From patchwork Wed Feb 22 17:03:30 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Richard Haines <richard_c_haines@btinternet.com>
X-Patchwork-Id: 9587189
Return-Path: <selinux-bounces@tycho.nsa.gov>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	D8B04602A7 for <patchwork-selinux@patchwork.kernel.org>;
	Wed, 22 Feb 2017 17:06:37 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C30342846A
	for <patchwork-selinux@patchwork.kernel.org>;
	Wed, 22 Feb 2017 17:06:37 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id B7B55284FF; Wed, 22 Feb 2017 17:06:37 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.8 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_NONE,T_DKIM_INVALID autolearn=no version=3.3.1
Received: from emsm-gh1-uea10.nsa.gov (smtp.nsa.gov [8.44.101.8])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 09C912846A
	for <patchwork-selinux@patchwork.kernel.org>;
	Wed, 22 Feb 2017 17:06:35 +0000 (UTC)
X-IronPort-AV: E=Sophos;i="5.35,195,1484006400"; d="scan'208";a="4129218"
IronPort-PHdr: =?us-ascii?q?9a23=3ADQq0JR/y/4xVbP9uRHKM819IXTAuvvDOBiVQ1KB5?=
	=?us-ascii?q?1+oQIJqq85mqBkHD//Il1AaPBtSGrasawLuL+4nbGkU4qa6bt34DdJEeHzQksu?=
	=?us-ascii?q?4x2zIaPcieFEfgJ+TrZSFpVO5LVVti4m3peRMNQJW2aFLduGC94iAPERvjKwV1?=
	=?us-ascii?q?Ov71GonPhMiryuy+4ZPebgFIiTanfL9/LRq6oAHRu8ILnYZsN6E9xwfTrHBVYe?=
	=?us-ascii?q?pW32RoJVySnxb4+Mi9+YNo/jpTtfw86cNOSL32cKskQ7NWCjQmKH0169bwtRbf?=
	=?us-ascii?q?VwuP52ATXXsQnxFVHgXK9hD6XpP2sivnqupw3TSRMMPqQbwoXzmp8qlkSAXsiC?=
	=?us-ascii?q?waKTA39m/ZgdF0gK5CvR6tuxlzzojJa4+XKfV+ZLvQc9MES2RcUMhfVCtPApu+?=
	=?us-ascii?q?YocSAecOMvpXoYbjqFsVtha+GQuhCfnzxjJSmnP6w6s32PkhHwHc2wwgGsoDvm?=
	=?us-ascii?q?jVrNrpNKcdS/q1w7TVxjvBdfxW2DH955bTchs8pvyMR7NwftbRyUY1DQPKk02f?=
	=?us-ascii?q?ppD9MDOVzOsNsm6b4PR7Ve+0kGEntwBxoj6zxsgykInJgJwaykze+Splx4Y1IM?=
	=?us-ascii?q?S1RUhmatCqF5tQsjuVN4pwQs46W2Fnojo1yr4Ytp6nZiQKzoooxwLZZveacIaI?=
	=?us-ascii?q?+gruWPueLDp3nn5oeK+ziwys/UWv1OHwTNS43E5JoydEiNXAq38A2h3J5sWGSP?=
	=?us-ascii?q?Zx5Eas1DWJ2gvO8O9LO1o0mrDeK5M5x74wkYccvlrbEy/tnUX2kLeWdkI5+ui0?=
	=?us-ascii?q?8+jnYqvpppubN4JslgHxKL4ums2iAeQjKAQOQ2ia9vi81L3k50H5RqlFjuYqna?=
	=?us-ascii?q?XDtZDaJMAbqra4Aw9TzIkj9w6yAyqp3dkXh3UKLE9JdAiZg4XmJV3COu30Ae+6?=
	=?us-ascii?q?g1u2kTdrw/7GPqfmApXINnXDi6nufbJ8605a1QoywslT6IlTCrEcJvL8RlH+tM?=
	=?us-ascii?q?fDAx8lMw273+bnCNJn2oMYQmKAGLWVMKzVsV+W/u4vOfWDZJcJuDbhLPgo//zu?=
	=?us-ascii?q?jXg/mVAHYamp3YEYaHajE/RkJEWZZ3/sjc0aEWcWoAU+VvfqhEeFUT5JaHa4R7?=
	=?us-ascii?q?g86S0jCIK6EYfDQZiggL6D3CihApJWZXtGCleKEXfpaYWJQPkMaCaPIs5uiTME?=
	=?us-ascii?q?SL6hS5M81R20sw/60bVnJPLO+iIErZLjyMR15+rLmBA89Dx0C8Gd3H+XT2xvkG?=
	=?us-ascii?q?MHWSI53KdloUNn0leDy694g/5GGtNP+/NFSAA6NYTTz+ZiEdD9RhrBfsuVSFah?=
	=?us-ascii?q?WtipHC0+Ttc2w98If0ZxBs6vjg7d0CqwAr8UlruLBJou/qLawXfxO953y2za26?=
	=?us-ascii?q?k5k1kmXsxPOHW7ia5j7QfTHZXEnFmel6avaasTxjXN9HuZwWqIok5YTBZ6Ub/Z?=
	=?us-ascii?q?UnAHekvWsdP561vCTr6vDrQnNBBMycuGKqdTa93pi09KRPH5N9TEYGKxmnmwCg?=
	=?us-ascii?q?iSyrOKcoXqZ30X3D/BB0gcjwAT4XGGOBAlCSi6pG7eCD1uFUnzY0P36+V+s220?=
	=?us-ascii?q?QVMuwwGRcUJh07u1+hgIhf2TUP4cwrIFuD08qzVvBlq80cjZC8abpwpmeqVQe9?=
	=?us-ascii?q?Q94E1I1WjBrQxyIoSgL7x+hl4Zawl4oVvu2A9tCoVBisgnt2sqwxBoKaKZy1NB?=
	=?us-ascii?q?bzeY0orsNbLJMGXy+wqva6HO0FHEzNmW4rsP6Og/q1j7sgGpDFAt83N73NlUyH?=
	=?us-ascii?q?uR/ZDKDBITUZ7oSUY2+QN6q6vdYikn6IPezWdsPrWssj/ex9IpA/MoyhW6cNdc?=
	=?us-ascii?q?N6OECRT/E84ACMitL+wqhkKlbhUePOBd7KQ0Jd+pd+Oa2K63O+ZthCipgnld4I?=
	=?us-ascii?q?B8zE2M7TFxRfTU0JYA2f2Y2RGHVzjkhle7rs/3gZxEZS0VHmenySjrGopRZql1?=
	=?us-ascii?q?fYsQDWeuPtG3xtJ7h5H3QXJY80SjB1we0s+zZRWSd0D93RFX1UkPunynlzG4zz?=
	=?us-ascii?q?tvkzE1taefxyrOw+PsdRoCIGFLQnNujVHyLoiol9oaRlSnbxA1lBu54kb336Za?=
	=?us-ascii?q?q757L2nPX0hIZTP2Inp8UqSurLqNeNNP6JYyvSVQSuS8bkiQSqThrBsCzyPjA2?=
	=?us-ascii?q?xeySgndz63p5r5ngZ1iGaGIXlvq3rZfN1/yg3E5NzAX/JR2CQJRDVggznNGle8?=
	=?us-ascii?q?J8Wp/cmTl5rbtOC+VmahVplNfinw1o6PrjW05XdtARGlmPCzgNLnGxAg0SDnz9?=
	=?us-ascii?q?lqSTnIrBHkb4n11qS1Lf5nfk5yBFPm98V6GoZ+ko0/hJwL3Xgah5OV8mAdkWf0?=
	=?us-ascii?q?K9lb3rj+bHUVTz4R39HV+BTl2FFkLn+Rw4L5V26dwtd4a9mhfGwW3iM978ZXCK?=
	=?us-ascii?q?ab97FEhjN1olu+rQLQffd9hS0Ryf0w534Gm+sJohYizj2BArAOGklVJTbslxOM?=
	=?us-ascii?q?79C6sqpXfnqgcb++1UdlhtChEa2NohpGVHb+YJciEjd67t9jP1LUzH3z9obkdc?=
	=?us-ascii?q?HIbd0Jqx2Ulw3MgPJPJJ0qkfoKgTZnOWX7vXA+zu43kRpu3Zams4SdLWVi4r65?=
	=?us-ascii?q?CAZCNjLpf8MT5i3tjaFGk8aVwY+vGI5hFy4IXJT2S/KoCzQSuur7NwqUFz08sH?=
	=?us-ascii?q?ibE6LFHQCD8Edms27PE5ezOnGJInkW0M5vRAebJENCgAAYRjM6kYAlFgqy3szu?=
	=?us-ascii?q?bF955iwN5l7/shZM0vhnNwT7UmrEuAioays0SZiGIBpY9A5C4V3ZMcuE7uJ8By?=
	=?us-ascii?q?tY5IGurBSRKmyHYARFFXsJVVGZCF34Mbmu4NbB//KeBuWgM/vEea+OpvBGV/eU?=
	=?us-ascii?q?2ZKv1ZNr/y6WOcWSOnltEeU71VBFXXBlBcvZgS4CSzEMly3Tdc6bvw2w+jZwrs?=
	=?us-ascii?q?Ci6vTkRBzg5YWIC7tIPtVg5Qq6gaGdOO6MnCx5MypX1osQxX/Uz7gSxFAShDto?=
	=?us-ascii?q?dzmxFrQAsDXATKzOlaBKCB4bcTl8NNNS76I73AlCJ9LUis/v2r5/lP41BE9PVU?=
	=?us-ascii?q?b9lcGxecwKP2a9OUvCBEmRMLSGISPEw93rYaymU7Jdl+NUuAOsuTaAD0DsJCyD?=
	=?us-ascii?q?mCfzWxCpL+5MkDmRPAZCt4GlbhZtFW/jQcr8ahGhPt57lzg2zqcwhnPNNW8RKi?=
	=?us-ascii?q?JzfF9IrrGK6iNYmPp/EXRb7nV5NemEhzqZ7+7AJ5YYq/tkHDl7l/lA73Q817tV?=
	=?us-ascii?q?6zpESedvlyTOq95iuVamkvOAyjB/ShpBti5LhJ6XvUVlIajZ8INAVmzc/BIV9m?=
	=?us-ascii?q?iQBRUKp8F+Ct3ztaBQy97Pm7j1KDhe8tLb588cC9LTKMKdP3orKQDpFyLMDAsZ?=
	=?us-ascii?q?UT6rMnnSh1RDn/6J6HKVqJk6qoTrmJcVS79USkI6Ge0ABkRiBtwCL499Xik4nr?=
	=?us-ascii?q?6DkM4I+X2+oQHMS8VBoJ/ITP2SAe/1JzaHlrREfAEHwbDlLYQJLIL3wUhiakR8?=
	=?us-ascii?q?nIvQAUrcRMxNoipibg40p0VB6n5+QXMv20j9cAOi/GcTFeKonh4xkgZ+ev4i9C?=
	=?us-ascii?q?n27Fc4OFXKvzA9kFIrltX7mz+RfyD+LLyqUYFQFSX0q1A7MonnTAZtcQ2ygUtk?=
	=?us-ascii?q?OS/fSLJQgLtgcmZrhRTBtpRRAvFcTLdLYBkKyfGQffUo3kxWqj+7yk9f+evFFZ?=
	=?us-ascii?q?ximRMwfp6jtX1AxRxsYcUyJazIOqVJyF1QibiPvi+sze8xxwAfK1wK8GOIdy4C?=
	=?us-ascii?q?oFYIOaU+Jyq04uxs7hSPmydEeGgJTfYquPVq90IjNOSG1C3gyblDJV6yN+GEM6?=
	=?us-ascii?q?yZvG3AmtKSTVMrykMEjU9F8qZq0c07aUqbS1gvzKeNFxQOLcfCKgFUb85M+3XI?=
	=?us-ascii?q?eCaOtuvNwZxrMIWhCuDoTeiOtKMKjU6+GgYmAZgM5NwbHpawyEHYMdvnLLkdxB?=
	=?us-ascii?q?Ur+gvkPlGFAe9KeBKMizcHv9uwzJls3YleJzERG2N9Pjur5rzPvA8lnOKDXMsq?=
	=?us-ascii?q?YncdRoYELGw5WNaklCFDpXRPEDm33/kCxwiD9T/zuyPQDDfkb9p5eviVZQlgCN?=
	=?us-ascii?q?eo9jUj66K2k0LY8o3CJ2HmMtRvosLA6eQcp5aBFvxbU719s0bHloZCWXOqSWnP?=
	=?us-ascii?q?HcSyJ5jqZIkmdcb0BWqiUlyjlzI1SN/8M8u3IaiWgAHnWJ1UvZKB0zA5L8+9ET?=
	=?us-ascii?q?8fGwxuqO4f+aJ8fwwDY4Y7YBLysQQxKbC/Kh+C0tqyW2atNSdWT/5HwOW+YLxX?=
	=?us-ascii?q?1TQjbum7yXsnVZw6wO+38VMXSJENlBHeyu6pZ5NCXijrBnxdZwLPqDIil2d/Mu?=
	=?us-ascii?q?Yyw+E/wA7HsFQHLz+Lc+lpZ3BesNEnGVOeO3N2BXQkR1WEl4rM/has36wO/yta?=
	=?us-ascii?q?h9tU0vdFsXjksZ/ZfDKsWLemqZrSsyo4cdcquatxPpL/IsGerpPRgiTfTIXMsg?=
	=?us-ascii?q?2CSCO6C/tamt1XICJEQPlJmXooNtEHuYtB80U+Td0yJ7pRB6kwvrqqcyZrDTYO?=
	=?us-ascii?q?zS8FUIONxCYNguO927TGiBifaJEiMRwCsJVFhNsSSTV7bTgfpKC5UYXajmGESn?=
	=?us-ascii?q?URLAcV8wtM+BoKlpVsceD9/IrIUJhMxiZNrP1qVCvGDYNn+EblSm6Im1j4U++u?=
	=?us-ascii?q?k/ap3A5Iy/LsyNYbUgZlCUdB3+ZWilcoKLZvJqkfo47KszuIdUfks2Lo0+apOU?=
	=?us-ascii?q?dextbVd1LiCorJr238UjcT+XcMX49A1GnfFYgOkwp+cKsrvlNMIIG6dUb+4Dwk?=
	=?us-ascii?q?w59pEaGhW8623VgosXEISjy2HNpGDuFprEjYWCZ5Y5yxrpXqJYlSSHdK+JKBs1?=
	=?us-ascii?q?dZjFltMymhxJpGMc5N+DkMUyNUrDWBptu9UtND1tFyD58NJNd/tHP9GKJLOJiR?=
	=?us-ascii?q?v302tKbgymXc+zwmtle12imzEbeiT+1F520eBhkpJ2OGp0ghFecj7mfS8lHIsl?=
	=?us-ascii?q?B15ehbBaOCjURvrzljAJ9CHDFJ1WqqL15rVnlJr/1aKLjJc8xbW/Q9fwWvOwE4?=
	=?us-ascii?q?FfI83EyE5kB0nXb4YyxurQRW4SbdUBcoVSMNmLfihSUeqt27OT8dU59IbDMhbz?=
	=?us-ascii?q?vbJAKfhy9XuQhQa11wW5EZGdtF/Kkb0pVS/srHU0msKCUFUwdlNgM3y/ZfklRD?=
	=?us-ascii?q?sEqAcyDHEQWoberPsgFwfcqJo86pNu72/AFbio78seA48KsCR3u6mQ2tX9/ero?=
	=?us-ascii?q?n8tsGUuUuUbqv4NfOzYWPZRjjWkR+wnaskD4XN/yXLLApbLJx6xGE4YZT9DG7E?=
	=?us-ascii?q?Jg5KJ6QFKEpHTap6c8lJovhGZ894f6YE4a9tCQidRhz1HIygseJLIUvNSjTGNy?=
	=?us-ascii?q?WO7Oi/rpzJ7bDHTujgfMOMzW7dQ61rJpd69SX7G7Dy3I9c/Ur5xOxg+V5kRljd?=
	=?us-ascii?q?LS+BtsjhKR0W68W4cEvtoIEpFyvMAJhsiHrt2l1Ad80PTiKx/pQX1I9V5XTtRe?=
	=?us-ascii?q?92yUX8rOpS97x45oYt+LBp1d24JaHMJvRGqUVnGASbBh129pUxB2hyX3pRbfEM?=
	=?us-ascii?q?J/fRZ6sZkdvjq+TwF6wJ9hKZ5fBWadzaKE7fgMW/DC+TSQBclgcbtTEaNhec1+?=
	=?us-ascii?q?KCm6JsUcalvvT51Vgw7FiiNRMG17dt5Zqe+qWUuuDXaQfRzaIeVajuXM/zqa4s?=
	=?us-ascii?q?u0yK7/0+iLEOYnB1YxGgEOUFSs4d3Hnvwr43wi83DsPDG67g+ORZWHInnzLgnJ?=
	=?us-ascii?q?R9EEsKGv8OGrqL54telH8im+PFLt0WbrxCmmGXGBG5FL8N02Wm5DaRIGZ/mB3O?=
	=?us-ascii?q?1AvwQWyr5l/ssSB4WTfMz8vkkkdNVLm4H11SXy2yOU98qjyPIhHltN/quaQx8E?=
	=?us-ascii?q?E2M3DrtNOXm2unI7NbBcr/JMaTISMsvlIYkIUxRsCz2YAcAde9Is0e8HdwbvvE?=
	=?us-ascii?q?7GOkjjFOrrxbh4XE5MGV4fLXEWOmj6KEt7WH3CpYxWQgvVEj9tCgMenD59uOQ/?=
	=?us-ascii?q?mz1mYRSSJ/txHAXx6zpLzbtUobOVeX0EfRhYwFIs1Z3WQi1k74/uQjR8gz9ApG?=
	=?us-ascii?q?HIbae/wCvSzzOCfzwVuHZdI3VzWR0zxTHl3vCll0Aqk82GX3vMLSjnfd4FgoS4?=
	=?us-ascii?q?Z/dkD9ghx3FYo4I1o36FcL2ioDDRQNaReDAb60H0vlKZULVVMfaRWH27i3Ybw3?=
	=?us-ascii?q?0lFywryx4u/Tce18CLAXOvZbkAGOgEBRGogKvq0GXLJ8Z1hd+bbTpgj5DojqX+?=
	=?us-ascii?q?PrlXQuOvKoRcBa69oWt2M44ga4RRqv94tM76oBhJCPbK5EboDGvNpg4Ed/+T4P?=
	=?us-ascii?q?aitNjQB9jxO4VOARv+Xj7cbbsZW28OauVaAtR+oN+xgyGWt+k4P6gEo/rtHPy+?=
	=?us-ascii?q?dcVorVhJz+8AFMOXGFoprV3gJnKeUQN4KkYqpv+28AJygEKHIEJcCWZOUk4y9x?=
	=?us-ascii?q?LDXT4ERPDdgNZdMDMsvCgwJUikz1WLFL7MXbB1uYBpxveMAv8mX41io68YYmUu?=
	=?us-ascii?q?bn8j+5P4rT71ZXP/NMlC9sjs7NpPAJwfrODyga+WGZZAJpwiyey5mMBfHw/f+P?=
	=?us-ascii?q?yN3NTFMJACo2U4ZbJDqf9g2qXfK1m4/1UgyI6s/yjpU+dFiTRnCrn6QKrLxMEe?=
	=?us-ascii?q?hehSX/xDReEZr1h/2Nudq29GRXrkFHEJp07RDdBKVfJIt0ORDimcmtWEdxHTbw?=
	=?us-ascii?q?eMDbdhovpOqZ3PwM7P9kN0vjf4MbJAwLy67i43pPUgRuUKL2vkqeXe8Ja9tpUu?=
	=?us-ascii?q?nEoW5J6YJgMKIPOFmdpID0oTdIsl82HRQpZKU2rjNEaknEhBdVVLrsuL4clgsc?=
	=?us-ascii?q?VsZ0uUBSFmK2JGI+4D3HWaNOjKaPDPwV8zOTTrEBUkhzNiNxXQm12ZV0dLezm/?=
	=?us-ascii?q?BIrH9GlDtnoPc2yzxmWAe8uSr0qq0R2zIv4q23uS4dtnxCSuWelybIBktZzPQW?=
	=?us-ascii?q?k6gTF3bi5Ua7YHkZY4v4+KNnKtj49Yk9/3Q/Zg0ufygBXeSmFyHwgL2HD5eKsN?=
	=?us-ascii?q?JdnhGNvtvBbaO9LCgVLLQ9ygnjS2J70gfAgBZi6HELTSm47N84OIW9Pt4oxiW0?=
	=?us-ascii?q?FmjAb1YA+75HvsT3u14KSus2dFxgzX5s0siCXCINQtLAF3wyjgg+ZmVOaIhD5g?=
	=?us-ascii?q?MCF6k0njaIubFL/gMTYDfUFISp4JXfncfM2XkgUNhrx2PWpquehpMp0X1ogM10?=
	=?us-ascii?q?7i+QuHsIc+zXTs5sDmL11ohB1ez0f++tvfwfSIt61LShV+cPMsi9+WSs3pVnQU?=
	=?us-ascii?q?ulxqkDEFq4N+8D3a3XUyC/SW2XQe6LaXSDny4lMk7u4hmlNl83Z9lEr08zNuvP?=
	=?us-ascii?q?nZBdmBfnUbxqWiWcv1nbw3I/MekCbQI5pJ+nexAWTO4Wf+WcKuwuwPowCVQSa3?=
	=?us-ascii?q?/JGTB7C/SxsV6rnYh0J29s4UPkbuTx6grmKsedGgEYEY7GqZ584f66RmKBOH94?=
	=?us-ascii?q?yx1yOEh09/vBGFkqs+9ccoqRncLOiNhh1u4FbfhtOzUnutEPgoJj9ZWU0MCSfB?=
	=?us-ascii?q?HNz5byIMrYouSZA/LDzEQlZGVaXqAfYQzr+4UwJsQ5VKHLHbtFoRQcArA3QJkg?=
	=?us-ascii?q?N2fy96F0Kxh+cgzLa7S3hcnqoPyEZp1Oq3/Q8F0wMD/WuwcfxfysUQx7c5eqim?=
	=?us-ascii?q?3pL58uQDJBs8ZgCgBiHItIB8MAsxSnDICJl62hjN+x4Ux6sfcQsaXsEvDKyMi5?=
	=?us-ascii?q?34JpUphC4kyLOCzeBLNlg0RiiuSyjOzN0pz2CcPlYtMLSvR0QnTCar/dBYW/Kz?=
	=?us-ascii?q?SOOs3md05B6b6c36pzUg+NayDhQ6qGqCqkOe1q4Uolzox4ffLTwyI24rDa2dvy?=
	=?us-ascii?q?YmRbqTm5rX6NKpRT9lvKBfbRXxhMU/qK7H5lHbELbYvz7OoPP8QiwMKd4wZv8j?=
	=?us-ascii?q?tPy86FI6m9rk/WxE13b5XbLFHm2ywhQ4kFPAy/MVcwgW/esnndBnBcIda/JMl1?=
	=?us-ascii?q?hNaaFAft51VwmW4xem5BAHTnSsmLNWgdxc2+eBWA9BhXANYbg+63ZUk4u7W2Se?=
	=?us-ascii?q?lpPJVFhOqruKwDkdZoMCHPWNNaMjrRLLBsODpRCf/DpF8yYh4Lq7I1QJs6ZYCS?=
	=?us-ascii?q?IEMbN0eN0TjywhXG0U31cdysyamILCEZ/HVbz7LKzyJMqBehufmDmcDjU67WbI?=
	=?us-ascii?q?vwXPHMNCoqTSyaRTsoHUau41ektOIOvOCELmcHvlAUfiWSBRYWpq91sdfQDm7T?=
	=?us-ascii?q?metkfJARmvCaWibwRzN8lKozACZLqE+NT+AEFQnMYH/rmHBctxC6Jv9Q4XLlaK?=
	=?us-ascii?q?WVxqhPVOwVBYtDaeaUQ8beefBCJzcokSgZOOm8f93Atbo51EzHTXcBGanS6FKe?=
	=?us-ascii?q?VFKWQuCbxz/zUoUapZM7ujAp+t3Omi96CLrIP7KFqD618464kTyUuevAWWkxe0?=
	=?us-ascii?q?Y1mv4NAHGdwBlcL2EJE9MVuETqQq6afUZM1WkphPlo2xAWfQR8THxu3mdRnPan?=
	=?us-ascii?q?Fc1TUUQUg3+2QP0acFB3Cys9/VSE4g33fdMNuMPeSnRA9rQSU4odLfgp6I7ROK?=
	=?us-ascii?q?cKxvYmwi5mqjQgsyqBF1Ndkh6F863IEaJ+wb1C42048upzXk6RXjzffG/HypC6?=
	=?us-ascii?q?BM1R3ytup27r19aH9txqYaBXo4B/HUciHTN9Jteb+ytIF27zxk/6uxe9ASTbOz?=
	=?us-ascii?q?kF+B4VKiEfMOV41el2tFDPbNmFoUeRsb8x7VCmAhuRC6alnZlMBtzt2C2mZiRR?=
	=?us-ascii?q?NzamDZZ7rrBKjtlBT7kgYN2EAlvBJxLyRiKRuiYB71C+uLWgDcNQzlIVpaUlKd?=
	=?us-ascii?q?fkRKEAEdjfwDxixXtUgpEIyDvCUZvkepTl5pkgVjk1PZ6nRCyuOcrE?=
X-IPAS-Result: =?us-ascii?q?A2EcAgAaxK1Y/wHyM5BeGgEBAQECAQEBAQgBAQEBFQEBAQE?=
	=?us-ascii?q?CAQEBAQgBAQEBgyaBao5Vp2Y1LYkKVwEBAQEBAQEBAgECXyiCMyINPQoyAQEBA?=
	=?us-ascii?q?QEBAQEBAQEBAQEBGgIISAEBIAIkEwYBDSAMAgMJAgUSKQgIAwEtFRgHCwUYBId?=
	=?us-ascii?q?nA4FRAQMVBLBrOiYCgmEFgQKEWYMCBAiEP4lNgVURAYYBBYkICoY6gUqKepIWg?=
	=?us-ascii?q?giIYYY0iDWKcFh4CCEUH1OCWYFjDx2BYXWHWQ0XB4IQAQEB?=
Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1])
	by emsm-gh1-uea10.nsa.gov with ESMTP; 22 Feb 2017 17:06:11 +0000
Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v1MH64b4002027;
	Wed, 22 Feb 2017 12:06:06 -0500
Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil
	[144.51.242.1])
	by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id
	v1MH3gcT227282 for <selinux@prometheus.infosec.tycho.ncsc.mil>;
	Wed, 22 Feb 2017 12:03:42 -0500
Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v1MH3gLQ001268
	for <selinux@tycho.nsa.gov>; Wed, 22 Feb 2017 12:03:42 -0500
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: 
 A1D8AADxwq1Yh3kAFEFeGgEBAQECAQEBAQgBAQEBhTuOVaQNhBwMhhaDXgECAQEBAQECEwEBAQoLCQodhU0ZATgBFYEpEogIA4FRAQMVBLBiOoMJBYEChFmDAgQIhD+JTYRPDIMNBYkICoY6gUqKepIWggiPFYg1inCBVyEUH1OCWYEiAUAPEQyBYXWHWSuCEAEBAQ
X-IPAS-Result: 
 A1D8AADxwq1Yh3kAFEFeGgEBAQECAQEBAQgBAQEBhTuOVaQNhBwMhhaDXgECAQEBAQECEwEBAQoLCQodhU0ZATgBFYEpEogIA4FRAQMVBLBiOoMJBYEChFmDAgQIhD+JTYRPDIMNBYkICoY6gUqKepIWggiPFYg1inCBVyEUH1OCWYEiAUAPEQyBYXWHWSuCEAEBAQ
X-IronPort-AV: E=Sophos;i="5.35,195,1484024400"; d="scan'208";a="5953962"
Received: from emsm-gh1-uea10.corp.nsa.gov (HELO emsm-gh1-uea10.nsa.gov)
	([10.208.41.36])
	by goalie.tycho.ncsc.mil with ESMTP; 22 Feb 2017 12:03:42 -0500
IronPort-PHdr: =?us-ascii?q?9a23=3ASU4STRcRkNmSul/3LOSwF355lGMj4u6mDksu8pMi?=
	=?us-ascii?q?zoh2WeGdxcSzZh7h7PlgxGXEQZ/co6odzbGH7ua5BydRvN6oizMrSNR0TRgLiM?=
	=?us-ascii?q?EbzUQLIfWuLgnFFsPsdDEwB89YVVVorDmROElRH9viNRWJ+iXhpTEdFQ/iOgVr?=
	=?us-ascii?q?O+/7BpDdj9it1+C15pbffxhEiCCzbL52LBi6txjdu8gZjYZmKqs61wfErGZPd+?=
	=?us-ascii?q?lK321jOEidnwz75se+/Z5j9zpftvc8/MNeUqv0Yro1Q6VAADspL2466svrtQLe?=
	=?us-ascii?q?TQSU/XsTTn8WkhtTDAfb6hzxQ4r8vTH7tup53ymaINH2QLUpUjms86tnVBnlgz?=
	=?us-ascii?q?oBOjUk8m/Yl9Zwgbpbrhy/uhJxzY3aboaOOfZiYq/QZ88WSHBdUspNUSFKH4Oy?=
	=?us-ascii?q?b5EID+oEJetWs4j9qEcOrRSkHwmjGf7kxD1SiX/32601zf8hGhzB0Qw6HtIBrH?=
	=?us-ascii?q?TUo8/vNKgPSe+60LHHzTXZYPNX3zfy9pPIfws6rvGQXLJwd9bRxlc1FwPDkFqQ?=
	=?us-ascii?q?tZbpMC+S1uQIqmWW6fdrW+yoi24isQ5xoz6vy980iobTmo0VyU7L9TljzIYzO9?=
	=?us-ascii?q?K4VEh2asOnHptIryyXNot7Ttk8T210oio21qcKtYOlcCQX0JgqxB/SZ+aaf4WH?=
	=?us-ascii?q?4x/vTuecLDViiH9ke7+ygQu5/1K6xe3mTMa01U5HripbndnIsXAAzwbT6seASv?=
	=?us-ascii?q?tg4ketxSuD2xrI5eFYO0w0ka3bK5ghz7IqipUTqVjMHivxmEXrkaCabFkr+u+y?=
	=?us-ascii?q?5+T6YbXqvp6cN4lqhQHiKqkjm8yyDf4mPgQSRWSX5f6w2KD98UHkWLlKi+c5kq?=
	=?us-ascii?q?jdsJDUP8Qboau5DhdP0oYi9xm/Dy2p0M4FknYfMF1KYBKHgJLoO1HIPv/4Fuyy?=
	=?us-ascii?q?jE+wkDdqwfDGIqPuAo/LLnfdjLftZ6py60lZyAYr19BQ+4pUCq0dIPL0QkLxr8?=
	=?us-ascii?q?LXDhs4Mwyy3ubmB85w1p8eWG2TAq+ZN7nesVmT5u01OeWMa4gVuCiuY8QisuXj?=
	=?us-ascii?q?iX4/hE81Ybii3ZxRbmuxWPthPQHRZXvqn8dECmwWpiIgQ+Hwzl6PSzheYzC1Ra?=
	=?us-ascii?q?14rjU6Dp+2SJzOTZ23gaCQmSK8EoBSa0hYBV2WV3TlbYOJX7ELci3BDNVml2k+?=
	=?us-ascii?q?VLOhQpUtnTGntQn30PIzNOvf+iQCuaXo49h85uvejjk46T1yE8mH1WyRCWpzmz?=
	=?us-ascii?q?VbFHcNwKljrBklmR+42q9ijqkAGA=3D=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0EMAQDxwq1Yh3kAFEFeGgEBAQECAQEBA?=
	=?us-ascii?q?QgBAQEBFQEBAQECAQEBAQgBAQEBhRCOVaQNg1lDDIYWg14BAQEBAQEBAQIBAhA?=
	=?us-ascii?q?BAQEKCwkKHS+CMyAPPQoyAQEBAQEBAQEBAQEBAQEBGgIISAFHGQE4ARWBKRKIC?=
	=?us-ascii?q?AOBUQEDFQSwYjqDCQWBAoRZgwIECIQ/iU2ETwyDDQWJCAqGOoFKinqSFoIIjxW?=
	=?us-ascii?q?INYpwgVghFB9TglmBIgFADxEMgWF1h1krghABAQE?=
X-IPAS-Result: =?us-ascii?q?A0EMAQDxwq1Yh3kAFEFeGgEBAQECAQEBAQgBAQEBFQEBAQE?=
	=?us-ascii?q?CAQEBAQgBAQEBhRCOVaQNg1lDDIYWg14BAQEBAQEBAQIBAhABAQEKCwkKHS+CM?=
	=?us-ascii?q?yAPPQoyAQEBAQEBAQEBAQEBAQEBGgIISAFHGQE4ARWBKRKICAOBUQEDFQSwYjq?=
	=?us-ascii?q?DCQWBAoRZgwIECIQ/iU2ETwyDDQWJCAqGOoFKinqSFoIIjxWINYpwgVghFB9Tg?=
	=?us-ascii?q?lmBIgFADxEMgWF1h1krghABAQE?=
X-IronPort-AV: E=Sophos;i="5.35,195,1484006400"; d="scan'208";a="4129043"
X-IronPort-Outbreak-Status: No, level 0, Unknown - Unknown
Received: from rgout0101.bt.lon5.cpcloud.co.uk (HELO
	rgout01.bt.lon5.cpcloud.co.uk) ([65.20.0.121])
	by emsm-gh1-uea10.nsa.gov with ESMTP; 22 Feb 2017 17:03:40 +0000
X-OWM-Source-IP: 86.146.67.68 (GB)
X-OWM-Env-Sender: richard_c_haines@btinternet.com
X-Junkmail-Premium-Raw: score=7/50, refid=2.7.2:2017.2.22.164218:17:7.944,
	ip=, rules=__HAS_FROM,
	__FRAUD_WEBMAIL_FROM, __TO_MALFORMED_2, __TO_NO_NAME, __HAS_CC_HDR,
	__CC_NAME, __CC_NAME_DIFF_FROM_ACC, __SUBJ_ALPHA_END, __HAS_MSGID,
	__SANE_MSGID, __HAS_X_MAILER, __FROM_DOMAIN_IN_ANY_CC1, __ANY_URI,
	__FRAUD_BODY_WEBMAIL, __URI_NO_WWW, __CP_NAME_BODY, __PHISH_PHRASE11,
	__LINES_OF_YELLING, __NO_HTML_TAG_RAW, BODY_SIZE_10000_PLUS,
	__MIME_TEXT_P1,
	__MIME_TEXT_ONLY, __URI_NS, HTML_00_01, HTML_00_10, __FRAUD_WEBMAIL,
	__FROM_DOMAIN_IN_RCPT, __CC_REAL_NAMES, __PHISH_SPEAR_STRUCTURE_1,
	__MIME_TEXT_P, NO_URI_HTTPS
Received: from localhost.localdomain (86.146.67.68) by
	rgout01.bt.lon5.cpcloud.co.uk (9.0.019.13-1) (authenticated as
	richard_c_haines@btinternet.com)
	id 584829CB078CE405; Wed, 22 Feb 2017 17:03:38 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com;
	s=btcpcloud; t=1487783020;
	bh=q/ErnuLIS1JrVwN+inNM0BXc2FbJI0nR0CmEFjtAx+E=;
	h=From:To:Cc:Subject:Date:Message-Id:X-Mailer;
	b=PRgV6O71bF8rNY4hDCA9c0W29THEXiXFVh8Md/FrgfR5mF8qLXFwujGvxtCFmPxFrxpAuhDAwjtqHDovTNq69UWpv3B22t+vpIFPUJ81ZZlvAvtanIg/Ro02CbpXvEtDKoz+Snx3JENTUbPutm9YLxsqcpWdFiV2ZoIqih1CmK4=
From: Richard Haines <richard_c_haines@btinternet.com>
To: selinux@tycho.nsa.gov, linux-sctp@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: [RFC v2 PATCH 1/2] kernel: Add LSM hooks for SCTP support
Date: Wed, 22 Feb 2017 17:03:30 +0000
Message-Id: <20170222170330.5379-1-richard_c_haines@btinternet.com>
X-Mailer: git-send-email 2.9.3
X-BeenThere: selinux@tycho.nsa.gov
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
	<selinux.tycho.nsa.gov>
List-Post: <mailto:selinux@tycho.nsa.gov>
List-Help: <mailto:selinux-request@tycho.nsa.gov?subject=help>
MIME-Version: 1.0
Errors-To: selinux-bounces@tycho.nsa.gov
Sender: "Selinux" <selinux-bounces@tycho.nsa.gov>
X-Virus-Scanned: ClamAV using ClamSMTP

Add four new SCTP hooks that are detailed in:
Documentation/security/LSM-sctp.txt

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 Documentation/security/LSM-sctp.txt | 171 ++++++++++++++++++++++++++++++++++++
 include/linux/lsm_hooks.h           |  37 ++++++++
 include/linux/security.h            |  33 +++++++
 security/security.c                 |  34 +++++++
 4 files changed, 275 insertions(+)
 create mode 100644 Documentation/security/LSM-sctp.txt

diff --git a/Documentation/security/LSM-sctp.txt b/Documentation/security/LSM-sctp.txt
new file mode 100644
index 0000000..a96ad0a
--- /dev/null
+++ b/Documentation/security/LSM-sctp.txt
@@ -0,0 +1,171 @@
+                               SCTP LSM Support
+                              ==================
+
+For security module support, four new sctp specific hooks have been
+implemented:
+    security_sctp_assoc_request()
+    security_sctp_accept_conn()
+    security_sctp_sk_clone()
+    security_sctp_addr_list()
+
+The usage of these hooks are described below with further information
+available in include/linux/lsm_hooks.h. The SELinux implementation is
+described in Documentation/security/SELinux-sctp.txt
+
+
+security_sctp_assoc_request()
+------------------------------
+This new hook has been added to net/sctp/sm_statefuns.c where it passes the
+@sk and @chunk->skb (the association INIT or INIT ACK packet) to the security
+module. Returns 0 on success, error on failure.
+
+    @sk  - pointer to sock structure.
+    @skb - pointer to skbuff of association packet (INIT or INIT ACK)
+
+The security module performs two operations:
+  1) If this is the first association on @sk, then set the peer sid
+     to that in @skb. This will ensure that there is only one peer sid
+     assigned to @sk that may support multiple associations.
+
+  2) Validate the @sk sid against the @sk peer sid to determine whether the
+     association should be allowed or denied.
+
+
+security_sctp_accept_conn()
+----------------------------
+This new hook has been added to net/sctp/sm_statefuns.c where it sets the
+sctp endpoint @ep->secid to the socket's sid (@ep->base.sk) with the MLS
+portion taken from the COOKIE ECHO packet @skb peer sid. Returns 0 on success,
+error on failure.
+
+    @ep  - pointer to sctp endpoint structure.
+    @skb - pointer to skbuff of the COOKIE ECHO packet.
+
+To support this hook include/net/sctp/structs.h "struct sctp_endpoint" has
+been updated with the following:
+
+	/* Security identifiers from incoming (COOKIE-ECHO) connection.
+	 * These are set by security_sctp_accept_conn() and used by
+	 * security_sctp_sk_clone() to set sids on newsock.
+	 */
+	u32 secid;
+	u32 peer_secid;
+
+
+security_sctp_sk_clone()
+-------------------------
+This new hook has been added to net/sctp/socket.c sctp_sock_migrate() that is
+called whenever a new socket is created for accept(2) (i.e. a TCP type socket)
+or when a socket is 'peeled off' e.g userspace calling sctp_peeloff(3).
+security_sctp_sk_clone() will set the new sockets sid and peer sid to that
+contained in the old @ep sid and peer sid respectively.
+
+    @ep - pointer to old sctp endpoint structure.
+    @sk - pointer to old sock structure.
+    @sk - pointer to new sock structure.
+
+
+security_sctp_addr_list()
+--------------------------
+This new hook has been added to net/sctp/socket.c and net/sctp/sm_make_chunk.c.
+It passes one or more ipv4/ipv6 addresses to the security module for
+validation based on the @optname as shown in the permission check tables below.
+Returns 0 on success, error on failure.
+
+    @sk      - Pointer to sock structure.
+    @optname - Name of the option to validate.
+    @address - One or more ipv4 / ipv6 addresses.
+    @addrlen - The total length of address(s). This is calculated on each
+               ipv4 or ipv6 address using sizeof(struct sockaddr_in) or
+               sizeof(struct sockaddr_in6).
+
+  ------------------------------------------------------------------
+  |                     BIND Type Checks                           |
+  |       @optname             |         @address contains         |
+  |----------------------------|-----------------------------------|
+  | SCTP_SOCKOPT_BINDX_ADD     | One or more ipv4 / ipv6 addresses |
+  | SCTP_PRIMARY_ADDR          | Single ipv4 or ipv6 address       |
+  | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address       |
+  ------------------------------------------------------------------
+
+  ------------------------------------------------------------------
+  |                   CONNECT Type Checks                          |
+  |       @optname             |         @address contains         |
+  |----------------------------|-----------------------------------|
+  | SCTP_SOCKOPT_CONNECTX      | One or more ipv4 / ipv6 addresses |
+  | SCTP_PARAM_ADD_IP          | One or more ipv4 / ipv6 addresses |
+  | SCTP_PARAM_SET_PRIMARY     | Single ipv4 or ipv6 address       |
+  ------------------------------------------------------------------
+
+
+Security Hooks used for Association Establishment
+==================================================
+The following diagram shows the use of security_sctp_assoc_request(),
+security_sctp_accept_conn() in net/sctp/sm_statefuns.c and
+security_sctp_sk_clone() in net/sctp/socket.c, when establishing an
+association.
+
+      SCTP endpoint "A"                                SCTP endpoint "Z"
+      =================                                =================
+    sctp_sf_do_prm_asoc()
+ Initiate an association to
+ SCTP peer endpoint "Z".
+ Send INIT first as we need to obtain
+ a peer label before checking whether
+ this is allowed or not. This will be
+ checked once the INIT ACK has been
+ received.
+         INIT --------------------------------------------->
+                                                   sctp_sf_do_5_1B_init()
+                                                 Respond to an INIT chunk.
+                                             SCTP peer endpoint "A" is
+                                             asking for an association. Call
+                                             security_sctp_assoc_request()
+                                             to set the peer label if first
+                                             association, then check
+                                             if association is allowed or not.
+                                             IF allowed send:
+          <----------------------------------------------- INIT ACK
+          |                                  ELSE audit event and silently
+          |                                       discard the packet.
+    sctp_sf_do_5_1C_ack
+ Respond to an INIT ACK chunk.
+ SCTP peer endpoint"A" initiated
+ this association to SCTP peer
+ endpoint "Z". The security checks
+ are done now as we have a peer
+ label to check against, so call
+ security_sctp_assoc_request()
+ to set the peer label if first
+ association, then check if
+ association is allowed or not.
+ IF allowed send:
+    COOKIE ECHO ------------------------------------------>
+ ELSE audit event and silently                            |
+      discard the packet.                                 |
+                                                          |
+                                                 sctp_sf_do_5_1D_ce
+                                             Call security_sctp_accept_conn()
+                                             This sets the sctp endpoint sid
+                                             to the socket's sid with the
+                                             MLS portion taken from the
+                                             COOKIE ECHO packet peer sid.
+                                             IF ok send:
+          <------------------------------------------- COOKIE ACK
+          |                                  ELSE silently discard the packet.
+          |                                               |
+          |                                               |
+          |                               net/sctp/socket.c sctp_sock_migrate()
+          |                                   If SCTP_SOCKET_TCP or peeled off
+          |                                   socket security_sctp_sk_clone()
+          |                                   is called to clone the new socket
+          |                                   with the saved endpoint sid and
+          |                                   peer sid.
+          |                                               |
+      ESTABLISHED                                    ESTABLISHED
+          |                                               |
+    ------------------------------------------------------------------
+    |                     Association Established                    |
+    ------------------------------------------------------------------
+
+
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 558adfa..160c952 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -902,6 +902,33 @@
  *	This hook can be used by the module to update any security state
  *	associated with the TUN device's security structure.
  *	@security pointer to the TUN devices's security structure.
+ * @sctp_assoc_request:
+ *	If first association on @sk, then set the peer sid to that in @skb.
+ *	@sk pointer to sock structure.
+ *	@skb pointer to skbuff of association packet (INIT or INIT ACK)
+ *	being queried.
+ *	Return 0 on success, error on failure.
+ * @sctp_accept_conn:
+ *	Sets the sctp endpoint sid to socket's sid (ep->base.sk) with MLS
+ *	portion taken from peer sid.
+ *	@ep pointer to sctp endpoint structure.
+ *	@skb pointer to skbuff of the COOKIE ECHO packet.
+ *	Return 0 on success, error on failure.
+ * @sctp_sk_clone:
+ *	Sets the new child socket's sid to the old endpoint sid.
+ *	@ep pointer to old sctp endpoint structure.
+ *	@sk pointer to old sock structure.
+ *	@sk pointer to new sock structure.
+ * @sctp_addr_list:
+ *	Check permissions required for each address before setting option
+ *      associated with sock @sk. The @addrlen is calculated on each ipv4
+ *	and ipv6 address using sizeof(struct sockaddr_in) or
+ *	sizeof(struct sockaddr_in6).
+ *	@sk pointer to sock structure.
+ *	@optname name of the option to validate.
+ *	@address list containing one or more ipv4/ipv6 addresses.
+ *	@addrlen total length of address(s).
+ *	Return 0 on success, error on failure.
  *
  * Security hooks for XFRM operations.
  *
@@ -1609,6 +1636,12 @@ union security_list_options {
 	int (*tun_dev_attach_queue)(void *security);
 	int (*tun_dev_attach)(struct sock *sk, void *security);
 	int (*tun_dev_open)(void *security);
+	int (*sctp_assoc_request)(struct sock *sk, struct sk_buff *skb);
+	int (*sctp_accept_conn)(struct sctp_endpoint *ep, struct sk_buff *skb);
+	void (*sctp_sk_clone)(struct sctp_endpoint *ep, struct sock *sk,
+			      struct sock *newsk);
+	int (*sctp_addr_list)(struct sock *sk, int optname,
+			      struct sockaddr *address, int addrlen);
 #endif	/* CONFIG_SECURITY_NETWORK */
 
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
@@ -1840,6 +1873,10 @@ struct security_hook_heads {
 	struct list_head tun_dev_attach_queue;
 	struct list_head tun_dev_attach;
 	struct list_head tun_dev_open;
+	struct list_head sctp_assoc_request;
+	struct list_head sctp_accept_conn;
+	struct list_head sctp_sk_clone;
+	struct list_head sctp_addr_list;
 #endif	/* CONFIG_SECURITY_NETWORK */
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
 	struct list_head xfrm_policy_alloc_security;
diff --git a/include/linux/security.h b/include/linux/security.h
index c2125e9..37b0032 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -109,6 +109,7 @@ struct xfrm_policy;
 struct xfrm_state;
 struct xfrm_user_sec_ctx;
 struct seq_file;
+struct sctp_endpoint;
 
 #ifdef CONFIG_MMU
 extern unsigned long mmap_min_addr;
@@ -1199,6 +1200,12 @@ int security_tun_dev_create(void);
 int security_tun_dev_attach_queue(void *security);
 int security_tun_dev_attach(struct sock *sk, void *security);
 int security_tun_dev_open(void *security);
+int security_sctp_assoc_request(struct sock *sk, struct sk_buff *skb);
+int security_sctp_accept_conn(struct sctp_endpoint *ep, struct sk_buff *skb);
+void security_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
+			    struct sock *newsk);
+int security_sctp_addr_list(struct sock *sk, int optname,
+			    struct sockaddr *address, int addrlen);
 
 #else	/* CONFIG_SECURITY_NETWORK */
 static inline int security_unix_stream_connect(struct sock *sock,
@@ -1391,6 +1398,32 @@ static inline int security_tun_dev_open(void *security)
 {
 	return 0;
 }
+
+static inline int security_sctp_assoc_request(struct sock *sk,
+					      struct sk_buff *skb)
+{
+	return 0;
+}
+
+static inline int security_sctp_accept_conn(struct sctp_endpoint *ep,
+					    struct sk_buff *skb)
+{
+	return 0;
+}
+
+static inline void security_sctp_sk_clone(struct sctp_endpoint *ep,
+					  struct sock *sk,
+					  struct sock *newsk)
+{
+	return 0;
+}
+
+static inline int security_sctp_addr_list(struct sock *sk, int optname,
+					  struct sockaddr *address,
+					  int addrlen)
+{
+	return 0;
+}
 #endif	/* CONFIG_SECURITY_NETWORK */
 
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
diff --git a/security/security.c b/security/security.c
index f825304..ab0a1cb 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1439,6 +1439,32 @@ int security_tun_dev_open(void *security)
 }
 EXPORT_SYMBOL(security_tun_dev_open);
 
+int security_sctp_assoc_request(struct sock *sk, struct sk_buff *skb)
+{
+	return call_int_hook(sctp_assoc_request, 0, sk, skb);
+}
+EXPORT_SYMBOL(security_sctp_assoc_request);
+
+int security_sctp_accept_conn(struct sctp_endpoint *ep, struct sk_buff *skb)
+{
+	return call_int_hook(sctp_accept_conn, 0, ep, skb);
+}
+EXPORT_SYMBOL(security_sctp_accept_conn);
+
+void security_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
+			    struct sock *newsk)
+{
+	call_void_hook(sctp_sk_clone, ep, sk, newsk);
+}
+EXPORT_SYMBOL(security_sctp_sk_clone);
+
+int security_sctp_addr_list(struct sock *sk, int optname,
+			    struct sockaddr *address, int addrlen)
+{
+	return call_int_hook(sctp_addr_list, 0, sk, optname, address, addrlen);
+}
+EXPORT_SYMBOL(security_sctp_addr_list);
+
 #endif	/* CONFIG_SECURITY_NETWORK */
 
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
@@ -1897,6 +1923,14 @@ struct security_hook_heads security_hook_heads = {
 	.tun_dev_attach =
 		LIST_HEAD_INIT(security_hook_heads.tun_dev_attach),
 	.tun_dev_open =	LIST_HEAD_INIT(security_hook_heads.tun_dev_open),
+	.sctp_assoc_request =
+		LIST_HEAD_INIT(security_hook_heads.sctp_assoc_request),
+	.sctp_accept_conn =
+		LIST_HEAD_INIT(security_hook_heads.sctp_accept_conn),
+	.sctp_sk_clone =
+		LIST_HEAD_INIT(security_hook_heads.sctp_sk_clone),
+	.sctp_addr_list =
+		LIST_HEAD_INIT(security_hook_heads.sctp_addr_list),
 #endif	/* CONFIG_SECURITY_NETWORK */
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
 	.xfrm_policy_alloc_security =