From patchwork Thu Apr 20 15:35:15 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Stephen Smalley
X-Patchwork-Id: 9690823
Return-Path:
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 9E7ED60383
	for ; Thu, 20 Apr 2017 15:31:36 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 998331FF60
	for ; Thu, 20 Apr 2017 15:31:36 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 8D56128433; Thu, 20 Apr 2017 15:31:36 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org
X-Spam-Level:
X-Spam-Status: No, score=-1.9 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
Received: from emsm-gh1-uea10.nsa.gov (smtp.nsa.gov [8.44.101.8])
	(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id A83401FF60
	for ; Thu, 20 Apr 2017 15:31:35 +0000 (UTC)
X-IronPort-AV: E=Sophos;i="5.37,225,1488844800"; d="scan'208";a="6160753"
Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1])
	by emsm-gh1-uea10.nsa.gov with ESMTP; 20 Apr 2017 15:31:33 +0000
Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v3KFVS1k023722;
	Thu, 20 Apr 2017 11:31:30 -0400
Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1])
	by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id v3KFVRcw026473
	for ; Thu, 20 Apr 2017 11:31:27 -0400
Received: from moss-pluto.infosec.tycho.ncsc.mil (moss-pluto [192.168.25.131])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v3KFVPQj023716;
	Thu, 20 Apr 2017 11:31:25 -0400
From: Stephen Smalley
To: selinux@tycho.nsa.gov
Subject: [PATCH] selinux-testsuite: Add CAP_MAC_ADMIN tests
Date: Thu, 20 Apr 2017 11:35:15 -0400
Message-Id: <20170420153515.10589-1-sds@tycho.nsa.gov>
X-Mailer: git-send-email 2.9.3
X-BeenThere: selinux@tycho.nsa.gov
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
List-Post:
List-Help:
Cc: Stephen Smalley
Errors-To: selinux-bounces@tycho.nsa.gov
Sender: "Selinux"
X-Virus-Scanned: ClamAV using ClamSMTP

Add a set of tests for SELinux CAP_MAC_ADMIN checking, which controls the ability to get or set a raw, uninterpreted security context unknown to the currently loaded security policy.

Signed-off-by: Stephen Smalley --- policy/Makefile | 2 +- policy/test_mac_admin.te | 52 +++++++++++++++++++++++++++++++++++++++++++++ tests/Makefile | 2 +- tests/mac_admin/Makefile | 2 ++ tests/mac_admin/test | 55 ++++++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 111 insertions(+), 2 deletions(-) create mode 100644 policy/test_mac_admin.te create mode 100644 tests/mac_admin/Makefile create mode 100755 tests/mac_admin/test diff --git a/policy/Makefile b/policy/Makefile index 6537b68..661f27a 100644 --- a/policy/Makefile +++ b/policy/Makefile @@ -20,7 +20,7 @@ TARGETS = \ test_task_create.te test_task_getpgid.te test_task_getsched.te \ test_task_getsid.te test_task_setpgid.te test_task_setsched.te \ test_transition.te test_inet_socket.te test_unix_socket.te \ - test_mmap.te test_overlayfs.te test_mqueue.te + test_mmap.te test_overlayfs.te test_mqueue.te test_mac_admin.te ifeq ($(shell [ $(POL_VERS) -ge 24 ] && echo true),true) TARGETS += test_bounds.te diff --git a/policy/test_mac_admin.te b/policy/test_mac_admin.te new file mode 100644 index 0000000..579a017 --- /dev/null +++ b/policy/test_mac_admin.te 
@@ -0,0 +1,52 @@ +######################################## +# +# Policy for testing mac_admin permission checks. + +attribute mac_admintestdomain; + +# Domain that is allowed mac_admin. +type test_mac_admin_t; +domain_type(test_mac_admin_t) +unconfined_runs_test(test_mac_admin_t) +typeattribute test_mac_admin_t mac_admintestdomain; +typeattribute test_mac_admin_t testdomain; + +# Relabeling a file to an undefined label remaps it to the unlabeled context, +# which may have a different SELinux user identity (e.g. system_u). +# This would go in the common section below but the interface only +# accepts types, not attributes. +domain_obj_id_change_exemption(test_mac_admin_t) + +# Relabeling a file to an unknown label requires mac_admin permission. +allow test_mac_admin_t self:capability2 mac_admin; + +# Domain that is not allowed mac_admin permission. +type test_no_mac_admin_t; +domain_type(test_no_mac_admin_t) +unconfined_runs_test(test_no_mac_admin_t) +typeattribute test_no_mac_admin_t mac_admintestdomain; +typeattribute test_no_mac_admin_t testdomain; + +# See above. +domain_obj_id_change_exemption(test_no_mac_admin_t) + +# +# Common rules for all mac_admin test domains. +# + +# Relabeling a file to an undefined label requires relabelfrom +# the old file label and relabelto the unlabeled type. We also +# require getattr to both types for stat and getfilecon calls. +allow mac_admintestdomain test_file_t:file { getattr relabelfrom }; +allow mac_admintestdomain unlabeled_t:file { getattr relabelto }; + +# Creating a directory in an undefined label requires search/write/add_name +# to the parent directory and create to the new directory. We also +# allow getattr to permit stat and getfilecon. +allow mac_admintestdomain test_file_t:dir { search write add_name }; +allow mac_admintestdomain test_file_t:dir { getattr create }; +allow mac_admintestdomain unlabeled_t:dir { getattr create }; + +# Entry into the test domains via the test program. 
+corecmd_bin_entry_type(mac_admintestdomain) +userdom_sysadm_entry_spec_domtrans_to(mac_admintestdomain) diff --git a/tests/Makefile b/tests/Makefile index 4e5e7c0..fb8a0aa 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -10,7 +10,7 @@ SUBDIRS:=domain_trans entrypoint execshare exectrace execute_no_trans \ task_setnice task_setscheduler task_getscheduler task_getsid \ task_getpgid task_setpgid file ioctl capable_file capable_net \ capable_sys dyntrans dyntrace bounds nnp mmap unix_socket inet_socket \ - overlay checkreqprot mqueue + overlay checkreqprot mqueue mac_admin ifeq ($(shell grep -q cap_userns $(POLDEV)/include/support/all_perms.spt && echo true),true) ifneq ($(shell ./kvercmp $$(uname -r) 4.7),-1) diff --git a/tests/mac_admin/Makefile b/tests/mac_admin/Makefile new file mode 100644 index 0000000..e7c006f --- /dev/null +++ b/tests/mac_admin/Makefile @@ -0,0 +1,2 @@ +all: +clean: diff --git a/tests/mac_admin/test b/tests/mac_admin/test new file mode 100755 index 0000000..8a186f3 --- /dev/null +++ b/tests/mac_admin/test 
@@ -0,0 +1,55 @@ +#!/usr/bin/perl + +use Test; +BEGIN { plan tests => 8} + +$basedir = $0; $basedir =~ s|(.*)/[^/]*|$1|; + +# Verify that test_mac_admin_t can relabel a file to an undefined context. +system("rm -f $basedir/test_file; touch $basedir/test_file"); +$result = system ("runcon -t test_mac_admin_t -- chcon -t UNDEFINED $basedir/test_file 2>&1"); +ok($result, 0); # we expect this to succeed. + +# Verify that test_mac_admin_t sees the undefined context. +$result = `runcon -t test_mac_admin_t -- secon -t -f $basedir/test_file 2>&1`; +chomp($result); +ok($result, "UNDEFINED"); + +# Verify that test_no_mac_admin_t sees the unlabeled context +$result = `runcon -t test_no_mac_admin_t -- secon -t -f $basedir/test_file 2>&1`; +chomp($result); +ok($result, "unlabeled_t"); + +# Delete the test file. +system("rm -f $basedir/test_file"); + +# Verify that test_mac_admin_t can create a directory with an undefined label. +system("rm -rf $basedir/test_dir"); +$result = system ("runcon -t test_mac_admin_t -- mkdir --context=system_u:object_r:UNDEFINED:s0 $basedir/test_dir 2>&1"); +ok($result, 0); # we expect this to succeed. + +# Verify that test_mac_admin_t sees the undefined label value. +$result = `runcon -t test_mac_admin_t -- secon -t -f $basedir/test_dir 2>&1`; +chomp($result); +ok($result, "UNDEFINED"); + +# Verify that test_no_mac_admin_t sees the unlabeled context. +$result = `runcon -t test_no_mac_admin_t -- secon -t -f $basedir/test_dir 2>&1`; +chomp($result); +ok($result, "unlabeled_t"); + +# Delete the test directory +system("rm -rf $basedir/test_dir"); + +# Verify that test_no_mac_admin_t cannot set an undefined label on a file +system("rm -f $basedir/test_file; touch $basedir/test_file"); +$result = system ("runcon -t test_no_mac_admin_t -- chcon -t UNDEFINED $basedir/test_file 2>&1"); +ok($result); # we expect this to fail. 
+ +# Verify that test_no_mac_admin_t cannot create a directory with an undefined context +system("rm -rf $basedir/test_dir"); +$result = system ("runcon -t test_no_mac_admin_t -- mkdir --context=UNDEFINED $basedir/test_dir 2>&1"); +ok($result); # we expect this to fail. + +# cleanup +system("rm -rf $basedir/test_file $basedir/test_dir");
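
Review bot: In policy/test_mac_admin.te, the rule "allow mac_admintestdomain test_file_t:dir { getattr create };" grants create on test_file_t directories, but the comment above it only calls for create on the new directory, and every mkdir in tests/mac_admin/test passes --context, so that permission does not appear to be exercised by any test in this patch. Consider dropping create from the test_file_t:dir rule and folding getattr into the preceding "{ search write add_name }" rule, so the test domains carry only the permissions the tests need, or extend the comment to say why create on test_file_t:dir is required.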
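
Review bot: In tests/mac_admin/test, the final negative test runs mkdir with "--context=UNDEFINED", while the positive test for test_mac_admin_t uses "--context=system_u:object_r:UNDEFINED:s0"; because the two context strings differ, a failure in the negative case cannot be attributed to the missing mac_admin permission alone. Use the same full context in both so the only variable is the domain. The two "ok($result); # we expect this to fail." checks also accept any non-zero status, including runcon failing before chcon or mkdir ever runs, so following each with a check that test_file still carries its original type, or that test_dir was not created, would make the negative tests assert the denial itself.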