From patchwork Mon Dec 5 16:14:03 2016
X-Patchwork-Submitter: Richard Haines
X-Patchwork-Id: 9461125
From: Richard Haines To: selinux@tycho.nsa.gov Subject: [RFC PATCH 1/1] selinux-testsuite: Add IPv6 client/server support plus tests Date: Mon, 5 Dec 2016 16:14:03 +0000 Message-Id: <20161205161403.9253-1-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.9.3 X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: MIME-Version: 1.0 Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP Split the Netlabel tests into two, one for full labeling and the other for plain CIPSO4. Added comments to tests where required to explain pass/fail as there is no support for retrieving UDP peer labels on IPv6 stack. Signed-off-by: Richard Haines --- README | 1 + .../inet_socket/{netlabel-flush => cipso-fl-flush} | 0 tests/inet_socket/{netlabel-load => cipso-fl-load} | 2 +- tests/inet_socket/cipso-flush | 5 + tests/inet_socket/cipso-load | 11 ++ tests/inet_socket/client.c | 91 +++++++------- tests/inet_socket/ipsec-load | 6 + tests/inet_socket/iptables-flush | 2 + tests/inet_socket/iptables-load | 20 +++ tests/inet_socket/server.c | 67 +++++----- tests/inet_socket/test | 140 ++++++++++++++++++--- 11 files changed, 251 insertions(+), 94 deletions(-) rename tests/inet_socket/{netlabel-flush => cipso-fl-flush} (100%) rename tests/inet_socket/{netlabel-load => cipso-fl-load} (89%) create mode 100755 tests/inet_socket/cipso-flush create mode 100755 tests/inet_socket/cipso-load diff --git a/README b/README index 69b4839..8dbbbda 100644 --- a/README +++ b/README @@ -16,6 +16,7 @@ test SELinux: CONFIG_AUDIT=y CONFIG_NET=y CONFIG_INET=y +CONFIG_IPV6=y CONFIG_SECURITY=y CONFIG_SECURITY_NETWORK=y CONFIG_SECURITY_NETWORK_XFRM=y diff --git a/tests/inet_socket/netlabel-flush b/tests/inet_socket/cipso-fl-flush similarity index 100% rename from tests/inet_socket/netlabel-flush rename to tests/inet_socket/cipso-fl-flush 
diff --git a/tests/inet_socket/netlabel-load b/tests/inet_socket/cipso-fl-load similarity index 89% rename from tests/inet_socket/netlabel-load rename to tests/inet_socket/cipso-fl-load index 35898d3..3fbc928 100755 --- a/tests/inet_socket/netlabel-load +++ b/tests/inet_socket/cipso-fl-load @@ -7,7 +7,7 @@ # CIPSOv4 only supports passing MLS labels across the network). # Define a localhost/loopback doi and apply it to the loopback address -# so that we get full SELinux labels over loopback connections. +# so that we get full SELinux labels over IPv4 loopback connections. netlabelctl cipsov4 add local doi:1 netlabelctl map del default netlabelctl map add default address:0.0.0.0/0 protocol:unlbl diff --git a/tests/inet_socket/cipso-flush b/tests/inet_socket/cipso-flush new file mode 100755 index 0000000..2ac8523 --- /dev/null +++ b/tests/inet_socket/cipso-flush @@ -0,0 +1,5 @@ +#!/bin/sh +# Reset NetLabel configuration to unlabeled for all. +netlabelctl map del default +netlabelctl cipsov4 del doi:16 +netlabelctl map add default protocol:unlbl diff --git a/tests/inet_socket/cipso-load b/tests/inet_socket/cipso-load new file mode 100755 index 0000000..662747d --- /dev/null +++ b/tests/inet_socket/cipso-load @@ -0,0 +1,11 @@ +#!/bin/sh +# Based on http://paulmoore.livejournal.com/7234.html. +# +# Modifications: +# - Defined a doi for testing loopback for CIPSOv4. + +netlabelctl cipsov4 add pass doi:16 tags:5 +netlabelctl map del default +netlabelctl map add default address:0.0.0.0/0 protocol:unlbl +netlabelctl map add default address:::/0 protocol:unlbl +netlabelctl map add default address:127.0.0.1 protocol:cipsov4,16 diff --git a/tests/inet_socket/client.c b/tests/inet_socket/client.c index cf274cf..f104b0d 100644 --- a/tests/inet_socket/client.c +++ b/tests/inet_socket/client.c @@ -2,6 +2,7 @@ #include #include #include +#include #include #include #include 
@@ -18,51 +19,62 @@ void usage(char *progname) { fprintf(stderr, - "usage: %s [-n] [stream|dgram] port\n", - progname); + "usage: %s [-e expected_msg] [stream|dgram] addr port\n" + "\nWhere:\n\t" + "-e Optional expected message from server e.g. \"nopeer\".\n\t" + " If not present the client context will be used as a\n\t" + " comparison with the servers the reply.\n\t" + "stream Use TCP protocol or:\n\t" + "dgram use UDP protocol.\n\t" + "addr IPv4 or IPv6 address (e.g. 127.0.0.1 or ::1)\n\t" + "port Port for accessing server.\n", progname); exit(1); } -int -main(int argc, char **argv) +int main(int argc, char **argv) { - char byte, label[256]; - int sock; - int result; - struct sockaddr_in sin; - socklen_t sinlen; - int type; - char *mycon; + char byte, label[256], *expected = NULL; + int sock, result, opt; + struct addrinfo hints, *serverinfo; unsigned short port; struct timeval tm; - int opt; - bool nopeer = false; - while ((opt = getopt(argc, argv, "n")) != -1) { + while ((opt = getopt(argc, argv, "e:")) != -1) { switch (opt) { - case 'n': - nopeer = true; + case 'e': + expected = optarg; break; default: usage(argv[0]); } } - if ((argc - optind) != 2) + if ((argc - optind) != 3) usage(argv[0]); - if (!strcmp(argv[optind], "stream")) - type = SOCK_STREAM; - else if (!strcmp(argv[optind], "dgram")) - type = SOCK_DGRAM; - else + memset(&hints, 0, sizeof(struct addrinfo)); + + if (!strcmp(argv[optind], "stream")) { + hints.ai_socktype = SOCK_STREAM; + hints.ai_protocol = IPPROTO_TCP; + } else if (!strcmp(argv[optind], "dgram")) { + hints.ai_socktype = SOCK_DGRAM; + hints.ai_protocol = IPPROTO_UDP; + } else { usage(argv[0]); + } - port = atoi(argv[optind + 1]); + port = atoi(argv[optind + 2]); if (!port) usage(argv[0]); - sock = socket(AF_INET, type, 0); + result = getaddrinfo(argv[optind + 1], argv[optind + 2], &hints, &serverinfo); + if (result < 0) { + fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(result)); + exit(1); + } + + sock = 
socket(serverinfo->ai_family, serverinfo->ai_socktype, serverinfo->ai_protocol); if (sock < 0) { perror("socket"); exit(1); @@ -70,23 +82,13 @@ main(int argc, char **argv) tm.tv_sec = 5; tm.tv_usec = 0; - result = setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, &tm, sizeof tm); + result = setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, &tm, sizeof(tm)); if (result < 0) { perror("setsockopt: SO_SNDTIMEO"); exit(1); } - bzero(&sin, sizeof(struct sockaddr_in)); - sin.sin_family = AF_INET; - sin.sin_port = htons(port); - if (inet_aton("127.0.0.1", &sin.sin_addr) == 0) { - fprintf(stderr, "%s: inet_ntoa: invalid address\n", argv[0]); - close(sock); - exit(1); - } - - sinlen = sizeof(sin); - result = connect(sock, (struct sockaddr *) &sin, sinlen); + result = connect(sock, serverinfo->ai_addr, serverinfo->ai_addrlen); if (result < 0) { perror("connect"); close(sock); @@ -101,7 +103,7 @@ main(int argc, char **argv) exit(1); } - if (type == SOCK_DGRAM) { + if (hints.ai_socktype == SOCK_DGRAM) { struct pollfd fds; fds.fd = sock; @@ -125,15 +127,8 @@ main(int argc, char **argv) } label[result] = 0; - if (nopeer) { - mycon = strdup("nopeer"); - if (!mycon) { - perror("strdup"); - close(sock); - exit(1); - } - } else { - result = getcon(&mycon); + if (!expected) { + result = getcon(&expected); if (result < 0) { perror("getcon"); close(sock); @@ -141,9 +136,9 @@ main(int argc, char **argv) } } - if (strcmp(mycon, label)) { + if (strcmp(expected, label)) { fprintf(stderr, "%s: expected %s, got %s\n", - argv[0], mycon, label); + argv[0], expected, label); exit(1); } diff --git a/tests/inet_socket/ipsec-load b/tests/inet_socket/ipsec-load index c72d4b9..21e2dfe 100755 --- a/tests/inet_socket/ipsec-load +++ b/tests/inet_socket/ipsec-load 
@@ -9,3 +9,9 @@ ip xfrm state add src 127.0.0.1 dst 127.0.0.1 proto ah spi 0x200 ctx $goodclient ip xfrm state add src 127.0.0.1 dst 127.0.0.1 proto ah spi 0x250 ctx $badclientcon auth sha1 0123456789012345 ip xfrm policy add src 127.0.0.1 dst 127.0.0.1 proto tcp dir out ctx "system_u:object_r:test_spd_t:s0" tmpl proto ah mode transport level required ip xfrm policy add src 127.0.0.1 dst 127.0.0.1 proto udp dir out ctx "system_u:object_r:test_spd_t:s0" tmpl proto ah mode transport level required + +# IPv6 loopback +ip xfrm state add src ::1 dst ::1 proto ah spi 0x200 ctx $goodclientcon auth sha1 0123456789012345 +ip xfrm state add src ::1 dst ::1 proto ah spi 0x250 ctx $badclientcon auth sha1 0123456789012345 +ip xfrm policy add src ::1 dst ::1 proto tcp dir out ctx "system_u:object_r:test_spd_t:s0" tmpl proto ah mode transport level required +ip xfrm policy add src ::1 dst ::1 proto udp dir out ctx "system_u:object_r:test_spd_t:s0" tmpl proto ah mode transport level required diff --git a/tests/inet_socket/iptables-flush b/tests/inet_socket/iptables-flush index 8371648..c168d89 100755 --- a/tests/inet_socket/iptables-flush +++ b/tests/inet_socket/iptables-flush @@ -2,3 +2,5 @@ # Flush the security table. iptables -t security -F iptables -t security -X NEWCONN +ip6tables -t security -F +ip6tables -t security -X NEWCONN diff --git a/tests/inet_socket/iptables-load b/tests/inet_socket/iptables-load index c55e427..5be94f4 100755 --- a/tests/inet_socket/iptables-load +++ b/tests/inet_socket/iptables-load 
@@ -27,3 +27,23 @@ iptables -t security -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMA # Label UDP packets similarly. iptables -t security -A INPUT -i lo -p udp --dport 65535 -j SECMARK --selctx system_u:object_r:test_server_packet_t:s0 iptables -t security -A OUTPUT -o lo -p udp --sport 65535 -j SECMARK --selctx system_u:object_r:test_server_packet_t:s0 + +##### IPv6 entries +ip6tables -t security -F + +# Create a chain for new connection marking. +ip6tables -t security -N NEWCONN + +# Accept incoming connections, label SYN packets, and copy labels to connections. +ip6tables -t security -A INPUT -i lo -p tcp --dport 65535 -m state --state NEW -j NEWCONN +ip6tables -t security -A NEWCONN -j SECMARK --selctx system_u:object_r:test_server_packet_t:s0 +ip6tables -t security -A NEWCONN -j CONNSECMARK --save +ip6tables -t security -A NEWCONN -j ACCEPT + +# Common rules which copy connection labels to established and related packets. +ip6tables -t security -A INPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore +ip6tables -t security -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore + +# Label UDP packets similarly. +ip6tables -t security -A INPUT -i lo -p udp --dport 65535 -j SECMARK --selctx system_u:object_r:test_server_packet_t:s0 +ip6tables -t security -A OUTPUT -o lo -p udp --sport 65535 -j SECMARK --selctx system_u:object_r:test_server_packet_t:s0 diff --git a/tests/inet_socket/server.c b/tests/inet_socket/server.c index a53e346..09ddfb3 100644 --- a/tests/inet_socket/server.c +++ b/tests/inet_socket/server.c @@ -1,6 +1,8 @@ #include #include #include +#include +#include #include #include #include 
@@ -18,23 +20,26 @@ void usage(char *progname) { - fprintf(stderr, "usage: %s [-n] [stream|dgram] port\n", progname); + fprintf(stderr, + "usage: %s [-n] [stream|dgram] port\n" + "\nWhere:\n\t" + "-n No peer context will be available therefore send\n\t" + " \"nopeer\" to client, otherwise the peer context\n\t" + " will be retrieved and sent to client.\n\t" + "stream Use TCP protocol or:\n\t" + "dgram use UDP protocol.\n\t" + "port Listening port\n", progname); exit(1); } -static const int on = 1; - -int -main(int argc, char **argv) +int main(int argc, char **argv) { - int sock; - int result; - struct sockaddr_in sin; + int sock, result, opt, on = 1; socklen_t sinlen; - int type; + struct sockaddr_storage sin; + struct addrinfo hints, *res; char byte; unsigned short port; - int opt; bool nopeer = false; while ((opt = getopt(argc, argv, "n")) != -1) { @@ -50,23 +55,35 @@ main(int argc, char **argv) if ((argc - optind) != 2) usage(argv[0]); - if (!strcmp(argv[optind], "stream")) - type = SOCK_STREAM; - else if (!strcmp(argv[optind], "dgram")) - type = SOCK_DGRAM; - else + memset(&hints, 0, sizeof(struct addrinfo)); + hints.ai_flags = AI_PASSIVE; + hints.ai_family = AF_INET6; + + if (!strcmp(argv[optind], "stream")) { + hints.ai_socktype = SOCK_STREAM; + hints.ai_protocol = IPPROTO_TCP; + } else if (!strcmp(argv[optind], "dgram")) { + hints.ai_socktype = SOCK_DGRAM; + hints.ai_protocol = IPPROTO_UDP; + } else { usage(argv[0]); + } port = atoi(argv[optind + 1]); if (!port) usage(argv[0]); - sock = socket(AF_INET, type, 0); + result = getaddrinfo(NULL, argv[optind + 1], &hints, &res); + if (result < 0) { + printf("getaddrinfo: %s\n", gai_strerror(result)); + exit(1); + } + + sock = socket(res->ai_family, res->ai_socktype, res->ai_protocol); if (sock < 0) { perror("socket"); exit(1); } - result = setsockopt(sock, SOL_IP, IP_PASSSEC, &on, sizeof(on)); if (result < 0) { perror("setsockopt: SO_PASSSEC"); 
@@ -76,23 +93,18 @@ main(int argc, char **argv) result = setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)); if (result < 0) { - perror("setsockopt: SO_PASSSEC"); + perror("setsockopt: SO_REUSEADDR"); close(sock); exit(1); } - bzero(&sin, sizeof(struct sockaddr_in)); - sin.sin_family = AF_INET; - sin.sin_port = htons(port); - sin.sin_addr.s_addr = INADDR_ANY; - sinlen = sizeof(sin); - if (bind(sock, (struct sockaddr *) &sin, sinlen) < 0) { + if (bind(sock, res->ai_addr, res->ai_addrlen) < 0) { perror("bind"); close(sock); exit(1); } - if (type == SOCK_STREAM) { + if (hints.ai_socktype == SOCK_STREAM) { if (listen(sock, SOMAXCONN)) { perror("listen"); close(sock); @@ -105,8 +117,7 @@ main(int argc, char **argv) socklen_t labellen = sizeof(peerlabel); sinlen = sizeof(sin); - newsock = accept(sock, (struct sockaddr *)&sin, - &sinlen); + newsock = accept(sock, (struct sockaddr *)&sin, &sinlen); if (newsock < 0) { perror("accept"); close(sock); @@ -123,6 +134,7 @@ main(int argc, char **argv) perror("getsockopt: SO_PEERSEC"); exit(1); } + printf("%s: Got peer label=%s\n", argv[0], peerlabel); } @@ -183,7 +195,6 @@ main(int argc, char **argv) } } } - result = sendto(sock, msglabel, strlen(msglabel), 0, msg.msg_name, msg.msg_namelen); if (result < 0) { diff --git a/tests/inet_socket/test b/tests/inet_socket/test index e97151e..8d20eb6 100755 --- a/tests/inet_socket/test +++ b/tests/inet_socket/test @@ -6,14 +6,14 @@ BEGIN { if (system("ip xfrm policy help 2>&1 | grep -q ctx") != 0) { plan skip_all => "ctx not supported in ip xfrm policy"; } else { - plan tests => 20; + plan tests => 35; } } $basedir = $0; $basedir =~ s|(.*)/[^/]*|$1|; -# Load NetLabel configuration. -system "$basedir/netlabel-load"; +# Load NetLabel configuration for full CIPSO4 labeling over loopback. +system "$basedir/cipso-fl-load"; # Start the stream server. if (($pid = fork()) == 0) { 
@@ -23,11 +23,11 @@ if (($pid = fork()) == 0) { sleep 1; # Give it a moment to initialize. # Verify that authorized client can communicate with the server. -$result = system "runcon -t test_inet_client_t $basedir/client stream 65535"; +$result = system "runcon -t test_inet_client_t $basedir/client stream 127.0.0.1 65535"; ok($result eq 0); # Verify that unauthorized client cannot communicate with the server. -$result = system "runcon -t test_inet_bad_client_t -- $basedir/client stream 65535 2>&1"; +$result = system "runcon -t test_inet_bad_client_t -- $basedir/client stream 127.0.0.1 65535 2>&1"; ok($result); # Kill the server. 
@@ -41,18 +41,75 @@ if (($pid = fork()) == 0) { sleep 1; # Give it a moment to initialize # Verify that authorized client can communicate with the server. -$result = system "runcon -t test_inet_client_t $basedir/client dgram 65535"; +$result = system "runcon -t test_inet_client_t $basedir/client dgram 127.0.0.1 65535"; ok($result eq 0); # Verify that unauthorized client cannot communicate with the server. -$result = system "runcon -t test_inet_bad_client_t -- $basedir/client dgram 65535 2>&1"; +$result = system "runcon -t test_inet_bad_client_t -- $basedir/client dgram 127.0.0.1 65535 2>&1"; ok($result); # Kill the server. kill TERM, $pid; # Flush NetLabel configuration. -system "$basedir/netlabel-flush"; +system "$basedir/cipso-fl-flush"; + +# Load NetLabel configuration for CIPSO4 over loopback. +system "$basedir/cipso-load"; + +# Start the stream server with a defined level. +if (($pid = fork()) == 0) { + exec "runcon -t test_inet_server_t -l s0:c0.c10 $basedir/server stream 65535"; +} + +sleep 1; # Give it a moment to initialize. + +# Verify that authorized client can communicate with the server using level. +$result = system "runcon -t test_inet_client_t -l s0:c0.c10 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c10 stream 127.0.0.1 65535"; +ok($result eq 0); + +# Verify that authorized client can communicate with the server using level. +$result = system "runcon -t test_inet_client_t -l s0:c8.c10 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c8.c10 stream 127.0.0.1 65535"; +ok($result eq 0); + +# Verify that authorized client cannot communicate with the server using different level. +$result = system "runcon -t test_inet_client_t -l s0:c8.c12 $basedir/client stream 127.0.0.1 65535 2>&1"; +ok($result); + +# Kill the server. +kill TERM, $pid; + +# Start the dgram server with a defined level. 
+if (($pid = fork()) == 0) { + exec "runcon -t test_inet_server_t -l s0:c20.c50 $basedir/server dgram 65535"; +} + +sleep 1; # Give it a moment to initialize. + +# Verify that authorized client can communicate with the server using same levels. +$result = system "runcon -t test_inet_client_t -l s0:c20.c50 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c20.c50 dgram 127.0.0.1 65535"; +ok($result eq 0); + +# This looks like it should pass as the client levels are dominated by the server, however +# because this is UDP, the server uses the same socket for sending (whereas the TCP version +# uses a new socket that inherits the clients MLS levels). This test fails as there is an +# MLS constraint in the Fedora "targeted" policy: +# mlsconstrain peer recv l1 dom l2 or ( t1 != mcs_constrained_type ) and ( t2 != mcs_constrained_type ) +# This causes the following denial as l1 = s0:c21.c49 and l2 = s0:c20.c50, giving the +# following AVC entry: +# avc: denied { recv } for pid=8298 comm="server" saddr=127.0.0.1 src=65535 daddr=127.0.0.1 dest=50511 netif=lo scontext=unconfined_u:unconfined_r:test_inet_client_t:s0:c21.c49 tcontext=system_u:object_r:netlabel_peer_t:s0:c20.c50 tclass=peer permissive=0 +$result = system "runcon -t test_inet_client_t -l s0:c21.c49 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c21.c49 dgram 127.0.0.1 65535 2>&1"; +ok($result); + +# Verify that authorized client cannot communicate with the server using levels dominating the server. +$result = system "runcon -t test_inet_client_t -l s0:c40.c51 $basedir/client dgram 127.0.0.1 65535 2>&1"; +ok($result); + +# Kill the server. +kill TERM, $pid; + +# Flush NetLabel configuration. +system "$basedir/cipso-flush"; # Verify that authorized domain can bind UDP sockets. $result = system "runcon -t test_inet_bind_t -- $basedir/bind dgram 65535 2>&1"; 
@@ -97,11 +154,19 @@ if (($pid = fork()) == 0) { sleep 1; # Give it a moment to initialize. # Verify that authorized client can communicate with the server. -$result = system "runcon -t test_inet_client_t $basedir/client stream 65535"; +$result = system "runcon -t test_inet_client_t $basedir/client stream 127.0.0.1 65535"; ok($result eq 0); # Verify that unauthorized client cannot communicate with the server. -$result = system "runcon -t test_inet_bad_client_t -- $basedir/client stream 65535 2>&1"; +$result = system "runcon -t test_inet_bad_client_t -- $basedir/client stream 127.0.0.1 65535 2>&1"; +ok($result); + +# Verify that authorized client can communicate with the server. +$result = system "runcon -t test_inet_client_t $basedir/client stream ::1 65535"; +ok($result eq 0); + +# Verify that unauthorized client cannot communicate with the server. +$result = system "runcon -t test_inet_bad_client_t -- $basedir/client stream ::1 65535 2>&1"; ok($result); # Kill the server. 
@@ -115,20 +180,45 @@ if (($pid = fork()) == 0) { sleep 1; # Give it a moment to initialize # Verify that authorized client can communicate with the server. -$result = system "runcon -t test_inet_client_t $basedir/client dgram 65535"; +$result = system "runcon -t test_inet_client_t $basedir/client dgram 127.0.0.1 65535"; ok($result eq 0); # Verify that unauthorized client cannot communicate with the server. -$result = system "runcon -t test_inet_bad_client_t -- $basedir/client dgram 65535 2>&1"; +$result = system "runcon -t test_inet_bad_client_t -- $basedir/client dgram 127.0.0.1 65535 2>&1"; +ok($result); + +# This would be expected to pass, however the kernel IPv6 stack does not currently +# support retrieving peer labels for UDP using cmsg_level SOL_IP/cmsg_type SCM_SECURITY. +# Therefore nothing is sent back to the client. +### See the test below where the server does not request peer context #### +$result = system "runcon -t test_inet_client_t $basedir/client dgram ::1 65535 2>&1"; +ok($result); + +# Verify that unauthorized client cannot communicate with the server. +$result = system "runcon -t test_inet_bad_client_t -- $basedir/client dgram ::1 65535 2>&1"; ok($result); # Kill the server. kill TERM, $pid; +# Start the dgram server for IPSEC test using IPv6 but do not request peer context. +if (($pid = fork()) == 0) { + exec "runcon -t test_inet_server_t $basedir/server -n dgram 65535"; +} + +sleep 1; # Give it a moment to initialize + +# This test now passes. +$result = system "runcon -t test_inet_client_t $basedir/client -e nopeer dgram ::1 65535"; +ok($result eq 0); + +# Kill the server. +kill TERM, $pid; + # Flush IPSEC configuration. system "$basedir/ipsec-flush"; -# Load iptables configuration. +# Load iptables (IPv4 & IPv6) configuration. system "$basedir/iptables-load"; # Start the stream server. 
@@ -139,11 +229,19 @@ if (($pid = fork()) == 0) { sleep 1; # Give it a moment to initialize. # Verify that authorized client can communicate with the server. -$result = system "runcon -t test_inet_client_t -- $basedir/client -n stream 65535"; +$result = system "runcon -t test_inet_client_t -- $basedir/client -e nopeer stream 127.0.0.1 65535"; +ok($result eq 0); + +# Verify that unauthorized client cannot communicate with the server. +$result = system "runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer stream 127.0.0.1 65535 2>&1"; +ok($result); + +# Verify that authorized client can communicate with the server. +$result = system "runcon -t test_inet_client_t -- $basedir/client -e nopeer stream ::1 65535"; ok($result eq 0); # Verify that unauthorized client cannot communicate with the server. -$result = system "runcon -t test_inet_bad_client_t -- $basedir/client -n stream 65535 2>&1"; +$result = system "runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer stream ::1 65535 2>&1"; ok($result); # Kill the server. 
@@ -157,11 +255,19 @@ if (($pid = fork()) == 0) { sleep 1; # Give it a moment to initialize # Verify that authorized client can communicate with the server. -$result = system "runcon -t test_inet_client_t $basedir/client -n dgram 65535"; +$result = system "runcon -t test_inet_client_t $basedir/client -e nopeer dgram 127.0.0.1 65535"; +ok($result eq 0); + +# Verify that unauthorized client cannot communicate with the server. +$result = system "runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer dgram 127.0.0.1 65535 2>&1"; +ok($result); + +# Verify that authorized client can communicate with the server. +$result = system "runcon -t test_inet_client_t $basedir/client -e nopeer dgram ::1 65535"; ok($result eq 0); # Verify that unauthorized client cannot communicate with the server. -$result = system "runcon -t test_inet_bad_client_t -- $basedir/client -n dgram 65535 2>&1"; +$result = system "runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer dgram ::1 65535 2>&1"; ok($result); # Kill the server.
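Review bot: In the server.c hunk at @@ -76,23 +93,18, bind() is called on res->ai_addr, the head of the getaddrinfo() list only, while the test script later drives the same server on port 65535 with both 127.0.0.1 and ::1. Which address family that first entry has depends on the hints, which are not in the lines shown here, so a short comment beside the bind() stating the expected family and how IPv4 clients reach it would make that dependency explicit. The perror() string change from SO_PASSSEC to SO_REUSEADDR in the same hunk is a correct fix.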
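Review bot: In the server.c hunk at @@ -105,8 +117,7, accept() still writes the peer address into sin with sinlen = sizeof(sin), and the lines removed in the previous hunk (bzero(&sin, sizeof(struct sockaddr_in)), sin.sin_family = AF_INET) show sin was a struct sockaddr_in. If its declaration has not been changed elsewhere in the patch, a client connecting over ::1 yields a truncated address here. Suggest declaring the buffer as struct sockaddr_storage so the same accept() call is correct for both families.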
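Review bot: In the tests/inet_socket/test hunk at @@ -41,18 +41,75, the dgram case run at s0:c21.c49 is asserted with ok($result) because of an mlsconstrain rule that the comment attributes to the Fedora "targeted" policy, so the expected outcome is tied to that one policy. On a policy without that constraint the client would succeed and the test would fail for a reason unrelated to the code under test; suggest guarding this case on the policy in use or at least saying in the comment that the expectation is policy-specific. In the same hunk the two stream cases at s0:c0.c10 and s0:c8.c10 carry the identical comment "Verify that authorized client can communicate with the server using level."; the second should say that it checks a level dominated by the server's.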
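Review bot: In the hunk at @@ -97,11 +154,19, the added ::1 cases reuse the comments "Verify that authorized client can communicate with the server." and "Verify that unauthorized client cannot communicate with the server." word for word from the 127.0.0.1 cases, so a failure reported by test number cannot be mapped to an address family without counting ok() calls. Suggest naming the family in each comment, or passing a description as the second argument to ok() if this script uses Test::More as the plan calls suggest. The same applies to the IPv4/IPv6 pairs added in the later iptables hunks.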
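Review bot: In the hunk at @@ -115,20 +180,45, the "client dgram ::1 65535" case for test_inet_client_t is asserted with ok($result) even though its comment says it "would be expected to pass", which records a kernel limitation as the expected result. Once the IPv6 stack can return peer labels for UDP this assertion will start failing, and until then it passes on any non-zero exit, including a server that did not come up within the sleep 1. Suggest marking it as a TODO or skipped test, or checking the specific client exit code that corresponds to the missing label. The comment before the follow-up case, "This test now passes.", should state what is being verified (communication over IPv6 UDP when the server is started with -n and does not request the peer context).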
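Review bot: In the hunk at @@ -139,11 +229,19 (and again at @@ -157,11 +255,19), the client's -n switch is replaced by "-e nopeer", while in the NetLabel hunk -e takes a full context such as system_u:object_r:netlabel_peer_t:s0:c0.c10 and the server keeps a separate -n for not requesting the peer context. Overloading -e with a magic string makes the invocations harder to read and leaves client and server with different spellings for the same idea; suggest either keeping a dedicated client flag or documenting the nopeer value in the client's usage text and in a comment at its first use here.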