From patchwork Thu Apr 20 15:31:30 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stephen Smalley X-Patchwork-Id: 9690813 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 0625C60383 for ; Thu, 20 Apr 2017 15:28:12 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id F0167200E7 for ; Thu, 20 Apr 2017 15:28:11 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id E3E0528433; Thu, 20 Apr 2017 15:28:11 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 Received: from emsm-gh1-uea10.nsa.gov (emsm-gh1-uea10.nsa.gov [8.44.101.8]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 274F9200E7 for ; Thu, 20 Apr 2017 15:28:10 +0000 (UTC) X-IronPort-AV: E=Sophos;i="5.37,225,1488844800"; d="scan'208";a="6160416" IronPort-PHdr: =?us-ascii?q?9a23=3A/kZiWxXMNZa5Vf0gYI+65yqmM/TV8LGtZVwlr6E/?= =?us-ascii?q?grcLSJyIuqrYYhaDvadThVPEFb/W9+hDw7KP9fuxBypbu93R4TgrS99lb1c9k8?= =?us-ascii?q?IYnggtUoauKHbQC7rUVRE8B9lIT1R//nu2YgB/Ecf6YEDO8DXptWZBUhrwOhBo?= =?us-ascii?q?KevrB4Xck9q41/yo+53Ufg5EmCexbal8IRiyrAjdrMcbjZVtJqsyzhbCv2dFdf?= =?us-ascii?q?lRyW50P1yYggzy5t23/J5t8iRQv+wu+stdWqjkfKo2UKJVAi0+P286+MPkux/D?= =?us-ascii?q?TRCS5nQHSWUZjgBIAwne4x7kWJr6rzb3ufB82CmeOs32UKw0VDG/5KplVBPklC?= =?us-ascii?q?EKPCM3/2HNjsx7kbxVrhSvqRdix4LYeZ+ZOOZ7cq7bYNgUR3dOXtxJWiJBHI2y?= =?us-ascii?q?coUBAekGM+ZArYTxulUDogWlBQS3GO/j1iVFimPs0KEmz+gsFxzN0gw6H9IJtX?= =?us-ascii?q?TZtMj7NLsMXuCtzKnH0zPDZO5L1zf48ofIdhQhru+MXLltdsfR0lQgFxjeg1WM?= =?us-ascii?q?qY3qIzOV1uMXv2id9OpvT/iji2EgqwFvuzWiwNonhIrRho8N11zJ+ip0zJw1KN?= =?us-ascii?q?GlUkJ3f9GpHIVKuy2HMYZ9X9ksTHtyuCkgz70LoZu7fC8Xx5s53xPfcPmHc5SQ?= =?us-ascii?q?4hLkSeaRPS90hHJ7d7K7gBa/6VSgxffmVsm1zVZKtTBJksXMt38R1xzT7dKLSv?= =?us-ascii?q?1h8Ue6xTmDzQXT6uBAIUwslKrbLYAuwqIom5YOvknOETX6lUXrgKOMaEkp9fak?= =?us-ascii?q?5/76brn+o5+TLY50igXwMqQ0ncy/BPw1MhMQUGif+OS80qDj/ELgTLpRif02j6?= =?us-ascii?q?/Zv4zEKsQAvaO5Hw9U3Zoj6xa4FTum1s8YkmMdIFJKfxKHkZDlO0vSL/DgEfe/?= =?us-ascii?q?n1OsnS9px/DBOL3uGInNLnjZn7fnZrt96UlcyAw2zd9F/JJUFq8OIOjoWkPrs9?= =?us-ascii?q?zYFBA5ORSuw+n7ENV9yp8eWWWXD6+bMqPdq0OH5uE0I+mLYo8VuSj9JuMr5/7q?= =?us-ascii?q?kH84lkQSfbSv3ZsLdXC0BPNmI1+WYXD0mNcODX8KvhYiTOztkFCCSSBcaG2sUK?= =?us-ascii?q?I65zE7FIWmAJzCRo+znrOOwj23HppMZmBJElqMC2vnd52YW/cQbyKfOtJukjsC?= =?us-ascii?q?VbinVoAuyxWutA7hxrV9MOXU4CoYuYjk1Nhv6O3ZjQsy+iBsD8SBz2GNSHl5kX?= =?us-ascii?q?4URzAsxqByulByylCG0adkmfNYDsBT6+lPUggkKZ7W1/Z6BMzqWgLdYteJT06r?= =?us-ascii?q?QtSgATEtUN0xx8EBY0NjFNW+lBDC3zGnA7gNl7OVApw097jT33n1J8lmzHbH27?= =?us-ascii?q?Mtj148QstALWemnLJw9xDPB47VlEWUj6ardKUb3C7L72qDyG6OsFhZUA52S6nF?= =?us-ascii?q?W2oQZlHVrdT4+EPNUaWiCbI5PQtd0cSCMLdFasX1jVVaQ/fuIM/RbHm2l2e0BB?= =?us-ascii?q?aI3a+MbJHwd2UGwirSFFIIkxsN8naCNAg+ADqhom3FATNyFVPveV7s8fJkpHK1?= =?us-ascii?q?VEA00xqKb0pn17av/R4Vn/OcQesJ3r0YoCchtyl0HFGl0t3IE9qPvRBhfKRHYd?= =?us-ascii?q?4m+FdIz3jZtw1mPpy4K6BtnEIRfBpts0PpzRV3BZ1KkdI2o3My0ApyNaWY3UtP?= =?us-ascii?q?djOZ2ZDwP6PYKnPp8RChdaHZx1be0MyM9acX8vQ4rFfjsx+1GUo+6Xln1MNV03?= =?us-ascii?q?SE7JXQEAUSSY7xUlow9xViqbHaeDMy54XI2n1tKqm5qTrC28ooBOc80Rahccxf?= =?us-ascii?q?PLmDFA/oHM0QH9KuJ/Aym1i1chIEO/hf9K0uMMOlcPuGxbWmPOV6kzKlimRH/Z?= =?us-ascii?q?px0kWW9ypzUuTIxYoKw+mE3gubUDfxlE2uvd3tmYBFez4SBHGyxjL4C45UfKFy?= =?us-ascii?q?epwLCWi2Kc2t2tp+n4LtW2Jf9FO7G1wJwsupdgSJb1zh3QxQ0l8aoWe7liu50T?= =?us-ascii?q?N0lS0prquF0yDUxeTtagYHMHZRRGZ+lVfsPZS0j9cCUUizYQgpjhyl5V3mx6VA?= =?us-ascii?q?v6R/KW7TQElNfyfsKWFuSK2wuaSeY8RX8pMnrT1XUPigYVCdUrP8rQEV0yf/H2?= =?us-ascii?q?RA3jA7bCqnuovnkBxgk22dMXNzoGDeecFqyhfV/MbcSuJJ3joaWCl4jiHaBkSh?= =?us-ascii?q?MNa0/NWbjZPDv/uiWGKmU51cbTPkzZictCeh421lHwG/leipmtL7CQg6zTP719?= =?us-ascii?q?5yWCXWrRbzfpXr16OgMe59YkZoBFj868x1GoxlloswhZcQ1mIAhpWS53YHln3z?= =?us-ascii?q?MdpD06LkcHUNXSILw8LS4AX93E1jL2mJx57gWnWG3MRhY9i6YmUL2iMy9M1KE7?= =?us-ascii?q?+U7L1CnSt0vlW4thjdYf5jkTcB0fEu8mIVg/kVuAoxySWQGqoSHU5cPSzoiRuI?= =?us-ascii?q?9cyxrKJZZWu0ariwyVZxncu7ALGFuAFcV27zeo0+Ei9o8sV/LFXM3WXr6o7+Zd?= =?us-ascii?q?nQacgfuQeOnxjbiOhVLI4xlv0MhSd8PGLxoXsly+knghB025G1opSHIX13/K2l?= =?us-ascii?q?Gh5YKiH1Z8QL9zHuk6lemN2W0pusHpp/HDULR53oQuy0ED4IsvTnLQmOGiUmqn?= =?us-ascii?q?iHAbrfAROf6EB+onLXCZ+rKnWXK2cBzdp4QhmdOFJQgBoPUTUnhZ42CBqqxNf7?= =?us-ascii?q?fEdi4TAR+0T4pQdSxeJmMBn/SGjfqxmyZjcyVpefMAJc7hte6EfNLcye8uVzEj?= =?us-ascii?q?lG/p2nsQOAMXKbZwJVAmEJQECEAU7sPqW279na7+eYHva+L+fJYbiWsexRTeqI?= =?us-ascii?q?xZa034R6/jaMKsWOMmBsD/Ih3EpPR3d5G97Wmz8XUSwYizrNb9KHpBe74iB3rc?= =?us-ascii?q?C+8PD1Vw/04IuPDLVSMdtx9BCqnaeDN+mQhCNnJjpC0JMD22PIwqAF3FEOkyFu?= =?us-ascii?q?ayWtEbMYuC7DVq3QnLNXDxkeay5oOstH8b8z3g5XOcHBktP1zLl4jvwrBFhZSV?= =?us-ascii?q?ztgMapZdYFI2ulLlPIGF6LNKiaJT3M28z4fKW8RqdLgepJsR2/oyyXE0j5PjSM?= =?us-ascii?q?jzPpTQygMflQjCGHOxxToJu9fgxjCGT5SdLpcBm7MNh3jDAt27I7mnbKOXQbMT?= =?us-ascii?q?hmfENHtqeQ4j9AgvVjB2xB6WJoLeeemymH8ubYMYwZsf13AiRzjOJX+241xKdQ?= =?us-ascii?q?7C1eQ/x1giTSpMZ0o166iumP1iZnUB1WpzZNnoKEp11iOb3C+5lOWHbE5gkN7X?= =?us-ascii?q?meCxQLodtqENvvtLxRytfVkKL/MjBC88jb/cEEHcjbNNqHMGY9MRruADPbERAF?= =?us-ascii?q?QiCxOmHQnUxSiu+S+2aOrpcgqZjshYAORaVBWFwxC/MaDF5qHMYbLJdrWTMkkr?= =?us-ascii?q?6ajMkS6Xq4shbRWN1QvorbWfKKHfXvNDGZgKFCZxsJxbP4KZocNpbg1kN4dFZ6?= =?us-ascii?q?hoPKF1DXXdBXrS1rdhU0r1lV8HhiUm0z3FroZRis4H8cEv60mAU7hRZgbus29T?= =?us-ascii?q?fj+VE3KkDNpCsqn0k7gc/ljiyJcD7tMKewWplbBDD7t0crLJP0XR14bQqqnUN6?= =?us-ascii?q?MjfEQqhej7pkdW9wjw/dtoFDGflGTa1LeBUQ3+2YZ+000VRArSWq3VNH5ezACZ?= =?us-ascii?q?d4jgsqdp+toGxG2w14dt41IrLfJKlSw1dMgaKOuzOn2foqwA8CPUoN9n2deDIQ?= =?us-ascii?q?skwSKrYmPzao/vBr6QGanTtMZnIDV/4xr/Jp8UM9IPiAwDjm075YKUCxNvaTL6?= =?us-ascii?q?WHtGjcjcSIWE8/1lsUl0lZ+rh7yd0jfFSPV08x1rSRDQgGNcrZJA5ObspS7mXc?= =?us-ascii?q?fSGAseXV25J6IYW8GvruTeCQqKYemlikExoxH4QQ8sQBGYGh31zCIsf5Lb4K1A?= =?us-ascii?q?4t6R/xK1WfFvRJfxyKkCwZrM6j0Z93x4hdJi0dAGlnNyW4+KrXrBcwgPWfRNc2?= =?us-ascii?q?fmsaXowcO3IyX826gTBWv3JBDTmwye8Zxw6C7yLmqiTXFjn8YMJpZO2IahN0FN?= =?us-ascii?q?G25TI//rCtiVHJ9pXeJmf6Ncltu9LU9ewaoJOHBO9OQrlmr0fQgY9YSGK2U2TX?= =?us-ascii?q?C966O4Dwa5UwbdzzEnu1T0CwizcyT8f3INahM7OFgR/2SoZOsYma3TcjNcmnGj?= =?us-ascii?q?EYBRhwu/kJ5Lhgag0bf5o7fRnouhw9N6ylIAaXyNOuQ3qtKTZNQPlfyv26aKBN?= =?us-ascii?q?wyoqcOC61GMqTosmwOmv7U4NWJYKgwnCxfaiYoleVjTzGnxdegjUuCU5lmhgOf?= =?us-ascii?q?wpzeslxhPHr0UcOSiRdON1cGxEo808BVSKLHV5EGo3XVmcjZbY7w6t2LAT8S1d?= =?us-ascii?q?n8pU0eJbsXj+uIPfbyy2WKCxr5XarTYgZ8A8o6JtKYzjPteGtJTGkzPFSJnQsx?= =?us-ascii?q?GKXzCiGPpfmtlQJiVYQP9Slmw+IsMGuJBO6UwoWscwOrxDEq8sqa62aTB8Fy4d?= =?us-ascii?q?0TcZV5+c3DwFmuqzwKXVlhGLfZs4LRMErotNgsEGUyFseCMfpLWvV4LMl2+LUm?= =?us-ascii?q?ILOhsc7RxQ5AIckY99Zvrl4IzJTJBQyz5WpPZ0UjDTGJdx6lX1UH2bj1/jRfq9?= =?us-ascii?q?lOyp2B5dw+j30tkHQhJ/D1ZSx/pOnEsyNL53M7UQvpLNsjKQaUz6vnjix/e9KV?= =?us-ascii?q?ZNzs3Uc1n4DIvbumrmTi0T52EbRY9VxHHYD5QSnBJzaLw3q1VUPICmZkH+6iQ+?= =?us-ascii?q?x4tzBbm4Utukyk05rXYcXSiqDcROC+VnsFLRVz1lZ5GrqJrlO5VOTG9f4oedq1?= =?us-ascii?q?JDnEVrLSG51YJWK9tR7T4UQDhPvTKdscO8ScFZxcB2D54MItJ+u3jnG6NJI5mR?= =?us-ascii?q?rGMotbPx0HPZ/Co8sFiizjWpB6C4V/5Z/3EZGggxP2SerU0vAPE28mbc9VDNtl?= =?us-ascii?q?508vxeBriIikVxuyhyEYxUBjZOznClNFVzTH9Js+lAL6TVacNcSeEoZRCzIxw+?= =?us-ascii?q?CeIm30uR8E5uh3f5fipyuhFZ+y3GXgk0VCgVgqv2ljEErMGoJyMaQYpSbTo9dy?= =?us-ascii?q?fFNx6bmSdPsRZDbEFqXosUAspZ97EexoRY5MzCRliwKSsdRhxtKho40eZDlU5E?= =?us-ascii?q?qEiYeTrSDRCyevbLrxJ6Ztqeo9CxLPTh4ghHjp3osPoi+6UEXX2mlhWnQcrCoI?= =?us-ascii?q?/kqt2KqkyOeb/6M+27f3DMVyXDgg6rhbg6FZnK4zbcPxdBJ5l813UkfYDrCXTX?= =?us-ascii?q?MhReO6IbO01bWLhhZtVIvu9We81pdLsH9KJ2Gh2HQRbvF5C1o/ldMlbfXzLeID?= =?us-ascii?q?ud8uanu4Lc8aTdSfT8ZsyL33vHWbx4MYp66TbhB7fnyote+k3o2vhz6E91VV/G?= =?us-ascii?q?PD2fo9j7IAME+tWifFP4vpI1BTPWHItwkH31y0FYbMoXXzel/4kEyJ5C83bwTv?= =?us-ascii?q?940lLvv+JM8blk9ZM37KptycuuIqfSM/tau1d9AheIHgVq6oktAG9nSmBNeO8e?= =?us-ascii?q?NunecrkCgMDzr+D3C7YX5weL++xYbtvHI1/OmtWlBjGbUxxEkx8LqSQGIQuEy/?= =?us-ascii?q?6Fh6h0RN6gpefj3kIt50axLgIazL93/4iJ4ayIq/HLbxvK0bcLQLDqSd3porQq?= =?us-ascii?q?pUyS+eUulKQSdWxtfw2nDO8dW9Yfxmj616AqyjksE8fZELL+4/NDUm85njb8m5?= =?us-ascii?q?B8A1oWG+kbHbyQ/YhEmWc4gePZPMUMcq9egmaPCQKkErgaxH6p8SSXJmdlggvJ?= =?us-ascii?q?0x7tX2y+90P2ojV+QSvXyNfviExVWaerBU1KRSqmJVd4sC+TPArvrNf3trk17E?= =?us-ascii?q?AyMmzgqt2NkXCsN65JEMLkJdyTOy80qEgQjJ0rSdylwZobFsalINcN7HF+aePT?= =?us-ascii?q?62WvkyJaoqdHgY/e7tuU+vXRE3mglbeVq66RxDBC13g3oU0/6s26Nv7Q/dGKRO?= =?us-ascii?q?6o12kJRSdlpwTBRwK1qqDcr10MPEyL10HLmJAFPt5HxnQ400Dm6/IlQN0t6AVf?= =?us-ascii?q?GIHAZ+kBpTDoIjf0x0iQY84vXCmEzzRXBk71EUV/GKUkwmL/od/GmGzf+10tSY?= =?us-ascii?q?h8bUrnigJrD48gM0Ii9EAXwjYfEQgKcR2bCKqoBUHlIIYfW0gMdwmI3L+geqgt?= =?us-ascii?q?xU1z2LSv5O3NYuNgG6oBLPFdjhSBnFJDAJIZrbUeQK5ge19a7KPXvRLtC5b9UP?= =?us-ascii?q?jpi3UwLua4QttA/sAHrXQi7RiwRwG65ZdF8bkblIiCdrRYbpjUoMB880Bn6CYN?= =?us-ascii?q?dixMhRhylBa5Xv4cpe/9+NjbsZyo6um0WKYrWeoX6wA+B35igJvonFAjvdbX2v?= =?us-ascii?q?9dSozUk4vw6hxCLmWRuInEzxlzN/YBJ5isfLZ6+HUNPzIeKG4WPdqKd/k85Ddg?= =?us-ascii?q?Py7S51xZDMIDf9EYPMvRmQBMkELpRbVT+9HHFV+fFoh8adon73ftyDAy65szSP?= =?us-ascii?q?zs6DisJZDQ91tNJe9MjD1wlNLeo+gY2eLSBzIL4XaFaxh0zCSCy4OOC/rp5uWD?= =?us-ascii?q?1tXUV1IAHi4rXIZQPyKC9ha7RuWplJXoXASU6tXwgJ4kd0KfWGaxnKIbvaZIC+?= =?us-ascii?q?JAjT/73jdGHIDvm/2Vq8as6HdQtlBfDIZz9wPKGKFFMZV9Jxv1jdSkRklzBiv+?= =?us-ascii?q?ZMHbbAEut/CMxucR+el+MVXxZZMDKBIe17368WZVThdpSLPusVaWR/gRa8V6SP?= =?us-ascii?q?PEtX1V7YNgK7MRM1idvpPqsyxIpEowAAA3dL86tiZaeVXWnA1JR6b0v6YNigQC?= =?us-ascii?q?Xt5/pU9MHmWwNGUl5zXZUaRVja+RCOEa8ziISqwBTV9oMyNkTB+v3pVhZaepl+?= =?us-ascii?q?hdsmxahiN9vOQq0zt+SRu6uC3ju6UN2TY697GjrjkBuHtFTuKFkyfTElhDyfsH?= =?us-ascii?q?jKgGB3bl81y8b2EJbJHu77l/OcTg6Y4h7mwwYRo/ZC0GRv2sBTz/ga2OA4yPts?= =?us-ascii?q?9chRGWtcXBaL+8Ny4SOaonxRLkXXh93RDUnAx0/2sTXjWg8NgkKZ2/OcYixiqo?= =?us-ascii?q?H3LXe0oM4qNNrcv+qF8KTOowaVN6w2Vj09OKRjMMRMzRAWk1ihUraWRefJJF9x?= =?us-ascii?q?AaC7EigiyUsale4gEUfDDUH5yk+onOh8jI32IwTdN3xm3Lp62FgYgq3Gdim9Nu?= =?us-ascii?q?4S6EoG4SePDAU89wHnjz0Z9Sye7gaPWjvOAHTJBrybq7X/8ELMaj5XG62JN0VU?= =?us-ascii?q?+53r4eBUa2MPcfxrfHVCeoUWKYWeCMc2mCgTk5Nkry6AKzLl0wbsdKrlMyPvHE?= =?us-ascii?q?hpFCiw3rSal0STmIpV/H0GwjNvsXdwA2uIanYwwKS+oRZ+mAJecw2/A+DVoMb2?= =?us-ascii?q?PTHSRoEeO2tkStnIdjMXV6/Ur6efjt8hzhMNaKFRkEDI/aoYN2+fGhWmKBI2Fv?= =?us-ascii?q?zBtuPEZu8+fQDVIxufNdc5mLh9TQgcp00fIdffd3LSI9osITmp5k6YSMzMeKcB?= =?us-ascii?q?TRw43uJdHUvveYAOPQz0AwdmFcTLUZfRv/558mMd4hR73TAbxZsAwZBag7Q5wh?= =?us-ascii?q?NGDx+bp2LAxpcQ7RY7K0jdfspu6RYJtbuWPW5EoqLCjAox0D1uC0TQtjYp+xmX?= =?us-ascii?q?ryJowwSylar91pDRtmAJdPG90eoAW6GZKUn7u7i9Cp8UNgp+AKqbbwCuzN1Nmh?= =?us-ascii?q?0YV+QZxa5U2TPDnPH6Rqg0VljuG3gvjeyJnxDd3tdckDVOhhTW7PcqXGEZmnKj?= =?us-ascii?q?KSJsL8fFZL8rCE0LJjUxWeeD72UrGDtC2lKPVk+1s0xpZ/fOrJwzwn96vb18fq?= =?us-ascii?q?Z2FHuiejqmaENJxb7FPUHuHeRxZURuCe8GZ5HK0YcZf09P0QPtM82tSc5Rd87C?= =?us-ascii?q?ha2sufP6ehtlPM2l58dZ/DKEvp2iA5WZQFIRimNUssgHTZqmjGAXlHL8irM89t?= =?us-ascii?q?gNGPAhzq/UlxlnknZnRdFWrwWdeRJW8b1tqlZAKU8AJLDtADn/O4eEI/uaOyVe?= =?us-ascii?q?loNYtfmeq0rLUIi81kKyLRS8hAOSHfMrt2MSFMDuXAvlQoZQQEs7ctUIcveZeO?= =?us-ascii?q?OF8HMFuHyS7qyAvNy1H7d9yt1KaPJyYb6WtHz7PD0TdSowm5uPCZgtDsUbzDa5?= =?us-ascii?q?H2RvHSOjI/Vj6GXTQyDVqp+VC8tvoGpvWYImAfrUsPbyKPDg4TuqBvrd/NDm/c?= =?us-ascii?q?me1jYIcGhPaEVCDsUCd4jrY9Bj5XtUCQRPoODQbWYGX6j2pGuQytOPtM8Gn7b7?= =?us-ascii?q?2c3KVVQO0WApZWfv2fXdTYZehUJy00mTUBJOa8Y9rcoq470lLNSmsZCbPI9FyF?= =?us-ascii?q?TEONRPyT3TfrUpsUv4QuvSoo4N3QlDdtE6vUJ7afuyKu8omggSaDt+3eU3Uibk?= =?us-ascii?q?02je8ZHmmO3gNAKGAFCtESvkHhWKiAaFhQ1Hgxk+JhxwcMeBhvUn1pynBWnvG9?= =?us-ascii?q?GstdSVMPiWOhXuAJbF5wDDMq4UCF/Bf+YdoetsDPFCdi8e4UQJcZBOEh9Y2SPa?= =?us-ascii?q?wX2vtv1zVj8wIgtCDINE9QlgKI9eLrGat4wrBTrT0j8+peQlCEQzSZdHPOjIWh?= =?us-ascii?q?FZQclm9VvXn42p+M7ahWP7xAqtQ8Wg8H?= X-IPAS-Result: =?us-ascii?q?A2EDAwDo0vhY/wHyM5BcGwEBAQMBAQEJAQEBFwEBBAEBCgE?= =?us-ascii?q?BgwApgWyOb48/AQEBAQEBBpkPKooCVwEBAQEBAQEBAgECaCiCMyKCSAIkUgMDC?= =?us-ascii?q?QIXMQgDAWwFiAGCCQ2sSjomAosmhg2KX4UZBZAEjTCSdg2LCoZJAkiTTFiBBR0?= =?us-ascii?q?JAhsIHg+FKhyBf1mJLgEBAQ?= Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1]) by emsm-gh1-uea10.nsa.gov with ESMTP; 20 Apr 2017 15:28:07 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v3KFRkvc021882; Thu, 20 Apr 2017 11:27:52 -0400 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id v3KFRgQ3026463 for ; Thu, 20 Apr 2017 11:27:42 -0400 Received: from moss-pluto.infosec.tycho.ncsc.mil (moss-pluto [192.168.25.131]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v3KFReiW021874; Thu, 20 Apr 2017 11:27:40 -0400 From: Stephen Smalley To: paul@paul-moore.com Subject: [PATCH] selinux: only invoke capabilities and selinux for CAP_MAC_ADMIN checks Date: Thu, 20 Apr 2017 11:31:30 -0400 Message-Id: <20170420153130.8992-1-sds@tycho.nsa.gov> X-Mailer: git-send-email 2.9.3 X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: Cc: Stephen Smalley , selinux@tycho.nsa.gov Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP SELinux uses CAP_MAC_ADMIN to control the ability to get or set a raw, uninterpreted security context unknown to the currently loaded security policy. When performing these checks, we only want to perform a base capabilities check and a SELinux permission check. If any other modules that implement a capable hook are stacked with SELinux, we do not want to require them to also have to authorize CAP_MAC_ADMIN, since it may have different implications for their security model. Rework the CAP_MAC_ADMIN checks within SELinux to only invoke the capabilities module and the SELinux permission checking. Signed-off-by: Stephen Smalley --- security/selinux/hooks.c | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index e67a526..1aef63c 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3107,6 +3107,18 @@ static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name) return dentry_has_perm(cred, dentry, FILE__SETATTR); } +static bool has_cap_mac_admin(bool audit) +{ + const struct cred *cred = current_cred(); + int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT; + + if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit)) + return false; + if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true)) + return false; + return true; +} + static int selinux_inode_setxattr(struct dentry *dentry, const char *name, const void *value, size_t size, int flags) { @@ -3138,7 +3150,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name, rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL); if (rc == -EINVAL) { - if (!capable(CAP_MAC_ADMIN)) { + if (!has_cap_mac_admin(true)) { struct audit_buffer *ab; size_t audit_size; const char *str; @@ -3264,13 +3276,8 @@ static int selinux_inode_getsecurity(struct inode *inode, const char *name, void * and lack of permission just means that we fall back to the * in-core context value, not a denial. */ - error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN, - SECURITY_CAP_NOAUDIT); - if (!error) - error = cred_has_capability(current_cred(), CAP_MAC_ADMIN, - SECURITY_CAP_NOAUDIT, true); isec = inode_security(inode); - if (!error) + if (has_cap_mac_admin(false)) error = security_sid_to_context_force(isec->sid, &context, &size); else @@ -5918,7 +5925,7 @@ static int selinux_setprocattr(const char *name, void *value, size_t size) } error = security_context_to_sid(value, size, &sid, GFP_KERNEL); if (error == -EINVAL && !strcmp(name, "fscreate")) { - if (!capable(CAP_MAC_ADMIN)) { + if (!has_cap_mac_admin(true)) { struct audit_buffer *ab; size_t audit_size;