From patchwork Tue Feb 13 20:53:21 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jann Horn via Selinux
X-Patchwork-Id: 10217617
To: selinux@tycho.nsa.gov, netdev@vger.kernel.org, linux-sctp@vger.kernel.org,
linux-security-module@vger.kernel.org Date: Tue, 13 Feb 2018 20:53:21 +0000 Message-Id: <20180213205321.4497-1-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.14.3 X-Mailman-Approved-At: Tue, 13 Feb 2018 16:34:04 -0500 Subject: [PATCH V6 1/4] security: Add support for SCTP security hooks X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.21 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: From: Richard Haines via Selinux Reply-To: Richard Haines Cc: marcelo.leitner@gmail.com, nhorman@tuxdriver.com, vyasevich@gmail.com, james.l.morris@oracle.com, sds@tycho.nsa.gov Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP The SCTP security hooks are explained in: Documentation/security/LSM-sctp.rst Signed-off-by: Richard Haines --- Documentation/security/LSM-sctp.rst | 175 ++++++++++++++++++++++++++++++++++++ include/linux/lsm_hooks.h | 36 ++++++++ include/linux/security.h | 25 ++++++ security/security.c | 22 +++++ 4 files changed, 258 insertions(+) create mode 100644 Documentation/security/LSM-sctp.rst diff --git a/Documentation/security/LSM-sctp.rst b/Documentation/security/LSM-sctp.rst new file mode 100644 index 0000000..6e5a392 --- /dev/null +++ b/Documentation/security/LSM-sctp.rst 
@@ -0,0 +1,175 @@ +SCTP LSM Support +================ + +For security module support, three SCTP specific hooks have been implemented:: + + security_sctp_assoc_request() + security_sctp_bind_connect() + security_sctp_sk_clone() + +Also the following security hook has been utilised:: + + security_inet_conn_established() + +The usage of these hooks are described below with the SELinux implementation +described in ``Documentation/security/SELinux-sctp.rst`` + + +security_sctp_assoc_request() +----------------------------- +Passes the ``@ep`` and ``@chunk->skb`` of the association INIT packet to the +security module. Returns 0 on success, error on failure. +:: + + @ep - pointer to sctp endpoint structure. + @skb - pointer to skbuff of association packet. + + +security_sctp_bind_connect() +----------------------------- +Passes one or more ipv4/ipv6 addresses to the security module for validation +based on the ``@optname`` that will result in either a bind or connect +service as shown in the permission check tables below. +Returns 0 on success, error on failure. +:: + + @sk - Pointer to sock structure. + @optname - Name of the option to validate. + @address - One or more ipv4 / ipv6 addresses. + @addrlen - The total length of address(s). This is calculated on each + ipv4 or ipv6 address using sizeof(struct sockaddr_in) or + sizeof(struct sockaddr_in6). 
+ + ------------------------------------------------------------------ + | BIND Type Checks | + | @optname | @address contains | + |----------------------------|-----------------------------------| + | SCTP_SOCKOPT_BINDX_ADD | One or more ipv4 / ipv6 addresses | + | SCTP_PRIMARY_ADDR | Single ipv4 or ipv6 address | + | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address | + ------------------------------------------------------------------ + + ------------------------------------------------------------------ + | CONNECT Type Checks | + | @optname | @address contains | + |----------------------------|-----------------------------------| + | SCTP_SOCKOPT_CONNECTX | One or more ipv4 / ipv6 addresses | + | SCTP_PARAM_ADD_IP | One or more ipv4 / ipv6 addresses | + | SCTP_SENDMSG_CONNECT | Single ipv4 or ipv6 address | + | SCTP_PARAM_SET_PRIMARY | Single ipv4 or ipv6 address | + ------------------------------------------------------------------ + +A summary of the ``@optname`` entries is as follows:: + + SCTP_SOCKOPT_BINDX_ADD - Allows additional bind addresses to be + associated after (optionally) calling + bind(3). + sctp_bindx(3) adds a set of bind + addresses on a socket. + + SCTP_SOCKOPT_CONNECTX - Allows the allocation of multiple + addresses for reaching a peer + (multi-homed). + sctp_connectx(3) initiates a connection + on an SCTP socket using multiple + destination addresses. + + SCTP_SENDMSG_CONNECT - Initiate a connection that is generated by a + sendmsg(2) or sctp_sendmsg(3) on a new asociation. + + SCTP_PRIMARY_ADDR - Set local primary address. + + SCTP_SET_PEER_PRIMARY_ADDR - Request peer sets address as + association primary. + + SCTP_PARAM_ADD_IP - These are used when Dynamic Address + SCTP_PARAM_SET_PRIMARY - Reconfiguration is enabled as explained below. 
+ + +To support Dynamic Address Reconfiguration the following parameters must be +enabled on both endpoints (or use the appropriate **setsockopt**\(2)):: + + /proc/sys/net/sctp/addip_enable + /proc/sys/net/sctp/addip_noauth_enable + +then the following *_PARAM_*'s are sent to the peer in an +ASCONF chunk when the corresponding ``@optname``'s are present:: + + @optname ASCONF Parameter + ---------- ------------------ + SCTP_SOCKOPT_BINDX_ADD -> SCTP_PARAM_ADD_IP + SCTP_SET_PEER_PRIMARY_ADDR -> SCTP_PARAM_SET_PRIMARY + + +security_sctp_sk_clone() +------------------------- +Called whenever a new socket is created by **accept**\(2) +(i.e. a TCP style socket) or when a socket is 'peeled off' e.g userspace +calls **sctp_peeloff**\(3). +:: + + @ep - pointer to current sctp endpoint structure. + @sk - pointer to current sock structure. + @sk - pointer to new sock structure. + + +security_inet_conn_established() +--------------------------------- +Called when a COOKIE ACK is received:: + + @sk - pointer to sock structure. + @skb - pointer to skbuff of the COOKIE ACK packet. + + +Security Hooks used for Association Establishment +================================================= +The following diagram shows the use of ``security_sctp_bind_connect()``, +``security_sctp_assoc_request()``, ``security_inet_conn_established()`` when +establishing an association. +:: + + SCTP endpoint "A" SCTP endpoint "Z" + ================= ================= + sctp_sf_do_prm_asoc() + Association setup can be initiated + by a connect(2), sctp_connectx(3), + sendmsg(2) or sctp_sendmsg(3). + These will result in a call to + security_sctp_bind_connect() to + initiate an association to + SCTP peer endpoint "Z". + INIT ---------------------------------------------> + sctp_sf_do_5_1B_init() + Respond to an INIT chunk. + SCTP peer endpoint "A" is + asking for an association. Call + security_sctp_assoc_request() + to set the peer label if first + association. 
+ If not first association, check + whether allowed, IF so send: + <----------------------------------------------- INIT ACK + | ELSE audit event and silently + | discard the packet. + | + COOKIE ECHO ------------------------------------------> + | + | + | + <------------------------------------------- COOKIE ACK + | | + sctp_sf_do_5_1E_ca | + Call security_inet_conn_established() | + to set the peer label. | + | | + | If SCTP_SOCKET_TCP or peeled off + | socket security_sctp_sk_clone() is + | called to clone the new socket. + | | + ESTABLISHED ESTABLISHED + | | + ------------------------------------------------------------------ + | Association Established | + ------------------------------------------------------------------ + + diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 7161d8e..84c0b92 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h 
@@ -906,6 +906,33 @@ * associated with the TUN device's security structure. * @security pointer to the TUN devices's security structure. * + * Security hooks for SCTP + * + * @sctp_assoc_request: + * Passes the @ep and @chunk->skb of the association INIT packet to + * the security module. + * @ep pointer to sctp endpoint structure. + * @skb pointer to skbuff of association packet. + * Return 0 on success, error on failure. + * @sctp_bind_connect: + * Validiate permissions required for each address associated with sock + * @sk. Depending on @optname, the addresses will be treated as either + * for a connect or bind service. The @addrlen is calculated on each + * ipv4 and ipv6 address using sizeof(struct sockaddr_in) or + * sizeof(struct sockaddr_in6). + * @sk pointer to sock structure. + * @optname name of the option to validate. + * @address list containing one or more ipv4/ipv6 addresses. + * @addrlen total length of address(s). + * Return 0 on success, error on failure. + * @sctp_sk_clone: + * Called whenever a new socket is created by accept(2) (i.e. a TCP + * style socket) or when a socket is 'peeled off' e.g userspace + * calls sctp_peeloff(3). + * @ep pointer to current sctp endpoint structure. + * @sk pointer to current sock structure. + * @sk pointer to new sock structure. + * * Security hooks for Infiniband * * @ib_pkey_access: @@ -1665,6 +1692,12 @@ union security_list_options { int (*tun_dev_attach_queue)(void *security); int (*tun_dev_attach)(struct sock *sk, void *security); int (*tun_dev_open)(void *security); + int (*sctp_assoc_request)(struct sctp_endpoint *ep, + struct sk_buff *skb); + int (*sctp_bind_connect)(struct sock *sk, int optname, + struct sockaddr *address, int addrlen); + void (*sctp_sk_clone)(struct sctp_endpoint *ep, struct sock *sk, + struct sock *newsk); #endif /* CONFIG_SECURITY_NETWORK */ #ifdef CONFIG_SECURITY_INFINIBAND 
@@ -1914,6 +1947,9 @@ struct security_hook_heads { struct list_head tun_dev_attach_queue; struct list_head tun_dev_attach; struct list_head tun_dev_open; + struct list_head sctp_assoc_request; + struct list_head sctp_bind_connect; + struct list_head sctp_sk_clone; #endif /* CONFIG_SECURITY_NETWORK */ #ifdef CONFIG_SECURITY_INFINIBAND struct list_head ib_pkey_access; diff --git a/include/linux/security.h b/include/linux/security.h index 2e9690f..41b020a 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -115,6 +115,7 @@ struct xfrm_policy; struct xfrm_state; struct xfrm_user_sec_ctx; struct seq_file; +struct sctp_endpoint; #ifdef CONFIG_MMU extern unsigned long mmap_min_addr; @@ -1229,6 +1230,11 @@ int security_tun_dev_create(void); int security_tun_dev_attach_queue(void *security); int security_tun_dev_attach(struct sock *sk, void *security); int security_tun_dev_open(void *security); +int security_sctp_assoc_request(struct sctp_endpoint *ep, struct sk_buff *skb); +int security_sctp_bind_connect(struct sock *sk, int optname, + struct sockaddr *address, int addrlen); +void security_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk, + struct sock *newsk); #else /* CONFIG_SECURITY_NETWORK */ static inline int security_unix_stream_connect(struct sock *sock, @@ -1421,6 +1427,25 @@ static inline int security_tun_dev_open(void *security) { return 0; } + +static inline int security_sctp_assoc_request(struct sctp_endpoint *ep, + struct sk_buff *skb) +{ + return 0; +} + +static inline int security_sctp_bind_connect(struct sock *sk, int optname, + struct sockaddr *address, + int addrlen) +{ + return 0; +} + +static inline void security_sctp_sk_clone(struct sctp_endpoint *ep, + struct sock *sk, + struct sock *newsk) +{ +} #endif /* CONFIG_SECURITY_NETWORK */ #ifdef CONFIG_SECURITY_INFINIBAND diff --git a/security/security.c b/security/security.c index 1cd8526..133bc99 100644 --- a/security/security.c +++ b/security/security.c 
@@ -1473,6 +1473,7 @@ void security_inet_conn_established(struct sock *sk, { call_void_hook(inet_conn_established, sk, skb); } +EXPORT_SYMBOL(security_inet_conn_established); int security_secmark_relabel_packet(u32 secid) { @@ -1528,6 +1529,27 @@ int security_tun_dev_open(void *security) } EXPORT_SYMBOL(security_tun_dev_open); +int security_sctp_assoc_request(struct sctp_endpoint *ep, struct sk_buff *skb) +{ + return call_int_hook(sctp_assoc_request, 0, ep, skb); +} +EXPORT_SYMBOL(security_sctp_assoc_request); + +int security_sctp_bind_connect(struct sock *sk, int optname, + struct sockaddr *address, int addrlen) +{ + return call_int_hook(sctp_bind_connect, 0, sk, optname, + address, addrlen); +} +EXPORT_SYMBOL(security_sctp_bind_connect); + +void security_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk, + struct sock *newsk) +{ + call_void_hook(sctp_sk_clone, ep, sk, newsk); +} +EXPORT_SYMBOL(security_sctp_sk_clone); + #endif /* CONFIG_SECURITY_NETWORK */ #ifdef CONFIG_SECURITY_INFINIBAND
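Review bot: The security_sctp_sk_clone() parameter list in Documentation/security/LSM-sctp.rst names @sk twice ("pointer to current sock structure" and "pointer to new sock structure"); the second entry should be @newsk to match the `struct sock *newsk` argument in the prototype. In the same file, "asociation" in the SCTP_SENDMSG_CONNECT summary should read "association", and "The usage of these hooks are described" should be "is described". The Dynamic Address Reconfiguration paragraph lists /proc/sys/net/sctp/addip_noauth_enable next to addip_enable as something that "must be enabled" without saying what it changes; one sentence on why both are needed would help a reader decide whether to set it.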
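Review bot: The @sctp_bind_connect comment in the first include/linux/lsm_hooks.h hunk does not say who is responsible for validating @addrlen against the contents of @address. The text says the length is built from sizeof(struct sockaddr_in) or sizeof(struct sockaddr_in6) per entry, and the prototype takes it as a plain `int addrlen`, so a security module walking a mixed ipv4/ipv6 list needs to know whether the caller has already checked that the length is positive and matches each entry's address family, or whether the hook must bounds-check every entry itself. Please state that contract in the comment. Also in this block, "Validiate" should be "Validate", and @sctp_sk_clone lists @sk twice where the last entry should be @newsk.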
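Review bot: The commit message does not explain the new `EXPORT_SYMBOL(security_inet_conn_established);` in the first security/security.c hunk. That hook already existed and is not one of the three SCTP hooks the patch introduces, and the changelog only points at Documentation/security/LSM-sctp.rst. Please add a line to the changelog naming the caller that needs the export, so the change can be reviewed on its own.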