw1KuPPCcd+2lGyLSAyzVXug?= =?us-ascii?q?2loqzF2Z/+U73dNcDuVaaOdicoUyqVAzE7EELv/Fag6J9m9OGALzI5pVYZKj?= =?us-ascii?q?mXFBZVvrpm+NPZFWLCsfZofJQXivSXQWX7QWtzk69hY0QDrliCFtwEEwSedH?= =?us-ascii?q?r9mCxZsQ2mKOVL+CfuZqaV14JOUOwfH4VIf+fcSNKecvdbdFJK3i4BNrOaeN?= =?us-ascii?q?vR5608zkqOTWYdFPzQ80aCSUeNXvGG7ynsW4Qe5NBu/3B4vNnXmDRyCeLNNr?= =?us-ascii?q?eb4TG3q8iphSafvqvVUWx+Bi59jOEDBTyZyQJbYCEfCt4TsV3wWKPIeUtW1X?= =?us-ascii?q?wohO4vkx8BcQh+SDtvh1VHlfa6HYtSTlsZ?= X-IPAS-Result: =?us-ascii?q?A2AEAwD+5Uxb/wHyM5BSChsBAQIDAQEKAQGDHCuBCUoSK?= =?us-ascii?q?IwAX409gSGBX5JlFIFjJhSFBIJANBgBAgEBAQEBAQIBbBwMgjUkgl4DAwECF?= =?us-ascii?q?wEMEwYBAQwgCwECAwkBAUAICAMBLRQBEQYBBwUGAgEBARgEgn+BaAMVA55Ei?= =?us-ascii?q?huBaTOCcQEBBYECAQFfgjUDgycIF4dUgy2BESeBbEmEfQEHCwGFdYdnhHI9L?= =?us-ascii?q?owaCY8haodVhSyMP4JahDw4YXFNIxU7gmmCJReDRYocAVVPfIpggjkBAQ?= Received: from tarius.tycho.ncsc.mil (HELO tarius.infosec.tycho.ncsc.mil) ([144.51.242.1]) by EMSM-GH1-UEA10.NCSC.MIL with ESMTP; 16 Jul 2018 18:42:14 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus.infosec.tycho.ncsc.mil [192.168.25.40]) by tarius.infosec.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id w6GIgDKJ023767; Mon, 16 Jul 2018 14:42:13 -0400 Received: from tarius.infosec.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id w6GIP8sW024400 for ; Mon, 16 Jul 2018 14:25:08 -0400 Received: from goalie.tycho.ncsc.mil (goalie.infosec.tycho.ncsc.mil [144.51.242.250]) by tarius.infosec.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id w6GIPH7l020930 for ; Mon, 16 Jul 2018 14:25:17 -0400 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A1CWAgCx4UxblywWGNZSChwBAQEEAQEKA?= =?us-ascii?q?QGDGyuBZSiDfIgEX4tdgWCBIYFfkmWBeoR3AkKCHyE0GAECAQEBAQEBAhQBAQE?= =?us-ascii?q?BAQgWBkyFQwMDGgEIBBkBATcBDyUCJgICRRIGAQwGAgEBgxyBaAMVA549ihtue?= =?us-ascii?q?zOCcQEBBYECAQFfgjQDgycIF3SGYIEXghaBESeBbEmFBYMsglWHZ4RyPS6MGgm?= =?us-ascii?q?PIWqHVYUsjD+CWoQ8ggpNIxU7gmmCGQwOCRGDNIocAVVPjhUBAQ?= X-IPAS-Result: =?us-ascii?q?A1CWAgCx4UxblywWGNZSChwBAQEEAQEKAQGDGyuBZSiDfIg?= =?us-ascii?q?EX4tdgWCBIYFfkmWBeoR3AkKCHyE0GAECAQEBAQEBAhQBAQEBAQgWBkyFQwMDG?= =?us-ascii?q?gEIBBkBATcBDyUCJgICRRIGAQwGAgEBgxyBaAMVA549ihtuezOCcQEBBYECAQF?= =?us-ascii?q?fgjQDgycIF3SGYIEXghaBESeBbEmFBYMsglWHZ4RyPS6MGgmPIWqHVYUsjD+CW?= =?us-ascii?q?oQ8ggpNIxU7gmmCGQwOCRGDNIocAVVPjhUBAQ?= X-IronPort-AV: E=Sophos;i="5.51,362,1526356800"; d="scan'208";a="324741" Received: from emsm-gh1-uea10.ncsc.mil ([214.29.60.34]) by goalie.tycho.ncsc.mil with ESMTP; 16 Jul 2018 14:25:16 -0400 IronPort-PHdr: =?us-ascii?q?9a23=3AjoFdghZfeeEfyY6mmkVYbBT/LSx+4OfEezUN45?= =?us-ascii?q?9isYplN5qZps67YB7h7PlgxGXEQZ/co6odzbaO7ea4ASQp2tWoiDg6aptCVh?= =?us-ascii?q?sI2409vjcLJ4q7M3D9N+PgdCcgHc5PBxdP9nC/NlVJSo6lPwWB6nK94iQPFR?= =?us-ascii?q?rhKAF7Ovr6GpLIj8Swyuu+54Dfbx9HiTahYL5+Ngm6oRnMvcQKnIVuLbo8xA?= =?us-ascii?q?HUqXVSYeRWwm1oJVOXnxni48q74YBu/SdNtf8/7sBMSar1cbg2QrxeFzQmLn?= =?us-ascii?q?s65Nb3uhnZTAuA/WUTX2MLmRdVGQfF7RX6XpDssivms+d2xSeXMdHqQb0yRD?= =?us-ascii?q?+v9LlgRgP2hygbNj456GDXhdJ2jKJHuxKquhhzz5fJbI2JKPZye6XQctQYSm?= =?us-ascii?q?VbXsZRUCtBDpqlY4YTAecMPPtUo5Dhq1cTsBCyARegCP/qxjJOm3T437A10/?= =?us-ascii?q?45HA/bwgIgEdIAvnfaotr7O6gdU/y6wqbTwDXfbf5bwyvx5JTGfx0jp/yHQL?= =?us-ascii?q?J+cdDWyUkqDw7IkE+fqZf7MDKVy+8DrnSU7+p6WuKyhW4nrx9+oiKyzcorlo?= =?us-ascii?q?bGnJkVxU7E9Chi24Y6Od24R1RmYd6qFJtfqTuaO5JqTcw4WW1npCE6yrgftJ?= =?us-ascii?q?O9YSMEy4wnygbBZ/CafIWE+AzvWemLLTtmmn5pYr2yihmq/UWhyODwTNS43V?= =?us-ascii?q?dOoyZfk9TBtmoB2wLN5sWITPZ2412v1iyV1w/J7+FJOUA0mrTfK54m2rM/mI?= =?us-ascii?q?cdvFjdECL4hkj4lrObelkl9+Sy9evofLDmpoSTN4NujwHxKKUumsilDeQ9Mw?= =?us-ascii?q?gOW3CX+eW61LL94U30WKtGguA5n6XDrpzXKt4XqrCnDwNP3Ysu5A6zDzK839?= =?us-ascii?q?QZmXkHIkhFeBWCj4XxJ17BOuv4Aum/glm3izdk2/DGMaf8ApXDKnjMjq3hca?= =?us-ascii?q?9h5EFG0gY80ddf55dMBrEbPP3zQlPxtMDfDhIhKAy73eLnCNR71oMDVmOCGb?= =?us-ascii?q?OZMaPOvl+I4eIjOe+MZJQPtzrnJPgl4ODu3jcFngo5RozhiZ8Wbm2oW+9rKF?= =?us-ascii?q?iDYGb9x9IGHXoOsyIgQ+Hwzl6PSzheYzC1Ra1qonkfK6aDRdPHR4awkPmC0T?= =?us-ascii?q?29E5l+eG9LEBaPHG3ueoHCXO0DPmbaGsZ8lnQhUr+7Rsd1zRizsCfiwqdja+?= =?us-ascii?q?/T/TcV85nk0Y4xr9bPmAky+Do8NMGU12WAXikghW8TbyMn16B450pmwxGM1r?= =?us-ascii?q?Yux7RjOJR35vVUQk9uLpPYzupnG/juSwnBeZGPU1/gTdK4V3V5BOkU6vQtJk?= =?us-ascii?q?p8AN6/lQvr2yuxH6RTz+XNA4Y7uOqI5F3YDOU4x3fd37Q6lHEiQ9BTLiv+3+?= =?us-ascii?q?h47QeFQ8brlEWf34Stda0axyPLvDOBymqI+kNfUAd2SqjDdXsWYEzQrN/w4g?= =?us-ascii?q?XJSLr4TfwEPwZageWFLagCPt7kgE5NQ/DgEN/eeWW0mnq1QxGSyeXIJLbnZ3?= =?us-ascii?q?4A2239AU4ImkhH5XuAOhU/AGKirnjYAThGFBfrZF3ht/J3q26hRwkywkeIdx?= =?us-ascii?q?sln5i8/xMOzdmbUekSxfpQuiImsS91B3671tfbCpyHvQU3L4tGZtZoy15c2H?= =?us-ascii?q?ORjAd9N4GuK614zgoVeh96rmv13BV+F4tEnNJvp3psxw13f/HLmGhdfi+ViM?= =?us-ascii?q?ijcobcLXP/qVX/M/SMiFjDzNab/LsO4/0kqlLl+RukDVcm7249iIQHzniR4s?= =?us-ascii?q?ybFANKDdT8X0Ms+F5/rrDeJCw849CczmViZI+ztDKKwNc1HK090B/1dN5EPb?= =?us-ascii?q?KsDwTyGtAUA8W0becj3VOua0FMJ/hcoYgzOc7ubP6awOiuNedkkiihiDFM6Z?= =?us-ascii?q?tww2qX/Cp1V+DM0oxAyPje1QyCBH/nlFn0lMfxlMhfYC0KWGqyzS+xHIlKeq?= =?us-ascii?q?h7ZpoGE0+1JMu2zY4m3du3CzhT81i4AklA3caofVyddgW7zARQ0kNRqnuiym?= =?us-ascii?q?O0zD1xxikgtbHXnDfPzOLraAcdNyZVSXNjg1bhLcn8j90TUEWyKQl8vAqs5U?= =?us-ascii?q?H9gaNcoak=3D?= X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0BkAgBg4kxblywWGNZSChwBAQEEAQE?= =?us-ascii?q?KAQGDGyuBZSiDfIgEX4tdgWCBIYFfkmWBeoR3AkKCHyE0GAECAQEBAQEBAgE?= =?us-ascii?q?TAQEBAQEIFgZMDII1JIJeAwMaAQgEGQEBNwEPJQImAgJFEgYBDAYCAQGDHIF?= =?us-ascii?q?oAxUDnj6KG257M4JxAQEFgQIBAV+CNAODJwgXdIZggReCFoERJ4FsSYUFgyy?= =?us-ascii?q?CVYdnhHI9LowaCY8haodVhSyMP4JahDyCCk0jFTuCaYIZDA4JEYM0ihwBVU+?= =?us-ascii?q?OFQEB?= X-IPAS-Result: =?us-ascii?q?A0BkAgBg4kxblywWGNZSChwBAQEEAQEKAQGDGyuBZSiDf?= =?us-ascii?q?IgEX4tdgWCBIYFfkmWBeoR3AkKCHyE0GAECAQEBAQEBAgETAQEBAQEIFgZMD?= =?us-ascii?q?II1JIJeAwMaAQgEGQEBNwEPJQImAgJFEgYBDAYCAQGDHIFoAxUDnj6KG257M?= =?us-ascii?q?4JxAQEFgQIBAV+CNAODJwgXdIZggReCFoERJ4FsSYUFgyyCVYdnhHI9LowaC?= =?us-ascii?q?Y8haodVhSyMP4JahDyCCk0jFTuCaYIZDA4JEYM0ihwBVU+OFQEB?= X-IronPort-AV: E=Sophos;i="5.51,362,1526342400"; d="scan'208";a="13850979" X-IronPort-Outbreak-Status: No, level 0, Unknown - Unknown Received: from usat3cpa06.eemsg.mail.mil ([214.24.22.44]) by EMSM-GH1-UEA10.NCSC.MIL with ESMTP; 16 Jul 2018 18:25:15 +0000 X-EEMSG-check-005: 0 X-EEMSG-check-006: 000-001;f5b48055-b68f-4f9d-9d3b-16bb0ce68891 Authentication-Results: ukel19pa04.eemsg.mail.mil; spf=None smtp.pra=casey@schaufler-ca.com; spf=None smtp.mailfrom=casey@schaufler-ca.com; spf=None smtp.helo=postmaster@sonic302-28.consmr.mail.gq1.yahoo.com; dkim=pass (signature verified) header.i=@yahoo.com X-EEMSG-check-008: 331399023|UKEL19PA04_EEMSG_MP1.csd.disa.mil X-EEMSG-SBRS: 3.5 X-EEMSG-ORIG-IP: 98.137.68.154 X-EEMSG-check-002: true IronPort-PHdr: =?us-ascii?q?9a23=3AzWvJohC4EZjgbWp6rzDAUyQJP3N1i/DPJgcQr6Af?= =?us-ascii?q?oPdwSP35o86wAkXT6L1XgUPTWs2DsrQY07SQ6/iocFdDyK7JiGoFfp1IWk1Nou?= =?us-ascii?q?QttCtkPvS4D1bmJuXhdS0wEZcKflZk+3amLRodQ56mNBXdrXKo8DEdBAj0OxZr?= =?us-ascii?q?KeTpAI7SiNm82/yv95HJbAhEmDuwbaluIBmqsA7cqtQYjYx+J6gr1xDHuGFIe+?= =?us-ascii?q?NYxWNpIVKcgRPx7dqu8ZBg7ipdpesv+9ZPXqvmcas4S6dYDCk9PGAu+MLrrxjD?= =?us-ascii?q?QhCR6XYaT24bjwBHAwnB7BH9Q5fxri73vfdz1SWGIcH7S60/VC+85Kl3VhDnlC?= =?us-ascii?q?YHNyY48G7JjMxwkLlbqw+lqxBm3oLYfJ2ZOP94c6zaf9wVX2pBXsFWVyBYG4+x?= =?us-ascii?q?c4UCAuscMepBs4XxukYFoR+gCQWwAe/izCJDiH3r0q0gy+kvDB/I3AIgEdwNvn?= =?us-ascii?q?rbotr6O6UOXu6616TI0TfOYulK1Tvh5oXFcBYsquyMU7JqdsrRzFEiGh3fgVWL?= =?us-ascii?q?t4PkPy6e2PkRvGib9eVgSOyvi2o5pAFrvzOiwdsjhZPSho0LylHJ7j55z5o1Jd?= =?us-ascii?q?KiVU57b9qkH4VKty2DK4R5WNkuTH1vuCY/07ALv4OwcisSyJk/wxPSaOaLf5WG?= =?us-ascii?q?7x/hTuqcIDR1iGh4dL+/iBu+6Umtx+/mWsWp0VtHqjBJn9jMu3wXyRDf9MeKR/?= =?us-ascii?q?1g9Um7wzmPzRrc6uRcLEA0i6XbL5khz6YrlpoUt0TDHzP5lUvqgKOIb0ko5Oul?= =?us-ascii?q?5/77bbXhoJ+cLIp0ihvkPqQrgMO/AOA4PhIBX2iC5Oiwzr3i8lf5QLVNif06iL?= =?us-ascii?q?XWsJffJcgDp665BRFa0po75hu7DDqqyskUkHcFIV5feR+KjJLlN0zOLf33Ffu/?= =?us-ascii?q?hk6jkDZvx/DIJL3hBZDNI2Dfn7j7ZrZy9U5dxREozd9D55JbEKwBIPz3WkDvrt?= =?us-ascii?q?zUFwM2PBauz+n7D9V905sSWXiTDa+BLKPSrViI6/o0I+aSYI8VuTD9K+Uq5vP1?= =?us-ascii?q?kX84mUMSfamu3ZcNbnC4Be5pL1+WYXrrnNdSWVsN6y4FaaS+jFyETC4WfHu5Qr?= =?us-ascii?q?g9+iB+DYWqEIPObp6ijabH3yqhGJBSIGdcBQbIWVPLU6DMD/MNbj+CZ8xsiDoJ?= =?us-ascii?q?UZC/RII7kxKjrgn3z/xgNOWCvmUgvI/nnP1y4Pfe3UUq/CFwJ9yUzmXISmZzhG?= =?us-ascii?q?5OTDgziuQ3mlBw0leO1+BDhvVcEdFCr6dSXhwSKY/Xz+s8Dcv7HA3GYIHNAG2L?= =?us-ascii?q?CvGnBywhBoYqztsPZVttM8mzhRDEmSyxCvkakKLdQNR+yYf19Fu0K8dmwGvdz4?= =?us-ascii?q?EljkI6WY0XbCuhnKE1v1zoIqfisACVlr2haL8H9CrM73uYizLX+kZCX1g0GYfC?= =?us-ascii?q?XXZXREzWpNLi60WKG72pCbJhMAxBwMiZJ61iYdTvilNHT/7nft/ZZjT100S9CA?= =?us-ascii?q?3A7bSLb8K+eGgQxy7aD0ssmAAJ+nOHKA14AT2u9SaWMDFyDk/oK2Pl9+V34Cej?= =?us-ascii?q?Q0k70gCMKk5szby4/jYUwPibVf5VxbsHpT0o7TN5WlSliZaeKdOFqhEpWaJGe9?= =?us-ascii?q?ImqANF0GXDrQ1mFpqpKq1jwFkEfFIkkVnp0kBcA55NgIARp3Mj0QR2JLjQhFhI?= =?us-ascii?q?bD6J9Yv7OrTKJG3/5lWkYujd3VSIg4XewbsG9Plt8warhwquDEd3tiU/iogH4z?= =?us-ascii?q?6n/pzPSTEqf9f0W0cz+QJ9ouiKMDI254rJ23lhK+y/u3nJ3Nd7XLJ5mCblRM9W?= =?us-ascii?q?Nea/LCG3C9cTXpj8M+cqkkWnah8eeetbsqUzOpH+LqbU6OuQJO9l2QmeoyFH7Y?= =?us-ascii?q?R6iRPe7C16S+WTh8xAmaHe1QyBTDLmylKos8SxlpkdIyAbHm24jyPjAdwJaw?= =?us-ascii?q?=3D=3D?= X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0DVAQAo4kxbh5pEiWJSChwBAQEEAQEKA?= =?us-ascii?q?QGDG4IQKIN8iARfjT2BIYFfkmWBeoR3AkKCHxkGBjAYAQIBAQEBAQEBAQETAQE?= =?us-ascii?q?BCA0JCCkjDII1JIJeAwMaAQgEGQEBNwEPJQImAgJFEgYBDAYCAQGDHIFoAxWeQ?= =?us-ascii?q?YobbnszgnEBAQWBAgEBX4I0A4MnCBd0hmCDLYERJ4FsSQeEfoMsglWHZ4RyPS6?= =?us-ascii?q?MGgmPIWqHVYUsjD+CWoQ8ggpNIxU7gmmCGQwOCYNFihwBVR8wjhUBAQ?= X-IPAS-Result: =?us-ascii?q?A0DVAQAo4kxbh5pEiWJSChwBAQEEAQEKAQGDG4IQKIN8iAR?= =?us-ascii?q?fjT2BIYFfkmWBeoR3AkKCHxkGBjAYAQIBAQEBAQEBAQETAQEBCA0JCCkjDII1J?= =?us-ascii?q?IJeAwMaAQgEGQEBNwEPJQImAgJFEgYBDAYCAQGDHIFoAxWeQYobbnszgnEBAQW?= =?us-ascii?q?BAgEBX4I0A4MnCBd0hmCDLYERJ4FsSQeEfoMsglWHZ4RyPS6MGgmPIWqHVYUsj?= =?us-ascii?q?D+CWoQ8ggpNIxU7gmmCGQwOCYNFihwBVR8wjhUBAQ?= Received: from sonic302-28.consmr.mail.gq1.yahoo.com ([98.137.68.154]) by ukel19pa04.eemsg.mail.mil with ESMTP; 16 Jul 2018 18:24:35 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1531765473; bh=B73ucgKFKcDm5OzYtU155tatfDqFwqMkhT1XnmtkA7I=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=meyVOYGMUgGuXtSbXBBGcXwzn0GtQTMWRCFgezF4zCx/Di5GizZeUcesGPcR1kC19PYV2aoDanYCq3FppBHs29/E6O558/BTNHAtBVtiskSd5p6dL55IAyIpgTZ/X8a21EIZLL6fnoyBWcm5mZQ0Lj2nCNq2eKgpuQNhnUsDNf9WY02zvHmdDgZ4Rm0Kfks2wc+mF+XivxvugqR/DLADVdvd4mLie1emb3ENTd8OBlthw6rAdYi0aIqUXX3BZQg5EMpf9C4RwBDMmw19qINVU0UtqT0NcrLJ8ZHkSdnOER7Acx7UHO3A4bOFvnPgPht+6JkcF8tcFFwjeYd/6Nlc9g== X-YMail-OSG: XOOGI2wVM1kOufAvCmIZ7F0mm8OiHMHURpEQAiXXUc8xnxMeLLnU.LvtOVVqL97 OtYqv9.2_iGMJzYtweO4lvJgneSftse12eL.DLKnQx0ihv_s9PUfnaz6ZnPHfq9Q6nTJ13nM835l 9UmPmHL27utOro7j3sSoaRr6cJpgLETv3RN4uFSWnzOe4S3.aVAlB6KFI4vVCb2UMRXFWx6J1JEo fkrT8MMwazjZ8f.ZREW82M7NzT4p0Q5EDb6gsoWggYGsCsUp_vQmJpRxbkNuvrQ5wZSZ33qzz6E6 _Q1kcwvQN5O5yoJkohWWs1F.p8PA6q3sTTYKgwbx.KqXG.xCLjX89_r7PI2ioscANXioc1BH.hwW Ha6c5gFOsw7p6CFHbHI6VHgfahy_e17x89BV7.1MqAu1qBsq6pr5bV.1amRGxvB7DSb_aU..a_yZ DJRyk2zmuVdtpZ8GGTZgKwct_a0UkQpmlgOr45n2DcN94Wb4D9ri7Kbw75jejazKL7u2mmIvH2Bl aNNoM9NdqmAYhB6QlXJtEfYuYIESObR6hbglQ8cKxpYCIQQTfsN7XKhiyJE4W6SZ5kcWCHd1aHmO AbBy0mx.OWK_J7YPM_msbWuGdOZZ2nZW2Mci1cQAGtPJMOE68Ceky6EetW9aM6hu2h9zvFD3CqO. Vr_lv32IzZdyslLNRMLy.8gM38XB_63CXYn10y1dAJNHrEOZDayY0QMX87H.ViT7P1boLZaESYBZ uBtISZQbA.B5E2RNVV5YYALyaMKlWsozRdbJjqRa3EOJ3CD0RJhRIv.YDp8hpKo0HAS5nqUgs6oZ 3Mb386oa2cG7G7j4pBGRpCBZJxbsjqVBSsRu9vQfbSQpC922O1xIcWrTeJY2jnNKl.rN_EN9dRGm ZlXK8JaDz18VjBN4SFjrj1Y8lIGhxZpY5YhMQlROHzUrLjmxSNduP_xVlF_qWpX307o7wzxv9_s2 Ce0tepbYi5DKvmNJ62LFqucARujz7VfMMe9ct8pVDToJXlWJb61d7yH4Rl7eiI78C5m2jJWhxWRJ tLAr4nuripueuvTZUNc6eEiYz_ndThc0- Received: from sonic.gate.mail.ne1.yahoo.com by sonic302.consmr.mail.gq1.yahoo.com with HTTP; Mon, 16 Jul 2018 18:24:33 +0000 Received: from c-67-169-65-224.hsd1.ca.comcast.net (EHLO [192.168.0.100]) ([67.169.65.224]) by smtp414.mail.gq1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID e75205420c505ed87b7e6a2b9b9b84a3; Mon, 16 Jul 2018 18:24:32 +0000 (UTC) To: LSM , LKLM , Paul Moore , Stephen Smalley , SE Linux , "SMACK-discuss@lists.01.org" , John Johansen , Kees Cook , Tetsuo Handa , James Morris References: <8a325db8-e7eb-9581-2b77-fc987a165df7@schaufler-ca.com> X-EEMSG-check-009: 444-444 From: Casey Schaufler Message-ID: Date: Mon, 16 Jul 2018 11:24:29 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <8a325db8-e7eb-9581-2b77-fc987a165df7@schaufler-ca.com> Content-Language: en-US X-Mailman-Approved-At: Mon, 16 Jul 2018 14:38:37 -0400 Subject: [PATCH v1 18/22] LSM: Use multiple secids in security module interfaces X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.21 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: Cc: "Schaufler, Casey" Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP LSM: Use multiple secids in security module interfaces This is the first of two parts required to change the security module infrastructure from using a u32 to identify extended security attributes to using a pointer to a structure containing the information required for the set of security modules involved. You can't put an SELinux secid, a Smack secid and an AppArmor secid all into a u32. They don't fit. Schemes that map a single u32 into sets of u32s are frought with data management issues and as a result are not suitable for use in the variety of ways secids manifest themselves in the Linux kernel. This patch changes the interfaces to the security modules to use a "struct secids" pointer where they used a u32 before. There are changes in networking code where the layering isn't so clean as I would like it to be. Signed-off-by: Casey Schaufler --- include/linux/lsm_hooks.h | 38 +++++++------- include/linux/security.h | 19 +++++++ include/net/flow.h | 5 +- include/net/netlabel.h | 8 +-- net/core/filter.c | 4 +- net/ipv4/cipso_ipv4.c | 4 +- net/netlabel/netlabel_kapi.c | 4 +- net/netlabel/netlabel_unlabeled.c | 29 ++++++----- net/netlabel/netlabel_user.c | 4 +- net/netlabel/netlabel_user.h | 2 +- net/xfrm/xfrm_policy.c | 7 +-- net/xfrm/xfrm_state.c | 3 +- security/apparmor/audit.c | 4 +- security/apparmor/include/audit.h | 2 +- security/apparmor/include/secid.h | 5 +- security/apparmor/lsm.c | 7 +-- security/apparmor/secid.c | 9 ++-- security/security.c | 85 ++++++++++++++++++++++++------- security/selinux/hooks.c | 59 +++++++++++---------- security/selinux/include/audit.h | 2 +- security/selinux/include/xfrm.h | 9 ++-- security/selinux/netlabel.c | 2 +- security/selinux/ss/services.c | 10 ++-- security/selinux/xfrm.c | 25 +++++---- security/smack/smack_access.c | 4 +- security/smack/smack_lsm.c | 76 +++++++++++++++------------ security/smack/smackfs.c | 14 +++-- 27 files changed, 275 insertions(+), 165 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 115e7cd89d88..7c321d11d994 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1548,7 +1548,7 @@ union security_list_options { int flags); int (*inode_listsecurity)(struct inode *inode, char *buffer, size_t buffer_size); - void (*inode_getsecid)(struct inode *inode, u32 *secid); + void (*inode_getsecid)(struct inode *inode, struct secids *secid); int (*inode_copy_up)(struct dentry *src, struct cred **new); int (*inode_copy_up_xattr)(const char *name); @@ -1578,8 +1578,8 @@ union security_list_options { int (*cred_prepare)(struct cred *new, const struct cred *old, gfp_t gfp); void (*cred_transfer)(struct cred *new, const struct cred *old); - void (*cred_getsecid)(const struct cred *c, u32 *secid); - int (*kernel_act_as)(struct cred *new, u32 secid); + void (*cred_getsecid)(const struct cred *c, struct secids *secid); + int (*kernel_act_as)(struct cred *new, struct secids *secid); int (*kernel_create_files_as)(struct cred *new, struct inode *inode); int (*kernel_module_request)(char *kmod_name); int (*kernel_read_file)(struct file *file, enum kernel_read_file_id id); @@ -1590,7 +1590,7 @@ union security_list_options { int (*task_setpgid)(struct task_struct *p, pid_t pgid); int (*task_getpgid)(struct task_struct *p); int (*task_getsid)(struct task_struct *p); - void (*task_getsecid)(struct task_struct *p, u32 *secid); + void (*task_getsecid)(struct task_struct *p, struct secids *secid); int (*task_setnice)(struct task_struct *p, int nice); int (*task_setioprio)(struct task_struct *p, int ioprio); int (*task_getioprio)(struct task_struct *p); @@ -1608,7 +1608,7 @@ union security_list_options { void (*task_to_inode)(struct task_struct *p, struct inode *inode); int (*ipc_permission)(struct kern_ipc_perm *ipcp, short flag); - void (*ipc_getsecid)(struct kern_ipc_perm *ipcp, u32 *secid); + void (*ipc_getsecid)(struct kern_ipc_perm *ipcp, struct secids *secid); int (*msg_msg_alloc_security)(struct msg_msg *msg); void (*msg_msg_free_security)(struct msg_msg *msg); @@ -1644,8 +1644,10 @@ union security_list_options { int (*getprocattr)(struct task_struct *p, char *name, char **value); int (*setprocattr)(const char *name, void *value, size_t size); int (*ismaclabel)(const char *name); - int (*secid_to_secctx)(u32 secid, char **secdata, u32 *seclen); - int (*secctx_to_secid)(const char *secdata, u32 seclen, u32 *secid); + int (*secid_to_secctx)(struct secids *secid, char **secdata, + u32 *seclen); + int (*secctx_to_secid)(const char *secdata, u32 seclen, + struct secids *secid); void (*release_secctx)(char *secdata, u32 seclen); void (*inode_invalidate_secctx)(struct inode *inode); @@ -1680,20 +1682,21 @@ union security_list_options { int (*socket_sock_rcv_skb)(struct sock *sk, struct sk_buff *skb); int (*socket_getpeersec_stream)(struct socket *sock, char __user *optval, - int __user *optlen, unsigned len); + int __user *optlen, unsigned int len); int (*socket_getpeersec_dgram)(struct socket *sock, - struct sk_buff *skb, u32 *secid); + struct sk_buff *skb, + struct secids *secid); int (*sk_alloc_security)(struct sock *sk, int family, gfp_t priority); void (*sk_free_security)(struct sock *sk); void (*sk_clone_security)(const struct sock *sk, struct sock *newsk); - void (*sk_getsecid)(struct sock *sk, u32 *secid); + void (*sk_getsecid)(struct sock *sk, struct secids *secid); void (*sock_graft)(struct sock *sk, struct socket *parent); int (*inet_conn_request)(struct sock *sk, struct sk_buff *skb, struct request_sock *req); void (*inet_csk_clone)(struct sock *newsk, const struct request_sock *req); void (*inet_conn_established)(struct sock *sk, struct sk_buff *skb); - int (*secmark_relabel_packet)(u32 secid); + int (*secmark_relabel_packet)(struct secids *secid); void (*secmark_refcount_inc)(void); void (*secmark_refcount_dec)(void); void (*req_classify_flow)(const struct request_sock *req, @@ -1732,15 +1735,16 @@ union security_list_options { struct xfrm_user_sec_ctx *sec_ctx); int (*xfrm_state_alloc_acquire)(struct xfrm_state *x, struct xfrm_sec_ctx *polsec, - u32 secid); + const struct secids *secid); void (*xfrm_state_free_security)(struct xfrm_state *x); int (*xfrm_state_delete_security)(struct xfrm_state *x); - int (*xfrm_policy_lookup)(struct xfrm_sec_ctx *ctx, u32 fl_secid, - u8 dir); + int (*xfrm_policy_lookup)(struct xfrm_sec_ctx *ctx, + struct secids *fl_secid, u8 dir); int (*xfrm_state_pol_flow_match)(struct xfrm_state *x, struct xfrm_policy *xp, const struct flowi *fl); - int (*xfrm_decode_session)(struct sk_buff *skb, u32 *secid, int ckall); + int (*xfrm_decode_session)(struct sk_buff *skb, struct secids *secid, + int ckall); #endif /* CONFIG_SECURITY_NETWORK_XFRM */ /* key management security hooks */ @@ -1757,8 +1761,8 @@ union security_list_options { int (*audit_rule_init)(u32 field, u32 op, char *rulestr, void **lsmrule); int (*audit_rule_known)(struct audit_krule *krule); - int (*audit_rule_match)(u32 secid, u32 field, u32 op, void *lsmrule, - struct audit_context *actx); + int (*audit_rule_match)(struct secids *secid, u32 field, u32 op, + void *lsmrule, struct audit_context *actx); void (*audit_rule_free)(void *lsmrule); #endif /* CONFIG_AUDIT */ diff --git a/include/linux/security.h b/include/linux/security.h index ea875e761d14..6e8e98237a79 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -70,6 +70,25 @@ enum lsm_event { LSM_POLICY_CHANGE, }; +struct secids { + union { + u32 common; + u32 selinux; + u32 smack; + u32 apparmor; + }; +}; + +static inline bool secid_valid(const struct secids *secids) +{ + return secids->common != 0; +} + +static inline void secid_init(struct secids *secid) +{ + memset(secid, 0, sizeof(*secid)); +} + /* These functions are in security/commoncap.c */ extern int cap_capable(const struct cred *cred, struct user_namespace *ns, int cap, int audit); diff --git a/include/net/flow.h b/include/net/flow.h index 8ce21793094e..aa29d11bc3d7 100644 --- a/include/net/flow.h +++ b/include/net/flow.h @@ -11,6 +11,7 @@ #include #include #include +#include #include #include @@ -37,7 +38,7 @@ struct flowi_common { #define FLOWI_FLAG_ANYSRC 0x01 #define FLOWI_FLAG_KNOWN_NH 0x02 #define FLOWI_FLAG_SKIP_NH_OIF 0x04 - __u32 flowic_secid; + struct secids flowic_secid; struct flowi_tunnel flowic_tun_key; kuid_t flowic_uid; }; @@ -107,7 +108,7 @@ static inline void flowi4_init_output(struct flowi4 *fl4, int oif, fl4->flowi4_scope = scope; fl4->flowi4_proto = proto; fl4->flowi4_flags = flags; - fl4->flowi4_secid = 0; + secid_init(&fl4->flowi4_secid); fl4->flowi4_tun_key.tun_id = 0; fl4->flowi4_uid = uid; fl4->daddr = daddr; diff --git a/include/net/netlabel.h b/include/net/netlabel.h index 72d6435fc16c..51dacbb88886 100644 --- a/include/net/netlabel.h +++ b/include/net/netlabel.h @@ -111,7 +111,7 @@ struct calipso_doi; /* NetLabel audit information */ struct netlbl_audit { - u32 secid; + struct secids secid; kuid_t loginuid; unsigned int sessionid; }; @@ -215,7 +215,7 @@ struct netlbl_lsm_secattr { struct netlbl_lsm_catmap *cat; u32 lvl; } mls; - u32 secid; + struct secids secid; } attr; }; @@ -429,7 +429,7 @@ int netlbl_cfg_unlbl_static_add(struct net *net, const void *addr, const void *mask, u16 family, - u32 secid, + struct secids *secid, struct netlbl_audit *audit_info); int netlbl_cfg_unlbl_static_del(struct net *net, const char *dev_name, @@ -537,7 +537,7 @@ static inline int netlbl_cfg_unlbl_static_add(struct net *net, const void *addr, const void *mask, u16 family, - u32 secid, + struct secids *secid, struct netlbl_audit *audit_info) { return -ENOSYS; diff --git a/net/core/filter.c b/net/core/filter.c index e7f12e9f598c..74cf4c829068 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -4128,7 +4128,7 @@ static int bpf_ipv4_fib_lookup(struct net *net, struct bpf_fib_lookup *params, err = fib_table_lookup(tb, &fl4, &res, FIB_LOOKUP_NOREF); } else { fl4.flowi4_mark = 0; - fl4.flowi4_secid = 0; + secid_init(&fl4.flowi4_secid); fl4.flowi4_tun_key.tun_id = 0; fl4.flowi4_uid = sock_net_uid(net, NULL); @@ -4230,7 +4230,7 @@ static int bpf_ipv6_fib_lookup(struct net *net, struct bpf_fib_lookup *params, f6i = ipv6_stub->fib6_table_lookup(net, tb, oif, &fl6, strict); } else { fl6.flowi6_mark = 0; - fl6.flowi6_secid = 0; + secid_init(&fl6.flowi6_secid); fl6.flowi6_tun_key.tun_id = 0; fl6.flowi6_uid = sock_net_uid(net, NULL); diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c index 82178cc69c96..e17896a5a947 100644 --- a/net/ipv4/cipso_ipv4.c +++ b/net/ipv4/cipso_ipv4.c @@ -1480,7 +1480,7 @@ static int cipso_v4_gentag_loc(const struct cipso_v4_doi *doi_def, buffer[0] = CIPSO_V4_TAG_LOCAL; buffer[1] = CIPSO_V4_TAG_LOC_BLEN; - *(u32 *)&buffer[2] = secattr->attr.secid; + *(u32 *)&buffer[2] = secattr->attr.secid.common; return CIPSO_V4_TAG_LOC_BLEN; } @@ -1500,7 +1500,7 @@ static int cipso_v4_parsetag_loc(const struct cipso_v4_doi *doi_def, const unsigned char *tag, struct netlbl_lsm_secattr *secattr) { - secattr->attr.secid = *(u32 *)&tag[2]; + secattr->attr.secid.common = *(u32 *)&tag[2]; secattr->flags |= NETLBL_SECATTR_SECID; return 0; diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c index ea7c67050792..592ec7ba8822 100644 --- a/net/netlabel/netlabel_kapi.c +++ b/net/netlabel/netlabel_kapi.c @@ -224,7 +224,7 @@ int netlbl_cfg_unlbl_static_add(struct net *net, const void *addr, const void *mask, u16 family, - u32 secid, + struct secids *secid, struct netlbl_audit *audit_info) { u32 addr_len; @@ -244,7 +244,7 @@ int netlbl_cfg_unlbl_static_add(struct net *net, return netlbl_unlhsh_add(net, dev_name, addr, mask, addr_len, - secid, audit_info); + secid->common, audit_info); } /** diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index c070dfc0190a..92744f4791c4 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -80,7 +80,7 @@ struct netlbl_unlhsh_tbl { #define netlbl_unlhsh_addr4_entry(iter) \ container_of(iter, struct netlbl_unlhsh_addr4, list) struct netlbl_unlhsh_addr4 { - u32 secid; + struct secids secid; struct netlbl_af4list list; struct rcu_head rcu; @@ -88,7 +88,7 @@ struct netlbl_unlhsh_addr4 { #define netlbl_unlhsh_addr6_entry(iter) \ container_of(iter, struct netlbl_unlhsh_addr6, list) struct netlbl_unlhsh_addr6 { - u32 secid; + struct secids secid; struct netlbl_af6list list; struct rcu_head rcu; @@ -244,7 +244,7 @@ static struct netlbl_unlhsh_iface *netlbl_unlhsh_search_iface(int ifindex) static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface, const struct in_addr *addr, const struct in_addr *mask, - u32 secid) + struct secids *secid) { int ret_val; struct netlbl_unlhsh_addr4 *entry; @@ -256,7 +256,7 @@ static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface, entry->list.addr = addr->s_addr & mask->s_addr; entry->list.mask = mask->s_addr; entry->list.valid = 1; - entry->secid = secid; + entry->secid = *secid; spin_lock(&netlbl_unlhsh_lock); ret_val = netlbl_af4list_add(&entry->list, &iface->addr4_list); @@ -284,7 +284,7 @@ static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface, static int netlbl_unlhsh_add_addr6(struct netlbl_unlhsh_iface *iface, const struct in6_addr *addr, const struct in6_addr *mask, - u32 secid) + struct secids *secid) { int ret_val; struct netlbl_unlhsh_addr6 *entry; @@ -300,7 +300,7 @@ static int netlbl_unlhsh_add_addr6(struct netlbl_unlhsh_iface *iface, entry->list.addr.s6_addr32[3] &= mask->s6_addr32[3]; entry->list.mask = *mask; entry->list.valid = 1; - entry->secid = secid; + entry->secid = *secid; spin_lock(&netlbl_unlhsh_lock); ret_val = netlbl_af6list_add(&entry->list, &iface->addr6_list); @@ -389,6 +389,7 @@ int netlbl_unlhsh_add(struct net *net, struct audit_buffer *audit_buf = NULL; char *secctx = NULL; u32 secctx_len; + struct secids ids; if (addr_len != sizeof(struct in_addr) && addr_len != sizeof(struct in6_addr)) @@ -421,7 +422,8 @@ int netlbl_unlhsh_add(struct net *net, const struct in_addr *addr4 = addr; const struct in_addr *mask4 = mask; - ret_val = netlbl_unlhsh_add_addr4(iface, addr4, mask4, secid); + ids.common = secid; + ret_val = netlbl_unlhsh_add_addr4(iface, addr4, mask4, &ids); if (audit_buf != NULL) netlbl_af4list_audit_addr(audit_buf, 1, dev_name, @@ -434,7 +436,8 @@ int netlbl_unlhsh_add(struct net *net, const struct in6_addr *addr6 = addr; const struct in6_addr *mask6 = mask; - ret_val = netlbl_unlhsh_add_addr6(iface, addr6, mask6, secid); + ids.common = secid; + ret_val = netlbl_unlhsh_add_addr6(iface, addr6, mask6, &ids); if (audit_buf != NULL) netlbl_af6list_audit_addr(audit_buf, 1, dev_name, @@ -508,7 +511,7 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, if (dev != NULL) dev_put(dev); if (entry != NULL && - security_secid_to_secctx(entry->secid, + security_secid_to_secctx(entry->secid.common, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); security_release_secctx(secctx, secctx_len); @@ -569,7 +572,7 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, if (dev != NULL) dev_put(dev); if (entry != NULL && - security_secid_to_secctx(entry->secid, + security_secid_to_secctx(entry->secid.common, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); security_release_secctx(secctx, secctx_len); @@ -1124,7 +1127,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, if (ret_val != 0) goto list_cb_failure; - secid = addr4->secid; + secid = addr4->secid.common; } else { ret_val = nla_put_in6_addr(cb_arg->skb, NLBL_UNLABEL_A_IPV6ADDR, @@ -1138,7 +1141,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, if (ret_val != 0) goto list_cb_failure; - secid = addr6->secid; + secid = addr6->secid.common; } ret_val = security_secid_to_secctx(secid, &secctx, &secctx_len); @@ -1543,7 +1546,7 @@ int __init netlbl_unlabel_defconf(void) /* Only the kernel is allowed to call this function and the only time * it is called is at bootup before the audit subsystem is reporting * messages so don't worry to much about these values. */ - security_task_getsecid(current, &audit_info.secid); + security_task_getsecid(current, &audit_info.secid.common); audit_info.loginuid = GLOBAL_ROOT_UID; audit_info.sessionid = 0; diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 2f328af91a52..415643011499 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -112,8 +112,8 @@ struct audit_buffer *netlbl_audit_start_common(int type, from_kuid(&init_user_ns, audit_info->loginuid), audit_info->sessionid); - if (audit_info->secid != 0 && - security_secid_to_secctx(audit_info->secid, + if (audit_info->secid.common != 0 && + security_secid_to_secctx(audit_info->secid.common, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " subj=%s", secctx); diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h index 4a397cde1a48..782ee194fdbd 100644 --- a/net/netlabel/netlabel_user.h +++ b/net/netlabel/netlabel_user.h @@ -48,7 +48,7 @@ static inline void netlbl_netlink_auditinfo(struct sk_buff *skb, struct netlbl_audit *audit_info) { - security_task_getsecid(current, &audit_info->secid); + security_task_getsecid(current, &audit_info->secid.common); audit_info->loginuid = audit_get_loginuid(current); audit_info->sessionid = audit_get_sessionid(current); } diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 5f48251c1319..63fa1ff1a71d 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -1069,7 +1069,8 @@ static int xfrm_policy_match(const struct xfrm_policy *pol, match = xfrm_selector_match(sel, fl, family); if (match) - ret = security_xfrm_policy_lookup(pol->security, fl->flowi_secid, + ret = security_xfrm_policy_lookup(pol->security, + fl->flowi_secid.common, dir); return ret; @@ -1182,7 +1183,7 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir, goto out; } err = security_xfrm_policy_lookup(pol->security, - fl->flowi_secid, + fl->flowi_secid.common, dir); if (!err) { if (!xfrm_pol_hold_rcu(pol)) @@ -2365,7 +2366,7 @@ int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, return -EAFNOSUPPORT; afinfo->decode_session(skb, fl, reverse); - err = security_xfrm_decode_session(skb, &fl->flowi_secid); + err = security_xfrm_decode_session(skb, &fl->flowi_secid.common); rcu_read_unlock(); return err; } diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index 8308281f3253..30086d2eaf6f 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c @@ -1011,7 +1011,8 @@ xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr, xfrm_init_tempstate(x, fl, tmpl, daddr, saddr, family); memcpy(&x->mark, &pol->mark, sizeof(x->mark)); - error = security_xfrm_state_alloc_acquire(x, pol->security, fl->flowi_secid); + error = security_xfrm_state_alloc_acquire(x, pol->security, + fl->flowi_secid.common); if (error) { x->km.state = XFRM_STATE_DEAD; to_put = x; diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c index eeaddfe0c0fb..d67faf77d6c5 100644 --- a/security/apparmor/audit.c +++ b/security/apparmor/audit.c @@ -225,14 +225,14 @@ int aa_audit_rule_known(struct audit_krule *rule) return 0; } -int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, +int aa_audit_rule_match(struct secids *sid, u32 field, u32 op, void *vrule, struct audit_context *actx) { struct aa_audit_rule *rule = vrule; struct aa_label *label; int found = 0; - label = aa_secid_to_label(sid); + label = aa_secid_to_label(sid->apparmor); if (!label) return -ENOENT; diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h index b8c8b1066b0a..8042046eef90 100644 --- a/security/apparmor/include/audit.h +++ b/security/apparmor/include/audit.h @@ -192,7 +192,7 @@ static inline int complain_error(int error) void aa_audit_rule_free(void *vrule); int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule); int aa_audit_rule_known(struct audit_krule *rule); -int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, +int aa_audit_rule_match(struct secids *sid, u32 field, u32 op, void *vrule, struct audit_context *actx); #endif /* __AA_AUDIT_H */ diff --git a/security/apparmor/include/secid.h b/security/apparmor/include/secid.h index dee6fa3b6081..81f29538e415 100644 --- a/security/apparmor/include/secid.h +++ b/security/apparmor/include/secid.h @@ -23,8 +23,9 @@ struct aa_label; #define AA_SECID_INVALID 0 struct aa_label *aa_secid_to_label(u32 secid); -int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); -int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); +int apparmor_secid_to_secctx(struct secids *secid, char **secdata, u32 *seclen); +int apparmor_secctx_to_secid(const char *secdata, u32 seclen, + struct secids *secid); void apparmor_release_secctx(char *secdata, u32 seclen); diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index b0bf6ffe6a97..b0200481c811 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -707,10 +707,10 @@ static void apparmor_bprm_committed_creds(struct linux_binprm *bprm) return; } -static void apparmor_task_getsecid(struct task_struct *p, u32 *secid) +static void apparmor_task_getsecid(struct task_struct *p, struct secids *secid) { struct aa_label *label = aa_get_task_label(p); - *secid = label->secid; + secid->apparmor = label->secid; aa_put_label(label); } @@ -1077,7 +1077,8 @@ static int apparmor_socket_getpeersec_stream(struct socket *sock, * Sets the netlabel socket state on sk from parent */ static int apparmor_socket_getpeersec_dgram(struct socket *sock, - struct sk_buff *skb, u32 *secid) + struct sk_buff *skb, + struct secids *secid) { /* TODO: requires secid support */ diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c index f2f22d00db18..07a5024dd675 100644 --- a/security/apparmor/secid.c +++ b/security/apparmor/secid.c @@ -73,10 +73,10 @@ struct aa_label *aa_secid_to_label(u32 secid) return label; } -int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) +int apparmor_secid_to_secctx(struct secids *secid, char **secdata, u32 *seclen) { /* TODO: cache secctx and ref count so we don't have to recreate */ - struct aa_label *label = aa_secid_to_label(secid); + struct aa_label *label = aa_secid_to_label(secid->apparmor); int len; AA_BUG(!secdata); @@ -102,7 +102,8 @@ int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) return 0; } -int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) +int apparmor_secctx_to_secid(const char *secdata, u32 seclen, + struct secids *secid) { struct aa_label *label; @@ -110,7 +111,7 @@ int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) seclen, GFP_KERNEL, false, false); if (IS_ERR(label)) return PTR_ERR(label); - *secid = label->secid; + secid->apparmor = label->secid; return 0; } diff --git a/security/security.c b/security/security.c index eea36930f6f3..785cd38b1245 100644 --- a/security/security.c +++ b/security/security.c @@ -129,6 +129,7 @@ int __init security_init(void) pr_info("LSM: sock blob size = %d\n", blob_sizes.lbs_sock); pr_info("LSM: superblock blob size = %d\n", blob_sizes.lbs_superblock); pr_info("LSM: task blob size = %d\n", blob_sizes.lbs_task); + pr_info("LSM: secid size = %zu\n", sizeof(struct secids)); #endif /* CONFIG_SECURITY_LSM_DEBUG */ return 0; @@ -1249,7 +1250,10 @@ EXPORT_SYMBOL(security_inode_listsecurity); void security_inode_getsecid(struct inode *inode, u32 *secid) { - call_void_hook(inode_getsecid, inode, secid); + struct secids ids; + + call_void_hook(inode_getsecid, inode, &ids); + *secid = ids.common; } int security_inode_copy_up(struct dentry *src, struct cred **new) @@ -1459,14 +1463,20 @@ void security_transfer_creds(struct cred *new, const struct cred *old) void security_cred_getsecid(const struct cred *c, u32 *secid) { - *secid = 0; - call_void_hook(cred_getsecid, c, secid); + struct secids ids; + + ids.common = 0; + call_void_hook(cred_getsecid, c, &ids); + *secid = ids.common; } EXPORT_SYMBOL(security_cred_getsecid); int security_kernel_act_as(struct cred *new, u32 secid) { - return call_int_hook(kernel_act_as, 0, new, secid); + struct secids ids; + + ids.common = secid; + return call_int_hook(kernel_act_as, 0, new, &ids); } int security_kernel_create_files_as(struct cred *new, struct inode *inode) @@ -1525,8 +1535,11 @@ int security_task_getsid(struct task_struct *p) void security_task_getsecid(struct task_struct *p, u32 *secid) { - *secid = 0; - call_void_hook(task_getsecid, p, secid); + struct secids ids; + + ids.common = 0; + call_void_hook(task_getsecid, p, &ids); + *secid = ids.common; } EXPORT_SYMBOL(security_task_getsecid); @@ -1608,8 +1621,11 @@ int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag) void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) { - *secid = 0; - call_void_hook(ipc_getsecid, ipcp, secid); + struct secids ids; + + ids.common = 0; + call_void_hook(ipc_getsecid, ipcp, &ids); + *secid = ids.common; } int security_msg_msg_alloc(struct msg_msg *msg) @@ -1788,15 +1804,24 @@ EXPORT_SYMBOL(security_ismaclabel); int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) { - return call_int_hook(secid_to_secctx, -EOPNOTSUPP, secid, secdata, + struct secids ids; + + ids.common = secid; + return call_int_hook(secid_to_secctx, -EOPNOTSUPP, &ids, secdata, seclen); } EXPORT_SYMBOL(security_secid_to_secctx); int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) { - *secid = 0; - return call_int_hook(secctx_to_secid, 0, secdata, seclen, secid); + struct secids ids; + int rc; + + ids.common = 0; + rc = call_int_hook(secctx_to_secid, 0, secdata, seclen, &ids); + *secid = ids.common; + + return rc; } EXPORT_SYMBOL(security_secctx_to_secid); @@ -1933,8 +1958,14 @@ int security_socket_getpeersec_stream(struct socket *sock, char __user *optval, int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) { - return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock, - skb, secid); + struct secids ids; + int rc; + + rc = call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock, + skb, &ids); + *secid = ids.common; + + return rc; } EXPORT_SYMBOL(security_socket_getpeersec_dgram); @@ -2003,7 +2034,10 @@ EXPORT_SYMBOL(security_inet_conn_established); int security_secmark_relabel_packet(u32 secid) { - return call_int_hook(secmark_relabel_packet, 0, secid); + struct secids ids; + + ids.common = secid; + return call_int_hook(secmark_relabel_packet, 0, &ids); } EXPORT_SYMBOL(security_secmark_relabel_packet); @@ -2142,7 +2176,10 @@ EXPORT_SYMBOL(security_xfrm_state_alloc); int security_xfrm_state_alloc_acquire(struct xfrm_state *x, struct xfrm_sec_ctx *polsec, u32 secid) { - return call_int_hook(xfrm_state_alloc_acquire, 0, x, polsec, secid); + struct secids ids; + + ids.common = secid; + return call_int_hook(xfrm_state_alloc_acquire, 0, x, polsec, &ids); } int security_xfrm_state_delete(struct xfrm_state *x) @@ -2158,7 +2195,10 @@ void security_xfrm_state_free(struct xfrm_state *x) int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir) { - return call_int_hook(xfrm_policy_lookup, 0, ctx, fl_secid, dir); + struct secids ids; + + ids.common = fl_secid; + return call_int_hook(xfrm_policy_lookup, 0, ctx, &ids, dir); } int security_xfrm_state_pol_flow_match(struct xfrm_state *x, @@ -2187,7 +2227,13 @@ int security_xfrm_state_pol_flow_match(struct xfrm_state *x, int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid) { - return call_int_hook(xfrm_decode_session, 0, skb, secid, 1); + struct secids ids; + int rc; + + rc = call_int_hook(xfrm_decode_session, 0, skb, &ids, 1); + *secid = ids.common; + + return rc; } void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl) @@ -2257,7 +2303,10 @@ void security_audit_rule_free(void *lsmrule) int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule, struct audit_context *actx) { - return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule, + struct secids ids; + + ids.common = secid; + return call_int_hook(audit_rule_match, 0, &ids, field, op, lsmrule, actx); } #endif /* CONFIG_AUDIT */ diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index fcdf1ea3c438..c12c36f72258 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3426,15 +3426,15 @@ static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t return len; } -static void selinux_inode_getsecid(struct inode *inode, u32 *secid) +static void selinux_inode_getsecid(struct inode *inode, struct secids *secid) { struct inode_security_struct *isec = inode_security_novalidate(inode); - *secid = isec->sid; + secid->selinux = isec->sid; } static int selinux_inode_copy_up(struct dentry *src, struct cred **new) { - u32 sid; + struct secids sids; struct task_security_struct *tsec; struct cred *new_creds = *new; @@ -3446,8 +3446,8 @@ static int selinux_inode_copy_up(struct dentry *src, struct cred **new) tsec = selinux_cred(new_creds); /* Get label from overlay inode and set it in create_sid */ - selinux_inode_getsecid(d_inode(src), &sid); - tsec->create_sid = sid; + selinux_inode_getsecid(d_inode(src), &sids); + tsec->create_sid = sids.selinux; *new = new_creds; return 0; } @@ -3864,28 +3864,28 @@ static void selinux_cred_transfer(struct cred *new, const struct cred *old) *tsec = *old_tsec; } -static void selinux_cred_getsecid(const struct cred *c, u32 *secid) +static void selinux_cred_getsecid(const struct cred *c, struct secids *secid) { - *secid = cred_sid(c); + secid->selinux = cred_sid(c); } /* * set the security data for a kernel service * - all the creation contexts are set to unlabelled */ -static int selinux_kernel_act_as(struct cred *new, u32 secid) +static int selinux_kernel_act_as(struct cred *new, struct secids *secid) { struct task_security_struct *tsec = selinux_cred(new); u32 sid = current_sid(); int ret; ret = avc_has_perm(&selinux_state, - sid, secid, + sid, secid->selinux, SECCLASS_KERNEL_SERVICE, KERNEL_SERVICE__USE_AS_OVERRIDE, NULL); if (ret == 0) { - tsec->sid = secid; + tsec->sid = secid->selinux; tsec->create_sid = 0; tsec->keycreate_sid = 0; tsec->sockcreate_sid = 0; @@ -3997,9 +3997,9 @@ static int selinux_task_getsid(struct task_struct *p) PROCESS__GETSESSION, NULL); } -static void selinux_task_getsecid(struct task_struct *p, u32 *secid) +static void selinux_task_getsecid(struct task_struct *p, struct secids *secid) { - *secid = task_sid(p); + secid->selinux = task_sid(p); } static int selinux_task_setnice(struct task_struct *p, int nice) @@ -5024,7 +5024,9 @@ static int selinux_socket_getpeersec_stream(struct socket *sock, return err; } -static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) +static int selinux_socket_getpeersec_dgram(struct socket *sock, + struct sk_buff *skb, + struct secids *secid) { u32 peer_secid = SECSID_NULL; u16 family; @@ -5046,7 +5048,7 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff * selinux_skb_peerlbl_sid(skb, family, &peer_secid); out: - *secid = peer_secid; + secid->selinux = peer_secid; if (peer_secid == SECSID_NULL) return -EINVAL; return 0; @@ -5083,14 +5085,14 @@ static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) selinux_netlbl_sk_security_reset(newsksec); } -static void selinux_sk_getsecid(struct sock *sk, u32 *secid) +static void selinux_sk_getsecid(struct sock *sk, struct secids *secid) { if (!sk) - *secid = SECINITSID_ANY_SOCKET; + secid->selinux = SECINITSID_ANY_SOCKET; else { struct sk_security_struct *sksec = selinux_sock(sk); - *secid = sksec->sid; + secid->selinux = sksec->sid; } } @@ -5323,7 +5325,7 @@ static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); } -static int selinux_secmark_relabel_packet(u32 sid) +static int selinux_secmark_relabel_packet(struct secids *secid) { const struct task_security_struct *__tsec; u32 tsid; @@ -5332,8 +5334,8 @@ static int selinux_secmark_relabel_packet(u32 sid) tsid = __tsec->sid; return avc_has_perm(&selinux_state, - tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, - NULL); + tsid, secid->selinux, SECCLASS_PACKET, + PACKET__RELABELTO, NULL); } static void selinux_secmark_refcount_inc(void) @@ -5349,7 +5351,7 @@ static void selinux_secmark_refcount_dec(void) static void selinux_req_classify_flow(const struct request_sock *req, struct flowi *fl) { - fl->flowi_secid = req->secid; + fl->flowi_secid.selinux = req->secid; } static int selinux_tun_dev_alloc_security(void **security) @@ -6174,10 +6176,11 @@ static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) return ipc_has_perm(ipcp, av); } -static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) +static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, + struct secids *secid) { struct ipc_security_struct *isec = selinux_ipc(ipcp); - *secid = isec->sid; + secid->selinux = isec->sid; } static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) @@ -6383,16 +6386,18 @@ static int selinux_ismaclabel(const char *name) return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); } -static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) +static int selinux_secid_to_secctx(struct secids *secid, char **secdata, + u32 *seclen) { - return security_sid_to_context(&selinux_state, secid, + return security_sid_to_context(&selinux_state, secid->selinux, secdata, seclen); } -static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) +static int selinux_secctx_to_secid(const char *secdata, u32 seclen, + struct secids *secid) { return security_context_to_sid(&selinux_state, secdata, seclen, - secid, GFP_KERNEL); + &secid->selinux, GFP_KERNEL); } static void selinux_release_secctx(char *secdata, u32 seclen) diff --git a/security/selinux/include/audit.h b/security/selinux/include/audit.h index 1bdf973433cc..c9cadad5660e 100644 --- a/security/selinux/include/audit.h +++ b/security/selinux/include/audit.h @@ -51,7 +51,7 @@ void selinux_audit_rule_free(void *rule); * Returns 1 if the context id matches the rule, 0 if it does not, and * -errno on failure. */ -int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *rule, +int selinux_audit_rule_match(struct secids *sid, u32 field, u32 op, void *rule, struct audit_context *actx); /** diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h index a0b465316292..99bac3ccfebd 100644 --- a/security/selinux/include/xfrm.h +++ b/security/selinux/include/xfrm.h @@ -20,10 +20,12 @@ int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx); int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uctx); int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x, - struct xfrm_sec_ctx *polsec, u32 secid); + struct xfrm_sec_ctx *polsec, + const struct secids *secid); void selinux_xfrm_state_free(struct xfrm_state *x); int selinux_xfrm_state_delete(struct xfrm_state *x); -int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir); +int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, + struct secids *fl_secid, u8 dir); int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *xp, const struct flowi *fl); @@ -40,7 +42,8 @@ int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb, struct common_audit_data *ad); int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb, struct common_audit_data *ad, u8 proto); -int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall); +int selinux_xfrm_decode_session(struct sk_buff *skb, struct secids *sid, + int ckall); int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid); static inline void selinux_xfrm_notify_policyload(void) diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index c40914a157b7..efc87a76af72 100644 --- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c @@ -122,7 +122,7 @@ static struct netlbl_lsm_secattr *selinux_netlbl_sock_getattr( return NULL; if ((secattr->flags & NETLBL_SECATTR_SECID) && - (secattr->attr.secid == sid)) + (secattr->attr.secid.selinux == sid)) return secattr; return NULL; diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 7f9c87b077f3..b79b5b2ddf59 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -3410,7 +3410,7 @@ int selinux_audit_rule_known(struct audit_krule *rule) return 0; } -int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, +int selinux_audit_rule_match(struct secids *sid, u32 field, u32 op, void *vrule, struct audit_context *actx) { struct selinux_state *state = &selinux_state; @@ -3431,10 +3431,10 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, goto out; } - ctxt = sidtab_search(&state->ss->sidtab, sid); + ctxt = sidtab_search(&state->ss->sidtab, sid->selinux); if (unlikely(!ctxt)) { WARN_ONCE(1, "selinux_audit_rule_match: unrecognized SID %d\n", - sid); + sid->selinux); match = -ENOENT; goto out; } @@ -3609,7 +3609,7 @@ int security_netlbl_secattr_to_sid(struct selinux_state *state, if (secattr->flags & NETLBL_SECATTR_CACHE) *sid = *(u32 *)secattr->cache->data; else if (secattr->flags & NETLBL_SECATTR_SECID) - *sid = secattr->attr.secid; + *sid = secattr->attr.secid.selinux; else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) { rc = -EIDRM; ctx = sidtab_search(sidtab, SECINITSID_NETMSG); @@ -3682,7 +3682,7 @@ int security_netlbl_sid_to_secattr(struct selinux_state *state, if (secattr->domain == NULL) goto out; - secattr->attr.secid = sid; + secattr->attr.secid.selinux = sid; secattr->flags |= NETLBL_SECATTR_DOMAIN_CPY | NETLBL_SECATTR_SECID; mls_export_netlbl_lvl(policydb, ctx, secattr); rc = mls_export_netlbl_cat(policydb, ctx, secattr); diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index 8ffe7e1053c4..067dd8307a9b 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c @@ -153,7 +153,8 @@ static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx) * LSM hook implementation that authorizes that a flow can use a xfrm policy * rule. */ -int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir) +int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, + struct secids *fl_secid, u8 dir) { int rc; @@ -167,7 +168,7 @@ int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir) return -EINVAL; rc = avc_has_perm(&selinux_state, - fl_secid, ctx->ctx_sid, + fl_secid->selinux, ctx->ctx_sid, SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, NULL); return (rc == -EACCES ? -ESRCH : rc); } @@ -200,14 +201,14 @@ int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, state_sid = x->security->ctx_sid; - if (fl->flowi_secid != state_sid) + if (fl->flowi_secid.selinux != state_sid) return 0; /* We don't need a separate SA Vs. policy polmatch check since the SA * is now of the same label as the flow and a flow Vs. policy polmatch * check had already happened in selinux_xfrm_policy_lookup() above. */ return (avc_has_perm(&selinux_state, - fl->flowi_secid, state_sid, + fl->flowi_secid.selinux, state_sid, SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, NULL) ? 0 : 1); } @@ -261,13 +262,14 @@ static int selinux_xfrm_skb_sid_ingress(struct sk_buff *skb, * LSM hook implementation that checks and/or returns the xfrm sid for the * incoming packet. */ -int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) +int selinux_xfrm_decode_session(struct sk_buff *skb, struct secids *sid, + int ckall) { if (skb == NULL) { - *sid = SECSID_NULL; + sid->selinux = SECSID_NULL; return 0; } - return selinux_xfrm_skb_sid_ingress(skb, sid, ckall); + return selinux_xfrm_skb_sid_ingress(skb, &sid->selinux, ckall); } int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid) @@ -344,7 +346,8 @@ int selinux_xfrm_state_alloc(struct xfrm_state *x, * on a secid. */ int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x, - struct xfrm_sec_ctx *polsec, u32 secid) + struct xfrm_sec_ctx *polsec, + const struct secids *secid) { int rc; struct xfrm_sec_ctx *ctx; @@ -354,10 +357,10 @@ int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x, if (!polsec) return 0; - if (secid == 0) + if (!secid_valid(secid)) return -EINVAL; - rc = security_sid_to_context(&selinux_state, secid, &ctx_str, + rc = security_sid_to_context(&selinux_state, secid->selinux, &ctx_str, &str_len); if (rc) return rc; @@ -370,7 +373,7 @@ int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x, ctx->ctx_doi = XFRM_SC_DOI_LSM; ctx->ctx_alg = XFRM_SC_ALG_SELINUX; - ctx->ctx_sid = secid; + ctx->ctx_sid = secid->selinux; ctx->ctx_len = str_len; memcpy(ctx->ctx_str, ctx_str, str_len); diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c index 489d49a20b47..1bbbd53de78b 100644 --- a/security/smack/smack_access.c +++ b/security/smack/smack_access.c @@ -550,7 +550,9 @@ struct smack_known *smk_import_entry(const char *string, int len) skp->smk_secid = smack_next_secid++; skp->smk_netlabel.domain = skp->smk_known; skp->smk_netlabel.flags = - NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL; + NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL | + NETLBL_SECATTR_SECID; + skp->smk_netlabel.attr.secid.smack = skp->smk_secid; /* * If direct labeling works use it. * Otherwise use mapped labeling. diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 2d1a3fba40eb..157c6a731305 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -1471,11 +1471,11 @@ static int smack_inode_listsecurity(struct inode *inode, char *buffer, * @inode: inode to extract the info from * @secid: where result will be saved */ -static void smack_inode_getsecid(struct inode *inode, u32 *secid) +static void smack_inode_getsecid(struct inode *inode, struct secids *secid) { struct smack_known *skp = smk_of_inode(inode); - *secid = skp->smk_secid; + secid->smack = skp->smk_secid; } /* @@ -1941,12 +1941,15 @@ static void smack_cred_transfer(struct cred *new, const struct cred *old) struct task_smack *old_tsp = smack_cred(old); struct task_smack *new_tsp = smack_cred(new); - new_tsp->smk_task = old_tsp->smk_task; - new_tsp->smk_forked = old_tsp->smk_task; - mutex_init(&new_tsp->smk_rules_lock); - INIT_LIST_HEAD(&new_tsp->smk_rules); + int rc; + + init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task); - /* cbs copy rule list */ + rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, + GFP_KERNEL); + if (rc == 0) + rc = smk_copy_relabel(&new_tsp->smk_relabel, + &old_tsp->smk_relabel, GFP_KERNEL); } /** @@ -1956,13 +1959,13 @@ static void smack_cred_transfer(struct cred *new, const struct cred *old) * * Sets the secid to contain a u32 version of the smack label. */ -static void smack_cred_getsecid(const struct cred *cred, u32 *secid) +static void smack_cred_getsecid(const struct cred *cred, struct secids *secid) { struct smack_known *skp; rcu_read_lock(); skp = smk_of_task(smack_cred(cred)); - *secid = skp->smk_secid; + secid->smack = skp->smk_secid; rcu_read_unlock(); } @@ -1973,11 +1976,11 @@ static void smack_cred_getsecid(const struct cred *cred, u32 *secid) * * Set the security data for a kernel service. */ -static int smack_kernel_act_as(struct cred *new, u32 secid) +static int smack_kernel_act_as(struct cred *new, struct secids *secid) { struct task_smack *new_tsp = smack_cred(new); - new_tsp->smk_task = smack_from_secid(secid); + new_tsp->smk_task = smack_from_secid(secid->smack); return 0; } @@ -2063,11 +2066,11 @@ static int smack_task_getsid(struct task_struct *p) * * Sets the secid to contain a u32 version of the smack label. */ -static void smack_task_getsecid(struct task_struct *p, u32 *secid) +static void smack_task_getsecid(struct task_struct *p, struct secids *secid) { struct smack_known *skp = smk_of_task_struct(p); - *secid = skp->smk_secid; + secid->smack = skp->smk_secid; } /** @@ -3206,12 +3209,12 @@ static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) * @ipp: the object permissions * @secid: where result will be saved */ -static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) +static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, struct secids *secid) { struct smack_known **blob = smack_ipc(ipp); struct smack_known *iskp = *blob; - *secid = iskp->smk_secid; + secid->smack = iskp->smk_secid; } /** @@ -3724,7 +3727,7 @@ static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, /* * Looks like a fallback, which gives us a secid. */ - return smack_from_secid(sap->attr.secid); + return smack_from_secid(sap->attr.secid.smack); /* * Without guidance regarding the smack value * for the packet fall back on the network @@ -3857,7 +3860,7 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) if (proto != IPPROTO_UDP && proto != IPPROTO_TCP) break; #ifdef SMACK_IPV6_SECMARK_LABELING - if (skb && skb->secmark != 0) + if (skb) skp = smack_from_secid(skb->secmark); else skp = smack_ipv6host_label(&sadd); @@ -3928,7 +3931,8 @@ static int smack_socket_getpeersec_stream(struct socket *sock, * Sets the netlabel socket state on sk from parent */ static int smack_socket_getpeersec_dgram(struct socket *sock, - struct sk_buff *skb, u32 *secid) + struct sk_buff *skb, + struct secids *secid) { struct netlbl_lsm_secattr secattr; @@ -3956,9 +3960,11 @@ static int smack_socket_getpeersec_dgram(struct socket *sock, break; case PF_INET: #ifdef CONFIG_SECURITY_SMACK_NETFILTER - s = skb->secmark; - if (s != 0) - break; + if (skb->secmark) { + s = skb->secmark; + if (s != 0) + break; + } #endif /* * Translate what netlabel gave us. @@ -3979,7 +3985,7 @@ static int smack_socket_getpeersec_dgram(struct socket *sock, #endif break; } - *secid = s; + secid->smack = s; if (s == 0) return -EINVAL; return 0; @@ -4053,9 +4059,11 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, * If there is no secmark fall back to CIPSO. * The secmark is assumed to reflect policy better. */ - if (skb && skb->secmark != 0) { - skp = smack_from_secid(skb->secmark); - goto access_check; + if (skb) { + if (skb->secmark != 0) { + skp = smack_from_secid(skb->secmark); + goto access_check; + } } #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ @@ -4326,8 +4334,8 @@ static int smack_audit_rule_known(struct audit_krule *krule) * The core Audit hook. It's used to take the decision of * whether to audit or not to audit a given object. */ -static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule, - struct audit_context *actx) +static int smack_audit_rule_match(struct secids *secid, u32 field, u32 op, + void *vrule, struct audit_context *actx) { struct smack_known *skp; char *rule = vrule; @@ -4340,7 +4348,7 @@ static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule, if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) return 0; - skp = smack_from_secid(secid); + skp = smack_from_secid(secid->smack); /* * No need to do string comparisons. If a match occurs, @@ -4380,9 +4388,10 @@ static int smack_ismaclabel(const char *name) * * Exists for networking code. */ -static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) +static int smack_secid_to_secctx(struct secids *secid, char **secdata, + u32 *seclen) { - struct smack_known *skp = smack_from_secid(secid); + struct smack_known *skp = smack_from_secid(secid->smack); if (secdata) *secdata = skp->smk_known; @@ -4398,14 +4407,15 @@ static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) * * Exists for audit and networking code. */ -static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) +static int smack_secctx_to_secid(const char *secdata, u32 seclen, + struct secids *secid) { struct smack_known *skp = smk_find_entry(secdata); if (skp) - *secid = skp->smk_secid; + secid->smack = skp->smk_secid; else - *secid = 0; + secid->smack = 0; return 0; } diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 9d2dde608298..0a075c80abb4 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c @@ -197,7 +197,7 @@ static void smk_netlabel_audit_set(struct netlbl_audit *nap) nap->loginuid = audit_get_loginuid(current); nap->sessionid = audit_get_sessionid(current); - nap->secid = skp->smk_secid; + nap->secid.smack = skp->smk_secid; } /* @@ -1165,6 +1165,7 @@ static ssize_t smk_write_net4addr(struct file *file, const char __user *buf, u32 mask_bits = (1<<31); __be32 nsa; u32 temp_mask; + struct secids secid; /* * Must have privilege. @@ -1281,10 +1282,13 @@ static ssize_t smk_write_net4addr(struct file *file, const char __user *buf, * this host so that incoming packets get labeled. * but only if we didn't get the special CIPSO option */ - if (rc == 0 && skp != NULL) + if (rc == 0 && skp != NULL) { + secid_init(&secid); + secid.smack = snp->smk_label->smk_secid; rc = netlbl_cfg_unlbl_static_add(&init_net, NULL, &snp->smk_host, &snp->smk_mask, PF_INET, - snp->smk_label->smk_secid, &audit_info); + &secid, &audit_info); + } if (rc == 0) rc = count; @@ -2951,7 +2955,9 @@ static int __init smk_preset_netlabel(struct smack_known *skp) { skp->smk_netlabel.domain = skp->smk_known; skp->smk_netlabel.flags = - NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL; + NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL | + NETLBL_SECATTR_SECID; + skp->smk_netlabel.attr.secid.smack = skp->smk_secid; return smk_netlbl_mls(smack_cipso_direct, skp->smk_known, &skp->smk_netlabel, strlen(skp->smk_known)); }