From patchwork Fri Jul 27 17:32:23 2018
X-Patchwork-Submitter: David Howells
X-Patchwork-Id: 10547503
From: David Howells
To: viro@zeniv.linux.org.uk
Date: Fri, 27 Jul 2018 18:32:23 +0100
Message-ID: <153271274305.9458.13602378603425233117.stgit@warthog.procyon.org.uk>
In-Reply-To: <153271267980.9458.7640156373438016898.stgit@warthog.procyon.org.uk>
References: <153271267980.9458.7640156373438016898.stgit@warthog.procyon.org.uk>
Subject: [PATCH 09/38] selinux: Implement the new mount API LSM hooks [ver #10]
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
Cc: Stephen Smalley, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, linux-fsdevel@vger.kernel.org, torvalds@linux-foundation.org

Implement the new mount API LSM hooks for SELinux. At some point the old hooks will need to be removed.

Question: Should the ->fs_context_parse_source() hook be implemented to check the labels on any source devices specified?

Signed-off-by: David Howells
cc: Paul Moore
cc: Stephen Smalley
cc: selinux@tycho.nsa.gov
cc: linux-security-module@vger.kernel.org
--- security/selinux/hooks.c | 290 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 290 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index ef0428311a5c..9774d1f0e99f 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -48,6 +48,8 @@ #include #include #include +#include +#include #include #include #include @@ -446,6 +448,7 @@ enum { Opt_rootcontext = 4, Opt_labelsupport = 5, Opt_nextmntopt = 6, + nr__selinux_params }; #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1) 
@@ -2974,6 +2977,285 @@ static int selinux_umount(struct vfsmount *mnt, int flags) FILESYSTEM__UNMOUNT, NULL); } +/* fsopen mount context operations */ + +static int selinux_fs_context_alloc(struct fs_context *fc, + struct dentry *reference) +{ + struct security_mnt_opts *opts; + + opts = kzalloc(sizeof(*opts), GFP_KERNEL); + if (!opts) + return -ENOMEM; + + fc->security = opts; + return 0; +} + +static int selinux_fs_context_dup(struct fs_context *fc, + struct fs_context *src_fc) +{ + const struct security_mnt_opts *src = src_fc->security; + struct security_mnt_opts *opts; + int i, n; + + opts = kzalloc(sizeof(*opts), GFP_KERNEL); + if (!opts) + return -ENOMEM; + fc->security = opts; + + if (!src || !src->num_mnt_opts) + return 0; + n = opts->num_mnt_opts = src->num_mnt_opts; + + if (src->mnt_opts) { + opts->mnt_opts = kcalloc(n, sizeof(char *), GFP_KERNEL); + if (!opts->mnt_opts) + return -ENOMEM; + + for (i = 0; i < n; i++) { + if (src->mnt_opts[i]) { + opts->mnt_opts[i] = kstrdup(src->mnt_opts[i], + GFP_KERNEL); + if (!opts->mnt_opts[i]) + return -ENOMEM; + } + } + } + + if (src->mnt_opts_flags) { + opts->mnt_opts_flags = kmemdup(src->mnt_opts_flags, + n * sizeof(int), GFP_KERNEL); + if (!opts->mnt_opts_flags) + return -ENOMEM; + } + + return 0; +} + +static void selinux_fs_context_free(struct fs_context *fc) +{ + struct security_mnt_opts *opts = fc->security; + + if (opts) { + security_free_mnt_opts(opts); + fc->security = NULL; + } +} + +static const struct fs_parameter_spec selinux_param_specs[nr__selinux_params] = { + [Opt_context] = { fs_param_is_string }, + [Opt_defcontext] = { fs_param_is_string }, + [Opt_fscontext] = { fs_param_is_string }, + [Opt_labelsupport] = { fs_param_takes_no_value }, + [Opt_rootcontext] = { fs_param_is_string }, +}; + +static const struct constant_table selinux_param_keys[] = { + { CONTEXT_STR, Opt_context }, + { DEFCONTEXT_STR, Opt_defcontext }, + { FSCONTEXT_STR, Opt_fscontext }, + { ROOTCONTEXT_STR, Opt_rootcontext }, + { 
LABELSUPP_STR, Opt_labelsupport }, +}; + +static const struct fs_parameter_description selinux_fs_parameters = { + .name = "SELinux", + .nr_params = nr__selinux_params, + .nr_keys = ARRAY_SIZE(selinux_param_keys), + .keys = selinux_param_keys, + .specs = selinux_param_specs, + .ignore_unknown = true, +}; + +static int selinux_fs_context_parse_param(struct fs_context *fc, + struct fs_parameter *param) +{ + struct security_mnt_opts *opts = fc->security; + struct fs_parse_result result; + unsigned int have; + char **oo; + int ret, ctx, i, *of; + + ret = fs_parse(fc, &selinux_fs_parameters, param, &result); + if (ret <= 0) + return ret; /* Note: 0 indicates no match */ + + have = 0; + for (i = 0; i < opts->num_mnt_opts; i++) + have |= 1 << opts->mnt_opts_flags[i]; + if (have & (1 << result.key)) + return -EINVAL; + + switch (result.key) { + case Opt_context: + if (have & (1 << Opt_defcontext)) + goto incompatible; + ctx = CONTEXT_MNT; + goto copy_context_string; + + case Opt_fscontext: + ctx = FSCONTEXT_MNT; + goto copy_context_string; + + case Opt_rootcontext: + ctx = ROOTCONTEXT_MNT; + goto copy_context_string; + + case Opt_defcontext: + if (have & (1 << Opt_context)) + goto incompatible; + ctx = DEFCONTEXT_MNT; + goto copy_context_string; + + case Opt_labelsupport: + return 1; + + default: + return -EINVAL; + } + +copy_context_string: + if (opts->num_mnt_opts > 3) + return -EINVAL; + + of = krealloc(opts->mnt_opts_flags, + (opts->num_mnt_opts + 1) * sizeof(int), GFP_KERNEL); + if (!of) + return -ENOMEM; + of[opts->num_mnt_opts] = 0; + opts->mnt_opts_flags = of; + + oo = krealloc(opts->mnt_opts, + (opts->num_mnt_opts + 1) * sizeof(char *), GFP_KERNEL); + if (!oo) + return -ENOMEM; + oo[opts->num_mnt_opts] = NULL; + opts->mnt_opts = oo; + + opts->mnt_opts[opts->num_mnt_opts] = param->string; + opts->mnt_opts_flags[opts->num_mnt_opts] = ctx; + opts->num_mnt_opts++; + param->string = NULL; + return 1; + +incompatible: + return -EINVAL; +} + +/* + * Validate the security 
parameters supplied for a reconfiguration/remount + * event. + */ +static int selinux_validate_for_sb_reconfigure(struct fs_context *fc) +{ + struct super_block *sb = fc->root->d_sb; + struct superblock_security_struct *sbsec = sb->s_security; + struct security_mnt_opts *opts = fc->security; + int rc, i, *flags; + char **mount_options; + + if (!(sbsec->flags & SE_SBINITIALIZED)) + return 0; + + mount_options = opts->mnt_opts; + flags = opts->mnt_opts_flags; + + for (i = 0; i < opts->num_mnt_opts; i++) { + u32 sid; + + if (flags[i] == SBLABEL_MNT) + continue; + + rc = security_context_str_to_sid(&selinux_state, mount_options[i], + &sid, GFP_KERNEL); + if (rc) { + pr_warn("SELinux: security_context_str_to_sid" + "(%s) failed for (dev %s, type %s) errno=%d\n", + mount_options[i], sb->s_id, sb->s_type->name, rc); + goto inval; + } + + switch (flags[i]) { + case FSCONTEXT_MNT: + if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) + goto bad_option; + break; + case CONTEXT_MNT: + if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) + goto bad_option; + break; + case ROOTCONTEXT_MNT: { + struct inode_security_struct *root_isec; + root_isec = backing_inode_security(sb->s_root); + + if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) + goto bad_option; + break; + } + case DEFCONTEXT_MNT: + if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) + goto bad_option; + break; + default: + goto inval; + } + } + + rc = 0; +out: + return rc; + +bad_option: + pr_warn("SELinux: unable to change security options " + "during remount (dev %s, type=%s)\n", + sb->s_id, sb->s_type->name); +inval: + rc = -EINVAL; + goto out; +} + +/* + * Validate the security context assembled from the option data supplied to + * mount. + */ +static int selinux_fs_context_validate(struct fs_context *fc) +{ + if (fc->purpose == FS_CONTEXT_FOR_RECONFIGURE) + return selinux_validate_for_sb_reconfigure(fc); + return 0; +} + +/* + * Set the security context on a superblock. 
+ */ +static int selinux_sb_get_tree(struct fs_context *fc) +{ + const struct cred *cred = current_cred(); + struct common_audit_data ad; + int rc; + + rc = selinux_set_mnt_opts(fc->root->d_sb, fc->security, 0, NULL); + if (rc) + return rc; + + /* Allow all mounts performed by the kernel */ + if (fc->purpose == FS_CONTEXT_FOR_KERNEL_MOUNT) + return 0; + + ad.type = LSM_AUDIT_DATA_DENTRY; + ad.u.dentry = fc->root; + return superblock_has_perm(cred, fc->root->d_sb, FILESYSTEM__MOUNT, &ad); +} + +static int selinux_sb_mountpoint(struct fs_context *fc, struct path *mountpoint, + unsigned int mnt_flags) +{ + const struct cred *cred = current_cred(); + + return path_has_perm(cred, mountpoint, FILE__MOUNTON); +} + /* inode security operations */ static int selinux_inode_alloc_security(struct inode *inode) @@ -6906,6 +7188,14 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), + LSM_HOOK_INIT(fs_context_alloc, selinux_fs_context_alloc), + LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup), + LSM_HOOK_INIT(fs_context_free, selinux_fs_context_free), + LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param), + LSM_HOOK_INIT(fs_context_validate, selinux_fs_context_validate), + LSM_HOOK_INIT(sb_get_tree, selinux_sb_get_tree), + LSM_HOOK_INIT(sb_mountpoint, selinux_sb_mountpoint), + LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security), LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
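
Review bot: In the enum hunk (@@ -446,6 +448,7 @@), `nr__selinux_params` is appended after `Opt_nextmntopt = 6`, so it evaluates to 7 and serves as a table size rather than an option token; a short comment saying so would help, since every other enumerator in this enum is an option. It also means selinux_param_specs[] is sized with a slot for Opt_nextmntopt that has no spec entry; if that is intentional, note it next to the array.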
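
Review bot: In selinux_fs_context_parse_param() (hunk @@ -2974,6 +2977,285 @@), the duplicate and incompatibility checks build the mask with `have |= 1 << opts->mnt_opts_flags[i]`, but the values stored in mnt_opts_flags are the `ctx` codes (CONTEXT_MNT, FSCONTEXT_MNT, ROOTCONTEXT_MNT, DEFCONTEXT_MNT), while the tests use `1 << result.key`, `1 << Opt_defcontext` and `1 << Opt_context`. That only works if the *_MNT codes and the Opt_* enum values are numerically identical, which nothing in this patch establishes; wherever they differ, a repeated option or a context/defcontext pair passes unnoticed. Suggest keeping both sides in one numbering, for example by OR-ing the stored *_MNT values into `have` directly and testing against the `ctx` chosen in the switch. Also in this hunk, selinux_fs_context_dup() assigns `opts->num_mnt_opts = src->num_mnt_opts` before allocating the arrays, so an -ENOMEM return leaves fc->security with a non-zero count and NULL or partly filled arrays for whatever walks it next; set the count only after the copies succeed, or free and clear fc->security on the error path. The bare `3` in `if (opts->num_mnt_opts > 3)` would read better as a named limit.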