From patchwork Fri May 5 13:53:15 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Stephen Smalley X-Patchwork-Id: 9713595 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 9813F602B9 for ; Fri, 5 May 2017 13:54:04 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8333828675 for ; Fri, 5 May 2017 13:54:04 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 77C39286A0; Fri, 5 May 2017 13:54:04 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from emsm-gh1-uea11.nsa.gov (emsm-gh1-uea11.nsa.gov [8.44.101.9]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 20ABA28675 for ; Fri, 5 May 2017 13:54:02 +0000 (UTC) X-IronPort-AV: E=Sophos;i="5.38,292,1491264000"; d="scan'208";a="5514779" IronPort-PHdr: =?us-ascii?q?9a23=3ARIA28BGsiSPW9TUuAxr9T51GYnF86YWxBRYc798d?= =?us-ascii?q?s5kLTJ79p8m8bnLW6fgltlLVR4KTs6sC0LuI9f68EjJfqb+681k6OKRWUBEEjc?= =?us-ascii?q?hE1ycBO+WiTXPBEfjxciYhF95DXlI2t1uyMExSBdqsLwaK+i764jEdAAjwOhRo?= =?us-ascii?q?LerpBIHSk9631+ev8JHPfglEnjSwbLdzIRmsrAjcucYajIpgJ60s1hbHv3xEdv?= =?us-ascii?q?hMy2h1P1yThRH85smx/J5n7Stdvu8q+tBDX6vnYak2VKRUAzs6PW874s3rrgTD?= =?us-ascii?q?QhCU5nQASGUWkwFHDBbD4RrnQ5r+qCr6tu562CmHIc37SK0/VDq+46t3ThLjlS?= =?us-ascii?q?kINyQ98GrKlMJ+iqxVqw+lqxBm3YLYfISZOfxjda3fYNwaX3JMUMVMWSJBHI2y?= =?us-ascii?q?YYkAD+QGPelEqIfyqFQArQO8CAWxCu7g1CRIi2Tq3aA5yektDRvL0BAiEt8IrX?= =?us-ascii?q?/arM/1NKAXUe2t0afI0SvMb+tW2Tjj7ojDbw0vofSWUrJ0dcre10kuHB7Cg1WL?= =?us-ascii?q?tIPlJCiY1vgNsmeH7+pgUviji2g8qw5ruDSvycAsipfQi48T11vK9j15zZ4oKd?= =?us-ascii?q?C3R0N3e96pHIZKuy2EOIZ6XNkuT3xutS0n0LMJo4S7czIPyJk/wh7fbOGIfJaQ?= =?us-ascii?q?7xL4UeaRPS94hHV4eLKjnxqy8Vavyun7VsSszFZFtDBFktjRtnAWzRDT9siGRe?= =?us-ascii?q?d9/kemwzqP0Rzc6vpYLkwukKrbKpohzqYxlpoVr0vDAjf7lFj5gaKZbEkp+vWk?= =?us-ascii?q?5/75brjpuJOQLZJ4hhn7Mqs0m8y/Beo4MhIJX2ie4em8z6Ps/Un4QLVMk/03nb?= =?us-ascii?q?DVv4vdJcQGoK62HxFa0p045hajDzapzNQYnX4dIFJDYxKIlZLlO17JIPDmFfu/?= =?us-ascii?q?mUijkC93x/DaOb3sGpfNLn/FkLj7YbZ961RTyAwowNBd4JJUDLQBL+joWk/tqt?= =?us-ascii?q?PYFAQ5Pxazw+b9B9V3zpkeVn6XAq+FLKPStkeF5uAtI+aWeIAVuy39K/8j5/7v?= =?us-ascii?q?k380glEdfa203ZoYc3+4A/JmI1mEYXb2hdcBC2gKtBIkTOP2kF2CTSJTZ3GqUq?= =?us-ascii?q?0h4TE7DoSmAprdSYCpgbyMxz20EYNMZmBBEFyMFm3od4qcUfcWdC2SOtNhkiAD?= =?us-ascii?q?VbW5VoAhyQuhtBXhxrV7KerU/zEXuoj41Nhp/eHTkw899SBsBcSHz26NV310nn?= =?us-ascii?q?8PRzIu3aB/p1B9xUmH0admhvxXC8BT5+lJUwohMp7c1/J1C9b3Wg3bf9eJTE2p?= =?us-ascii?q?QtKpAD0rSdIx2dAOaV5nG9q+lhDDwzaqA7gNmr2LBZ009aTc0mP0J8Z50nrG1a?= =?us-ascii?q?8hg0MgQsRVL22mha9/9xbNCILTlUWWibqqf7wG3CHR7GeD0XaOvEZAXQ9+UKXF?= =?us-ascii?q?WXUfaVXMrdni6EPNUaKhCbM9MgRb0c6CMKxKat/3glpaWPfvItPeY3i+m22oHx?= =?us-ascii?q?aH2quMbJb2e2UaxCjdBlIEnBoV/XmaNAg+HTyso2fGDDxvDF7veE3t8fJkpHO8?= =?us-ascii?q?VE80wBmAb1d92Lqt5h4VmfucRusQ3r0euychrCh0EU2+393MCNqAoBdhcL9bYd?= =?us-ascii?q?Mn71dNzXjZuBBlPpy8M6BigUYTfB5qsEP01hV4FJ9AnNMwo3w2yQp+M6WY0ElO?= =?us-ascii?q?dzmAx5D/JqXXKnXu/BCoc6PZxkvR0NKI9acU9PQ5q1LjsRqyFkU+8nVozd9V02?= =?us-ascii?q?ed5prQFgYSV4z+Ulov/Rhgu77aejU955/T1XB0Kqm0vCXC29UyBOs50RugZNFf?= =?us-ascii?q?MKSKFQ/3CcIaAdKiKOo0lFi1dhgEJvxd9LYoP8O6cPuLwKCqM/xknDK6k2tH+p?= =?us-ascii?q?t931mS9yViUO7HxIsFw/SC0guATTf8g0+rstrrloBceTESAm2/xDD4BIFMe6Jy?= =?us-ascii?q?fJwECWO1LsKrwdV+goLiVGRD9F6/HV8G3tGmeQaKZVznwQJQzVgXoWCgmSag0T?= =?us-ascii?q?x0ki0mrraY3CzU2ejtaBoHOmlNRGltllrsJYm0j9YAU0iyaAgljhyl5Vz1x6JD?= =?us-ascii?q?vqRwM3HTQVtUfyjxN2xiVqqwtqGeY8JW85MnryFXUOW6YVCHRb/wuAAa0zviH2?= =?us-ascii?q?tYxTA0ayqqto//nxNklGKXNGxzo2bBecFs2Rff48TRReRW3joCQCl3lyPXCUS7?= =?us-ascii?q?P9in5tiUjIrDvfylV267UZ1Taybrx5uatCSn/W1qHQG/n/erl93/Cwc6zCv728?= =?us-ascii?q?NwWinStxn8ZY3r17i9MeJhZURoAUPw68x9Go5iiIcwgo8f2WQCjJWP4XUHiXvz?= =?us-ascii?q?Mclc2a/mb3oCWzgLw8XO7QjmxkJjKGmJx4TnWXWB2MdhYMO6YmwO0CIn889KEL?= =?us-ascii?q?uU7KBDnSZtulq3tx/RYfxjkTcF0/Qu7mIajP8TuAc20yWdGa4dHVNDPSD2jBSI?= =?us-ascii?q?6M2+rL9La2mxf7iw01B+nd+/A72YpAFTRmr5cI84HSBs9sV/LE7M0Hrr54H6ft?= =?us-ascii?q?nfcMketgOSkxjdj+hZMpQxmeQWhSB/I2LyoWUly/InjRxpxZy6pJKIK3hp/K+i?= =?us-ascii?q?HhFYNyH1ZsMK9jHjl6lemNya34e1HpVuAj8LRofnTeq0EDIOsvTqLwWOET04qn?= =?us-ascii?q?iFArffGAif6Elor33RD5CrK3GXJH4czdp8XhWdIlJQgBwMVjUggpE5DhyqxNDm?= =?us-ascii?q?cEph6DAe/Fj4qgdLyuJtLBT/XHnQqxqvajcuUpefNABW7gZA50jLLcOe8vh/Hy?= =?us-ascii?q?ZC/p2utAaNMHCUZxxUDWEVXUyJH0rjMaSz6tTb/OiYA+W/I+HIYbqQtexUT+2I?= =?us-ascii?q?yo630ot64zaMMd2CPmN4A/w1wEZDWGp2G8DemzQPUCEYjT7Cb8uBqBe74C13od?= =?us-ascii?q?i18O73VwL3+YuPF7xSPM1h+xCsn6iMKvWQizx/KTZE0ZMM3mTFx6ID014XkS1u?= =?us-ascii?q?cCOtEbsYvy7XUK3QgrNXDwIcay5rMstI9bgz3hFVOcPAhNP116R4juUpC1dLVF?= =?us-ascii?q?zhnNumZcoWLGG8LlzHAFyHNLOcJT3E28v3e7+zSaVMjOVIsB29oS2UHFTkMjSH?= =?us-ascii?q?ljnpTAyvMfpWgCGAIhNRpJuxcg1zBmjnTdLmbAC7MdBsgDIqwbw0nG7KNXUGPT?= =?us-ascii?q?lyaUxNsqaQ7SRegvllHGxB9HVlJ/GemymF9+nYNooWsfxzDyRyluJa5HA6xKVO?= =?us-ascii?q?7CxfXvN6hjHSrtl0r1GhiOmPxSJtUABSpTZTmIKLoUJiNL3C+ZlBVnbE+xQN4H?= =?us-ascii?q?6NBBsUvNRlC8fgu6ZKxtjIjqLzJy9I88jI8ssEG8jUNMWHPWI7PhrmAjHUEhUK?= =?us-ascii?q?QCWsNWHHmUNdlvSS+WeUrpg+sZfsn5UPRqVcVFwvGfMQEl5lE8AaIJdrQjMklq?= =?us-ascii?q?aWjNIP5Xq7thXRXsJav5HZWfKUGvrvMjGZgqdHZxYT3bz4KoETOZHh1Ex5dll2?= =?us-ascii?q?hoLKFFTMXdpVuC1uchc0oFlR8Hh5VmAz3VzqZRmp4HIIFv60mQU2ihdkbuQr7z?= =?us-ascii?q?fs4FY3KkDMpCQujEk7gc/ljiyJcD7tMKewWplbCzDquEgqLJz0WRx1YhGynUF/?= =?us-ascii?q?LzjERqhRgKZndWBlkA/co4VAGP5GQa1CfhAQ2emdZ+803lREtiWn2UhH6PPYBp?= =?us-ascii?q?R4igsqcIOjr2lb1g15dt41P6vQJaRSzldOmq2OozWo1uEtwA4ePUoN9n2deDIQ?= =?us-ascii?q?skwSKrYmPzao/vBr6QGahjRDY3YDWOAlovJw7Ew9Jf+Nzzn63L5AN0CxLfaQI7?= =?us-ascii?q?mdu2jdk86HWEkw2loUl0lC/rh30cAjf1CSV08x0LubDw4JOtbaKQFJc8pS82De?= =?us-ascii?q?fSKJseXX3511OYS8FufzQO+BsqYUn1ioHAEzH4QD9s4BBIWj0FnELcf7K74I0Q?= =?us-ascii?q?4t6xrvJFWECvRJZR2KnSwbrMG4yZ94wZNSJioBAWlnNyW4+KrXrBcwgPWfRNc2?= =?us-ascii?q?fmsaXowcO30rRMK6nilZv3JcDDWqye8Z1haN7yX9piXRCzn8acBvZPGKahNwEN?= =?us-ascii?q?u24ykw87CqiV7L9ZXTP2L6Nc5iu9DV7+Mau5aHBuhbTbl6q0fTh5NUR3q0XG7T?= =?us-ascii?q?CdS1PYT/a5EwbdzoDXa3SkC/izMwT8f2INatLqiJjBr1SoZVsIiUxissOdW7Fj?= =?us-ascii?q?4ABxd6v/sD675kZQ0ff5o7ZgbltwskN6OlJgeYzs6jQ2eqKTpYSflf0eW6aKJW?= =?us-ascii?q?zyoqcu+11mEgQos8z+ap7U4HXIsKgQ3Gxfa/e4leVjD+FWZZewXOuSU2iXBuNu?= =?us-ascii?q?Myw+c5xxPIt0MTPiuQe+xocmNEucgwBV2PIXlsDGo3WUOch5LZ4gGwx7AS4zdd?= =?us-ascii?q?n9FM3OJernf+uITSbyixV6y1t5rVqTEgYsI8o6xxK4DjJdGGtJzGlDzFUJbQqh?= =?us-ascii?q?GFUDK9F/dCgNhQJiNYT+VImWEiPcwGopJP51MsWMkkO7FBD7IhqaytaTphESEd?= =?us-ascii?q?1zQZV5+a0DwEnOi8x6PQlg2Mf5Q6LBwErJJCj8MBXC50eCwRuLSuWJnRl2+ATm?= =?us-ascii?q?gLIRkc7R5Q5A0eioBwfvrp4I3STJ9D0zRWue57UjPXFpl08Fv2UnuWjkLiSPWm?= =?us-ascii?q?iOOkxh5SzOj23dkFRhF/DUldx+BZlkssKbF3JKkQvpLEsjCSb0P6uXjhyO24K1?= =?us-ascii?q?lN0cfUbUH3DJLZtWrgVS0R4XMVSZVTx3HfFJQSlgt5Z7wopFhXIYCpZFjx6CI+?= =?us-ascii?q?y4RuBbm4Wtihx0w5onYeWyeqD91BBvl+sFLQXD1qeYqrqZviO5VWTG9d45idq1?= =?us-ascii?q?BekEV2LSG21YBcK8ZW4j4XXThPpzqdsMG1SM1Z1s98F4UMLctnu3fhBKNEP4Cc?= =?us-ascii?q?rGcsurzyzH/V4TM8vUy7xDWyGq+4U/lW83cYGgo3O2SUslMvAPc08mfO7lDNtU?= =?us-ascii?q?h5//tcBriKlkhxvCpxHpVVCTpT03CqMUhzRmFcs+pGMKTVb9BcQ/4qaB+vIRM+?= =?us-ascii?q?D+Qp30iU8kxvgHj2fTRythNE9CDZQQY0TzMZgrD3mT0RssunIyMVS4pUbTU9aC?= =?us-ascii?q?fIMwCbmSdJsxtEdk5lRYsZDchf+7EHw4Rb49DOSUCyJiEZRBZiLB430eJDlU5f?= =?us-ascii?q?t0WVYTvSDQS0evrTsBB7YMmcodW1I/T++QdIlpnosPsk96kZQX2phxGtS8jEr4?= =?us-ascii?q?Dgrt2KqleOdKDgPu2mf3DOUTjMggqshbo/C5nK+DbTPxRFJ5ZmznorfIbuBXTN?= =?us-ascii?q?PRtYO6IRP1BbWrxiadVavuBaYNdpeL4S+a9xHB2IWw/vFZe0rPlBM1bTXyjRID?= =?us-ascii?q?uH8uyju4Lc97jdRfLnZsyWyHbNW7h3MYti6TnnB7fq1pdT+lbs2vhz6Ex1VEPL?= =?us-ascii?q?Mz2FrNT9PAME/teidkrlvp0tAzzWHI18kH33xkFPb8AXWTGl8IwEyJNF73b9Ue?= =?us-ascii?q?d43VL3sO1W6bZk9ZU37KpzxsqvI6fdN+hasVR7DReOHgVl6I8hAG5hSGBNeuUR?= =?us-ascii?q?MuvefbwFjcDyrOD6D64X5weP++xectvHI1vOmtekBzGZVBxEmBsBqT8GIQudzf?= =?us-ascii?q?GFnbR0Rdyipejj1UIn+0K+IQIezLBx+YeE/bKFpO3NYBvXw7gEQK/qSd7tobk3?= =?us-ascii?q?p0Od//sklKUJemBvZQ2oDvQdXNYHxmj81aAq0T4sE8TbErLv5f5DVnY5njb+lJ?= =?us-ascii?q?B4BFgZB+0bEqGK/YtEmGc0gevZNscZcqpagGaACQakEqMeyX6s8yaXJm1ljwrP?= =?us-ascii?q?0xH2RGO/9l72rSl2QSvW1djjiVZVVqOqBUhOQyqpJFV4vy2VMArvrtr3trw/7F?= =?us-ascii?q?sqPWz8qNKNiGyhNatSH834ItycPSY0q0wMgZ00R9ygw4YbFsShINYf93F+dPje?= =?us-ascii?q?63ixny9HvahHm5LU4tuJ9fXPAXmgk6qapq2JxDBDz3g1vUoy6t6+Of7T4N2KWe?= =?us-ascii?q?6n134LTyd4uQvOQQK6qqDBo1ATI0yL31/BmJYWMdFBwXk4ykbm6fA4QN0p6gVR?= =?us-ascii?q?DInAaO0ZpT3oIzv720ifbMg4ViaAyDtbBFT1HkdkGKIkwmL/oNrJlWvM+10vXo?= =?us-ascii?q?RwdU3nhRlsAoU9N00s6EYYwjACEQgLZhCXFreoClr5LYEcT0gMdQyH3KSmeqcw?= =?us-ascii?q?xUBzw7Ku6/XJYuNgHKcNLehSjhKQk1dHAJ4WtrceQL1kcV9H6KHXvhTiC5TgX/?= =?us-ascii?q?X+jnUwNOa1Q85A/sAbtnsi/h6/SAC96ZdH9LsUlJeIebNabpfWocB89UBn5SQV?= =?us-ascii?q?eSBXhxh/lRy5W/gGpO//+tjbrIao6uG2WaY1XeoX6wQ7B2Rwjpv3mlAjosjb1/?= =?us-ascii?q?xCRY3RiIT/9h1NInGRtYbCyRZ8NfYBK4KlfbZn7XUHJDISJ3EQMtqMbfkz/Stt?= =?us-ascii?q?PC/U51xYDcMGfckYM9bVmQBIlk3pX6le9tbBGlCGD4d8bcYo4HTsxT8o8Js8Xe?= =?us-ascii?q?fg6COsKpDE9V5NJe5DgD9qlN3cuOgf2eDSBzQP4XmFdxh1xTuPy5aXBPbq4+qM?= =?us-ascii?q?1NHUWkgCHi43T4dSOjqC9ha6RuqujpnpVB2b6tPripIkaE2QXmCxnLgCsqtUHu?= =?us-ascii?q?5PlCP73iRZFoDygP6VqMSj6G9Wtl1BDYZy4gbIGKFBMZVhORX3jNOnRk5iCSvj?= =?us-ascii?q?YMvUbAYhuPKKxucQ5OVzL03+ZY4HLRIDz7L182FVQhFvSL7xuVaZRvkRacBjSP?= =?us-ascii?q?7LoXFZ84VgK7UAPFKFvpzlsi9IqEwqAA8ucLIwoSBVdlLVnAFMRqj6t7gOigoa?= =?us-ascii?q?Ud5ktk5BAm2wOGck6DrBS6tZlq6RCOYa8j+LVKwBT11oMj9iQxOywJhuebypnf?= =?us-ascii?q?BBsm9cgix9oPwq0yF7Sxq9uC3sobkN2TEh+LyjqjUBuGJFQf+akyjVCFVP1vIK?= =?us-ascii?q?grkAC3z681yzfGEDbJfu4LlgPcng9Jch7G45YRg4ey0GQPmvCyD3j6OTGICPt8?= =?us-ascii?q?hchBGVssXUcbCzNTQSNqg6yR/7RXhyzAbenBhs8GYQTDSv9tkkK5uhOco/wCqn?= =?us-ascii?q?B3Tbfk4W4qxVqMvxqUILTOwuZFNuxGVj1caGSTMJRMzLAGs1lQ8kaWNFcJ1f8x?= =?us-ascii?q?MaEbcngiqQtKlc4g4UeCvUEpii+oTIn8fI2Xk8Tc9txmLSp62Fmo0l3WZgm9N1?= =?us-ascii?q?8i6Oomode/bfU892DXj5zp1fxvDmZ/WxruAHT5NryLu8UP8DL8aj/nC72IlwWk?= =?us-ascii?q?C7wLQeA0C2MOsZybfdTyilSHeXVf6Nc2eSgzYzKlTy6gWwLl0rdMdKqFcwMvfD?= =?us-ascii?q?hp5ZjADhTbJ0STmTpVDFyGwvK+UaeBwquI2/YQwFUPYRZ/SAJegp2PA+DVoMb3?= =?us-ascii?q?zKHStxEOK2s0SinIt8O3Vm/0r6Z/7h8gb4P9uOAhMEC5LVroZt+fymQWKMIWRv?= =?us-ascii?q?wwN0PElo7OrfDFAxtuhAc5aNg9jfmcl03fQCd/d3Pi03osQTlZ576YmIzMeKdg?= =?us-ascii?q?nczpjsKtHRo/iYG+PQwl8re2FbV7oZZB36558+PtEnQbHTGqFZvRsED6ggXJMh?= =?us-ascii?q?L3vx9L1zLA5rfA/RfK60gsj2qe2VfZZUon7W7k4qLCjCoREDzea0TQNjZZCwm3?= =?us-ascii?q?ryOIwwRi5Gr9B1DRtmGJVAFtgYrwqjGZGUg727i96t9ENmoe8Fr7T/BurM1Nun?= =?us-ascii?q?w4V7R4Ja6lCTPDbNGKlrhVxojuCzgvfGz5nwBtruedcFVOhgXm7FcaTLHoSlJT?= =?us-ascii?q?KIPcLwYUlG86ST0LhhSBWeeDj5X7aatC2jLPhk+ls0yoh5fOrV0Tws4LbX1tTu?= =?us-ascii?q?Z2FbuCijt2CGNINF41HRBuzRQQhUSfyb/2ZhBqIXcIT0+P0JMdw4z9iW+xNz4y?= =?us-ascii?q?ha0MuZP6ihqVfB2kdhep3HLEvp2iA5WY4RLRShMEssh3HWqnDcAXRaM8ilJtNh?= =?us-ascii?q?gNGPDhzi/0Nxg30iZnZdGmr0QtecIWob1Ni9ZA2N7w1GFMsDn+ireU44sa2yVO?= =?us-ascii?q?ZoOpVZmemwsrUIj8ppITnVRMdGJyHQMKN2Pj1JA+XAvlcneQQEs7krVYcxfpWO?= =?us-ascii?q?PkcHP12bySPz0AvOy0v0eMKw1KyROiYZ7m1Hz67Z0ThLvwS5u/OZgsr5ULDDbZ?= =?us-ascii?q?H2R+XfMCw/WTGfWzsyEFyl+VC+u/oLpPCYO3sQokgIYiKODw4evrtvrdbVDmDP?= =?us-ascii?q?mOBuf4YHhO6EVCDqSS15la0yBiBRuUCKXfUDCVqeU3i0mGNBvCS6L+JIuHfiaK?= =?us-ascii?q?eVgKFSXr84GIxJJ8aFTsPYdPYWHDIhkjEUKa7oZNHHh6oo2VLPC20CGu/H80PI?= =?us-ascii?q?Hx3eeeCV2z++BdZdhIMzoCd9v4iIkw=3D=3D?= X-IPAS-Result: =?us-ascii?q?A2G8AwAdgwxZ/wHyM5BcGgEBAQECAQEBAQgBAQEBFQEBAQE?= =?us-ascii?q?CAQEBAQgBAQEBgn8CKYFug2iLC483BoEml3slikxXAQEBAQEBAQECAQJoKIIzI?= =?us-ascii?q?oJBAQUBAiAPAUYDAwkBAQgCDQsCAiIEAgIDAVMZBRaHbYILDZMinWGCJiYCij4?= =?us-ascii?q?LAQEBJIELhQ6CJIMbhDINgyqCXwWdb4pOiEmCBIkTDIZFlDdYgQolCQIeCB8Ph?= =?us-ascii?q?1RahjgCJAEBghUBAQE?= Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1]) by emsm-gh1-uea11.nsa.gov with ESMTP; 05 May 2017 13:53:59 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v45DpqAP000456; Fri, 5 May 2017 09:52:15 -0400 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id v45DnDx3080043 for ; Fri, 5 May 2017 09:49:13 -0400 Received: from moss-pluto.infosec.tycho.ncsc.mil (moss-pluto [192.168.25.131]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v45Dn90C031788; Fri, 5 May 2017 09:49:10 -0400 Message-ID: <1493992395.5745.3.camel@tycho.nsa.gov> Subject: Re: [RFC][PATCH] selinux: add a map permission check for mmap From: Stephen Smalley To: paul@paul-moore.com Date: Fri, 05 May 2017 09:53:15 -0400 In-Reply-To: <20170505131448.8718-1-sds@tycho.nsa.gov> References: <20170505131448.8718-1-sds@tycho.nsa.gov> Organization: National Security Agency X-Mailer: Evolution 3.22.6 (3.22.6-2.fc25) Mime-Version: 1.0 X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: Cc: selinux@tycho.nsa.gov Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP On Fri, 2017-05-05 at 09:14 -0400, Stephen Smalley wrote: > Add a map permission check on mmap so that we can distinguish memory > mapped > access (since it has different implications for revocation). When a > file > is opened and then read or written via syscalls like > read(2)/write(2), > we revalidate access on each read/write operation via > selinux_file_permission() and therefore can revoke access if the > process context, the file context, or the policy changes in such a > manner that access is no longer allowed. When a file is opened and > then > memory mapped via mmap(2) and then subsequently read or written > directly > in memory, we presently have no way to revalidate or revoke access. > The purpose of a separate map permission check on mmap(2) is to > permit > policy to prohibit memory mapping of specific files for which we need > to ensure that every access is revalidated, particularly useful for > scenarios where we expect the file to be relabeled at runtime in > order > to reflect state changes (e.g. cross-domain solution, assured > pipeline > without data copying). > > Signed-off-by: Stephen Smalley > --- > NB I chose not to define a new policy capability for this permission, > since it is adequately covered by handle_unknown for compatibility > and > others seemed to agree that this does not fall into the category of > changes requiring a new policy capability.  I also chose to define > the > permission for socket classes in addition to file classes and let it > be checked for both. > >  security/selinux/hooks.c            | 12 ++++++++++++ >  security/selinux/include/classmap.h |  2 +- >  2 files changed, 13 insertions(+), 1 deletion(-) > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index e67a526..5432628 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -3550,6 +3550,18 @@ static int selinux_mmap_addr(unsigned long > addr) >  static int selinux_mmap_file(struct file *file, unsigned long > reqprot, >        unsigned long prot, unsigned long > flags) >  { > + struct common_audit_data ad; > + int rc; > + > + if (file) { > + ad.type = LSM_AUDIT_DATA_FILE; > + ad.u.file = file; > + rc = inode_has_perm(current_cred(), > file_inode(file), > +     FILE__MAP, &ad); > + if (rc) > + return rc; > + } > + >   if (selinux_checkreqprot) >   prot = reqprot; >   > diff --git a/security/selinux/include/classmap.h > b/security/selinux/include/classmap.h > index 1e0cc9b..3e49a78 100644 > --- a/security/selinux/include/classmap.h > +++ b/security/selinux/include/classmap.h > @@ -1,7 +1,7 @@ >  #include >   >  #define COMMON_FILE_SOCK_PERMS "ioctl", "read", "write", "create", \ > -    "getattr", "setattr", "lock", "relabelfrom", "relabelto", > "append" > +    "getattr", "setattr", "lock", "relabelfrom", "relabelto", > "append", "map" >   >  #define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", > \ >      "rename", "execute", "quotaon", "mounton", "audit_access", \ Below is the refpolicy patch (relative to the Fedora rawhide policy source RPM) I used for testing. I simply added the map permission declaration to the common file and common socket definitions since I wasn't concerned with compatibility for kernels that predate the dynamic class/perm mapping support (< 2.6.33, RHEL < 6). Not sure whether that's acceptable for upstream refpolicy or not; if not, it will need to be added at the end of the existing lists for all file and socket classes. With regard to allow rules, I initially tried just adding map permission to mmap_file_perms and exec_file_perms, which covered most shared libraries and executables, but quickly ran into a number of cases where programs and libraries required it just for mmap'ing data files. I addressed several of those but more kept popping up. Abstractly, any domain that previously was allowed read permission could have used mmap, so if the goal is to ensure 100% backward compatibility in refpolicy, we would need to add it to every rule that allows read permission. In my limited testing, it seemed to suffice to add it to the _file_perms and _chr_file_perms macros that already allowed open (although technically a process that inherits/receives a descriptor could mmap it as well). I think it is ok to allow map permission widely in refpolicy (as with open permission), and leave restricting it to specialized domains (as with sandbox domains for open) given its narrow use case. diff -ru serefpolicy-3.13.1.orig/policy/flask/access_vectors serefpolicy-3.13.1/policy/flask/access_vectors --- serefpolicy-3.13.1.orig/policy/flask/access_vectors 2017-05-03 16:25:32.750029182 -0400 +++ serefpolicy-3.13.1/policy/flask/access_vectors 2017-05-04 09:18:58.999737761 -0400 @@ -20,6 +20,7 @@ relabelfrom relabelto append + map unlink link rename @@ -47,6 +48,7 @@ relabelfrom relabelto append + map # socket-specific bind connect diff -ru serefpolicy-3.13.1.orig/policy/support/obj_perm_sets.spt serefpolicy-3.13.1/policy/support/obj_perm_sets.spt --- serefpolicy-3.13.1.orig/policy/support/obj_perm_sets.spt 2017-05-03 16:25:32.751029170 -0400 +++ serefpolicy-3.13.1/policy/support/obj_perm_sets.spt 2017-05-04 09:34:15.418877678 -0400 @@ -153,19 +153,19 @@ define(`getattr_file_perms',`{ getattr }') define(`setattr_file_perms',`{ setattr }') define(`read_inherited_file_perms',`{ getattr read ioctl lock }') -define(`read_file_perms',`{ open read_inherited_file_perms }') -define(`mmap_file_perms',`{ getattr open read execute ioctl }') -define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }') +define(`read_file_perms',`{ open map read_inherited_file_perms }') +define(`mmap_file_perms',`{ getattr open map read execute ioctl }') +define(`exec_file_perms',`{ getattr open map read execute ioctl execute_no_trans }') define(`append_inherited_file_perms',`{ getattr append }') define(`append_file_perms',`{ open lock ioctl append_inherited_file_perms }') define(`write_inherited_file_perms',`{ getattr write append lock ioctl }') -define(`write_file_perms',`{ open write_inherited_file_perms }') +define(`write_file_perms',`{ open map write_inherited_file_perms }') define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }') -define(`rw_file_perms',`{ open rw_inherited_file_perms }') -define(`create_file_perms',`{ getattr create open }') +define(`rw_file_perms',`{ open map rw_inherited_file_perms }') +define(`create_file_perms',`{ getattr create open map }') define(`rename_file_perms',`{ getattr rename }') define(`delete_file_perms',`{ getattr unlink }') -define(`manage_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }') +define(`manage_file_perms',`{ create open map getattr setattr read write append rename link unlink ioctl lock }') define(`relabelfrom_file_perms',`{ getattr relabelfrom }') define(`relabelto_file_perms',`{ getattr relabelto }') define(`relabel_file_perms',`{ getattr relabelfrom relabelto }') @@ -245,15 +245,15 @@ # define(`getattr_chr_file_perms',`{ getattr }') define(`setattr_chr_file_perms',`{ setattr }') -define(`read_chr_file_perms',`{ getattr open read lock ioctl }') +define(`read_chr_file_perms',`{ getattr open map read lock ioctl }') define(`append_chr_file_perms',`{ getattr open append lock ioctl }') -define(`write_chr_file_perms',`{ getattr open write append lock ioctl }') +define(`write_chr_file_perms',`{ getattr open map write append lock ioctl }') define(`rw_inherited_chr_file_perms',`{ getattr read write append ioctl lock }') -define(`rw_chr_file_perms',`{ open rw_inherited_chr_file_perms }') +define(`rw_chr_file_perms',`{ open map rw_inherited_chr_file_perms }') define(`create_chr_file_perms',`{ getattr create }') define(`rename_chr_file_perms',`{ getattr rename }') define(`delete_chr_file_perms',`{ getattr unlink }') -define(`manage_chr_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }') +define(`manage_chr_file_perms',`{ create open map getattr setattr read write append rename link unlink ioctl lock }') define(`relabelfrom_chr_file_perms',`{ getattr relabelfrom }') define(`relabelto_chr_file_perms',`{ getattr relabelto }') define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')