From patchwork Tue Apr 11 17:51:44 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Stephen Smalley
X-Patchwork-Id: 9675889
From: Stephen Smalley
To: selinux@tycho.nsa.gov
Subject: [PATCH] libsemanage: Save linked policy, skip re-link when possible
Date: Tue, 11 Apr 2017 13:51:44 -0400
Message-Id: <20170411175144.15067-1-sds@tycho.nsa.gov>
X-Mailer: git-send-email 2.9.3
Cc: Stephen Smalley

In commit b61922f727d5643265e27654a2d626bcae5d894c ("libsemanage: revert "Skip policy module re-link when only setting booleans"), we reverted an optimization for setting booleans since it produced incorrect behavior. This incorrect behavior was due to operating on the policy with local changes already merged. However, reverting this change leaves us with undesirable overhead for setsebool -P. We also have long wanted to support the same optimization for making other changes that do not truly require module re-compilation/re-linking.

If we save the linked policy prior to merging local changes, we can skip re-linking the policy modules in most cases, thereby significantly improving the performance and memory overhead of semanage and setsebool -P commands. Save the linked policy in the policy sandbox and use it when we are not making a change that requires recompilation of the CIL modules. With this change, a re-link is not performed when setting booleans or when adding, deleting, or modifying port, node, interface, user, login (seusers) or fcontext mappings.

We save linked versions of the kernel policy, seusers, and users_extra produced from the CIL modules before any local changes are merged. This has an associated storage cost, primarily storing an extra copy of the kernel policy file.

Before: $ time setsebool -P zebra_write_config=1 real 0m8.714s user 0m7.937s sys 0m0.748s After: $ time setsebool -P zebra_write_config=1 real 0m1.070s user 0m0.343s sys 0m0.703s Resolves: https://github.com/SELinuxProject/selinux/issues/50 Reported-by: Carlos Rodrigues Signed-off-by: Stephen Smalley --- libsemanage/src/direct_api.c | 260 +++++++++++++++++++++++++++------------ libsemanage/src/semanage_store.c | 18 +-- libsemanage/src/semanage_store.h | 8 +- 3 files changed, 197 insertions(+), 89 deletions(-) diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c index ee2f9e7..b10c732 100644 --- a/libsemanage/src/direct_api.c +++ b/libsemanage/src/direct_api.c @@ -617,13 +617,33 @@ static int semanage_direct_update_user_extra(semanage_handle_t * sh, cil_db_t *c } if (size > 0) { + /* + * Write the users_extra entries from CIL modules. + * This file is used as our baseline when we do not require + * re-linking. + */ + ofilename = semanage_path(SEMANAGE_TMP, + SEMANAGE_USERS_EXTRA_LINKED); + if (ofilename == NULL) { + retval = -1; + goto cleanup; + } + retval = write_file(sh, ofilename, data, size); + if (retval < 0) + goto cleanup; + + /* + * Write the users_extra file; users_extra.local + * will be merged into this file. + */ ofilename = semanage_path(SEMANAGE_TMP, SEMANAGE_USERS_EXTRA); if (ofilename == NULL) { - return retval; + retval = -1; + goto cleanup; } retval = write_file(sh, ofilename, data, size); if (retval < 0) - return retval; + goto cleanup; pusers_extra->dtable->drop_cache(pusers_extra->dbase); 
@@ -652,11 +672,33 @@ static int semanage_direct_update_seuser(semanage_handle_t * sh, cil_db_t *cildb } if (size > 0) { + /* + * Write the seusers entries from CIL modules. + * This file is used as our baseline when we do not require + * re-linking. + */ + ofilename = semanage_path(SEMANAGE_TMP, + SEMANAGE_SEUSERS_LINKED); + if (ofilename == NULL) { + retval = -1; + goto cleanup; + } + retval = write_file(sh, ofilename, data, size); + if (retval < 0) + goto cleanup; + + /* + * Write the seusers file; seusers.local will be merged into + * this file. + */ ofilename = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS); if (ofilename == NULL) { - return -1; + retval = -1; + goto cleanup; } retval = write_file(sh, ofilename, data, size); + if (retval < 0) + goto cleanup; pseusers->dtable->drop_cache(pseusers->dbase); } else { 
@@ -1095,20 +1137,19 @@ static int semanage_direct_commit(semanage_handle_t * sh) size_t fc_buffer_len = 0; const char *ofilename = NULL; const char *path; - int retval = -1, num_modinfos = 0, i, missing_policy_kern = 0, - missing_seusers = 0, missing_fc = 0, missing = 0; + int retval = -1, num_modinfos = 0, i; sepol_policydb_t *out = NULL; struct cil_db *cildb = NULL; semanage_module_info_t *modinfos = NULL; - /* Declare some variables */ - int modified = 0, fcontexts_modified, ports_modified, - seusers_modified, users_extra_modified, dontaudit_modified, - preserve_tunables_modified, disable_dontaudit, preserve_tunables; + int do_rebuild, do_write_kernel, do_install; + int fcontexts_modified, ports_modified, seusers_modified, + disable_dontaudit, preserve_tunables; dbase_config_t *users = semanage_user_dbase_local(sh); dbase_config_t *users_base = semanage_user_base_dbase_local(sh); dbase_config_t *pusers_base = semanage_user_base_dbase_policy(sh); dbase_config_t *users_extra = semanage_user_extra_dbase_local(sh); + dbase_config_t *pusers_extra = semanage_user_extra_dbase_policy(sh); dbase_config_t *ports = semanage_port_dbase_local(sh); dbase_config_t *pports = semanage_port_dbase_policy(sh); dbase_config_t *bools = semanage_bool_dbase_local(sh); 
@@ -1120,13 +1161,22 @@ static int semanage_direct_commit(semanage_handle_t * sh) dbase_config_t *fcontexts = semanage_fcontext_dbase_local(sh); dbase_config_t *pfcontexts = semanage_fcontext_dbase_policy(sh); dbase_config_t *seusers = semanage_seuser_dbase_local(sh); + dbase_config_t *pseusers = semanage_seuser_dbase_policy(sh); + + /* Modified flags that we need to use more than once. */ + ports_modified = ports->dtable->is_modified(ports->dbase); + seusers_modified = seusers->dtable->is_modified(seusers->dbase); + fcontexts_modified = fcontexts->dtable->is_modified(fcontexts->dbase); + + /* Rebuild if explicitly requested or any module changes occurred. */ + do_rebuild = sh->do_rebuild | sh->modules_modified; /* Create or remove the disable_dontaudit flag file. */ path = semanage_path(SEMANAGE_TMP, SEMANAGE_DISABLE_DONTAUDIT); if (access(path, F_OK) == 0) - dontaudit_modified = !(sepol_get_disable_dontaudit(sh->sepolh) == 1); + do_rebuild |= !(sepol_get_disable_dontaudit(sh->sepolh) == 1); else - dontaudit_modified = (sepol_get_disable_dontaudit(sh->sepolh) == 1); + do_rebuild |= (sepol_get_disable_dontaudit(sh->sepolh) == 1); if (sepol_get_disable_dontaudit(sh->sepolh) == 1) { FILE *touch; touch = fopen(path, "w"); @@ -1149,9 +1199,9 @@ static int semanage_direct_commit(semanage_handle_t * sh) /* Create or remove the preserve_tunables flag file. */ path = semanage_path(SEMANAGE_TMP, SEMANAGE_PRESERVE_TUNABLES); if (access(path, F_OK) == 0) - preserve_tunables_modified = !(sepol_get_preserve_tunables(sh->sepolh) == 1); + do_rebuild |= !(sepol_get_preserve_tunables(sh->sepolh) == 1); else - preserve_tunables_modified = (sepol_get_preserve_tunables(sh->sepolh) == 1); + do_rebuild |= (sepol_get_preserve_tunables(sh->sepolh) == 1); if (sepol_get_preserve_tunables(sh->sepolh) == 1) { FILE *touch; touch = fopen(path, "w"); 
@@ -1179,54 +1229,75 @@ static int semanage_direct_commit(semanage_handle_t * sh) goto cleanup; } - /* Decide if anything was modified */ - fcontexts_modified = fcontexts->dtable->is_modified(fcontexts->dbase); - seusers_modified = seusers->dtable->is_modified(seusers->dbase); - users_extra_modified = - users_extra->dtable->is_modified(users_extra->dbase); - ports_modified = ports->dtable->is_modified(ports->dbase); - - modified = sh->modules_modified; - modified |= seusers_modified; - modified |= users_extra_modified; - modified |= ports_modified; - modified |= users->dtable->is_modified(users_base->dbase); - modified |= bools->dtable->is_modified(bools->dbase); - modified |= ifaces->dtable->is_modified(ifaces->dbase); - modified |= nodes->dtable->is_modified(nodes->dbase); - modified |= dontaudit_modified; - modified |= preserve_tunables_modified; - - /* This is for systems that have already migrated with an older version - * of semanage_migrate_store. The older version did not copy policy.kern so - * the policy binary must be rebuilt here. + /* + * This is for systems that have already migrated with an older version + * of semanage_migrate_store. The older version did not copy + * policy.kern so the policy binary must be rebuilt here. + * This also ensures that any linked files that are required + * in order to skip re-linking are present; otherwise, we force + * a rebuild. 
*/ - if (!sh->do_rebuild && !modified) { + if (!do_rebuild) { path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL); - if (access(path, F_OK) != 0) { - missing_policy_kern = 1; + do_rebuild = 1; + goto rebuild; } path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC); - if (access(path, F_OK) != 0) { - missing_fc = 1; + do_rebuild = 1; + goto rebuild; } path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS); + if (access(path, F_OK) != 0) { + do_rebuild = 1; + goto rebuild; + } + path = semanage_path(SEMANAGE_TMP, SEMANAGE_LINKED); if (access(path, F_OK) != 0) { - missing_seusers = 1; + do_rebuild = 1; + goto rebuild; + } + + path = semanage_path(SEMANAGE_TMP, SEMANAGE_SEUSERS_LINKED); + if (access(path, F_OK) != 0) { + do_rebuild = 1; + goto rebuild; } - } - missing |= missing_policy_kern; - missing |= missing_fc; - missing |= missing_seusers; + path = semanage_path(SEMANAGE_TMP, SEMANAGE_USERS_EXTRA_LINKED); + if (access(path, F_OK) != 0) { + do_rebuild = 1; + goto rebuild; + } + } - /* If there were policy changes, or explicitly requested, rebuild the policy */ - if (sh->do_rebuild || modified || missing) { +rebuild: + /* + * Now that we know whether or not a rebuild is required, + * we can determine what else needs to be done. + * We need to write the kernel policy if we are rebuilding + * or if any other policy component that lives in the kernel + * policy has been modified. + * We need to install the policy files if any of the managed files + * that live under /etc/selinux (kernel policy, seusers, file contexts) + * will be modified. 
+ */ + do_write_kernel = do_rebuild | ports_modified | + bools->dtable->is_modified(bools->dbase) | + ifaces->dtable->is_modified(ifaces->dbase) | + nodes->dtable->is_modified(nodes->dbase) | + users->dtable->is_modified(users_base->dbase); + do_install = do_write_kernel | seusers_modified | fcontexts_modified; + + /* + * If there were policy changes, or explicitly requested, or + * any required files are missing, rebuild the policy. + */ + if (do_rebuild) { /* =================== Module expansion =============== */ retval = semanage_get_active_modules(sh, &modinfos, &num_modinfos); 
@@ -1316,37 +1387,69 @@ static int semanage_direct_commit(semanage_handle_t * sh) cil_db_destroy(&cildb); - /* Attach to policy databases that work with a policydb. */ - dbase_policydb_attach((dbase_policydb_t *) pusers_base->dbase, out); - dbase_policydb_attach((dbase_policydb_t *) pports->dbase, out); - dbase_policydb_attach((dbase_policydb_t *) pifaces->dbase, out); - dbase_policydb_attach((dbase_policydb_t *) pbools->dbase, out); - dbase_policydb_attach((dbase_policydb_t *) pnodes->dbase, out); - - /* ============= Apply changes, and verify =============== */ - - retval = semanage_base_merge_components(sh); + /* Write the linked policy before merging local changes. */ + retval = semanage_write_policydb(sh, out, + SEMANAGE_LINKED); if (retval < 0) goto cleanup; - - retval = semanage_write_policydb(sh, out); + } else { + /* Load the existing linked policy, w/o local changes */ + retval = sepol_policydb_create(&out); if (retval < 0) goto cleanup; - retval = semanage_verify_kernel(sh); - if (retval < 0) - goto cleanup; - } else { - /* Load already linked policy */ - retval = sepol_policydb_create(&out); + retval = semanage_read_policydb(sh, out, SEMANAGE_LINKED); if (retval < 0) goto cleanup; - retval = semanage_read_policydb(sh, out); + path = semanage_path(SEMANAGE_TMP, SEMANAGE_SEUSERS_LINKED); + if (access(path, F_OK) == 0) { + retval = semanage_copy_file(path, + semanage_path(SEMANAGE_TMP, + SEMANAGE_STORE_SEUSERS), + sh->conf->file_mode); + if (retval < 0) + goto cleanup; + pseusers->dtable->drop_cache(pseusers->dbase); + } else { + pseusers->dtable->clear(sh, pseusers->dbase); + } + + path = semanage_path(SEMANAGE_TMP, SEMANAGE_USERS_EXTRA_LINKED); + if (access(path, F_OK) == 0) { + retval = semanage_copy_file(path, + semanage_path(SEMANAGE_TMP, + SEMANAGE_USERS_EXTRA), + sh->conf->file_mode); + if (retval < 0) + goto cleanup; + pusers_extra->dtable->drop_cache(pusers_extra->dbase); + } else { + pusers_extra->dtable->clear(sh, pusers_extra->dbase); + } + } + 
+ /* Attach our databases to the policydb we just created or loaded. */ + dbase_policydb_attach((dbase_policydb_t *) pusers_base->dbase, out); + dbase_policydb_attach((dbase_policydb_t *) pports->dbase, out); + dbase_policydb_attach((dbase_policydb_t *) pifaces->dbase, out); + dbase_policydb_attach((dbase_policydb_t *) pbools->dbase, out); + dbase_policydb_attach((dbase_policydb_t *) pnodes->dbase, out); + + /* Merge local changes */ + retval = semanage_base_merge_components(sh); + if (retval < 0) + goto cleanup; + + if (do_write_kernel) { + /* Write new kernel policy. */ + retval = semanage_write_policydb(sh, out, + SEMANAGE_STORE_KERNEL); if (retval < 0) goto cleanup; - retval = semanage_base_merge_components(sh); + /* Run the kernel policy verifier, if any. */ + retval = semanage_verify_kernel(sh); if (retval < 0) goto cleanup; } @@ -1357,21 +1460,21 @@ static int semanage_direct_commit(semanage_handle_t * sh) * Note: those are still cached, even though they've been * merged into the main file_contexts. We won't check the * large file_contexts - checked at compile time */ - if (sh->do_rebuild || modified || fcontexts_modified) { + if (do_rebuild || fcontexts_modified) { retval = semanage_fcontext_validate_local(sh, out); if (retval < 0) goto cleanup; } /* Validate local seusers against policy */ - if (sh->do_rebuild || modified || seusers_modified) { + if (do_rebuild || seusers_modified) { retval = semanage_seuser_validate_local(sh, out); if (retval < 0) goto cleanup; } /* Validate local ports for overlap */ - if (sh->do_rebuild || modified || ports_modified) { + if (do_rebuild || ports_modified) { retval = semanage_port_validate_local(sh); if (retval < 0) goto cleanup; @@ -1440,9 +1543,8 @@ static int semanage_direct_commit(semanage_handle_t * sh) sepol_policydb_free(out); out = NULL; - if (sh->do_rebuild || modified || fcontexts_modified) { + if (do_install) retval = semanage_install_sandbox(sh); - } cleanup: for (i = 0; i < num_modinfos; i++) { 
@@ -1454,14 +1556,12 @@ cleanup: free(mod_filenames[i]); } - if (modified) { - /* Detach from policydb, so it can be freed */ - dbase_policydb_detach((dbase_policydb_t *) pusers_base->dbase); - dbase_policydb_detach((dbase_policydb_t *) pports->dbase); - dbase_policydb_detach((dbase_policydb_t *) pifaces->dbase); - dbase_policydb_detach((dbase_policydb_t *) pnodes->dbase); - dbase_policydb_detach((dbase_policydb_t *) pbools->dbase); - } + /* Detach from policydb, so it can be freed */ + dbase_policydb_detach((dbase_policydb_t *) pusers_base->dbase); + dbase_policydb_detach((dbase_policydb_t *) pports->dbase); + dbase_policydb_detach((dbase_policydb_t *) pifaces->dbase); + dbase_policydb_detach((dbase_policydb_t *) pnodes->dbase); + dbase_policydb_detach((dbase_policydb_t *) pbools->dbase); free(mod_filenames); sepol_policydb_free(out); @@ -1977,7 +2077,7 @@ int semanage_direct_mls_enabled(semanage_handle_t * sh) if (retval < 0) goto cleanup; - retval = semanage_read_policydb(sh, p); + retval = semanage_read_policydb(sh, p, SEMANAGE_STORE_KERNEL); if (retval < 0) goto cleanup; diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c index bf1a448..6b75002 100644 --- a/libsemanage/src/semanage_store.c +++ b/libsemanage/src/semanage_store.c @@ -95,7 +95,7 @@ static const char *semanage_store_paths[SEMANAGE_NUM_STORES] = { static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = { "", "/modules", - "/base.linked", + "/policy.linked", "/homedir_template", "/file_contexts.template", "/commit_num", @@ -104,8 +104,10 @@ static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = { "/nodes.local", "/booleans.local", "/seusers.local", + "/seusers.linked", "/users.local", "/users_extra.local", + "/users_extra.linked", "/users_extra", "/disable_dontaudit", "/preserve_tunables", 
@@ -2042,9 +2044,10 @@ int semanage_load_files(semanage_handle_t * sh, cil_db_t *cildb, char **filename */ /** - * Read the policy from the sandbox (kernel) + * Read the policy from the sandbox (linked or kernel) */ -int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in) +int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in, + enum semanage_sandbox_defs file) { int retval = STATUS_ERR; @@ -2053,7 +2056,7 @@ int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in) FILE *infile = NULL; if ((kernel_filename = - semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL)) == NULL) { + semanage_path(SEMANAGE_ACTIVE, file)) == NULL) { goto cleanup; } if ((infile = fopen(kernel_filename, "r")) == NULL) { @@ -2083,9 +2086,10 @@ int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in) return retval; } /** - * Writes the final policy to the sandbox (kernel) + * Writes the policy to the sandbox (linked or kernel) */ -int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out) +int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out, + enum semanage_sandbox_defs file) { int retval = STATUS_ERR; @@ -2094,7 +2098,7 @@ int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out) FILE *outfile = NULL; if ((kernel_filename = - semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL)) == NULL) { + semanage_path(SEMANAGE_TMP, file)) == NULL) { goto cleanup; } if ((outfile = fopen(kernel_filename, "wb")) == NULL) { diff --git a/libsemanage/src/semanage_store.h b/libsemanage/src/semanage_store.h index c5b33c8..0b96fbe 100644 --- a/libsemanage/src/semanage_store.h +++ b/libsemanage/src/semanage_store.h 
@@ -49,8 +49,10 @@ enum semanage_sandbox_defs { SEMANAGE_NODES_LOCAL, SEMANAGE_BOOLEANS_LOCAL, SEMANAGE_SEUSERS_LOCAL, + SEMANAGE_SEUSERS_LINKED, SEMANAGE_USERS_BASE_LOCAL, SEMANAGE_USERS_EXTRA_LOCAL, + SEMANAGE_USERS_EXTRA_LINKED, SEMANAGE_USERS_EXTRA, SEMANAGE_DISABLE_DONTAUDIT, SEMANAGE_PRESERVE_TUNABLES, @@ -129,10 +131,12 @@ int semanage_load_files(semanage_handle_t * sh, cil_db_t *cildb, char **filenames, int num_modules); int semanage_read_policydb(semanage_handle_t * sh, - sepol_policydb_t * policydb); + sepol_policydb_t * policydb, + enum semanage_sandbox_defs file); int semanage_write_policydb(semanage_handle_t * sh, - sepol_policydb_t * policydb); + sepol_policydb_t * policydb, + enum semanage_sandbox_defs file); int semanage_install_sandbox(semanage_handle_t * sh);
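
Review bot: In semanage_direct_update_seuser (hunk at -652), and likewise in semanage_direct_update_user_extra (hunk at -617), the new seusers.linked and users_extra.linked baselines are written only inside `if (size > 0)`, but semanage_direct_commit sets `do_rebuild = 1` whenever either file is absent from the sandbox. Unless the `else` branch that is cut off in the context removes or creates these files in a way that satisfies the check, a policy whose CIL modules produce no seusers or users_extra entries would force a full re-link on every commit and never benefit from the optimization. It would also make the `pseusers->dtable->clear(...)` and `pusers_extra->dtable->clear(...)` fallbacks in the load path unreachable. Consider writing an empty linked file when size is 0, or dropping those two files from the forced-rebuild check and relying on the clear() fallback.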
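
Review bot: In the semanage_direct_commit hunk at -1179, `do_install = do_write_kernel | seusers_modified | fcontexts_modified` no longer accounts for users_extra, which the removed code folded into `modified` via `users_extra_modified` and which therefore used to reach semanage_install_sandbox. A transaction whose only change is to users_extra now sets neither do_write_kernel nor do_install; please confirm that case cannot occur on its own, or add `users_extra->dtable->is_modified(users_extra->dbase)` to do_install. Separately, each new `path = semanage_path(...)` in this block is passed straight to `access(path, F_OK)` without the NULL check that the update_user_extra and update_seuser hunks apply to the same call, and F_OK only proves the baseline exists, not that it is readable or intact.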
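
Review bot: In the hunk at -1316, a failure of `semanage_read_policydb(sh, out, SEMANAGE_LINKED)` jumps to cleanup, so a truncated or otherwise unreadable policy.linked makes every non-rebuild commit fail instead of recovering. Since policy.linked is now the baseline from which the kernel policy is regenerated, it would be more robust to treat a read failure like a missing file: free `out`, set `do_rebuild = 1` and take the rebuild path, in the same way the earlier access() checks do. A short comment stating that this file must never contain local changes would also help future maintainers keep the invariant that motivated the earlier revert.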
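
Review bot: In the cleanup hunk at -1454, the dbase_policydb_detach() calls are now unconditional, but several `goto cleanup` paths visible in this patch run before the dbase_policydb_attach() block (for example a failed `semanage_write_policydb(sh, out, SEMANAGE_LINKED)` or a failed sepol_policydb_create). Please confirm that detach is a safe no-op on a dbase that was never attached in this call, and say so in the comment, since the old `if (modified)` guard is gone.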
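
Review bot: In semanage_read_policydb (semanage_store.c hunk at -2042), the file is opened via `semanage_path(SEMANAGE_ACTIVE, file)`, while the existence checks added in semanage_direct_commit and semanage_write_policydb both use SEMANAGE_TMP. The check and the read therefore look at different stores; if that is intentional it deserves a comment, otherwise the read should use the sandbox path that was just checked. The new `file` parameter also accepts any enum semanage_sandbox_defs value although the doc comment says "linked or kernel"; consider rejecting other values, and renaming the `kernel_filename` local in both functions now that it may hold the linked policy path.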
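
Review bot: In the semanage_sandbox_paths hunk at -104, the new "/seusers.linked" and "/users_extra.linked" entries are correct only because they sit at the same positions as SEMANAGE_SEUSERS_LINKED and SEMANAGE_USERS_EXTRA_LINKED in the semanage_store.h enum, and nothing enforces that pairing. A mismatch here would silently make the commit path read or overwrite the wrong sandbox file, so designated initializers (`[SEMANAGE_SEUSERS_LINKED] = "/seusers.linked"`) or a compile-time size check against SEMANAGE_STORE_NUM_PATHS would be a worthwhile follow-up.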