From patchwork Wed Aug 1 15:25:05 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Howells X-Patchwork-Id: 10552563 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 1C73113B8 for ; Wed, 1 Aug 2018 15:32:36 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 09FD42B7C8 for ; Wed, 1 Aug 2018 15:32:36 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id F1E072B7EE; Wed, 1 Aug 2018 15:32:35 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED autolearn=unavailable version=3.3.1 Received: from UPBD19PA09.eemsg.mail.mil (upbd19pa09.eemsg.mail.mil [214.24.27.84]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id BF48E2B7D3 for ; Wed, 1 Aug 2018 15:32:33 +0000 (UTC) Received: from emsm-gh1-uea11.ncsc.mil ([214.29.60.3]) by UPBD19PA09.eemsg.mail.mil with ESMTP/TLS/AES256-SHA; 01 Aug 2018 15:32:29 +0000 X-IronPort-AV: E=Sophos;i="5.51,432,1526342400"; d="scan'208";a="16473771" IronPort-PHdr: 9a23:r7U2oBEdX8Waw0QSu8h3H51GYnF86YWxBRYc798ds5kLTJ7+o8+4bnLW6fgltlLVR4KTs6sC17KI9fi4EUU7or+5+EgYd5JNUxJXwe43pCcHRPC/NEvgMfTxZDY7FskRHHVs/nW8LFQHUJ2mPw6arXK99yMdFQviPgRpOOv1BpTSj8Oq3Oyu5pHfeQpFiCa8bL9oMBm6sRjau9ULj4dlNqs/0AbCrGFSe+RRy2NoJFaTkAj568yt4pNt8Dletuw4+cJYXqr0Y6o3TbpDDDQ7KG81/9HktQPCTQSU+HQRVHgdnwdSDAjE6BH6WYrxsjf/u+Fg1iSWIdH6QLYpUjus9adrTALjhjkBOTA37WrbjtV8gaNerB+nuhdxwZPbYJuNOfp5fq3TY90US2lDUcZfWSNODZ6yb5MNAuYcM+tXs4bzqEUVrRalGQmhBvnixiNUinLsw6E31fkqHwHc3AwnGtIDqHrao8/rNKcTTO++0avGzTLNbvxI3Tf97JPIeQ0mrP6RXbJwdsTQxlcrFwPBlVWdspblMC2I2eQNqWeb8/BsWv6oi24isgx8pCWkyMQ0ioTRm44YxV/J+T95zYooP9G0VkF2bcC+HJdNry2XNop7Ttk/T2xruis20KMKtJC1cSQQypkqyRjSYOGdfYeS+BLsTuORLC99hHJiZb2wmQ6/8VOlyu3gTsm010tKrjZdntnMqH8N0xvT59CbSvRn5Eeh2CuP1xvJ5uFFJ0A0m63bK4U/zbEsjJYTrUTCETP2mEXxlqOWcFkr+vO05Oj9Z7Xmp5ucO5d1igH4LKsuhtSyDfk3PwUBRWSW+fmw2Kf98UD2XrlGlOA6nrHcsJ/AJMQboqC5AxVS0oYm8xu/FCmp0NAZnXkBMVJEdwuLgJPuO1HTJvD3Eemwg0+3nTd3x/HJIr3hApLXInjFi7fuZ6xx60FbyAot1dxf/Y5bCqkdIPLvXU/8rN7YDhg/MwOu3+bnCM9y1oUFVGKNBa+ZNqbSvkWT5uIzPeaMfpQVtCz6K/g/6P7klWU5lkMFfam1wZsXb2i1HvZkI0qDfXXsgcwBEWAMvgo/Uuznk1OCUTpOZ3e9RK08+zc7CJ67DYvZQYCtmrOB1j+hHpJKfmBGFkyMEXDweoSERvcMcj6dIs9mkjweTrWhVowh1Qu0uA/81bVnMvLe+jcEupL7yNh1++rTmAkq9TNqFMuSzWeNT2BonmMPXDI23b5wrlJjxVuZ1qh4mfNYH8RJ5/xVSgc6KYLcz+tiBt/vXQLBeNGJR0u4TdWiADE8Vcg+zMEUY0Z6AdmiiQrD3yWyCb8Pi7OLHIA08r7b33XpOsl912zJ1LM6glY6RctPMHGpibRk9wjPHYLJlVuWl7qyf6QGwCHN7HuDzXaJvExAUQ5wV7nFUm4bZkTIqNT2+F/CT6WuCLk8NQtB0dCNKq1PatLzjFVGQOzsONPRYm6rnGewHxmIzKuWbIX2Y2UdwDndCE8cngEd/HaGMQ0+CTm7o2/FAjxhC0/gY0T28eZksHO7VEg0zwOUYEJ9y7q54BkVheaTS/kLxLILpD8hqyloHFa6x9/WBcCAqBBnfKpAYNM9+0xK1WfBtwx8J5CgNK5jhkUEfwRwpUPu2A19Cp9cnsgysHMq0A1yJLqb0FxbdDOY2o3wN6bUKmbo/xCvbLPW1kvZ0NaM9acF8O44pEn7vAG1Ckoi9G1q3MNI3HuG55XFEhASXInrXUkr8hh2vbbaYjMy54nMz31jLbG0siPe29IuHOYq1gyvf9NBP6OfCA/zE8oaCtO1KOM2mlimcBQEPPxT9KEuJc+mceWJ2LKzNuZ6gD2mlXhH4Jx60k+U7SpzV/PH0o0Kw/Gd0QqLTTH8g0m9ssrvg4BLeSkSHnajySjjHINRfaNyfZwMCWe1P8263c5+h5jqW39W8V6sHVUG1NWveRWMc1z3xRdQ2lgPoXy7hSu4yCR5kj8zoaqbwCzB3f7idAEcN25VWmZil0zjIZWxj9wAW0iodQcpngO/5Unm36hbuLh/L27LTEdOfij2K2ViXbWrtreZecFA9okosSJNXOS7e1CaRab3owEG3CP7A2te2Dc7eim0upX4gxN6lGWdLGxpoHXFecFwwhHf5NPHSP5V3zoGQjN3iSPQBlSmONmp59qUnY/Zsu+iT2KhSoFTcS7zwIOEtSu7/nFqDQSkn/+tnt3nEA460TL01tRxTiXItBf8Yo/q16umKuJrZE9oC0Hg68BiAIFxjpMwhI0M2XgdnpiV530HkWP3MdpFw6LxcH0NRDAQzt7O/QjqxFZjImiOx4LjWXWX2tFhaMWiYmMKxiI96NhHCKSK47xChit4uVm4ohzXYfhmmDcS1+cu5GQdg+ETtwon1j+dDawKHUlEISzskAyF78iko6VKYGagb6Cw21B4ndC9Er6CuBpRWGviepg8By9w9d9zMEnL0H3u8IHrZMffbdwUth2OnBfPkfJZKJQvmfoWnSBnI37yvWU5y+4nihxjxY+6vI6aJGh24qK5BANXNj3va8MV5D7tkb5UntyK0IC3ApVhBjILUYPwTf2yDTISse/qOBqPED0gqnaXALTfEhWZ6Et8qHLPCZ+rPWmNJHYF1dViWAWdJEtHjQAXXDQ6moA2GxuvxMzmfkd56C4e5kLkqhtMzeJoMgfwXn3ZpAi2djc+UIKfIwZO7gFe+0fVNtST7uxpECFe4p2hqwmNJ3eVZwtWEG4JXVaECEr7Prm04tnA8faXCfaiL/fUZrWOs+NeXe+SxZ2zyotm4yqMNsKXM3lsFf00xFdMXWtjFMTfhzUPTDcXmjnXYMGHoRew4Cp3rtqw8P7zQgLg+ZOPC6dOMdVo4x25mryMO+mUhCZ4MjZYyogMyWXTyLcBwFEekTpueCepEbQBsy7NUa3Rl7RLAB8bcSNzKdBI47gy3wZXJc7bkdT11rhigv4yEVdFWkTrmtu1aswSP2G9KFTHCV6QO7SHKj3LxMf3bLihRrJOl+pUtge/uTCBH0/kJDSDmCHjVwqzPuFUkCGbIBtetZmnfRZiE2fjUszpZwa8MN9vkzI2x7g0iWnLNW4YKjd8dExMoqeX7SNCjfV1A3ZB4WZ9LemYhyaZ6PHVKooRsftuGCh0jeVa4XUkxLtT9y5EXvt1lzXRrtN1v16mleyPxSZ9XxpVtjZHnoSLslt+Oa/B7JlPRW7E/A4R7WWXExkKpdtlC933u6BXztjPlb7zJylZ/tLR/MscG9LUJ9ydPHomKxrpFybeDBEZQj6zKWHfm0tdnemM+X2NtJc6sJnsmIEVR79DTlM1DPIaCl99HNwGOph4Qi0rnaScjM4S6nq0tAPRS9lCvpDbSvKSBu3iKDCHgrZeYxsF2rD4LYMINo3nwUNibEJ6nIfLG0bKW9BCvDFhZBcuoEpR6Hh+UnEz20X9ZwO3/nATDuC7kQQsigRiYeQg7yzj41YtJlXXoyswnlExmc/7jjGRajLxKrm/XZ1OASruq0cxKo/7QxpybQCqgENrLinER7NMgLt7bm1kkhXcuYFIGf9SVq1LfgMfxeyNZ/UpzVRdqj+rxUlZ6uvZEZFijhclcYawr3Jc3AJudNo1JavKJKVXyFhRh6WOszSn1uA33Q8SPUEN8HmdeCQQokwHKqEmJza0/uxr8QGCgCVMeGwNV/osv/Jr+VgwNPiHzyLlz7FMMFuxN/CFI6OfpWfAidaCQkks2UMQi0lF4b923N8+fEWIUkAvy72RFwgUOcfZNwFacdBS9HnSfCaJt+XB25R1MJuhFurwV++BqL4Ugl64HAYuB4kM8sUBHpyr0EHELcfmLKUIxggs5AXrPlqKF+5FeBSVnzcbu8u/1oN43ZFBJjEBBmVwKT+45rLWpgA2nvWMRNI2Y3ccXosDMHI5Qta3lDVYv3taCjm7y+wZyBWY4z/6uCvQECH2b8B/a/eMeRNsFNa29C0k/Keoj17a6Y/RKHzkNdt8oN/P8vkVp4yHCv9OSrl9qUjckZFCR3O2S27PDcK1J5/oZok2a9z0C2q1Uly4izIxVMf/JM+jILWSjwz0QohZq5WU3DcmNcChDD4eAAtwq/sF5K1ieQ0Je4A7bgLwtwQiK6y/Jx+V3cmsQ2m3NTRbVOVQzeK+Z7xTziojcPW6yGc+QZ4mz+m760kNRIsFjhvG3/ase5FeUTTvGnxaYwjPvzA2l3JmNukp2eo/3AnIvkMCMz+VcOxpaWpEv944BVOTLnV2CnY4R1GGgorZ5w6gxbYS8DVBn9xMy+1KrGD+voPDYDKrQKGqp4/ZvDYgbdgnpq1xMJbsIsiduZPfgDPQUoffvheCUC6gGPpQgsJQLz5AQPlUhWElPtQLuY9b5korVccxOaBPCKgqprClcjdlAzQdzSkFWIOE2zwCn/qz26DAmheWbpsiLAQOsI9ejdsFTy52fiQeqbe7V4XRk2+LUHILIQkU7QRI6gINjYpwfufi4IrTUpBD1yRWo/VvUivQF5lo8VT7RnuRgVjiR/Wri/ap0h5KzPLwztkbXwZyBlJHx+ZLkEskMrJ3JrIRvo7Lsz+IaVj1sHjryOS4OFlb0dfUeEHgDIrZqWr8VTUR+WETRY9K03zfCYgekw9iZ6oxolVDPpymcF7k5zM434RpA6W4VcezylYnqnYJWTynHMdfBOF9rl3XQiFlbI62p5n/PZVdXHNQ8oWHq1hFiEVtLzK5yZ1EJsFR/zEDQTlPri+ZvNapVMJD3sp2AIMWLddkp3fxAqVEN4aNo3cuoLzg1mfZ+ywgsFe93DizA7S4T/5D8GIDBgUkPH+eqk4yD+s27mjd7FbNskxu/+hBAriDl0JxoCxyHppWHDZGyWilL0hvTHlBq+hVM6rVfNBAT/QweBOiNQczGuIh30yM4U57h2z5YzBougtc5S/dQxE+VTMJjbf1hT0etsanNCcAS51WcDohbz3KKx6AlCBTuxZfdV9lV44FDdZC5r4Uw5FY/szcRkawMSsFRgBtNhok0fpDkk5OqFmYeTrDAgW2aPnCqQB3fcONrM6zNvv54gZHioTjsO8m66UPXXqmmReiQdrGtY/zqsWKtleSdKf/K+C8ZGXOTDzIjR+umbckE4PF8DLIPQpdNZZ61WEkboT7Bm7TIxtKPaQbKFRHVapic9VJvvhaZ9N4eKYO4aJtBAiIRgnoGIy0qPlJNEjTSC/bLyWc9uy/vYPT4qDcSef6YMyM3GzLQ6VtPpd18TP7Aavl0ZdC+krq3fdg7kF6RkLAMyCPttThIR4E69e5e0v+pJIpGyjWAJBqnHrr2E5Aa9IdQze2/5QA1JNZ9HHwRPp30kjuse1S871k5pcy471y1Mi7O7zdKfVAvk9hGBSUAR9q9po1CmhlW29RevMRKOvWfakBj8DuquX3GrcS6BKL++1Wd8HHJ0DHmsmwED2cTwJLnBsZoz4AMgScz+KFm7NzScu9o+j53lkg41m4Lh4D1rxt5IGE+qSSpODNdBvR0aIEWrX2ScPvs7QsoV2d6ecjlL4UdWx/exenH/QFVs4B2mfgyrgnzScrE8PFA7Lg9+BMWmk8njLhgZ99GUsZGu8aHLqM54RenXw4l/bfNtIIbqBIgnyPGgK8Er8e1X6r7DOaIG1+ghHL0xz9Wm2z40Hroi9/WyvD1c/jklBSVrm1G0hdQzapNVV/sDOVMwrirMD3trgt7EEqLmzks8qAlGqgObxNBcLwOMeRITIqq1ILkpI+Wsaj2YcBGdqyON0R6m1xbuPC62O3lC9Mu7xIh4vF4sCb4PrXH3igj7GCq7qX2TBYzmM1sk046t+9KP7B/cCKQ+6v12YLVShzoQzBXwS6qrbDtVAbJVSL0FvXmIwNJtxZxWM31l366+gjTtMz8x9eFoXZa/MZuz/zPDr0wVCCY9M4TSSeyyFYHk7pHll4Fqk833jwvMHTmXfT5VIoXI9weFLjhRBtCIU4M00t4kANwiUfCQgNdQybDLawCETqM4QEU1QDaROA3LS9Yac4w0lzwrKp5O/OYu1xHK4NOehHjg+OhldXAJQWvrMCQLhkYV9S6LbXphT+C4jgR/Xmk3swOuGyQsBe688ZrGEu4ge4Rxqn8pdD9K0WiJWHe69Le5TMu9p870h/7z4VaiNNmAR/jw++Ue0Eq+Ds/sPbsIGx5uizW6gjQeQX9x4pB2VxlJbwj1UjrsvR1+hCUIHVjp7/8A9VKX6QpInaywV8KfYJK4+zfrZg8HUHJy4EK30SPdqWb+Q87DJsMTXS4VxCGcAMZdIDMcrTmABUlFfmWLVO+craAFOYDZl8d9ww5Wrt1D816Yc8Uvrn6DKuJJDf8UtCP/VYgSVoidLNuekVwf3JCCQN5nmZcRd1yDuYy5aRE/bw4fmMyNbMWlMEACE2XYldJD6Z9A2pXOW1kovmUh+O5s/1np0+aFqaRmatk6QdrqZMDelAhz303jhaEYD0ieyas96o6GZMrV1HF4Bz7RzZF6lFOJV0Jwj4nNGxRkdgHiv/ZN3Udh02teqTx+cM4OZ+N0zlaI8ZOB0EyLX66XxLQQtoUrL2uEiWXf4Jbtt8VPzEtmxV6Z5nK6IXJ1eSuprqritTpVAtBA8pb6MwriBEdkbQgQJZQaH0uKQPigEES952pVdMGX6sOGI5/zfHW7pajK2QCPwN7DqeVa0PU0RtMiN7XRy1wpFudKWzkfBAqGNGkTt3oOI23Dx+WBu8pSrsqroD2DI44rG4tSkOtmJeQ+WbkifIFU9Dw+oQgacbEXbi5kS2YGMfY4vq/LlnOcPg+JEm43Q7fxouZDUGXeC6BCHrk6OIA5CAsM5GhBGTpsrCd7mzIjYONr4l0xLsW2B90hTCnBZv6GYLRjSg7Nk5JISyIMolwiuoGXPHdFYX+a5JsdH+tVgMTOcsblNh2mpj2NCdRiIRXMzPB3o1jg88ZGVBap1M9R8aF6gugjaPpaRG4AAUYDHKHYSh+4nQm9rI2HYnQddt3GLWqbWPhok23319h9N08imOtWwQd+PCUM9sBWP825xCyez4e/WtsucHSJZpyLShTP8OKM+j9nWq2J9yQE+q2qweH0alMO8E3rrbUSKlSWqCWeSRcmiMhC00Mkjo6hmtMFI3ad1Gr0gnMuvNnpRcjRHuUatoRiWMol/W1HcjMe0fdw0quYqqeBcHTPAPaOiGJOgvwfo+CF0WY3/PAyR2F7z+jVn4golhPF1y7EP7f6Lp8wb7IJ2VABZCDI2JgIR2/KmWT3yANTdAywJ/OE1vv7PTF1Muu+tYaL6LkNTQjsg92ukAIaQ+eRYhs8Iez9owobKf192HJFSPlMygLMzJovWeH/zUxlgrfWcfSLcCfAfp/N9ibowkULrXROpBtE1BQ6U3RYcucWL49aUyKQJ3IWuzLLi3g8y/oOWNa9MUonLN9Vs/IW/avAFL0f27SwF3Ltiqinz+LYp2R2dHqNtgWX4EVJBXFZYmqAyqS4WRhLn9k8W4rk96vPAHta7rIurH2NSww8N6WJ0JgC7DJy7fUZFimV8tleGumrHF25j1B9nlfIYIVO9kT2rBcZfcE4m/Iy7IMcX5KCsku6WE3udBWw6KLDv8Q7LAtCCgM6B85l4nz4VjYOfJ5Dk9tvfB1dfybn0drSCmoA== X-IPAS-Result: A2D2AwA00WFb/wHyM5BbHAEBAQQBAQoBAYMkJ4EJXCiMBF+NSJV9FIFiDxgUhDsDg2g0GAECAQEBAQEBAgFsKEIOAYFkJIJeAwMBAiQTFCALAwMJAQFACAgDAS0VEQ4LBRgEgjSCSwOyCjOKWIkfgUE/gRIzgjGEeQESAQeFbgKHc4R9PXKLfwmXYIVtkkKBQThhcTMaCBsVO4JpgiUXjhhuDHEUhVyGOQ0XB4IcAQE Received: from tarius.tycho.ncsc.mil (HELO tarius.infosec.tycho.ncsc.mil) ([144.51.242.1]) by emsm-gh1-uea11.NCSC.MIL with ESMTP; 01 Aug 2018 15:32:27 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus.infosec.tycho.ncsc.mil [192.168.25.40]) by tarius.infosec.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id w71FV8tV020691; Wed, 1 Aug 2018 11:31:28 -0400 Received: from tarius.infosec.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id w71FV6TE025583 for ; Wed, 1 Aug 2018 11:31:06 -0400 Received: from goalie.tycho.ncsc.mil (goalie.infosec.tycho.ncsc.mil [144.51.242.250]) by tarius.infosec.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id w71FV59v020689; Wed, 1 Aug 2018 11:31:05 -0400 IronPort-PHdr: 9a23:N8iWlxYTNQdoN9hMo2/TgDn/LSx94ef9IxIV55w7irlHbqWk+dH4MVfC4el21geRD5jQ7PYd2vLf6v2mVGEF+pnHtXkDdNpJVhtWwckVngl1BsmDBAW7KfPxdCU1EYxEU0Mt5HC0N0VZWY7+alTer2f07GsUHRPyZkJuPuqgPInUgoys0vyqvYXJalBEhD2ibLd2Nz2soAnRv9VQioxnee4q0hWcmnJTYKxNwH9wY1eanhLy/MC1qZJj9Dtdv/Y639RNXaXzY+IzSrkLRC8+PTUN7dbw/QLGURPJ5nYYVTAOlQFUBgHe8BzgdpLh623gu+Z90TXcNsrzQA== X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A1DiAACx0GFbly0VGNZbHQEBBQELAYMkJ4FlKIN+iAZfi2CBaJV9FIFmCyyEQAKDQyE0GAECAQEBAQEBAhQBAQEBAQYYBoEaDgGEZgMDIwRSECUCJgICRxAZglVLggADsQ17M4pYgQuHfReBQT+BEjOCMYUUgxmCVQKHc4R9PXKLfwmXYIVtkkKBQYIKMxoIGxWDJIIlDgkRjgduDIEFhVyGOSuCHAEB X-IPAS-Result: A1DiAACx0GFbly0VGNZbHQEBBQELAYMkJ4FlKIN+iAZfi2CBaJV9FIFmCyyEQAKDQyE0GAECAQEBAQEBAhQBAQEBAQYYBoEaDgGEZgMDIwRSECUCJgICRxAZglVLggADsQ17M4pYgQuHfReBQT+BEjOCMYUUgxmCVQKHc4R9PXKLfwmXYIVtkkKBQYIKMxoIGxWDJIIlDgkRjgduDIEFhVyGOSuCHAEB X-IronPort-AV: E=Sophos;i="5.51,432,1526356800"; d="scan'208";a="337105" Received: from emsm-gh1-uea10.ncsc.mil ([214.29.60.34]) by goalie.tycho.ncsc.mil with ESMTP; 01 Aug 2018 11:31:05 -0400 IronPort-PHdr: 9a23:CIffWhyXLgKlUXXXCy+O+j09IxM/srCxBDY+r6Qd2+seIJqq85mqBkHD//Il1AaPAd2Fraocw8Pt8InYEVQa5piAtH1QOLdtbDQizfssogo7HcSeAlf6JvO5JwYzHcBFSUM3tyrjaRsdF8nxfUDdrWOv5jAOBBr/KRB1JuPoEYLOksi7ze+/94HSbglSmDaxfa55IQmrownWqsQYm5ZpJLwryhvOrHtIeuBWyn1tKFmOgRvy5dq+8YB6/ShItP0v68BPUaPhf6QlVrNYFygpM3o05MLwqxbOSxaE62YGXWUXlhpIBBXF7A3/U5zsvCb2qvZx1S+HNsDtU7s6RSqt4LtqSB/wiScIKTg58H3MisdtiK5XuQ+tqwBjz4LRZoyeKfhwcb7Hfd4CWGRBWcZfWTJPDI2/bYQPAeQOMulEoIfyvFYOsRmzCBOwCO/z0DJFhHn71rA63eQ7FgHG2RQtEdwUv3TKrdX6KboZX+KyzKjG0zrDa/dW2Szg44XPbx8hofaMXLxufsrVzUkvDBjIjk+OpoP4PzOazPgNv3KH4OpnUOKikmgqoBxyrDi33soglJTFi40Pxlza+ih12pg5KcCiREN0YdOoCJpduiCAO4drQc4vQXtktDg0x7AIo5K2fiYHxZI6zBDFcfOHaZKH4hf7WeaRPzh4gHVldaqxiBiw8kauzOPxW9eu3ltWsiZIk8PAuW4T2BzW8ciHReFx/kK71jaO0wDf8OREIUEwlabDKp4hxKA/loYLvEjdAyP7l1/6gLGZe0k+5OSk9v7rb7rmq5OEMo97kAD+MqAgmsylBuQ4NxADUHWb+eS72rzs40n5QLFRjvAtiKnWro3VJcQBqa6lGQNazoEj6xOnAze8zNsYhWUHLE5CeB+flIjmJkrOLevkDfa/n1uskDBry+rAPr36GJrBNHfDkLD/fbxl8U5T1BIzzcxD55JTErwBO+z8WkvwtNzeEx84PBe5w/rnCdph1oMeXniDAqmCMKzIq1OI6eUvI/ffLLMS7Sj8Mf8N9fPojGF/nV4bYLnv2oEYLm27Tdp8JEDMTXPyg9tJMWAVsw46V6S+hF2FTjNXY22aRa8w5jgnTomhCNGQFciWnLWd0XLjTdVtbWdcBwXJSC+wLd/WUuoQaC+UPs5qmyAFUr7kUYI6yBWyr1Wik+h6Je3Qo3wAvMu+ktV44vbc0xQ79DgyCsWZgCmBTGBxy2UPQTJ+nKVyuld0xVrL169ky+dZGtpe67IBUgozOZPGie0vDdf0V1GJZc+HHXChRNjuGjQtVpQp2dZbb0Z6BNimigvrxSemA7YJ0beMAc986brSikD4PN010HPazO8khlgiTNFIMDiqhqlg+gzXHKbTnkmZnrrsfqMZj2bW7GnW9WOVpwlDVRJoF6XIWXdKfkzNsdHw/V/PVZerGe1hKAZNyceebKBNb9A= X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A0CyAACc0WFbly0VGNZbHQEBBQELAYMkJ4FlKIN+iAZfi2CBaJV9FIFmCyyEQAKDQyE0GAECAQEBAQEBAgETAQEBAQEGGAZYQg4BgWQkAYJdAwMjBFIQJQImAgJHEBmCVUuCAAOxEnsziliBC4d9F4FBP4ESM4IxhRSDGYJVAodzhH09cot/CZdghW2SQoFBggozGggbFYMkgiUOCRGOB24MgQWFXIY5K4IcAQE X-IPAS-Result: A0CyAACc0WFbly0VGNZbHQEBBQELAYMkJ4FlKIN+iAZfi2CBaJV9FIFmCyyEQAKDQyE0GAECAQEBAQEBAgETAQEBAQEGGAZYQg4BgWQkAYJdAwMjBFIQJQImAgJHEBmCVUuCAAOxEnsziliBC4d9F4FBP4ESM4IxhRSDGYJVAodzhH09cot/CZdghW2SQoFBggozGggbFYMkgiUOCRGOB24MgQWFXIY5K4IcAQE X-IronPort-AV: E=Sophos;i="5.51,432,1526342400"; d="scan'208";a="14401732" X-IronPort-Outbreak-Status: No, level 0, Unknown - Unknown Received: from uhil3cpa06.eemsg.mail.mil ([214.24.21.45]) by EMSM-GH1-UEA10.NCSC.MIL with ESMTP; 01 Aug 2018 15:31:04 +0000 X-EEMSG-check-005: 0 X-EEMSG-check-006: 000-001;4504903f-cd81-4104-862f-dc051fbfac7c Authentication-Results: ucol19pa15.eemsg.mail.mil; dkim=none (message not signed) header.i=none; spf=None smtp.pra=dhowells@redhat.com; spf=Pass smtp.mailfrom=dhowells@redhat.com; spf=Pass smtp.helo=postmaster@mx1.redhat.com X-EEMSG-check-008: 582422279|UCOL19PA15_EEMSG_MP13.csd.disa.mil X-EEMSG-SBRS: 3.5 X-EEMSG-ORIG-IP: 66.187.233.73 X-EEMSG-check-002: true IronPort-PHdr: 9a23:5C9Vqh/5bC+oiP9uRHKM819IXTAuvvDOBiVQ1KB41OgcTK2v8tzYMVDF4r011RmVBduds6oMotGVmpioYXYH75eFvSJKW713fDhBt/8rmRc9CtWOE0zxIa2iRSU7GMNfSA0tpCnjYgBaF8nkelLdvGC54yIMFRXjLwp1Ifn+FpLPg8it2O2+55zebx9UiDahfLh/MAi4oQLNu8cMnIBsMLwxyhzHontJf+RZ22ZlLk+Nkhj/+8m94odt/zxftPw9+cFAV776f7kjQrxDEDsmKWE169b1uhTFUACC+2ETUmQSkhpPHgjF8BT3VYr/vyfmquZw3jSRMNboRr4oRzut86ZrSAfpiCgZMT457HrXgdF0gK5CvR6tuwBzz4vSbYqINvRxY7ndcMsdRWRcXshfSSJPDIC+YIsBAeUOMvpXoYbmqlsSrxazHxWgCP/1xzJKgHL9wK000/4mEQHDxAEuEcgBsGrVrNroKawcU+e1zafWwjXHa/NWwir25Y/VfRAhpvGNU6x/cc7VyUk0DA7FlEufppHlPzyPyuQBqXSU7+1lVe+2jWMstgJ/oiC3y8oti4TFnJ8Zx1PG+Clj3oo4K9O1RFR5bNOqFpZbqjuUOJFsQsw4RmFloCY6xaMCuZ68ZCUKzZsmywPFZ/ydbYeH/xLjW/yNITtimH1lf7e/iw6z8Uim1OL8StG53VdLoyZfj9XBtXIA2wbN5sWJRPZx5EWs1DiX2wDW8O5EIEQ0laTBK54mx749joccsUTEHi74hkr2iKuWdl4/9+iy9evof7XmqYWAN4Nulg7+NaEultSlAeskKggOQ3Sb+eOk2b344EL5W65HjuE2k6bFsJDaIt4XpqiiAwBPyIoj5BG/Dym+2tQCgXYHNE5FeA6Aj4XxIFHBPvT4Dfa5g1SxnzZm3OzGP739DZXNKXjPirHhfa1n5EJGxwozys5ftNpoDeQfIej0cl38st3GSBs4NRGkheH9B5Ng1dAwQ2WKV4OQLqLe+X+P+e8rJ/LEMIMVvynwL/w+z+TjgX8whRkWeqz/jshfU2yxAvkzexbRWnHrmNpUVD5S5lNvHtyvs0WLVHtoX1j3Wqs94j8hD4f/V9XZS4ytiaDH1yC+TMQPOjJ2T2uUGHKtTL2qHu8WYXvIcNVsnjwNSf6qTIpzjUjz5j+/8KJuK6/vwgNdtZ/n04ErtejDzFco+DB0Btjb2GaIHTh5 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A0DlAgD9z2Fbh0npu0JbHQEBBQELAYMkggwog36IBl+NSINhkhwUgWYLKwGEQAKDXQYBBDAYAQIBAQEBAQEBAQETAQEBCgsJCCkvQg4BgWQkAYJdAwMjBFIQJQImAgJHEBmCVUuCALETezOKWIELiBSBQT+BEjOCMYUUgxmCVQKHc4R9PXKLfwmXYIVtkkKBQYIKMxoIGxWDJIIlDgmOGD4wDIEDAQGFXIY5K4IcAQE X-IPAS-Result: A0DlAgD9z2Fbh0npu0JbHQEBBQELAYMkggwog36IBl+NSINhkhwUgWYLKwGEQAKDXQYBBDAYAQIBAQEBAQEBAQETAQEBCgsJCCkvQg4BgWQkAYJdAwMjBFIQJQImAgJHEBmCVUuCALETezOKWIELiBSBQT+BEjOCMYUUgxmCVQKHc4R9PXKLfwmXYIVtkkKBQYIKMxoIGxWDJIIlDgmOGD4wDIEDAQGFXIY5K4IcAQE Received: from mx3-rdu2.redhat.com (HELO mx1.redhat.com) ([66.187.233.73]) by ucol19pa15.eemsg.mail.mil with ESMTP/TLS/DHE-RSA-AES256-SHA256; 01 Aug 2018 15:25:08 +0000 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id D39D48182D06; Wed, 1 Aug 2018 15:25:07 +0000 (UTC) Received: from warthog.procyon.org.uk (ovpn-120-116.rdu2.redhat.com [10.10.120.116]) by smtp.corp.redhat.com (Postfix) with ESMTP id A6EF0200AC23; Wed, 1 Aug 2018 15:25:05 +0000 (UTC) Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 X-EEMSG-check-009: 444-444 From: David Howells To: viro@zeniv.linux.org.uk Date: Wed, 01 Aug 2018 16:25:05 +0100 Message-ID: <153313710509.13253.3272354079158175303.stgit@warthog.procyon.org.uk> In-Reply-To: <153313703562.13253.5766498657900728120.stgit@warthog.procyon.org.uk> References: <153313703562.13253.5766498657900728120.stgit@warthog.procyon.org.uk> User-Agent: StGit/unknown-version MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.78 on 10.11.54.6 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.8]); Wed, 01 Aug 2018 15:25:07 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.8]); Wed, 01 Aug 2018 15:25:07 +0000 (UTC) for IP:'10.11.54.6' DOMAIN:'int-mx06.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'dhowells@redhat.com' RCPT:'' Subject: [PATCH 09/33] selinux: Implement the new mount API LSM hooks [ver #11] X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.21 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: Cc: Stephen Smalley , linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, linux-fsdevel@vger.kernel.org, torvalds@linux-foundation.org Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP Implement the new mount API LSM hooks for SELinux. At some point the old hooks will need to be removed. Question: Should the ->fs_context_parse_source() hook be implemented to check the labels on any source devices specified? Signed-off-by: David Howells cc: Paul Moore cc: Stephen Smalley cc: selinux@tycho.nsa.gov cc: linux-security-module@vger.kernel.org --- security/selinux/hooks.c | 290 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 290 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index ef0428311a5c..9774d1f0e99f 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -48,6 +48,8 @@ #include #include #include +#include +#include #include #include #include @@ -446,6 +448,7 @@ enum { Opt_rootcontext = 4, Opt_labelsupport = 5, Opt_nextmntopt = 6, + nr__selinux_params }; #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1) @@ -2974,6 +2977,285 @@ static int selinux_umount(struct vfsmount *mnt, int flags) FILESYSTEM__UNMOUNT, NULL); } +/* fsopen mount context operations */ + +static int selinux_fs_context_alloc(struct fs_context *fc, + struct dentry *reference) +{ + struct security_mnt_opts *opts; + + opts = kzalloc(sizeof(*opts), GFP_KERNEL); + if (!opts) + return -ENOMEM; + + fc->security = opts; + return 0; +} + +static int selinux_fs_context_dup(struct fs_context *fc, + struct fs_context *src_fc) +{ + const struct security_mnt_opts *src = src_fc->security; + struct security_mnt_opts *opts; + int i, n; + + opts = kzalloc(sizeof(*opts), GFP_KERNEL); + if (!opts) + return -ENOMEM; + fc->security = opts; + + if (!src || !src->num_mnt_opts) + return 0; + n = opts->num_mnt_opts = src->num_mnt_opts; + + if (src->mnt_opts) { + opts->mnt_opts = kcalloc(n, sizeof(char *), GFP_KERNEL); + if (!opts->mnt_opts) + return -ENOMEM; + + for (i = 0; i < n; i++) { + if (src->mnt_opts[i]) { + opts->mnt_opts[i] = kstrdup(src->mnt_opts[i], + GFP_KERNEL); + if (!opts->mnt_opts[i]) + return -ENOMEM; + } + } + } + + if (src->mnt_opts_flags) { + opts->mnt_opts_flags = kmemdup(src->mnt_opts_flags, + n * sizeof(int), GFP_KERNEL); + if (!opts->mnt_opts_flags) + return -ENOMEM; + } + + return 0; +} + +static void selinux_fs_context_free(struct fs_context *fc) +{ + struct security_mnt_opts *opts = fc->security; + + if (opts) { + security_free_mnt_opts(opts); + fc->security = NULL; + } +} + +static const struct fs_parameter_spec selinux_param_specs[nr__selinux_params] = { + [Opt_context] = { fs_param_is_string }, + [Opt_defcontext] = { fs_param_is_string }, + [Opt_fscontext] = { fs_param_is_string }, + [Opt_labelsupport] = { fs_param_takes_no_value }, + [Opt_rootcontext] = { fs_param_is_string }, +}; + +static const struct constant_table selinux_param_keys[] = { + { CONTEXT_STR, Opt_context }, + { DEFCONTEXT_STR, Opt_defcontext }, + { FSCONTEXT_STR, Opt_fscontext }, + { ROOTCONTEXT_STR, Opt_rootcontext }, + { LABELSUPP_STR, Opt_labelsupport }, +}; + +static const struct fs_parameter_description selinux_fs_parameters = { + .name = "SELinux", + .nr_params = nr__selinux_params, + .nr_keys = ARRAY_SIZE(selinux_param_keys), + .keys = selinux_param_keys, + .specs = selinux_param_specs, + .ignore_unknown = true, +}; + +static int selinux_fs_context_parse_param(struct fs_context *fc, + struct fs_parameter *param) +{ + struct security_mnt_opts *opts = fc->security; + struct fs_parse_result result; + unsigned int have; + char **oo; + int ret, ctx, i, *of; + + ret = fs_parse(fc, &selinux_fs_parameters, param, &result); + if (ret <= 0) + return ret; /* Note: 0 indicates no match */ + + have = 0; + for (i = 0; i < opts->num_mnt_opts; i++) + have |= 1 << opts->mnt_opts_flags[i]; + if (have & (1 << result.key)) + return -EINVAL; + + switch (result.key) { + case Opt_context: + if (have & (1 << Opt_defcontext)) + goto incompatible; + ctx = CONTEXT_MNT; + goto copy_context_string; + + case Opt_fscontext: + ctx = FSCONTEXT_MNT; + goto copy_context_string; + + case Opt_rootcontext: + ctx = ROOTCONTEXT_MNT; + goto copy_context_string; + + case Opt_defcontext: + if (have & (1 << Opt_context)) + goto incompatible; + ctx = DEFCONTEXT_MNT; + goto copy_context_string; + + case Opt_labelsupport: + return 1; + + default: + return -EINVAL; + } + +copy_context_string: + if (opts->num_mnt_opts > 3) + return -EINVAL; + + of = krealloc(opts->mnt_opts_flags, + (opts->num_mnt_opts + 1) * sizeof(int), GFP_KERNEL); + if (!of) + return -ENOMEM; + of[opts->num_mnt_opts] = 0; + opts->mnt_opts_flags = of; + + oo = krealloc(opts->mnt_opts, + (opts->num_mnt_opts + 1) * sizeof(char *), GFP_KERNEL); + if (!oo) + return -ENOMEM; + oo[opts->num_mnt_opts] = NULL; + opts->mnt_opts = oo; + + opts->mnt_opts[opts->num_mnt_opts] = param->string; + opts->mnt_opts_flags[opts->num_mnt_opts] = ctx; + opts->num_mnt_opts++; + param->string = NULL; + return 1; + +incompatible: + return -EINVAL; +} + +/* + * Validate the security parameters supplied for a reconfiguration/remount + * event. + */ +static int selinux_validate_for_sb_reconfigure(struct fs_context *fc) +{ + struct super_block *sb = fc->root->d_sb; + struct superblock_security_struct *sbsec = sb->s_security; + struct security_mnt_opts *opts = fc->security; + int rc, i, *flags; + char **mount_options; + + if (!(sbsec->flags & SE_SBINITIALIZED)) + return 0; + + mount_options = opts->mnt_opts; + flags = opts->mnt_opts_flags; + + for (i = 0; i < opts->num_mnt_opts; i++) { + u32 sid; + + if (flags[i] == SBLABEL_MNT) + continue; + + rc = security_context_str_to_sid(&selinux_state, mount_options[i], + &sid, GFP_KERNEL); + if (rc) { + pr_warn("SELinux: security_context_str_to_sid" + "(%s) failed for (dev %s, type %s) errno=%d\n", + mount_options[i], sb->s_id, sb->s_type->name, rc); + goto inval; + } + + switch (flags[i]) { + case FSCONTEXT_MNT: + if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) + goto bad_option; + break; + case CONTEXT_MNT: + if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) + goto bad_option; + break; + case ROOTCONTEXT_MNT: { + struct inode_security_struct *root_isec; + root_isec = backing_inode_security(sb->s_root); + + if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) + goto bad_option; + break; + } + case DEFCONTEXT_MNT: + if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) + goto bad_option; + break; + default: + goto inval; + } + } + + rc = 0; +out: + return rc; + +bad_option: + pr_warn("SELinux: unable to change security options " + "during remount (dev %s, type=%s)\n", + sb->s_id, sb->s_type->name); +inval: + rc = -EINVAL; + goto out; +} + +/* + * Validate the security context assembled from the option data supplied to + * mount. + */ +static int selinux_fs_context_validate(struct fs_context *fc) +{ + if (fc->purpose == FS_CONTEXT_FOR_RECONFIGURE) + return selinux_validate_for_sb_reconfigure(fc); + return 0; +} + +/* + * Set the security context on a superblock. + */ +static int selinux_sb_get_tree(struct fs_context *fc) +{ + const struct cred *cred = current_cred(); + struct common_audit_data ad; + int rc; + + rc = selinux_set_mnt_opts(fc->root->d_sb, fc->security, 0, NULL); + if (rc) + return rc; + + /* Allow all mounts performed by the kernel */ + if (fc->purpose == FS_CONTEXT_FOR_KERNEL_MOUNT) + return 0; + + ad.type = LSM_AUDIT_DATA_DENTRY; + ad.u.dentry = fc->root; + return superblock_has_perm(cred, fc->root->d_sb, FILESYSTEM__MOUNT, &ad); +} + +static int selinux_sb_mountpoint(struct fs_context *fc, struct path *mountpoint, + unsigned int mnt_flags) +{ + const struct cred *cred = current_cred(); + + return path_has_perm(cred, mountpoint, FILE__MOUNTON); +} + /* inode security operations */ static int selinux_inode_alloc_security(struct inode *inode) @@ -6906,6 +7188,14 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), + LSM_HOOK_INIT(fs_context_alloc, selinux_fs_context_alloc), + LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup), + LSM_HOOK_INIT(fs_context_free, selinux_fs_context_free), + LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param), + LSM_HOOK_INIT(fs_context_validate, selinux_fs_context_validate), + LSM_HOOK_INIT(sb_get_tree, selinux_sb_get_tree), + LSM_HOOK_INIT(sb_mountpoint, selinux_sb_mountpoint), + LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security), LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),