From patchwork Fri Jun 22 21:18:20 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Paul Moore X-Patchwork-Id: 10483055 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 41F7F60230 for ; Fri, 22 Jun 2018 21:19:32 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2D73328FD9 for ; Fri, 22 Jun 2018 21:19:32 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 215CE2903C; Fri, 22 Jun 2018 21:19:32 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=2.0 tests=BAYES_00, MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED autolearn=unavailable version=3.3.1 Received: from USFB19PA13.eemsg.mail.mil (uphb19pa10.eemsg.mail.mil [214.24.26.84]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1E58428FD9 for ; Fri, 22 Jun 2018 21:19:30 +0000 (UTC) Received: from emsm-gh1-uea10.ncsc.mil ([214.29.60.2]) by USFB19PA13.eemsg.mail.mil with ESMTP/TLS/AES256-SHA; 22 Jun 2018 21:19:28 +0000 X-IronPort-AV: E=Sophos;i="5.51,258,1526342400"; d="scan'208";a="13132568" IronPort-PHdr: =?us-ascii?q?9a23=3A9GXPvR/K1EmuFf9uRHKM819IXTAuvvDOBiVQ1K?= =?us-ascii?q?B61+oTIJqq85mqBkHD//Il1AaPAd2Graocw8Pt8InYEVQa5piAtH1QOLdtbD?= =?us-ascii?q?Qizfssogo7HcSeAlf6JvO5JwYzHcBFSUM3tyrjaRsdF8nxfUDdrWOv5jAOBB?= =?us-ascii?q?r/KRB1JuPoEYLOksi7ze+/94HTbglSmDaxfa55IQmrownWqsQYm5ZpJLwryh?= =?us-ascii?q?vOrHtIeuBWyn1tKFmOgRvy5dq+8YB6/ShItP0v68BPUaPhf6QlVrNYFygpM3?= =?us-ascii?q?o05MLwqxbOSxaE62YGXWUXlhpIBBXF7A3/U5zsvCb2qvZx1S+HNsL4V7A0XS?= =?us-ascii?q?mp4bltRhHmlSwLMyc1/HzLhsB1iq9QvRCvqAFlw4PMYI+bKvRwcKDTctwVWG?= =?us-ascii?q?RBRsRcWzFPD4ygYIUAEfEBMP1Er4T/vVYCsQeyCBOyCO7p1zRGhmX23ao/0+?= =?us-ascii?q?k5Cw/JxhEgH9YTu3rTq9X1M70SXv6ox6TP1TXDavRW2TDn6IfWaR0hu++DUq?= =?us-ascii?q?9wccXL1UkjDR/KjlKVqYH8OT6ey+cDs3CD4uZ9Wu+ihHQrpgFsrjS12MshhZ?= =?us-ascii?q?fFipgIxlzc9Ch0wZw5KcC7RUN5e9KoDpVdui+AO4Z0TM4vRXxjtjwgxb0co5?= =?us-ascii?q?G7eTAHyJEgxxHCdfOKa5OI4hf/VOaJJjd4mW5ldKq/hxms9UigzfXxVtWu31?= =?us-ascii?q?ZQrypFj8LMumoR1x3T9seHSvx98l2n2TmTzADc9vtIIUU1larfM5Ihw7gwmY?= =?us-ascii?q?QPsUnbAyP7l0r7gLWWe0k54OSk9evqbqv8qpOBL4N0jxvxMqUqmsyxG+Q4NQ?= =?us-ascii?q?0OUnCA+eui0L3j/Ev5QKhFj/EviabZt43aJcIHqaGnGA9YyZoj6hajADem19?= =?us-ascii?q?QUh38HLElfdx6dgIjpPE/OLOjiDfijm1SsjCtrx/feM73jBZXNKGLMkKvhfb?= =?us-ascii?q?ln7U5R0wgzzddZ55JREL4BO+7zVVHrtNzDFBM5NBa0w+n/AtVnyoweQX6PAr?= =?us-ascii?q?OeMK7Ks1+I5PggLPWPZI8Ovzb9Lfkl5+D1gH83nV8dYKao0oAKaHC+AvRmPl?= =?us-ascii?q?+VYX32gtcOCW0KpBYxTPT2iF2eVj5ef26yULwn6T4lDoKmDJvDRoe2jbyAwi?= =?us-ascii?q?i0AINZanpBClCWHnfib5+EVOsUaCKOPs9hlSQJWqWmS48n0xGhqRH1y75mLu?= =?us-ascii?q?fP4CIXq4jj1N9v6+3UjxEy+iR+D96B3GGVU2F0gmQISicr06Bju0N90EyO3r?= =?us-ascii?q?R/g/xdCdNc/ehJUhsgOZ7a0eN6F8j4WhjdcdeRVFamXtKmDCkwTtI3398BfU?= =?us-ascii?q?J9FMunjh/dwyqqGb8UmqeMBJws7K3c2X3xKNx8y3bCz6YhiFYnTtFINW28ia?= =?us-ascii?q?517xLTCJLRk0WFi6aqcrwR0zDV9GiZ12qOvVpYXRVoUarfR3AfZ1DWrcz95k?= =?us-ascii?q?zYU7ChF64rMgxbyc6NMqFKcMHmjU1aRPf/P9TTe2ywm2a0BRaN2LyMdpHne2?= =?us-ascii?q?sD0yrAD0gEiRoc/W6cNQg5BCeuvX7RDCB0GVLoeUPs/vF0qGmnQU8s0wGKc0?= =?us-ascii?q?ph2qK7+h4Pn/OcTe8c3rMfuCo6rjV0BFe908vNC9uOvAptZqJcYcky4F1fz2?= =?us-ascii?q?LWqxR9PoC8L6BlnlMecB54v0Dp1xVqEYhAktIlrHAtzApvM66Y10lBdzyA15?= =?us-ascii?q?DqJrLXMnXy/Ayoa6POwF7RzcyW+qYR5/QisFjsph2mFk84/3VgydlV3GOW5o?= =?us-ascii?q?/WAwoKTZLxTkE3+gBmqL7AZiky+ZjU1WFsMKmzqTLCwM4mBOo7xRamY9dfMb?= =?us-ascii?q?mLGBX0E8IEG8ikMPYqlESxbhIYIOBS87Y5P9m7ePSbw6OrM+NgnT28gWRB/o?= =?us-ascii?q?99zlqG9zBgRe7Qw5YF3/aY0xOcVzfyllehtdv3mZxfaDEJGGq/ziblBItLaa?= =?us-ascii?q?10Z4oLD3mhI9GvzNVkm5HtQ2JY9EKkB14e1s6mYx6Sb0Dj0g1KzkQaumKnlj?= =?us-ascii?q?WizzNvjjEpq7CT3CvUw+TtbBAHIHJERHF+jVfwJoi5l84aXEm0YAg1kxul/1?= =?us-ascii?q?z2yLRbpKR4KWnTTlxFfyz3L2FkSKSwrL2Cb9RI6JMyviVdSP68bkyCSr7hvx?= =?us-ascii?q?sa1DvuH29fxDAgazGmo475kAJ+iGKcKnZzsXXYdNprxRfH5dzcQ/9R0SYdRC?= =?us-ascii?q?VijznYGES8NcGz/dqIj5fDrvy+V2W5W51JdinryYeAuzWh5WJ2Bh2+keu+ms?= =?us-ascii?q?b6EQcmyi/3zd5qVT/HrBzkeInky7y6Mf57fklvHFL86NR1GodlkoYrh5Efx3?= =?us-ascii?q?4aho6T/XUZjWf/K9Jb2bjxbHAVXz4E38bV4BT52E1kNn+J35j2VmiZwsR/f9?= =?us-ascii?q?m1eGUW2j4j4MBQE6qU8adEkjVvolqjtw7Rev99nioHyfQy9nEajeYJuBAizi?= =?us-ascii?q?qDGLwSG1dXPTD0nRSS89++tLlXZHqocbWoykp+m82uAaqcogFaRXn5eo0uHS?= =?us-ascii?q?lu4cVjKFjMymH86pn4eNnMatIergWUnA3dj+hRM58+ivsKhTZnOG7ks30q0e?= =?us-ascii?q?g7gQZp3ZGgs4iNM39t876hAh5EKj31YNse+jLtjKZagMmbxIWvHpJvGjUFQp?= =?us-ascii?q?ToUe6oEDIVtfTiKQmCCjs8pWmHGbDHBw+Q9F9mr27TE5CsL3yXKmMWzdN+RB?= =?us-ascii?q?maIUxSmw4UUysnkZ4+DACl3tThcF1+5jAT+FH3tgdMxvhvNxnlXWfVvB2oZS?= =?us-ascii?q?ssSJiDMBpW6RlP50nPMcOA8+1zBDtX/pu9rAyKMWyWfB5HAn0MWkCeAFDjJL?= =?us-ascii?q?au78Ha8+eEHuq+M+fOYbKWpONFTPiEwpav0op9/zaQLcWDJGJiAOMn1UZZRn?= =?us-ascii?q?B2BcDZmzQJSywKmCPAdNKUpRem+i1qtcCz6vrqVxjz5YuUDLtSN89j+xesga?= =?us-ascii?q?eML+SQnjp2KS5E1pMQwn/F0L4f3F8WiyFqaTatCq8NujTTQ6LKna9bFRkbaz?= =?us-ascii?q?l8NMFQ9aIzwhFNOdLHitPyzrN3lf81C1hCVVzngcymeNIFLHq8NFzdAkaHLr?= =?us-ascii?q?OGJSfEw8vve6OzVaVQjPlItx23oTuUCUDjMS6dlzb3TB2vNvlMgz+dPBxboo?= =?us-ascii?q?69cxJtBnPkTNPpcBG7N8V3jTIuy70umnzKLXIcMSR7c05Vsr2Q6iZYju9lG2?= =?us-ascii?q?xG73tqM++ElD2D7+nfNJkWsuBmDThzl+Jf/Hs10aBV7D1eSPxzhiTSssZko0?= =?us-ascii?q?u6nemX1jpnTB1Opy5JhIKLvURiIaLZ9p1BWXbY4h0A9mCQCxUWp9t/FNLjoa?= =?us-ascii?q?dQysLAlKjrMjdN78rU/dcAB8jTMM+HNmQuPgDtGDPPDwsFSiWrNX3FiExbi/?= =?us-ascii?q?GS9XyVooI8qpfyhJoEUqVbW0AtFvMGFkRlG8QPII1pUTM/j7GUltQI6ma+rB?= =?us-ascii?q?TKX8pav4rHWe+VAfXhMDaZl6dLZhsSzbP+M4sTKpXx21Z+ZVligITKB03QUM?= =?us-ascii?q?hQrSJ7cA80oVhC8GNlQ2IpwULlcASt4XEIFfGqghE2lxF+YeUx9Dbs+Vs3IE?= =?us-ascii?q?TFpDcomkkrhdrlmSyRcCL2LKqoWYFWDDD0uFY3MpL6RAZ4dgKynUp5NDveQL?= =?us-ascii?q?JRlbRgf3hxiADAoZtPBeJcTapcbR8L2/6XY/Qo0VJBqiSo3kJI+ezFCZ5+mw?= =?us-ascii?q?Qwap6ss2hM2wR9Y94pPabQPrZGzkBMhqKSuS+lzv0+zxMbJ0YK9mOSZDMEtV?= =?us-ascii?q?cWNrY4PSqo/+1t6QuEmzdZfmgDSeYqqOpw9kwhI+SA0z7g07lbJ0CtNuyfKq?= =?us-ascii?q?SZu3TAlc+IWV4/y0IIlklf8rdty8sjdVSbV1w3xruLCxsJLdbCKR1Sb8dK7n?= =?us-ascii?q?fTeSeOvvnTzp1tOoW8FuboTeiItKkOmU+rBwcpEJ4K7sgYEJmszVvULcH5I7?= =?us-ascii?q?4Z0R8t/hjkJE2ZDPRVfxKGiCwIrN+5zJJsx4ZSOy8dDntnMSWs/LnXvA8rjO?= =?us-ascii?q?CEXNcsbXcQRpEEOW4uWM2mhy5ZuGxNDCOx0uIY1AeC7zj8piDLDDfkdtRtee?= =?us-ascii?q?2aaA9rBtyt5To/9K22hkLN/ZXFO2H2L9JitcHT6ekCvZaIF+tUTaVhs0fbg4?= =?us-ascii?q?RXW36qXHTTHtOuO5fwbI0sbdj1CnmkSFy/lyw6QNvxPNq3KaiImw7oT55OsI?= =?us-ascii?q?aHxDAjKdO9FjYGFhdqve4D/qV8ahYYbponex7nrRo+OLK7IAeZ1NWuTGKtKT?= =?us-ascii?q?pZT/lf0eW6aaZYzzApbuOgznsvUI06xfGt8UERXJEKkg3exfG7aohQSyT8Bn?= =?us-ascii?q?xdewTKpSo4jWdhNf0/wuYhzxzWr1YQKTeLdPZmaGZcpdEzGUuSIWlqCmo/X1?= =?us-ascii?q?KciJDM4hSv378M4ytdntBU0eJevXnwpJDfZi6jWKisqZXIriUgdsIqo6tvPo?= =?us-ascii?q?z/OsGGro/RniTDTJnMtQ2ISDa6F/1emtdKOiJZTv5ImWUrOcEdvIpB7k0xVt?= =?us-ascii?q?wgKLNTEqksoauqaSFlDS4Uwi8VTYSA3CYNgu2kwbvVig+QcIg+MBwDqJhNmM?= =?us-ascii?q?EdUzNwYi8Ep6+uTITWl26FSmgXOwgf9wJM6xwcloVoZODq/JLITINQyz5Ru/?= =?us-ascii?q?90TizLFpxz+lvnVm2WhEP3RO+nk+O3wQJY1Ojs3cUDWB5jFUhdwP5blkkvKL?= =?us-ascii?q?5pMKQfo5DFsiSWekPgoGLi1vapKENXycLKa13yFJDFunbkUi0A5X0UQpdCyG?= =?us-ascii?q?3CGpsPkgp2cqIrqU5QL4Chf0bx+yYrx591H7WiU8Ck2Uolp24cRyi2C9pBF/?= =?us-ascii?q?1msFXPVTJ+bZCktInpNpdPTmJe45CSt1BZkEBxPCGj0ppcN9tB4jgSUzhTuT?= =?us-ascii?q?+dpse9SNVf2c9qCJ8BOs1/tGngF6NEIpeRv2Y7urjoyn/H5T8wrku1xDKuFK?= =?us-ascii?q?CmVe5Z+XMRGhkxLWSEtkYvF/cs8nvV8l3VqlB05PtbCaKSgkVtuzt9BZdOBi?= =?us-ascii?q?tT1X+5MVtzSmVGs/9AJ6TRacBcROMyZRC3MRwkCfEmx1CJ/V1znXrhfyxyrB?= =?us-ascii?q?VV9D7AUAQvSCkVhqvtmScEpcG5OD8aTJZIYis9byvfLAKbgy9Xtg5Fa052Q5?= =?us-ascii?q?AZHspF+7YD0ItR5MXCTUKsJj8ZXBx+LA03y+FSlUhdv0WEYiDSERCnde7RvR?= =?us-ascii?q?Fte8eestKpJuzj/AhbkoPnrPw496IbSn2kgwKtW9fer5T4ttKQqEuDb6L4M/?= =?us-ascii?q?C4YX/dTTjDkRGwiq0iD5nR5STTNxBbK5Ziw3o+fZfhEXLLPQhBJ68DJUpUT6?= =?us-ascii?q?Z6adtcouBdesBrZr0E+bN3CRKBXRPvH5ajrP9YIVbPXT7eNTmO8vSjoYLP6r?= =?us-ascii?q?zQUefgZtGNx3bDR6J4IJJ65CLmFLj0yoBe+1D52vF3+kN9U1jGPDiLrM79KQ?= =?us-ascii?q?MT+Mmiakzis4UrHTPXBZd9i3/tyV9AdsUJWS2q8ZIYyJxD5Hb2V+14zlD5sP?= =?us-ascii?q?dO+Ll89Yk3/7dpxN+yJafWMvlasElnAh2OCgVr8JUtDnJ/SHpKYu8NMvfRYL?= =?us-ascii?q?gWjdzzq+DtCaMb8hqV+/ZWadHfPUHOhtG/Ci2ASRxDhAoBrDkaLg2A1/6Kha?= =?us-ascii?q?B5UsOlpenj1UIr/Ve+MhAHzLd35YeH4aqEvunXYAXNzbIcQKjlWtvzrqgwu0?= =?us-ascii?q?OV/fAkkKUOeml1bgC8HugSSNMSxmD6za8w1SIsCcTDH7D+9/FfS3I1hDXgm4?= =?us-ascii?q?pyH18OAPMbAaKL/ZhCnmc/g+HZN9wXfbpYlWmTDhOkCaENyWK15CSLOmVlhQ?= =?us-ascii?q?vO0x7oS2Op8FD2tTN4QTfLz9r7iUVVV6K3BElIUCqrOE94rCuPMxD1tNrzoq?= =?us-ascii?q?k68EY2PXH6u92XiWuhIrRXH9flK9CGJik0vl0XhoUrRtOzwYAbBca9INAJ/X?= =?us-ascii?q?FmdPTe93+kky9PoqdAnYre4diZ+u7JEnmkjq2araiNxT9Dx3ggp14/9syvNv?= =?us-ascii?q?HA5t2NWfSo1HwdTyRhtAvbWR66tLjbo0oTOUyR30fBgJYKMc1B3XkkykHm4/?= =?us-ascii?q?AuQN0p+wVECInAe/MCqCv3ODv13VaQfdI3WTOD0ztMBF71F0d3GLQk0mLqoM?= =?us-ascii?q?3JjWvQ+0EvRoRoeEzomxp3D5k/KUIq71QX2TQMEQwMaRCdEbGpCl/oLY8aWk?= =?us-ascii?q?gZaRWIxqK2eqEp0k1v2rmv/vPcbfRgB6oRMfZQlgiOnFlHFZIRta0RWql8d0?= =?us-ascii?q?Vc9K7QoQjiEJPnUuPjlXc/Ovy5WMda8doWt3E6+AawWwKg6Ytf77YckJ2Ieb?= =?us-ascii?q?JLYYPXvMxl8klp6jgBdi1LgBhigBK0Su8cpOX57djdrpWk8OGuVLwiR+8P7R?= =?us-ascii?q?g7G3x+j4fsgFAkudzX1eBcSo3TiYjl7A9NI3qKuJvH3Bh9KOoOLZmrfLVh93?= =?us-ascii?q?gcOSgeJmwOMsCSa/Yh4i9hKjPT6EJeAskUf9MXINLNmRxIik3uQLxT99TbFU?= =?us-ascii?q?WeC4poc8Ao8nf4yDEy8ZsnSOrg7yW2JZ/H5VFXI/xDlDlslM7FpOUNw/rdFi?= =?us-ascii?q?YX4XedaxVuzCKN0Z+NBOjs/emWztHbSU8GFDYsU4hBPDqC5RCnRu2tmZXmVg?= =?us-ascii?q?OU7cHyj4w6dEKUXXGxh6MFsqBNEeFckCn72CZRFpztjfKPr9Ws8HdXtkFAEI?= =?us-ascii?q?tr6B3FGaZfPpZ8ORnjlMmkXEt8Biz5eM7KcBoiouyWyfkQ4+9mLUvxeZcbIg?= =?us-ascii?q?4Yy7L98XdaVRVhSLjqvluCRuIRYNxmSO/YrnBL941vNrUDPF+HpJzltj1Isk?= =?us-ascii?q?w5ABc1aL8sqTxXbkfOkxNRW6b1oL4PlBARUN94uU9JHGK/Jng+5z7ZWqhPi6?= =?us-ascii?q?mREvMV+C2JTqMSS0VoLj9+QxSt1ZRgY7uph/FHvX9YkS5mpfgq0iBmRAGiti?= =?us-ascii?q?H2oKINwz0g8qmitDodoXxFUvmekyDQBFVEyPQFk7wRC27m6VOme3kDcIry76?= =?us-ascii?q?V7JcT664Yu/W4zYRM9cC0aRe6gET3/j7uUAoyTt9JRnBqNuMTIbb+uIikeL7?= =?us-ascii?q?A9yRP4R3hhyQjThxdo/3ENQjWn9tMkI5+9Ock9zCqyBWfbbEoM4r9OsMbpsF?= =?us-ascii?q?4EVvc5aVNgwGVl1ciKXTMNRM3JG2kriggkaGNEcI9M6BMAEKkomDmItLFc/g?= =?us-ascii?q?4IeDfUDpil+o7IkMfKw3Y9TtBqyXnNq62YgJMqzH1lm9Rp7i6BuHQSa/bUU8?= =?us-ascii?q?lyDXjvzo1f0/DxZ+2xsuAbT4tr0LahUPoFMsm542u22Y5qV1SjxrsEGlq2Lu?= =?us-ascii?q?4Dyq3cUye/Rm2SQf6LfHSUnzYlLk7y4gGlLkY5aMdPs0AwM+jPi4VClwL/S7?= =?us-ascii?q?N0RySRpVjdzGA5N+MVaR4268+bfFkMQfIdava0O+cj2rs9BUEKYnuPGjF5WM?= =?us-ascii?q?Gstlv4pIFmPz1F5kLgbKy56gXhN8GfMgMJHY7Tsth6/vnsFTHJAmNp0BAnZB?= =?us-ascii?q?o8zOzYDVlk87YEKczDlMXMh9l9ze8OfutsNit4oNMIh4Z/8tPMipW3Wjb1lb?= =?us-ascii?q?3KDImJ5PWVBubQiUEje2UcV7sdMmaXr4k5P9tsXbrVEPMZuBkHHqE1TdQnMH?= =?us-ascii?q?u576B7Kg5/M0bRab24j9Osp7eNYZ1Z9Bq0pkkoInL6vBsOguexURQ9d4qj0m?= =?us-ascii?q?33J5cqSxpbotFtAwcgF4xKSIsbtwTyO5ePg+mgjsOpvUZzuusEq631X+jP09?= =?us-ascii?q?Oj0q1rUpRa7FDNNzHUV8wJyl99gLGKi+zbmoL0Fduked4AU71jRXXZb7bdAo?= =?us-ascii?q?ilAjeeY4TmdkJG+qLa27V8Xw=3D=3D?= X-IPAS-Result: =?us-ascii?q?A2BNBwDSZi1b/wHyM5BbHAEBAQQBAQoBAYNGA2UgShIoi?= =?us-ascii?q?31fi2CBY4EXi1+EB4QsFIFeEhgTAYMsgQ8DgwchNBgBAgEBAQEBAQIBbCiCN?= =?us-ascii?q?SSCVwIkExQgCwMDCQIfIQgIAwEtFR8LBRYCBIUEA654M4hHgQWIaIFWP4EPM?= =?us-ascii?q?4InhHwBEgGFdQKHNyGRUAmXCw+FOgErkT2BQThhcTMaCBsVO4JngiMXjjNTe?= =?us-ascii?q?gEBFItzgjkBAQ?= Received: from tarius.tycho.ncsc.mil ([144.51.242.1]) by EMSM-GH1-UEA10.NCSC.MIL with ESMTP; 22 Jun 2018 21:19:27 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus.infosec.tycho.ncsc.mil [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id w5MLIQeQ028842; Fri, 22 Jun 2018 17:18:40 -0400 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id w5MLIIi1035762 for ; Fri, 22 Jun 2018 17:18:18 -0400 Received: from goalie.tycho.ncsc.mil (goalie.infosec.tycho.ncsc.mil [144.51.242.250]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id w5MLIPDf028840 for ; Fri, 22 Jun 2018 17:18:25 -0400 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A1CICgBIZi1bly0YGNZbHgEGDINGaGoSK?= =?us-ascii?q?IN5iGOLYIFjgReLX4QHhiULLIMsgRSDBSE4FAECAQEBAQEBAhQBAQEBAQYYBoY?= =?us-ascii?q?qBFIwBQImAkkpG4MKggADrQ+BaTOISIEFgQuHXYFWP4EPM4IniDCCVQKHNyGRU?= =?us-ascii?q?AmXCw+FOyuRPYFYgXMzGggbFYMigiMOCRGOIlOBEI4sAQE?= X-IPAS-Result: =?us-ascii?q?A1CICgBIZi1bly0YGNZbHgEGDINGaGoSKIN5iGOLYIFjgRe?= =?us-ascii?q?LX4QHhiULLIMsgRSDBSE4FAECAQEBAQEBAhQBAQEBAQYYBoYqBFIwBQImAkkpG?= =?us-ascii?q?4MKggADrQ+BaTOISIEFgQuHXYFWP4EPM4IniDCCVQKHNyGRUAmXCw+FOyuRPYF?= =?us-ascii?q?YgXMzGggbFYMigiMOCRGOIlOBEI4sAQE?= X-IronPort-AV: E=Sophos;i="5.51,258,1526356800"; d="scan'208";a="308404" Received: from emsm-gh1-uea10.ncsc.mil ([214.29.60.34]) by goalie.tycho.ncsc.mil with ESMTP; 22 Jun 2018 17:18:24 -0400 IronPort-PHdr: =?us-ascii?q?9a23=3AMrK9ahb5qvTDlgInomNAd1z/LSx+4OfEezUN45?= =?us-ascii?q?9isYplN5qZoMy7bnLW6fgltlLVR4KTs6sC17KL9fi4EUU7or+5+EgYd5JNUx?= =?us-ascii?q?JXwe43pCcHRPC/NEvgMfTxZDY7FskRHHVs/nW8LFQHUJ2mPw6arXK99yMdFQ?= =?us-ascii?q?viPgRpOOv1BpTSj8Oq3Oyu5pHfeQpFiCa9bL9oMBm6sRjau9ULj4dlNqs/0A?= =?us-ascii?q?bCrGFSe+RRy2NoJFaTkAj568yt4pNt8Dletuw4+cJYXqr0Y6o3TbpDDDQ7KG?= =?us-ascii?q?81/9HktQPCTQSU+HQRVHgdnwdSDAjE6BH6WYrxsjf/u+Fg1iSWIdH6QLYpUj?= =?us-ascii?q?mk8qxlSgLniD0fOjAk8G/ZlMJ+gqFVrx2uuxNxzJXZYJ2XOfdkYq/RYckXSG?= =?us-ascii?q?hHU81MVyJBGIS8b44XAuQbJ+lYso39rEYJoxu5AgmsHv3gwSJPi3/u2K061O?= =?us-ascii?q?MhERvY0wE7BdIBrmnbrNXvO6cOS+y60K7IzTDaYv5QxDzz65DIfwg/rf2RUr?= =?us-ascii?q?98a9TdxEY1Gw/bgVics4PoMjON2ukMsmWX9fdsWOGthmI9tQ18rDaiyt0uh4?= =?us-ascii?q?THgI8e10rK+j9jwIkvIN21UE57bsCgEJtXryyVOZV7TNokTWxmpis00KELtY?= =?us-ascii?q?K5cSQQ1pso2Rvfa+eIc4SS5xLsTueRITNiiHJgebK/gw6+8UmmyuLiSsm5yE?= =?us-ascii?q?hGojdKn9XWqHwA2Abf5taIR/dn8Uqs2S6D1wXJ5eFFJUA0m7DbK5kkwrMojp?= =?us-ascii?q?oTtEPDHijsmErol6KWbFsr9fWo6+v9frXqvIOTN4hxig3mKKQhhtS/AfgkMg?= =?us-ascii?q?gJR2Wb4vqz1Lni/U3/XbVLgeY7krXZsZ/GJcQbobS1AwlO0ok58Rq/ADCm0M?= =?us-ascii?q?pL1UUAeVRIZB6KkaD3NFzUZvP1F/GyhxKrijg46erBO+jZC4jJZl3El63sNe?= =?us-ascii?q?Jl7klb0gcb191T55tITLoGJaSgCQfKqNXEA0phYESPyOH9BYAljNlMUH+TAq?= =?us-ascii?q?KfLKLZuEOJ4eRqOeSXeYsJo2+sdaoYzNnK1lQBsAdBO6Sk2IAYLnWxH/AgJk?= =?us-ascii?q?SdMjLggdYERGENuAd2DOnnk0aLXjMbYXGuF7k96Tc2BMPuDYrKSo23xr3U2i?= =?us-ascii?q?C9E84efXhIX3aLF3qgbICYQ7EUcivHOspmlSYJfaKsR48oyVelswqpg6F/IL?= =?us-ascii?q?/s8zYD/YnmyMAz4uTSkR8o8jkhF8Ga1HuAZ3t5kmMBW3k926Us6VdlxAK72L?= =?us-ascii?q?Njy+ddCcQV5/5NVVIiMoXAyuVhF93ocgfRJ5GTRVqmS8ngCjY0Qw=3D=3D?= X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0CMCgDSZi1bly0YGNZbHgEGDINGaGo?= =?us-ascii?q?SKIN5iGOLYIFjgReLX4QHhiULLIMsgRSDBSE4FAECAQEBAQEBAgETAQEBAQE?= =?us-ascii?q?GGAZYgjUignsEUjAFAiYCSSkbgwqCAAOtD4FpM4hHgQWBC4ddgVY/gQ8zgie?= =?us-ascii?q?IMIJVAoc3IZFQCZcLD4U7K5E9gViBczMaCBsVgyKCIw4JEY4iU4EQjiwBAQ?= X-IPAS-Result: =?us-ascii?q?A0CMCgDSZi1bly0YGNZbHgEGDINGaGoSKIN5iGOLYIFjg?= =?us-ascii?q?ReLX4QHhiULLIMsgRSDBSE4FAECAQEBAQEBAgETAQEBAQEGGAZYgjUignsEU?= =?us-ascii?q?jAFAiYCSSkbgwqCAAOtD4FpM4hHgQWBC4ddgVY/gQ8zgieIMIJVAoc3IZFQC?= =?us-ascii?q?ZcLD4U7K5E9gViBczMaCBsVgyKCIw4JEY4iU4EQjiwBAQ?= X-IronPort-AV: E=Sophos;i="5.51,258,1526342400"; d="scan'208";a="13132540" X-IronPort-Outbreak-Status: No, level 0, Unknown - Unknown Received: from ucol3cpa07.eemsg.mail.mil ([214.24.24.45]) by EMSM-GH1-UEA10.NCSC.MIL with ESMTP; 22 Jun 2018 21:18:24 +0000 X-EEMSG-check-005: 0 X-EEMSG-check-006: 000-001;827dfe6d-e222-429c-94d0-11a625849e0a Authentication-Results: UCOL3CPA04.eemsg.mail.mil; dkim=none (message not signed) header.i=none; spf=None smtp.pra=pmoore@redhat.com; spf=Pass smtp.mailfrom=pmoore@redhat.com; spf=Pass smtp.helo=postmaster@mx1.redhat.com X-EEMSG-check-008: 290026399|UCOL3CPA04_EEMSG_MP19.csd.disa.mil X-EEMSG-SBRS: 3.5 X-EEMSG-ORIG-IP: 66.187.233.73 X-EEMSG-check-002: true IronPort-PHdr: =?us-ascii?q?9a23=3A6UtqXBInO+YW0QrpW9mcpTZWNBhigK39O0sv0rFi?= =?us-ascii?q?tYgXL/XxwZ3uMQTl6Ol3ixeRBMOAtKIC1rGd6v2ocFdDyKjCmUhKSIZLWR4BhJ?= =?us-ascii?q?detC0bK+nBN3fGKuX3ZTcxBsVIWQwt1Xi6NU9IBJS2PAWK8TXhpQIVTxPyKQZ4?= =?us-ascii?q?OMzrFYPIyce6zea//9vUeQobqiC6ZOZKJQiy5SDWsdMbyd96L6E20BbhuHZEe+?= =?us-ascii?q?1Kg2hvIATAzF7H+s6s8cs7oGxrsPU7+psYCPSoT+EDVbVdSQ8eHSUw7czvuwPE?= =?us-ascii?q?SFLVtGERXmUfjlxDBA2XtUimDKe0iTPzs69G4AffJdf/FOpmQzmu7653DhTvjX?= =?us-ascii?q?VfbmNrwCTsksV1yZljjlehqhh4mtCGZZHMcuBzcqPUYZURQm8TB8s=3D?= X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0CwAgC8Zi1bh0npu0JbHgEGDIQuahIog?= =?us-ascii?q?3mIY41DgReLX4QHhCyBeQsTGAGDLIEUgx8GAQQwGAECAQEBAQEBAQEBEwEBAQo?= =?us-ascii?q?LCQgpL4I1IoJ7BFIwBQImAkkpG4MKggCtEoFpM4hHgQWBC4kzP4EPM4IniDCCV?= =?us-ascii?q?QKHNyGRUAmXCw+FOgErkT2BQYIKMxoIGxWDIoIjDgmOMyMwgQ4BAY4sAQE?= X-IPAS-Result: =?us-ascii?q?A0CwAgC8Zi1bh0npu0JbHgEGDIQuahIog3mIY41DgReLX4Q?= =?us-ascii?q?HhCyBeQsTGAGDLIEUgx8GAQQwGAECAQEBAQEBAQEBEwEBAQoLCQgpL4I1IoJ7B?= =?us-ascii?q?FIwBQImAkkpG4MKggCtEoFpM4hHgQWBC4kzP4EPM4IniDCCVQKHNyGRUAmXCw+?= =?us-ascii?q?FOgErkT2BQYIKMxoIGxWDIoIjDgmOMyMwgQ4BAY4sAQE?= Received: from mx3-rdu2.redhat.com (HELO mx1.redhat.com) ([66.187.233.73]) by UCOL3CPA04.eemsg.mail.mil with ESMTP; 22 Jun 2018 21:18:22 +0000 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 610A38D76C; Fri, 22 Jun 2018 21:18:21 +0000 (UTC) Received: from [172.31.98.183] (ovpn-121-125.rdu2.redhat.com [10.10.121.125]) by smtp.corp.redhat.com (Postfix) with ESMTP id F2AE22026D6C; Fri, 22 Jun 2018 21:18:20 +0000 (UTC) X-EEMSG-check-009: 444-444 From: Paul Moore To: netdev@vger.kernel.org Date: Fri, 22 Jun 2018 17:18:20 -0400 Message-ID: <152970230022.7734.15824980755229329454.stgit@chester> User-Agent: StGit/unknown-version MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.2]); Fri, 22 Jun 2018 21:18:21 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.2]); Fri, 22 Jun 2018 21:18:21 +0000 (UTC) for IP:'10.11.54.4' DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'pmoore@redhat.com' RCPT:'' Subject: [PATCH] ipv6: avoid copy_from_user() via ipv6_renew_options_kern() X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.21 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: Cc: linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP From: Paul Moore The ipv6_renew_options_kern() function eventually called into copy_from_user(), despite it not using any userspace buffers, which was problematic as that ended up calling access_ok() which emited a warning on x86 (and likely other arches as well). ipv6_renew_options_kern() ipv6_renew_options() ipv6_renew_option() copy_from_user() _copy_from_user() access_ok() The access_ok() check inside _copy_from_user() is obviously the right thing to do which means that calling copy_from_user() via ipv6_renew_options_kern() is obviously the wrong thing to do. This patch fixes this by duplicating ipv6_renew_option() in the _kern() variant, omitting the userspace copies and attributes. The patch does make an attempt at limiting the duplicated code by moving the option allocation code into a common helper function. I'm not in love with this solution, but everything else I could think of seemed worse. The ipv6_renew_options_kern() function is an required by the CALIPSO/RFC5570 code in net/ipv6/calipso.c. Signed-off-by: Paul Moore --- net/ipv6/exthdrs.c | 155 +++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 121 insertions(+), 34 deletions(-) diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c index 5bc2bf3733ab..902748acd6fe 100644 --- a/net/ipv6/exthdrs.c +++ b/net/ipv6/exthdrs.c @@ -1040,36 +1040,47 @@ static int ipv6_renew_option(void *ohdr, return 0; } +static int ipv6_renew_option_kern(void *ohdr, + struct ipv6_opt_hdr *newopt, int newoptlen, + int inherit, + struct ipv6_opt_hdr **hdr, + char **p) +{ + if (inherit) { + if (ohdr) { + memcpy(*p, ohdr, + ipv6_optlen((struct ipv6_opt_hdr *)ohdr)); + *hdr = (struct ipv6_opt_hdr *)*p; + *p += CMSG_ALIGN(ipv6_optlen(*hdr)); + } + } else if (newopt) { + memcpy(*p, newopt, newoptlen); + *hdr = (struct ipv6_opt_hdr *)*p; + if (ipv6_optlen(*hdr) > newoptlen) + return -EINVAL; + *p += CMSG_ALIGN(newoptlen); + } + return 0; +} + /** - * ipv6_renew_options - replace a specific ext hdr with a new one. + * ipv6_renew_option_alloc - helper function for allocating ipv6_txoptions * * @sk: sock from which to allocate memory * @opt: original options * @newtype: option type to replace in @opt - * @newopt: new option of type @newtype to replace (user-mem) - * @newoptlen: length of @newopt - * - * Returns a new set of options which is a copy of @opt with the - * option type @newtype replaced with @newopt. + * @newoptlen: length of the new option * - * @opt may be NULL, in which case a new set of options is returned - * containing just @newopt. - * - * @newopt may be NULL, in which case the specified option type is - * not copied into the new set of options. - * - * The new set of options is allocated from the socket option memory - * buffer of @sk. + * This really should only ever be called by ipv6_renew_option() or + * ipv6_renew_option_kern(). */ -struct ipv6_txoptions * -ipv6_renew_options(struct sock *sk, struct ipv6_txoptions *opt, - int newtype, - struct ipv6_opt_hdr __user *newopt, int newoptlen) +static struct ipv6_txoptions *ipv6_renew_option_alloc(struct sock *sk, + struct ipv6_txoptions *opt, + int newtype, + int newoptlen) { int tot_len = 0; - char *p; struct ipv6_txoptions *opt2; - int err; if (opt) { if (newtype != IPV6_HOPOPTS && opt->hopopt) @@ -1082,7 +1093,7 @@ ipv6_renew_options(struct sock *sk, struct ipv6_txoptions *opt, tot_len += CMSG_ALIGN(ipv6_optlen(opt->dst1opt)); } - if (newopt && newoptlen) + if (newoptlen) tot_len += CMSG_ALIGN(newoptlen); if (!tot_len) @@ -1096,6 +1107,44 @@ ipv6_renew_options(struct sock *sk, struct ipv6_txoptions *opt, memset(opt2, 0, tot_len); refcount_set(&opt2->refcnt, 1); opt2->tot_len = tot_len; + + return opt2; +} + +/** + * ipv6_renew_options - replace a specific ext hdr with a new one. + * + * @sk: sock from which to allocate memory + * @opt: original options + * @newtype: option type to replace in @opt + * @newopt: new option of type @newtype to replace (user-mem) + * @newoptlen: length of @newopt + * + * Returns a new set of options which is a copy of @opt with the + * option type @newtype replaced with @newopt. + * + * @opt may be NULL, in which case a new set of options is returned + * containing just @newopt. + * + * @newopt may be NULL, in which case the specified option type is + * not copied into the new set of options. + * + * The new set of options is allocated from the socket option memory + * buffer of @sk. + */ +struct ipv6_txoptions * +ipv6_renew_options(struct sock *sk, struct ipv6_txoptions *opt, + int newtype, + struct ipv6_opt_hdr __user *newopt, int newoptlen) +{ + char *p; + struct ipv6_txoptions *opt2; + int err; + + opt2 = ipv6_renew_option_alloc(sk, opt, newtype, + newopt && newoptlen ? newoptlen : 0); + if (!opt2 || IS_ERR(opt2)) + return opt2; p = (char *)(opt2 + 1); err = ipv6_renew_option(opt ? opt->hopopt : NULL, newopt, newoptlen, @@ -1142,23 +1191,61 @@ ipv6_renew_options(struct sock *sk, struct ipv6_txoptions *opt, * @newopt: new option of type @newtype to replace (kernel-mem) * @newoptlen: length of @newopt * - * See ipv6_renew_options(). The difference is that @newopt is - * kernel memory, rather than user memory. + * See ipv6_renew_options(). The difference is that @newopt is kernel memory, + * rather than user memory. */ struct ipv6_txoptions * ipv6_renew_options_kern(struct sock *sk, struct ipv6_txoptions *opt, - int newtype, struct ipv6_opt_hdr *newopt, - int newoptlen) + int newtype, + struct ipv6_opt_hdr *newopt, int newoptlen) { - struct ipv6_txoptions *ret_val; - const mm_segment_t old_fs = get_fs(); - - set_fs(KERNEL_DS); - ret_val = ipv6_renew_options(sk, opt, newtype, - (struct ipv6_opt_hdr __user *)newopt, - newoptlen); - set_fs(old_fs); - return ret_val; + char *p; + struct ipv6_txoptions *opt2; + int err; + + opt2 = ipv6_renew_option_alloc(sk, opt, newtype, + newopt && newoptlen ? newoptlen : 0); + if (!opt2 || IS_ERR(opt2)) + return opt2; + p = (char *)(opt2 + 1); + + err = ipv6_renew_option_kern(opt ? opt->hopopt : NULL, + newopt, newoptlen, + newtype != IPV6_HOPOPTS, + &opt2->hopopt, &p); + if (err) + goto out; + + err = ipv6_renew_option_kern(opt ? opt->dst0opt : NULL, + newopt, newoptlen, + newtype != IPV6_RTHDRDSTOPTS, + &opt2->dst0opt, &p); + if (err) + goto out; + + err = ipv6_renew_option_kern(opt ? opt->srcrt : NULL, + newopt, newoptlen, + newtype != IPV6_RTHDR, + (struct ipv6_opt_hdr **)&opt2->srcrt, &p); + if (err) + goto out; + + err = ipv6_renew_option_kern(opt ? opt->dst1opt : NULL, + newopt, newoptlen, + newtype != IPV6_DSTOPTS, + &opt2->dst1opt, &p); + if (err) + goto out; + + opt2->opt_nflen = (opt2->hopopt ? ipv6_optlen(opt2->hopopt) : 0) + + (opt2->dst0opt ? ipv6_optlen(opt2->dst0opt) : 0) + + (opt2->srcrt ? ipv6_optlen(opt2->srcrt) : 0); + opt2->opt_flen = (opt2->dst1opt ? ipv6_optlen(opt2->dst1opt) : 0); + + return opt2; +out: + sock_kfree_s(sk, opt2, opt2->tot_len); + return ERR_PTR(err); } struct ipv6_txoptions *ipv6_fixup_options(struct ipv6_txoptions *opt_space,