From patchwork Tue Jan 10 17:28:32 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Stephen Smalley
X-Patchwork-Id: 9508201
From: Stephen Smalley
To: paul@paul-moore.com
Subject: [PATCH] security,selinux,smack: kill security_task_wait hook
Date: Tue, 10 Jan 2017 12:28:32 -0500
Message-Id: <1484069312-26653-1-git-send-email-sds@tycho.nsa.gov>
X-Mailer: git-send-email 2.7.4
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
Cc: selinux@tycho.nsa.gov, yangshukui@huawei.com, oleg@redhat.com, linux-security-module@vger.kernel.org, james.l.morris@oracle.com, Stephen Smalley

As reported by yangshukui, a permission denial from security_task_wait()
can lead to a soft lockup in zap_pid_ns_processes() since it only expects
sys_wait4() to return 0 or -ECHILD. Further, security_task_wait() can
in general lead to zombies; in the absence of some way to automatically
reparent a child process upon a denial, the hook is not useful.

Remove the security hook and its implementations in SELinux and Smack.
Smack already removed its check from its hook.

Reported-by: yangshukui
Signed-off-by: Stephen Smalley
Acked-by: Casey Schaufler
Acked-by: Oleg Nesterov
Acked-by: Casey Schaufler
---
 include/linux/lsm_hooks.h  |  7 -------
 include/linux/security.h   |  6 ------
 kernel/exit.c              | 19 ++-----------------
 security/security.c        |  6 ------
 security/selinux/hooks.c   |  7 -------
 security/smack/smack_lsm.c | 20 --------------------
 6 files changed, 2 insertions(+), 63 deletions(-)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 0dde959..6fe7a5c 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h
@@ -666,11 +666,6 @@ * @sig contains the signal value. * @secid contains the sid of the process where the signal originated * Return 0 if permission is granted. - * @task_wait: - * Check permission before allowing a process to reap a child process @p - * and collect its status information. - * @p contains the task_struct for process. - * Return 0 if permission is granted. * @task_prctl: * Check permission before performing a process control operation on the * current process. @@ -1507,7 +1502,6 @@ union security_list_options { int (*task_movememory)(struct task_struct *p); int (*task_kill)(struct task_struct *p, struct siginfo *info, int sig, u32 secid); - int (*task_wait)(struct task_struct *p); int (*task_prctl)(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5); void (*task_to_inode)(struct task_struct *p, struct inode *inode); @@ -1767,7 +1761,6 @@ struct security_hook_heads { struct list_head task_getscheduler; struct list_head task_movememory; struct list_head task_kill; - struct list_head task_wait; struct list_head task_prctl; struct list_head task_to_inode; struct list_head ipc_permission; diff --git a/include/linux/security.h b/include/linux/security.h index f4ebac1..d3868f2 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -332,7 +332,6 @@ int security_task_getscheduler(struct task_struct *p); int security_task_movememory(struct task_struct *p); int security_task_kill(struct task_struct *p, struct siginfo *info, int sig, u32 secid); -int security_task_wait(struct task_struct *p); int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5); void security_task_to_inode(struct task_struct *p, struct inode *inode); 
@@ -980,11 +979,6 @@ static inline int security_task_kill(struct task_struct *p, return 0; } -static inline int security_task_wait(struct task_struct *p) -{ - return 0; -} - static inline int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, diff --git a/kernel/exit.c b/kernel/exit.c index 8f14b86..60f2451 100644 --- a/kernel/exit.c +++ b/kernel/exit.c @@ -14,7 +14,6 @@ #include #include #include -#include #include #include #include @@ -1360,7 +1359,7 @@ static int wait_task_continued(struct wait_opts *wo, struct task_struct *p) * Returns nonzero for a final return, when we have unlocked tasklist_lock. * Returns zero if the search for a child should continue; * then ->notask_error is 0 if @p is an eligible child, - * or another error from security_task_wait(), or still -ECHILD. + * or still -ECHILD. */ static int wait_consider_task(struct wait_opts *wo, int ptrace, struct task_struct *p) @@ -1380,20 +1379,6 @@ static int wait_consider_task(struct wait_opts *wo, int ptrace, if (!ret) return ret; - ret = security_task_wait(p); - if (unlikely(ret < 0)) { - /* - * If we have not yet seen any eligible child, - * then let this error code replace -ECHILD. - * A permission error will give the user a clue - * to look for security policy problems, rather - * than for mysterious wait bugs. - */ - if (wo->notask_error) - wo->notask_error = ret; - return 0; - } - if (unlikely(exit_state == EXIT_TRACE)) { /* * ptrace == 0 means we are the natural parent. In this case @@ -1486,7 +1471,7 @@ static int wait_consider_task(struct wait_opts *wo, int ptrace, * Returns nonzero for a final return, when we have unlocked tasklist_lock. * Returns zero if the search for a child should continue; then * ->notask_error is 0 if there were any eligible children, - * or another error from security_task_wait(), or still -ECHILD. + * or still -ECHILD. */ static int do_wait_thread(struct wait_opts *wo, struct task_struct *tsk) { 
diff --git a/security/security.c b/security/security.c index 32052f5..8c9fee5 100644 --- a/security/security.c +++ b/security/security.c @@ -1025,11 +1025,6 @@ int security_task_kill(struct task_struct *p, struct siginfo *info, return call_int_hook(task_kill, 0, p, info, sig, secid); } -int security_task_wait(struct task_struct *p) -{ - return call_int_hook(task_wait, 0, p); -} - int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5) { @@ -1769,7 +1764,6 @@ struct security_hook_heads security_hook_heads = { .task_movememory = LIST_HEAD_INIT(security_hook_heads.task_movememory), .task_kill = LIST_HEAD_INIT(security_hook_heads.task_kill), - .task_wait = LIST_HEAD_INIT(security_hook_heads.task_wait), .task_prctl = LIST_HEAD_INIT(security_hook_heads.task_prctl), .task_to_inode = LIST_HEAD_INIT(security_hook_heads.task_to_inode), diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index bada3cd..720dbd0 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3969,12 +3969,6 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info, return avc_has_perm(secid, task_sid(p), SECCLASS_PROCESS, perm, NULL); } -static int selinux_task_wait(struct task_struct *p) -{ - return avc_has_perm(task_sid(p), current_sid(), SECCLASS_PROCESS, - PROCESS__SIGCHLD, NULL); -} - static void selinux_task_to_inode(struct task_struct *p, struct inode *inode) { @@ -6217,7 +6211,6 @@ static struct security_hook_list selinux_hooks[] = { LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), LSM_HOOK_INIT(task_movememory, selinux_task_movememory), LSM_HOOK_INIT(task_kill, selinux_task_kill), - LSM_HOOK_INIT(task_wait, selinux_task_wait), LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode), LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 8da4a6b..2166373 100644 --- a/security/smack/smack_lsm.c 
+++ b/security/smack/smack_lsm.c @@ -2272,25 +2272,6 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info, } /** - * smack_task_wait - Smack access check for waiting - * @p: task to wait for - * - * Returns 0 - */ -static int smack_task_wait(struct task_struct *p) -{ - /* - * Allow the operation to succeed. - * Zombies are bad. - * In userless environments (e.g. phones) programs - * get marked with SMACK64EXEC and even if the parent - * and child shouldn't be talking the parent still - * may expect to know when the child exits. - */ - return 0; -} - -/** * smack_task_to_inode - copy task smack into the inode blob * @p: task to copy from * @inode: inode to copy to @@ -4658,7 +4639,6 @@ static struct security_hook_list smack_hooks[] = { LSM_HOOK_INIT(task_getscheduler, smack_task_getscheduler), LSM_HOOK_INIT(task_movememory, smack_task_movememory), LSM_HOOK_INIT(task_kill, smack_task_kill), - LSM_HOOK_INIT(task_wait, smack_task_wait), LSM_HOOK_INIT(task_to_inode, smack_task_to_inode), LSM_HOOK_INIT(ipc_permission, smack_ipc_permission),
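Review bot: in kernel/exit.c, the wait_consider_task() hunk at -1380,20 removes the path on which an LSM error code replaced -ECHILD in wo->notask_error, but nothing in the remaining code records that zap_pid_ns_processes() depends on sys_wait4() returning only 0 or -ECHILD, as the commit message states. Consider adding a short comment at that caller, or making its loop tolerate any negative return, so that a later change to the wait path cannot bring the soft lockup back unnoticed. The -14,7 hunk in the same file also drops an #include whose name is not legible in this rendering; it is worth confirming that no other security_*() call in kernel/exit.c still needs it.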
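Review bot: in security/selinux/hooks.c, the -3969,12 hunk deletes the check "avc_has_perm(task_sid(p), current_sid(), SECCLASS_PROCESS, PROCESS__SIGCHLD, NULL)" without the commit message saying what happens to the sigchld permission afterwards. Please state whether PROCESS__SIGCHLD is still enforced at another hook or becomes wait-path dead policy, so that policy authors know that a parent lacking this permission will now be able to reap the child and collect its status, and so that any audit rules keyed on that denial at wait time can be retired.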
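Review bot: the include/linux/lsm_hooks.h hunks at -1507,7 and -1767,7 remove the task_wait member from both union security_list_options and struct security_hook_heads, yet the diffstat only touches the SELinux and Smack registrations. Any other module that still carries an "LSM_HOOK_INIT(task_wait, ...)" entry will fail to build after this change, so the changelog should note that a tree-wide search for task_wait and security_task_wait found no remaining users, and out-of-tree LSM maintainers should be pointed at the removal.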