From patchwork Mon Feb 6 21:43:26 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stephen Smalley X-Patchwork-Id: 9558823 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id A1C8C6021C for ; Mon, 6 Feb 2017 21:41:30 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 90C4E280DE for ; Mon, 6 Feb 2017 21:41:30 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 83B532815E; Mon, 6 Feb 2017 21:41:30 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 Received: from emsm-gh1-uea10.nsa.gov (emsm-gh1-uea10.nsa.gov [8.44.101.8]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 78BD6280DE for ; Mon, 6 Feb 2017 21:41:29 +0000 (UTC) X-IronPort-AV: E=Sophos;i="5.33,342,1477958400"; d="scan'208";a="3584315" IronPort-PHdr: =?us-ascii?q?9a23=3A8MoawR1kOddSEsHtsmDT+DRfVm0co7zxezQtwd8Z?= =?us-ascii?q?sewUKfXxwZ3uMQTl6Ol3ixeRBMOAuq4C1LWd6v28EUU7or+5+EgYd5JNUxJXwe?= =?us-ascii?q?43pCcHRPC/NEvgMfTxZDY7FskRHHVs/nW8LFQHUJ2mPw6arXK99yMdFQviPgRp?= =?us-ascii?q?OOv1BpTSj8Oq3Oyu5pHfeQtFiT6ybL9oLhi7rwrdutQWjIZtN6081gbHrnxUdu?= =?us-ascii?q?pM2GhmP0iTnxHy5sex+J5s7SFdsO8/+sBDTKv3Yb02QaRXAzo6PW814tbrtQTY?= =?us-ascii?q?QguU+nQcSGQWnQFWDAXD8Rr3Q43+sir+tup6xSmaIcj7Rq06VDi+86tmTgLjhy?= =?us-ascii?q?kdNz497WrZlMp+gqxGqx6lvhBz3ZLYbISTOfFjfK3SYMkaSHJBUMhPSiJPDICy?= =?us-ascii?q?YYwXD+cDIOpVoYbyqEcBoxSgHgmhH//vxz1Si3Pqx6A2z/otHAfb1wIgBdIOt3?= =?us-ascii?q?HUoc3oOqcOT++11KnIwivFb/hLxDn97ZLHchQlof6SXbN7bM3cyVIyGAPelViQ?= =?us-ascii?q?tYzkMC+V1uQKqWSb6fFgWvi1h24orAFxvCGiy8ExgYfKnoIY0k3I+Cp2zYovJd?= =?us-ascii?q?C0VVR3bcCrHZdOrS2WKo17Sd44TW5yoiY10LgGtIa+fCgN1Zso2QbSa+eCc4iU?= =?us-ascii?q?+hLjU/uRIStgiHJlZr2/gxGy/FC8yuLmTMm00UtKrjFfntnQtnECyxzT6s+dRv?= =?us-ascii?q?t74kihwiqA2xrW6uFFJUA4javbK5g/zb4sjpcfrEvOEyDslEj2kaOabFso9+e2?= =?us-ascii?q?5+j9f7nqvpqcOJV1igH6PKQugMu/AeEgPwgVQWeb/eW81Lv+/Uz2WblFlfo2kr?= =?us-ascii?q?TfsJ/GO8sbvbW0AxNV04k/6xa/CC2q0NIDnXYdNl5FdxWHj5bxN1HUPP/4Feu/?= =?us-ascii?q?g0irkDpzxfDGObvhDY/RLnjDirjhe61w60xbyAo1yNBQ/YlUCq0fL/LpQU/9rt?= =?us-ascii?q?vYDgU2Mwas2eboFM191p8CWWKIGqKZMqHSvkWU6eIsOOmMY4kVuDfjK/U+6f7u?= =?us-ascii?q?iWI5mFAGcqm025sXdG24Eu5hI0WDbnrmms0BHnsSvgoiUOzqj0WPUDBSZ3a2Wq?= =?us-ascii?q?Iz+Cs7BZmoDYjdW4+th6aB0z2jHp1MYWBGCE6DHmv0d4meXPcMci2SKNd7kjMY?= =?us-ascii?q?TbihV5Mh1Ra2uQDn17VnK+3U+isEtZ7+z9V1+fPclQsz9T11CMSd1XuBT2dqkW?= =?us-ascii?q?MUXzU2xrxwoVRhylef1qh1m+FXFcBJ6PNTSQo1KZncz+lmBN/oQQLBYs2FSFC4?= =?us-ascii?q?TdW6GTsxVM4+w8cSY0ZhHNWvlhDC3iutA78TjLGLAZg0/rvd33j3Pcp9zWzJ1L?= =?us-ascii?q?Mij1knXMtAK3eqhqhh+AjPH4TJiVmWl762daQA2y7A7HmMzXKUs0FCUQ5wSr7I?= =?us-ascii?q?XWgFaUvMrNT5/VvCT7u0Brs7LARN08mCKrFFatfxl1VJWO/jOMjCY2K2g2qwCw?= =?us-ascii?q?yIyamKbIX2emUdxz7QCE0ckwAS5HqGLgY/Bjy7r2LZFjxuGkrlY1nw/ulmtHO7?= =?us-ascii?q?Ukg0whmJb0J71Lq1/QMViOefS/wJ3bIEvzohpy9zHFan0NLcE8CAqBZ5fKVAfd?= =?us-ascii?q?M9509K2njEuAxnP5yvMbpii0UEfAtrukPizRJ3Cp9PkcIytnMl0BJyKb6E0FNG?= =?us-ascii?q?bz6Y3Y7/OrnTKmn15x2vb7PW2k3Z0NaT4KgD8vM4q0/svAuxDEot721n08VJ03?= =?us-ascii?q?ub/pjKFwQSUYj2UkYs6xh3vKraYi8654La0H1jK6+0viXE2903GOsv0gygcMtH?= =?us-ascii?q?MKOYCA/yFNUXBsa0J+wuh1imcAgEPPtJ+a4qIcymbeCJ2LOuPOp6mzKml2tH6p?= =?us-ascii?q?hn0k2Q7yp8VvLI35EdzvGEwwSISjb8g02lss3shY9EYjQSEXalxij/GI5dfKty?= =?us-ascii?q?cpgXCW22Oc242s1+h4LxW35f7FOjAVIG2MuteRWMdFzwxhdf2loNoXyggye4yC?= =?us-ascii?q?Z0kz4xpKqFwCPO2/jidAYAOmNTWmlijEvjIZSzj9AARkSncwgplByj5Ub13KVb?= =?us-ascii?q?oKV/L2/JTkdSeCj6NWZiUrG/trCaec5A9IsosTlLUOS7eV2aTr/9owAG0y/6BG?= =?us-ascii?q?tR2jQ7dzCsupXkkB13k3mdLG5yrHrfeMF/2Qzf6MbaRfFPwjoMXDN4hiXPBlig?= =?us-ascii?q?I9mp+s2Zl43EsuC6U2KuSIdTfjXszYKOrya7/nBqDgGkn/ypnd3nCwc62zfh19?= =?us-ascii?q?Z2TSXIsAr8Yo7z2qSiK+1nY01oCEXm5MZgAY5+lY8whI0X2XgcnZiV+GYLkWH0?= =?us-ascii?q?MdpHw67+amQCRSITyd7P/AflwFFjLm6Ox4/hVXWS3M1hZ8Khb2MVxC096dtKCK?= =?us-ascii?q?GK47xYhyd1pUC4rQ3Ja/hngjgd0ecu6GIdg+wRpgotyDiSD6sMHUleICPslw6E?= =?us-ascii?q?79ago6VLfGyva6S/1FJindC9C7GPuhlcV2zkepcmBiJ/8sR/ME7M0XHq5IHrYt?= =?us-ascii?q?/QYcgUth2OnBfKl/JVJ44plvoWmSpnPnrwvWc4xOEmlhFu0pS6vYedJ2Vr4q25?= =?us-ascii?q?HgZSNifpaMML5jHtkaFek96O34+1A5VhHisEXIPyQvKuDDIdq+7nOh2TED0ntH?= =?us-ascii?q?ibA6HfERWE6EdhsnLPCYykOG+ZJHke19ViSweSKFZZgA8KQDUwhoQ5GRyyxMz9?= =?us-ascii?q?bEd54Sgc5lDipRtK1uJoMBz/X3zRpAi2dzg0T4KfIwBO7gFY4EfVM9KR4f5vHy?= =?us-ascii?q?1C+Z2htgONIHSBZwtUFWEJRlCEB1f7M7mr/9bA9+yYCfSiL/vSe7qBs/dTV/GW?= =?us-ascii?q?ypKzyYtp4yyDNt2RMXV4Cf00xFZDV2hjG8vFgzUPVzAXlyXVYs6Bvhu99Dd7rs?= =?us-ascii?q?Wl//TvXwLu5ZCCBKFOPtVq4Ry2hr2DN+GIjiZjNTlYzo8MxWPPyLUH0l4SkT9h?= =?us-ascii?q?eCS2Ebsasy7NUKXQmrRMAhEBdyxzMdFE76Um3glCIcTbkM/61qZkjv4pDFdITV?= =?us-ascii?q?rhmtuzaswSO2GwL13HBEeRNLSdOT3LzcD3YaWmRr1WkOpUtge/uTKBH0/kJDSD?= =?us-ascii?q?mCHjVwqzPuFUkCGbIBtetZmlchlzEmfsUtTmahynMN9wljA2wKM7iW3UOmIGNj?= =?us-ascii?q?h8aUxNpKWK7SxEmvV/B3BB7n19IOaZgCaW8fPXKpkMsfRxHCR5jPla7245y7tI?= =?us-ascii?q?9iFLXuZ5mC/Prt5ouV6miPCDyiZgUBpNqjdLg5iHvUN8NqXF7pNAQ2rL/AoR7W?= =?us-ascii?q?WMDBQHv8BlBcfxu69KxdjAirnzJSxZ893O48sTHcfUJ9ycMHY7NxrmBiLUBhMf?= =?us-ascii?q?TTG3LWHfm1BdkPaK+3KOr5g6pZ/smJwVR7BGSlM6DfIaBV5jHNAYJ5d3RDwkm6?= =?us-ascii?q?aBjMEU/Xq+sAXRRMJCs5/dWfKdG+vvJyiCgLlDfxsH37X4LYEJOY3630xtcV56?= =?us-ascii?q?nYvQF0rXR9BNrTVrbhUor0VV7Hh+Umoz1lr5agOq5X8fD+S0nhk3iwRgZ+Qi7y?= =?us-ascii?q?3s41ApKVrJvyY/jE4xmdD5jj+Laz7xML28XYdIBCror0IxKI/0Qx5pbQ2umkxp?= =?us-ascii?q?LDTERrJVj7R+bm1rjQjcuZVBGfFCUa1EfB8QxfaSZ/o2y1hcrDuoxVNf7+vfFZ?= =?us-ascii?q?RijBcqcYKrr39Y3QJscsQ6JajLKapKyVhQnb6OsTWu1uAqww8eJlwB8GWMdy4U?= =?us-ascii?q?oEYILKUpJzK0/uxw7gyPgyFDd3YXV/U0uP1q7F8yO+Sbwi370r5DMF2+N+uRL6?= =?us-ascii?q?OBoWjPi86JTkk21kwWi0lP5aJ23ts7c0qIS0Avy6OcGAkONcrELwFactRd9HzS?= =?us-ascii?q?fSuVq+rC34h1P4KnGuDvV++Ou74egli4EwYxA4QM8sMBE4Gx307CM8fnLaMKyQ?= =?us-ascii?q?426QvxPlWFFvNJeRyQkDgZv86/0YV33YhBJjAdG2l9Nzu45qrPrA8wnPWDRMs2?= =?us-ascii?q?YmsdXoYcMnI2X9e6lDBfv3VBCzm6ye0ZyA6f7zPmoSTQFjb8ZcJ5ZPiIfRNsFM?= =?us-ascii?q?22+TIn/qitl1HX9pTeJ2fnNdVtodLA9eQap5ObBPxOVrl9r13Qm49GSHy2S2TP?= =?us-ascii?q?C8K6J4Dsa4kwatz5EnW6Uka/ij0vScfxINatI7OHgQHvXYZbrJOX3DY9Os+hDj?= =?us-ascii?q?seAQt/p/kf5KJgYg0Oe4Y7YR/ttwQ5K6y/IAeZ386zTGasKTpZVeJQwf+8Z7NJ?= =?us-ascii?q?0yomdvW6x2c4TpEm0+m39lYAS4sOjhHf2fmseZFRUS3zG3xbfAXPozA2mnN6Oe?= =?us-ascii?q?Yz2Og/xgrEsVcBMzyRcuxmdnBEtckmBVyOOXV2FnY4R1iEgIXY/AGs2asf8DFA?= =?us-ascii?q?kNZKz+JFqmP+sYXFYDOsQqCrro/VsyU4Z9g8v6JxKZDjIteBtJ7GkTzfUZjQsg?= =?us-ascii?q?mBUCGkEvpXgcVfLzxDT/lJg24lP9YKuY1b6Uo+Ts0+PaBACLEwprC2bjppFTQS?= =?us-ascii?q?zSkYV4yc3DwCheO826DCmBmJbZosKgAJvpJZj9QBVC52Zz8Rq7W4V4XKjWOETH?= =?us-ascii?q?YEIBsL5wRW+A0AjpNwfvzi4IfQVp9D0SRWo/VvXSbQCplo7UH0Sn+Ijlj8SfWh?= =?us-ascii?q?leOp3QZTzPLj0tkbRBB/BlJHx+ZTjEcoLq94K7UItI7QrjCIbV/6vH7qyOa+Kl?= =?us-ascii?q?hd09Hbd135DIrAtGrzSC4c9GYVRYBR1n7QC44ekw1jaKYkvF9MOpypel7i5zw4?= =?us-ascii?q?wIRkB6O3Vdq2x1Yjt3oGRDynE9tAC+FnrFLYQydpY5a1p5X5I59SWHNf+IWBq1?= =?us-ascii?q?dFl0VgKy+5yZxAK85T5j4DQj1PriuBvNuoSMxOwsh2D4cSLdd5vnfyAqJEOJyK?= =?us-ascii?q?rH0xtb3j0HjZ+yozsF2i3jW8B7e4T/5F/20ZAggpKH6epVMpD+sw6WrS81fNs1?= =?us-ascii?q?5y/+dHBriAk0RxoDBhHp9QHDZFz3alIEpvTHNeqeVVNLzVc9BAQ/k1fRKvJxs+?= =?us-ascii?q?Ffs90kyV4U10mGz2bzZ0tgRE5yDXRxM0WjUNgrfxhT0erdmqOT8ARJJSdzohaz?= =?us-ascii?q?rKJhmGli9JpBZfc19lW5QHDdZf4b0b2pFU/sXaQ0a2NS4FRABiNh4/0fdHl05D?= =?us-ascii?q?t1uXdDvAAgW2bvbArAd3fduPo8G0Nvj5+hlIip//uuAi66oDX2GmmRGqQd3GtI?= =?us-ascii?q?D8uMGFuleMeavlPeCxemPOTD/JjR+sn7gkFIXK8zLVMAVFN5lw0WAkboT5CW7X?= =?us-ascii?q?IRRGILoWJ1BFWq9nadVJuPxaatRgeKYO569iGAyLSQ/oGIOysvZKNFDTSirCLy?= =?us-ascii?q?+Z6OywvZrT7aDBSejnfsGM323HQ75tMZhn9Tn2AKzq0YhD+krsxvhi6EV6SUTc?= =?us-ascii?q?My+bqNTtPAQL5NOtdkH6pJ0mASvWAItskHrq3kxAa9AXTDO0/5sF055Z9XLwSf?= =?us-ascii?q?5i0kfpru1S9r5k6Y0p7LB108u0Ir3SKftCu099HheUHhlq9okqAGVnWm9RZPUe?= =?us-ascii?q?JezMcqQfl8/isef3F7YY6BeN4exWdcPHJ13dmsm4EjycSwZLnB0GqT4BKguTze?= =?us-ascii?q?CFlrRxSca4oej5xkMt7ES/LhEcyrBt/p2I+q2SpO/YdxHR16QLWrD2RsPvqbQh?= =?us-ascii?q?o0GS6ucilL4AYGx1ZBCoH/YGW84B3Gjgy7sqzSU2H8PFAb3g5OZJV2glkTL4h5?= =?us-ascii?q?B9A1IWF+sSHbqP5olen2E4m+nDOt0XdKBClHyPGgS/Er8e036r9jeYIHV4ghHU?= =?us-ascii?q?zR78W2Sz7EX5rSVgWyvD08/jklZJVrmwHUpSWSupNlN/sDOLJgXor8D7uaUy7E?= =?us-ascii?q?ExKWzkr8mAlG6uNbJYBcH/I8acISYsrlINkJIxXsCv2ZwcGdelPNge6nV+YeXF?= =?us-ascii?q?62O3ky5BpLxKh5HC7cGU5PrXG2Wgj6yApLmXwjBX1GQ4t0kl6t+8LvHO+8GKQ/?= =?us-ascii?q?Ow2mYVVCd/vgvMUgW7qrPFsl8UPlaL313TmIwQOdFZ32c32V365OQ5R9Iz7gpe?= =?us-ascii?q?HJ7aZ/wevTDzJCf0wVGHbtI1Vyme1iBaHlfrHlh4Bqc8wmPwvMTGlXvK/V0nWJ?= =?us-ascii?q?VwfVT9hRNrF4U4NV4t6F8PzyoCEAkCcwqUA62zCET+M4QESVYMZgid0Li9YKc3?= =?us-ascii?q?0lV5wqmz6+/Lcex8G60NO+5GgQ6Ph1haFIgZsa8fQLJgY19S7rPXpgz5Bof7WP?= =?us-ascii?q?jpiGQ/OueoQsBA9sAZrWEt7hy4Rxq65pdJ96wbh4yQdq5YfZjMu9hx71996j4T?= =?us-ascii?q?aiNNgBZ+jxSjUeAfvezj+cbUsJ6p6uaoSaYsSP4a9wAuCGRik5TwgF4iodbN1+?= =?us-ascii?q?dfUIHViprw8BpLI3GUvIbWyR58KfABK4izZrZv620HJzQCJ3IJJdeWd+M87DFp?= =?us-ascii?q?MDrJ4VxNHNgBas4ZPMrCmABUllfmWKpJ+crBB1+UEYFzeN4072Dv0jA67YM8Uv?= =?us-ascii?q?r86D+xPZ3f4EtCP+ldgyVwlNLPv+wVwfvOCCcJ4XmWcQV1wjiYx5mLFfnw4f2G?= =?us-ascii?q?yMvIWFMeAi42T4BdKSKN+QO5QOq1iJLpUgST5s/onp0+cEOQRnqsnKUKqatMFf?= =?us-ascii?q?BPij/73zdEDIz1geyas8a04mtNqlJHCJpz7QHCGKhHIpp7Ow73mdWwS0dgASv/?= =?us-ascii?q?fMXUdhswt+qM2ucD/flxN0vkaY8cOBIExKrw6WBJQQt2VL72olGZUPoUZNthTv?= =?us-ascii?q?PEsn9V5px7Jq8KPViSvprqoSlUqFE4Bw8pcrwwridAeknIggJVR77+uKQchQsE?= =?us-ascii?q?Td55pUhMFHq/OG0i/DrHTr1ZgrSeBvIT8zWTSLEOUkpzPyNxRhO6wpNudKWzkf?= =?us-ascii?q?BAqGNGkTt3oOI23Dx+WBu8pSrsqroP2TIn+LG4si8NtmBFTuWajifHFFRCzPUM?= =?us-ascii?q?jacHCHbi6EexYGcCbIvs+rZnIdnv9Yg773Q5fxojYzUMXf68BCHok6OIHouPvc?= =?us-ascii?q?pdhB6TosrOa6S+LSwPNrsgyBLjQGN93hLZnBZy/2sBWi+g48M8JIWhJcYlwTKl?= =?us-ascii?q?GWrFe1YC7KNJtND8tFARQ+swd1xh3H9v0s6ZSS0RXMbPAXo6jhA4aWVYd5JO8R?= =?us-ascii?q?AaF60vgjeGoKZG+gUUbSzPEoSi/InQnNvH1WM7Tdh02mLcvreFiY8y0H15h9N0?= =?us-ascii?q?6TaDuHYSd+3YS89sBXzz1oZDyePgfPitt+EHSJd8yLu/SvMCNdOj+WSu0pVwRk?= =?us-ascii?q?Cl3qgeH0a+MOIb2rfbUiKlRHaEWeSKb2eMnCg2Mkro6RmuMFI3dN9Ar1UhPeva?= =?us-ascii?q?mp5ciwrhXKtxRiWRpl/bz2sjPPgYdw0su4enfAoKQ/AXZ+SGI+gh3uE+AkMWb3?= =?us-ascii?q?DVBSt2F/O2sVm1kYdgJXpg51n6bP/28gDiN9uSBgUEEZDEoZFs4/C6QXiBOXB4?= =?us-ascii?q?xh1oIEZ07/vfF0g2tuJEa5aRmtzQiM5h0e8LcPdtNSM9t8UWmoJk7omUy9mFfg?= =?us-ascii?q?3Lzpb1PtHVufmYA/vQz0gwfWFaSLUZaxvv54omJt45R6HTHbxBsBQSG6c6RJ0h?= =?us-ascii?q?N3/v+6xvLQJzcwvRZLGqjcnwouKEeIFYp3jM7lI/NC3coQEMyuSoTQxnaJCnn3?= =?us-ascii?q?vzIIgqRjJAs9JiFABrHI5OG8MctQqoHYSYmKahi9++40l6ofMFsbLsCvDW09S0?= =?us-ascii?q?x4JxX5xE6kGQJDbRALNkgl95juSznvjAzoPxBt38dt8eUuh0XHLFYKfcHoqjMj?= =?us-ascii?q?KOJt78e0le/r6Y0bJ5VAiRZS/gU6qCtS2kL+lk4V4gx4x5ZuXTyjst46vc2Nvo?= =?us-ascii?q?aGFRvj2jomKRNJtD8FzKAvTTXwlKRvqB8WZlG7AXbITz+OkBLdwiwMaT4xNt4z?= =?us-ascii?q?RaysSIOKuhoVHW2kJ9a53bKFDm2zs2WYUQJxS/K0Qsi3fDqnvBGXRcMtSkKc51?= =?us-ascii?q?jdaQFBPi+0lxmWArZm5GAWfoW9aROW4F1MK6ZQ2K8h9LDtkZk+6wY044ubW4Sf?= =?us-ascii?q?N0NZVdheWqqLIHnM5rKy7VR8haODrfIaRrPjpXEuXPpF8oYgMLs7g1Roc5f56O?= =?us-ascii?q?L10bME2Y0yP90RPC0VHod9yrzKuGOz0Z/nJDz7LEyjhMuxK5teyCgsL9TL/Vdo?= =?us-ascii?q?r2U+DWMCokUDGaWDszHF219lakofoEoeGYLX0Ro18OfiKSEwkTpqZ1odjXFG/T?= =?us-ascii?q?lvVpfIcWi/CCRyDwVCp4mbI9BilRrk+MWfsDGhfSb3L6nmpcvBatJuRN/XL4db?= =?us-ascii?q?GYwLRaW/AOCItWbvKZW8fYeexZJzowlDUZPeG8f8fGr7Y4yVLFVm0ZHLPN9FKA?= =?us-ascii?q?TU6aWPucxyjkXY8NpYg7pjIo+s7Mni9wC6nIJLifpzuy/YO5jyuVovPeWXc3Y0?= =?us-ascii?q?w0geMCB2+BzANGKG4aF9EfoFvtTbKYZ0ZQyHIpjvpj2x0LeAR1Vn1jyXhWk+ig?= =?us-ascii?q?Fc1XTl4Uln+hT+McYFBxEjww4RzC3gqnetEEuMbOV0dC57AMTswbN/Bu547Ja4?= =?us-ascii?q?UKx/N85y5ruCw3tW2mClpZig+Uu/7LELlU2qxJ5W5++ep/GE6IXWWMISD81oO6?= =?us-ascii?q?BpcXlm9Vqnf+2p+R5Lhg?= X-IPAS-Result: =?us-ascii?q?A2GrAwAY7ZhY/wHyM5BdGgEBAQECAQEBAQgBAQEBFQEBAQE?= =?us-ascii?q?CAQEBAQgBAQEBgyiBWRGOUqhaI4hXVwEBAQEBAQEBAgECXyiCMxuCIwIkExQgC?= =?us-ascii?q?wMDCQIXKQgIAwEtFR8LBRgEiUUNsS86JgKLMCaPYREBgmgMgw0Fjz1+iyuSCQK?= =?us-ascii?q?BeYhYhi0CiCiKZFh2CBgHAhEIGw88hmBXhmiCLQEBAQ?= Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1]) by emsm-gh1-uea10.nsa.gov with ESMTP; 06 Feb 2017 21:41:27 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v16LfPwT032689; Mon, 6 Feb 2017 16:41:26 -0500 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id v16LdvK0130482 for ; Mon, 6 Feb 2017 16:39:57 -0500 Received: from moss-pluto.infosec.tycho.ncsc.mil (moss-pluto [192.168.25.131]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v16LdvBS031737; Mon, 6 Feb 2017 16:39:57 -0500 From: Stephen Smalley To: selinux@tycho.nsa.gov Subject: [PATCH] selinux-testsuite: add tests for new netlink socket classes Date: Mon, 6 Feb 2017 16:43:26 -0500 Message-Id: <1486417406-29267-1-git-send-email-sds@tycho.nsa.gov> X-Mailer: git-send-email 2.7.4 X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: Cc: Stephen Smalley MIME-Version: 1.0 Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP Add tests for the new netlink socket classes introduced by kernel commit 6c6d2e9bde1c1c87a7ead806f8f5e2181d41a652 ("selinux: update netlink socket classes") circa Linux 4.2. A representative sampling of the new netlink socket classes are tested, including netlink_iscsi_socket, netlink_netfilter_socket, netlink_generic, and netlink_crypto. The tests verify that a domain can create a socket with the corresponding netlink protocol iff it has the necessary permissions to the corresponding new netlink socket class. The tests are only run if the new netlink socket classes are defined in the base policy. Signed-off-by: Stephen Smalley --- policy/Makefile | 4 ++ policy/test_netlink_socket.te | 50 +++++++++++++++++++++++++ tests/Makefile | 4 ++ tests/netlink_socket/Makefile | 4 ++ tests/netlink_socket/netlinkcreate.c | 72 ++++++++++++++++++++++++++++++++++++ tests/netlink_socket/test | 38 +++++++++++++++++++ 6 files changed, 172 insertions(+) create mode 100644 policy/test_netlink_socket.te create mode 100644 tests/netlink_socket/Makefile create mode 100644 tests/netlink_socket/netlinkcreate.c create mode 100755 tests/netlink_socket/test diff --git a/policy/Makefile b/policy/Makefile index 6a9e6e4..de7b950 100644 --- a/policy/Makefile +++ b/policy/Makefile @@ -34,6 +34,10 @@ ifeq ($(shell grep -q icmp_socket $(POLDEV)/include/support/all_perms.spt && ech TARGETS += test_extended_socket_class.te endif +ifeq ($(shell grep -q netlink_iscsi_socket $(POLDEV)/include/support/all_perms.spt && echo true),true) +TARGETS += test_netlink_socket.te +endif + ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6)) TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te, $(TARGETS)) endif diff --git a/policy/test_netlink_socket.te b/policy/test_netlink_socket.te new file mode 100644 index 0000000..b56c06c --- /dev/null +++ b/policy/test_netlink_socket.te @@ -0,0 +1,50 @@ +######################################## +# +# Policy for testing the new netlink socket classes. + +attribute netlinksocktestdomain; + +# +# netlink_socket_test(newclass) +# +# Generate a pair of test domains and rules to test +# that the kernel checks permission against the +# 'newclass' security class rather than the generic +# 'netlink_socket' security class. +# +define(`netlink_socket_test', ` +# Domain that is allowed to create $1_socket. +type test_$1_t; +domain_type(test_$1_t) +unconfined_runs_test(test_$1_t) +typeattribute test_$1_t netlinksocktestdomain; +typeattribute test_$1_t testdomain; + +# Allow $1 but not netlink_socket. +# This is to ensure that the kernel is checking the right class. +allow test_$1_t self:$1 create_socket_perms; + +# Domain that is not allowed to create $1. +type test_no_$1_t; +domain_type(test_no_$1_t) +unconfined_runs_test(test_no_$1_t) +typeattribute test_no_$1_t netlinksocktestdomain; +typeattribute test_no_$1_t testdomain; + +# Allow netlink_socket but not $1. +# This is to ensure that the kernel is checking the right class. +allow test_no_$1_t self:netlink_socket create_socket_perms; +') + +netlink_socket_test(netlink_iscsi_socket) +netlink_socket_test(netlink_netfilter_socket) +netlink_socket_test(netlink_generic_socket) +netlink_socket_test(netlink_crypto_socket) + +# +# Common rules for all netlink socket class test domains. +# + +# Entry into the test domains via the test program. +miscfiles_domain_entry_test_files(netlinksocktestdomain) +userdom_sysadm_entry_spec_domtrans_to(netlinksocktestdomain) diff --git a/tests/Makefile b/tests/Makefile index 53f256a..bb5868d 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -20,6 +20,10 @@ ifeq ($(shell grep -q icmp_socket $(POLDEV)/include/support/all_perms.spt && gre SUBDIRS += extended_socket_class endif +ifeq ($(shell grep -q netlink_iscsi_socket $(POLDEV)/include/support/all_perms.spt && echo true),true) +SUBDIRS += netlink_socket +endif + ifeq ($(DISTRO),RHEL4) SUBDIRS:=$(filter-out bounds dyntrace dyntrans inet_socket mmap nnp overlay unix_socket, $(SUBDIRS)) endif diff --git a/tests/netlink_socket/Makefile b/tests/netlink_socket/Makefile new file mode 100644 index 0000000..8dce555 --- /dev/null +++ b/tests/netlink_socket/Makefile @@ -0,0 +1,4 @@ +TARGETS=$(patsubst %.c,%,$(wildcard *.c)) +all: $(TARGETS) +clean: + rm -f $(TARGETS) diff --git a/tests/netlink_socket/netlinkcreate.c b/tests/netlink_socket/netlinkcreate.c new file mode 100644 index 0000000..3f20589 --- /dev/null +++ b/tests/netlink_socket/netlinkcreate.c @@ -0,0 +1,72 @@ +#include +#include +#include +#include +#include +#include +#include +#include + +struct nameval { + const char *name; + const int value; +}; + +static struct nameval protocols[] = { + { "route", NETLINK_ROUTE }, + { "sock_diag", NETLINK_SOCK_DIAG }, + { "nflog", NETLINK_NFLOG }, + { "xfrm", NETLINK_XFRM }, + { "selinux", NETLINK_SELINUX }, + { "iscsi", NETLINK_ISCSI }, + { "audit", NETLINK_AUDIT }, + { "fib_lookup", NETLINK_FIB_LOOKUP }, + { "connector", NETLINK_CONNECTOR }, + { "netfilter", NETLINK_NETFILTER }, + { "dnrtmsg", NETLINK_DNRTMSG }, + { "kobject_uevent", NETLINK_KOBJECT_UEVENT }, + { "generic", NETLINK_GENERIC }, + { "scsitransport", NETLINK_SCSITRANSPORT }, + { "rdma", NETLINK_RDMA }, + { "crypto", NETLINK_CRYPTO }, + { NULL, 0 } +}; + +#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) + +static int lookup_value(const char *name, const struct nameval *nvlist) +{ + const struct nameval *nv; + + for (nv = nvlist; nv->name; nv++) { + if (!strcmp(nv->name, name)) + return nv->value; + } + return -1; +} + +int main(int argc, char **argv) +{ + int sock; + int protocol; + + if (argc != 2) { + fprintf(stderr, "usage: %s protocol\n", argv[0]); + exit(1); + } + + protocol = lookup_value(argv[1], protocols); + if (protocol < 0) { + fprintf(stderr, "%s: unknown protocol %s\n", argv[0], argv[1]); + exit(1); + } + + sock = socket(AF_NETLINK, SOCK_DGRAM, protocol); + if (sock < 0) { + fprintf(stderr, "%s: socket(AF_NETLINK, SOCK_DGRAM, %s/%d): %s\n", + argv[0], argv[1], protocol, strerror(errno)); + exit(1); + } + close(sock); + exit(0); +} diff --git a/tests/netlink_socket/test b/tests/netlink_socket/test new file mode 100755 index 0000000..c38672e --- /dev/null +++ b/tests/netlink_socket/test @@ -0,0 +1,38 @@ +#!/usr/bin/perl + +use Test; +BEGIN { plan tests => 8 }; + +$basedir = $0; $basedir =~ s|(.*)/[^/]*|$1|; + +# Verify that test_netlink_iscsi_socket_t can create a NETLINK_ISCSI socket. +$result = system("runcon -t test_netlink_iscsi_socket_t -- $basedir/netlinkcreate iscsi 2>&1"); +ok($result, 0); + +# Verify that test_no_netlink_iscsi_socket_t cannot create a NETLINK_ISCSI socket. +$result = system("runcon -t test_no_netlink_iscsi_socket_t -- $basedir/netlinkcreate iscsi 2>&1"); +ok($result); + +# Verify that test_netlink_netfilter_socket_t can create a NETLINK_NETFILTER socket. +$result = system("runcon -t test_netlink_netfilter_socket_t -- $basedir/netlinkcreate netfilter 2>&1"); +ok($result, 0); + +# Verify that test_no_netlink_netfilter_socket_t cannot create a NETLINK_NETFILTER socket. +$result = system("runcon -t test_no_netlink_netfilter_socket_t -- $basedir/netlinkcreate netfilter 2>&1"); +ok($result); + +# Verify that test_netlink_generic_socket_t can create a NETLINK_GENERIC socket. +$result = system("runcon -t test_netlink_generic_socket_t -- $basedir/netlinkcreate generic 2>&1"); +ok($result, 0); + +# Verify that test_no_netlink_generic_socket_t cannot create a NETLINK_GENERIC socket. +$result = system("runcon -t test_no_netlink_generic_socket_t -- $basedir/netlinkcreate generic 2>&1"); +ok($result); + +# Verify that test_netlink_crypto_socket_t can create a NETLINK_CRYPTO socket. +$result = system("runcon -t test_netlink_crypto_socket_t -- $basedir/netlinkcreate crypto 2>&1"); +ok($result, 0); + +# Verify that test_no_netlink_crypto_socket_t cannot create a NETLINK_CRYPTO socket. +$result = system("runcon -t test_no_netlink_crypto_socket_t -- $basedir/netlinkcreate crypto 2>&1"); +ok($result);