From patchwork Tue Jul 25 15:52:27 2017
X-Patchwork-Submitter: Stephen Smalley
X-Patchwork-Id: 9862383
From: Stephen Smalley
To: selinux@tycho.nsa.gov
Cc: Stephen Smalley, luto@kernel.org
Date: Tue, 25 Jul 2017 11:52:27 -0400
Message-Id: <20170725155227.30765-1-sds@tycho.nsa.gov>
Subject: [PATCH v3] selinux: Generalize support for NNP/nosuid SELinux domain transitions

As systemd ramps up enabling NNP (NoNewPrivileges) for system services, it is increasingly breaking SELinux domain transitions for those services and their descendants. systemd enables NNP not only for services whose unit files explicitly specify NoNewPrivileges=yes but also for services whose unit files specify any of the following options in combination with running without CAP_SYS_ADMIN (e.g. specifying User= or a CapabilityBoundingSet= without CAP_SYS_ADMIN): SystemCallFilter=, SystemCallArchitectures=, RestrictAddressFamilies=, RestrictNamespaces=, PrivateDevices=, ProtectKernelTunables=, ProtectKernelModules=, MemoryDenyWriteExecute=, or RestrictRealtime= as per the systemd.exec(5) man page.

The end result is bad for the security of both SELinux-disabled and SELinux-enabled systems. Packagers have to turn off these options in the unit files to preserve SELinux domain transitions. For users who choose to disable SELinux, this means that they miss out on at least having the systemd-supported protections. For users who keep SELinux enabled, they may still be missing out on some protections because it isn't necessarily guaranteed that the SELinux policy for that service provides the same protections in all cases.

commit 7b0d0b40cd78 ("selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID.") allowed bounded transitions under NNP in order to support limited usage for sandboxing programs. However, defining typebounds for all of the affected service domains is impractical to implement in policy, since typebounds requires us to ensure that each domain is allowed everything all of its descendant domains are allowed, and this has to be repeated for the entire chain of domain transitions. There is no way to clone all allow rules from descendants to their ancestors in policy currently, and doing so would be undesirable even if it were practical, as it requires leaking permissions to objects and operations into ancestor domains that could weaken their own security in order to allow them to the descendants (e.g. if a descendant requires execmem permission, then so do all of its ancestors; if a descendant requires execute permission to a file, then so do all of its ancestors; if a descendant requires read to a symbolic link or temporary file, then so do all of its ancestors...). SELinux domains are intentionally not hierarchical / bounded in this manner normally, and making them so would undermine their protections and least privilege.

We have long had a similar tension with SELinux transitions and nosuid mounts, albeit not as severe. Users often have had to choose between retaining nosuid on a mount and allowing SELinux domain transitions on files within those mounts. This likewise leads to unfortunate tradeoffs in security.

Decouple NNP/nosuid from SELinux transitions, so that we don't have to make a choice between them. Introduce a nnp_nosuid_transition policy capability that enables transitions under NNP/nosuid to be based on a permission (nnp_transition for NNP; nosuid_transition for nosuid) between the old and new contexts in addition to the current support for bounded transitions. Domain transitions can then be allowed in policy without requiring the parent to be a strict superset of all of its children.

With this change, systemd unit files can be left unmodified from upstream.
SELinux-disabled and SELinux-enabled users will benefit from retaining any of the systemd-provided protections. SELinux policy will only need to be adapted to enable the new policy capability and to allow the new permissions between domain pairs as appropriate. NB: Allowing nnp_transition between two contexts opens up the potential for the old context to subvert the new context by installing seccomp filters before the execve. Allowing nosuid_transition between two contexts opens up the potential for a context transition to occur on a file from an untrusted filesystem (e.g. removable media or remote filesystem). Use with care. Signed-off-by: Stephen Smalley --- security/selinux/hooks.c | 53 ++++++++++++++++++++++++++----------- security/selinux/include/classmap.h | 4 ++- security/selinux/include/security.h | 2 ++ security/selinux/ss/services.c | 7 ++++- 4 files changed, 48 insertions(+), 18 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 1684844..0b2eddf 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2319,6 +2319,8 @@ static int check_nnp_nosuid(const struct linux_binprm *bprm, int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); int rc; + u16 sclass; + u32 av; if (!nnp && !nosuid) return 0; /* neither NNP nor nosuid */ 
@@ -2327,24 +2329,43 @@ static int check_nnp_nosuid(const struct linux_binprm *bprm, return 0; /* No change in credentials */ /* - * The only transitions we permit under NNP or nosuid - * are transitions to bounded SIDs, i.e. SIDs that are - * guaranteed to only be allowed a subset of the permissions - * of the current SID. + * If the policy enables the nnp_nosuid_transition policy capability, + * then we permit transitions under NNP or nosuid if the + * policy allows the corresponding permission between + * the old and new contexts. */ - rc = security_bounded_transition(old_tsec->sid, new_tsec->sid); - if (rc) { - /* - * On failure, preserve the errno values for NNP vs nosuid. - * NNP: Operation not permitted for caller. - * nosuid: Permission denied to file. - */ - if (nnp) - return -EPERM; - else - return -EACCES; + if (selinux_policycap_nnp_nosuid_transition) { + if (nnp) { + sclass = SECCLASS_PROCESS; + av = PROCESS__NNP_TRANSITION; + } else { + sclass = SECCLASS_PROCESS2; + av = PROCESS2__NOSUID_TRANSITION; + } + + rc = avc_has_perm(old_tsec->sid, new_tsec->sid, + sclass, av, NULL); + if (!rc) + return 0; } - return 0; + + /* + * We also permit NNP or nosuid transitions to bounded SIDs, + * i.e. SIDs that are guaranteed to only be allowed a subset + * of the permissions of the current SID. + */ + rc = security_bounded_transition(old_tsec->sid, new_tsec->sid); + if (!rc) + return 0; + + /* + * On failure, preserve the errno values for NNP vs nosuid. + * NNP: Operation not permitted for caller. + * nosuid: Permission denied to file. + */ + if (nnp) + return -EPERM; + return -EACCES; } static int selinux_bprm_set_creds(struct linux_binprm *bprm) diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index b9fe343..b3f892d 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h 
@@ -47,7 +47,9 @@ struct security_class_mapping secclass_map[] = { "getattr", "setexec", "setfscreate", "noatsecure", "siginh", "setrlimit", "rlimitinh", "dyntransition", "setcurrent", "execmem", "execstack", "execheap", "setkeycreate", - "setsockcreate", "getrlimit", NULL } }, + "setsockcreate", "getrlimit", "nnp_transition", NULL } }, + { "process2", + { "nosuid_transition", NULL } }, { "system", { "ipc_info", "syslog_read", "syslog_mod", "syslog_console", "module_request", "module_load", NULL } }, diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index e91f08c..3e32317 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -73,6 +73,7 @@ enum { POLICYDB_CAPABILITY_EXTSOCKCLASS, POLICYDB_CAPABILITY_ALWAYSNETWORK, POLICYDB_CAPABILITY_CGROUPSECLABEL, + POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION, __POLICYDB_CAPABILITY_MAX }; #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) @@ -84,6 +85,7 @@ extern int selinux_policycap_openperm; extern int selinux_policycap_extsockclass; extern int selinux_policycap_alwaysnetwork; extern int selinux_policycap_cgroupseclabel; +extern int selinux_policycap_nnp_nosuid_transition; /* * type_datum properties diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 2f02fa6..16c55de 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -76,7 +76,8 @@ char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX] = { "open_perms", "extended_socket_class", "always_check_network", - "cgroup_seclabel" + "cgroup_seclabel", + "nnp_nosuid_transition" }; int selinux_policycap_netpeer; @@ -84,6 +85,7 @@ int selinux_policycap_openperm; int selinux_policycap_extsockclass; int selinux_policycap_alwaysnetwork; int selinux_policycap_cgroupseclabel; +int selinux_policycap_nnp_nosuid_transition; static DEFINE_RWLOCK(policy_rwlock); 
@@ -2009,6 +2011,9 @@ static void security_load_policycaps(void) selinux_policycap_cgroupseclabel = ebitmap_get_bit(&policydb.policycaps, POLICYDB_CAPABILITY_CGROUPSECLABEL); + selinux_policycap_nnp_nosuid_transition = + ebitmap_get_bit(&policydb.policycaps, + POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION); for (i = 0; i < ARRAY_SIZE(selinux_policycap_names); i++) pr_info("SELinux: policy capability %s=%d\n",
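Review bot: in the rewritten check_nnp_nosuid() in security/selinux/hooks.c, the `if (nnp) { ... } else { ... }` picks a single sclass/av pair, so a process that is both under NNP and executing a file from a nosuid mount is only ever asked for process:nnp_transition; process2:nosuid_transition is never consulted for it. A policy that grants nnp_transition to a domain pair but deliberately withholds nosuid_transition (the commit message's own caveat about untrusted filesystems) therefore still gets the transition when the file sits on a nosuid mount. Both applicable permissions should be required: either call avc_has_perm() once per set flag and return 0 only when every call succeeds, or, if both permissions live in one class, build the vector from both flags (`av = 0; if (nnp) av |= ...; if (nosuid) av |= ...;`) and make one call. A smaller point in the same hunk: the new avc_has_perm() runs before security_bounded_transition(), so on a policy that enables the capability but still relies on typebounds every such exec now emits an AVC denial record for nnp_transition or nosuid_transition before the bounded fallback succeeds; if that noise is unwanted, either check the bounded transition first or use avc_has_perm_noaudit() for the first probe.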
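Review bot: in security/selinux/include/classmap.h, placing nnp_transition in class process and nosuid_transition in the new class process2 is what forces the hook to choose one sclass/av pair instead of checking both permissions at once. Since process2 is being introduced by this patch anyway, putting nnp_transition there alongside nosuid_transition would keep both under one class and allow a single combined avc_has_perm() call. Either way, the new class and both permissions must be added to the policy's class/permission definitions (and documented with the other policy capabilities) before nnp_nosuid_transition is turned on; a policy that lacks them is reported as an unknown class or permission at load time and handled according to its handle_unknown setting.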
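Review bot: POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION in security.h is appended after POLICYDB_CAPABILITY_CGROUPSECLABEL and "nnp_nosuid_transition" is appended at the same position in selinux_policycap_names[] in services.c, which keeps the ebitmap_get_bit() lookup in security_load_policycaps() consistent; the commit message should still say that this bit index is an ABI shared with the policy compiler, so libsepol's policy capability name table needs the same name at the same index or a policy that sets the bit will not be built as such. The existing pr_info loop at the end of security_load_policycaps() already logs the new capability's value at policy load, so no additional logging is needed for verification.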
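The policy-side adaptation the commit message calls for (enable the new policy capability, then allow the new permissions between specific domain pairs) is shown below as an added example written in CIL; it is not part of this patch or of any shipped SELinux policy. It assumes a base policy whose class definitions already carry the two permissions this patch introduces (nnp_transition in class process, nosuid_transition in class process2) and that the types used exist there; init_t, httpd_t and httpd_exec_t are reference-policy names used purely for illustration.

```cil
;; Added example (not from the patch or the reference policy): enabling the
;; nnp_nosuid_transition capability and granting the new permissions for one
;; domain pair. Assumes the base policy already declares class process with
;; nnp_transition and class process2 with nosuid_transition, and already
;; declares the types init_t, httpd_t and httpd_exec_t (illustrative names).

;; 1. Turn the capability on. Without this bit set in the loaded policy,
;;    check_nnp_nosuid() still falls back to bounded transitions only.
(policycap nnp_nosuid_transition)

;; 2. Permit the init_t -> httpd_t transition even though the service runs
;;    with NoNewPrivileges (the NNP half of the check). The caveat from the
;;    commit message applies: init_t could install seccomp filters that the
;;    httpd_t child inherits.
(allow init_t httpd_t (process (nnp_transition)))

;; 3. Permit the same transition when httpd_exec_t lives on a nosuid mount
;;    (the nosuid half). Grant this only where the executable's filesystem
;;    is trusted; removable or remote media is exactly the case to withhold.
(allow init_t httpd_t (process2 (nosuid_transition)))

;; The ordinary domain-transition rules are unchanged and still required;
;; the new permissions only lift the NNP/nosuid restriction on top of them.
(allow init_t httpd_t (process (transition)))
(allow init_t httpd_exec_t (file (execute read open getattr)))
(allow httpd_t httpd_exec_t (file (entrypoint execute read open getattr)))
(typetransition init_t httpd_exec_t process httpd_t)
```

Load it with semodule -i on the .cil file, then confirm the capability took effect by reading /sys/fs/selinux/policy_capabilities/nnp_nosuid_transition (it reads 1, and the kernel log carries the "SELinux: policy capability nnp_nosuid_transition=1" line printed by the loop in security_load_policycaps()). The granted rules can be checked with sesearch -A -s init_t -t httpd_t -c process -p nnp_transition and the corresponding -c process2 -p nosuid_transition query. Leaving rule 3 out while keeping rule 2 is the intended way to allow the transition for a service under NNP but still refuse it from nosuid media.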