From patchwork Mon Jul 10 20:25:53 2017
X-Patchwork-Submitter: Stephen Smalley
X-Patchwork-Id: 9833751
From: Stephen Smalley
To: selinux@tycho.nsa.gov
Subject: [RFC][PATCH] selinux: Introduce a policy capability and permission for NNP transitions
Date: Mon, 10 Jul 2017 16:25:53 -0400
Message-Id: <20170710202553.20668-1-sds@tycho.nsa.gov>
Cc: Stephen Smalley

As systemd ramps up enabling NoNewPrivileges (either explicitly in service
unit files or as a side effect of other security-related settings in
service unit files), we're increasingly running afoul of its interactions
with SELinux. The end result is bad for the security of both
SELinux-disabled and SELinux-enabled systems. Packagers have to turn off
these options in the unit files to preserve SELinux domain transitions.
For users who choose to disable SELinux, this means that they miss out on
at least having the systemd-supported protections. For users who keep
SELinux enabled, they may still be missing out on some protections because
it isn't necessarily guaranteed that the SELinux policy for that service
provides the same protections in all cases.

Our options seem to be:

1) Just keep on the way we are now, i.e. packagers have to remove default
protection settings from upstream package unit files in order to have them
work with SELinux (and not just NoNewPrivileges= itself; increasingly
systemd is enabling NNP as a side effect of other unit file options, even
seemingly unrelated ones like PrivateDevices). SELinux-disabled users lose
entirely, SELinux-enabled users may lose (depending on whether SELinux
policy provides equivalent or better guarantees).

2) Change systemd to automatically disable NNP on SELinux-enabled systems.
Unit files can be left unmodified from upstream. SELinux-disabled users
win. SELinux-enabled users may lose.

3) Try to use typebounds, since we allow bounded transitions under NNP.
Unit files can be left unmodified from upstream. SELinux-disabled users
win. SELinux-enabled users get to benefit from systemd-provided
protections. However, this option is impractical to implement in policy
currently, since typebounds requires us to ensure that each domain is
allowed everything all of its descendant domains are allowed, and this has
to be repeated for the entire chain of domain transitions. There is no way
to clone all allow rules from children to the parent in policy currently,
and it is doubtful that doing so would be desirable even if it were
practical, as it requires leaking permissions to objects and operations
into parent domains that could weaken their own security in order to allow
them to the children (e.g. if a child requires execmem permission, then so
does the parent; if a child requires read to a symbolic link or temporary
file that it can write, then so does the parent, ...).

4) Decouple NNP from SELinux transitions, so that we don't have to make a
choice between them. Introduce a new policy capability that causes the
ability to transition under NNP to be based on a new permission check
between the old and new contexts rather than typebounds. Domain
transitions can then be allowed in policy without requiring the parent to
be a strict superset of all of its children. The rationale for this
divergence from NNP behavior for capabilities is that SELinux permissions
are substantially broader than just capabilities (they express a full
access matrix, not just privileges) and can only be used to further
restrict capabilities, not grant them beyond what is already permitted.
Unit files can be left unmodified from upstream. SELinux-disabled users
win. SELinux-enabled users can benefit from systemd-provided protections
and policy won't need to radically change.

This change takes the last approach above, as it seems to be the best
option.
Signed-off-by: Stephen Smalley
---
 security/selinux/hooks.c            | 41 ++++++++++++++++++++++++-------------
 security/selinux/include/classmap.h |  2 +-
 security/selinux/include/security.h |  2 ++
 security/selinux/ss/services.c      |  7 ++++++-
 4 files changed, 36 insertions(+), 16 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 3a06afb..f0c11c2 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2326,24 +2326,37 @@ static int check_nnp_nosuid(const struct linux_binprm *bprm, return 0; /* No change in credentials */ /* - * The only transitions we permit under NNP or nosuid - * are transitions to bounded SIDs, i.e. SIDs that are - * guaranteed to only be allowed a subset of the permissions - * of the current SID. + * If the policy enables the nnp_transition policy capability, + * then we permit transitions under NNP or nosuid if the + * policy explicitly allows nnp_transition permission between + * the old and new contexts. */ - rc = security_bounded_transition(old_tsec->sid, new_tsec->sid); - if (rc) { + if (selinux_policycap_nnptransition) { + rc = avc_has_perm(old_tsec->sid, new_tsec->sid, + SECCLASS_PROCESS, + PROCESS__NNP_TRANSITION, NULL); + if (!rc) + return 0; + } else { /* - * On failure, preserve the errno values for NNP vs nosuid. - * NNP: Operation not permitted for caller. - * nosuid: Permission denied to file. + * Otherwise, the only transitions we permit under NNP or nosuid + * are transitions to bounded SIDs, i.e. SIDs that are + * guaranteed to only be allowed a subset of the permissions + * of the current SID. */ - if (nnp) - return -EPERM; - else - return -EACCES; + rc = security_bounded_transition(old_tsec->sid, new_tsec->sid); + if (!rc) + return 0; } - return 0; + + /* + * On failure, preserve the errno values for NNP vs nosuid. + * NNP: Operation not permitted for caller. + * nosuid: Permission denied to file. + */ + if (nnp) + return -EPERM; + return -EACCES; } static int selinux_bprm_set_creds(struct linux_binprm *bprm) diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index b9fe343..7fde56d 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h 
@@ -47,7 +47,7 @@ struct security_class_mapping secclass_map[] = { "getattr", "setexec", "setfscreate", "noatsecure", "siginh", "setrlimit", "rlimitinh", "dyntransition", "setcurrent", "execmem", "execstack", "execheap", "setkeycreate", - "setsockcreate", "getrlimit", NULL } }, + "setsockcreate", "getrlimit", "nnp_transition", NULL } }, { "system", { "ipc_info", "syslog_read", "syslog_mod", "syslog_console", "module_request", "module_load", NULL } }, diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index e91f08c..88efb1b 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -73,6 +73,7 @@ enum { POLICYDB_CAPABILITY_EXTSOCKCLASS, POLICYDB_CAPABILITY_ALWAYSNETWORK, POLICYDB_CAPABILITY_CGROUPSECLABEL, + POLICYDB_CAPABILITY_NNPTRANSITION, __POLICYDB_CAPABILITY_MAX }; #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) @@ -84,6 +85,7 @@ extern int selinux_policycap_openperm; extern int selinux_policycap_extsockclass; extern int selinux_policycap_alwaysnetwork; extern int selinux_policycap_cgroupseclabel; +extern int selinux_policycap_nnptransition; /* * type_datum properties diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 2f02fa6..2faf47a 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -76,7 +76,8 @@ char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX] = { "open_perms", "extended_socket_class", "always_check_network", - "cgroup_seclabel" + "cgroup_seclabel", + "nnp_transition" }; int selinux_policycap_netpeer; @@ -84,6 +85,7 @@ int selinux_policycap_openperm; int selinux_policycap_extsockclass; int selinux_policycap_alwaysnetwork; int selinux_policycap_cgroupseclabel; +int selinux_policycap_nnptransition; static DEFINE_RWLOCK(policy_rwlock); 
@@ -2009,6 +2011,9 @@ static void security_load_policycaps(void) selinux_policycap_cgroupseclabel = ebitmap_get_bit(&policydb.policycaps, POLICYDB_CAPABILITY_CGROUPSECLABEL); + selinux_policycap_nnptransition = + ebitmap_get_bit(&policydb.policycaps, + POLICYDB_CAPABILITY_NNPTRANSITION); for (i = 0; i < ARRAY_SIZE(selinux_policycap_names); i++) pr_info("SELinux: policy capability %s=%d\n",
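Review bot: In the check_nnp_nosuid() hunk in hooks.c, once selinux_policycap_nnptransition is set the else branch is skipped entirely, so a denied nnp_transition check falls straight through to the -EPERM/-EACCES return without ever calling security_bounded_transition(); a policy that turns the capability on while still relying on typebounds for some of its NNP or nosuid transitions will start failing those execs. Suggest dropping the else and running `rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);` after the avc_has_perm() path in both cases, so bounded transitions stay a valid fallback and the capability only adds the permission-based path. Two smaller points on the same hunk: the new comment says the check covers "NNP or nosuid", yet a single PROCESS__NNP_TRANSITION permission is consulted for both, so policy cannot allow one case without the other (a separate nosuid permission, or at least a name that says it covers both, would be clearer); and avc_has_perm() is called with a NULL audit data pointer, so the resulting denial record will not name the executable, even though bprm is in scope and could be passed as LSM_AUDIT_DATA_FILE as the other bprm hooks do.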
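Review bot: In the classmap.h hunk, "nnp_transition" is appended to the existing process class, and the hunk only shows the tail of that permission list, so it is not visible from the diff how many entries the class now holds; since a class's access vector is 32 bits wide, please state in the commit message that the count has been checked (or put the permission in a new class if it does not fit), otherwise the new bit is silently unusable rather than failing loudly at build time.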
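Review bot: In the services.c hunks, the policy capability string "nnp_transition" is spelled exactly like the new process permission added in classmap.h, which makes policy source and audit output ambiguous: a `policycap nnp_transition;` statement and an `allow ... : process nnp_transition;` rule read as if they refer to the same thing, and a log line mentioning nnp_transition does not say which of the two was missing. Suggest a capability name that describes the switch it flips (something along the lines of nnp_nosuid_transition, given that the hooks.c check applies to nosuid as well), and note that the new selinux_policycap_names[] entry must stay at the same index as POLICYDB_CAPABILITY_NNPTRANSITION in security.h, because the loop below indexes the array by the enum value.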
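As an added example that is not part of the patch or of the SELinux project's own policy, the CIL module below shows what option 4 looks like from the policy writer's side once the capability and permission from this RFC exist: it enables the capability and lets an init domain transition into a service domain under NoNewPrivileges (or from a nosuid mount) by granting nnp_transition between the two domains, with no typebounds statement. The type names demo_init_t, demo_svc_t and demo_svc_exec_t are invented for the example, and the module assumes a base policy that already declares the system_r role and a process class carrying the new nnp_transition permission (i.e. one built against the updated classmap).

```cil
;; Added example, not from the patch: a CIL module exercising the
;; nnp_transition policy capability and permission introduced above.
;; Assumptions: the base policy declares the process class with the new
;; nnp_transition permission and the system_r role; the three types
;; below are invented for this demonstration.

;; Switch check_nnp_nosuid() from the typebounds test to the
;; nnp_transition permission check.
(policycap nnp_transition)

(type demo_init_t)
(type demo_svc_t)
(type demo_svc_exec_t)
(roletype system_r demo_init_t)
(roletype system_r demo_svc_t)

;; Ordinary domain transition: init executes the service binary and the
;; new process runs as demo_svc_t.
(allow demo_init_t demo_svc_exec_t (file (getattr open read execute)))
(allow demo_svc_t demo_svc_exec_t (file (entrypoint getattr open read execute)))
(allow demo_init_t demo_svc_t (process (transition)))
(typetransition demo_init_t demo_svc_exec_t process demo_svc_t)

;; The new part: with the capability on, this rule is what lets the
;; transition proceed when demo_init_t runs with NoNewPrivileges set, or
;; when demo_svc_exec_t sits on a nosuid mount. Without it the exec fails
;; with EPERM (NNP) or EACCES (nosuid), as in the hooks.c hunk.
(allow demo_init_t demo_svc_t (process (nnp_transition)))

;; What option 3 in the cover letter would have required instead, which
;; forces demo_init_t to be allowed everything demo_svc_t is allowed:
;; (typebounds demo_init_t demo_svc_t)
```

On a kernel carrying this patch, `cat /sys/fs/selinux/policy_capabilities/nnp_transition` prints 1 once the loaded policy sets the capability (the file takes its name from the selinux_policycap_names[] entry added in services.c), and `sesearch -A -s demo_init_t -t demo_svc_t -c process -p nnp_transition` confirms the allow rule made it into the compiled policy; if either check comes back empty, an NNP exec into demo_svc_t will still be refused with EPERM.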