From patchwork Tue May 16 21:22:36 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stephen Smalley X-Patchwork-Id: 9729693 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 17D4C602DB for ; Tue, 16 May 2017 21:18:49 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 099AB28715 for ; Tue, 16 May 2017 21:18:49 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id F122F28A1F; Tue, 16 May 2017 21:18:48 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 Received: from emsm-gh1-uea10.nsa.gov (smtp.nsa.gov [8.44.101.8]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 9E48928715 for ; Tue, 16 May 2017 21:18:47 +0000 (UTC) X-IronPort-AV: E=Sophos;i="5.38,350,1491264000"; d="scan'208";a="7127311" IronPort-PHdr: =?us-ascii?q?9a23=3AHuTw8xFe50BWpBYnr9jkQZ1GYnF86YWxBRYc798d?= =?us-ascii?q?s5kLTJ79p8W9bnLW6fgltlLVR4KTs6sC0LuJ9fm9EjVdsd6oizMrSNR0TRgLiM?= =?us-ascii?q?EbzUQLIfWuLgnFFsPsdDEwB89YVVVorDmROElRH9viNRWJ+iXhpTEdFQ/iOgVr?= =?us-ascii?q?O+/7BpDdj9it1+C15pbffxhEiCCzbL52Lhi6txjdu8kZjYd/Kqs8yQbCr2dVde?= =?us-ascii?q?hR2W5mP0+YkQzm5se38p5j8iBQtOwk+sVdT6j0fLk2QKJBAjg+PG87+MPktR/Y?= =?us-ascii?q?TQuS/XQcSXkZkgBJAwfe8h73WIr6vzbguep83CmaOtD2TawxVD+/4apnVAPkhS?= =?us-ascii?q?EaPDE36mHXjtF7grxdrhyvuhdzx5fYbJ+JOPZ7eK7WYNEUSndbXstJVyJPHJ6y?= =?us-ascii?q?YYUMAeQGJeZVrZTxqlUQohulHgSgGP/jxyVUinLswaE2z+IsGhzG0gw6GNIOtW?= =?us-ascii?q?zZosjpNKgMSeC1zLfHzTPeZP1L3Dfy8ozIchQ/rvCMQLl9dtHRxlQ0Fw7eklWR?= =?us-ascii?q?qZDqPzOS1ugXtWib9PBvWfigi24gtQF8uz6izdovhInRno8Z11/J+CpjzIs1ON?= =?us-ascii?q?G0UlB3bNG6HJdKqi2XMZZ9TNk4TGFyoik6z6ULuZu8fCcX1psq3wXfa/mbc4iQ?= =?us-ascii?q?5RLjSfqRLS94hH17fLK/gA6/8VS6xe3mV8m0zU1KojBZktjMqn8N1xvT5tKBSv?= =?us-ascii?q?Rh5UeuxSyD1wXS6uFAOUw0lKzbJIA9wrMoi5YevkvOEjX2lUnrlqOaaEop9vay?= =?us-ascii?q?5+j6ernmo4WTN45wigHwKKQuncm/DPwjMgcQW2ib+OK81KDs/EHgW7pKieA2kq?= =?us-ascii?q?/Fv5/EPsQWvbK5Ag9J3YYj7BazFTGm0M8CknUdI1JFfwyHg5DzO17SOPD4Eeu/?= =?us-ascii?q?g1O0nTdpwPDGOKfuAonNLnfZlrfsZrR960layAo2199f/I5UBa8bIPLoQEPxs8?= =?us-ascii?q?bYDhAhOQyu3+nnEMl91p8ZWW+XAK+ZMrndvkOL5uI0JOmMYo4VuCjmJvgr4/7u?= =?us-ascii?q?kHA4lkQAfamvwZsXdWq0HvN8I0WWeXDsmMsOEX8WvgoiS+znkEWCXiBIaHmsWa?= =?us-ascii?q?I85y07CIW9AIfCWI+inqKO0D28Hp1MaWBMEkqMHmvwd4WYR/cMbzqfLdJmkjwC?= =?us-ascii?q?U7iuVpEu1RWvtALh0bVoMPDU+ioCuZLkzth16PXZlQsu+jxsE8Sdz2aNQnlpkW?= =?us-ascii?q?MUXTA2xrtyrlB6yleGzad3medYFcBJ6/NPTAg6KYbWz/ZmBNDqRgLBYtCJRU6n?= =?us-ascii?q?QtWgHTE+UNYxzMELY0ljB9WilBDC0jGtA78NibOLApk0/bjd33j1PMl9zHnH2L?= =?us-ascii?q?Mmj1k8TctFLXemibJn9wjPG47JlF2UlqardKQb2i7A72KDzW6XsEFZVg58S6PF?= =?us-ascii?q?UmoFZkvVrNT5+F3NQ6WoCbs5LgtL0dSCJbdSat31kVVGQ+/uN8/FbG62n2ewBA?= =?us-ascii?q?2Ixq+XbIbwYGUSwjnSBFIfkw8N+XaGNA4+Bjquom/FEDNvFUjvY1738eVkpnK0?= =?us-ascii?q?VFM0zxqNb01nzba1/QQVhfOEQfMJwr0EoDshqylzHFulwd3WE8CPpxBgfKVHet?= =?us-ascii?q?49+E1I1XjYtwxmJpygK7ptiUIAfAhtuEPuzRp3AJ1akcc2tHMq0BZyKaWA3VJP?= =?us-ascii?q?djOY2ZXwNaPNKmTp8hCgdbPZ2lbE0NmM4qcP8vM4q1f9sw61Ckou6XJn08Na03?= =?us-ascii?q?GE/JXFEBISUY7tUkYw7xV6qavabTM754zI1H1sKrK5sjra29IoHecl0Rihf8xF?= =?us-ascii?q?PKODDg/yHNUQB9KyJ+wyh1ipchUEMfhR9KEuPMOmcOaG1bWoPOl6nzKminlH7J?= =?us-ascii?q?p60kKW+Cp2UvTI0Iodw/GEwguHUC/xg028vcDtmIBLeysSE3Glxif4AY5dfKpy?= =?us-ascii?q?fZwECW22Oc242s1+h4LxW35f7FOsG0kJ2Mu3dhqJc1z83QpQ2F8MoXO7mCu30T?= =?us-ascii?q?p0ky0orqWFxiDOxfrtdAYfMG5RWGZilUvsIZSzj90CR0ioYRIplBy+5Ubm3KVb?= =?us-ascii?q?v6J/L27dQEdNZSf2KXtuUq2uubqee8RP8o8nsT1LUOSgZlCXUrD8rAEe0yP/AW?= =?us-ascii?q?Re3is7eiq0uprnhRx1k3+dLHNpoHreY8Fwyg/V5MbASv5JwjoGWC54hCHLBleh?= =?us-ascii?q?Itap/M+bl5PYv++iUGKhU4FcfjPwzYOcrie743NlAQGnlfCphtLnCRQ60TP819?= =?us-ascii?q?RySyXIrQrzYpXs16SgK+5oYkloBFj668p1AYx+loowhJcK1ngAgZWZ530HkX38?= =?us-ascii?q?Md9Dw6LxcGINRSIXw97S+AXl3ExjLmmVx47gTXWS3M9hZ9i8YmML1SMw9NtKCL?= =?us-ascii?q?+V7LxCnCt6vkG4oRjXYfdjgjcX0eEu52ICg+EVpAotyT2QAqoVHUlcOSzjiQ6I?= =?us-ascii?q?4My5rKRZf2uvaqWw21Zlndy7C7GCuA5cUm7jepg+BS9w8tl/MFXU3X3r8I7kZd?= =?us-ascii?q?3QYcgJuRGOiBjAiOxVKI42lvoMnidnPH7xvXsiy+EnlxBu24+1vJSfIWV34K25?= =?us-ascii?q?GgJYNiHyZ84L+THik6Bent2N0oCsAJphHC4LXJ32QvK0Cj4Ssu7nNwmWGj0mtn?= =?us-ascii?q?ibAabfHROY6Ep+t3LACY2rN3WJK3kB19piQgWdK1JFgA0PQTU6hYA2FhqxxMD7?= =?us-ascii?q?a0d54S0R5kTkpRRSxOJoMAP/UmjBqwuybDc7VoSfJgJM7g5e/0fVLdCe7uVrEi?= =?us-ascii?q?FG+J2usReAKnKdZwtVDWEFQEqECE7/PrO2/9nP7/CYBvaiL/vJebiOsfZRV+qM?= =?us-ascii?q?xZ+0zoRm/iqMN8WWMnlsFfI73FBPXXdjG8TWgz8PUTAYlzrRb86Hoxex4i53r8?= =?us-ascii?q?C78Pv1Qw/v4IyPC7VcMdpx5xC2naeDN+mVhClnMzpY0I0DxWPQwrgFwFESkz1u?= =?us-ascii?q?dyWqEbkYuy7CVqTQmrNQDx4ecC5zOtVH4L873glXI8Hbksn11rl6jvErF1hFSU?= =?us-ascii?q?btmsazZcwFO2u9Lk/IBF6XNLSaIj3G29v3bbmySLFKieVbrRmwuTGbEkL4JDuM?= =?us-ascii?q?izzpWwqoMeFWgyGRJAZet52lchZxFWjjS8rrahOhMNBpkDI22qc7hnXWNW4bKj?= =?us-ascii?q?hxaFlCoaGV7S9ChfV/AWNB5GJ/LeaYgyaZ8/XYKpEOvPttGCR7jfpa4Gwhxrtb?= =?us-ascii?q?7SFEXud1mDfcrt5vpVGpiO+PxSZmUBVUrjZHnoWLvV9tOa/B7JlPRW7E/A4R7W?= =?us-ascii?q?WXExkFusBlBcP1tKBf0NjAjrzzJSxZ893O/sscGtLUJ9idPHolLBrpHiTbDBEc?= =?us-ascii?q?QT63MmHfhExckPaI+n2TsJc6toDmmIASRb9DSFw1CvQaB1xjHNwDJJd3Wi0rka?= =?us-ascii?q?WAgcES+3W+th7RSN9dvpDdWfKYGe/vJyqBjblYexsIxqv1Ip8SNo303ExibEJ3?= =?us-ascii?q?k5nUFEXLXNBCuCthYhUzoEVX/3h0Vncz1F79agOx/H8TEua5kQQ5igRkf+Qi6i?= =?us-ascii?q?zh41AvJlXUoiswlVM+mdThgT+Kdz7wI728XYZMCyr7r0IxKI/0Qx5pbQ2umkxp?= =?us-ascii?q?LCvER7VUj7d6b2Brjw7dtoVJGfFHV61EZwEfxfKMavo01lRcrzmoylVc5evZE5?= =?us-ascii?q?dikhUlcYK0pXJaxw1jdMI1JbDXJKdRyFhfmLiBviuz2+Ayxw8ePFoN/3mUeC4T?= =?us-ascii?q?u0wIN6MqJyy28exw8QaCgSdMeHAQV/o2pfJn7lk9NPqbzy3+ybFDMFy+N+yEIq?= =?us-ascii?q?yCumjAj9OHQlQ+1kMQjUlK47h33d0lc0WKS0Al1KGRGAgRNcreNQFVaNJf+2XJ?= =?us-ascii?q?ciaQsOXC3Il1Mp6nGeDyV++Os6gVglm6Ewk1AoQM9MUBHoWs0U3CK8foMqIFww?= =?us-ascii?q?035Av3PFWFEOhJeBWTnTcDpMG/1oF43Y9cJzEaGmh9PiO35qvNqg8tmvqDU888?= =?us-ascii?q?Ym0GUYscKnI2RMq6ljZCv3teCDm30+QZyBWN7jLnuivQCzz8YMZ5a/ePeRNgEt?= =?us-ascii?q?e29isj86Kuk17Y7o3eJ33mNdRlotLA9P8Vp5OAC/NSUblxrlzRm5dGSHywUm7O?= =?us-ascii?q?ENm1J57qZ4kqc9P0Fm6wUkajhDItU8fxINGtI7CLgQHyRYdbqo+b3CwjNcKmGT?= =?us-ascii?q?EeHA9wqP0Z6KJ6ewIDf4IxYQT0uAQmK6y/PACY382yQ2asLDtWSOVfzeW6ZrFM?= =?us-ascii?q?0iUsb++7x2E7QZ0gyem471INTokQjh7C3faje5VeUS/rF3xSYQXAvyw5l3R6O+?= =?us-ascii?q?Yzxec+zhXIsUUcMz+VdexpbnBEsM8mBV+IJ3V5FHY4TUeGjYXf+g6sw6wS/yxF?= =?us-ascii?q?ktlO1e1FsWTxsYHHbzKpWK2rr5LVsyw6YtU9uKJxMJbsIs2fuJPQgzzTVp/QvR?= =?us-ascii?q?OZUCSiDfpVhsBQID5EQPlPgWwqItIJuYxa5EUrS8g+OaJACLM3pr+wczplDTQe?= =?us-ascii?q?zSgDV4OPxDYCmPuz26PGlheMd5QvKAYEsJNDgtQBUy52ZScepLS7WYvPimGKUH?= =?us-ascii?q?QGLgAI4AtQ4wIAk5N/cfr+4IrUVpNMzSBZo+5sWCvRCpZo70f7Sn2RgVXgVPqh?= =?us-ascii?q?kfam0h5Jwf3w1dkbXBp/CUlDyOZMiksnNq14K6kKso7NqD+IelvwvHjxx+u+OF?= =?us-ascii?q?lR1crUekXiDIXfr2r8VTYT9GYIRY9V0n7fC4odkw54aKYtq1VMJIGmekn+5zw4?= =?us-ascii?q?yYRmBaO4VcWxy1Yjs3kGWz+gE8BdBOF+rFLXRDplboilqZn/J5pSQm5Q+Jicq1?= =?us-ascii?q?hDk0VgKC+5xoRCJM5T+DIMWyJPoTqFttuoVMJDwdN2D4MLItpno3f9H6dEN4KL?= =?us-ascii?q?o3w4vbzvznHZ9is5sFe9wzWzALG3QP5D/20ZAQUpPGWeqk8gD+c29WfS6F/NuE?= =?us-ascii?q?hu/+hHHriPkVlxoDFlE59UHDZJyHalI05wTHRdsuVaKaXVc9BHTPUoYx+gJQA+?= =?us-ascii?q?H+Y830OV5UF0gWv5YytquwtG/CDdWhI5VTUJjrfogjISsMenNiEGS5hQdzUucz?= =?us-ascii?q?/FKx6HmSBQpBtfa1tlW4oDDdZB5r4WxpZb8dTaSUa0Ny4FWAJtNhgi3fpYj05D?= =?us-ascii?q?v12SeTrBAgqwafbPrhp3cN+TrM6uMvv05xpIhZ38sO8m7aUDW2OplhC3TdDYsY?= =?us-ascii?q?D8qsWAtlGSe6fgL+28fXjBQSDXghC+mbgoE5vH8zXdPQdAN5Z6zn8kboT7Bm7Q?= =?us-ascii?q?IRRKPaQbKFRHVapic9VJvvhaZ9N4eKYO4aJtHAyISQ7vGIO1sPlLNVLTRTPALy?= =?us-ascii?q?qf7OCwvYXT4qHDRuT6YMyD2WrHSbptPphm8Tn7B6vq0YhG90ruwfdt6ll1RkXa?= =?us-ascii?q?My2at9ThIR4L5NO+eUT8uJ0pASnWD410kHb3wUFAbcUXSTWw8JsE0JNZ9GrwSe?= =?us-ascii?q?Vg30jvqu1d6adr5pQs7rB0zce0Ob3SJu5EsU9mBRiUAhtl9ok3DGh4XWBRbfcb?= =?us-ascii?q?KO3NcqQBkcDut+f3GrQS6BKP/+xZbcXIJ13dmsalED6RUhpEkxkdqT4BMgSTze?= =?us-ascii?q?aFlLFuRcaju+f5xlon40KiIR4e0LBt+YCE97KKpODNdRvRyqMEWqzwScPttbks?= =?us-ascii?q?vl6S5fk4lL4PZmN1YheoEO4GVsIHwWfg168qxzo2E8zfB7Lg5OJDV3UhkzLigZ?= =?us-ascii?q?99GVsWGukTHbWW44tThXs4lPbfNt0NdaBOgGCPGgC4ErUa036k9zOXIHV5ghHJ?= =?us-ascii?q?yxzwTn6z7F7yrS98XyTMyszunVdLWbasBEddRSypNVV/sDOVMwrirMD3trgt7E?= =?us-ascii?q?EqLmzks8qAlG2lOL5MHs3/ItmcLTM1pFIRgp0xXMag2ZsHGdqnPdce7G1+bubE?= =?us-ascii?q?62y1iSNBpL1Hh4XG6MGP5vrXBWWgj7Gdq7iVwTBYzX44vU0w6t++LfzO4tyKTO?= =?us-ascii?q?6u12kPUyd+tQzBXwS2qrzAtVwUP1KE0FvTkowQIt5ZxWU41l3h5OU7WtI86RhR?= =?us-ascii?q?G53PZ/MHqjH/Ij30zkiDY9gvTCmRzyNXHk7pEVl/AKU83HnwvMfJmHrL9V0nWJ?= =?us-ascii?q?R/d0v9hRNtF4U4M0Ut6FoJzSUfDQgBcxebDKunBU79N4sLSVADaQib3Li9Yqo3?= =?us-ascii?q?xld8wq216+/cc+N8HLEANu1HgQ6QhldbFYwZsbYETLJ6ZVBd6LbdphL+BIj/Q/?= =?us-ascii?q?jmiX0wOOW3QsBb9MAUrH4i7Ri/RhW+85dD7rAbiJ+Seq5Cf5fMoNh271176j4X?= =?us-ascii?q?aixNnB9/ggu4UeEdvu/s+MTUvYGz6umwSKYiWfkY+wIzB2RkgJv6mEojrs3P1+?= =?us-ascii?q?dAVo3Vjpzy/xtMI36RtofVyRt8KesSK4KzZrlg6nEHKjMCKHIJINWZdeMz4zJ3?= =?us-ascii?q?MDXU/VxNGNkAZdQCPMrCgQpUkFHmWKlP9srHHV+VE59zeNo072XryDA0/5w8Uv?= =?us-ascii?q?zj6DOvPpDQ8VVNP/JFjCVxm9PPv/AVzuDOCCcL4XmYZR91wjmBy5WXCPb/4/+M?= =?us-ascii?q?yNfKWFMCBCI2VJ1dJDWa8wy9WuW1jInpUh+T6sLrnJI+blyfRnirk6QDrKlBCv?= =?us-ascii?q?NPiiT03jhfCoD6nemVvMC26GtKrFFHFph87QHdEqVFIpp7IQj4ltWsRkVkCSvw?= =?us-ascii?q?YtvUeQQyuOqW3eoM5+R+N1fgao8bOB0E1qn65WBTTgRwVL78pkyZUv4JZNt6VP?= =?us-ascii?q?PEqWhY6Y1+JK8JIFido5vqojBTqF8oBA8pabkwriFVd0TVmA1aRbz0ub4ahQcG?= =?us-ascii?q?V952p1NME3qqOG0i/zrHSbhVjK6JBfwT8zWcUqsOU0FyPSNlWR+12ZJue7yynf?= =?us-ascii?q?BcqW5Gmyxwofcw3zxhXhu8tjXmp7gR1jI45LG4qDIBtGRKTuqCiCfIEkxPwukF?= =?us-ascii?q?g6kaCnbi70G8YXYYYYv95bloP8Lg+pc773Q4exUjcDUMXf68BCHok6OIHouPvc?= =?us-ascii?q?pehB6KuMXOa6W/IjQSNrQ51BLsWnl80gnYnBZz82sLQy6t7MElJIWjI8klwjen?= =?us-ascii?q?GWnBeFYK/KxJrNP7tUQXQ+sudVNh3GJj39CGRi0TXsPPHX04jgw5aWpZcZJD7g?= =?us-ascii?q?QaG7MvgjaSsalM5hsUbyvMEoS55onQmt/F2XsjQtdkyGLWoraIh50w331jhdx0?= =?us-ascii?q?8jSCuHIMeOzES8VsGGT81p9DyeziYPWgqu8HSI9hyLWvTvACNs2j9HCt2JVtXE?= =?us-ascii?q?+lx6gRE0C/MOAd2rfRSz2lRnGAWeSXb2iMmC40Mkzy5RioNl03b8NKr04hMuTc?= =?us-ascii?q?nZNckgzhUa9uRiqOv1Pby3YjMewCfQIspIinYxAKTPIWZ+WEOeguwfg+BUAQb3?= =?us-ascii?q?/IASR2CPG5sVq3kIh9JXpg/V3wYf7x/QD+LNuSBh4EHJbfrp5w+vy6RWWBNGRi?= =?us-ascii?q?zBJoP0l08OHfGEo3tuNGdZaeg8TQjcxh0eEZb/dtLTE9utkLl41494aU1tuKfA?= =?us-ascii?q?rKzpb2ItHVvuSYA+PBwEs3YG1aVaAZYQzt7YUgItE5Q6HTHadevRkEC6g1Xpgh?= =?us-ascii?q?N2bp9K5qNw5ycw/RZLGxgsb0vOKLYoVbq2XR7lIqIyfWowcDxeCsTQxnc5CqgG?= =?us-ascii?q?3/IZ4oRjJbrt1iFgVpEZBKG8MBswqnGYCblLu8i9+r9ENwo/UKvrboCvDWyNS5?= =?us-ascii?q?2J18X59e5UOVJzvRHK1rjV5+juSug/fPzoXxCdn8dtwaTuR7RHDKaqPeFIWlNj?= =?us-ascii?q?2OIt78e1JB87OE1LJ5UxORZD32XqafsC2kNe5k4VkgyoFjferc1jot77bB1Nv1?= =?us-ascii?q?fWFbqT+prWSVO5tH8FzKGeveUgpPSfWb9GZlHKsXbZb79esJPtIi3Nic7Bdp7D?= =?us-ascii?q?tcyMuKObOsrkzS1UJhc5LUMk/p1D0kWYkFOhi/NlEsgWDBoHTHHXtcNtSkKdVq?= =?us-ascii?q?gNuNCxzi/VV+mWEsZm5HHWrlXsmROWkd282gYA2K9QRLD8sMnuKtfk44rKKyQ/?= =?us-ascii?q?FyOppZgeWqqKkHkdFxJiHNXsdaPCbQI6RtMzpMCOXPuFgoYhkZs7g6Woc1eYKC?= =?us-ascii?q?IEUZP0ec0Sny1xfN0VXod9yw06aEOCkW/W9cwLLf0DhDuQ25tO2Hgs3nSr/Zd5?= =?us-ascii?q?D2XOPIPCojSD6aWSw4EVy19le8p/oEoP2YLH8dolARZSKSEhQTpqF0rdXLCG/c?= =?us-ascii?q?g+hjc4MLhPyAXCDwUiJ4nrIoBilXrUCMX+YDFQ7OYn/6jmpcvRCtK/5P8H/+cb?= =?us-ascii?q?2X2LBVW+0XA4tLdP2VWd3Ydu5CJ2RgqjJMI+u4ftvBv54lw1nISi0fCKCO+1qA?= =?us-ascii?q?H2CMRfnJ/C7mRYUYucAPvyMs/t/B1ntsH7/gI6eUpzno9JWxyimfp7uNBSEWf0?= =?us-ascii?q?UpjbdaUyG6yx5aJTRBUYkY?= X-IPAS-Result: =?us-ascii?q?A2FtAQD2axtZ/wHyM5BcGQEBAQEBAQEBAQEBBwEBAQEBFQE?= =?us-ascii?q?BAQECAQEBAQgBAQEBgwEpgVwSjneRY5cOJYtUVwEBAQEBAQEBAgECaCiCMySCS?= =?us-ascii?q?QIkUgMDCQIXMQgDAWwFiAJNgUINrkc6JgKLEIg9gmeFCoV/BZ4Kkw4NggSJFYZ?= =?us-ascii?q?SiH+LRFiBCiYJAh4IHw9GhHccgX9ahgiCOwEBAQ?= Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1]) by emsm-gh1-uea10.nsa.gov with ESMTP; 16 May 2017 21:18:45 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v4GLITc7016093; Tue, 16 May 2017 17:18:35 -0400 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id v4GLIQIs005992 for ; Tue, 16 May 2017 17:18:26 -0400 Received: from moss-pluto.infosec.tycho.ncsc.mil (moss-pluto [192.168.25.131]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v4GLIPfl016080; Tue, 16 May 2017 17:18:25 -0400 From: Stephen Smalley To: selinux@tycho.nsa.gov Subject: [PATCH v2] libsepol, checkpolicy: add binary module support for xperms Date: Tue, 16 May 2017 17:22:36 -0400 Message-Id: <20170516212236.30782-1-sds@tycho.nsa.gov> X-Mailer: git-send-email 2.9.3 X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: Cc: Stephen Smalley Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP Presently we support xperms rules in source policy and in CIL modules. The binary policy module format however was never extended for xperms. This limitation inhibits use of xperms in refpolicy-based policy modules (including the selinux-testsuite policy). Update libsepol to support linking, reading, and writing a new binary policy module version that supports xperms rules. Update dismod to display xperms rules in binary policy modules. Also, to support use of a non-base binary policy module with a newer version on a system using a base policy module with an older version, automatically upgrade the version during module linking. This facilitates usage of newer features in non-base modules without requiring rebuilding the base module. Tests: 1. Add an allowxperms rule to the selinux-testsuite policy and confirm that it is properly written to the binary policy module (displayed by dismod), converted to CIL (the latter was already supported), and included in the kernel policy (via dispol and kernel test). 2. Use semodule_link and semodule_expand to manually link and expand all of the .pp files via libsepol, and confirm that the allowxperms rule is correctly propagated to the kernel policy. This test is required to exercise the legacy link/expand code path for binary modules that predated CIL. Signed-off-by: Stephen Smalley --- v2 updates the dismod code to convert the av_extended_perms_t structure from the avrule to an equivalent avtab_extended_perms_t structure rather than assuming that they will always be identical. checkpolicy/test/dismod.c | 25 +++++++++++ libsepol/include/sepol/policydb/policydb.h | 3 +- libsepol/src/link.c | 15 +++++++ libsepol/src/policydb.c | 66 +++++++++++++++++++++++++++++- libsepol/src/write.c | 60 +++++++++++++++++++++------ 5 files changed, 153 insertions(+), 16 deletions(-) diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c index aac13e1..d5c7eea 100644 --- a/checkpolicy/test/dismod.c +++ b/checkpolicy/test/dismod.c @@ -243,6 +243,13 @@ int display_avrule(avrule_t * avrule, policydb_t * policy, } } else if (avrule->specified & AVRULE_NEVERALLOW) { fprintf(fp, " neverallow"); + } else if (avrule->specified & AVRULE_XPERMS) { + if (avrule->specified & AVRULE_XPERMS_ALLOWED) + fprintf(fp, "allowxperm "); + else if (avrule->specified & AVRULE_XPERMS_AUDITALLOW) + fprintf(fp, "auditallowxperm "); + else if (avrule->specified & AVRULE_XPERMS_DONTAUDIT) + fprintf(fp, "dontauditxperm "); } else { fprintf(fp, " ERROR: no valid rule type specified\n"); return -1; @@ -282,6 +289,24 @@ int display_avrule(avrule_t * avrule, policydb_t * policy, policy, fp); } else if (avrule->specified & AVRULE_TYPE) { display_id(policy, fp, SYM_TYPES, avrule->perms->data - 1, ""); + } else if (avrule->specified & AVRULE_XPERMS) { + avtab_extended_perms_t xperms; + int i; + + if (avrule->xperms->specified == AVRULE_XPERMS_IOCTLFUNCTION) + xperms.specified = AVTAB_XPERMS_IOCTLFUNCTION; + else if (avrule->xperms->specified == AVRULE_XPERMS_IOCTLDRIVER) + xperms.specified = AVTAB_XPERMS_IOCTLDRIVER; + else { + fprintf(fp, " ERROR: no valid xperms specified\n"); + return -1; + } + + xperms.driver = avrule->xperms->driver; + for (i = 0; i < EXTENDED_PERMS_LEN; i++) + xperms.perms[i] = avrule->xperms->perms[i]; + + fprintf(fp, "%s", sepol_extended_perms_to_string(&xperms)); } fprintf(fp, ";\n"); diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h index 37e0c9e..99e4990 100644 --- a/libsepol/include/sepol/policydb/policydb.h +++ b/libsepol/include/sepol/policydb/policydb.h @@ -748,9 +748,10 @@ extern int policydb_set_target_platform(policydb_t *p, int platform); #define MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 15 #define MOD_POLICYDB_VERSION_DEFAULT_TYPE 16 #define MOD_POLICYDB_VERSION_CONSTRAINT_NAMES 17 +#define MOD_POLICYDB_VERSION_XPERMS_IOCTL 18 #define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE -#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_CONSTRAINT_NAMES +#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_XPERMS_IOCTL #define POLICYDB_CONFIG_MLS 1 diff --git a/libsepol/src/link.c b/libsepol/src/link.c index f211164..cd4cc86 100644 --- a/libsepol/src/link.c +++ b/libsepol/src/link.c @@ -1325,6 +1325,15 @@ static int copy_avrule_list(avrule_t * list, avrule_t ** dst, tail_perm = new_perm; cur_perm = cur_perm->next; } + + if (cur->xperms) { + new_rule->xperms = calloc(1, sizeof(*new_rule->xperms)); + if (!new_rule->xperms) + goto cleanup; + memcpy(new_rule->xperms, cur->xperms, + sizeof(*new_rule->xperms)); + } + new_rule->line = cur->line; new_rule->source_line = cur->source_line; if (cur->source_filename) { @@ -2569,6 +2578,12 @@ int link_modules(sepol_handle_t * handle, goto cleanup; } + if (mods[i]->policyvers > b->policyvers) { + WARN(state.handle, + "Upgrading policy version from %u to %u\n", b->policyvers, mods[i]->policyvers); + b->policyvers = mods[i]->policyvers; + } + if ((modules[i] = (policy_module_t *) calloc(1, sizeof(policy_module_t))) == diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c index 7093b29..069eb7e 100644 --- a/libsepol/src/policydb.c +++ b/libsepol/src/policydb.c @@ -284,6 +284,13 @@ static struct policydb_compat_info policydb_compat[] = { .target_platform = SEPOL_TARGET_SELINUX, }, { + .type = POLICY_BASE, + .version = MOD_POLICYDB_VERSION_XPERMS_IOCTL, + .sym_num = SYM_NUM, + .ocon_num = OCON_NODE6 + 1, + .target_platform = SEPOL_TARGET_SELINUX, + }, + { .type = POLICY_MOD, .version = MOD_POLICYDB_VERSION_BASE, .sym_num = SYM_NUM, @@ -381,6 +388,13 @@ static struct policydb_compat_info policydb_compat[] = { .ocon_num = 0, .target_platform = SEPOL_TARGET_SELINUX, }, + { + .type = POLICY_MOD, + .version = MOD_POLICYDB_VERSION_XPERMS_IOCTL, + .sym_num = SYM_NUM, + .ocon_num = 0, + .target_platform = SEPOL_TARGET_SELINUX, + }, }; #if 0 @@ -557,6 +571,8 @@ void avrule_destroy(avrule_t * x) next = cur->next; free(cur); } + + free(x->xperms); } void role_trans_rule_init(role_trans_rule_t * x) @@ -3215,8 +3231,8 @@ static avrule_t *avrule_read(policydb_t * p if (rc < 0) goto bad; - (avrule)->specified = le32_to_cpu(buf[0]); - (avrule)->flags = le32_to_cpu(buf[1]); + avrule->specified = le32_to_cpu(buf[0]); + avrule->flags = le32_to_cpu(buf[1]); if (type_set_read(&avrule->stypes, fp)) goto bad; @@ -3252,6 +3268,52 @@ static avrule_t *avrule_read(policydb_t * p tail = cur; } + if (avrule->specified & AVRULE_XPERMS) { + uint8_t buf8; + size_t nel = ARRAY_SIZE(avrule->xperms->perms); + uint32_t buf32[nel]; + + if (p->policyvers < MOD_POLICYDB_VERSION_XPERMS_IOCTL) { + ERR(fp->handle, + "module policy version %u does not support ioctl" + " extended permissions rules and one was specified", + p->policyvers); + goto bad; + } + + if (p->target_platform != SEPOL_TARGET_SELINUX) { + ERR(fp->handle, + "Target platform %s does not support ioctl" + " extended permissions rules and one was specified", + policydb_target_strings[p->target_platform]); + goto bad; + } + + avrule->xperms = calloc(1, sizeof(*avrule->xperms)); + if (!avrule->xperms) + goto bad; + + rc = next_entry(&buf8, fp, sizeof(uint8_t)); + if (rc < 0) { + ERR(fp->handle, "truncated entry"); + goto bad; + } + avrule->xperms->specified = buf8; + rc = next_entry(&buf8, fp, sizeof(uint8_t)); + if (rc < 0) { + ERR(fp->handle, "truncated entry"); + goto bad; + } + avrule->xperms->driver = buf8; + rc = next_entry(buf32, fp, sizeof(uint32_t)*nel); + if (rc < 0) { + ERR(fp->handle, "truncated entry"); + goto bad; + } + for (i = 0; i < nel; i++) + avrule->xperms->perms[i] = le32_to_cpu(buf32[i]); + } + return avrule; bad: if (avrule) { diff --git a/libsepol/src/write.c b/libsepol/src/write.c index e75b9ab..1606807 100644 --- a/libsepol/src/write.c +++ b/libsepol/src/write.c @@ -50,7 +50,8 @@ struct policy_data { struct policydb *p; }; -static int avrule_write_list(avrule_t * avrules, struct policy_file *fp); +static int avrule_write_list(policydb_t *p, + avrule_t * avrules, struct policy_file *fp); static int ebitmap_write(ebitmap_t * e, struct policy_file *fp) { @@ -779,9 +780,9 @@ static int cond_write_node(policydb_t * p, if (cond_write_av_list(p, node->false_list, fp) != 0) return POLICYDB_ERROR; } else { - if (avrule_write_list(node->avtrue_list, fp)) + if (avrule_write_list(p, node->avtrue_list, fp)) return POLICYDB_ERROR; - if (avrule_write_list(node->avfalse_list, fp)) + if (avrule_write_list(p, node->avfalse_list, fp)) return POLICYDB_ERROR; } @@ -1613,18 +1614,13 @@ static int range_write(policydb_t * p, struct policy_file *fp) /************** module writing functions below **************/ -static int avrule_write(avrule_t * avrule, struct policy_file *fp) +static int avrule_write(policydb_t *p, avrule_t * avrule, + struct policy_file *fp) { size_t items, items2; uint32_t buf[32], len; class_perm_node_t *cur; - if (avrule->specified & AVRULE_XPERMS) { - ERR(fp->handle, "module policy does not support extended" - " permissions rules and one was specified"); - return POLICYDB_ERROR; - } - items = 0; buf[items++] = cpu_to_le32(avrule->specified); buf[items++] = cpu_to_le32(avrule->flags); @@ -1661,10 +1657,48 @@ static int avrule_write(avrule_t * avrule, struct policy_file *fp) cur = cur->next; } + if (avrule->specified & AVRULE_XPERMS) { + size_t nel = ARRAY_SIZE(avrule->xperms->perms); + uint32_t buf32[nel]; + uint8_t buf8; + unsigned int i; + + if (p->policyvers < MOD_POLICYDB_VERSION_XPERMS_IOCTL) { + ERR(fp->handle, + "module policy version %u does not support ioctl" + " extended permissions rules and one was specified", + p->policyvers); + return POLICYDB_ERROR; + } + + if (p->target_platform != SEPOL_TARGET_SELINUX) { + ERR(fp->handle, + "Target platform %s does not support ioctl" + " extended permissions rules and one was specified", + policydb_target_strings[p->target_platform]); + return POLICYDB_ERROR; + } + + buf8 = avrule->xperms->specified; + items = put_entry(&buf8, sizeof(uint8_t),1,fp); + if (items != 1) + return POLICYDB_ERROR; + buf8 = avrule->xperms->driver; + items = put_entry(&buf8, sizeof(uint8_t),1,fp); + if (items != 1) + return POLICYDB_ERROR; + for (i = 0; i < nel; i++) + buf32[i] = cpu_to_le32(avrule->xperms->perms[i]); + items = put_entry(buf32, sizeof(uint32_t), nel, fp); + if (items != nel) + return POLICYDB_ERROR; + } + return POLICYDB_SUCCESS; } -static int avrule_write_list(avrule_t * avrules, struct policy_file *fp) +static int avrule_write_list(policydb_t *p, avrule_t * avrules, + struct policy_file *fp) { uint32_t buf[32], len; avrule_t *avrule; @@ -1682,7 +1716,7 @@ static int avrule_write_list(avrule_t * avrules, struct policy_file *fp) avrule = avrules; while (avrule) { - if (avrule_write(avrule, fp)) + if (avrule_write(p, avrule, fp)) return POLICYDB_ERROR; avrule = avrule->next; } @@ -1870,7 +1904,7 @@ static int avrule_decl_write(avrule_decl_t * decl, int num_scope_syms, return POLICYDB_ERROR; } if (cond_write_list(p, decl->cond_list, fp) == -1 || - avrule_write_list(decl->avrules, fp) == -1 || + avrule_write_list(p, decl->avrules, fp) == -1 || role_trans_rule_write(p, decl->role_tr_rules, fp) == -1 || role_allow_rule_write(decl->role_allow_rules, fp) == -1) { return POLICYDB_ERROR;