From patchwork Tue Feb 28 15:35:56 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stephen Smalley X-Patchwork-Id: 9596039 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id BB53760453 for ; Tue, 28 Feb 2017 15:36:51 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A9FF92851D for ; Tue, 28 Feb 2017 15:36:51 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 9DEF02852E; Tue, 28 Feb 2017 15:36:51 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from emsm-gh1-uea11.nsa.gov (smtp.nsa.gov [8.44.101.9]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 1472E2851D for ; Tue, 28 Feb 2017 15:36:49 +0000 (UTC) X-IronPort-AV: E=Sophos;i="5.35,220,1484006400"; d="scan'208";a="3538226" IronPort-PHdr: =?us-ascii?q?9a23=3ApPYhAhcboYWcsT2FzCT4GJeMlGMj4u6mDksu8pMi?= =?us-ascii?q?zoh2WeGdxcq4ZxCN2/xhgRfzUJnB7Loc0qyN4v2mAzxLvsbJmUtBWaQEbwUCh8?= =?us-ascii?q?QSkl5oK+++Imq/EsTXaTcnFt9JTl5v8iLzG0FUHMHjew+a+SXqvnYdFRrlKAV6?= =?us-ascii?q?OPn+FJLMgMSrzeCy/IDYbxlViDanb75/KBW7oR/PusQVjodvKKU8wQbVr3VVfO?= =?us-ascii?q?hb2XlmLk+JkRbm4cew8p9j8yBOtP8k6sVNT6b0cbkmQLJBFDgpPHw768PttRnY?= =?us-ascii?q?UAuA/WAcXXkMkhpJGAfK8hf3VYrsvyTgt+p93C6aPdDqTb0xRD+v4btnRAPuhS?= =?us-ascii?q?waOTE56mXXgdFugqxdrhyquhhzz5fKbI2JMfZzeL7Wc9EHSmpbRstfVzJPDJ6y?= =?us-ascii?q?YYUMCOQBJeRVo5TzqlQBsRSwChejBPj0xz9UhHL7x7E23v49HQ3Y2gErAtIAsG?= =?us-ascii?q?7TrNXwLKocTPy1w7fQzTXDcfxW3yr25pXNch87pfGMWax/cMrMwkQoDAPKk06Q?= =?us-ascii?q?pJf5PzKVyusNs2+b4/BmVeK0kWErsQ5xoj+xxso1jITCm4Ebykjc+Clkz4s4Ks?= =?us-ascii?q?e0RU5mbdK+DpdduD+WO5FrTs4kXmpmojw1yqcctp6+ZCUKzZMnyAPBZPGfaIiI?= =?us-ascii?q?5w7jVP6WITdlmHJpYLK/iAi28Uin0uD8StO70ExLripYidnArGwN1hzP5ciHTf?= =?us-ascii?q?tx5EGh1iqU1w/P8O1EJEE0la7DJ54gxL4/iIYTvFzeEiL5l0j6lq+belg+9uS2?= =?us-ascii?q?5OnrfK/qqoKEO49xkA7+M6AumsKlAeQ/NwgDR3Ob9vq41L3i+035XbpLguQtna?= =?us-ascii?q?nerZDaI9gUqbCiAwJOzoYi6wqwDzeh0NgCm3kHN0hKdAiIj4juJVHCOOr4Auun?= =?us-ascii?q?g1SwjDdrwOjLPr/mApXLNHfDjLfhcqx760NHygozytZf55dOBbEaPPL8RFXxtM?= =?us-ascii?q?fCAh8+KQy0zP7tCM9h2YMGRWKPHqiZPbvQsV+K/O0gP+qMZJQSuDb7Kvgl+eXj?= =?us-ascii?q?jXE9mV8AcqimxoYXaHakHvR7OUmZZmDsgtgZG2cQogU+VPDqiEGFUTNLf3a9Qb?= =?us-ascii?q?kz6S89CIKnEYfDQZuggL2f0yilAJJafGdGCkqDEX3wbYWLR+8MaD6OIs9mijEL?= =?us-ascii?q?SL+hS4kn1R6zqgD6z7tnI/HO9SIGr5Lj08J55+rJlRE97TZ0FdiS03mRT2FomW?= =?us-ascii?q?MFXyI53Lxlrkxn0VqMza94g/lEGtNJ/PNJTh02NZjCwOxmE9ryQB7Ofs+VSFa6?= =?us-ascii?q?RdWrGTAxTtQtw9AQZ0ZyBdCigQ7f3yqwA74YjLuLBIQq/aLa2nj+Pcd9y3Ld26?= =?us-ascii?q?kmgFgqWMxPNXephqRn7QjcG5bJk1mFl6atbakd3C/M9GCFzWeVuUFYVBd8UaTD?= =?us-ascii?q?XXwFYEvZt8755kDDT7+wF7srKA1BxtCeKqFScN3mkU1GROv/ONTZe2++hX+wCg?= =?us-ascii?q?ySxrONd4rnYH0d0z/HCEgFiAAT5XKGOhIiCSi/uW7eCyZuFV33aUP27eZ+sG+7?= =?us-ascii?q?TlMzzwySYUxh1r61+hsLivyGUP4T0KwLtzomqzVuBlm9x8jWC92CpwV/YKpcfc?= =?us-ascii?q?kx4FBd1WLWrwZ9JICvL7h+hl4CdAR6p03u1w9tBYVGjccqrWgqwRF3KaKA0VNN?= =?us-ascii?q?biiY3J7rOrHNLWny5h+vYbbM2l7CyNaW5rsP6PMgplXgpg6pFU0i82h83tlWyX?= =?us-ascii?q?Sc5ZLKDBcIXZL2SEY3+ABwp6vGbSkl+4PUyXpsPLGuvTDfwdIpBfUqygy7cthF?= =?us-ascii?q?LKyEERX+E8oAB8ihMOYqgUSmbgoYPOBO8645J9+peOGC2KG1J+ZggDKnjWNc7Y?= =?us-ascii?q?Bmzk2M9jRzSujU35YE2f6UxA2HWCngjF25qMD4hZhEZS0OHmq40SXkBJBeZql2?= =?us-ascii?q?fYYMEmquJ9C3xsl5h57oQXFU7lmjB0kJ2MWxYxqdc0T93RFM1UQQuXGngiW4zy?= =?us-ascii?q?ZzkzEysqqSxzfOw+LldBsJP25EXm9igU3qIYeqk9AQRFKoYBQxlBu5+Ub6wLBW?= =?us-ascii?q?paplIGnXXUdHYTL2L3p5X6uuqLWCedVA6I4tsSlNV+S8e1+aQKbnoxQGyyPjA3?= =?us-ascii?q?dexDcjejG2p5r2gh16h3iZLHtosHXZfsRwygvF69zHWf5dxDwGSzdkiTPPHFiz?= =?us-ascii?q?I8Gp/cmIl5fEqu2+UWOhVplXcSb11oONrzG06nNwAR24hfyzncfnEQci2y/hy9?= =?us-ascii?q?ZqTTnIrAr7YoTzyaS6MP5oflVvBF/m8cZ1BoF+kow2hJEfwnUagpSV/Xwdnmfp?= =?us-ascii?q?NtVXw6X+bGACRTQT2d7a/BDl2FF/LnKO34/5UnSdwtB9Z9WjeWMZxCY978FMCK?= =?us-ascii?q?eJ471JhjB1okK5rQLXYPhygiwdxeEo6HEEn+EDoBAtwTmFArAOAUlYOjThlw6P?= =?us-ascii?q?79C6qKVYenyvfqS31Etwht2hF6yCrR1HWHrjfZciByBw5N1lMF3QyH3z9p3keN?= =?us-ascii?q?7IYNILrBKUjhPAg/JPJ54rjfUKgi5nOX76vX0j0OM7iABi3Ze9vIebMWlt+ry2?= =?us-ascii?q?AgJAPD3ve8wT4i3tjbpZnsuO3ICgAJNhGi4QUZvrU/2oFikStfL5OAaSCjE8rW?= =?us-ascii?q?2bGbXHFw+F9Ehmt27PE4ysN3yPPHkW18hiRB2DK0xHmg8UWik6kYAjFg2x2czh?= =?us-ascii?q?a1l25ioK5lLisRtMzf9oNwPjXWjBqgeobS00SJeBIxZM6AFN+VvVO9SE7u1vBy?= =?us-ascii?q?FY4oGhrAuVJ2yFYQRHEHoEWlKCB1/+Prmi/9/A/PaEBuCmNfvBfa2OqfBCV/eP?= =?us-ascii?q?3Z+vypFp/yuINsiUInZiDuE720paUXB3AcvZnS8DSysNlyLCd8Sbvguz+jVrrs?= =?us-ascii?q?Cj9/TmQAHv5IuLC7RMKthv/he2gamNN+GOmCZ5NTZY1pQJxXDW0rQf2kAdiz12?= =?us-ascii?q?fTm3DbsArTLNTL7XmqJPAR4UcSVzNNdP76I5xQRNN9DUhc7y1r5ilPE1E01FVV?= =?us-ascii?q?vjms63ecMKP3uxNFTdBEaELL6GPyHEw9nrYaOgTr1dlPhbtxuqtjuADkDjOC6M?= =?us-ascii?q?myPuVxC1PuFGlDubMwBGuIGhbhZtDnDuTMj7ZRKmK9J3gjg2wLIuinPMK2EcLS?= =?us-ascii?q?B2c1lRob2I8SNYnvJ/FnRb7nZ/I+iIgSOZ4PPcKpYRsfpmGT57mP5f4HggzLtV?= =?us-ascii?q?9i5ETuRvmCTOtt5uv02mku6XxzppShpBtCtEhJmRskVkJaXZ8YJAVG3e8x0R6G?= =?us-ascii?q?WcERMKp8FqCtf3oaBf1sDPlL7vKDdF69/U+9EcCNLMKMKfK3chPxvpGCTPDAsZ?= =?us-ascii?q?Qz6rNGffiFZbkP6O932atJw6poLrmJoURb9RTEY1Ge8CCkR5ANwCJ496US4/kb?= =?us-ascii?q?GFlsEI6mC+owPPRMhBpZDITPGSAej1KDmDl7VEYwYIwbXiIoQJL4H7x0tialp6?= =?us-ascii?q?nYTNAUbQW85CojF5ZA8uvEpN6GR+TnE020/9cQyt4XATFfmynhMtlwRxf/8i9D?= =?us-ascii?q?b27FcxPFbKozEwkEYpk9X/nT+RaCLxLLu3XYxOESX0uFI+Mo3lTAtuag2yhVJr?= =?us-ascii?q?NDHBR71LjrtgcXtkiAjTuJdVHv5cV6JEagcKxf6Lf/UozUhcqiK/yE9b4uvFDI?= =?us-ascii?q?FulBEtcZ+tsX1A3RlsbMQyJaPOJ6pE1URfhqWLviC0zO8x2xMeK1wL8GyMZC4C?= =?us-ascii?q?oFYIOaU+Jyq04uxs7hSPmz1dd2cWU/onufFq9kQmO+Sc1S3g1aVDKkOwN+CFKa?= =?us-ascii?q?OWpXTAn9aSQlwszkMIi1VF/b9u3Mc5bUWUTF4gw6GLFxsVNcrPMhpab8tI9HfO?= =?us-ascii?q?eiaOv/3NwYhrMIS9DOzoS/GBtLoMiEK+AAkpB5gM7tgGHpS0zU7XN9nnLL8Yxh?= =?us-ascii?q?U2/wnkPk+FDO5OeBOFizcIvd2wzIJt3YlcOjEcAX9xMSOp6bbLvgUqmuaMXM8q?= =?us-ascii?q?YncGWYsJLnY2WMqgmyFHuXRBDT633/kWyAiE8j/wvCPQDCPzb9B7fvebeQtsCM?= =?us-ascii?q?2q+TU466W2kkDY8pHfJ2H8KNRjtcTC5v8dp5aCF/xbV6J9s1vGl4leWXOqT3bF?= =?us-ascii?q?EcSpKJjod4kscdv0B26nXVOjjjI1SMHxPMqwIqWTnwHnW5xUsIia3TAkM8+xDD?= =?us-ascii?q?ceFAlsp+sb/qJzeRUDY4YnYR7vrwk+NLa/IQeC3dWoX2atKSBbT/ZYzeWie7Nb?= =?us-ascii?q?1SwsYfGmyHE4VJE10/G38VIRRJENlhze2fejZ4xZUSjvGnxcex7Cqjc4l2lhLO?= =?us-ascii?q?k92f0zwBXWvlkAKzqLbvBmaHRYv9EgAlOfOXp2CnAiSF+akYrO+Q+s37cc/itb?= =?us-ascii?q?g9ZU0fNKsHn4vp/Dfj2sQranqZPLvCo8ddImubF+MZT/Isuas5PThibQTJ3Rsg?= =?us-ascii?q?KZTiG1D/9am9hWICJfRvlHg3ooNtcHuYVb70o9T8k+J6FVBKkquL+qdSJuDTQO?= =?us-ascii?q?wi8BS4OAwDsCj/+n1LTEkBeda44tPwEasJpcmNsdSDR5YjkepaO5UIXWjWCEQH?= =?us-ascii?q?ARIAgP9QRM+B4Alohoc+D/5orITYNDyz5Ro/JwSSvFDoBm+UbhRGyKhlb1U+mu?= =?us-ascii?q?k+us3Q1O1v3sycUbVAR5CUdD2+ZcjlEoJ61vK6kMoo7KtSeFel/4vG331OSrP0?= =?us-ascii?q?VeycrQd138DYrKq3D8UjEC9nIIRY9D0nbfFY4dkwBhcqYkuE1MIJy6ekb5/zEk?= =?us-ascii?q?3Z5mH6O/Vc+w3FslsWwGSD20E9VfD+FmsVTXWDJhY5Cqp5XlO4lSQmFK952Hrl?= =?us-ascii?q?dVikNtPDClyZBEMcFC/iYMXCRToTWapNazRtdP1tN2D58NJ9d/um3yGKBfNZiQ?= =?us-ascii?q?vXI5pKLgxmXe+zAmv1ew3C+zFLOgT+JF420eHR0kJ3yZqkkrFeQs6GnT8lfJsl?= =?us-ascii?q?B65OpbA7+PjUJqoDljAp9OHDFJ1Wu+L1RySnlGvP9WKKPPc8xTW/MyfwOgOwQi?= =?us-ascii?q?Ff462EyE5Vt7nW3kYyx0rAda+DvQXwg1VSkUnrfigicSqse5Nj8GU5hIdykubz?= =?us-ascii?q?/ZKwKHniBapApfa0ZvW50CHtZJ57Qb0pBO8srEV0msNTkPXAZ+OQIgzfpfiUlD?= =?us-ascii?q?vV2YeS/HFwqnb/LPvQBscMiMssGpNOz58xlDioz5quA07aIDR2epmQe1W9DRs5?= =?us-ascii?q?f8tsGWtkuJbKr4Meq8bmHaQTfRkx+wnqkrD4PW/yfNLQVXMZ96xmQ4YZL5E27E?= =?us-ascii?q?IQxGJ74HJ0pcTa11cttGrfxGa8JmZaoE97RgCQ6ARhPqBIOgtuJGLkrJSTTYMS?= =?us-ascii?q?qB7vS1oZjP4rzFVejgesuMym7dQ61pI5h66SP0G6vx3I9a/Ur2xOli+l1mRljB?= =?us-ascii?q?Li+Oss7tJgUV68m+bkHipIEmHSvKAJdsl3rg3llAd9ELQyKw7ZsY1IhU6G33Se?= =?us-ascii?q?JlyEj8rPNd97946Ykt+b9pzd24JaDIKfRVqUVnGASbBh129pUxB2hyX3xRYvUP?= =?us-ascii?q?J/jPYKsUlt3uq+TrF6wN8hKV5e1ZadzDJ07fhsmzEDacSQZLnA0Zsz4VMhOc1+?= =?us-ascii?q?KZm69zUculoPL22kYp41egMh4G0Kpi6p2f96qOuuDXcwDRwqQeVajyWMz/tLIs?= =?us-ascii?q?tF2O5fc8jr4BZnR1YxG7EOgaTsMdxH3vzbotzSI3F8PMBazg9eVGV3IkmjLgh5?= =?us-ascii?q?F9EEkXGvwOG7qL5p5SnmAim+zWLtcWaLxNmn6TFR64Fb8P0Xyr5DGRIGlrmBHO?= =?us-ascii?q?1Az/Tn2o4V/qtyB4RzDMz9D5nkpTSLa3GV9YXzC1Nk9grDOPIA3oucL4uaQo7U?= =?us-ascii?q?E2Nmjku8yIlGa6JbxYAdbwJN2GLikyvl4Xi4cxRtO304ABBdW9OMsR8G15bvbG?= =?us-ascii?q?7WOrlzRMo6ZBh4rb+M2V+/PXHXe6j6KAsLWN2CpYymUkslEj99CgLO/B68eNQ/?= =?us-ascii?q?Sy2GYbVz1/tBfZXx6ptrzbqEgZOUmM0EfNhIwKMc9W0GI91kHn/ucjRsw89BlQ?= =?us-ascii?q?F4bHffMCpivzNCHywVmBf9I9TjOe3CdPHlLpDVl4H7Ax2GbrvMLMlXrd4FMoSZ?= =?us-ascii?q?dteEzgnxx4FZ04KVgq6FgV3CUMDRQNZQqcDLGyCkTvNZEEWlQbaRSbwLi6fb86?= =?us-ascii?q?3VZpzbOx/uDTYvJzB7EWO/ZGlAGOgkJUGp0Ivq0FWr58fUFS9LLPrAj4F4fnR+?= =?us-ascii?q?TmlWY3NfCtQMBa8MUZumAn4gmhRxuv941D77cdiJCHbKJEZ4bDvNxk5Ud9+TEP?= =?us-ascii?q?bjBNgAR4jx6hUOAdpfrs7cLHv5ez8eahSrotSPsL+BQuAGR+lZTwikg5od7Lz+?= =?us-ascii?q?dcVpHViYPn/Q9WIn6Ko4jb3AN+KeoPN4KrZKxv92gDJyUFO30OOseZZOcm7C9w?= =?us-ascii?q?KjXT4EZCDdkWadMfJsrNlhheilf1V7FL6srbBliYBp9rd88y82r41DA18JU7Uu?= =?us-ascii?q?b66z+6PIvf4E9JP/NCiiVsid3DqfMNwfXIFCgY/XmZahZywiOYyJmBEfXw8vuW?= =?us-ascii?q?yNHSSVwGGjQ6U4BHJDqN4QanXPa6lI31UgOI7c/+mI4+dFiOSXy1hqsFtLhDHP?= =?us-ascii?q?VdhSX60TheF5z1iOiOs9W28mtXq0dLEIBt4h3ZAK9fJIl0OQzklsm3QUhxHiT/?= =?us-ascii?q?d9vOdhUwpOqWxvwB4+F/N0vie4AbIggLy6/h6XZPSAthVqL2tE6DXe0NfNtmVO?= =?us-ascii?q?/ErndN5IJvNaAPOkSdpJvtrjtPs1A5HgspaL42rjxHeUjDhwlVVLjuuL8AkAQQ?= =?us-ascii?q?S9h5tlFQGWioImIx+yLHVbhJjKmWEPEV9DSTQbAJU0VsKCx+WAm52JRpe7uuhv?= =?us-ascii?q?BHqXhLniZyrfklyTBmQwG8uSL0raIXxT0g4K24tCkGuXFdQeWRjzzICU5awPoX?= =?us-ascii?q?gqkSDXfi6VqhYHgMd4by77xnKt7m9YY/+Xg/Zg8jfyIeV+S6Fy7wl7+IApCIsN?= =?us-ascii?q?9Ehh6Nv8XObbmpIScONrQ9zQ/jSGV80wjfmhZo62gLQjS74d86JYW9J9wqxi61?= =?us-ascii?q?FmjabloM5L1GsNfpv14RUOQ2cU9hwHlk0sWfRy0NWtbAG2AugwggdGVLbZND6R?= =?us-ascii?q?gBF6UyhTaIpKZG9BkOYDjICoSl5pXQncDQ1Hk/U9hqyGzWpqmei5IkynJlnc17?= =?us-ascii?q?7jKUtHQUaePYT9dmAmLv2YdH1ez+e/Ktv/gISItiz7SgXuENMs2n+Watw5VqXU?= =?us-ascii?q?mlxrUCEFajNu8M2KvbWT+/SWKEQeSLb3SMnzEhP07w5RmpLkU3aMBOr088LuvN?= =?us-ascii?q?mIVRlwjgUbNoXCWfu0XXzGs5MeMVbwg2opuoexQWTO4NYOiRPfQuwPw7CFYXc3?= =?us-ascii?q?/JHDd5C+yovl6phoR7PWtv4Vnia+T37g/mKMeSGgUDEYPCq55x+P+6RmGGOXJ7?= =?us-ascii?q?zh19Jkp09+DZF1svsO9QaZCRksbMh95jy+4Ka+9tMTEhut4Ugo9s8peb0MGWcR?= =?us-ascii?q?zK1ZbyIdbVouSEA/3B0UslZ3tWUr0DYQP6/486JMI2W6XPHbtFuhQRHaY6T4Il?= =?us-ascii?q?N2fw7KF7Mhh+cw/QZLSxh8nluPiLZp9KqHPM6VIwNijcsQUZyvOoVQx7c4yqh3?= =?us-ascii?q?LqLZE+XjJBtdxtBQd4E4ZUHsMArhanA4SKl62hjN+x4Ux6sfcQsaXsEvDKyMi5?= =?us-ascii?q?34JpUphd4UyEIi3cBLFvgkt/leSynvbA3YXtCcP4Z9wLSvJ3QmjbZb/aBo+/MC?= =?us-ascii?q?6BOtrge05a9L6RyLZ5UhSXZCDkUKuKrSmkNPR/4UUn0Yx1Z+vTwyYr77Hcwtfy?= =?us-ascii?q?YHtbpii7p36TKJRf9EDKBfDZXx9MUvqK7mJlHawRbYvp++YCNtMswMSc4wZt9j?= =?us-ascii?q?RNztOFLLK6o0/PxE17b5TbI1Xt2ykiRIkKLw6zMUw2gW/Wsn7dG2hTLtC4Kclx?= =?us-ascii?q?h9aYFhnt6FNtlmEtZ25BHG3oSMyPOWga3cKxegmK9ANND9YekO+7Y0k4tre9Se?= =?us-ascii?q?NwIJVKhf2qtKkbkdZuMyzPRtJVPyLXLLBtJTdRE+PPpEQoYh4Drrg1VYc1ZYSU?= =?us-ascii?q?LEMBLkiA1Tv4zRHe3k3sa9ysyKGJLT4N/XpcyL7F1TlMpxKlufaCmMHjS67WY4?= =?us-ascii?q?3sUP7JLiUlUjCaRTIvEUem4lqrp/oFvOCFIWcEuFwVbDidCBIIpqBoq9jcFGjT?= =?us-ascii?q?mfdsfJcSnvCVRzjwSDFklKo1HitLulqDTOEZFQnXcXDhhHFRuBKmJvBW5nLlbq?= =?us-ascii?q?CYyrBTW+MIHotGaueZTMfAefBCOzcokS0UOOS5f93btbY5yFPITXACHqnO7lKe?= =?us-ascii?q?SVCZQv2GyzLsR4UVsJA+ujA09dLIgi93D6PIMq6Epz6g9463kCeVtO7FW2kzfU?= =?us-ascii?q?M1muMCAWiGwBlGMm0EDc8auF31SK6ae0lMzG4pif5p2xIUegRzVXtu0nlNkfa4?= =?us-ascii?q?BMJWVFAUjGS0QPIacl97FjUw8lGW4l66XdtVocnOQ0dG/6YIDI8aK+MlroLQPf?= =?us-ascii?q?g+2vEsiQl6rTQ6viPVNFZUigaI4uKEB65n7qFT7mk/ufdtVweARC2JITuP8Zav?= =?us-ascii?q?F88anXQmmnvjzceB+7o1OQ=3D=3D?= X-IPAS-Result: =?us-ascii?q?A2GoAwCAmLVY/wHyM5BeGgEBAQECAQEBAQgBAQEBFQEBAQE?= =?us-ascii?q?CAQEBAQgBAQEBgyWBao5Wj0gGmF0miDBXAQEBAQEBAQECAQJfKIIzIoIjAiQTF?= =?us-ascii?q?CALAwMJAhcpCAgDAS0VHwsFGASJSQ2yZTomAosVJoYHiVoRAYYBBY9Tf4tRkiw?= =?us-ascii?q?CimCGNAKTMlh5CBkIAhIIHQ8+hE8dgX9Xh0KCLgEBAQ?= Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1]) by emsm-gh1-uea11.nsa.gov with ESMTP; 28 Feb 2017 15:35:40 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v1SFWwo1020774; Tue, 28 Feb 2017 10:33:37 -0500 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id v1SFWlQT068369 for ; Tue, 28 Feb 2017 10:32:47 -0500 Received: from moss-pluto.infosec.tycho.ncsc.mil (moss-pluto [192.168.25.131]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v1SFWbcq020759; Tue, 28 Feb 2017 10:32:38 -0500 From: Stephen Smalley To: paul@paul-moore.com Subject: [PATCH] selinux: wrap cgroup seclabel support with its own policy capability Date: Tue, 28 Feb 2017 10:35:56 -0500 Message-Id: <1488296156-2169-1-git-send-email-sds@tycho.nsa.gov> X-Mailer: git-send-email 2.7.4 X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: Cc: Stephen Smalley , john.stultz@linaro.org, selinux@tycho.nsa.gov, kernel-team@android.com MIME-Version: 1.0 Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP commit 1ea0ce40690dff38935538e8dab7b12683ded0d3 ("selinux: allow changing labels for cgroupfs") broke the Android init program, which looks up security contexts whenever creating directories and attempts to assign them via setfscreatecon(). When creating subdirectories in cgroup mounts, this would previously be ignored since cgroup did not support userspace setting of security contexts. However, after the commit, SELinux would attempt to honor the requested context on cgroup directories and fail due to permission denial. Avoid breaking existing userspace/policy by wrapping this change with a conditional on a new cgroup_seclabel policy capability. This preserves existing behavior until/unless a new policy explicitly enables this capability. Reported-by: John Stultz Signed-off-by: Stephen Smalley --- security/selinux/hooks.c | 7 ++++--- security/selinux/include/security.h | 2 ++ security/selinux/selinuxfs.c | 3 ++- security/selinux/ss/services.c | 4 ++++ 4 files changed, 12 insertions(+), 4 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 9bc12bc..7163fed 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -480,12 +480,13 @@ static int selinux_is_sblabel_mnt(struct super_block *sb) sbsec->behavior == SECURITY_FS_USE_NATIVE || /* Special handling. Genfs but also in-core setxattr handler */ !strcmp(sb->s_type->name, "sysfs") || - !strcmp(sb->s_type->name, "cgroup") || - !strcmp(sb->s_type->name, "cgroup2") || !strcmp(sb->s_type->name, "pstore") || !strcmp(sb->s_type->name, "debugfs") || !strcmp(sb->s_type->name, "tracefs") || - !strcmp(sb->s_type->name, "rootfs"); + !strcmp(sb->s_type->name, "rootfs") || + (selinux_policycap_cgroupseclabel && + (!strcmp(sb->s_type->name, "cgroup") || + !strcmp(sb->s_type->name, "cgroup2"))); } static int sb_finish_set_opts(struct super_block *sb) diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index beaa14b..f979c35 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -71,6 +71,7 @@ enum { POLICYDB_CAPABILITY_OPENPERM, POLICYDB_CAPABILITY_EXTSOCKCLASS, POLICYDB_CAPABILITY_ALWAYSNETWORK, + POLICYDB_CAPABILITY_CGROUPSECLABEL, __POLICYDB_CAPABILITY_MAX }; #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) @@ -79,6 +80,7 @@ extern int selinux_policycap_netpeer; extern int selinux_policycap_openperm; extern int selinux_policycap_extsockclass; extern int selinux_policycap_alwaysnetwork; +extern int selinux_policycap_cgroupseclabel; /* * type_datum properties diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index c354807..d850c76 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -46,7 +46,8 @@ static char *policycap_names[] = { "network_peer_controls", "open_perms", "extended_socket_class", - "always_check_network" + "always_check_network", + "cgroup_seclabel" }; unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index a70fcee..b4aa491 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -74,6 +74,7 @@ int selinux_policycap_netpeer; int selinux_policycap_openperm; int selinux_policycap_extsockclass; int selinux_policycap_alwaysnetwork; +int selinux_policycap_cgroupseclabel; static DEFINE_RWLOCK(policy_rwlock); @@ -1993,6 +1994,9 @@ static void security_load_policycaps(void) POLICYDB_CAPABILITY_EXTSOCKCLASS); selinux_policycap_alwaysnetwork = ebitmap_get_bit(&policydb.policycaps, POLICYDB_CAPABILITY_ALWAYSNETWORK); + selinux_policycap_cgroupseclabel = + ebitmap_get_bit(&policydb.policycaps, + POLICYDB_CAPABILITY_CGROUPSECLABEL); } static int security_preserve_bools(struct policydb *p);