From patchwork Fri May 26 15:58:09 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Paul Moore X-Patchwork-Id: 9750719 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id F127960249 for ; Fri, 26 May 2017 15:59:58 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DEABA2624A for ; Fri, 26 May 2017 15:59:58 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id D354B28408; Fri, 26 May 2017 15:59:58 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 Received: from emsm-gh1-uea10.nsa.gov (smtp.nsa.gov [8.44.101.8]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3894D2624A for ; Fri, 26 May 2017 15:59:57 +0000 (UTC) X-IronPort-AV: E=Sophos;i="5.38,398,1491264000"; d="scan'208";a="7497760" IronPort-PHdr: =?us-ascii?q?9a23=3AX+w1UBID+uzcJDcu19mcpTZWNBhigK39O0sv0rFi?= =?us-ascii?q?tYgQK/3yrarrMEGX3/hxlliBBdydsKMbzbGI+PG6EUU7or+5+EgYd5JNUxJXwe?= =?us-ascii?q?43pCcHRPC/NEvgMfTxZDY7FskRHHVs/nW8LFQHUJ2mPw6arXK99yMdFQviPgRp?= =?us-ascii?q?OOv1BpTSj8Oq3Oyu5pHfeQtFiT6/bL9oIhi7rArdu80IjYB/Nqs/1xzFr2dSde?= =?us-ascii?q?9L321oP1WTnxj95se04pFu9jlbtuwi+cBdT6j0Zrw0QrNEAjsoNWA1/9DrugLY?= =?us-ascii?q?TQST/HscU34ZnQRODgPY8Rz1RJbxsi/9tupgxCmXOND9QL4oVTi+6apgVRHniD?= =?us-ascii?q?0DNzUk7m/ZjMJ+h79frB64uhBz34vYbYeIP/R8Y6zdZ8sXS3dBUMhPWSJPAYGz?= =?us-ascii?q?b4UBAOUOIelWoJH9qlkToRawGwasH/jiyiNKi3LswaE2z/4sHAPA0Qc9H9wOqn?= =?us-ascii?q?PUrNDtOakIS++10a3IxijEYfNR3jf98pbHeQ0mrPGUWLJwds3RyVMxGA7elFWf?= =?us-ascii?q?t5HqPzOP2eQRqWSU8+1gVee2hmMhtgp/oSCvy98xhoTGiY8Z0FDJ+ThjzIorKt?= =?us-ascii?q?C0VlR3bcO8HJdOqy2XM5F6Tt4sTm12oio2174LtJChcCQUy5kqwQPUZeadfIiS?= =?us-ascii?q?+B3jUf6cITJ/hH14Zr2ynw2y8U28yu3kUcm0zUpKojJFktbSsnAN0ATe6tSdRf?= =?us-ascii?q?tn/0ehxC2P2xrP6uBEPU80la3bJ4QnwrEsjZocrV7PHir3mEXylKOWd0Mk9fa0?= =?us-ascii?q?6+n/f7nrqZCRO5V0hw3jKKgihMOyDfoiPgQTR2Sb/P6z1Lzn/U33WrVKifg2n7?= =?us-ascii?q?HCsJ/EIcQbp6i5AxJa04o68Bm/CCqm0NIEknYZN1JIYw6Hjoj1NFHOJ/D0F/G/?= =?us-ascii?q?g0+2nztxyPDGOaPhDo3XLnffiLfhYap960lExQoxytBf4YhbCq0BIP3pXE/8r9?= =?us-ascii?q?7YDhg/Mwyx2ennE8l92Z0EWWKUGKOZN7nSsVCQ7OI1P+aMfJMVuCr6K/U95f7u?= =?us-ascii?q?j2U2lkMefamy2psXbnG4Hup9LkWXZXrsn9gAHnwXvgo4UOzqlUeOUTlJZ3a9R6?= =?us-ascii?q?g8/C00CJq6DYffQYCgmLKA3Ca/Hp1TeG9GEEuBEXn2eIqZXPcMcjidItd7kjwD?= =?us-ascii?q?V7iuVZMu1Q20uA/90bpnIfLe+jcEupL7yNh1++rTmAkv+jNoCsSd1GeNT31pkm?= =?us-ascii?q?4TWT85wrp/oU18y1eE16h0mfpYGsJP5/lRSAc1KYbcz/BmC9D1Qg/OY8uJR0y8?= =?us-ascii?q?Qti9HT4xSdcxzMMUbEZmB9WulBbD0DS2A7UNjbyEGIQ08r7A33j2P8t8y3fH1K?= =?us-ascii?q?4nj1Q9R8tPMXSqhq959wTJAY7GiV+Zl6WrdaQCwiHB7mGDwnSSvEtASg5/Tb3F?= =?us-ascii?q?XWwDZkvRtdn2/VjNQ7iqCbQmKQtB1dWCJrFRatL3kVpKXuzjN8raY2KwnWewGB?= =?us-ascii?q?mJy6iQY4vqYWUdwT7dBFIKkg8J4XaGLg8+BiG7r2LZFjxuGkrlY1nw/ulmtHO7?= =?us-ascii?q?Ukg0whmUYE15zbW14B8VheeHRvMLxL0EoiYhqy5sHFa5xd3ZF8SPqxBmfKVGbt?= =?us-ascii?q?M3+E1H2n7BtwxhIpygKLhvhlAEcwttuUPhyxR3Cp5bnMgvtHMqzRN+KbmW0VNa?= =?us-ascii?q?bT+Y2orwOrLPIGno4B+vc7LW2k3Z0NuO+acA8vc4q1L+vAyyFUot6XZn095I03?= =?us-ascii?q?eG4ZXKFgUSW4rrUkkr7xh6u63aYi4l6ozOyHJsK6i0vSHY298yHuQq1hOgc81Y?= =?us-ascii?q?MKOeGw/4C9caCNS2KOw2h1ipaQoJPPtc9K4uOMOmbOeG1bWwPOZmmzKng2FH75?= =?us-ascii?q?p70k6W8SpzVPLI1Y4fw/6ExguHSyv8jFC5v8H5g49EYS0SEXSlySj/H4NReLN9?= =?us-ascii?q?fZwQBmezJs273NJ+h4TiW3RA7l6sG0sG2NO1eRqVd1H9wRBf2lkWoXO9nSu11C?= =?us-ascii?q?B7kzYsrqWDxiPO2PjieAABOmFVWGlolU3sLpSsj9AGQEioaBAklB2k5Ub+w6hU?= =?us-ascii?q?ur9/InLJTkhWZSj2KHtuUqyqtrqNe8RP8o8nsT1LUOSgZlCXUqD9oxoG3CP/GG?= =?us-ascii?q?te3io3eC2qupX+mRx6h3mQLHJyrHrfY85w3xDf6MbbRf5L0ToMXDN4hiXPBlig?= =?us-ascii?q?I9mp+s2Zl5PCsuClS2KtT4ZTfjfvzYOBsiu7+GJrDAakn/Crm93nFwk63jPg19?= =?us-ascii?q?VwUyXHsgr8aJHx16umKeJnYlVoBFjk5spgHYF+lo8wi48K2XcGgZWU82EKkXzu?= =?us-ascii?q?MdpHwqLydn0NRSQEw9TN+gjqxFVjLm6Vx4L+Tnid2tFuZ8S+Ym8MwC0x9dtFCK?= =?us-ascii?q?CQ7LxYmit1pEG1rQfNbfh7mTcS1eEi6HgEjOEVoAAt1DmSAqgOHUlEOizhjxeI?= =?us-ascii?q?4M64rKVMf2uvcqa/1ExlndCnEr6CvhtQWHHjepctBSVw9NlwMErQ0H3v7YHpYM?= =?us-ascii?q?fQbdQOuRCPjRfAifVaKJIrmvoMmyVnJXr3vWc5xO4jkRxuwZa6sZCfK2p34aK5?= =?us-ascii?q?BgVVOSH0Z8MP+jDhlKhekdyQ34y1GZVhADoLVoPyTf20CDISqejnNwGWHT0mt3?= =?us-ascii?q?iUBKHSHQCa6EZptX7PFY6kN22PLnkD0dpiXAWdJFBYgA0MRDU1hIM5FgS0y8z5?= =?us-ascii?q?akh54CwR6UDiqhZX1+JoLAfwUn3EpAuycTc0T4WfLABK4Q5c6UfVNtae7u1tEC?= =?us-ascii?q?1C+J2ushCNIHSBZwtUFWEJRlCEB1f7M7mg/9bA9fSYBu27L/bVb7WBt/FRV/CS?= =?us-ascii?q?xZ21yotm5TGMNseRMXZ+E/03wE1DXWp2G87BgTUAVzQXlz7Rb86cvBq8/zd4rs?= =?us-ascii?q?S78Pv1RALv+ZGABKFJPNVp5R+2nbyDOPKKiyZhNzlUzJUMymHUyLIHxl4dlzlu?= =?us-ascii?q?dyWxEbQHrSPNVrjcm6FNAx4ecSxzMMxI7qIn0wZXJcHbj8n51rlijv46E11FT0?= =?us-ascii?q?Dumtm1ZcwWJGGwLF3HBFyVO7ubPj3E2cf3Yb+7Sb1Ll+hbrQG/uTOBH0/kJDSD?= =?us-ascii?q?mCHjVwqzPuFUkCGbIBtetZm7chZ3E2fjVMrmZwa1MN92lz022qE0hn3LNW4aKz?= =?us-ascii?q?d8dV9CrryK4iNcmPl/HHZB7nV9J+mehymZ9/XYKooRsfZzGiR7iflV72o8y7tU?= =?us-ascii?q?8CFEQ+d4mCrModFwvV6qiO6PyiBoUBBWsDZEmJqLvVl+OaXe7pRPRG3E8wwX4m?= =?us-ascii?q?WfERQFvcVlB8b0u69KydjPibjzJy1Y/9LQ4MscAdLbKNiePHo9NhrpGz7VDAwf?= =?us-ascii?q?QT6tK27fm1RXkOuO+X2Nspg6tp/slYIVSrBBSlw6DPwaBVp+HNEZO5d4RC0knq?= =?us-ascii?q?SUjMEW/nqyth/RS9tGvprfTPKdHe3vKCqFjblDfxYH2rL4LYsUNo39wEFtd0d1?= =?us-ascii?q?k5/LG0XKW9BBuCphbhU7oE9V6nhxUnUz2175agOq+HIcD/G0kQQoigRgeukt8y?= =?us-ascii?q?/s7EkxJlrPviQwkU0xls7igTGeajLxK72wXY5OASruq0cxKo/7QxpybQCqgUxk?= =?us-ascii?q?MzLES6hLj7tndGFklgnctoBVGf5bU6JEYwQdyu2QZ/UtzVtTsD6nxVNd6evDF5?= =?us-ascii?q?RiiBMgcYSwoHJYxwJjcNk1KLTTJKtJylhfmLmDviqv1uA/zg8ROVoN8H+SeC4P?= =?us-ascii?q?vUwHKKMqJyy28exw8QaCgSdMeHAQV/o2pfJn7kU9NPqawCLkyLNDKUexN/eDL6?= =?us-ascii?q?yDvWjAjs2IQlIq2kMOiUZF4aB80d0/fEqMS0Av0LyRGgwTNcXcMgFacdBd9GLP?= =?us-ascii?q?ciaOqujC2pN1P5+gGeDvQ++OrLwUjVykHQozGYQD8NgBFIG20E7ENcfnMKIFyR?= =?us-ascii?q?I16Qv2I1WFCvJJdw+VnzcDosGy14V40pdHJjEaG2l9Nj+35rnPrA8wnPWDRMs2?= =?us-ascii?q?YmsdXoYcK305QtO6my9EsHRbFzS4yPgZyBKF7z7yvSTfEiXzb8d5ZPeVeRNtCM?= =?us-ascii?q?u6+TMh/KiqkVTX6InRJ3nmNdR+vd/C8ecap5GdC/xKS7l8skDclpJXR3ysTm7D?= =?us-ascii?q?C9m1J4L/a4M0d9z7Fm66UkCjizIyV8rxJ8iiLqyJgQHuWIZVv5KW0ywkNc+4Cj?= =?us-ascii?q?4RAQxwp/0Z6KJ6ewIDf4IxYQT0uAQmK6y/PACY382tQ2a3KTpZVf9fzfm6Z7FM?= =?us-ascii?q?wCosafe6x2c6QpE80ea37VYHRIsWgRHG2faje45eXDDvGnxcfgXPojY5l2hhN+?= =?us-ascii?q?sp3+g/wRPJvkMHPDyRcuxmdnBEtckmBVyOOXV2FnY4R1iEgIXZ5g6s3qwd8DVF?= =?us-ascii?q?kNZR0exFtn/+vpnFbz+3Q6OrqI/asyw5Ydgovq19K4rjLdWatJnGhDzQUIHQsh?= =?us-ascii?q?GZUC69D/dVgcZfICRDTfZShG4lJ9IJuZBa6UUrTMc/J6ZDCK42prClcTBkFzId?= =?us-ascii?q?zTcFV4Oc2zwPmui826bblheUdJQtLhkEvY5fjdQDSCF2YzkRpKm5W4XRjW+ERX?= =?us-ascii?q?ABIB0P4gRU+AIAiohwc/j/4IrOTZ9D1z5Wo/VwUivQDpdm7kb1RHuKjFb/U/iu?= =?us-ascii?q?j+up3QdOw/32ydkbRARzCU5DyOZKjkEoMq14K7EMvo7WtT+FbVn6s3j3yOuhP1?= =?us-ascii?q?Zc0tHUd0fiA4rbq2X8Viwc+XsbRY9LyXHfGpQSkxZ3aKkxvlVMJZqqekDg6Dw4?= =?us-ascii?q?345pBaW3Vdi3x1Y5qnYLXymrH8BdBOFmsVLXXTxlbIqoqJj+OpVdXHFf94OHp1?= =?us-ascii?q?deikVtPDazyYBAJMFV/j4MQD9PrC2Hs9uoVc1D39V6D5wXL9d+unf9Gb9EN4OL?= =?us-ascii?q?r30wpLPv1mfT+yogv1ei2DWzB6i4QvpY/20YBgUmOWCepVcqD+Qy7mfS6FDMv0?= =?us-ascii?q?tz/+dDGLePi0Bxryx8HpBKHTlJ0n+kI050THlcvOVQML7VfNBEQ/kueR+vPAQz?= =?us-ascii?q?FfE830OT+0F0gWz0Yy11tgpU/SDdQwk0WjcUgrfrhT0RtNunNSUcS51WcTUrdz?= =?us-ascii?q?3FJB6DmSBLoBZfbFlnW4weAtZA4LwbwZdY/s/ZRkq2LyEKQgBiPBoi0fVDjU5D?= =?us-ascii?q?rFmYeSfFAAqob/nPqAd4fcOMo8OyMfv24h9Hipv5v+A86aoDXWeqmQq3QdDRt4?= =?us-ascii?q?X8rMGFtlOSdKfkNO2xeX3BTD/Sgh2rmLgrEYLK8DbJMApHNZZ11GAoYZ7/Bm7X?= =?us-ascii?q?JR5GPb4UJ1JHVaBmbtVLuvtVZ8F4d6oV+6JhGxyKSwjzF4yoqflJMkzcRS/CLy?= =?us-ascii?q?mb9Oywv57T56THSef8fsyM22rHQ6VvM5dg9zb0Brfq3pVC+kft3vdt8V16RkbY?= =?us-ascii?q?Py+dq9TuOx0E6NOkdkT8op0jBSnWD4tokHrx2kFAcNIaQzWx8JQE0pxW9WrwRP?= =?us-ascii?q?lj0kj0re1S7aVr5pcx47B108e7P6PSJe5dsU99DRieHh9q+Yk1AGhjW2BRZfcc?= =?us-ascii?q?KOvLfasHk8/htvv6F7ET6B2J4exWc8XHJ0DGmsm7FD6cVQZInAAbqT4VNgGcze?= =?us-ascii?q?KKm7doSca5ouj0wkAt7EKkLh4B17Bt4Z2L+rSTqe/SchvRyaQEWqn2ScPytLss?= =?us-ascii?q?vViS6ecjlL4UdWx/exenH/QFVs4B2mfgyrgnzSA2HMPFEbLg4vlDWG8nkT/7h5?= =?us-ascii?q?ByBVMWGugTHbaR+4RRgHs4kfTDNtIKaqBChnqPFRm8H78EzX6m8CqXIG9ggh3U?= =?us-ascii?q?0hHwR22z7EXsoi9jXSvM1crjnVZJVrmqH0ddQTClOUhisDOAJADorsb4ubwp7E?= =?us-ascii?q?EqNWzprNSNlGq9N7NQG83wPsecLTM1pFIQi50xXcev1JseGdeyL9Yd6nZ+buHR?= =?us-ascii?q?62mziS9Ov79Hh5bC4sGS4vjYAWOvj6mEpLWW2DBZyn84sEok6t+8N/HB+duKQ+?= =?us-ascii?q?ip12kLVSt/vRXOXwKtoLzBs18UIVCL0FvMmIESOtFZxnw420H96egtXt086QJe?= =?us-ascii?q?FpzaaPMavzDzPzn0zkiDbNIrTCWe1CFXHl3tG1liBKc8wH7wvN7OlXrI+V0oR4?= =?us-ascii?q?xwelfihRNpD4Q3N1gt6FkRwioMCwQNbw6UDK2wD0T/MYQETVQDaQiA3LWie6c2?= =?us-ascii?q?3Fd8zamz6+LIduxzGbYNOehBgQKUm1hbAJ0Wu7UEQL1gY19d6LLXpg/6Bof8Xv?= =?us-ascii?q?jmjnQxOue3QsBb7cAZr2Et4hu7Rxe79ZhD6KsUh46Sea5Ze5jMu9p84F196T4I?= =?us-ascii?q?bCxNjwB1jwmlXuAEuODj/t/bvYKw6um0SKYiW+UX9hYzB2RkjJv8mUsjrs/T1+?= =?us-ascii?q?ddTI3VlIv+/RtVI3GQpIbVzxl8KOQJK4Kxf7Zs7XYHKDYEJ3III9WWb+Mw4yh3?= =?us-ascii?q?MDXc/1ZCGN8DZcsEPMrRngBZklHpWKtN+crfAFCYDZl8ets14Gr2xzA18Ic8Xf?= =?us-ascii?q?z76DCsP5Df8ktBP/VdgyVwjNjCvvQaweLOCCgL5nmUcxd1zTmYy5aTF/bw/f6B?= =?us-ascii?q?yNXVV1MaACE2U51SJCeZ+QC9QOq6ionpWBuO6sDvmJI+aF6QRnupkaQKrKlMF/?= =?us-ascii?q?JAiiL83jRZDYD6mfaVs9uq6GtKuVxKC4Jz4gPfGKRfJJp3IxL4mde3RkJkHCvw?= =?us-ascii?q?ZNnUdgYyuOqR3uoD/+d+OFHiaoIAPh0EzLb66X5UTgRwUr72okiWUv4RZNd8T/?= =?us-ascii?q?PEtH9V45p6K6ATJFiduIDqrjBQpVAzBw8pbqMwrjNEeUTVmQ1VWrz7uLgehQsA?= =?us-ascii?q?X995vlVMGWGrOG4k4TrIS7hVhrGLCPMJ6jWTUrAOU0JwPyNxXxy1w45ud6K0k/?= =?us-ascii?q?5ItG1GnyV9oOUl0jF9Sxu8vDfjp6QT1j46/7G4rjoBs2RfTuqCiyfIFUlDzPMS?= =?us-ascii?q?gKceDHbi6Vq8bGMfY4vy5LlnONnv9Igg43Q5ehUjfCwGUP++CyHxkaOHGIiPv8?= =?us-ascii?q?9dhBKXvsXBc6OzJzAINrsh0RLjW2R90g/GkRZp7msEWDOg4cQgJIWgJMklxy2o?= =?us-ascii?q?GXPBeFYL+KNJv9P7tUQXQ+sudVNh3GJj39CFRiITSszPFWI1gxMqaGpedpJM9w?= =?us-ascii?q?MaG7MugjmWoqlM5hsUbyvMEoS55onQmt/F2XY5TddtyGPZuKmFhpcx3X1+nNN0?= =?us-ascii?q?6C+Ot2gIe+zeTcBsHmD51p1Dxuzme/WtrucHRZNkyLShUP4CKs6j+W+32JV2RE?= =?us-ascii?q?Co3bEeH1ulMO8Z2LjXSSClSXeXWe6TaWiDgy45MlLu5RmvNlA3dMZKr0omP+ve?= =?us-ascii?q?h55Tiw7hXq1wRimKo1/U0nAjO/sAdw0qoIenZxAKTOkJauiZJOguw/4+CFwXYn?= =?us-ascii?q?/LByR2COi2sVizk4h9IXlg51v1Yfj1+AD8LNSSAgUEEZLdrpNp4vO1WGSBOWN7?= =?us-ascii?q?wR1pOEl08PvfF0gvtuBCbpmdh9/Qh8500eQdbfdiLTU9usIPmoJk8YSUyMCKcR?= =?us-ascii?q?XLwZboK9DVpfyYA/PEwkQvfWFaVaEZbh3p6IUgOd45QKbTHbpfvRQTH6Q6R4Yh?= =?us-ascii?q?N2jp/qFuMAxzahLRZKizgsTyqOKEeJ9Up37O7l0uNyrduhwDyvmxTQNldZCqg2?= =?us-ascii?q?v9LIo3RjJboN1nEgFmE5dXG8McswqnBIaZma+ji9+r+kN1p/EFvLH1CvDLyNS5?= =?us-ascii?q?xZt+U4Jd5UyRMzbbHLNrjVh9juSunvfA1YH8CcTmedwaT+V7WmrFZaXdHoWjKz?= =?us-ascii?q?KBJt78e1RY/LGCyr55VAueZDzhVaqcqCKkLOlk4Vk8yoFgeOrTzTot76zU2dfr?= =?us-ascii?q?Y2FbpzyjrWKSNJZE7VzFH+reXxVORfqC6mZlErUdbZHo++cWLdwi3N+c7hFo7D?= =?us-ascii?q?tc1MuFIq6hrlLD2058epzbMEvp1DgjWYYUOBSwK1AhgWzHpXTHB3RTMMykJtJw?= =?us-ascii?q?gNaaFBDt4FNxmW41bG5bBmXoXcuROXQc28+mYQ2F7h5ED9YCn+6xfk41rbOySe?= =?us-ascii?q?huOppbneWqtbMHkctmKi3VQ8haJS7QJqdsPjVNFuXPuEQoYhkcvrg3QIg1Zp+O?= =?us-ascii?q?L1gcPUedzyPy0QvC0Urpd9yj1KaJPDwa8nNZwLLZyTJMvRW2ue6Fgs3/V7DUdJ?= =?us-ascii?q?72U+TJPyo/VzGVWzAyHF23+VegofUEp/uYIXoFrlASfC2SFBYZprpzotjIEm/T?= =?us-ascii?q?hepjcYUIhPCfXCDwUjd4lKspBitQs0CDWf8DGhfXb3P7h2pcogOiLOdW/X35d7?= =?us-ascii?q?2Y2rZVW+sOD4tXfP2ZRsfXdPFdKjoziDUWJvy8f9zdrrY+1FLEV20ZHLfU9A7W?= =?us-ascii?q?cEnDWfGYxjT2Ta0JroM0vWwu4duWkShpQIrSOLPKnzez9sadiyGCtKWKTmwqZF?= =?us-ascii?q?Y4qPgPDGmI3F9LL2RSWIJdg13kXqPVPxUE73kuk+87nkZUdQ=3D=3D?= X-IPAS-Result: =?us-ascii?q?A2H0DQC3TyhZ/wHyM5BdGgEBAQECAQEBAQgBAQEBFQEBAQE?= =?us-ascii?q?CAQEBAQgBAQEBgwEmA2WBCoNvhn+EDJBRIYx7iwIshX4Dgw5XAQEBAQEBAQECA?= =?us-ascii?q?QJoKIIzJIJCBgECIARVAwkBARcIBQISEAQCAgMBQxAZBYhTgVKrO4FsOiYCi1+?= =?us-ascii?q?BC4VUgV42hzZeDII+gmABBIk9Cog9jB+KVYpZiHUQFwyGSYkBi01YgQowIQgbF?= =?us-ascii?q?YUFRByBf1qGW4IuAQEB?= Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1]) by emsm-gh1-uea10.nsa.gov with ESMTP; 26 May 2017 15:59:56 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v4QFxtgO005735; Fri, 26 May 2017 11:59:55 -0400 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id v4QFwQQM247952 for ; Fri, 26 May 2017 11:58:27 -0400 Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v4QFwQCE005358 for ; Fri, 26 May 2017 11:58:26 -0400 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A1AMBwAfUChZhxy3hNFdGwEBAQMBAQEJAQEBgywmaIEKg2+Gf4QMkFEhjHuLDYYkAoMKVwECAQEBAQECEwEBAQoLCQgohUgDAyMEYiAFAhIUAgJHEBmIWIFSqzuBbDqLVQwmgQuFVIFeNoc2XgyCPoJgAQSJPQqIPYwfilWKWYh1ECOGSYkBi02BYTAhCBsVhUkQDIF/JDaGW4IuAQEB X-IPAS-Result: A1AMBwAfUChZhxy3hNFdGwEBAQMBAQEJAQEBgywmaIEKg2+Gf4QMkFEhjHuLDYYkAoMKVwECAQEBAQECEwEBAQoLCQgohUgDAyMEYiAFAhIUAgJHEBmIWIFSqzuBbDqLVQwmgQuFVIFeNoc2XgyCPoJgAQSJPQqIPYwfilWKWYh1ECOGSYkBi02BYTAhCBsVhUkQDIF/JDaGW4IuAQEB X-IronPort-AV: E=Sophos;i="5.38,398,1491278400"; d="scan'208";a="6068033" Received: from emsm-gh1-uea11.corp.nsa.gov (HELO emsm-gh1-uea11.nsa.gov) ([10.208.41.37]) by goalie.tycho.ncsc.mil with ESMTP; 26 May 2017 11:58:12 -0400 IronPort-PHdr: =?us-ascii?q?9a23=3AEcxkuxW9K7b4OeaJjrED5LCH/sDV8LGtZVwlr6E/?= =?us-ascii?q?grcLSJyIuqrYYhOGt8tkgFKBZ4jH8fUM07OQ6PG/Hzdeqsfb+Fk5M7V0Hycfjs?= =?us-ascii?q?sXmwFySOWkMmbcaMDQUiohAc5ZX0Vk9XzoeWJcGcL5ekGA6ibqtW1aFRrwLxd6?= =?us-ascii?q?KfroEYDOkcu3y/qy+5rOaAlUmTaxe71/IRG0oAnLuMQbgIRuJ6IvxhDUvnZGZu?= =?us-ascii?q?NayH9yK1mOhRj8/MCw/JBi8yRUpf0s8tNLXLv5caolU7FWFSwqPG8p6sLlsxnD?= =?us-ascii?q?VhaP6WAHUmoKiBpIAhPK4w/8U5zsryb1rOt92C2dPc3rUbA5XCmp4ql3RBP0ji?= =?us-ascii?q?oMKjg0+3zVhMNtlqJWuA+vqRxhzYDaY4+aNvR+ca3SctwGSmRMRdpRWi5bD4+g?= =?us-ascii?q?c4cCFegMMOBFpIf9vVsOqh6+CBG2Cuz11z9IgmL906o90+QmCwHJwhErEtUWsH?= =?us-ascii?q?TRq9X1M70SXv6uwanS0zrMcvNW1i3h6ITSbh8hpvSMUKt2fMHMykcvDxvIgkuM?= =?us-ascii?q?pYHhJT+Zy+oAv3aB4+Z9Vu+ihXQrpx9yrzWp28wikJPGhpgPxVDB7Sh5wJg6Jd?= =?us-ascii?q?m/SENjZN6lH4ZcuzuAN4RoX8wiQ3tnuDogxrIavp67eTAGyJUhxxHBd/yKa5aE?= =?us-ascii?q?7g7nWeqLPDt1imxpdKiiixux/0Ws0PPwW8qs3FZPtCVFk93Mtn4X1xzU78iKUu?= =?us-ascii?q?N9/kKm2TaIzQDc9PpJIVoqmqXGK54u2KIwmoAPvkTEGy/6gF/2g7OOdkU45uio?= =?us-ascii?q?7PzqYq74qZ+YNo90jBz+M6s1l8yjAeU3LggOX2+B9eS6z73s51f1QLpNjv0owe?= =?us-ascii?q?Hlt8XBKMAaoLOpKxNE2YYkrRCkBnGp18pLs2MAKQd9cQ+Dx63uPEvDaKTgCPC4?= =?us-ascii?q?mVmEijpnx/naeLbmB8OefTD4jL79cOMluAZnww0pwIUH6g=3D=3D?= X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0FHCwC3TyhZhxy3hNFdGwEBAQMBAQEJA?= =?us-ascii?q?QEBFgEBAQMBAQEJAQEBgwEmaIEKg2+Gf4QMkFEhjHuLDYYkAoMKVwEBAQEBAQE?= =?us-ascii?q?BAgECEAEBAQoLCQgoL4IzIoJEAwMjBGIgBQISFAICRxAZiFiBUqs7gWw6i1UMJ?= =?us-ascii?q?oELhVSBXjaHNl4Mgj6CYAEEiT0KiD2MH4pVilmIdRAjhkmJAYtNgWIwIQgbFYV?= =?us-ascii?q?JEAyBfyQ2hluCLgEBAQ?= X-IPAS-Result: =?us-ascii?q?A0FHCwC3TyhZhxy3hNFdGwEBAQMBAQEJAQEBFgEBAQMBAQE?= =?us-ascii?q?JAQEBgwEmaIEKg2+Gf4QMkFEhjHuLDYYkAoMKVwEBAQEBAQEBAgECEAEBAQoLC?= =?us-ascii?q?QgoL4IzIoJEAwMjBGIgBQISFAICRxAZiFiBUqs7gWw6i1UMJoELhVSBXjaHNl4?= =?us-ascii?q?Mgj6CYAEEiT0KiD2MH4pVilmIdRAjhkmJAYtNgWIwIQgbFYVJEAyBfyQ2hluCL?= =?us-ascii?q?gEBAQ?= X-IronPort-AV: E=Sophos;i="5.38,398,1491264000"; d="scan'208";a="6146344" X-IronPort-Outbreak-Status: No, level 0, Unknown - Unknown Received: from mx1.redhat.com ([209.132.183.28]) by emsm-gh1-uea11.nsa.gov with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 26 May 2017 15:58:11 +0000 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 97BF82B0A72 for ; Fri, 26 May 2017 15:58:10 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 97BF82B0A72 Authentication-Results: ext-mx05.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx05.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=pmoore@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 97BF82B0A72 Received: from [127.0.0.1] (ovpn-125-205.rdu2.redhat.com [10.10.125.205]) by smtp.corp.redhat.com (Postfix) with ESMTP id 30DFF808C5; Fri, 26 May 2017 15:58:10 +0000 (UTC) Subject: [PATCH 2/2] all: use ./tools/check-syntax to fix the existing code From: Paul Moore To: selinux@tycho.nsa.gov Date: Fri, 26 May 2017 11:58:09 -0400 Message-ID: <149581428964.13714.3317522790537623046.stgit@sifl> In-Reply-To: <149581413266.13714.10451742889870299166.stgit@sifl> References: <149581413266.13714.10451742889870299166.stgit@sifl> User-Agent: StGit/0.17.1-dirty MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]); Fri, 26 May 2017 15:58:10 +0000 (UTC) X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP From: Paul Moore The results of running './tools/check-syntax -f' across the repo. Signed-off-by: Paul Moore --- tests/cap_userns/userns_child_exec.c | 455 ++++++++++++++++++---------------- tests/mmap/mprotect_stack_thread.c | 3 tests/mmap/shmat.c | 2 tests/unix_socket/client.c | 14 + tests/unix_socket/server.c | 8 - 5 files changed, 253 insertions(+), 229 deletions(-) diff --git a/tests/cap_userns/userns_child_exec.c b/tests/cap_userns/userns_child_exec.c index 78aa9aa..bfff944 100644 --- a/tests/cap_userns/userns_child_exec.c +++ b/tests/cap_userns/userns_child_exec.c @@ -28,11 +28,11 @@ on the value in 'errno' and terminate the calling process */ #define errExit(msg) do { perror(msg); exit(EXIT_FAILURE); \ - } while (0) + } while (0) struct child_args { - char **argv; /* Command to be executed by child, with args */ - int pipe_fd[2]; /* Pipe used to synchronize parent and child */ + char **argv; /* Command to be executed by child, with args */ + int pipe_fd[2]; /* Pipe used to synchronize parent and child */ }; static int verbose; @@ -40,38 +40,38 @@ static int verbose; static void usage(char *pname) { - fprintf(stderr, "Usage: %s [options] cmd [arg...]\n\n", pname); - fprintf(stderr, "Create a child process that executes a shell " - "command in a new user namespace,\n" - "and possibly also other new namespace(s).\n\n"); - fprintf(stderr, "Options can be:\n\n"); + fprintf(stderr, "Usage: %s [options] cmd [arg...]\n\n", pname); + fprintf(stderr, "Create a child process that executes a shell " + "command in a new user namespace,\n" + "and possibly also other new namespace(s).\n\n"); + fprintf(stderr, "Options can be:\n\n"); #define fpe(str) fprintf(stderr, " %s", str); - fpe("-i New IPC namespace\n"); - fpe("-m New mount namespace\n"); - fpe("-n New network namespace\n"); - fpe("-p New PID namespace\n"); - fpe("-u New UTS namespace\n"); - fpe("-U New user namespace\n"); - fpe("-M uid_map Specify UID map for user namespace\n"); - fpe("-G gid_map Specify GID map for user namespace\n"); - fpe("-z Map user's UID and GID to 0 in user namespace\n"); - fpe(" (equivalent to: -M '0 1' -G '0 1'\n"); - fpe("-v Display verbose messages\n"); - fpe("-t Test clone flags combination is supported\n"); - fpe("\n"); - fpe("If -z, -M, or -G is specified, -U is required.\n"); - fpe("It is not permitted to specify both -z and either -M or -G.\n"); - fpe("\n"); - fpe("Map strings for -M and -G consist of records of the form:\n"); - fpe("\n"); - fpe(" ID-inside-ns ID-outside-ns len\n"); - fpe("\n"); - fpe("A map string can contain multiple records, separated" - " by commas;\n"); - fpe("the commas are replaced by newlines before writing" - " to map files.\n"); - - exit(EXIT_FAILURE); + fpe("-i New IPC namespace\n"); + fpe("-m New mount namespace\n"); + fpe("-n New network namespace\n"); + fpe("-p New PID namespace\n"); + fpe("-u New UTS namespace\n"); + fpe("-U New user namespace\n"); + fpe("-M uid_map Specify UID map for user namespace\n"); + fpe("-G gid_map Specify GID map for user namespace\n"); + fpe("-z Map user's UID and GID to 0 in user namespace\n"); + fpe(" (equivalent to: -M '0 1' -G '0 1'\n"); + fpe("-v Display verbose messages\n"); + fpe("-t Test clone flags combination is supported\n"); + fpe("\n"); + fpe("If -z, -M, or -G is specified, -U is required.\n"); + fpe("It is not permitted to specify both -z and either -M or -G.\n"); + fpe("\n"); + fpe("Map strings for -M and -G consist of records of the form:\n"); + fpe("\n"); + fpe(" ID-inside-ns ID-outside-ns len\n"); + fpe("\n"); + fpe("A map string can contain multiple records, separated" + " by commas;\n"); + fpe("the commas are replaced by newlines before writing" + " to map files.\n"); + + exit(EXIT_FAILURE); } /* Update the mapping file 'map_file', with the value provided in @@ -89,30 +89,30 @@ usage(char *pname) static void update_map(char *mapping, char *map_file) { - int fd, j; - size_t map_len; /* Length of 'mapping' */ - - /* Replace commas in mapping string with newlines */ - - map_len = strlen(mapping); - for (j = 0; j < map_len; j++) - if (mapping[j] == ',') - mapping[j] = '\n'; - - fd = open(map_file, O_RDWR); - if (fd == -1) { - fprintf(stderr, "ERROR: open %s: %s\n", map_file, - strerror(errno)); - exit(EXIT_FAILURE); - } - - if (write(fd, mapping, map_len) != map_len) { - fprintf(stderr, "ERROR: write %s: %s\n", map_file, - strerror(errno)); - exit(EXIT_FAILURE); - } - - close(fd); + int fd, j; + size_t map_len; /* Length of 'mapping' */ + + /* Replace commas in mapping string with newlines */ + + map_len = strlen(mapping); + for (j = 0; j < map_len; j++) + if (mapping[j] == ',') + mapping[j] = '\n'; + + fd = open(map_file, O_RDWR); + if (fd == -1) { + fprintf(stderr, "ERROR: open %s: %s\n", map_file, + strerror(errno)); + exit(EXIT_FAILURE); + } + + if (write(fd, mapping, map_len) != map_len) { + fprintf(stderr, "ERROR: write %s: %s\n", map_file, + strerror(errno)); + exit(EXIT_FAILURE); + } + + close(fd); } /* Linux 3.19 made a change in the handling of setgroups(2) and the @@ -127,68 +127,68 @@ update_map(char *mapping, char *map_file) static void proc_setgroups_write(pid_t child_pid, char *str) { - char setgroups_path[PATH_MAX]; - int fd; + char setgroups_path[PATH_MAX]; + int fd; - snprintf(setgroups_path, PATH_MAX, "/proc/%ld/setgroups", - (long) child_pid); + snprintf(setgroups_path, PATH_MAX, "/proc/%ld/setgroups", + (long) child_pid); - fd = open(setgroups_path, O_RDWR); - if (fd == -1) { + fd = open(setgroups_path, O_RDWR); + if (fd == -1) { - /* We may be on a system that doesn't support - /proc/PID/setgroups. In that case, the file won't exist, - and the system won't impose the restrictions that Linux 3.19 - added. That's fine: we don't need to do anything in order - to permit 'gid_map' to be updated. + /* We may be on a system that doesn't support + /proc/PID/setgroups. In that case, the file won't exist, + and the system won't impose the restrictions that Linux 3.19 + added. That's fine: we don't need to do anything in order + to permit 'gid_map' to be updated. - However, if the error from open() was something other than - the ENOENT error that is expected for that case, let the - user know. */ + However, if the error from open() was something other than + the ENOENT error that is expected for that case, let the + user know. */ - if (errno != ENOENT) - fprintf(stderr, "ERROR: open %s: %s\n", setgroups_path, - strerror(errno)); - return; - } + if (errno != ENOENT) + fprintf(stderr, "ERROR: open %s: %s\n", setgroups_path, + strerror(errno)); + return; + } - if (write(fd, str, strlen(str)) == -1) - fprintf(stderr, "ERROR: write %s: %s\n", setgroups_path, - strerror(errno)); + if (write(fd, str, strlen(str)) == -1) + fprintf(stderr, "ERROR: write %s: %s\n", setgroups_path, + strerror(errno)); - close(fd); + close(fd); } static int dummyFunc(void *arg) { - exit(0); + exit(0); } static int /* Start function for cloned child */ childFunc(void *arg) { - struct child_args *args = (struct child_args *) arg; - char ch; + struct child_args *args = (struct child_args *) arg; + char ch; - /* Wait until the parent has updated the UID and GID mappings. - See the comment in main(). We wait for end of file on a - pipe that will be closed by the parent process once it has - updated the mappings. */ + /* Wait until the parent has updated the UID and GID mappings. + See the comment in main(). We wait for end of file on a + pipe that will be closed by the parent process once it has + updated the mappings. */ - close(args->pipe_fd[1]); /* Close our descriptor for the write + close(args->pipe_fd[1]); /* Close our descriptor for the write end of the pipe so that we see EOF when parent closes its descriptor */ - if (read(args->pipe_fd[0], &ch, 1) != 0) { - fprintf(stderr, - "Failure in child: read from pipe returned != 0\n"); - exit(EXIT_FAILURE); - } + if (read(args->pipe_fd[0], &ch, 1) != 0) { + fprintf(stderr, + "Failure in child: read from pipe returned != 0\n"); + exit(EXIT_FAILURE); + } - /* Execute a shell command */ + /* Execute a shell command */ - printf("About to exec %s\n", args->argv[0]); - execvp(args->argv[0], args->argv); - errExit("execvp"); + printf("About to exec %s\n", args->argv[0]); + execvp(args->argv[0], args->argv); + errExit("execvp"); } #define STACK_SIZE (1024 * 1024) @@ -198,122 +198,145 @@ static char child_stack[STACK_SIZE]; /* Space for child's stack */ int main(int argc, char *argv[]) { - int flags, opt, map_zero, test_clone = 0; - pid_t child_pid; - struct child_args args; - char *uid_map, *gid_map; - const int MAP_BUF_SIZE = 100; - char map_buf[MAP_BUF_SIZE]; - char map_path[PATH_MAX]; - - /* Parse command-line options. The initial '+' character in - the final getopt() argument prevents GNU-style permutation - of command-line options. That's useful, since sometimes - the 'command' to be executed by this program itself - has command-line options. We don't want getopt() to treat - those as options to this program. */ - - flags = 0; - verbose = 0; - gid_map = NULL; - uid_map = NULL; - map_zero = 0; - while ((opt = getopt(argc, argv, "+imnpuUM:G:zvt")) != -1) { - switch (opt) { - case 'i': flags |= CLONE_NEWIPC; break; - case 'm': flags |= CLONE_NEWNS; break; - case 'n': flags |= CLONE_NEWNET; break; - case 'p': flags |= CLONE_NEWPID; break; - case 'u': flags |= CLONE_NEWUTS; break; - case 'v': verbose = 1; break; - case 'z': map_zero = 1; break; - case 'M': uid_map = optarg; break; - case 'G': gid_map = optarg; break; - case 'U': flags |= CLONE_NEWUSER; break; - case 't': test_clone = 1; break; - default: usage(argv[0]); - } - } - - /* -M or -G without -U is nonsensical */ - - if (((uid_map != NULL || gid_map != NULL || map_zero) && - !(flags & CLONE_NEWUSER)) || - (map_zero && (uid_map != NULL || gid_map != NULL))) - usage(argv[0]); - - args.argv = &argv[optind]; - - /* We use a pipe to synchronize the parent and child, in order to - ensure that the parent sets the UID and GID maps before the child - calls execve(). This ensures that the child maintains its - capabilities during the execve() in the common case where we - want to map the child's effective user ID to 0 in the new user - namespace. Without this synchronization, the child would lose - its capabilities if it performed an execve() with nonzero - user IDs (see the capabilities(7) man page for details of the - transformation of a process's capabilities during execve()). */ - - if (pipe(args.pipe_fd) == -1) - errExit("pipe"); - - /* Only test if clone flags combination is supported */ - if (test_clone) { - if (clone(dummyFunc, child_stack + STACK_SIZE, - flags | SIGCHLD, &args) == -1) { - if (verbose) - printf("clone(0x%x): %s\n", flags, strerror(errno)); - return errno; - } - return 0; - } - - /* Create the child in new namespace(s) */ - child_pid = clone(childFunc, child_stack + STACK_SIZE, - flags | SIGCHLD, &args); - if (child_pid == -1) - errExit("clone"); - - /* Parent falls through to here */ - - if (verbose) - printf("%s: PID of child created by clone() is %ld\n", - argv[0], (long) child_pid); - - /* Update the UID and GID maps in the child */ - - if (uid_map != NULL || map_zero) { - snprintf(map_path, PATH_MAX, "/proc/%ld/uid_map", - (long) child_pid); - if (map_zero) { - snprintf(map_buf, MAP_BUF_SIZE, "0 %ld 1", (long) getuid()); - uid_map = map_buf; - } - update_map(uid_map, map_path); - } - - if (gid_map != NULL || map_zero) { - proc_setgroups_write(child_pid, "deny"); - - snprintf(map_path, PATH_MAX, "/proc/%ld/gid_map", - (long) child_pid); - if (map_zero) { - snprintf(map_buf, MAP_BUF_SIZE, "0 %ld 1", (long) getgid()); - gid_map = map_buf; - } - update_map(gid_map, map_path); - } - - /* Close the write end of the pipe, to signal to the child that we - have updated the UID and GID maps */ - - close(args.pipe_fd[1]); - - if (waitpid(child_pid, NULL, 0) == -1) /* Wait for child */ - errExit("waitpid"); - - if (verbose) - printf("%s: terminating\n", argv[0]); - - exit(EXIT_SUCCESS); + int flags, opt, map_zero, test_clone = 0; + pid_t child_pid; + struct child_args args; + char *uid_map, *gid_map; + const int MAP_BUF_SIZE = 100; + char map_buf[MAP_BUF_SIZE]; + char map_path[PATH_MAX]; + + /* Parse command-line options. The initial '+' character in + the final getopt() argument prevents GNU-style permutation + of command-line options. That's useful, since sometimes + the 'command' to be executed by this program itself + has command-line options. We don't want getopt() to treat + those as options to this program. */ + + flags = 0; + verbose = 0; + gid_map = NULL; + uid_map = NULL; + map_zero = 0; + while ((opt = getopt(argc, argv, "+imnpuUM:G:zvt")) != -1) { + switch (opt) { + case 'i': + flags |= CLONE_NEWIPC; + break; + case 'm': + flags |= CLONE_NEWNS; + break; + case 'n': + flags |= CLONE_NEWNET; + break; + case 'p': + flags |= CLONE_NEWPID; + break; + case 'u': + flags |= CLONE_NEWUTS; + break; + case 'v': + verbose = 1; + break; + case 'z': + map_zero = 1; + break; + case 'M': + uid_map = optarg; + break; + case 'G': + gid_map = optarg; + break; + case 'U': + flags |= CLONE_NEWUSER; + break; + case 't': + test_clone = 1; + break; + default: + usage(argv[0]); + } + } + + /* -M or -G without -U is nonsensical */ + + if (((uid_map != NULL || gid_map != NULL || map_zero) && + !(flags & CLONE_NEWUSER)) || + (map_zero && (uid_map != NULL || gid_map != NULL))) + usage(argv[0]); + + args.argv = &argv[optind]; + + /* We use a pipe to synchronize the parent and child, in order to + ensure that the parent sets the UID and GID maps before the child + calls execve(). This ensures that the child maintains its + capabilities during the execve() in the common case where we + want to map the child's effective user ID to 0 in the new user + namespace. Without this synchronization, the child would lose + its capabilities if it performed an execve() with nonzero + user IDs (see the capabilities(7) man page for details of the + transformation of a process's capabilities during execve()). */ + + if (pipe(args.pipe_fd) == -1) + errExit("pipe"); + + /* Only test if clone flags combination is supported */ + if (test_clone) { + if (clone(dummyFunc, child_stack + STACK_SIZE, + flags | SIGCHLD, &args) == -1) { + if (verbose) + printf("clone(0x%x): %s\n", flags, strerror(errno)); + return errno; + } + return 0; + } + + /* Create the child in new namespace(s) */ + child_pid = clone(childFunc, child_stack + STACK_SIZE, + flags | SIGCHLD, &args); + if (child_pid == -1) + errExit("clone"); + + /* Parent falls through to here */ + + if (verbose) + printf("%s: PID of child created by clone() is %ld\n", + argv[0], (long) child_pid); + + /* Update the UID and GID maps in the child */ + + if (uid_map != NULL || map_zero) { + snprintf(map_path, PATH_MAX, "/proc/%ld/uid_map", + (long) child_pid); + if (map_zero) { + snprintf(map_buf, MAP_BUF_SIZE, "0 %ld 1", (long) getuid()); + uid_map = map_buf; + } + update_map(uid_map, map_path); + } + + if (gid_map != NULL || map_zero) { + proc_setgroups_write(child_pid, "deny"); + + snprintf(map_path, PATH_MAX, "/proc/%ld/gid_map", + (long) child_pid); + if (map_zero) { + snprintf(map_buf, MAP_BUF_SIZE, "0 %ld 1", (long) getgid()); + gid_map = map_buf; + } + update_map(gid_map, map_path); + } + + /* Close the write end of the pipe, to signal to the child that we + have updated the UID and GID maps */ + + close(args.pipe_fd[1]); + + if (waitpid(child_pid, NULL, 0) == -1) /* Wait for child */ + errExit("waitpid"); + + if (verbose) + printf("%s: terminating\n", argv[0]); + + exit(EXIT_SUCCESS); } diff --git a/tests/mmap/mprotect_stack_thread.c b/tests/mmap/mprotect_stack_thread.c index fed9969..fe16caf 100644 --- a/tests/mmap/mprotect_stack_thread.c +++ b/tests/mmap/mprotect_stack_thread.c @@ -46,7 +46,8 @@ int main(int argc, char **argv) } if (!strcmp(argv[1], "fail") && strverscmp(uts.release, "4.7") < 0) { - printf("%s: Kernels < 4.7 do not check execstack on thread stacks, skipping.\n", argv[0]); + printf("%s: Kernels < 4.7 do not check execstack on thread stacks, skipping.\n", + argv[0]); /* pass the test by failing as if it was denied */ exit(1); } diff --git a/tests/mmap/shmat.c b/tests/mmap/shmat.c index 4467d64..56baaca 100644 --- a/tests/mmap/shmat.c +++ b/tests/mmap/shmat.c @@ -15,7 +15,7 @@ int main(void) exit(1); } execmem = shmat(shmid, 0, SHM_EXEC); - if (execmem == ((void *) -1)) { + if (execmem == ((void *) - 1)) { perror("shmat SHM_EXEC"); rc = 1; } else { diff --git a/tests/unix_socket/client.c b/tests/unix_socket/client.c index e937bf9..093c319 100644 --- a/tests/unix_socket/client.c +++ b/tests/unix_socket/client.c @@ -63,14 +63,14 @@ main(int argc, char **argv) sun.sun_family = AF_UNIX; if (abstract) { sun.sun_path[0] = 0; - strcpy(&sun.sun_path[1], argv[optind+1]); + strcpy(&sun.sun_path[1], argv[optind + 1]); sunlen = offsetof(struct sockaddr_un, sun_path) + - strlen(&sun.sun_path[1]) + 1; + strlen(&sun.sun_path[1]) + 1; } else { - strcpy(sun.sun_path, argv[optind+1]); + strcpy(sun.sun_path, argv[optind + 1]); unlink(sun.sun_path); sunlen = offsetof(struct sockaddr_un, sun_path) + - strlen(sun.sun_path) + 1; + strlen(sun.sun_path) + 1; } if (bind(sock, (struct sockaddr *) &sun, sunlen) < 0) { @@ -83,13 +83,13 @@ main(int argc, char **argv) remotesun.sun_family = AF_UNIX; if (abstract) { remotesun.sun_path[0] = 0; - strcpy(&remotesun.sun_path[1], argv[optind+2]); + strcpy(&remotesun.sun_path[1], argv[optind + 2]); remotesunlen = offsetof(struct sockaddr_un, sun_path) + strlen(&remotesun.sun_path[1]) + 1; } else { - strcpy(remotesun.sun_path, argv[optind+2]); + strcpy(remotesun.sun_path, argv[optind + 2]); remotesunlen = offsetof(struct sockaddr_un, sun_path) + - strlen(remotesun.sun_path) + 1; + strlen(remotesun.sun_path) + 1; } result = connect(sock, (struct sockaddr *) &remotesun, remotesunlen); diff --git a/tests/unix_socket/server.c b/tests/unix_socket/server.c index f882930..8f3e458 100644 --- a/tests/unix_socket/server.c +++ b/tests/unix_socket/server.c @@ -74,14 +74,14 @@ main(int argc, char **argv) sun.sun_family = AF_UNIX; if (abstract) { sun.sun_path[0] = 0; - strcpy(&sun.sun_path[1], argv[optind+1]); + strcpy(&sun.sun_path[1], argv[optind + 1]); sunlen = offsetof(struct sockaddr_un, sun_path) + - strlen(&sun.sun_path[1]) + 1; + strlen(&sun.sun_path[1]) + 1; } else { - strcpy(sun.sun_path, argv[optind+1]); + strcpy(sun.sun_path, argv[optind + 1]); unlink(sun.sun_path); sunlen = offsetof(struct sockaddr_un, sun_path) + - strlen(sun.sun_path) + 1; + strlen(sun.sun_path) + 1; } if (bind(sock, (struct sockaddr *) &sun, sunlen) < 0) {