From patchwork Thu Sep 20 00:19:54 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 10607581 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 3DBEA6CB for ; Thu, 20 Sep 2018 12:34:18 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2A3D52C808 for ; Thu, 20 Sep 2018 12:34:18 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 1E6572C9E2; Thu, 20 Sep 2018 12:34:18 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.3 required=2.0 tests=BAYES_00,DKIM_SIGNED, MAILING_LIST_MULTI,NO_RDNS_DOTCOM_HELO,RCVD_IN_DNSWL_MED,T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from upbd19pa10.eemsg.mail.mil (upbd19pa10.eemsg.mail.mil [214.24.27.85]) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA256 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id EEC0B2C808 for ; Thu, 20 Sep 2018 12:34:12 +0000 (UTC) X-EEMSG-check-008: 169706634|UPBD19PA10_EEMSG_MP10.csd.disa.mil Received: from emsm-gh1-uea11.ncsc.mil ([214.29.60.3]) by upbd19pa10.eemsg.mail.mil with ESMTP; 20 Sep 2018 12:34:07 +0000 X-IronPort-AV: E=Sophos;i="5.53,398,1531785600"; d="scan'208";a="18464521" IronPort-PHdr: 9a23:lq3tXhZ/RGj9mu95FYmWRfb/LSx+4OfEezUN459isYplN5qZosu5Zh7h7PlgxGXEQZ/co6odzbaO7Oa4ASQp2tWoiDg6aptCVhsI2409vjcLJ4q7M3D9N+PgdCcgHc5PBxdP9nC/NlVJSo6lPwWB6nK94iQPFRrhKAF7Ovr6GpLIj8Swyuu+54Dfbx9HiTahY75+Ngm6oRnMvcQKnIVuLbo8xAHUqXVSYeRWwm1oJVOXnxni48q74YBu/SdNtf8/7sBMSar1cbg2QrxeFzQmLns65Nb3uhnZTAuA/WUTX2MLmRdVGQfF7RX6XpDssivms+d2xSeXMdHqQb0yRD+v9LlgRgP2hygbNj456GDXhdJ2jKJHuxKquhhzz5fJbI2JKPZye6XQct0ARWpFQ81fSSpPDI2hZIcLFuYNIPpUo4z7qlQJrxSxHwmsBOToyjNRn3P7waM33uU8HQ3fwAAsAs8FvHDKoNnpMasfV/2+wqvVwjXZd/5Yxzn95ojLfB4vr/6DUrB/f9fJyUQtCg/IgEmfp4P7MDOOzekNr2qW4vB8We6zhWMrtQd8qSWvyMc2jYnJg5oYx07e+iVi3ok0JcCzRlNnbt6kCpRQqi+aN49oTcM4Xmplvzo1xacduZGlfCkH048nyALfa/OdboiI7BbjW/iLITthmH1qYqiziAq18Uil0+DxUNS/3lVSriddj9XBuX8A2wbT58SaUPdx4Eis1SiV2wzO8u1JIEI5mbDGJ5MgxrM8jJsevETZEiPohkn7g6mbfVg+9Oey8eToeLDmq4eZN49zlw7xLLwjmte6AeQkKggOWHWb+fik2L3j40L5RLJKg+UqkqbDqpDaJNkbprWjDw9J0ocs9xa/DzC83NQegXYHN05KdAiCj4joP1HCOPH4DfGhjFSwiDpn2v/LM7L7DpjNM3TPiqntcLlj50JG1QY/1dVf6IhVCrEFLvLzQEjxtNnAAx8iLQO0x+fnCNNg1oIRQG6AGaiZML7UsVCU+O0vOPKBZJMVuTnhK/gl4OTijXkimVAHZ6Wp0pwXaG6gEvR8P0qZeWbsgssGEWoSvAo+S+rqh0eeUT5TfXmyWbkx5jM8CIKgCIfMXJutgKCf0yehBZ1afGdGCkqDEX3wbYWLR+8MaD6OIs9mijEEV7qhRJU92hGtrw/6zLxnLuvK+iADu5Lj0MV15uLImhEv8zx0E9md33uKT2FukWMCXyU207xnoUxh1leD1rB1gvJZFdxX4vNGTB06OIXSz+NkFt/yXRjBcc2RSFa8RdWmAy8+Qc4tw9MUZEZ9AdqihAjZ3yW2G78Vi6CLBJss/63Bw3fxIsF9y3Da1KU8lFQmXNVANXenhq9+8AjTAZTFk0OHmKa2ba4cxjLC9H+fzWqSu0FVSBB/Ub3fUnAFZ0vWts/05lvYQL+0CLQnKRNBycqYJaRWdNLll1JGRO3sON7GeWK+h3+wBQqUxrOLdIfqeH8S3CbaCEgZiA0T/myJNQs5Bie8uW7eCyZuFV33aUP27eZ+sG+7TlMzzwySdUJuyqC1+h8LivyGUP4cxK4LuCI7pzVzBla90MrcC8CcqAp5YKVcfdQ97U9b2m3DswxyIIegL7xih14ZaAl3pF/h1xRpBYVGjcgqrWklwBB0Ka2GzFNLbymY0ozoOr3LNmny+wiia7TL1V7Dy9uW9aIP6fsip1Xlog6pClIo82973NlNz3uc+pLKARIJUZL/SEY38AN6p63Bbykm4YPU0nNtMayuvT/Ewd4pAvUqygq4dddFLKyEDBPyE9EdB8W2Ju0lgVypbg4aM+BI7645JN2meOWc2KGwIeZgmSiqjWNd4IByykiM7TZzSvbU35YZxPGVxg2HVzb4jFelrM/3gptJaisMEWqlzijoHolRZrd9fYwTE2ehP9W3xslih57qQ3NX6UKjCEkc2MKyZRWSaFn90hFK2kQMvXyrgy24wCJokzsxtKqQwDTOw/j+dBoAImNLWmhigkvwIYizldAWRlSnbwgulBuj6kb33KxbpKV5L2bJW0dIeDL6L2Z4Uqu/rrCCedJA6Is0sSVLV+SxeVSaSr/moxsGyi/jBHVRxDQ6dzGsp5X4kAd3iHmFLHZyqnrZeN1/xQzF6NzaW/FRwiIMRDNkhjnPGli8I96p8M2Ol5fEtuC+U3yuVodPfinsw4KNrzC75XB2Dh2khfyzncfnEQci2y/hy9ZqTTnIrAr7YoTz1KS1L+RnflJzCV//9cV6HJp+ko0ui5EMw3QagY+V/XUfm2fpLdpbwb7+bGYKRTMT297a+hXl2El9IXKR3Y35UGmdzdV7Z9Shf2MWwTwy79pRCKuO97xEmjZ1okCkog3Pb/h9mS0dyfQw53IAheEGphYtxD2HAr8OBUlYITDslxOQ4tCgqqVYeX2icaa21EVjndCtFreCrR9AWHzhYJctATdw7tljMFLLyHDz8pvreMTUbd8IqhKUkgvAjuhMJJI/jPUKgzBrOWXnvX0q0+Q7lwBh3YmmvIibLGVg5Ky5DQReNj3pYMMT/yrgjahAkcmL2ICvBI9uGi0RXJvvT/KnDi4dtej9OwaJCj08pW+RGaDDEg+H9Edms3XPHoiuN36NIHkZycttRAWBJENFmg8ZRzM6kYAlFgCx2MPual956S4L6l7+tBRM1vpiNwPjXWfHuAeodjA0RYCRLBpM8A5N+lzVPtaY7uJvGCFY5YasoxaRJWyefQhICnsJWkOcDVD5Irau/cXA8/SfBuemN/vBf66BpvJYV/eJ2ZKv1ZBr/zeSOcqRIHZuFfo72lBMXXphAcTWhy0PSzALlyLKd8OUvwyz9ipzrsC+6/TrRBnv6ZGUC7RMLdpj4Qu2jrmHN+6RgiZ5NDlZ24gQyn7I0rgfwUUShztgdja3DbQArinNTKTKlq9QFR4bZDt5NNFU4KIkwglNJcnbh8vu2b55gf41DFFFWEf8lc63fsMKInuyNFXdCEaMLrSGKiXBw9vrbqOkVb1QkOJUugWyuTabE07jJjODlz3oVxCzL+5BlySbPB1CuIGnbBlhE2/jTMjpahejKt94kSU2waEohnPNLWMcMjh9c0dTobCL6CNYhft/G2Jf4Xp5MemEmyGZ7+zGJZoMt/tkHDh0nfpA4Hsm07tV8D1ERPttlSvUsNFhuVWmn/KMyjpgSxpOtixEhISQvUVhOKXV7J9AVmjY/BgV92WfFwwKp8d5Ct3oo61Q0MbAlLntJzhY6dLb4cscCtPPJ8KGKnouLB3pGDDMDAsfUzGqNXvTh0pDn/GO7neVtIQ1qoDwmJoSTb9WTEE6FvQcCkRjAdMNPpN3XjI/nLGBksEI/32+oAPWRMVAsZDNTuiSDun3KDaFkblEYAMFzq7iIoQNN430xldiZ0Jgk4TQAUrQWt5MojZ/YQAovUVN6nl+TnEz2k7/bAOi/mMTH+aunhEqkgt+ffgt9DD07lczIVrKvjU/kE8wmNXimj2RfzjxLLqqUYFRESr0uFA7MonnTAZtcQ2ygUtkOS/fR71Pi7tgdGZriBLTuJZUBfFcSqhEbwMKyvGMe/Uky1JcpTu7xUVf/+vKFYNilBc2cZ6rt39AxwNjbNsyJazMJKpIzkNdib+Pvi6ozO8+2xUSJ0AT/2OOYCQIolAHNqE6Jyq0+exh8RaNmz9CeGcQSfUluvdq90M7O+SHySLvyaVOJVuwN+OFKaOVombAldOSTlM2yEwIi1FP/aJq3sc7b0qUS0cvwaOKGBsXM8rPMhtaYNdM9HfNZyaOqv/CwYh1PomnEeDoV+COvr4Ogk24BAYpA5gM7sMZE5mjzUHYLMPnLLobxhUo/wnkOUuKA+9IeB2RljcLuca/zIV43YNFPDESHX19MTmr5rbQvgIqmvyDXNYqbXcaWYsEMmk2VtWjlSBEpXpNED653/kFxwiF6j/zuj7fDCLgb9Z5Yvebew9sAsms+Toj66i2lULX8pLGKmHgL9tioNjP5vgBqpabEfNbV6d9vFnYm4lZQXyqXGrPEd+6J5jwd4ksY8b7Cmy/UlCljTI6UdvxNs63LqeUmQHoWZpUsI6D0TEtL8OyCjEeGxZ1p+EC/q18ZhYOY5slbhH2qQsyLau/IB2X0t+2WWaiNSNWT+VDzeW9f7FXyjAjbvW5yHQ+UpE6zu+38UEWSZAElB7ew+qsZ41ZUSjuB3NdYB/DpSwnmGh9Luwy2PswwAvUsVkANDCGbPZmaHZZv9E6H1+SIm57Cms5R1+dkYrM+RSg37YM8CtBh9xUy/FKsGDivp/DZzKhQLCrqZLQsyc7cdgqv6hxPpf5LsuAqpzegiTVTIPMvQ2dTC66C/1al8BSICJfXvZFgnwqNtIduYVf80oxStkxKKFVBKkquL+qdSJuDTQOwi8BS4OAwDsCj/+y27vAjBiQdogtMB0fsJhZh9sdSy92bjoFpK6tTIXajWiESnIEIA0L9wRD+BoAlpNsfuDi+IfIUIJDxCNXo/1uVivGDYVn91z+Sm6Km1f4U+mhn/av3Q1M0PLmysMbVwJnCUhB2+ZWkVMlKKlsK6kMpIHFryOIeFjhvGLq1eumPkVextPSd13kForKr278Xjcb+X0OSo9F0GvfGogKkwpldKYro01BL5uoekni+zApxZllErejWM+3wFYlqGoJSD2xE9pdEe1mtkzYWCF9aZCxtJrlI4lSQnNX+JCFsVdWjlhiMy6jxppAMMxN5jkMXCZRrjmDoNSyT9BM1tFsA58KPNh/p2/3GLlYN5iJv302prvvx2fF+zAmrli12ii8FrSlT+Jd420eAB8mJ3qfqkkoC+sj7HvS/krKslBu8OdRHqKPgllpoDZhApBOAS5E1XK/IFRpS3lGqOFaJ77Lc8FHRvkyeBuvOwA/FfE63kyG50d0nWzjbyx1rAta9DjXXxMoWikNnrfthToep9mlOTAATZJIYy8hbyDYJA2Fgi1XoAxQa0dxW5AeGNpF/a8U3ZdM9MrYVUmsMT0FXABlNg8g1/pfkVVOsESeeSDYFwaodPDPshNtfciLt86pMO75/BpbhYP7reA47bsMS2ehmQ23TtDUt5X8ucGStkuSaKf4NPWxYXnATDfQihCwga0rD4LQ8yjSNwpbLIJ6yWE/bJjkBmPKMg5KJ6UBJ0pUTap6c8lJovhGZ894f6YE4attBgmCRh7vA4GvoudJIUvURTTENSqB6va/oYXR7bPDVefgetaAx3HdQ6J4Jp168yX0G6/20Y9C/Ur7wvVt9kJ/SVXdNiCOstTgKR0R5MmjcEvisYclHTXID5dsiHDt3F1Pd9ILQy2295QV0JJZ6XfqRu1izkf+q/ZS+Kd46YYp/79l08C0Jb3dKf5Cq09oHgCUBhl29pUqGGVwXGFRYvQfKfjLf6QZjNzuq/jtGKwK7B2Y4PBWadzaKE7fgMa/FyucSRtenAgbszIaKRGc1/Gdka9uVcmlvfT52l4q41WmNh4J1qxt6puE+quGo+/XdRjRwaEfWqf0QsPzr7Isu16d5PA/jL4BYHB1bBGnEOkTUc4d3GTgwbopzS0yCcPDGazv+PpZW3I+hDLglIh3H08KFfMMAbqL4YNek383m+PHMN0WbqdCmmGIGR6/DLACzX+r6y2KIGhqmRzO1w//QXmz7VDstyN4RzXDz8v7mEpPSra3HVtSXzauOUJgrDyPPhDnu8bstKsp60E2NmjktNOTm2u7JLNYAdHwJNyGLSkzvlIXg4U7Rsaz1oADBdq9PNAR/Wl7bvvZ7WOrjyBBrLlciorb48Ga4PPXEme8j6yUrLWN3jNYymMisVE59N+gKunE58eWTPSwy2YRUyB/thPOXxGpsbzbtEkYN1GE3knNmYwKOMxZ3HYj20Hp4egsWtQz+xtEGobHffMCqij5OCHozlaHf9I3Si6e3iNVHlLyEVl4HrIw137wvMLNiHff5lwpRoh2d0z8hhx3Dp41KVws6FgJ2CUDFRUCaRGBALGuG0vlMZMOVVIfZhSfwLi6ZqA30FVywrOx/uDTa/dxB64QNvlAjw6Om0NbFogRsa0ET7J2Y0Vd+7LPpgj+F4jnWODrlXguOv27TMBa9dsUtnU47Qa5WRWg9Y1P77AFh5CUbqREe4TDvNhg70d74j4CbiNNgBx4jxK3T+8coOTj78PAsJqv7OauVboiS/8R9xcqG2R0l4Hwj0w7odHLy+dcTZXYiYH+8ABOIH6Kv53X0xtmJuoNLIKreqhv93MdKygYOX0OIcKca+Mg7C91LDXT+1tCD9sXatwGOsrNhRtZilbtWLFU6srbBkGYBJlueMwy6Gr30j81+4MmUun88D+2OYzf71ZVMvNbiyVskMjNpPIbwPrVDCgX72KUax1ywiOF0JmCFer//f+LyNHPTFMGHyg2U4hHKDqF4wynSfK/lI/1XQOM9s/znJU+eVqeRnOvmKQFs75MHvBbhyT63zheE4X1iOyPs9qo9mRbrFpHEJx87RfdAqVQIo17OQjklsmsXkV9CDP/eNvVdhUypuWb3eIM4+RiN0vke4AXOBUEy6j16XBNVAthVKb2vkqFXeIWfNZmT/fEoW5O5IJ4L68AJkOdpIDrrjhUtFA2GhEmZ6EqojxcaEbOgBVfW7zot74YlgscTdl5tFdIGWKxPmI++jXGWb1RjKmQE/wV7i6TQ7cPU0pyNCN+RAm52JJ0e7umhfpHqH9JnjthoPg21DxrXB68tjfwqKIN2DIg/ra4uS4fuXxESOWRjSPICVRFzPQXgqYQEXHi6UazYHMbdov9/KFnJdj89Ykm+3k/Yw8sfy4BXeu7ECzwkqWIApCPsNJbmR6Nt8XObaOpISgUKLs91QrpR2Jh3QjGgBZo7GwLTy277N8qIYWyJccoyymzFGjFalkM+KJJscr2tV4NVuc2b01uwHkwmvSAEwk2YYSbH2czkxhhcmhPbYhC9Q5fEq4knzKFlrdJ8xtSYzrOFImhvI7KkpGMkVs0SNpxjkfRvLeEndt+0nhigcl19QaIsXEfdqrfScA6RjDI+897yOrjd735qe0DSY172Jy9QfQCNY+l4mLw15J0DAvt4pc6OhLtNO4F26eeUCq/T2CccfqEfnLKnDsjNEP2ox6yIQtzIOVNr0l1EOzCj5hHmgupBbFzRiPWp1jbxWo4POUyfAswv4GmcAUOCuUWYr7YbcsjzeZ2I1wLbDedHiZ7EOSxtl2Fl4hhPHBh/EC8Zv7ipESuDNaOAQQDWa7TqJJ4saiiS2SOJH5miR5/Jk9588/eUlA2qOIaaJ+SgMLZwdJ2l+wdIbMlCSQgvpY2nYV55MHAyM6XdTnJx4v2YNTSpeKVRfbYyhJuMlpGX6IZbAW93IAzOto0SvWHBrdClQgNDqg9Bpo6PiH+878iaEs5dg/XeaTxjNLmq/yGYrNKqHLMqFE9NiHRv1sE0PP+BVh/bpa3lzD8O5w9WD9Fh8NiBwEgH4ZVHc4E6Q29DMjQ0Ii/hs+86gtWvOUQsLv5DLie3di+1Z9wTpFczUOONTfVQqJshxIhxsGzifTJUZ3GMsrmcEcCHLx+Q2XtZr7JH4a4JnSIN96qPwZ9+rqC2a5+SBjZQS3iWLCPvyTsYO4i5EggzZZxd+OKkhQi6rja3J35YGQN9Qm5qnvcH5JE4U2CPufeVg9aTfefuDJuFLYafKPv/+cHLNImzcLZ6AA15zNHhpjWa5O9p1PBjxooPanQK1HkjmNoAdNQch2iLUshh3PYoX3BAHNaa9KpMtRpnM3PUke/2mlQvToGXkcZRSzlSNKKNi4e0sO6IgiL8FEubZ4Yh+DiX0k+u+WpTPVwfI1fkLChva4KgP5yICHGWcZeMjuVJ7YwNT1UXYCt7EMwbEsitL44EpwweYDIJUoGNEmazianxgLZ3FzcbNes3buHJCsMt35OibnC1GspxUGiofjMpMrlXfjCaY3uGv7fNC1wTjaBWTE7Clqk43+/vPwFt6HAfyJG+hYfZSSJDRRVo6luqZ7aADWViORje5pMj/efCEWSACF7la9nHi9QrgjMWPsMEwDKcmXsyHRRog2sJ/JAvDrlYrSUy7ATWrk+E4JMdfrfSNzddA== X-IPAS-Result: A2BdAQBUk6Nb/wHyM5BbHAEBAQQBAQoBAYFSggMDgQhcKIxni1GBaIJ+k3UUgWInEwGFBIJ+ITYWAQMBAQEBAQECAWwcDII1JIJgAwMBAiQTBgEBDCAMAgMJAQFACAgDAS0UAREGAQcFBgIBAQEYBIMAgWoDFQOYU4ocgWozgnUBAQWBBAEBdYJEA4JRCBeKWBeCAIESJwyCMYR5ARIBhXeISIUvQTGOBwmCDI4SHViIOYYRjmyCfYRVATBkcU0jFTuCbIIZDBeDRoocAVVPewEBijqCPQEB Received: from tarius.tycho.ncsc.mil ([144.51.242.1]) by emsm-gh1-uea11.NCSC.MIL with ESMTP; 20 Sep 2018 12:33:58 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus.infosec.tycho.ncsc.mil [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id w8KCXva9025487; Thu, 20 Sep 2018 08:33:58 -0400 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id w8K0K7C2024201 for ; Wed, 19 Sep 2018 20:20:07 -0400 Received: from goalie.tycho.ncsc.mil (goalie.infosec.tycho.ncsc.mil [144.51.242.250]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id w8K0K695020735 for ; Wed, 19 Sep 2018 20:20:07 -0400 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A1AOAAB15qJbl3oVGNZcHAEBAQQBAQoBAYFQggWBZyiDc4gVX4tSgWAIgn6TdIF6hHcCQoJ5ITQYAQMBAQEBAQECFAEBAQEBBhgGTIVFAwMjBBkBATgPJQImAgJFEgYBDAYCAQGDHYFqAxUDmXGKHG97M4J1AQEFgQQBAXWCSwOCUQgXdIliF4IAgRInDIIxiC2CV4hDhS1BMY18CYIMjhEdWIg2hgyOaoJ7hE6CDU0jFYMnghkMDgmDRYocAVVPjWwBAQ X-IPAS-Result: A1AOAAB15qJbl3oVGNZcHAEBAQQBAQoBAYFQggWBZyiDc4gVX4tSgWAIgn6TdIF6hHcCQoJ5ITQYAQMBAQEBAQECFAEBAQEBBhgGTIVFAwMjBBkBATgPJQImAgJFEgYBDAYCAQGDHYFqAxUDmXGKHG97M4J1AQEFgQQBAXWCSwOCUQgXdIliF4IAgRInDIIxiC2CV4hDhS1BMY18CYIMjhEdWIg2hgyOaoJ7hE6CDU0jFYMnghkMDgmDRYocAVVPjWwBAQ X-IronPort-AV: E=Sophos;i="5.53,396,1531800000"; d="scan'208";a="373915" Received: from emsm-gh1-uea10.ncsc.mil ([214.29.60.34]) by goalie.tycho.ncsc.mil with ESMTP; 19 Sep 2018 20:20:06 -0400 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A0ANAAAv56Jbl3oVGNZcHAEBAQQBAQoBAYFQggWBZyiDc4gVX4tSgWAIgn6TdIF6hHcCQoJ5ITQYAQMBAQEBAQECARMBAQEBAQYYBkwMgjUkgmADAyMEGQEBOA8lAiYCAkUSBgEMBgIBAYMdgWoDFQOZc4ocb3szgnUBAQWBBAEBdYJLA4JRCBd0iWIXggCBEicMgjGILYJXiEOFLUExjXwJggyOER1YiDaGDI5qgnuEToINTSMVgyeCGQwOCYNFihwBVU+NbAEB X-IPAS-Result: A0ANAAAv56Jbl3oVGNZcHAEBAQQBAQoBAYFQggWBZyiDc4gVX4tSgWAIgn6TdIF6hHcCQoJ5ITQYAQMBAQEBAQECARMBAQEBAQYYBkwMgjUkgmADAyMEGQEBOA8lAiYCAkUSBgEMBgIBAYMdgWoDFQOZc4ocb3szgnUBAQWBBAEBdYJLA4JRCBd0iWIXggCBEicMgjGILYJXiEOFLUExjXwJggyOER1YiDaGDI5qgnuEToINTSMVgyeCGQwOCYNFihwBVU+NbAEB X-IronPort-AV: E=Sophos;i="5.53,396,1531785600"; d="scan'208";a="16038226" X-IronPort-Outbreak-Status: No, level 0, Unknown - Unknown Received: from uhil3cpa11.eemsg.mail.mil ([214.24.21.122]) by EMSM-GH1-UEA10.NCSC.MIL with ESMTP; 20 Sep 2018 00:20:06 +0000 X-EEMSG-check-005: 0 X-EEMSG-check-006: 000-001;069b4a38-22e1-4af3-92e4-ea9191a4fe9c Authentication-Results: UHIL3CPA07.eemsg.mail.mil; spf=None smtp.pra=casey@schaufler-ca.com; spf=None smtp.mailfrom=casey@schaufler-ca.com; spf=None smtp.helo=postmaster@sonic306-10.consmr.mail.bf2.yahoo.com; dkim=pass (signature verified) header.i=@yahoo.com X-EEMSG-check-008: 55438105|UHIL3CPA07_EEMSG_MP23.csd.disa.mil X-EEMSG-SBRS: 3.5 X-EEMSG-ORIG-IP: 74.6.132.49 X-EEMSG-check-002: true X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A0BPAAAv56JbhzGEBkpcHQEBBQELAYFQg2wog3OIFV+NMgiCfpN0gXqEdwJCgnkZBgYwGAEDAQEBAQEBAQEBEwEBAQgNCQgbDiMMgjUkgmADAyMEGQEBOA8lAiYCAkUSBgEMBgIBAYMdgWoDFZl2ihxvezOCdQEBBYEEAQF1gksDglEIF3SJeYIAgRInDIIxiC2CV4hDhS1BMY18CYIMjhEdWIg2hgyOaoJ7hE6CDU0jFYMnghkMDgmDRYocAVUfMI1sAQE X-IPAS-Result: A0BPAAAv56JbhzGEBkpcHQEBBQELAYFQg2wog3OIFV+NMgiCfpN0gXqEdwJCgnkZBgYwGAEDAQEBAQEBAQEBEwEBAQgNCQgbDiMMgjUkgmADAyMEGQEBOA8lAiYCAkUSBgEMBgIBAYMdgWoDFZl2ihxvezOCdQEBBYEEAQF1gksDglEIF3SJeYIAgRInDIIxiC2CV4hDhS1BMY18CYIMjhEdWIg2hgyOaoJ7hE6CDU0jFYMnghkMDgmDRYocAVUfMI1sAQE Received: from sonic306-10.consmr.mail.bf2.yahoo.com ([74.6.132.49]) by UHIL3CPA07.eemsg.mail.mil with ESMTP; 20 Sep 2018 00:20:02 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1537402800; bh=3J+qiALNxSw/NGUe+je3zM3JHobyUgbDaAYk6Vg2OGo=; h=Subject:To:References:From:Date:In-Reply-To:From:Subject; b=TR0+9qy1hlq/5tq65vK+1jP1csZCU9cNJiwMzOq4g8qI+ODAzveda18RMEl8+pka3BO13odL4Of/5EPXbSqyoVCoxiZLEe4RP25CnjbuQj8jUic/dKsHFbzugEJDLB7JnhSivTtEaT/fJpkYngsw7thWBchtueszkOonmQVUx1dJLHDZiJZhrjY1QYX1yDp6KbhNMXOx9AN9Y8CAmymUtA3dj6qUBLUkwgnHuA+VrNCkSlVWDIKHSq03D+4b0ey4BjIpH1N1Rvia9ll8vcI/QdxEDGIaX/zo3IwbYX3wIMnElS441JTK7k1PVFtKuOHAZr3SZ3LK8EEZlbG4qBs3iA== X-YMail-OSG: uPnWRtkVM1mpTeDQueSnU7BYFzvCKJZi_k7FuoWmghS5MGHTP8otPKePicrwIuL 7ZlQoogatDE7q.DNYIm8Lj5VflgyIIvXbEdndp_4jMedVpN2GfxDtIdjOvbTZvYCjUnKP2JWLeQR Vgm9DboTdqCr2FVZlnwzOzJ1JtTxb32aKsLjNkh5qx3ex8EGkpSv.MJ4Y_Guplr8AgYJ0HmTpZCD jzC9S23Jy2E800MCMtiD4H25RRYH5SuuWEH_15tph.eknaxB2CFf_zxivo8cOH9ar3WPqcVzkxF9 Gu0WZEOXQCCvex_JIMI7xzbdeHADHV7QZd6LYHnTHyQXQ_ZYDqzxzPmGBRaTu7LMX_S_3q1orKsf dUbXRQ5P4Ac._f9VjN.GpVCSTypF1KJoivKbaUr.T8qK8GI0PJFIKe4OCY98.ime2SQf.FTx26iz gt8r0m2Qwd4lbblKoHtxtITlwHAOuP3D3rVMWArd2Kv_Zk_QdO5Y9.s.ZvVBRO1U6KlsgflHMHed bQOHDwGe0GE47L5gTw3sCE5IOhnRPITFyWs1dYkOLZxo9baiCSU9YVi8aVc_MyhqzmH8RHa3_JS7 HUxDE8HjgAVAUQjwC85HMZtAHKhkFWUhEClKFMilhTf0xdftO_J.lIMctzxH1EWh4JG9Xi9QCWb. 07RBiDSgyYUmx_kIrhMXOf5ry9s2n9T40Ld1LYasP.UvQ_1pv4IaAt5E5F7Tw1bGVyFlPlveMe_0 Y7FAptZaWn7LDLm76lwqQlb1HCmkoK2hZPKJ4.vAhuVdoWTjk8FVEOtMSIAhllHWk9kjDfWSp5kP 8gqp5fI4N8JgL3CLUQYltHDsjtj7JVZxKcwA.CKeYBIijg.ckXizeOvvVRsiFHF9A4fS2q0cS.Yl u9WMzvprrJCDoHHoMPDv._4bzqmIYZK2xk26.GGkVnrvA8ZS3P0Pfs5.jmuCKz6H7wmyL6gibECS EGNhTmR9ZErQYMt3LLbadT1MOt4Lfy6jDrfcOxehiiCPU.bvcfPLxkT09Wyo.ycWlO74p5IXzOqb wpwAUOh2kfwvkz9EOGC_5A1Lctn2Jfk8- Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.bf2.yahoo.com with HTTP; Thu, 20 Sep 2018 00:20:00 +0000 Received: from c-67-169-65-224.hsd1.ca.comcast.net (EHLO [192.168.0.102]) ([67.169.65.224]) by smtp417.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID bdf8f880f25bcf7d213f06dfcd9fb6dd; Thu, 20 Sep 2018 00:19:58 +0000 (UTC) To: LSM , James Morris , SE Linux , LKLM , John Johansen , Kees Cook , Tetsuo Handa , Paul Moore , Stephen Smalley , "linux-fsdevel@vger.kernel.org" , Alexey Dobriyan , =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Salvatore Mesoraca References: <748c61cb-b6fa-c36d-a7b3-2315ff6292af@schaufler-ca.com> X-EEMSG-check-009: 444-444 From: Casey Schaufler Message-ID: Date: Wed, 19 Sep 2018 17:19:54 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <748c61cb-b6fa-c36d-a7b3-2315ff6292af@schaufler-ca.com> Content-Language: en-US X-Mailman-Approved-At: Thu, 20 Sep 2018 08:30:05 -0400 Subject: [PATCH v3 03/16] SELinux: Abstract use of cred security blob X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.21 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP SELinux: Abstract use of cred security blob Don't use the cred->security pointer directly. Provide a helper function that provides the security blob pointer. Signed-off-by: Casey Schaufler --- security/selinux/hooks.c | 54 +++++++++++++++---------------- security/selinux/include/objsec.h | 5 +++ security/selinux/xfrm.c | 4 +-- 3 files changed, 34 insertions(+), 29 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index ad9a9b8e9979..9d6cdd21acb6 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -228,7 +228,7 @@ static inline u32 cred_sid(const struct cred *cred) { const struct task_security_struct *tsec; - tsec = cred->security; + tsec = selinux_cred(cred); return tsec->sid; } @@ -464,7 +464,7 @@ static int may_context_mount_sb_relabel(u32 sid, struct superblock_security_struct *sbsec, const struct cred *cred) { - const struct task_security_struct *tsec = cred->security; + const struct task_security_struct *tsec = selinux_cred(cred); int rc; rc = avc_has_perm(&selinux_state, @@ -483,7 +483,7 @@ static int may_context_mount_inode_relabel(u32 sid, struct superblock_security_struct *sbsec, const struct cred *cred) { - const struct task_security_struct *tsec = cred->security; + const struct task_security_struct *tsec = selinux_cred(cred); int rc; rc = avc_has_perm(&selinux_state, tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, @@ -1949,7 +1949,7 @@ static int may_create(struct inode *dir, struct dentry *dentry, u16 tclass) { - const struct task_security_struct *tsec = current_security(); + const struct task_security_struct *tsec = selinux_cred(current_cred()); struct inode_security_struct *dsec; struct superblock_security_struct *sbsec; u32 sid, newsid; @@ -1971,7 +1971,7 @@ static int may_create(struct inode *dir, if (rc) return rc; - rc = selinux_determine_inode_label(current_security(), dir, + rc = selinux_determine_inode_label(selinux_cred(current_cred()), dir, &dentry->d_name, tclass, &newsid); if (rc) return rc; @@ -2478,8 +2478,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) if (bprm->called_set_creds) return 0; - old_tsec = current_security(); - new_tsec = bprm->cred->security; + old_tsec = selinux_cred(current_cred()); + new_tsec = selinux_cred(bprm->cred); isec = inode_security(inode); /* Default to the current task SID. */ @@ -2643,7 +2643,7 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm) struct rlimit *rlim, *initrlim; int rc, i; - new_tsec = bprm->cred->security; + new_tsec = selinux_cred(bprm->cred); if (new_tsec->sid == new_tsec->osid) return; @@ -2686,7 +2686,7 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm) */ static void selinux_bprm_committed_creds(struct linux_binprm *bprm) { - const struct task_security_struct *tsec = current_security(); + const struct task_security_struct *tsec = selinux_cred(current_cred()); struct itimerval itimer; u32 osid, sid; int rc, i; @@ -2989,7 +2989,7 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode, u32 newsid; int rc; - rc = selinux_determine_inode_label(current_security(), + rc = selinux_determine_inode_label(selinux_cred(current_cred()), d_inode(dentry->d_parent), name, inode_mode_to_security_class(mode), &newsid); @@ -3009,14 +3009,14 @@ static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, int rc; struct task_security_struct *tsec; - rc = selinux_determine_inode_label(old->security, + rc = selinux_determine_inode_label(selinux_cred(old), d_inode(dentry->d_parent), name, inode_mode_to_security_class(mode), &newsid); if (rc) return rc; - tsec = new->security; + tsec = selinux_cred(new); tsec->create_sid = newsid; return 0; } @@ -3026,7 +3026,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, const char **name, void **value, size_t *len) { - const struct task_security_struct *tsec = current_security(); + const struct task_security_struct *tsec = selinux_cred(current_cred()); struct superblock_security_struct *sbsec; u32 newsid, clen; int rc; @@ -3036,7 +3036,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, newsid = tsec->create_sid; - rc = selinux_determine_inode_label(current_security(), + rc = selinux_determine_inode_label(selinux_cred(current_cred()), dir, qstr, inode_mode_to_security_class(inode->i_mode), &newsid); @@ -3498,7 +3498,7 @@ static int selinux_inode_copy_up(struct dentry *src, struct cred **new) return -ENOMEM; } - tsec = new_creds->security; + tsec = selinux_cred(new_creds); /* Get label from overlay inode and set it in create_sid */ selinux_inode_getsecid(d_inode(src), &sid); tsec->create_sid = sid; @@ -3918,7 +3918,7 @@ static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp) */ static void selinux_cred_free(struct cred *cred) { - struct task_security_struct *tsec = cred->security; + struct task_security_struct *tsec = selinux_cred(cred); /* * cred->security == NULL if security_cred_alloc_blank() or @@ -3938,7 +3938,7 @@ static int selinux_cred_prepare(struct cred *new, const struct cred *old, const struct task_security_struct *old_tsec; struct task_security_struct *tsec; - old_tsec = old->security; + old_tsec = selinux_cred(old); tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp); if (!tsec) @@ -3953,8 +3953,8 @@ static int selinux_cred_prepare(struct cred *new, const struct cred *old, */ static void selinux_cred_transfer(struct cred *new, const struct cred *old) { - const struct task_security_struct *old_tsec = old->security; - struct task_security_struct *tsec = new->security; + const struct task_security_struct *old_tsec = selinux_cred(old); + struct task_security_struct *tsec = selinux_cred(new); *tsec = *old_tsec; } @@ -3970,7 +3970,7 @@ static void selinux_cred_getsecid(const struct cred *c, u32 *secid) */ static int selinux_kernel_act_as(struct cred *new, u32 secid) { - struct task_security_struct *tsec = new->security; + struct task_security_struct *tsec = selinux_cred(new); u32 sid = current_sid(); int ret; @@ -3995,7 +3995,7 @@ static int selinux_kernel_act_as(struct cred *new, u32 secid) static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) { struct inode_security_struct *isec = inode_security(inode); - struct task_security_struct *tsec = new->security; + struct task_security_struct *tsec = selinux_cred(new); u32 sid = current_sid(); int ret; @@ -4544,7 +4544,7 @@ static int sock_has_perm(struct sock *sk, u32 perms) static int selinux_socket_create(int family, int type, int protocol, int kern) { - const struct task_security_struct *tsec = current_security(); + const struct task_security_struct *tsec = selinux_cred(current_cred()); u32 newsid; u16 secclass; int rc; @@ -4564,7 +4564,7 @@ static int selinux_socket_create(int family, int type, static int selinux_socket_post_create(struct socket *sock, int family, int type, int protocol, int kern) { - const struct task_security_struct *tsec = current_security(); + const struct task_security_struct *tsec = selinux_cred(current_cred()); struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); struct sk_security_struct *sksec; u16 sclass = socket_type_to_security_class(family, type, protocol); @@ -5442,7 +5442,7 @@ static int selinux_secmark_relabel_packet(u32 sid) const struct task_security_struct *__tsec; u32 tsid; - __tsec = current_security(); + __tsec = selinux_cred(current_cred()); tsid = __tsec->sid; return avc_has_perm(&selinux_state, @@ -6379,7 +6379,7 @@ static int selinux_getprocattr(struct task_struct *p, unsigned len; rcu_read_lock(); - __tsec = __task_cred(p)->security; + __tsec = selinux_cred(__task_cred(p)); if (current != p) { error = avc_has_perm(&selinux_state, @@ -6502,7 +6502,7 @@ static int selinux_setprocattr(const char *name, void *value, size_t size) operation. See selinux_bprm_set_creds for the execve checks and may_create for the file creation checks. The operation will then fail if the context is not permitted. */ - tsec = new->security; + tsec = selinux_cred(new); if (!strcmp(name, "exec")) { tsec->exec_sid = sid; } else if (!strcmp(name, "fscreate")) { @@ -6631,7 +6631,7 @@ static int selinux_key_alloc(struct key *k, const struct cred *cred, if (!ksec) return -ENOMEM; - tsec = cred->security; + tsec = selinux_cred(cred); if (tsec->keycreate_sid) ksec->sid = tsec->keycreate_sid; else diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index cc5e26b0161b..734b6833bdff 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -158,4 +158,9 @@ struct bpf_security_struct { u32 sid; /*SID of bpf obj creater*/ }; +static inline struct task_security_struct *selinux_cred(const struct cred *cred) +{ + return cred->security; +} + #endif /* _SELINUX_OBJSEC_H_ */ diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index 91dc3783ed94..8ffe7e1053c4 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c @@ -79,7 +79,7 @@ static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp, gfp_t gfp) { int rc; - const struct task_security_struct *tsec = current_security(); + const struct task_security_struct *tsec = selinux_cred(current_cred()); struct xfrm_sec_ctx *ctx = NULL; u32 str_len; @@ -138,7 +138,7 @@ static void selinux_xfrm_free(struct xfrm_sec_ctx *ctx) */ static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx) { - const struct task_security_struct *tsec = current_security(); + const struct task_security_struct *tsec = selinux_cred(current_cred()); if (!ctx) return 0;