From patchwork Sun Sep 23 18:26:15 2018
X-Patchwork-Submitter: Jann Horn via Selinux
X-Patchwork-Id: 10612399
To: pablo@netfilter.org, kadlec@blackhole.kfki.hu, fw@strlen.de, davem@davemloft.net, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, paul@paul-moore.com, sds@tycho.nsa.gov, eparis@parisplace.org, jmorris@namei.org, serge@hallyn.com, selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org
Date: Sun, 23 Sep 2018 20:26:15 +0200
Message-Id: <20180923182616.11398-1-cgzones@googlemail.com>
Subject: [PATCH v3 1/2] netfilter: nf_tables: add SECMARK support
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
From: Christian Göttsche via Selinux
Reply-To: Christian Göttsche

Add the ability to set the security context of packets within the nf_tables framework. Add a nft_object for holding security contexts in the kernel and manipulating packets on the wire. Convert the security context strings at rule addition time to security identifiers. This is the same behavior as in xt_SECMARK and offers better performance than computing it per packet. Set the maximum security context length to 256.

Signed-off-by: Christian Göttsche
---
v3: switch context string from char[] to char *
    rename function to nft_secmark_compute_secid()
v2: convert security context strings to ids on rule addition time

Based on nf-next
Tested with v4.18.8

 include/net/netfilter/nf_tables_core.h   |   4 +
 include/uapi/linux/netfilter/nf_tables.h |  18 +++-
 net/netfilter/nf_tables_core.c           |  28 +++++-
 net/netfilter/nft_meta.c                 | 107 +++++++++++++++++++++++
 4 files changed, 152 insertions(+), 5 deletions(-)

diff --git a/include/net/netfilter/nf_tables_core.h b/include/net/netfilter/nf_tables_core.h index 8da837d2a..2046d104f 100644 --- a/include/net/netfilter/nf_tables_core.h +++ b/include/net/netfilter/nf_tables_core.h @@ -16,6 +16,10 @@ extern struct nft_expr_type nft_meta_type; extern struct nft_expr_type nft_rt_type; extern struct nft_expr_type nft_exthdr_type; +#ifdef CONFIG_NETWORK_SECMARK +extern struct nft_object_type nft_secmark_obj_type; +#endif + int nf_tables_core_module_init(void); void nf_tables_core_module_exit(void); diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h index 702e4f0be..5444e7687 100644 --- a/include/uapi/linux/netfilter/nf_tables.h +++ b/include/uapi/linux/netfilter/nf_tables.h 
@@ -1176,6 +1176,21 @@ enum nft_quota_attributes { }; #define NFTA_QUOTA_MAX (__NFTA_QUOTA_MAX - 1) +/** + * enum nft_secmark_attributes - nf_tables secmark object netlink attributes + * + * @NFTA_SECMARK_CTX: security context (NLA_STRING) + */ +enum nft_secmark_attributes { + NFTA_SECMARK_UNSPEC, + NFTA_SECMARK_CTX, + __NFTA_SECMARK_MAX, +}; +#define NFTA_SECMARK_MAX (__NFTA_SECMARK_MAX - 1) + +/* Max security context length */ +#define NFT_SECMARK_CTX_MAXLEN 256 + /** * enum nft_reject_types - nf_tables reject expression reject types * @@ -1432,7 +1447,8 @@ enum nft_ct_timeout_timeout_attributes { #define NFT_OBJECT_CONNLIMIT 5 #define NFT_OBJECT_TUNNEL 6 #define NFT_OBJECT_CT_TIMEOUT 7 -#define __NFT_OBJECT_MAX 8 +#define NFT_OBJECT_SECMARK 8 +#define __NFT_OBJECT_MAX 9 #define NFT_OBJECT_MAX (__NFT_OBJECT_MAX - 1) /** diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c index ffd5c0f94..3fbce3b9c 100644 --- a/net/netfilter/nf_tables_core.c +++ b/net/netfilter/nf_tables_core.c @@ -249,12 +249,24 @@ static struct nft_expr_type *nft_basic_types[] = { &nft_exthdr_type, }; +static struct nft_object_type *nft_basic_objects[] = { +#ifdef CONFIG_NETWORK_SECMARK + &nft_secmark_obj_type, +#endif +}; + int __init nf_tables_core_module_init(void) { - int err, i; + int err, i, j = 0; + + for (i = 0; i < ARRAY_SIZE(nft_basic_objects); i++) { + err = nft_register_obj(nft_basic_objects[i]); + if (err) + goto err; + } - for (i = 0; i < ARRAY_SIZE(nft_basic_types); i++) { - err = nft_register_expr(nft_basic_types[i]); + for (j = 0; j < ARRAY_SIZE(nft_basic_types); j++) { + err = nft_register_expr(nft_basic_types[j]); if (err) goto err; } @@ -262,8 +274,12 @@ int __init nf_tables_core_module_init(void) return 0; err: + while (j-- > 0) + nft_unregister_expr(nft_basic_types[j]); + while (i-- > 0) - nft_unregister_expr(nft_basic_types[i]); + nft_unregister_obj(nft_basic_objects[i]); + return err; } 
@@ -274,4 +290,8 @@ void nf_tables_core_module_exit(void) i = ARRAY_SIZE(nft_basic_types); while (i-- > 0) nft_unregister_expr(nft_basic_types[i]); + + i = ARRAY_SIZE(nft_basic_objects); + while (i-- > 0) + nft_unregister_obj(nft_basic_objects[i]); } diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c index 297fe7d97..c8ac0ef4b 100644 --- a/net/netfilter/nft_meta.c +++ b/net/netfilter/nft_meta.c 
@@ -543,3 +543,110 @@ struct nft_expr_type nft_meta_type __read_mostly = { .maxattr = NFTA_META_MAX, .owner = THIS_MODULE, }; + +#ifdef CONFIG_NETWORK_SECMARK + +struct nft_secmark { + u32 secid; + char *ctx; +}; + +static const struct nla_policy nft_secmark_policy[NFTA_SECMARK_MAX + 1] = { + [NFTA_SECMARK_CTX] = { .type = NLA_STRING, .len = NFT_SECMARK_CTX_MAXLEN }, +}; + +static int nft_secmark_compute_secid(struct nft_secmark *priv) +{ + int err; + u32 tmp_secid = 0; + + err = security_secctx_to_secid(priv->ctx, strlen(priv->ctx), &tmp_secid); + if (err) + return err; + + if (!tmp_secid) + return -ENOENT; + + err = security_secmark_relabel_packet(tmp_secid); + if (err) + return err; + + priv->secid = tmp_secid; + return 0; +} + +static void nft_secmark_obj_eval(struct nft_object *obj, struct nft_regs *regs, const struct nft_pktinfo *pkt) +{ + const struct nft_secmark *priv = nft_obj_data(obj); + struct sk_buff *skb = pkt->skb; + + skb->secmark = priv->secid; +} + + +static int nft_secmark_obj_init(const struct nft_ctx *ctx, const struct nlattr * const tb[], struct nft_object *obj) +{ + int err; + struct nft_secmark *priv = nft_obj_data(obj); + + if (tb[NFTA_SECMARK_CTX] == NULL) + return -EINVAL; + + priv->ctx = nla_strdup(tb[NFTA_SECMARK_CTX], GFP_KERNEL); + if (!priv->ctx) + return -ENOMEM; + + err = nft_secmark_compute_secid(priv); + if (err) { + kfree(priv->ctx); + return err; + } + + security_secmark_refcount_inc(); + + return 0; +} + +static int nft_secmark_obj_dump(struct sk_buff *skb, struct nft_object *obj, bool reset) +{ + int err; + struct nft_secmark *priv = nft_obj_data(obj); + + if (nla_put_string(skb, NFTA_SECMARK_CTX, priv->ctx)) + return -1; + + if (reset) { + err = nft_secmark_compute_secid(priv); + if (err) + return err; + } + + return 0; +} + +static void nft_secmark_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj) +{ + struct nft_secmark *priv = nft_obj_data(obj); + + security_secmark_refcount_dec(); + + kfree(priv->ctx); +} + 
+static const struct nft_object_ops nft_secmark_obj_ops = { + .type = &nft_secmark_obj_type, + .size = sizeof(struct nft_secmark), + .init = nft_secmark_obj_init, + .eval = nft_secmark_obj_eval, + .dump = nft_secmark_obj_dump, + .destroy = nft_secmark_obj_destroy, +}; +struct nft_object_type nft_secmark_obj_type __read_mostly = { + .type = NFT_OBJECT_SECMARK, + .ops = &nft_secmark_obj_ops, + .maxattr = NFTA_SECMARK_MAX, + .policy = nft_secmark_policy, + .owner = THIS_MODULE, +}; + +#endif /* CONFIG_NETWORK_SECMARK */

From patchwork Sun Sep 23 18:26:16 2018
X-Patchwork-Submitter: Jann Horn via Selinux
X-Patchwork-Id: 10612401
To: pablo@netfilter.org, kadlec@blackhole.kfki.hu, fw@strlen.de, davem@davemloft.net, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, paul@paul-moore.com, sds@tycho.nsa.gov, eparis@parisplace.org, jmorris@namei.org, serge@hallyn.com, selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org
Date: Sun, 23 Sep 2018 20:26:16 +0200
Message-Id: <20180923182616.11398-2-cgzones@googlemail.com>
In-Reply-To: <20180923182616.11398-1-cgzones@googlemail.com>
References: <20180923182616.11398-1-cgzones@googlemail.com>
Subject: [PATCH v3 2/2] netfilter: nf_tables: add requirements for connsecmark support
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
From: Christian Göttsche via Selinux
Reply-To: Christian Göttsche

Add ability to set the connection tracking secmark value. Add ability to set the meta secmark value.

Signed-off-by: Christian Göttsche
---
v3: fix compile error when CONFIG_NF_CONNTRACK_MARK not defined

Based on nf-next
Tested with v4.18.8

 net/netfilter/nft_ct.c   | 17 ++++++++++++++++-
 net/netfilter/nft_meta.c |  8 ++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c index d74afa707..586627c36 100644 --- a/net/netfilter/nft_ct.c +++ b/net/netfilter/nft_ct.c @@ -279,7 +279,7 @@ static void nft_ct_set_eval(const struct nft_expr *expr, { const struct nft_ct *priv = nft_expr_priv(expr); struct sk_buff *skb = pkt->skb; -#ifdef CONFIG_NF_CONNTRACK_MARK +#if defined(CONFIG_NF_CONNTRACK_MARK) || defined(CONFIG_NF_CONNTRACK_SECMARK) u32 value = regs->data[priv->sreg]; #endif enum ip_conntrack_info ctinfo; @@ -298,6 +298,14 @@ static void nft_ct_set_eval(const struct nft_expr *expr, } break; #endif +#ifdef CONFIG_NF_CONNTRACK_SECMARK + case NFT_CT_SECMARK: + if (ct->secmark != value) { + ct->secmark = value; + nf_conntrack_event_cache(IPCT_SECMARK, ct); + } + break; +#endif #ifdef CONFIG_NF_CONNTRACK_LABELS case NFT_CT_LABELS: nf_connlabels_replace(ct, @@ -564,6 +572,13 @@ static int nft_ct_set_init(const struct nft_ctx *ctx, return -EINVAL; len = sizeof(u32); break; +#endif +#ifdef CONFIG_NF_CONNTRACK_SECMARK + case NFT_CT_SECMARK: + if (tb[NFTA_CT_DIRECTION]) + return -EINVAL; + len = sizeof(u32); + break; #endif default: return -EOPNOTSUPP; diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c index c8ac0ef4b..a6715c816 100644 --- a/net/netfilter/nft_meta.c +++ b/net/netfilter/nft_meta.c 
@@ -284,6 +284,11 @@ static void nft_meta_set_eval(const struct nft_expr *expr, skb->nf_trace = !!value8; break; +#ifdef CONFIG_NETWORK_SECMARK + case NFT_META_SECMARK: + skb->secmark = value; + break; +#endif default: WARN_ON(1); } @@ -436,6 +441,9 @@ static int nft_meta_set_init(const struct nft_ctx *ctx, switch (priv->key) { case NFT_META_MARK: case NFT_META_PRIORITY: +#ifdef CONFIG_NETWORK_SECMARK + case NFT_META_SECMARK: +#endif len = sizeof(u32); break; case NFT_META_NFTRACE:
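
Review bot: In patch 1/2, include/uapi/linux/netfilter/nf_tables.h, the comment on NFT_SECMARK_CTX_MAXLEN ("Max security context length") does not say whether the 256 bytes include the terminating NUL. The constant is UAPI and is also used as the .len of the NLA_STRING entry in nft_secmark_policy, so state the convention in the comment; userspace then sizes its buffer the same way the kernel validates the attribute.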
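
Review bot: In patch 1/2, nf_tables_core_module_init(), the single err: label unwinds correctly only because j is initialised to 0 in "int err, i, j = 0;", so a failure inside the nft_register_obj() loop skips the nft_unregister_expr() loop. That dependency is easy to lose in a later edit; add a short comment at the declaration or use one label per registration loop. With CONFIG_NETWORK_SECMARK unset, nft_basic_objects[] is left with an empty initializer; if that is intentional, a comment saying so would help.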
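
Review bot: In patch 1/2, net/netfilter/nft_meta.c, the reset branch of nft_secmark_obj_dump() calls nft_secmark_compute_secid(), which writes priv->secid, while nft_secmark_obj_eval() reads the same field to set skb->secmark; the hunk shows no locking and no READ_ONCE/WRITE_ONCE around that access. Please document why a dump with reset should re-resolve the context string and re-run security_secmark_relabel_packet(), and what orders the write against eval, or drop the branch. The error conventions in that function also differ: the nla_put_string() failure returns -1 while the reset failure returns err after the attribute has already been added to the skb. Smaller points: nft_secmark_obj_init() leaves priv->ctx pointing at freed memory after the kfree() on the error path, and there is a doubled blank line before it and no blank line between nft_secmark_obj_ops and nft_secmark_obj_type.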
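
Review bot: In patch 2/2, the NFT_CT_SECMARK case of nft_ct_set_eval() assigns ct->secmark straight from regs->data[priv->sreg], so whatever u32 was loaded into that register becomes the connection's secid. Patch 1/2 stores a secid only after security_secctx_to_secid() and security_secmark_relabel_packet() both succeed; neither this hunk nor the NFT_CT_SECMARK case added to nft_ct_set_init() applies an equivalent check or restricts where the register value comes from. Please say in the commit message which source expressions are expected to feed this register and whether an arbitrary value is acceptable, or add validation at init time.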
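
Review bot: In patch 2/2, the NFT_META_SECMARK case of nft_meta_set_eval() gives a second way to write skb->secmark besides the secmark object from patch 1/2, and this path takes none of the object's steps: the nft_meta_set_init() hunk only adds the key to the "len = sizeof(u32)" group, with no security_secmark_relabel_packet() check and no security_secmark_refcount_inc(). If that is deliberate because the value is only meant to be copied from an already labelled source, the two-sentence commit message should say so; otherwise mirror the object's init and destroy handling for rules that use this key.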