From patchwork Tue Oct 17 14:02:47 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Richard Haines X-Patchwork-Id: 10012205 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id E702E601E7 for ; Tue, 17 Oct 2017 14:40:02 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7988728924 for ; Tue, 17 Oct 2017 14:40:02 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 6D3FC28938; Tue, 17 Oct 2017 14:40:01 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.1 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_MED, T_DKIM_INVALID autolearn=unavailable version=3.3.1 Received: from UPBD19PA09.eemsg.mail.mil (upbd19pa09.eemsg.mail.mil [214.24.27.84]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CA9A628924 for ; Tue, 17 Oct 2017 14:39:58 +0000 (UTC) Received: from emsm-gh1-uea10.ncsc.mil ([214.29.60.2]) by UPBD19PA09.eemsg.mail.mil with ESMTP/TLS/AES256-SHA; 17 Oct 2017 14:39:56 +0000 X-IronPort-AV: E=Sophos;i="5.43,391,1503360000"; d="scan'208";a="4818740" IronPort-PHdr: =?us-ascii?q?9a23=3As8btExTlKMnsVDQrDORywmDx5tpsv+yvbD5Q0YIu?= =?us-ascii?q?jvd0So/mwa6/bReFt8tkgFKBZ4jH8fUM07OQ7/i4HzVcqsne+Fk5M7V0Hycfjs?= =?us-ascii?q?sXmwFySOWkMmbcaMDQUiohAc5ZX0Vk9XzoeWJcGcL5ekGA6ibqtW1aFRrwLxd6?= =?us-ascii?q?KfroEYDOkcu3y/qy+5rOaAlUmTaxe7x/IAmqoQnLq8UbjoRuJ6QzxxDUvnZGZu?= =?us-ascii?q?NayH9yK1mOhRj8/MCw/JBi8yRUpf0s8tNLXLv5caolU7FWFSwqPG8p6sLlsxnD?= =?us-ascii?q?VhaP6WAHUmoKiBpIAhPK4w/8U5zsryb1rOt92C2dPc3rUbA5XCmp4ql3RBP0ji?= =?us-ascii?q?oMKjA28HvTisdtkqxVphyvrAF7z4LNfY2ZKP9yc6XAdt0YWGVBRN5cWSxfDI2y?= =?us-ascii?q?bIUBCPcPPf5aooXgqVYBswC+CBKwCO/z0DJEmmX70bEm3+knDArI3BYgH9ULsH?= =?us-ascii?q?nMsNv1NbsdUeCvw6nS0DrIcvFY1i386IjObB8huuyHULVqccrQ1UYvFxnKjk+N?= =?us-ascii?q?poP9IzyazuQNvHKa7+pmS+2vkHUqpBptojiuwMcslpfGhpgTyl/a6SV12po6Jd?= =?us-ascii?q?q9SENiZ9OvDZVetyafN4RsQ8MiRXlluD07yrIbo5K7ejYFyIghyhXCaPKHa5CF?= =?us-ascii?q?7g/sWeueOzt1hG9pdKihixu970Ss0PDwWtG33VtLtCZJj9fBu38X2xHT5MWLUO?= =?us-ascii?q?Zx80a/1TuJygvd8PtLIVoumqreM5Mhx7kwmYcNvknbBS/2nVn2jLeRdkU55uik?= =?us-ascii?q?8+Tnbavipp+bL4J0lhvxMr4vmsyiGuQ0KBQOXmiH9uS8073v50v5T6lRjvIqiK?= =?us-ascii?q?XZtZHaJcADqq64BQ9azJoj5g6iAzqp39kUh3kKIE9fdB6ZgIXlJUvCLO3gAfe6?= =?us-ascii?q?mVuskTNrx/7cPr3mB5XANmPDn6nlfbZ87U5c1QUywclE6JJTF7EBJu78VVHqtN?= =?us-ascii?q?HDEh84MxC7w+bgCNln0IMeQniADrWWMKPVr1+E/vgvLPWUZI8JpDb9LOAo5/zp?= =?us-ascii?q?jX8/g1AdYamp0oERaH2jHPRmJEOZYX/2jdcaDWcFoBA+TPfwhF2FSz5TaG64X7?= =?us-ascii?q?gg6TEjFIKmEYDDS5ivgLyDxii0Ap5WZntBClCKEHfoaZ6JW/kIaCKPLc5uiSEE?= =?us-ascii?q?Vb69S488zx2usxX6y7V/JOrO5iIYrY7j1MRy5+DLjRE96yd7ANqb02GMU2F0mX?= =?us-ascii?q?gFRz4o069hv0Nx0FCD0bJ3g/ZAD9xc++tJUhsmNZ7b1+F1FtfyWgTHftiUVlmm?= =?us-ascii?q?RtSmDCorQd0v2d8OZFxxG9K4jhDMxyCqGaMal6SXBJwo9aLRx2X+J9pnxHbcz6?= =?us-ascii?q?Quk14mQs5TOmK8na5/6xLfB4jXnEWFj6yqb7gT3DbR9GefymqDpEBYUAhsUarb?= =?us-ascii?q?WXAQeE7Wosrl5kPYT76jErMnMhNfxs6EL6tFcNzpjVFdS/fkN9XSeWWxm32/BR?= =?us-ascii?q?yQ3LODcJLqe3kB3CXaEEUFkwES/XGANQUlAyehp3vSDD1oFV71ZUPj6/N+qHC6?= =?us-ascii?q?Tk8q0Q6GdUth2KSp+hQNn/yTV+sT3q4YuCcmszh1Ele939bTC9WevQpsZ6tcbs?= =?us-ascii?q?0g71dAz2LWrRR9PoanL6BgmFERbxh3s1np1xVtBYVKidIqo28yzApuNaKY10tM?= =?us-ascii?q?dz2C3Z/qPL3YNmjy/Au0Zq7TwlHe0c+a+rwB6fQjsVnjuxupFkU6+XV9z9ZVy2?= =?us-ascii?q?ec5onNDAcKUpL+SEU39x9np7zBYSky/YDU1XpxMaWutT/Cwd0pDvM/yhm8Z9df?= =?us-ascii?q?LL+EFAjqHsIAGseuMu0qlEazbh8fJu9d6Ks0M9mhd/uc166hJPxgky6+jWRb/I?= =?us-ascii?q?B91VqB+DZmRe7MwZkF2O2Y3wuAVzrnl1eursH3lp5CZTEOH2qw0zLoBIhPaa1u?= =?us-ascii?q?ZYwLE3uhI9WrxtVigJ7gQ2RY+0O+CF4d18+pfBWTY0b73QJOyUQduWanljegzz?= =?us-ascii?q?xojzEpqbKS3DfAw+T4cxoHIXJLSXJ5jVfqJoi1gdUaU1KubwQzkhuq+1r6zbBB?= =?us-ascii?q?pKtjN2nTXVtIfy/uImBsSKSwsqaCbNBV6JMzqihXTvqzYUqBRb7gphsWySTjH3?= =?us-ascii?q?FRxDojbTGlpo35nwBmiGKaNHtzsGfWdtxxxRjF4NzRXuJe3j0DRCZkkzbXHUS8?= =?us-ascii?q?M8Ov/dqKi5fJqvq+WH65Vp1PbSnrypuNtDW65WJ2HR2/mOqzlsf7Hgg61i/70d?= =?us-ascii?q?ZqWD7MrBb9ZInkzb66MeV9cklvHl/85NJwGptinYsomJEQxX8ai42R/XoGimfz?= =?us-ascii?q?LcxX2bngY3oJRD4LxcPV4Qf+1U14NnKJxoT5VnSBzct6fdW6ZH0Z2j4l5cBQFK?= =?us-ascii?q?iU9KBEnTdyolegtwLRZvx9njMDxvs09HEahO8ItRE2ziWAHr8SBlNUPSv2lxSH?= =?us-ascii?q?99q+trlYZH6zcbis00pzhdOhA6+EogFHQ3v5eYktHSlr7sV5Ll3MzGf/6ob+eN?= =?us-ascii?q?nfddgTrAGbkw/cj+hJL5I8juIKijB6OWL5o3Il0/Q0jRpy3Z6kpoiKMHht/Lmn?= =?us-ascii?q?DR5CLT35fdgT+jbwjaZEgsmZwY6vHpJ7GjUEQpTkV/SoHywOtf7/LQaBDCU8qm?= =?us-ascii?q?uHGbrYBQKf9kFmoG/UHpC1MXGYOXkZwc9kRBaDOExVmBoUUykinp4lCgCqw9Ts?= =?us-ascii?q?cF9j6TAM4l71sQdDyuN0Nxj/S2vfqh2najEuRJiYNhpW4RlI513JPsyG8uJzAy?= =?us-ascii?q?ZY84WirA2NLmyUeR9FDWQOWkyKCVDsIKWu5cXA8+ifA+qxMeHCYbOQpuxCT/2I?= =?us-ascii?q?346g0pN6/zaQMcWCJndiAOc92kpfWnB5Ht/UmzsRRCMKkCLNddSUpA+m+i1wrM?= =?us-ascii?q?Cw7ujkWB716YuIEbtSPs1l+wqqjqebK+6QmCF5JC5C1p8Wy37E0r0f00QWiyFp?= =?us-ascii?q?dzigCq4PujLITK7Kna9XFREbYTtpNMRU96I8whVNOcnDh9P7zL53kOM6C0xfWl?= =?us-ascii?q?znhsGpYtcKLnqnO1zbAUaHLrOGJSfEw8vve6OzVaVQjPlItx23oTubFVXjMS6b?= =?us-ascii?q?lznxTB2vP+BMjDuAPBxCtoG9cxBtBnLlTN36ax20Ktt3gScxwb0uiXPALXQcPi?= =?us-ascii?q?Rkc0NRsr2Q6jtVje5kFGBG6nplLPKEmzqC7+XCMZYZr+dkDj5vl+1E5HQ6yr1V?= =?us-ascii?q?7DxLRfFuhCTTrsRuo0y9kuWVxDtoSgZOqi1MhIKNp0liPr/Z9pZYU3be4B0N9X?= =?us-ascii?q?mQCwgNp9Z9DN3vuqRQytzRm6LoMzpN6czb/dEbB8TOL8KHKnUhOwLzGDHIFAsF?= =?us-ascii?q?USKrNWbHikNGkfGS+XqVrp4hp5fxhpUBUb5bW0YzFv8ADURlBtMCKo9tXjw4ib?= =?us-ascii?q?6bkNII5X2moRbLS8VVpI7HWeyJDPXoMDaWk79EZx4SzrP5KYQcLYr72kN4Zll9?= =?us-ascii?q?hoTKFFLaXcpRrS15cg80vEJN/WBiTm003kLpcBmt4HgSFPGqmB45kRF+YeMz+z?= =?us-ascii?q?fv+Fo4Ol3KpC4sn0YrgtXlnSqdcDjvI6esRYtWETb7t1AtMpPnRAZ4dQuyklJ+?= =?us-ascii?q?OzfAXL9RjLxgdXt3iADGv5tPAv1cTaxebB8W2/6Xe+0i0U5ApSW/2U9H+ezFBI?= =?us-ascii?q?N4lAQ0ap6jsWhP2xh/Y941PqHfP6tJzkJNiaKJsC+ozvoxzxEeJkoX9mOdZjII?= =?us-ascii?q?slQSNrY6Pyqo4vBs6QualjReYmcMSfsqre9x9k4mIeuA1Tjg07lNK0CqKeOQM7?= =?us-ascii?q?6Zu3LBlc6UQlI8zEUImFdZ/bJuy8csb1KUV1wzzLuWDxkJMc3CKRtLYMpU9XnT?= =?us-ascii?q?ej2DserLwZJoJYm9EfroTeCWvqYOnk2kBBopH5gL7skZBZmjzkXYLcbhLL4Yxh?= =?us-ascii?q?Qg/xjkJFKADPtVYh2LiysHr9u5zJBpwYlXPisdDnllMSWr+rbXoRcnj+efU9cz?= =?us-ascii?q?ZXcaWJcEOm8tVc2khSFZpXVADTiw0uIf0gSC6SHzpjjIBjnmc9VjfOuUZQ9rCN?= =?us-ascii?q?yu5TU/8q22iVnL8pXeJ2D3Lsltut7P6OwAvJmLEfVUQqdhs03EgYlXW2SqU3LT?= =?us-ascii?q?Ed6yP5XwZJMsYsbyCnamSVG/ijU1Tsn3PNaxLqiHnwDoRYBIsIaFxjAvL8m9GS?= =?us-ascii?q?8CGx1oveEM+Lp8ZREfY5o8eRPnrQA+N62jLwiGytquRmasKT1RT/lZ1+q3fKdY?= =?us-ascii?q?zys2Ye+80XcgQIw6w/Ox8UETWJEAlgveyuq7Z4lCTSjzHWRQdB7Rqio/jGVuLP?= =?us-ascii?q?s9wvkhzxPSqlkTKSqLdexzZGxDpdE8CkuYIW9qBWogW1+ckY3D7xa237AU/itS?= =?us-ascii?q?g9ZU0epBsHjlppHReS+iVra3pJvSqCcvcd8mo6htPoP5OcuGqInSnjrBQ5nMqg?= =?us-ascii?q?eFSjK1F+JGmthMJyJVWOVHmWM/NsMaoodO9U0xVsM6J7xOFqYsvKyqZiR4Ai4S?= =?us-ascii?q?1yMZUJmA3DMaiOemx7TajguQcIglMBEcqpVNmMEdUyltbS4FuK+jTZ/Zl3GaRW?= =?us-ascii?q?gPIQcT6wtM5AYBlo9/fuDl/ITIQ4VWyz5Tuf50VDXEFoVw/VvhVm6WmUT4SOmm?= =?us-ascii?q?k+Gx0wNe1u7j0tkaWB56CEhS3eVWm1ApKL5pNaYfoJTGsjiSdUP1pGjt0vepJE?= =?us-ascii?q?FNyc3IcF31FJLFtW34UiIG430VS4hPyHXRFZkJlgp5b6ErpE5SL4+6YEb+4Cck?= =?us-ascii?q?x59oH7m+WsCn3VElrWwJRy2yCdpOF/lmsE7LWD1ie52kso/lO4hUQmNK+52QsF?= =?us-ascii?q?ZZkERsMy6l0pVQMcdN7SAQXDJXuzWSoMOySNFf2c9xF5IMPtB/u3LmFaNYJJSR?= =?us-ascii?q?pmY5tqbpynDH5zA2qE26yymrG6+kU+JZ+HUTGgUzKGSEsEYvC/Yj/3zP/V/Tql?= =?us-ascii?q?B05/lUBryRgkVrujp9GYpOBjlR33C/M1tzVGVGs/ldKKnNccxcROc9aASyNBMg?= =?us-ascii?q?Dv4pwVaJ/V1qknjkeSBysBVV+zzFVQkuSSYVmqvtmSEZqsy/IjAaRY5HYSkjYi?= =?us-ascii?q?vYJQ+WgjxYvBFaa052QZ8ZGcpF96sd3YRK4srIUVysJj0dXBx+KgI41uJSlVRd?= =?us-ascii?q?v0qFeSDSFxaoeO3Lsh1wY8eestClI+j+/AhalIzrquY4+LsfR3e+gw2iXcjer5?= =?us-ascii?q?Pgtt2NrkaObLz4M/GmbnDcUDjBlguwhbA5D5nQ4yfcLgxbK4VgyXU+ZZjtE2nL?= =?us-ascii?q?PQ5JJ6gDPUpUSbh6aclaouBdf8JkZLwJ9rFzCR2aXR7vBYivrOVcLlnJWzTeLi?= =?us-ascii?q?KB8uihroLP97DdTvLgZsOUzXbdX613Jot66SX8G7ry1I9R4E722vNz+UNmVVjJ?= =?us-ascii?q?KTqOoc/nJgwV+MmibVftsYcxHTzIGptwlmTixl1YfcoNXyKq6IgYyI9e6HvoS+?= =?us-ascii?q?J3yFLzsOpJ97lg84Y3/atkycKpJafWNfRasFNoAhmOCQVs7ZUhGm9/R3peYuUJ?= =?us-ascii?q?MvfeYbwZjdzyq+DwD6EX6gea++pXadvdIEHOh9ewByqASRNemgcBsjkaIhGa1/?= =?us-ascii?q?Gbh69+UdylqvTh2kIx/1i+KQYLzL9w5YeF/qqIoPHYbx7KwLcZRKflXcLzoa4q?= =?us-ascii?q?u0+I4v0kjrEOcHRvYwK7COgdStIdxmD4wKAsySIhCMLDH7Tl+PJZVnI5mDzgm4?= =?us-ascii?q?pnEFUNBvMUB6eL8phCnmclgezWKMcacqdYmmaADRSkCKMNyWa36yuLJ2lomhTO?= =?us-ascii?q?0xb2QWOv41/5szR1QS7Nz9j5lEpaSKW3BElVXyqzOk94qymDPAz2u9rroa419l?= =?us-ascii?q?05MnT4tNKRk2usILdXH9b6JNGcOiQ0qkwYg4A2Rty1w48bAcC9INAT8H5gcvTe?= =?us-ascii?q?93mnkyhbo6dIn4De+N2a+u3LHXm8iK2Xs7eNxDFdynUjuFEw9NChOe/U592LRf?= =?us-ascii?q?So2HwdTyFhtAvdRxS1sKDUr0gIOUyX10fGgI0KP9BD0nYiyk7r//MjT8wv9ApA?= =?us-ascii?q?ConMffQCpSr8ODHs21aQf8o3VjWC0ztQBl/6Clh4GLMy2W3qvsLJlGvQ+0UySY?= =?us-ascii?q?ltc0zqngB4D4IlJk0z8lcX3zADEQ8XaR+BFr2oAl7lLYQcX0gZdRuHxKS6ersw?= =?us-ascii?q?3UBr2rOg/vPTYvB8B6sDMfZdlA2OkEFAGp0Ita0eQbR8e0JS9aPMvgjtEZTnUO?= =?us-ascii?q?TmlXs+Mv21WMNa/doat3Q8+Aa/QQSv6ZNZ47YckpCIebZOYYLQs8Bk80dn+TkP?= =?us-ascii?q?ezRRgBhlkRy5VfoTpOb97dXArZWo6+muVKcxR+oN7Bg7HX5+j4bqjFAlv97Xy/?= =?us-ascii?q?9WSpfJhoTn7ABNP3mKtZ7V0xZmM+oBNZ6rfLZ7+nUDJigeO2wBPdqMZPkh+C9h?= =?us-ascii?q?KjPT6EJeAskUf9MXINLNmRxIik3uQLxT+dTUGlmEC4d0cMAk6HH3xy4x8Zs9VO?= =?us-ascii?q?bg9TC3KIvb715TJfNCjD9jmMjEpOcL3frYEDIX7mWBaxhp3iOCzIGAC/Dx/eqQ?= =?us-ascii?q?z9HUU0kJHjUsX4dcIzqC/henRvGumZXsXQ6V5dX/gJUkdEKfXnaxhrgKsr5QEe?= =?us-ascii?q?5cjSX2xjdeGZzuh/KOqtai9WRZuFtGEIZ18B3EF75SPpp+ORvikMmkWFJwBizl?= =?us-ascii?q?eMHbbhAuovaZxv8Q4+ViMEvzfY0bIhUEy7L883ZaUgtuSLrrvlmEXOMRZd1mSO?= =?us-ascii?q?jHrnBU8o9gNa4PPEaHq5zuszhIqUo6AAk3Z78stjZabFXBnBVJW6bov74Nkgoc?= =?us-ascii?q?UcBjtk9KAm+wPH8+6CfGVaRSl6mdEvsV8i+cTqYWSUVnLjt+Qw+p2JVpY7apn+?= =?us-ascii?q?5Ism1IniN5u/Ur3SZpRB2iti3wva4N3ywv+K2gvjUbpXNFVvmekzvPCVhbw/QK?= =?us-ascii?q?iaAcCnj85ly4ZHkOd5Dy4L5hJcTh6YYt+XI/bgs/fyceR+SvFznwj7+UAoyIqN?= =?us-ascii?q?9chh6NucXWbb+0KSgSN6g9xgz4Snh40wjegAxo/3URTjWn9t8kK523Odw5ySqw?= =?us-ascii?q?BWjbaFEM77tVsMvwsF4GV/c2aVJ9z2VgzMeHQjcBRMrRFGYplgIkc3lLcIpf6R?= =?us-ascii?q?8GEKklmjOIvqhF/gEXZzfZCYal9ZPTncfP33kyU9FqynjQpqKbmpMgyGdllM9s?= =?us-ascii?q?7i6SpHQScPTVXNRyDXj1yodS0vf+Z/GqsuAbVItm1qquX+IYPsmk42u2141gWl?= =?us-ascii?q?W5ybQGA1q5LOgDy6/VUyi7TW2YWPyLfHaXkjc4M07y4ByoIUMtaMdOsUAxKOzC?= =?us-ascii?q?hoRTlwf5S7N7Wj2QpUPHzGwkKe4beRo2uJ2mewMWUuEcfO2cJekywP0kFlQAdX?= =?us-ascii?q?jJHTF5C+Wuq16igJB7O2l84UX9eent9QTmP8WJFxkcFY7VtIVx+eC7Rm2dJX9g?= =?us-ascii?q?1gN9M1du++fZCVsxqvdWc4yNktjIm9R7zekFeu9pMS08vN4Th41i5ZCQ0MeLah?= =?us-ascii?q?HR0o3yKMrUoveCBf3fyF4memZAUroWeQn1/Zk1PsYlW73PGrtUpQ8cCrY+QJwg?= =?us-ascii?q?MWfx6a51IAR8fA7NZLS7nNPqqfyTZpROvHLW7Uw/LD3auxIdzvy7VhF7b5+wi3?= =?us-ascii?q?X1OpAwSSpLr8dxBRt+AItPB8QAohKiA5GOhK67i96x+0V9u+IRr6rwC/bK28q9?= =?us-ascii?q?34VwWZha+EOKMCzWBKlxjURvlv6yjevY0pntFcPifssJVOphTW7Gbb/JBZ6yKi?= =?us-ascii?q?+IOsLge05G9KOc0L15UhWNfiz5WbSJtDG8PvV+/Uo70pB4fPbUzDE17bHb3dzy?= =?us-ascii?q?Z3tBpieitn6EL51f40bPBePAXhJYU/2F8HxqHacPd4v76P8OMcA+wNib+wRz9z?= =?us-ascii?q?pC0M6ZLKWgrULBwVx7eozBLEvo2ic5Xo8KLA65MUQynW+K4kjaVG9RKsmiNNlF?= =?us-ascii?q?nMeeDhur4VJ4324qeCoJHGf0SdqPEXYU1tj4ZwCQ8g9PSdEZkKr/fU8+q733Uu?= =?us-ascii?q?J0Ir1bluiw8rYKi9BkL2fIXscedyXRKqJmeyFcBfjVpUQ5JxsDv6UxV68rapWU?= =?us-ascii?q?ZkAKKkGNzWX11wSR/1fzcomW1a2JKTwaulVOzrTIynAYvQiyuf+DjvroZ7DQbZ?= =?us-ascii?q?f7R9bYLCsjSjyAQzkuV02u/AH36LI/oPOELDJH8RgvaSWIBVtW//hi?= X-IPAS-Result: =?us-ascii?q?A2D8AQAXFeZZ/wHyM5BdGgEBAQECAQEBAQgBAQEBFQEBAQE?= =?us-ascii?q?CAQEBAQgBAQEBgwgsZG4njw2OQ4JxjFyKYjADig1DFAEBAQEBAQEBAQEBaiiCO?= =?us-ascii?q?CSCSQIkGQE4AQIDCQIFQwgDAVoSBYhIgTcBAxUDAawhOoMJBYEChF+CbwQIgy6?= =?us-ascii?q?BNlGDO4J2gxOIGwWKDgqHMIFrjhiHX4x/gn6QJ5cpNiGBWTQhJV6CZAmCA0EPH?= =?us-ascii?q?IFodYg3LIIWAQEB?= Received: from tarius.tycho.ncsc.mil ([144.51.242.1]) by EMSM-GH1-UEA10.NCSC.MIL with ESMTP; 17 Oct 2017 14:39:13 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v9HEagxs025001; Tue, 17 Oct 2017 10:37:30 -0400 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id v9HE3lCp045434 for ; Tue, 17 Oct 2017 10:03:47 -0400 Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v9HE3eML008929; Tue, 17 Oct 2017 10:03:40 -0400 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A1DaAgBmDOZZWyYVGNZdGwEBAQMBAQEJA?= =?us-ascii?q?QEBgzMsZG4njw2OQ4JxjFyKcA8WhSCEbUIVAQIBAQEBAQEBBhoVhikZATgBFYE?= =?us-ascii?q?OGxKITYE3AQMVAwGsEjqDCQWBAoRggkkmBAiDLoE2UYM7gnaDE4gbBYoOCocwg?= =?us-ascii?q?WuOGIdfjH+CfpAnlyk1gXs0ISVegmQJggNBDxyBaHWINyyCFgEBAQ?= X-IPAS-Result: =?us-ascii?q?A1DaAgBmDOZZWyYVGNZdGwEBAQMBAQEJAQEBgzMsZG4njw2?= =?us-ascii?q?OQ4JxjFyKcA8WhSCEbUIVAQIBAQEBAQEBBhoVhikZATgBFYEOGxKITYE3AQMVA?= =?us-ascii?q?wGsEjqDCQWBAoRggkkmBAiDLoE2UYM7gnaDE4gbBYoOCocwgWuOGIdfjH+CfpA?= =?us-ascii?q?nlyk1gXs0ISVegmQJggNBDxyBaHWINyyCFgEBAQ?= X-IronPort-AV: E=Sophos;i="5.43,391,1503374400"; d="scan'208";a="86199" Received: from emsm-gh1-uea11.ncsc.mil ([214.29.60.35]) by goalie.tycho.ncsc.mil with ESMTP; 17 Oct 2017 10:03:33 -0400 IronPort-PHdr: =?us-ascii?q?9a23=3AsuxRTBLKUL4vYznOwdmcpTZWNBhigK39O0sv0rFi?= =?us-ascii?q?tYgfLvXxwZ3uMQTl6Ol3ixeRBMOAuqIC07KempujcFRI2YyGvnEGfc4EfD4+ou?= =?us-ascii?q?JSoTYdBtWYA1bwNv/gYn9yNs1DUFh44yPzahANS47xaFLIv3K98yMZFAnhOgpp?= =?us-ascii?q?POT1HZPZg9iq2+yo9ZDeZwZFiCChbb9uMR67sRjfus4KjIV4N60/0AHJonxGe+?= =?us-ascii?q?RXwWNnO1eelAvi68mz4ZBu7T1et+ou+MBcX6r6eb84TaFDAzQ9L281/szrugLd?= =?us-ascii?q?QgaJ+3ART38ZkhtMAwjC8RH6QpL8uTb0u+ZhxCWXO9D9QLYpUjqg8qhrUgflhj?= =?us-ascii?q?oHOTAn/m/Zict+gblHrB69vRFz35TZbJ2JOPd4Y6jTfckaRW1EXstJSyJBA5+z?= =?us-ascii?q?b4sVAOobIOlTsovzqEEPrRu4GwasH/7kxzhShn/3waI60/4uERvb0wM4A90BqH?= =?us-ascii?q?TUo8/0NKcUT++117LFwi7fb/NX3zf99JbHcgonof6SQbJ8a9beyU4qFw7ciFib?= =?us-ascii?q?tILrPzSQ1usXsmib6fJtVfmui2E6sQ1xpCagxtsqh4LUhYwV0kjJ+TtkzIs6P9?= =?us-ascii?q?G0VkF2bcS6HJdNrS2XOYh7TtshTmxpoio217MLtJGhcCUKxpkr3QPTZv2Zf4WO?= =?us-ascii?q?/xntTvyeIS1ii3JgYL+/hwi98UynyuDkS8m00FdKri5YntTIrnACzQDf58qdRv?= =?us-ascii?q?Rj4EihwjOP1w/J5uFBO080lK7bJ4Qkwr4xkpofqUXDHinol0XqlKKaaFgo9+ey?= =?us-ascii?q?5+j5bbjqvIGQO5JuhgzwMakigsm/Dv45MggKUWib4+O81Lj78E3jQbVFkv02nb?= =?us-ascii?q?PDsJ/HPcsUura2Aw9P3YYi7RawESym3c8DknkbLVJFfg6HgJbzO1HIPv/4Ee2z?= =?us-ascii?q?jEirkDdu3/zGJKHuAo3RLnjfl7fsZa195FNHyAco0dBe545bCrEGIP7pXE/xr8?= =?us-ascii?q?bXAgU2Mwyz3ebtEM992Z8GWWKTHq+ZN7vfsUSW6eIrIumMYpIVuTnmJvg55//h?= =?us-ascii?q?kX85mVgHcamvxpsYcmq0HvthI0WHMjLQhYIaHGMLuBcuZPD7g12FFzhIbjC9WL?= =?us-ascii?q?x4rjc2FI6rE6/dSY23xr+MxiG2GttRfG8CQlSNF2r4Mp6PR+8kdi2fOIlinyYC?= =?us-ascii?q?WLznTJUukVmqtQnn2/98I+HJ4CwEpNfm09Ro4+D7ix4/73p3At6b3mXLSHt7zU?= =?us-ascii?q?0SQDpj5qF0oUVnxh+j2Kl+jucQQcZS7PNASAsNPqncxu18BsvaUB7AeMuEUlCr?= =?us-ascii?q?XpOtBjRnHYF5+MMHf0soQ4bqtRvExSf/W7I=3D?= X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0C8AwCZDOZZWyYVGNZdHAEBBAEBCgEBF?= =?us-ascii?q?gEBAQMBAQEJAQEBgwiBEG4njw2RNIxcinAPFoUghS8VAQEBAQEBAQEBAQEFGhV?= =?us-ascii?q?egjgignEZATgBFYEOGxKITYE3AQMVAwGsEjqDCQWBAoRggkkmBAiDLoE2hAyCd?= =?us-ascii?q?oMThH0MgxIFig4KhzCBa44Yh1+Mf4J+kCeXKTWBezQhJV6CZAmCA0EPHIFodYg?= =?us-ascii?q?3LIIWAQEB?= X-IPAS-Result: =?us-ascii?q?A0C8AwCZDOZZWyYVGNZdHAEBBAEBCgEBFgEBAQMBAQEJAQE?= =?us-ascii?q?BgwiBEG4njw2RNIxcinAPFoUghS8VAQEBAQEBAQEBAQEFGhVegjgignEZATgBF?= =?us-ascii?q?YEOGxKITYE3AQMVAwGsEjqDCQWBAoRggkkmBAiDLoE2hAyCdoMThH0MgxIFig4?= =?us-ascii?q?KhzCBa44Yh1+Mf4J+kCeXKTWBezQhJV6CZAmCA0EPHIFodYg3LIIWAQEB?= X-IronPort-AV: E=Sophos;i="5.43,391,1503360000"; d="scan'208";a="4796104" X-IronPort-Outbreak-Status: No, level 0, Unknown - Unknown Received: from uhil19pa07.eemsg.mail.mil (HELO uhil19pa07.eesmg.mail.mil) ([214.24.21.38]) by emsm-gh1-uea11.NCSC.MIL with ESMTP; 17 Oct 2017 14:03:30 +0000 X-EEMSG-check-005: 0 X-EEMSG-check-006: 000-001;bc18c790-43e3-405a-9974-77d11ea7ccae X-EEMSG-check-008: 232282281|UHIL19PA07_EEMSG_MP5.csd.disa.mil X-EEMSG-SBRS: 3.5 X-EEMSG-ORIG-IP: 65.20.0.157 X-EEMSG-check-002: true X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A0C2AAAAC+ZZh50AFEFdGgEBAQECAQEBAQgBAQEBgzOBEG4noEGMXIpwDxaFIIRtQhUBAgEBAQEBAQETAQEBCgsJCCgvhUsZATgBFYEpEohNgTcBAxUErAY6gwkFgQKEYIJvBAiDLoE2hAyCdoMThH0MgxIFig4KhzCBa44Yh1+Mf4J+kCeXKTWBezQhJV6CZAmCAwFADxAMgWh1iDcsghYBAQE X-IPAS-Result: A0C2AAAAC+ZZh50AFEFdGgEBAQECAQEBAQgBAQEBgzOBEG4noEGMXIpwDxaFIIRtQhUBAgEBAQEBAQETAQEBCgsJCCgvhUsZATgBFYEpEohNgTcBAxUErAY6gwkFgQKEYIJvBAiDLoE2hAyCdoMThH0MgxIFig4KhzCBa44Yh1+Mf4J+kCeXKTWBezQhJV6CZAmCAwFADxAMgWh1iDcsghYBAQE Received: from rgout07.bt.lon5.cpcloud.co.uk ([65.20.0.157]) by uhil19pa07.eesmg.mail.mil with ESMTP; 17 Oct 2017 14:03:07 +0000 X-OWM-Source-IP: 86.134.53.162 (GB) X-OWM-Env-Sender: richard_c_haines@btinternet.com X-Junkmail-Premium-Raw: score=8/50, refid=2.7.2:2017.10.17.134816:17:8.317, ip=, rules=__HAS_FROM, __FRAUD_WEBMAIL_FROM, __TO_MALFORMED_2, __TO_NO_NAME, __HAS_CC_HDR, __MULTIPLE_RCPTS_CC_X2, __CC_NAME, __CC_NAME_DIFF_FROM_ACC, __SUBJ_ALPHA_END, __HAS_MSGID, __SANE_MSGID, __HAS_X_MAILER, __FROM_DOMAIN_IN_ANY_CC1, __ANY_URI, __FRAUD_BODY_WEBMAIL, __URI_NO_WWW, __LINES_OF_YELLING, __NO_HTML_TAG_RAW, BODY_SIZE_10000_PLUS, __MIME_TEXT_P1, __MIME_TEXT_ONLY, __URI_NS, HTML_00_01, HTML_00_10, __FRAUD_WEBMAIL, __FROM_DOMAIN_IN_RCPT, __CC_REAL_NAMES, MULTIPLE_RCPTS, __PHISH_SPEAR_STRUCTURE_1, __MIME_TEXT_P, NO_URI_HTTPS Received: from localhost.localdomain (86.134.53.162) by rgout07.bt.lon5.cpcloud.co.uk (9.0.019.13-1) (authenticated as richard_c_haines@btinternet.com) id 598528DE072CB3DD; Tue, 17 Oct 2017 15:02:54 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com; s=btcpcloud; t=1508248989; bh=1srgP6aNfxzp3izkiZL7i2i3tXkAK0W2zxl+hmYsh94=; h=From:To:Cc:Subject:Date:Message-Id:X-Mailer; b=MHHKqC9dAySYAXS+ku5Am9FZYU2XlUBmwfKFi7rR2TDKPkiweRWEl+lDje2aP67A/OmA2v2fklqIWST/nPwI5ns2y4omuJSOV66NV4jfz5/UfsfStQUDg4NBrvnN20/h0UYlBtfvEBCnqyXTqg8yReqDO277gMlZPY05ZzztJrA= X-EEMSG-check-009: 444-444 From: Richard Haines To: selinux@tycho.nsa.gov, netdev@vger.kernel.org, linux-sctp@vger.kernel.org, linux-security-module@vger.kernel.org Date: Tue, 17 Oct 2017 15:02:47 +0100 Message-Id: <20171017140247.4604-1-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.13.6 X-Mailman-Approved-At: Tue, 17 Oct 2017 10:36:38 -0400 Subject: [RFC PATCH 1/5] security: Add support for SCTP security hooks X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.21 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: Cc: marcelo.leitner@gmail.com, nhorman@tuxdriver.com, vyasevich@gmail.com, sds@tycho.nsa.gov Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP The SCTP security hooks are explained in: Documentation/security/LSM-sctp.txt Signed-off-by: Richard Haines Reviewed-by: James Morris --- Documentation/security/LSM-sctp.txt | 212 ++++++++++++++++++++++++++++++++++++ include/linux/lsm_hooks.h | 37 +++++++ include/linux/security.h | 27 +++++ security/security.c | 23 ++++ 4 files changed, 299 insertions(+) create mode 100644 Documentation/security/LSM-sctp.txt diff --git a/Documentation/security/LSM-sctp.txt b/Documentation/security/LSM-sctp.txt new file mode 100644 index 0000000..30fe9b5 --- /dev/null +++ b/Documentation/security/LSM-sctp.txt @@ -0,0 +1,212 @@ + SCTP LSM Support + ================== + +For security module support, three sctp specific hooks have been implemented: + security_sctp_assoc_request() + security_sctp_bind_connect() + security_sctp_sk_clone() + +Also the following security hook has been utilised: + security_inet_conn_established() + +The usage of these hooks are described below with the SELinux implementation +described in Documentation/security/SELinux-sctp.txt + + +security_sctp_assoc_request() +------------------------------ +This new hook has been added to net/sctp/sm_statefuns.c where it passes the +@ep and @chunk->skb (the association INIT or INIT ACK packet) to the security +module. Returns 0 on success, error on failure. + + @ep - pointer to sctp endpoint structure. + @skb - pointer to skbuff of association packet. + @sctp_cid - set to sctp packet type (SCTP_CID_INIT or SCTP_CID_INIT_ACK). + +The security module performs the following operations: + 1) If this is the first association on @ep->base.sk, then set the peer sid + to that in @skb. This will ensure there is only one peer sid assigned + to @ep->base.sk that may support multiple associations. + + 2) If not the first association, validate the @ep->base.sk peer_sid against + the @skb peer sid to determine whether the association should be allowed + or denied. + + 3) If @sctp_cid = SCTP_CID_INIT, then set the sctp @ep sid to socket's sid + (from ep->base.sk) with MLS portion taken from @skb peer sid. This will + only be used by SCTP TCP style sockets and peeled off connections as they + cause a new socket to be generated. + + If IP security options are configured (CIPSO/CALIPSO), then the ip options + are set on the socket. + + To support this hook include/net/sctp/structs.h "struct sctp_endpoint" + has been updated with the following: + + /* Security identifiers from incoming (INIT). These are set by + * security_sctp_assoc_request(). These will only be used by + * SCTP TCP type sockets and peeled off connections as they + * cause a new socket to be generated. security_sctp_sk_clone() + * will then plug these into the new socket. + */ + u32 secid; + u32 peer_secid; + + +security_sctp_bind_connect() +----------------------------- +This new hook has been added to net/sctp/socket.c and net/sctp/sm_make_chunk.c. +It passes one or more ipv4/ipv6 addresses to the security module for +validation based on the @optname that will result in either a bind or connect +service as shown in the permission check tables below. +Returns 0 on success, error on failure. + + @sk - Pointer to sock structure. + @optname - Name of the option to validate. + @address - One or more ipv4 / ipv6 addresses. + @addrlen - The total length of address(s). This is calculated on each + ipv4 or ipv6 address using sizeof(struct sockaddr_in) or + sizeof(struct sockaddr_in6). + + ------------------------------------------------------------------ + | BIND Type Checks | + | @optname | @address contains | + |----------------------------|-----------------------------------| + | SCTP_SOCKOPT_BINDX_ADD | One or more ipv4 / ipv6 addresses | + | SCTP_PRIMARY_ADDR | Single ipv4 or ipv6 address | + | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address | + ------------------------------------------------------------------ + + ------------------------------------------------------------------ + | CONNECT Type Checks | + | @optname | @address contains | + |----------------------------|-----------------------------------| + | SCTP_SOCKOPT_CONNECTX | One or more ipv4 / ipv6 addresses | + | SCTP_PARAM_ADD_IP | One or more ipv4 / ipv6 addresses | + | SCTP_SENDMSG_CONNECT | Single ipv4 or ipv6 address | + | SCTP_PARAM_SET_PRIMARY | Single ipv4 or ipv6 address | + ------------------------------------------------------------------ + +A summary of the @optname entries is as follows: + + SCTP_SOCKOPT_BINDX_ADD - Allows additional bind addresses to be + associated after (optionally) calling + bind(3). + sctp_bindx(3) adds a set of bind + addresses on a socket. + + SCTP_SOCKOPT_CONNECTX - Allows the allocation of multiple + addresses for reaching a peer + (multi-homed). + sctp_connectx(3) initiates a connection + on an SCTP socket using multiple + destination addresses. + + SCTP_SENDMSG_CONNECT - Initiate a connection that is generated by a + sendmsg(2) or sctp_sendmsg(3) on a new asociation. + + SCTP_PRIMARY_ADDR - Set local primary address. + + SCTP_SET_PEER_PRIMARY_ADDR - Request peer sets address as + association primary. + + SCTP_PARAM_ADD_IP - These are used when Dynamic Address + SCTP_PARAM_SET_PRIMARY - Reconfiguration is enabled as explained below. + + +To support Dynamic Address Reconfiguration the following parameters must be +enabled on both endpoints (or use the appropriate setsockopts): + /proc/sys/net/sctp/addip_enable + /proc/sys/net/sctp/addip_noauth_enable + +then the following *_PARAM_*'s are sent to the peer in an +ASCONF chunk when the corresponding @optname's are present: + + @optname ASCONF Parameter + SCTP_SOCKOPT_BINDX_ADD -> SCTP_PARAM_ADD_IP + SCTP_SET_PEER_PRIMARY_ADDR -> SCTP_PARAM_SET_PRIMARY + + +security_sctp_sk_clone() +------------------------- +This new hook has been added to net/sctp/socket.c sctp_sock_migrate() that is +called whenever a new socket is created by accept(2) (i.e. a TCP style socket) +or when a socket is 'peeled off' e.g userspace calls sctp_peeloff(3). +security_sctp_sk_clone() will set the new sockets sid and peer sid to that +contained in the @ep sid and @ep peer sid respectively. + + @ep - pointer to old sctp endpoint structure. + @sk - pointer to old sock structure. + @sk - pointer to new sock structure. + +security_inet_conn_established() +--------------------------------- +This hook has been added to net/sctp/sm_statefuns.c COOKIE ECHO processing +where it sets the connection's peer sid to that in @skb. + + @sk - pointer to sock structure. + @skb - pointer to skbuff of the COOKIE ECHO packet. + + +Security Hooks used for Association Establishment +================================================== +The following diagram shows the use of security_sctp_connect_bind(), +security_sctp_assoc_request(), security_inet_conn_established() in +net/sctp/sm_statefuns.c and security_sctp_sk_clone() in net/sctp/socket.c, +when establishing an association. + + SCTP endpoint "A" SCTP endpoint "Z" + ================= ================= + sctp_sf_do_prm_asoc() + Association setup can be initiated + by a connect(2), sctp_connectx(3), + sendmsg(2) or sctp_sendmsg(3). + These will result in a call to + security_sctp_bind_connect() to + initiate an association to + SCTP peer endpoint "Z". + INIT ---------------------------------------------> + sctp_sf_do_5_1B_init() + Respond to an INIT chunk. + SCTP peer endpoint "A" is + asking for an association. Call + security_sctp_assoc_request() + to set the peer label if first + association. + If not first association, check + whether allowed, IF so send: + <----------------------------------------------- INIT ACK + | ELSE audit event and silently + | discard the packet. + sctp_sf_do_5_1C_ack + Respond to an INIT ACK chunk. + SCTP peer endpoint"A" initiated + this association to SCTP peer + endpoint "Z". Call + security_sctp_assoc_request() + to set the peer label if first + association. If not first + association, check whether + allowed, IF so send: + COOKIE ECHO ------------------------------------------> + ELSE audit event and silently | + discard the packet. | + | + <------------------------------------------- COOKIE ACK + | | + sctp_sf_do_5_1E_ca | + Call security_inet_conn_established() | + to set the correct peer sid. | + | | + | net/sctp/socket.c sctp_copy_sock() + | If SCTP_SOCKET_TCP or peeled off + | socket security_sctp_sk_clone() is + | called to clone the new socket. + | | + ESTABLISHED ESTABLISHED + | | + ------------------------------------------------------------------ + | Association Established | + ------------------------------------------------------------------ + + diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 3a90feb..42370a7 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -913,6 +913,33 @@ * associated with the TUN device's security structure. * @security pointer to the TUN devices's security structure. * + * Security hooks for SCTP + * + * @sctp_assoc_request: + * If first association, then set the peer sid to that in @skb. If + * @sctp_cid is from an INIT chunk, then set the sctp endpoint sid to + * socket's sid (ep->base.sk) with MLS portion taken from peer sid. + * @ep pointer to sctp endpoint structure. + * @skb pointer to skbuff of association packet. + * @sctp_cid whether association from INIT or INIT_ACK chunk. + * Return 0 on success, error on failure. + * @sctp_bind_connect: + * Validiate permissions required for each address associated with sock + * @sk. Depending on @optname, the addresses will be treated as either + * for a connect or bind service. The @addrlen is calculated on each + * ipv4 and ipv6 address using sizeof(struct sockaddr_in) or + * sizeof(struct sockaddr_in6). + * @sk pointer to sock structure. + * @optname name of the option to validate. + * @address list containing one or more ipv4/ipv6 addresses. + * @addrlen total length of address(s). + * Return 0 on success, error on failure. + * @sctp_sk_clone: + * Sets the new child socket's sid to the old endpoint sid. + * @ep pointer to old sctp endpoint structure. + * @sk pointer to old sock structure. + * @sk pointer to new sock structure. + * * Security hooks for Infiniband * * @ib_pkey_access: @@ -1640,6 +1667,13 @@ union security_list_options { int (*tun_dev_attach_queue)(void *security); int (*tun_dev_attach)(struct sock *sk, void *security); int (*tun_dev_open)(void *security); + int (*sctp_assoc_request)(struct sctp_endpoint *ep, + struct sk_buff *skb, + int sctp_cid); + int (*sctp_bind_connect)(struct sock *sk, int optname, + struct sockaddr *address, int addrlen); + void (*sctp_sk_clone)(struct sctp_endpoint *ep, struct sock *sk, + struct sock *newsk); #endif /* CONFIG_SECURITY_NETWORK */ #ifdef CONFIG_SECURITY_INFINIBAND @@ -1880,6 +1914,9 @@ struct security_hook_heads { struct list_head tun_dev_attach_queue; struct list_head tun_dev_attach; struct list_head tun_dev_open; + struct list_head sctp_assoc_request; + struct list_head sctp_bind_connect; + struct list_head sctp_sk_clone; #endif /* CONFIG_SECURITY_NETWORK */ #ifdef CONFIG_SECURITY_INFINIBAND struct list_head ib_pkey_access; diff --git a/include/linux/security.h b/include/linux/security.h index 834b355..2054023 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -114,6 +114,7 @@ struct xfrm_policy; struct xfrm_state; struct xfrm_user_sec_ctx; struct seq_file; +struct sctp_endpoint; #ifdef CONFIG_MMU extern unsigned long mmap_min_addr; @@ -1240,6 +1241,12 @@ int security_tun_dev_create(void); int security_tun_dev_attach_queue(void *security); int security_tun_dev_attach(struct sock *sk, void *security); int security_tun_dev_open(void *security); +int security_sctp_assoc_request(struct sctp_endpoint *ep, struct sk_buff *skb, + int sctp_cid); +int security_sctp_bind_connect(struct sock *sk, int optname, + struct sockaddr *address, int addrlen); +void security_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk, + struct sock *newsk); #else /* CONFIG_SECURITY_NETWORK */ static inline int security_unix_stream_connect(struct sock *sock, @@ -1432,6 +1439,26 @@ static inline int security_tun_dev_open(void *security) { return 0; } + +static inline int security_sctp_assoc_request(struct sctp_endpoint *ep, + struct sk_buff *skb, + int sctp_cid) +{ + return 0; +} + +static inline int security_sctp_bind_connect(struct sock *sk, int optname, + struct sockaddr *address, + int addrlen) +{ + return 0; +} + +static inline void security_sctp_sk_clone(struct sctp_endpoint *ep, + struct sock *sk, + struct sock *newsk) +{ +} #endif /* CONFIG_SECURITY_NETWORK */ #ifdef CONFIG_SECURITY_INFINIBAND diff --git a/security/security.c b/security/security.c index 3013237..798fc6e 100644 --- a/security/security.c +++ b/security/security.c @@ -1482,6 +1482,7 @@ void security_inet_conn_established(struct sock *sk, { call_void_hook(inet_conn_established, sk, skb); } +EXPORT_SYMBOL(security_inet_conn_established); int security_secmark_relabel_packet(u32 secid) { @@ -1537,6 +1538,28 @@ int security_tun_dev_open(void *security) } EXPORT_SYMBOL(security_tun_dev_open); +int security_sctp_assoc_request(struct sctp_endpoint *ep, struct sk_buff *skb, + int sctp_cid) +{ + return call_int_hook(sctp_assoc_request, 0, ep, skb, sctp_cid); +} +EXPORT_SYMBOL(security_sctp_assoc_request); + +int security_sctp_bind_connect(struct sock *sk, int optname, + struct sockaddr *address, int addrlen) +{ + return call_int_hook(sctp_bind_connect, 0, sk, optname, + address, addrlen); +} +EXPORT_SYMBOL(security_sctp_bind_connect); + +void security_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk, + struct sock *newsk) +{ + call_void_hook(sctp_sk_clone, ep, sk, newsk); +} +EXPORT_SYMBOL(security_sctp_sk_clone); + #endif /* CONFIG_SECURITY_NETWORK */ #ifdef CONFIG_SECURITY_INFINIBAND