From patchwork Mon Jul 31 14:15:01 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stephen Smalley X-Patchwork-Id: 9871881 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 6D92B60365 for ; Mon, 31 Jul 2017 14:14:24 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6A1DE28409 for ; Mon, 31 Jul 2017 14:14:24 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 5D02628473; Mon, 31 Jul 2017 14:14:24 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from ucol19pa09.eemsg.mail.mil (ucol19pa09.eemsg.mail.mil [214.24.24.82]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id AFE7528409 for ; Mon, 31 Jul 2017 14:14:22 +0000 (UTC) X-IronPort-AV: E=Sophos;i="5.40,442,1496102400"; d="scan'208";a="500449420" Received: from emsm-gh1-uea10.ncsc.mil ([214.29.60.2]) by ucol19pa09.eemsg.mail.mil with ESMTP; 31 Jul 2017 14:14:21 +0000 X-IronPort-AV: E=Sophos;i="5.40,442,1496102400"; d="scan'208";a="583232" IronPort-PHdr: =?us-ascii?q?9a23=3A7ucHzBG2Aq0EQbT8PUgAb51GYnF86YWxBRYc798d?= =?us-ascii?q?s5kLTJ7+rs68bnLW6fgltlLVR4KTs6sC0LuG9f6/EjBfqb+681k6OKRWUBEEjc?= =?us-ascii?q?hE1ycBO+WiTXPBEfjxciYhF95DXlI2t1uyMExSBdqsLwaK+i764jEdAAjwOhRo?= =?us-ascii?q?LerpBIHSk9631+ev8JHPfglEnjSwbLdxIRmsrAjctMYajIRgJ60s1hbHv3xEdv?= =?us-ascii?q?hMy2h1P1yThRH85smx/J5n7Stdvu8q+tBDX6vnYak2VKRUAzs6PW874s3rrgTD?= =?us-ascii?q?QhCU5nQASGUWkwFHDBbD4RrnQ5r+qCr6tu562CmHIc37SK0/VDq+46t3ThLjlS?= =?us-ascii?q?kINyQ98GrKlMJ+iqxVqw+lqxBm3YLYfISZOfxjda3fYNwaX3JMUMZPWSJPAY2y?= =?us-ascii?q?aJYBD/IDMOpFoYTyuUAOoACiCQWwHu7j1iVFimPq0aA8zu8vERvG3AslH98WrX?= =?us-ascii?q?rUsMv6NL8SUe+ryqnD0CjNb/ZM1jf57IjHbBAgquyLULJrbMXR0lIiFx/Fj1qM?= =?us-ascii?q?qYzlOCmZ1uIWs2eB9eZgWuWvi3A+pgx3vzOhxd8sh5HUio8axV3I7yV0zJsvKd?= =?us-ascii?q?GmR0N3f8SoHIZWuiqHLYV5WNkiTHttuCsiz70GvoO0czYSxZQ8wh7fd+SHc4+V?= =?us-ascii?q?4hL/TOqRISl3hHZieL+nmxa961KgyuzhVsmvylpKsipEncXMtnAKzRDT7NSISu?= =?us-ascii?q?Bh8Uu73DaP1gTT5vlFIUAyi6XbN4YszqM/m5ccq0jOHjL6lF/ogKKZaEko4PWk?= =?us-ascii?q?5/ziYrr8p5+cM4F0ihv5MqQrgsG/Gvo3MgwPX2id5OS926Tv8lb+QLVXiP05jr?= =?us-ascii?q?fWsIvBKMQHpq+2Hw9V0oE55xa5FDepys4UnXYALFJbYB6HlZTmO0nSIPDkCvey?= =?us-ascii?q?m1askDBtx//cIr3hAo/CLn7YnbfjerZ97UtcxxAozdBD+Z1UEKoBLOj0Wk/ru9?= =?us-ascii?q?zSFgU5PBCsw+b7FNV90ZsTWWCNAqCDLKzSskSI5uUpI+mNeo8Yozj9K/w45//h?= =?us-ascii?q?lnA5hFkdfbW03ZcNb3C4BPtmKV2DYXXwmtcBDXsKvg0mQe3kiV2CVTtTaGioX6?= =?us-ascii?q?8n6DE0Fp+pDYDZRo+3mLyBxiC7Hp9IaW9aFlCAC3Dod5+LW/0UciKdPtdhkiAY?= =?us-ascii?q?VbimU4IuyA2htAr9y7phMurY5zYVtYz929hv5u3SlBYy9TpuA8SbzW6NU3l+nn?= =?us-ascii?q?kUSD8uwKB/vUt9x0+e3qhkmfNYD8de6O9OUgc/KZHT1fd6C8zoVgLHYNiJVE6s?= =?us-ascii?q?Qs+6DjEpUtIx39gObl59GtSjiRDD2TGnA7oRl7CSBZw09LjQ337rKMZnyHbG1b?= =?us-ascii?q?chgEc8TstJK2KmmrZ19xLPCI7Rj0WZi6GqeLwC0y7V7miD12uOvFpDXQ5oS6rF?= =?us-ascii?q?R3EfZlDOrdT9/EzNU6GhBa4gMgtbxs6IMrFKZcHxjVVaWPfjP8zTY2yrm2iqAx?= =?us-ascii?q?aH2rKMbJHxdmUYxCXdCVEIkxsd/HadLwQ+AT2ho23GBjx0CV3ve1/s8fV5qH6j?= =?us-ascii?q?TU871QKKb0p817eu+R4an/+cS/QO3r4evychsTp0Fk6n393KE9qAuxZhfKJEbN?= =?us-ascii?q?wn/VhHz2PZuBJnPpG7Na9tmlsefx5wv0P02BV9Ep9AntQyrHM20ApyLrqV0Elc?= =?us-ascii?q?eDyFxp3wNbjXK2bo8BCpdaHWxknU0MyK9acX9PQ4t1LjsRmyFkos6XVn1MJV02?= =?us-ascii?q?eH65XRCgoSVpzwUkMt+Bh8vb3aZDcy55/M3312Laa0qiPC284uBOY9xBevZdNf?= =?us-ascii?q?ML+aGw/oCM0XHNauJ/Iwm1eycxIEOfpe9KkuP8Opb/GGwrKkPP58nDK6imRK+J?= =?us-ascii?q?x93V+R+Cp9UOHI240IzO2f3guCSzjzlkyhstztlYBCez4SAnK1yTL4C45Jeq1y?= =?us-ascii?q?YYELBH+oI822wtV+g4DiW2VD+VG5GVwGwsipdQCVb1zn0g1azV4XrmC/mSuk0z?= =?us-ascii?q?x0lCkkrrSe3CPS3+TicwAHNnRXS2liilfsJ4e0gsseXEipaQgmjgGl5UHgy6hc?= =?us-ascii?q?vqR/IHHZQV1UcCjuM2FiTqywu6KGY85O85MorTxbUP+iblCeS779pQYa0iz4Em?= =?us-ascii?q?tF3DA7djequpTlkBxhkm6dKmh8rGbBc8Fq2Rjf/MDcReJW3jceXil4jj3XBlyi?= =?us-ascii?q?MNmz4dqUkJnCv/ulV2K8SpJTajPnzYSatCu0/WdqGwGwn+ivmt37Fgg3ySz72M?= =?us-ascii?q?dsVSXTtxv8YZfk16KhMeJhYEZoGEXw681gGoFxioEwno0f2WAGhpWJ+noKiX/z?= =?us-ascii?q?Ps9G2aL6cnUNXSQEw9jJ4Af7wk1uNW+Jx5nnWXWH2cttfcK6YmQL2iIn889FFq?= =?us-ascii?q?mU7LtenSt6vFW0twTRbuZhnj0F0/sh9GYag/0VuAoq1iidHLYSElRDMCzykRSH?= =?us-ascii?q?8tC+oL9RZGmxbbi6zFB+ksy5DLGevgFcX270eo84Ei9t6sVyK07D0Hzv6oDkYd?= =?us-ascii?q?XQY8gcthuOnxfHlehVJ4o7luAWiip/JWL9oXolxvY1jRN025G6oI+HK2B28aK3?= =?us-ascii?q?HBFXKzr1Z9kJ9TH1l6ZemcSW0J6zEZV9ADkLW4HoTf2wGjIIqfvnLxqOECE7qn?= =?us-ascii?q?qDHLrQBwuf6EN4oHLTD5CkLWuYKWIfzdp8WBmdP1BQjxoMXDokhJI5EB6lxND5?= =?us-ascii?q?ekdj+j8R/kL4qgdLyu9wLRnzSGneqB2tajguTJifKxpX4xpY6EjJNMyS9OVzHz?= =?us-ascii?q?tX/pe5tgyCNnSbZxhUDWEOQkGECUrjMaez6tnb6eeYAPa+L/zVYbiVs+NRS/KI?= =?us-ascii?q?yYio0ot88DaGLt+PMWV6D/0nxkpDWmh0G8LDmzoVUywXjznAb8CapBem4S13ss?= =?us-ascii?q?6/8PXtWA3144uAF7pSPs9r+xyshqeDLeGQjj5jKTlEzpMM2WPIyL8H0V4KlS5h?= =?us-ascii?q?bCeiEbIBtS7RS6Ldga5XAAAFZCxtLsdI6Lg83gZVM87Bltz1zqJ4juIyC1pdTl?= =?us-ascii?q?PugcalZcgLI2GmKFPHH1yHNK+YKjLX2c33er2zSblRjOVSqh2xti2WHFPjPzSZ?= =?us-ascii?q?ijnpTAqjMO9WgyGHJxxev4e9fgxqCWj5Q9Lscge7P8NvjT0q3b00gWvHOnUdMT?= =?us-ascii?q?hzdENNqKad4j5GjfpkGmxO9HxlIfODmyaD4OnSMowWvudzAiRoi+Ja52w3xKFa?= =?us-ascii?q?7C5eWvx6hjDfrtl2o164lOmPzyBoUBtKqjlQg4KKsl9uOaLD9plPQXzE5g4C7X?= =?us-ascii?q?2MCxQWoNtoEsHvu6dVytTVjqLzLzZD/MzS/cQHHcjUL9yIMHk6PBX1Hz7UCRcK?= =?us-ascii?q?QiSwNWHDnUBdlu+d9mGNpJggtpfsgIYOSqNcVFEtFfMbCkBlE8IZLZdyWTMkn7?= =?us-ascii?q?Cbg9AU5XqirBnRQ8BasY7dWvKUH/rvNC6TjaNYaBsQ3bP4MYMTO5X920N8cFZ6?= =?us-ascii?q?mJ/HG0nXXdBWvi1udAk0oF5O8Hh/VGEz3Vzqah+16n8JCfG0hgI2ihd5Yek17j?= =?us-ascii?q?fj/Uw3KUTQqysqjEYxmc7ojiuQcD7rMaiwWo9WCzLut0cvMpL3WQB1YhOunUZ8?= =?us-ascii?q?LjfLW6pRj6d8dWBskALTpJxPGfhaTaJZfhAQwfCXau4y3ltCsCWnwlVL5ezfCZ?= =?us-ascii?q?ttjAEqa4Kjr2pc2wJ/a944PbHfK7BXzlhRm62OpTSl2forwA8EIEYM/niSdzAU?= =?us-ascii?q?t0wVLLkmJjao/+x25QyEhTRDZHAGV+A2rfJy6kM9J+OAwjr93L5YNE++LeOfL7?= =?us-ascii?q?mDtGjejsOIWUk/1kAVl0lf57d6y8Mjc1eSV0811rudDggJNc3BKQBVaMpe7n7T?= =?us-ascii?q?cjiSse/V25J6I529Fvz0Te+JrKsUhkWkHBw3EIQK78UBGYKh0E7eLcf6NrIFzg?= =?us-ascii?q?8t5AvzLlWfEPtJYA6LkCsAo8yn1594w41dJjAbAWVgPiS6/arYpggvgPWfRtg2?= =?us-ascii?q?eWsaUpECNn0oRM2wgzRZsGhYDDmrzuIZzxCP7zzmpiXQFjb8acZjZPePaBNjD9?= =?us-ascii?q?G24Skw/7KwiVHJ7pXUP3v6Osh6ut/T9eMaoI6KC+9VTbl4tEfch4lYRnyxXmHS?= =?us-ascii?q?EN60J4L/ZJI2YdzyFHm6TkS1iygpQMfpINatMq+IjBnySoZQsYmUwC4sOte4Fj?= =?us-ascii?q?AeHRdwoOcD67hnaAIYYpo0exjoux0wN6yiOguY1MuhQ3q1IztMU/Zf1fm6Z6BQ?= =?us-ascii?q?zyc0deC11n0gQ4ogwOaq704CWosKjgrEyva5Z4hSSy/zGmZSew/Xvyo2i3BhNv?= =?us-ascii?q?ouwuc42B7IvkQcMzGPdOxtdmNEusoxCk6MLnptC2o3XVmcgZDE4g620LAY5zFd?= =?us-ascii?q?kMpM0e1ZrHj+uYfSYCiqWKyqtZrVsy0gbdw9o6NpKILtP9GIuY/ZkDHEUJbQtQ?= =?us-ascii?q?iFXzKgGPpBhthcOiRYT+dUmWs9I8wJpZJB6VYtVsc5P7FPErMjpqqtaTV/FiMS?= =?us-ascii?q?0TUZWJme3DMchue82r3alhiUcJQjPxwEsIlCgtUHXC5sZyMSvqmjWJvKl2WcUG?= =?us-ascii?q?gEPB8T7RhQ5AIHjoJxcPrp75bITJ9Nzj5Wouh7UijQG5lp6VT0VH+ZjUL/SPW7?= =?us-ascii?q?nOyjxRhSw+700tkHRB5/DlBQyPxMlks1LrF7MaoQs5XLsj+JdEP6oHnixPGgJF?= =?us-ascii?q?ZP1c3eb0f4A5bdtWrgTi0c/mUZRY5JyHHDC5sSlxR2aKM1q1VQOoCnel3z5zs8?= =?us-ascii?q?x4t3Gbm4UNqkx1chrXkdQCerHMBNC+Z8sFLYQDdleYykqI35O5VORW9d4JKdq0?= =?us-ascii?q?1Dn0VrLy600ptcK8ZD4z4KQDhPoSuSvNq0SM1fx8B2FYUAItFhtHfhAKlEIoSe?= =?us-ascii?q?o2UqurzzzX/U4yw8sFC/xDioB6+0U+dZ8HYEFgUvOWuetlElD/Ew/WfK7lDNrl?= =?us-ascii?q?d08v9bBreVl0V+ujJ9EY1VCzlUy3+lN0xzQ2dCs+pEMqTZactcQ+M9ZRW3IRwx?= =?us-ascii?q?CeYm31CV/UFzhXr5YStyuRVB9i/AQQY0Tjcagq3xmTIAt86rIzkaRIxUbT85dS?= =?us-ascii?q?fKNxqbmTxLvBZYc0xlQJ4ZDcpZ97wZwIdZ8NHPRlqrKSEAQBNtLBk40eZFmU5F?= =?us-ascii?q?rkqYZTjXDRC0evbXrh13YcCRodazLPvn4QhHipnosPwj+qUHQH2mhxOiTc7CoI?= =?us-ascii?q?/7q9KFqFGCdKHmPO2geXXBViTDjQishbc4CJnH5zDTMBFHK5Zg1HUkfYPsCXXM?= =?us-ascii?q?PRRbPaIUO1RUVaZmadVcuO9aY9VoeKET+a9iHhiHXA/gGJSzrPlaKVbeXSjeLz?= =?us-ascii?q?+f/eOhvI3e9qHdSez8ZsyW3XnHXaN3PpB+6TblB7fmy4he+lD52v117EN1VUDG?= =?us-ascii?q?MzydrNTmPg4L5tOtdlHlvp0yGTPZGolwnWHoxkFdc8oXXyyq/4gZyJxD7nbwUv?= =?us-ascii?q?h00k/psO1d77Nk85U446h1yceoIqffMfZavlVhAhiaHAVq8YgiD3ZkSmBNeOAR?= =?us-ascii?q?LuzRfaMDgcDote/3C7Qd6AeJ9OxBddvHO0bBl9G5CjGYUhFEnQEBqTsAIgud0f?= =?us-ascii?q?6FlbV0Rty+pejlwEIt/kSxLgIbzLB3+4iI4K2IpPXYbxHJ17gLRrDqRt/vrrQr?= =?us-ascii?q?o06S4/wkm6IJemxxeQKnC/IRVs8axmfn1qAq1jkhE8bMErPv4vJDUGg5nj34kZ?= =?us-ascii?q?BnA1oWAu8UHaaM/YlGgmg3gejZOcMNcqBemmePEgWpEqQexn6q9SSXJnVlghDU?= =?us-ascii?q?3B3qR2O88kP2pzdiQSTQ19fjjlZVVr6vCEdWRCqpPE91vSiBPAX2qdX3vr4141?= =?us-ascii?q?suMmz+s9KNlnWuN69LH8HlI9ycOyY0rkoNjJItXtyvxZwbGd2lLdcT8XF+a+DT?= =?us-ascii?q?62a1nC5BvahHnYve4sea+vnNG3mvkbGaoa2XxD9E0ng4oU0/6te4O/HP5tyFWe?= =?us-ascii?q?6n2HoKQidkpQTBQwC6paDBo1ATI0yL31/BmJYWMdFBwXk4ykbm6fA4T9Iy7wVf?= =?us-ascii?q?GJzPZ/EDpTDvIDv720ufY9YsWyaC1DtYA0z6HkNlGKgm32LwptjGmW3X+10ySY?= =?us-ascii?q?l6b1bnigBvD4UkNUIt70AawjIZHggRdR+bDL+pBUP/LYsHTEQDcgqI3Ly7eqcx?= =?us-ascii?q?wE1yzaii5PfJYuxgG6UNNvhcjgmUnFhYAJ4WsrMRQKh6e1BD8K7bvA/iC5LoX/?= =?us-ascii?q?L+j3o/KeW1QtxG8cAer3Yi/hy/SASk6ZhZ6bYUlouFebNFYZjDvcB8811o5SUV?= =?us-ascii?q?eSxXnRhzlRW5Xv4ApOr7+NjUrIKo6vqyVKYqX+gX+AI7B35ggJvsgFAuutXX1+?= =?us-ascii?q?ZASoLLiYTw6h1NI2WQtIbczRZ8NfIEK5i3c7Z463UHOy8eKmoBPdWIbfk8/yht?= =?us-ascii?q?MDLU61xZHMwMYdIYPMzQmQFbkUDpXK9c9tDbG1CCEYtzcd4n73bvwjAv7ZQ8Sv?= =?us-ascii?q?rg6COxJZ3H815NPelMgzl3md3eo+gVxf7SCCkJ7nmDdxh63D+Ny5mXB/b35+WM?= =?us-ascii?q?x8neV0kaES4uT4ddOD2C9BSiRuqykpXpTgyU5dHojZI7dUKfXHqxk7oZsqdCFu?= =?us-ascii?q?5AkCb73iNEGoDzmf2Vr8Km6HFLuV1fDIZz8RrFFb1QPppnIhT4jdCnSFVzCCX5?= =?us-ascii?q?ecHUcAcuueWNy+cD5uVxLU3+apEBLhID0bL65mJfThFyR77uolaZQeURacNkSP?= =?us-ascii?q?PDrnBV75hsJLMPPFiZuZzlszZJqFEwAA8ya78wrydXdlfPnA1LQan0vKMPigoG?= =?us-ascii?q?Xd5/p0BMBXq6OHgi6DrfSaRVkK6RBeQU8jWNVKMOVV5lMidjQxyo2ZVufKCpke?= =?us-ascii?q?pAsmNckSN3uOIq3CB+RBugpS3soLoA2TA+97G2ujUBvWdIT+uEnCfOF1pD0O4G?= =?us-ascii?q?jaECBHb+8Va8emUMbJPu4Ll7IsTt7YYh43A4YRQtYSIGWeCgBjrrj6OPBIyPsc?= =?us-ascii?q?5TiASLuMrQcb+5NTISOaglyRL/W3h91RDTnBRo8GoLWjWg69skJIShOck73Seo?= =?us-ascii?q?HGnbdEoW4qxXqsfxskQLTOQuY1N73GpjytSHRjEKRMHXB2Y1jw0kZH5YcJJC9R?= =?us-ascii?q?AaFLcngjKSsqlA4A4UfC/eEp659YnIgcfIxX49QM9vxmLXpa2FhZQq3WZnm9xu?= =?us-ascii?q?7S6Ov3ISePLeU8N2BHj8yJtfw/TkZ/qxquAHVJdmyLO5XfAZLMaj/3e21Y5xWk?= =?us-ascii?q?+hwbQeA0a5MPEdybjGSSulTneYWeuTeWiWgzk5KlLy5QWvLlAvcMdKqEs9PfHY?= =?us-ascii?q?hp9SkA3hVb10Sz6VpV/cy2wjKv0VeB4suIegYAwKV+8RZ+6TJeQ0x/0+ElQMZW?= =?us-ascii?q?fTHSRqE++2rUKtnI9jNnVu/0r6ZeXt8hj4P9aJGxgEEIvarptv9vygQmKOJ2Vs?= =?us-ascii?q?zBpoPEl77+3fDUg+tvdAc5aNmtjdn9p60fYfd/dsLSIypMUemodi6YmIyseFbw?= =?us-ascii?q?vdzpHoJdHauvKYGeHQz1w2emFGVboUeQT154EkMdMiQ73TGaFWvQ8ABag7XJMh?= =?us-ascii?q?K33x+79qIw9pdA7eeqi0iNHwpu2XfptUu2PW7lUoISfYuh0DzOG0TANiY5Cuhn?= =?us-ascii?q?XyO4wwRilaot1sEBRmGoxPF9kHrwq9DJ6egLu7hMOp+0Nmp+8KtrL9CuvU29S9?= =?us-ascii?q?3oVxWYVa5EOMMDjeGKlrglpqjv6sjffYyJb8EsDids0eVOh9XGHFbqTJHpiwKj?= =?us-ascii?q?6UPcL8YUFG+aaG0L1lShWReDz5X62euS2hLvpr/UU7yo1+fOrU1zEt8bDb2N3s?= =?us-ascii?q?aGFfpyejq2OJNZRF4FzNH+zeUApeSeCZ/2Z9Aa0XcYz0+f8MMdM4w9ic5BJ84S?= =?us-ascii?q?9f0MuDP6ihrkjM2l90dZLbMEvlwSA5VpcWIB6nK0sjnXfZqmjBAXRbNsWkK8xt?= =?us-ascii?q?gNGPDhz35klxgnogZmhbFWrtW9iROHIX28WkZA2F7AhLFcoMn/areU4ksa2/Uf?= =?us-ascii?q?JoOptAmeq2tbgKks1kKz/RS8hAPiHRLbh2PjxLAuXJulcofk1Mj79gQYoxZJ6T?= =?us-ascii?q?MGsbIUyAzmX01gKE3krqJPK206PcGzob6nVKyfr+1DFIowSo8aKCjtbLTKHSbJ?= =?us-ascii?q?awWuXbdiUiSGfJFnwJDU+19AL86LI/t/2CLDJa+AgZ?= X-IPAS-Result: =?us-ascii?q?A2CdAgD7OX9Z/wHyM5BcGgEBAQECAQEBAQgBAQEBFQEBAQE?= =?us-ascii?q?CAQEBAQgBAQEBgwQrgWUTjwCPBZl9LIkmVwEBAQEBAQEBAgFqKIIzJIJJAnYDA?= =?us-ascii?q?wkCFzEIAwFsBYgJT4FFDbBvIgKLSoMokz0FiWGIbI0ilBoNi0qGc5VyV4EKKAo?= =?us-ascii?q?CHwgiD4UPDEQcggNaii8BAQE?= Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1]) by EMSM-GH1-UEA10.NCSC.MIL with ESMTP; 31 Jul 2017 14:14:02 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v6VEDcHK001640; Mon, 31 Jul 2017 10:13:43 -0400 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id v6VEAFXG055095 for ; Mon, 31 Jul 2017 10:10:15 -0400 Received: from moss-pluto.infosec.tycho.ncsc.mil (moss-pluto [192.168.25.131]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v6VEABor000860; Mon, 31 Jul 2017 10:10:11 -0400 From: Stephen Smalley To: selinux@tycho.nsa.gov Date: Mon, 31 Jul 2017 10:15:01 -0400 Message-Id: <20170731141501.14430-1-sds@tycho.nsa.gov> X-Mailer: git-send-email 2.9.4 Subject: [PATCH v2] selinux-testsuite: Add tests for transitions under NNP/nosuid X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.21 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: Cc: Stephen Smalley Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP Duplicate the existing tests for transitions under NNP for transitions on a nosuid mount, and then augment both the NNP and nosuid tests to also test the new support for allowing transitions based on nnp_transition and/or nosuid_transition permission if the nnp_nosuid_transition policy capability is enabled. Test NNP and nosuid independently and together. Signed-off-by: Stephen Smalley --- v2 merges the nnp and nosuid tests together since they overlap significantly in policy and code, and adds new tests for the case where both NNP and nosuid are enabled. policy/Makefile | 6 +- policy/test_nnp.te | 34 ------- policy/test_nnp_nosuid.te | 85 +++++++++++++++++ tests/Makefile | 10 +- tests/nnp/test | 44 --------- tests/{nnp => nnp_nosuid}/Makefile | 0 tests/{nnp => nnp_nosuid}/checkcon.c | 0 tests/{nnp => nnp_nosuid}/execnnp.c | 38 ++++++-- tests/nnp_nosuid/test | 179 +++++++++++++++++++++++++++++++++++ 9 files changed, 303 insertions(+), 93 deletions(-) delete mode 100644 policy/test_nnp.te create mode 100644 policy/test_nnp_nosuid.te delete mode 100755 tests/nnp/test rename tests/{nnp => nnp_nosuid}/Makefile (100%) rename tests/{nnp => nnp_nosuid}/checkcon.c (100%) rename tests/{nnp => nnp_nosuid}/execnnp.c (62%) create mode 100755 tests/nnp_nosuid/test diff --git a/policy/Makefile b/policy/Makefile index b728a9e..1dafc65 100644 --- a/policy/Makefile +++ b/policy/Makefile @@ -16,7 +16,7 @@ TARGETS = \ test_entrypoint.te test_execshare.te test_exectrace.te \ test_execute_no_trans.te test_fdreceive.te test_file.te \ test_inherit.te test_ioctl.te test_ipc.te test_link.te test_mkdir.te \ - test_nnp.te test_open.te test_ptrace.te test_readlink.te \ + test_nnp_nosuid.te test_open.te test_ptrace.te test_readlink.te \ test_relabel.te test_rename.te test_rxdir.te test_setattr.te \ test_setnice.te test_sigkill.te test_stat.te test_sysctl.te \ test_task_create.te test_task_getpgid.te test_task_getsched.te \ @@ -57,6 +57,10 @@ ifeq ($(shell grep -q all_file_perms.*map $(POLDEV)/include/support/all_perms.sp export M4PARAM = -Dmap_permission_defined endif +ifeq ($(shell grep -q nnp_transition $(POLDEV)/include/support/all_perms.spt && echo true),true) +export M4PARAM += -Dnnp_nosuid_transition_permission_defined +endif + ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6)) TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te, $(TARGETS)) endif diff --git a/policy/test_nnp.te b/policy/test_nnp.te deleted file mode 100644 index 54ebfd3..0000000 --- a/policy/test_nnp.te +++ /dev/null @@ -1,34 +0,0 @@ -################################# -# -# Policy for testing NO_NEW_PRIVS transitions. -# - -# A domain bounded by the unconfined domain. -type test_nnp_bounded_t; -domain_type(test_nnp_bounded_t) -typeattribute test_nnp_bounded_t testdomain; -typebounds unconfined_t test_nnp_bounded_t; - -# The entrypoint type for this domain. -type test_nnp_bounded_exec_t; -files_type(test_nnp_bounded_exec_t) -domain_entry_file(test_nnp_bounded_t, test_nnp_bounded_exec_t) -domain_entry_file(unconfined_t, test_nnp_bounded_exec_t) - -# Run it! This should succeed on v3.18 or later, fail on older kernels. -unconfined_runs_test(test_nnp_bounded_t) -unconfined_run_to(test_nnp_bounded_t, test_nnp_bounded_exec_t) - -# A domain that is not bounded by the unconfined domain. -type test_nnp_notbounded_t; -domain_type(test_nnp_notbounded_t) -typeattribute test_nnp_notbounded_t testdomain; - -# The entrypoint type for this domain. -type test_nnp_notbounded_exec_t; -files_type(test_nnp_notbounded_exec_t) -domain_entry_file(test_nnp_notbounded_t, test_nnp_notbounded_exec_t) - -# Run it! This should fail always. -unconfined_runs_test(test_nnp_notbounded_t) -unconfined_run_to(test_nnp_notbounded_t, test_nnp_notbounded_exec_t) diff --git a/policy/test_nnp_nosuid.te b/policy/test_nnp_nosuid.te new file mode 100644 index 0000000..06fe145 --- /dev/null +++ b/policy/test_nnp_nosuid.te @@ -0,0 +1,85 @@ +################################# +# +# Policy for testing NO_NEW_PRIVS and nosuid transitions. +# + +# A domain bounded by the unconfined domain. +type test_bounded_t; +domain_type(test_bounded_t) +typeattribute test_bounded_t testdomain; +typebounds unconfined_t test_bounded_t; + +# The entrypoint type for this domain. +type test_bounded_exec_t; +files_type(test_bounded_exec_t) +domain_entry_file(test_bounded_t, test_bounded_exec_t) +domain_entry_file(unconfined_t, test_bounded_exec_t) + +# Run it! This should succeed on v3.18 or later, fail on older kernels. +unconfined_runs_test(test_bounded_t) +unconfined_run_to(test_bounded_t, test_bounded_exec_t) + +# A domain that is not bounded by the unconfined domain. +type test_notbounded_t; +domain_type(test_notbounded_t) +typeattribute test_notbounded_t testdomain; + +# The entrypoint type for this domain. +type test_notbounded_exec_t; +files_type(test_notbounded_exec_t) +domain_entry_file(test_notbounded_t, test_notbounded_exec_t) + +# Run it! This should fail always. +unconfined_runs_test(test_notbounded_t) +unconfined_run_to(test_notbounded_t, test_notbounded_exec_t) + +# A domain to which the unconfined domain is allowed nnp_transition. +type test_nnptransition_t; +domain_type(test_nnptransition_t) +typeattribute test_nnptransition_t testdomain; + +# The entrypoint type for this domain. +type test_nnptransition_exec_t; +files_type(test_nnptransition_exec_t) +domain_entry_file(test_nnptransition_t, test_nnptransition_exec_t) + +# Run it! This should succeed on v4.14 or later. +unconfined_runs_test(test_nnptransition_t) +unconfined_run_to(test_nnptransition_t, test_nnptransition_exec_t) +ifdef(`nnp_nosuid_transition_permission_defined', ` +allow unconfined_t test_nnptransition_t:process2 nnp_transition; +') + +# A domain to which the unconfined domain is allowed nosuid_transition. +type test_nosuidtransition_t; +domain_type(test_nosuidtransition_t) +typeattribute test_nosuidtransition_t testdomain; + +# The entrypoint type for this domain. +type test_nosuidtransition_exec_t; +files_type(test_nosuidtransition_exec_t) +domain_entry_file(test_nosuidtransition_t, test_nosuidtransition_exec_t) + +# Run it! This should succeed on v4.14 or later. +unconfined_runs_test(test_nosuidtransition_t) +unconfined_run_to(test_nosuidtransition_t, test_nosuidtransition_exec_t) +ifdef(`nnp_nosuid_transition_permission_defined', ` +allow unconfined_t test_nosuidtransition_t:process2 nosuid_transition; +') + +# A domain to which the unconfined domain is allowed both nosuid_transition and nnp_transition. +type test_nnpnosuidtransition_t; +domain_type(test_nnpnosuidtransition_t) +typeattribute test_nnpnosuidtransition_t testdomain; + +# The entrypoint type for this domain. +type test_nnpnosuidtransition_exec_t; +files_type(test_nosuidtransition_exec_t) +domain_entry_file(test_nnpnosuidtransition_t, test_nnpnosuidtransition_exec_t) + +# Run it! This should succeed on v4.14 or later. +unconfined_runs_test(test_nnpnosuidtransition_t) +unconfined_run_to(test_nosuidtransition_t, test_nnpnosuidtransition_exec_t) +ifdef(`nnp_nosuid_transition_permission_defined', ` +allow unconfined_t test_nnpnosuidtransition_t:process2 { nnp_transition nosuid_transition }; +') diff --git a/tests/Makefile b/tests/Makefile index f42fe7e..f9cc5ac 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -9,8 +9,8 @@ SUBDIRS:= domain_trans entrypoint execshare exectrace execute_no_trans \ rxdir sem setattr setnice shm sigkill stat sysctl task_create \ task_setnice task_setscheduler task_getscheduler task_getsid \ task_getpgid task_setpgid file ioctl capable_file capable_net \ - capable_sys dyntrans dyntrace bounds nnp mmap unix_socket inet_socket \ - overlay checkreqprot mqueue mac_admin infiniband_pkey \ + capable_sys dyntrans dyntrace bounds nnp_nosuid mmap unix_socket \ + inet_socket overlay checkreqprot mqueue mac_admin infiniband_pkey \ infiniband_endport atsecure ifeq ($(shell grep -q cap_userns $(POLDEV)/include/support/all_perms.spt && echo true),true) @@ -32,15 +32,15 @@ SUBDIRS += prlimit endif ifeq ($(DISTRO),RHEL4) - SUBDIRS:=$(filter-out bounds dyntrace dyntrans inet_socket mmap nnp overlay unix_socket, $(SUBDIRS)) + SUBDIRS:=$(filter-out bounds dyntrace dyntrans inet_socket mmap nnp_nosuid overlay unix_socket, $(SUBDIRS)) endif ifeq ($(DISTRO),RHEL5) - SUBDIRS:=$(filter-out bounds inet_socket mmap nnp overlay unix_socket, $(SUBDIRS)) + SUBDIRS:=$(filter-out bounds inet_socket mmap nnp_nosuid overlay unix_socket, $(SUBDIRS)) endif ifeq ($(DISTRO),RHEL6) - SUBDIRS:=$(filter-out nnp overlay, $(SUBDIRS)) + SUBDIRS:=$(filter-out nnp_nosuid overlay, $(SUBDIRS)) endif ifeq ($(DISTRO),RHEL7) diff --git a/tests/nnp/test b/tests/nnp/test deleted file mode 100755 index 4c7e010..0000000 --- a/tests/nnp/test +++ /dev/null @@ -1,44 +0,0 @@ -#!/usr/bin/perl - -use Test; -BEGIN { plan tests => 4 } - -$basedir = $0; -$basedir =~ s|(.*)/[^/]*|$1|; - -# Remove any leftover programs from prior failed runs. -system("rm -f $basedir/true"); - -# Set entrypoint type for bounded domain. -system("chcon -t test_nnp_bounded_exec_t $basedir/checkcon"); - -# Transition to bounded type via setexec. -$result = system( -"$basedir/execnnp runcon -t test_nnp_bounded_t $basedir/checkcon test_nnp_bounded_t 2>&1" -); -ok( $result, 0 ); #this should pass - -# Automatic transition to bounded domain via exec. -$result = system("$basedir/execnnp $basedir/checkcon test_nnp_bounded_t 2>&1"); -ok( $result, 0 ); #this should pass - -# Use true as an entrypoint program to test ability to exec at all. -system("cp /bin/true $basedir/true"); - -# Set entrypoint type for notbounded domain. -system("chcon -t test_nnp_notbounded_exec_t $basedir/checkcon $basedir/true"); - -# Transition to notbounded domain via setexec. -$result = - system("$basedir/execnnp runcon -t test_nnp_notbounded_t $basedir/true 2>&1"); -ok($result); #this should fail - -# Automatic transition to notbounded domain via exec. -$result = - system("$basedir/execnnp $basedir/checkcon test_nnp_notbounded_t 2>&1"); -ok($result); #this should fail - -# Cleanup. -system("rm -f $basedir/true"); - -exit; diff --git a/tests/nnp/Makefile b/tests/nnp_nosuid/Makefile similarity index 100% rename from tests/nnp/Makefile rename to tests/nnp_nosuid/Makefile diff --git a/tests/nnp/checkcon.c b/tests/nnp_nosuid/checkcon.c similarity index 100% rename from tests/nnp/checkcon.c rename to tests/nnp_nosuid/checkcon.c diff --git a/tests/nnp/execnnp.c b/tests/nnp_nosuid/execnnp.c similarity index 62% rename from tests/nnp/execnnp.c rename to tests/nnp_nosuid/execnnp.c index d8f1986..822336c 100644 --- a/tests/nnp/execnnp.c +++ b/tests/nnp_nosuid/execnnp.c @@ -2,24 +2,42 @@ #include #include #include +#include #include #include #include #include #include +static void usage(const char *progname) +{ + fprintf(stderr, "usage: %s [-n] command [args...]\n", progname); + exit(-1); +} + int main(int argc, char **argv) { bool nobounded; struct utsname uts; pid_t pid; int rc, status; + int opt; + bool nnp = false; - if (argc < 2) { - fprintf(stderr, "usage: %s command [args...]\n", argv[0]); - exit(-1); + while ((opt = getopt(argc, argv, "n")) != -1) { + switch (opt) { + case 'n': + nnp = true; + break; + default: + usage(argv[0]); + break; + } } + if ((argc - optind) < 2) + usage(argv[0]); + if (uname(&uts) < 0) { perror("uname"); exit(-1); @@ -28,10 +46,12 @@ int main(int argc, char **argv) nobounded = ((strcmp(argv[argc - 1], "test_nnp_bounded_t") == 0) && (strverscmp(uts.release, "3.18") < 0)); - rc = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); - if (rc < 0) { - perror("prctl PR_SET_NO_NEW_PRIVS"); - exit(-1); + if (nnp) { + rc = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + if (rc < 0) { + perror("prctl PR_SET_NO_NEW_PRIVS"); + exit(-1); + } } pid = fork(); @@ -41,8 +61,8 @@ int main(int argc, char **argv) } if (pid == 0) { - execvp(argv[1], &argv[1]); - perror(argv[1]); + execvp(argv[optind], &argv[optind]); + perror(argv[optind]); exit(-1); } diff --git a/tests/nnp_nosuid/test b/tests/nnp_nosuid/test new file mode 100755 index 0000000..cf2e6b4 --- /dev/null +++ b/tests/nnp_nosuid/test @@ -0,0 +1,179 @@ +#!/usr/bin/perl + +use Test; + +BEGIN { + $test_count = 8; + $test_nnp_nosuid_transition = 0; + + if ( + system( +"grep -q 1 /sys/fs/selinux/policy_capabilities/nnp_nosuid_transition 2> /dev/null" + ) == 0 + ) + { + $test_nnp_nosuid_transition = 1; + $test_count += 9; + } + + plan tests => $test_count; +} + +$basedir = $0; +$basedir =~ s|(.*)/[^/]*|$1|; + +# Remove any leftover programs from prior failed runs. +system("rm -f $basedir/true"); + +# Set entrypoint type for bounded domain under NNP. +system("chcon -t test_bounded_exec_t $basedir/checkcon"); + +# Create nosuid mount. +system("mkdir -p $basedir/testdir"); +system("mount -t tmpfs -o nosuid none $basedir/testdir"); + +# Set entrypoint type for bounded domain under nosuid. +system("cp $basedir/checkcon $basedir/testdir"); +system("chcon -t test_bounded_exec_t $basedir/testdir/checkcon"); + +# Transition under NNP to bounded type via setexec. +$result = system( +"$basedir/execnnp -n -- runcon -t test_bounded_t $basedir/checkcon test_bounded_t 2>&1" +); +ok( $result, 0 ); #this should pass + +# Transition on nosuid to bounded type via setexec. +$result = system( +"$basedir/execnnp -- runcon -t test_bounded_t $basedir/testdir/checkcon test_bounded_t 2>&1" +); +ok( $result, 0 ); #this should pass + +# Automatic transition under NNP to bounded domain via exec. +$result = + system("$basedir/execnnp -n -- $basedir/checkcon test_bounded_t 2>&1"); +ok( $result, 0 ); #this should pass + +# Automatic transition on nosuid to bounded domain via exec. +$result = + system( "$basedir/execnnp -- $basedir/testdir/checkcon test_bounded_t 2>&1" ); +ok( $result, 0 ); #this should pass + +# Use true as an entrypoint program to test ability to exec at all. +system("cp /bin/true $basedir/true"); +system("cp /bin/true $basedir/testdir/true"); + +# Set entrypoint type for notbounded domain. +system( "chcon -t test_notbounded_exec_t $basedir/checkcon $basedir/true" ); +system( +"chcon -t test_notbounded_exec_t $basedir/testdir/checkcon $basedir/testdir/true" +); + +# Transition under NNP to notbounded domain via setexec. +$result = + system( + "$basedir/execnnp -n -- runcon -t test_notbounded_t $basedir/true 2>&1" ); +ok($result); #this should fail + +# Transition on nosuid to notbounded domain via setexec. +$result = + system( + "$basedir/execnnp -- runcon -t test_notbounded_t $basedir/testdir/true 2>&1" + ); +ok($result); #this should fail + +# Automatic transition under NNP to notbounded domain via exec. +$result = + system( "$basedir/execnnp -n -- $basedir/checkcon test_notbounded_t 2>&1" ); +ok($result); #this should fail + +# Automatic transition on nosuid to notbounded domain via exec. +$result = + system( + "$basedir/execnnp -- $basedir/testdir/checkcon test_notbounded_t 2>&1" ); +ok($result); #this should fail + +if ($test_nnp_nosuid_transition) { + + # Set entrypoint type for nnptransition domain. + system( + "chcon -t test_nnptransition_exec_t $basedir/checkcon $basedir/true" ); + + # Set entrypoint type for nosuid domain. + system( +"chcon -t test_nosuidtransition_exec_t $basedir/testdir/checkcon $basedir/testdir/true" + ); + + # Transition under NNP to nnptransition domain via setexec. + $result = + system( +"$basedir/execnnp -n -- runcon -t test_nnptransition_t $basedir/true 2>&1" + ); + ok( $result, 0 ); #this should succeed + + # Transition under NNP+nosuid to nnptransition domain via setexec. + $result = + system( +"$basedir/execnnp -n -- runcon -t test_nnptransition_t $basedir/testdir/true 2>&1" + ); + ok($result); #this should fail + + # Transition on nosuid to nosuid domain via setexec. + $result = + system( +"$basedir/execnnp -- runcon -t test_nosuidtransition_t $basedir/testdir/true 2>&1" + ); + ok( $result, 0 ); #this should succeed + + # Transition on NNP+nosuid to nosuid domain via setexec. + $result = + system( +"$basedir/execnnp -n -- runcon -t test_nosuidtransition_t $basedir/testdir/true 2>&1" + ); + ok($result); #this should fail + + # Automatic transition under NNP to nnptransition domain via exec. + $result = + system( + "$basedir/execnnp -n -- $basedir/checkcon test_nnptransition_t 2>&1" ); + ok( $result, 0 ); #this should succeed + + # Automatic transition on NNP+nosuid to nnptransition domain via exec. + $result = + system( +"$basedir/execnnp -n -- $basedir/testdir/checkcon test_nnptransition_t 2>&1" + ); + ok($result); #this should fail + + # Automatic transition on nosuid to nosuid domain via exec. + $result = + system( +"$basedir/execnnp -- $basedir/testdir/checkcon test_nosuidtransition_t 2>&1" + ); + ok( $result, 0 ); #this should succeed + + # Automatic transition on NNP+nosuid to nosuid domain via exec. + $result = + system( +"$basedir/execnnp -n -- $basedir/testdir/checkcon test_nosuidtransition_t 2>&1" + ); + ok($result); #this should fail + + # Set entrypoint type for nnpnosuid domain. + system( +"chcon -t test_nnpnosuidtransition_exec_t $basedir/testdir/checkcon $basedir/testdir/true" + ); + + # Transition on NNP+nosuid to nnpnosuid domain via setexec. + $result = + system( +"$basedir/execnnp -n -- runcon -t test_nnpnosuidtransition_t $basedir/testdir/true 2>&1" + ); + ok( $result, 0 ); #this should succeed +} + +# Cleanup. +system("rm -f $basedir/true"); +system("umount $basedir/testdir"); +system("rmdir $basedir/testdir"); + +exit;