From patchwork Mon Feb 13 20:23:45 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stephen Smalley X-Patchwork-Id: 9570735 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 3D944601E7 for ; Mon, 13 Feb 2017 20:20:41 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2E8D828173 for ; Mon, 13 Feb 2017 20:20:41 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 223DA2833B; Mon, 13 Feb 2017 20:20:41 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from emsm-gh1-uea11.nsa.gov (smtp.nsa.gov [8.44.101.9]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EFC7D28173 for ; Mon, 13 Feb 2017 20:20:39 +0000 (UTC) X-IronPort-AV: E=Sophos;i="5.35,157,1484006400"; d="scan'208";a="3133051" IronPort-PHdr: =?us-ascii?q?9a23=3AJC1R2BBw9zSsYw+KDPv4UyQJP3N1i/DPJgcQr6Af?= =?us-ascii?q?oPdwSPr5pMWwAkXT6L1XgUPTWs2DsrQf2raQ4vurADdeqb+681k6OKRWUBEEjc?= =?us-ascii?q?hE1ycBO+WiTXPBEfjxciYhF95DXlI2t1uyMExSBdqsLwaK+i764jEdAAjwOhRo?= =?us-ascii?q?LerpBIHSk9631+ev8JHPfglEnjSwbLd9IRmsqQjcuMYajZZsJ6sw1xDEvmZGd+?= =?us-ascii?q?NKyG1yOFmdhQz85sC+/J5i9yRfpfcs/NNeXKv5Yqo1U6VWACwpPG4p6sLrswLD?= =?us-ascii?q?TRaU6XsHTmoWiBtIDBPb4xz8Q5z8rzH1tut52CmdIM32UbU5Uims4qt3VBPljj?= =?us-ascii?q?oMODAj8GHTl8d+kqRVrhy8rBB72oLYfp2ZOP94c6jAf90VWHBBU95RWSJfH42y?= =?us-ascii?q?YYgBAe0ZPetasoXwqVQBogexCwayH+Pi0SNIi33s0KEmyektDR/K0Qo9FNwOqn?= =?us-ascii?q?TUq9D1Ob8PX+Cp0qbI1TXDYO1Q2Tzg9YbIdwouofWIXb1uccva1E4iFxjYgVWL?= =?us-ascii?q?soHlIzOU2fgNs2ic9eZgU/mvhHQ9pwF+pTiv2N4hh4/UjYwW0lDJ7Th1zYk6KN?= =?us-ascii?q?GiSEN3fMSoHIVfui2ELYd6X8UvSHxytikg0L0Jo5u7cTAPyJQg2hHQdeSKc5ON?= =?us-ascii?q?4hL/TOaRJip4hG59dLK/mRmy9U+gx/XgVsauylZKrzdFksLWunAR1x3c9siHSv?= =?us-ascii?q?xn8kenxTmPzBzc5vtBIUA1karXM58hwrgumZoPqUnPAyD7lUrsgKKWa0ko4Pak?= =?us-ascii?q?5uv5brn8u5OQL4p0hRv/MqQqlMy/G+M4Mg0WUmiA5+u80Lzj/UvkQLRFl/E5ia?= =?us-ascii?q?7ZsI3cJcsHuKG5GBRY0poj6hmjDzem184UnX8cLF1fYh6HgI/pO0/WLPDiEfi/?= =?us-ascii?q?m0iskCtsx/3ePL3hBZPNIWLfkLfhZ7l97VVRyAg0zdBZ4pJbEKoBIO7tVU/rr9?= =?us-ascii?q?zUFBg5Mxa7w+z/EtVyypseWX6TAq+eKK7Ss12I6fgzLOmPf48VvzD9K/k75/P1?= =?us-ascii?q?g385nUIdfKay0psKbnC4AulmL1+eYXr2jdcLCX0KsRYmTOz2lF2CViZeZnizX6?= =?us-ascii?q?I44zE0FpimAJzNRo+znbOB2z27EYdOZmBcDVCME2nneJmYW/sWbyKSOMBhmCQe?= =?us-ascii?q?Vbe9U48hyQ2utAjixrV6MuXU/yoYtZT/1NRo/ODTiw899SZ1D8Wc1GGNSXt4nm?= =?us-ascii?q?UWSD8qxKp/u1Byyk+f0ahkhPxVDcFc5+9TXQcgLpPT0+t6C9XuVQ3bZdeJVEyq?= =?us-ascii?q?QtO4DjEtVtgx2cMBY15hG9W+iRDOxyqrAr4Sl7yNH5E096bc02HwJ8Z70XrG0r?= =?us-ascii?q?Muj0MlQstOK22pmLRz9w7NCI7Vi0+ZjbqldbwA3C7R82eO1XSBvFlCXw5qUKXF?= =?us-ascii?q?RmsSZlPMotTj50PCVKeuCbA9PQRd18GOMKxKasfmjV9eXvfsJMzeY36tm2e3HR?= =?us-ascii?q?uIyKmMY5Dse2oB3SXdE1MJkwUL/XaHLAQ+HSmgo3nEADxpD1LvbFvm8fNip3Oj?= =?us-ascii?q?Uk800waKYlVi17Wv+R4VguGcRugQ3r0euychrCh0EEy639LMBNqKvxBhc7lEYd?= =?us-ascii?q?Mh/FdH0nrUuBZgMZy6LqBtmEQefh9tsEzy0hV7EIJAkdIlrHky1gp9NbqY0E9d?= =?us-ascii?q?dzOfxZ3wOqPYKm32/BCocKPW3kze0MqR+qcK8vs0sVLjvBumFkA66XVoz8FV02?= =?us-ascii?q?eA5pXNFAcSSpzxUlww9xhhu7HXeTI954XT1XxiNKm7qDnC18gvBOQ71haqZ81f?= =?us-ascii?q?P7+cFA/uD80aANCjKeIwlFitchILIvpS9LUvMsO4afSGwrWkPPtlnD68imRH+o?= =?us-ascii?q?992FqW9yVgUu7Iw4oFw/aA0wubSjjzkVahvdrzmY1feT4SGW+/xjT+C45Keq1+?= =?us-ascii?q?Z4ALBnmyI8ev3NVxm4btW2JE9F6kH14G3s6peR6Wb1Pjxg1dzl4YrmK9mSu/1T?= =?us-ascii?q?B0lCsprqWH1izU3+vibAYHOnJMRGR6k1fsIJS7j8wdXEiydQQmiBul5UH8x6hU?= =?us-ascii?q?v6l/K2jTQUFScCjsKGFuSKywtqCNY8RX8pMnrT1XUPigYVCdUrP9pxoa0zj/H2?= =?us-ascii?q?dH3zA0aTWqupT/nxxnh2OQN21zrGLYecF2xBfQ+MfcSeRX3jUYWClykSPXCUSk?= =?us-ascii?q?P9m14dWUkI/Osvq5V2KlUp1cbzPrwp+HtCq1/mBqGgC/kOyomtH9Fgg6yyD73c?= =?us-ascii?q?FwVSrUtBb8fpXr16OiPOJ/ZEZoGVv859BgFY1kiYQwg5UQ2WQdhpWT5ncHlHv/?= =?us-ascii?q?MdNc2a3idnYNQyAEw8LN6gj/xEJjNm6Jx57+VniFwctued+6YngN1yI+8c9KDr?= =?us-ascii?q?yU7LpakitpuFa4qhjRYfdllDcH1fQu8GIag/0OuAc10CWdBK0dEFJGPSzqihuI?= =?us-ascii?q?78qyrKNJa2azabKwzlZxnci9DLGepQFRQG75dY0/HS909chwLFPM0GHz6439dt?= =?us-ascii?q?nfd9QTugeTkxfagOhfMIgxmeYShSp7JWL9umUoy/Yhghxz2ZG1opCHJH9r/KKl?= =?us-ascii?q?HBFYLCb4Z94I+j7zl6Zehdya35uoHpV8ADUEQIXnTfyvEDIIuvToKRyCEDsipX?= =?us-ascii?q?eHAbDfBxOQ6F96r3LTFJCmL3+XK2MfzdV+QxmdIVdSgA4KUzonmZ45DBqlxNT7?= =?us-ascii?q?cEd+5DAe+EL3qgdWxuJvLRn/XX/VpB20ZTcsVJifMB1W4xlH50jPNcye6vx8Hz?= =?us-ascii?q?1E/pK7tgOAMWqbaBpUDWESRkOLHUjjMae06dnG7eeYGvK0L+HSbrWWtexeS/CI?= =?us-ascii?q?yIq10od88TeALMCPMWNmD/082ktORmp2FNjcmzkVTCwXjS3NZdaBpBig4i13st?= =?us-ascii?q?y/8PPzVQLh/4uAFaZdMc519BCwnaeDMPWQiT1jJjlE05MA33jIyKIQ3FQKkSFh?= =?us-ascii?q?ayGtEagctS7KVK/QnLVXAAQDayNrL8ZI4aM83hNWOc7HhNP117h4geQzC1hZVF?= =?us-ascii?q?zugMWpadYNI2GnO1PNHFyLO6ieJT3X38H3ZruxSaVOg+pPqRKwvzebE1PkPjmY?= =?us-ascii?q?ljnmSQ6gPv9WgCGcJhxet5m3cgxxBmj7UNLmdhq7Pcdqgj0t37I7nHzKNXQGPj?= =?us-ascii?q?hiaE5Ntaef7SBFgvVlAWNN9H5lLfSCmymD9enUM4oWsfxoAiV0kOJW+nI6xKVJ?= =?us-ascii?q?7CtcXvx6hDPSrsJyo1GhiuSP0SBoUARUpTZEmo2Lpl5vOb7D+ZleQ3nE8wwC7X?= =?us-ascii?q?6KBxQMudRlFsXlu7pMxdjXiKLzNDBC/srP8ssdCMjUL8SHPWE8PhX3AzHUDREK?= =?us-ascii?q?TTixOWHYnUxdn+mY9meJoZgitpjshJ0OR6dBW1w6DPwaFFpqEccFIJdvQDwkl7?= =?us-ascii?q?ubg9QJ5Xq6txbRQ8pbsorAVvKIDvXlMCyZgqVcZxsU3bP4KpweNpH820xncFV6?= =?us-ascii?q?hoPKGkvOUtBLuSJhdAg0r1tO8HVlUmIz3EflZR+3738ICf64hBg2hRViYe417j?= =?us-ascii?q?fj/083JkbWpCs3iEQxmtXkgTSPfzPqKaewWo9WCyTquEgtLpP7QwF1bQiskkB+?= =?us-ascii?q?MjfLWa5RhaN6dW93kA/cpYdPGflEQK1CfhAf3/WXau4r0VRbsSWn2VVI5e3eCZ?= =?us-ascii?q?thlQsma5isoGxc2wh7dt46ObTQJLZVzlhXnq+OpDGn1vsvzwAEPUYC7GOSdTUT?= =?us-ascii?q?t0wJLLkpOi2o/uJ06QyYhTRCeHIAV/w0rfJ27kk9IfiPzzr8075fLUC8L/GQL6?= =?us-ascii?q?Sfu2jGiMGHXFcw1kITmkZf47d2y8Ajf1CTV0A1w7ubDw4JOtbaKQFJc8pS82De?= =?us-ascii?q?cjuUvuXTwJJ6Ip69G/vyQu+UrqYUhUylHB03EIsQ88QBBJis0F3YLMv9Kr4K1w?= =?us-ascii?q?kt7hzxJFqZFPRJZA6LkDAfrsG7y593x5dSJjccAGV6Kii36bDXphIwjPqERtc2?= =?us-ascii?q?bW8QXpEYOXIuRM26hylZsmxbDDap1uIZyQ6C7yLzpynLEDb8aN9ja+uOahN3FN?= =?us-ascii?q?G64zM//LaqiVTP6JXRO3n6Nch+ut/I8e4apIyHCvNOQrl7r0fcm5JVR3OtU27X?= =?us-ascii?q?DdG5PZ7wZJcwbdbsEHa1TkS/iy4pT8f2JNutMqmIgQTvRYZIsIma3CsuOtK8Fj?= =?us-ascii?q?AeARh/vPsP5KRiag0fe5A7ewLntxwiN6yjJweVys+hQ2KsKTRKUfZQ1eC6ZrxR?= =?us-ascii?q?zyoraO+10mAtQYo7z+at904BXZ8KjgzEyfaleYZeTTD5GmZBdAXXuSo5i29hO/?= =?us-ascii?q?4pzeghxhPFqkMTPC2VdON3cmxEpMszBUmSIHlsDWo4XVCch5LZ4gGwx7AS4zdd?= =?us-ascii?q?n9FM3O1KrXj+v5vfYDayV6yuspjarjQvYsMno6JrN4zvOMyGtInRnjbHVpnfrh?= =?us-ascii?q?WFUDKmF/pdgtVQOiRYQPhUlmElPswGvZFB51IoWMkjPbJCFK4iq6u2ZjpjCC4d?= =?us-ascii?q?0TUWV5ic3DAYhOezxafanA+KcJs+KBwErIlCgtwFXi5sfywRubSuV4rTl26LUG?= =?us-ascii?q?QLJhkc7RhU7gIaioBwZvzl4JbPTJJU0T5Zueh0UizQGZRz61v7UHuZgUbmR/Wl?= =?us-ascii?q?kuyp2w1SzPbt0tkUWB5/FUZdyPxMlkstMr13LbcfvpLSuD+SaUz6pH7tyPehJF?= =?us-ascii?q?RJx8zYbUH3DIrEtWr5Uy0T434USJROyH7BC5sdjRB1aKExpFVDOIqmYFrx5yQ4?= =?us-ascii?q?x4R1GLm1Tdqkx0w4rXYAXSuqEMFMC+BnsFLWRD1qeIqnqJP7NJVOWmVQ4oGSq0?= =?us-ascii?q?9FkEVxNC600ZtcK8dR4jESWDhAvzCds8WuSM1Z2c57FJgMIs9htHf7HaNLIpmR?= =?us-ascii?q?o3kttbzoxX7V4Tc8sE21xD+rAa+3U/pZ/3ECGgUuP2mepVMvAPEq8mfO6V3Ns1?= =?us-ascii?q?d0/uldBriTjUV+vjd9HpZSBjlXz3CpNVJzQ2das+9CMqTab9RcQ+UuZR+oIxE+?= =?us-ascii?q?Cfkm30mS8EFogXv5Zjd9uhFc+y/DQwk+TTMVjav1mT0CtsGnPicXS5JSYjU7dS?= =?us-ascii?q?jFLx+UlDtKsxlBc0FqQ44WAtJb9LEBx4dU+dDCSUm0IyEfQBNiLh440eZYlUNb?= =?us-ascii?q?skWYfj7SABG1evnRqR14Y92RrNK3I/vk5gtHjJ3osPwg/aUZW3KmgRGtQczZr4?= =?us-ascii?q?LkrdKKuFeBeLv6PuGhb3LMVyTDjRe1hbg4FZbK5DTTPBBdK5Zk1XoueYLhBnLT?= =?us-ascii?q?PRRaO6IbIFJWVbpkZtpbouBVfdNkdb0N+a9qGBKIWA3jF5CorPZbMFnfXzLeID?= =?us-ascii?q?ud8uanu4Lc8aTdSfT8ZsyL33vHW7l3Potg5jbmB7fnypRe+k3r2vd36kx1V17G?= =?us-ascii?q?MzybrNv7IgMH/s6idlHtvpcxBzPZHI9wkGbxxkFHb8cXXzeq/4oGx5xE83vwVO?= =?us-ascii?q?Z40lTpsOJI6blk6I4347R3xseoP6vSLu5asUB/CBiOGgpq7oktAHR4R21Jf+AR?= =?us-ascii?q?Lu3ecL8EgsDose/7DasX6Aea++ZBc9vIO1nBmtWjCjGbURFEnh0OqSQdLguH0/?= =?us-ascii?q?6KgbF0RN2gpejk3kIt/1m+IQIHzL9344eE4bCEpOjNbxve1bIEQLTlRtvvrrQw?= =?us-ascii?q?vEOf/f8km6QIemx7eQ2nF/USWdAGy2f8168qyzksE8TZE7Lm5vFDS2oznij8lJ?= =?us-ascii?q?BlA1UWBvQUEKKN/YRahWo4murZNtgMfqBDnGaPGwSkHaUZyX638SuXPXVqgg3T?= =?us-ascii?q?0xHqX2y/9lj2rTV3QSHU1dfsjlJVVqWrBUdVRyepP054vy+IPArsrtX3or457E?= =?us-ascii?q?AxMmzjr9KNj3CsOLZYEszwPtCcJjM0pF0Php0rWtOvwZwbGca6INoJ7H5xdP/e?= =?us-ascii?q?5H2wky9do6ZHgJHT4tqJ9fXWA3agibGaq7SXyzxCzHg3o00/4Mi6Nv7S/92KX+?= =?us-ascii?q?io12EJQid7oAvBWh64p6fVr18KJEOL113Ll5YSPtFD2nk41F/p6/Q/QN4p8wVe?= =?us-ascii?q?DInAbesYpT/vIDv03UqfY9UvWymc0jtXG0n4EVxmF6k8xm3wpsPJlXHf+1EyQI?= =?us-ascii?q?l/aVDnjwRtD4okMUIt9EQXwi0bHAgMaBGUFqunClj+IIsfS0cDdQqI06Sgdqcw?= =?us-ascii?q?x01zzaul5PXPYuxkG6oNKvFdgxaVk1haAZIXv7cRQLB9e19B7K7YvBXiC4z8Uv?= =?us-ascii?q?f6kno/KOO6TdpH8cADsHsi+BywSwCn6ZdZ4LYRkIqIebJcYZjQoMB86F9q5SYV?= =?us-ascii?q?eSxRnBd/jx24UecGpODg+9Tbq4Sn6uKvVKYrWuUW+AM5B3xkgJvsnF8jod/W1+?= =?us-ascii?q?BGSo3Wk4j/8x5CI2SMuInE1xlwM+0OK5ikfLx47XUIOzAeJ24SPdqRc/Q8/zVt?= =?us-ascii?q?PyvX51NYBMMDe8gVM9fMmQBbi03pRKtc9tHBFV+CFod/bcYo4HTryDot65szTv?= =?us-ascii?q?7g6COqJZDY91xNMOlMjD9ym9LepOgY2v7SCCkL4XaHaxh62D6Cy4KXB/b24+qM?= =?us-ascii?q?1MneV0kaES4uT4ddOD2C9BSoRuWrkpXpTgSU6sj0jJIlak2QQn2xnKIYsqdDCu?= =?us-ascii?q?NAjjv03iJeF4/vnf6VtcSj6HdPvF1dDIlz9QHFGLlYPphjJRv4lNOkSVRnCyTj?= =?us-ascii?q?f8HUch4uuOuIyecW/+VxKVfxZY8BLhID0bL65mJfThFyR77uolaZQeURacNjSP?= =?us-ascii?q?PDqHBV9Y1gJLEUMViYpZzltDFIp04qAA4nb78wtD9adlLUkA1TRan0pKYKihEA?= =?us-ascii?q?Xt5hpU9MBWWwNXox5zXbTqRVl7CdBuEa/DuVT6wOVVhoMyxlThO63ZVhYb2pku?= =?us-ascii?q?5dvmNBhCN9r+Ag0yZ6SxukpS3su6UN1Coi+LG/tDUBv2ZJQfmekyfMFFVM0fUL?= =?us-ascii?q?jaYaC3b56ly8YWIObJXz4Ll5P8vg8ZQu43UlbRUlYSIGQfyqCzvsgKOQHoyPrN?= =?us-ascii?q?VciQaMuMXQd7CzKzMfNrAgyR3+Rnh91RPekAxv8GsRTTWq9MUkK5mlOcY52iqo?= =?us-ascii?q?HnDWdFQS7aNHvsvxsUUGTeUsZlNn3mpjztKLRisTS8zTA2w1lBQraX1YcJJf7h?= =?us-ascii?q?8XD6YogjKPvqhI4A4UZDPUH5+++onXm8fI2GUyQc1sxm3Iuq2Pnokq32F9m9No?= =?us-ascii?q?8i6Ov2wfd+7YU85sGnjz0YNfye3iZ/qzqe0HTYpmyKi7UPAcKMWj/nG22JpyUE?= =?us-ascii?q?+/2rseB0a5MPMExrrDTyelSGiYVP+Xc2iNgzk5MVD95R2yIl0xdshKs1c3MvHe?= =?us-ascii?q?iZ5Eiw3hTbR0Sz2VpV/az2wjMuQaehk0uIi9eAwKS+gRaPaaJeQ0xv0xFkcMZW?= =?us-ascii?q?fTHSRqE++2rUKtnI9jNnp7/0r6Z/jt/xv9MNuWHRkEDZLaroBv9vOnXG6BPmVg?= =?us-ascii?q?zBJqNklu6+jfD0gxtvNbc5uJhdjQgNB73vQfd/ZjNi09vtATl5lm6YmT18eKag?= =?us-ascii?q?/ewYroJdHSufiYGPzfz0Ilem1AVboZewz17Z0gPtElQ73TAadZvRMECKg0XpMh?= =?us-ascii?q?M2bx9LlqIw5ocw/RZbG0gsz0qeKRYptbuWXa7lUqLCfToxcD0OC7TRRnb5C2gH?= =?us-ascii?q?X/OJ4xRipbr91sFhRpApBCG8YBrwq7GZ6bhru3i9ir+0N1o+UKq7b/CujW1NSl?= =?us-ascii?q?2IV8R59a5UiVMzvKHKlrhl5qjv+ugvfBzpbxFdnids0aW+RhRG7KdKPGFJ2lKj?= =?us-ascii?q?2SIsL8Z1JG87mE3bJ9UxWRYj35XqWfuC2gNfVk+lk7ypdjcerS1jMt6bbb1MH1?= =?us-ascii?q?Z2FBqSeptWSJO4dH7FzWGezeWApZSeGb/2ZhHK0Xa5b09egJPdIt3Nic4xd87C?= =?us-ascii?q?5c38udOaestUzM1VxhdZLdMkTp3z02WZQFIBilNkssm2DZoGzHAXtANsikNdVt?= =?us-ascii?q?gNGNAxzo/UZ+hWEtZm9HGmrvXtqRJ2kb28Sgaw2O9QJLCcsDnuGtdU4/rK2yRv?= =?us-ascii?q?FiOo9ZluWyqLUHjdFpJjnNRMdAPCHQK6R5MyFMDuXJuFgoYhkEs6U6Woc1eZiC?= =?us-ascii?q?OkUHP1mcySnq1wvNzVX0d8Cw1KaOOCsZ6W5Iw7XB0ThNvAm5pe2Zjtf4UL/HcJ?= =?us-ascii?q?76RuXSPzQhVjGbQzQyDEmo9Ey4tPsEpvqYPHwfrkoaYy2IFA4Tvadvrd7KAm/U?= =?us-ascii?q?g+1jc4UAhOqGVCDoVC14iK0yCz5EtU+WWPUDDwjWYGHlgGdHpgyiIuVD/Wnkb7?= =?us-ascii?q?2F3KZVXfIZApdUeP2DX9TYYexeJysvljgBOua8etrcr6wj0lLJVmsUCK/I+0eb?= =?us-ascii?q?TEGIQ/yQ3TXrXZ8av4IsoCon5srQnjNrE6TPJ7ufvDCu8oukgyuZuuDTTXctbF?= =?us-ascii?q?IvgOIDAWiBxx9AJHsCC94LpEHnWrSAaFpU1HI1leJu3AcBeAZ0Un1o1n1bh/O9?= =?us-ascii?q?FdNERl4ai2OuWuEJY05tADM240CK/l66XdtVos3XRmlD5pMQWIEdK78u84CRN6?= =?us-ascii?q?wOk9gz2zczmzA3qyWQCRtmiwuB96fBVPZnyqZq+Xgz//YwWFqGBTzYbD6UmcKd?= =?us-ascii?q?F8tTyHI28jjf3M3Os7UobuNX?= X-IPAS-Result: =?us-ascii?q?A2FGBADcE6JY/wHyM5BeGwEBAQMBAQEJAQEBFgEBAQMBAQE?= =?us-ascii?q?JAQEBgyeBWRGOU6hYI4dzVwEBAQEBAQEBAgECXyiCMxuCIwI3FCALAwMJAhcpC?= =?us-ascii?q?AgDAS0VHwsFGASJPA2xNSYCiy4mj2ELBgGCaAyDDQWQQYsxkhQCgXmIWwyGIQK?= =?us-ascii?q?TFVh4CBkHAhIIGw89hEUdgX9Xh3IOF4IWAQEB?= Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1]) by emsm-gh1-uea11.nsa.gov with ESMTP; 13 Feb 2017 20:20:37 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v1DKKYNG027868; Mon, 13 Feb 2017 15:20:36 -0500 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id v1DKKNH1016507 for ; Mon, 13 Feb 2017 15:20:23 -0500 Received: from moss-pluto.infosec.tycho.ncsc.mil (moss-pluto [192.168.25.131]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v1DKKMrH027848; Mon, 13 Feb 2017 15:20:22 -0500 From: Stephen Smalley To: selinux@tycho.nsa.gov Subject: [PATCH] selinux-testsuite: Add tests for prlimit(2) permission checks Date: Mon, 13 Feb 2017 15:23:45 -0500 Message-Id: <1487017425-26654-1-git-send-email-sds@tycho.nsa.gov> X-Mailer: git-send-email 2.7.4 X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: Cc: Stephen Smalley MIME-Version: 1.0 Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP Add tests for prlimit(2) permission checks for getting and setting resource limits of other processes. The tests are only executed if the new getrlimit permission is defined by the base policy. Signed-off-by: Stephen Smalley --- policy/Makefile | 4 ++ policy/test_prlimit.te | 52 ++++++++++++++++ tests/Makefile | 4 ++ tests/prlimit/Makefile | 7 +++ tests/prlimit/child.c | 22 +++++++ tests/prlimit/parent.c | 164 +++++++++++++++++++++++++++++++++++++++++++++++++ tests/prlimit/test | 30 +++++++++ 7 files changed, 283 insertions(+) create mode 100644 policy/test_prlimit.te create mode 100644 tests/prlimit/Makefile create mode 100644 tests/prlimit/child.c create mode 100644 tests/prlimit/parent.c create mode 100755 tests/prlimit/test diff --git a/policy/Makefile b/policy/Makefile index de7b950..6537b68 100644 --- a/policy/Makefile +++ b/policy/Makefile @@ -38,6 +38,10 @@ ifeq ($(shell grep -q netlink_iscsi_socket $(POLDEV)/include/support/all_perms.s TARGETS += test_netlink_socket.te endif +ifeq ($(shell grep -q getrlimit $(POLDEV)/include/support/all_perms.spt && echo true),true) +TARGETS += test_prlimit.te +endif + ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6)) TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te, $(TARGETS)) endif diff --git a/policy/test_prlimit.te b/policy/test_prlimit.te new file mode 100644 index 0000000..d51d692 --- /dev/null +++ b/policy/test_prlimit.te @@ -0,0 +1,52 @@ +######################################## +# +# Policy for testing prlimit(2) permission checks. + +attribute prlimittestdomain; + +# prlimit_test(permission) +# Generate a pair of test domains and rules for +# testing the specified permission check. +# +define(`prlimit_test', ` +# Domain that is allowed $1 permission to the child. +type test_$1_t; +domain_type(test_$1_t) +unconfined_runs_test(test_$1_t) +typeattribute test_$1_t prlimittestdomain; +typeattribute test_$1_t testdomain; + +# Child domain +type test_$1_child_t; +domain_type(test_$1_child_t) +unconfined_runs_test(test_$1_child_t) +typeattribute test_$1_child_t prlimittestdomain; +typeattribute test_$1_child_t testdomain; + +# Transition from parent to child. +spec_domtrans_pattern(test_$1_t, test_file_t, test_$1_child_t) + +# Allow parent $1 to child. +allow test_$1_t test_$1_child_t:process $1; + +# Domain that is not allowed $1 permission. +type test_no_$1_t; +domain_type(test_no_$1_t) +unconfined_runs_test(test_no_$1_t) +typeattribute test_no_$1_t prlimittestdomain; +typeattribute test_no_$1_t testdomain; + +# Transition from parent to child. +spec_domtrans_pattern(test_no_$1_t, test_file_t, test_$1_child_t) +') + +prlimit_test(setrlimit) +prlimit_test(getrlimit) + +# +# Common rules for all prlimit test domains. +# + +# Entry into the test domains via the test program. +miscfiles_domain_entry_test_files(prlimittestdomain) +userdom_sysadm_entry_spec_domtrans_to(prlimittestdomain) diff --git a/tests/Makefile b/tests/Makefile index bb5868d..1311234 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -24,6 +24,10 @@ ifeq ($(shell grep -q netlink_iscsi_socket $(POLDEV)/include/support/all_perms.s SUBDIRS += netlink_socket endif +ifeq ($(shell grep -q getrlimit $(POLDEV)/include/support/all_perms.spt && echo true),true) +SUBDIRS += prlimit +endif + ifeq ($(DISTRO),RHEL4) SUBDIRS:=$(filter-out bounds dyntrace dyntrans inet_socket mmap nnp overlay unix_socket, $(SUBDIRS)) endif diff --git a/tests/prlimit/Makefile b/tests/prlimit/Makefile new file mode 100644 index 0000000..f11debe --- /dev/null +++ b/tests/prlimit/Makefile @@ -0,0 +1,7 @@ +TARGETS=parent child + +LDLIBS += -lselinux + +all: $(TARGETS) +clean: + rm -f $(TARGETS) diff --git a/tests/prlimit/child.c b/tests/prlimit/child.c new file mode 100644 index 0000000..0c385d6 --- /dev/null +++ b/tests/prlimit/child.c @@ -0,0 +1,22 @@ +#include +#include +#include + +int main(void) +{ + char buf[1]; + int rc; + + buf[0] = 0; + rc = write(1, buf, sizeof buf); + if (rc < 0) { + perror("write"); + exit(-1); + } + rc = read(0, buf, sizeof buf); + if (rc < 0) { + perror("read"); + exit(-1); + } + exit(0); +} diff --git a/tests/prlimit/parent.c b/tests/prlimit/parent.c new file mode 100644 index 0000000..be320f0 --- /dev/null +++ b/tests/prlimit/parent.c @@ -0,0 +1,164 @@ +#ifndef _GNU_SOURCE +#define _GNU_SOURCE +#endif +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +void usage(char *progname) +{ + fprintf(stderr, + "usage: %s [-g] [-s soft|hard] newdomain program\n", + progname); + exit(-1); +} + +#define RESOURCE RLIMIT_NOFILE + +int main(int argc, char **argv) +{ + char buf[1]; + int pid, rc, fd[2], fd2[2], opt; + security_context_t context_s; + context_t context; + struct rlimit newrlim, oldrlim, *newrlimp = NULL, *oldrlimp = NULL; + bool get = false, set = false, soft = false; + + while ((opt = getopt(argc, argv, "gs:")) != -1) { + switch (opt) { + case 'g': + get = true; + break; + case 's': + set = true; + if (!strcasecmp(optarg, "soft")) + soft = true; + else if (!strcasecmp(optarg, "hard")) + soft = false; + else + usage(argv[0]); + break; + default: + usage(argv[0]); + } + } + + if (!get && !set) { + usage(argv[0]); + exit(-1); + } + + if ((argc - optind) != 2) { + usage(argv[0]); + exit(-1); + } + + rc = getcon(&context_s); + if (rc < 0) { + fprintf(stderr, "%s: unable to get my context\n", argv[0]); + exit(-1); + + } + + context = context_new(context_s); + if (!context) { + fprintf(stderr, "%s: unable to create context structure\n", argv[0]); + exit(-1); + } + + if (context_type_set(context, argv[optind])) { + fprintf(stderr, "%s: unable to set new type\n", argv[0]); + exit(-1); + } + + freecon(context_s); + context_s = context_str(context); + if (!context_s) { + fprintf(stderr, "%s: unable to obtain new context string\n", argv[0]); + exit(-1); + } + + rc = setexeccon(context_s); + if (rc < 0) { + fprintf(stderr, "%s: unable to set exec context to %s\n", argv[0], context_s); + exit(-1); + } + + rc = getrlimit(RESOURCE, &oldrlim); + if (rc < 0) { + perror("getrlimit"); + exit(-1); + } + + rc = pipe(fd); + if (rc < 0) { + perror("pipe"); + exit(-1); + } + + rc = pipe(fd2); + if (rc < 0) { + perror("pipe"); + exit(-1); + } + + pid = fork(); + if (pid < 0) { + perror("fork"); + exit(-1); + } else if (pid == 0) { + dup2(fd[0], 0); + dup2(fd2[1], 1); + execv(argv[optind + 1], argv + optind + 1); + buf[0] = -1; + write(1, buf, 1); + close(1); + perror(argv[optind + 1]); + exit(-1); + } + + rc = read(fd2[0], buf, 1); + if (rc < 0) { + perror("read"); + exit(-1); + } + + if (get) + oldrlimp = &oldrlim; + + if (set) { + newrlimp = &newrlim; + if (soft) { + newrlim.rlim_max = oldrlim.rlim_max; + if (newrlim.rlim_cur == RLIM_INFINITY) + newrlim.rlim_cur = 1024; + else + newrlim.rlim_cur = oldrlim.rlim_cur / 2; + } else { + newrlim.rlim_cur = oldrlim.rlim_cur; + if (newrlim.rlim_max == RLIM_INFINITY) + newrlim.rlim_max = 1024; + else + newrlim.rlim_max = oldrlim.rlim_max / 2; + } + } + + rc = prlimit(pid, RESOURCE, newrlimp, oldrlimp); + if (rc < 0) { + perror("prlimit"); + write(fd[1], buf, 1); + close(fd[1]); + exit(1); + } + + write(fd[1], buf, 1); + close(fd[1]); + exit(0); +} diff --git a/tests/prlimit/test b/tests/prlimit/test new file mode 100755 index 0000000..5456ad5 --- /dev/null +++ b/tests/prlimit/test @@ -0,0 +1,30 @@ +#!/usr/bin/perl + +use Test; +BEGIN { plan tests => 6} + +$basedir = $0; $basedir =~ s|(.*)/[^/]*|$1|; + +# Verify that test_setrlimit_t can set soft limit of test_setrlimit_child_t +$result = system ("runcon -t test_setrlimit_t $basedir/parent -s soft test_setrlimit_child_t $basedir/child 2>&1"); +ok($result, 0); # we expect this to succeed. + +# Verify that test_no_setrlimit_t cannot set soft limit of test_setrlimit_child_t +$result = system ("runcon -t test_no_setrlimit_t $basedir/parent -s soft test_setrlimit_child_t $basedir/child 2>&1"); +ok($result); # we expect this to fail. + +# Verify that test_setrlimit_t can set hard limit of test_setrlimit_child_t +$result = system ("runcon -t test_setrlimit_t $basedir/parent -s hard test_setrlimit_child_t $basedir/child 2>&1"); +ok($result, 0); # we expect this to succeed. + +# Verify that test_no_setrlimit_t cannot set hard limit of test_setrlimit_child_t +$result = system ("runcon -t test_no_setrlimit_t $basedir/parent -s hard test_setrlimit_child_t $basedir/child 2>&1"); +ok($result); # we expect this to fail. + +# Verify that test_getrlimit_t can get limits of test_setrlimit_child_t +$result = system ("runcon -t test_getrlimit_t $basedir/parent -g test_getrlimit_child_t $basedir/child 2>&1"); +ok($result, 0); # we expect this to succeed. + +# Verify that test_no_getrlimit_t cannot get limit of test_setrlimit_child_t +$result = system ("runcon -t test_no_getrlimit_t $basedir/parent -g test_getrlimit_child_t $basedir/child 2>&1"); +ok($result); # we expect this to fail.