From patchwork Wed Sep 19 23:14:02 2018
X-Patchwork-Submitter: Jann Horn via Selinux
X-Patchwork-Id: 10607565
9a23:ltxsjx+gmv7/vP9uRHKM819IXTAuvvDOBiVQ1KB61uoUIJqq85mqBkHD//Il1AaPAd2Eraocw8Pt8InYEVQa5piAtH1QOLdtbDQizfssogo7HcSeAlf6JvO5JwYzHcBFSUM3tyrjaRsdF8nxfUDdrWOv5jAOBBr/KRB1JuPoEYLOksi7ze+/94HRbglSmDaxfa55IQmrownWqsQYm5ZpJLwryhvOrHtIeuBWyn1tKFmOgRvy5dq+8YB6/ShItP0v68BPUaPhf6QlVrNYFygpM3o05MLwqxbOSxaE62YGXWUXlhpIBBXF7A3/U5zsvCb2qvZx1S+HNsL4V7A0XSmp4bltRhHmlSwLMyc1/HzLhsB1iq9QvRCvqAFlw4PMfo+bOvlwcKTSctwAWGRBRsRcWzFPD428dYsAE+UPMvhDr4Tmu1sBtgGzCRW2Ce/zyDJFgGL9060g0+QmFAHLxBItH9IUsHTVt9X1KKYSXvqzzKLVzDvbae9W2Svm6IfUchAuv+yHXaxxccXL1EIhCh3KjlGRqYzjIjOU2fkGvm+A7+V+UeKvimgnqxx+ozW02sctipXGhoISylze8yV525w6Kce3SE58f96pCZ1dvDyZOYtuWs4uXm5ltSkgxrAGpJK3ZjYGxZs5yxLFdvCLa4qF7xD5WOqMIjp1hWhpdbyhixqo80WtzPD3WNOu31ZQtCVFl8HBtnUK1xPO9MeKUuB9/kK92TaX0ADT9/1ELVg0laXFL54hxaY9loYJvkTZHy/2hV72gLWKdkQk5ueo6+Pnbq/gppCALI97lhvyMqEvmsy7Geg4Mw4OUHaH+emkybHu8kL0TK9Kg/EriKXVrp/XKdoBqqKkGwNV15ws6xe7DzeoytQYmnwHIUpeeB2Zi4jpOlfOIO33DPummFuslyprx/baMbL/GZXANWTDkbf9crZ97E5Q0gwzzctF6J5OBbEBJ+zzVlfrtNPEFh85LxC0w+H/BdV/0YMeX3iAArOZMKzIt1+F/eAvI+6KZI8Qojn9MOQl6OD0jX8ig1MderOp3ZQPYnCiAvtmO1mZYWbrgtoZE2cKvBAxQ/DpiF2ZVj5TYXeyX7wn6zE1DIKmEIjCSZuwgLyHwCe7A4daZmdcClCDCX3obZmLW+8QaCKOJc9siiQEWqa6RIA/0xGutRP6y718I+rV5CIXq4zs2MJy5+3JmhE47SZ0ANiF02GRU2F0mXsFSCIx3KB5p0xy10mM0ax5g/FDD9Nc+elJUgAgOZ7b1ex6BMj4WhjdcdeRVFamXtKmDCk/T9Iwx98OZlhyG8+5gxDNwSWlHrgVl6aRC5ws6KLc2HrxKNhhxHbazqUhiEMmQsRXP228mqF/7xTTB5LOk0iBlKalb6cc3CnQ9GqYzmqBpkJYUAltUanfWnAffETWp8zj5kzeV7+uFagnMgxZxMGYN6RKcNzpgktcRPr4ItvRf2exl323BRaSybOGdJDqdHkF3CXBFEgElBge8mqcOgg6GCihuH7eDTxpFV/0eEPj7eh+p229Tk8ozgGFdVdt17yr9R4JnfacUe8c3qoYuCc9rDV5BEy90M/LBNebqApheapdbck74FhZyWLTrxZ9MYC4L6B+ml4edBx6v1jg1xVtDYVAitQqoWgxzAp0LqKZ3lZBeCme3ZzqPL3YNHXy9gi1a6HKwlHezMqW+qAX5fU2sVrjuB2pGVQ483V8yNRVzWWT5o/RAwoPVJL9SEE39wJ1p7vCeCky+5vU1WFwMamzqjLC3dMpBO8hyhm+ZNdSK7mLGxHoE80dHcSuL/Yqm1exZBIeIO9S7LI0P9+hd/aexaGrIPxvnCi9gGtb54B9116D+DBnSu7UxZoFxe+X3hefXTfmkFihqtz3mZxDZTwKAGq/yDTrBJJWZq1oZ4oEFWeuI8qxxtVxnJPtX39Y9Fi5CFMc38+lYx2Sb0by3QdIz0QYvWSnmTekzzxzizwpqquf3DfSw+j7bxoIJGpLRGhkjVf
xLom5lMsaXFCpbwgvlRuq+V36y7JdpKthM2nZWV1IcDTuL2F+TquwsaKPY9RI6JMstSVYTv68bkydSr/zuBYayD7jEHdFxDwhcDGqoJr5lQRgiG2BNHZzsGbZecZoyBfc+tPcQ+VR0yEFRCZmjznXHV68MMe1/dmOkJfDqO++XXq7VpJPaSnr0Z+AtCyj6G1yGxK/gvSzlcP/EQcg1y/7y8dlVT/ToRbheYnkyb66Mfl9cklzA1/89tB6FZ1gnYs+g5EQw3caiYuP8XoBj2jzLc1R2bjiY3oVWT4L39nV7RD72E1lM32E3Jz5VnOAzcthfdW6ZH0Z2j4l5cBQFKiU9KBEnTdyolegtQLee+V9njMGxPQy6X4an+EItBMjziqHBLAeB05YPTbjlx6Q9dCxsL1XZHqzcbi3zEd+ntCgDLWcrQxHXXb5fZkiHSFu4cVjLFLM0Hrz6oT6d9XKa9IcqAGUmQ/aj+dJMJIxiuYKhS1/NGLzp3IlzfI7jRtr3ZyhsoiINXhi/KWjAhFCLj31fcQT+jPzgqlCgsaaxYevHo9uGj8TRpvnUeqoEC4OtfTgLwuOHic8pWmGFrrEBwCf7ltmr3XUE52wLX6YOHwZwc9lRBmHK0xVmBoUUykinp4lCgCqw9Tsf1xi6TwW4l74qwBMyv5zNxXlSWfQuhunZi0vSJeBKBpW7wdC51raMMGF8u1yHztY/oC6rACXJG2UfRhIDXoOWkyCHVzjOaOu5dbY+eiCGuW+N+fOYamJqeFGTPiIxJ2v0oxg/zuXK8qAIGJtD/wh1UpFR3x5HN7ZmzoXQSwNiy3Nd9KbpAu7+iBvrMC/8PTqWBro5YuLCrtSLctg9guzgaeCK+6Qnjh2JSxf1pMWyn/C0KIf00IKiyFyazmtFqwNtSjTQ63Knq9aFB0bayRoNMtU9a082BJNOc3ait/v0L53kOI1AU9fVVP9gsGpedAKI2alOVPdGkmLL6qJKifRw87rYaOxUqZfjOROtxKtvjabHVfjPi6dmDjpTRyvN/9DjD2DNhxEpI69agptCXTkTN/+dxK0KsF3jTwrzr0vnX7FL3QcMSJ7c0JDtb2f8z9XguhlG2xA8npkLfOImyCH4OnEMpwWq+dkAjxol+JG53Q3079V7CZeRPNrnivTr9lurkqpkumJ1zprSh1OqixEhIiTp0VtJb3Z9oVcWXbD5B8N9nufCxALp9tjF93utLtdxcTIlKL2NDhN6cnU/dcGC8jSNs2HLGIrMQD1Fz7MEAsFUTmrOHnCiENBlfGS8XuVroQnppX3hpoBVKVbVF00F/MdDERpBtoCL4lrXjk8i76UkNYI5WairBnWXMhaopHHVveVAfXzKDaYjaJJaAYJwbL4N4scLZf320p8ZVlmhI7KAVbfXchRoi19aQ85uF9C8Hx/TmIvxU3qcgat4X8VFf6zmB45kBBzbv8s9Dj25Vc7P1TKpDYqnEk3h9rlnSibcCTtI6eoQYFWFy30ulAqPZzlRQZ4dhe9klF6NDjaXbJRlKFvdXpriQPGvptPA/FcR7VeYBAM3fGXe+ko0VNEpyW9w09H5PfKCZtllAsuap6it2tO1R95YtMpIqLdP7ZGzl9Vhq2SpCCozfwxzBUYJ0kT7GOYYDQIt1AQNrk6Oyqo+fRh5hCAmzRZZGcBTOYlovVu9kM5OuSP0Tjg06JdJU+tN+yTNaSZu3LPlcSQWFM/ylsIl1VZ/bhxycojaVCbV1oozLSKDBkJKdDCJhtLb8VM8HjTfCCOserJwZJ0MIW9FvzoTeGUu6YOh0KoBgApEJoQ7s4ZBJmjzFnYLdv7LL4C0Rgs6h7nK0mFDPRIfRKLkS0Io8KkwZ92w4ZSOC8SDX96MSWt6bbdvhUqj+abXNcqfncaWZMJNncsV82gmC5WoWhADDix0uIW0wWD4SXzpiLMAzn4aNpjeeqbZQh2BNGw5zo/77C8iUTL/ZXGO2H6KdNit8fX6eMdo5aIEelUTLd6s0f
YlYlVXHmqU2nIEd6uOZf/d5MsbdvvCnahU1y/jT01Q932PNa3IaiCmRvoSppMsImHwDAjMtewGSsEGxdtoeEP/qF8aBYCY5o6YB7oqx8xO7a5IAiGztWkW3ytJidOT/lD0eW6YKRazzYrbu+/03YgUo02z+ys/kIXQpEFkA3ez+65Z4ZCSSjzBmBdewLXqCo7kGhuKP0/zfohzxPTr1YcKSyLe/J0Z2BeudEzG0+SK21sCmUkX1+ckZbD4gm00rAc5StShdBU3vFEsHjlpZLfZSqsWK2ypZXOvSsgdsIqo6prMYzsOsGGro/RniTDTJnMtQ2ISDK6GOdHldhROi1YROJFln0iOcwDpYVO81ExVtskK7xJFqYsuqigaSB4Ai4K0S8ZS4SA0SQaguenx7vVjAqfcIg5PRwft5VCn8EdXDJobSMYuK+jTZ/Zl2ueRmgMOgcT4hxG5BgcmY9oYuDl/I3IQYdXxD5Yv/14TinGGoRm+lbgVm6Whl34R+m7nOyywQJe1vTs3ccHWBRnE0hS2/5Wllc0KLFwM6QQpJDFvSKIdUzgoGLg0++mJF5PycLKaVH3EI3FunfiXSEG/30bW5NPwmnFFZsOiwp5dLorpFJULYC6YEbx+SIryJlyErmlUcCr20wlomwYRyerFNpBD/9psE7NVD1ieZCrp43vO49OTW9I5J2dt1BZnV1oMyGjzZpcL99C4iIQXDdVuzqQp92yR9Nf2c9tE5ADOM9/tGnnFKNCJpeRv2U8uqbzxX/B5zA8rFC6yS2xG6CiVeJZ+HYeGgEzKGSAsUQvCvYs8mPO8lDMrl90/v1UBr6UjUlrpzZ9BJ9ODC5T1X+5N1RzUGVGs+JCJaTXacNcRfcyZQWoOxMjC/ErxFCJ8ltynXfiZCx+rA1a9D7BXwMsTykanq/tmSECqsGgITIaRI9IbTQlbyfBNQ2bnDtaswtBZE5xWpAWGNBF96sc3YtO8crIUVysJj0dXBx+KgI41uJSlUxCsEWdYi3dCBSndPbRvR1tfMeRqsGpIO7//AhZloPtqPo4+LkbR326hQ2tRsjTr4n4ttCRt0uOcqL4P/e9YX/HQjjMlwq/haw4D5nQ4ijcLBZbK4RgyXU6e5ThDnTLPRteLaIBO0VbTbx6aclBou1CYs9kf6AJ+bNiBh2ZXR7vHY2vo+NALlnNWTTfISKB8va8oYLI97DdT/bvZtCUzXbdX613Jot66SX8G7ry1Y9e4U/21/d2+0N0V1fJLieBrM77KQMT/smicUnisYM1EjPKGptwl2Dtxk5YfcoNXyKq6IgYyI9e6HvoSOJ501L8v/dO+LR/8ok4/axpxtmoKqvILvRaq0BnCACOBgp27pUtHHR/R2dJb+AKKffRZqoYgtrsq+D2C6wX8Aea+/FdadbcO07BndSwBS+GRhxZhgcBriQaIRGG2/6Cga90Rt6vpfLl1UI1/1i+MhkGwah15Yie5qqHuO/XbhXWzbgeWajmX9jzoaoou0OT4/0kibEPd3dtYwK9DOgSSs4dx2nnzaAwziIgCcDDEKz6+P5FSX05mijsm5dnH1UZAvkUB6aE/ZxCnmcknOzULtIWfb5EmmaTEh6kFbgOyWW15CuTIWllhAzO0h7rTGO38lD2ty95TjHWw9fljEVVSqG9BV1OUCqxJU94rDSPMRLutNr2pas160U2PXb/tN6XlWuhP7RXH9bkJNGHJCk5q10WgIc2Rty11oARAcC9L8sJ8HFicvve7HumkyBdrKdcnIrS+9yb9PrRE3mhia2atrqMyStXyng9p14/7M6vOuvJ592QTPSiz3wRQDtnuwvdQx61raTWr1ITOUyL1kfHgpAFPtFd3Xkly07n5ekjQNQo9AVdF4bNfO0CpTHtODTuxVaQftM3WjOY0zRJAlL/CUN4F7Qk2GLsoMLJkm/d+1w2RoZqcUzqnhh3D5glJkIs71gX2TAPEQ8XaRCUFLuoH1jqLZMYVUgfbhSKxLq6dbk53U1
9xrOi/+HSYvZ6B6UTKvZRlAiOk0ZHGpgOq60RXKp8e0NB9K7QvgXiBIznX//olHUuMf21RttX8dset3sk4wawWwCs6ZFd4LYHkJqIbLJLYYDQvMBg6Edq/TsPdi1OgBh8iBO0SuIcq/rg4tjctpqn9OCuWLwrR+oJ6xg+H35+gIfogFA/vdHX0P9RRZbLhoT57ABAOGWKuILd0xlgNeoONZykc6t6+3UAPSgeKGoEPcCKZPkk/y9tLDLT6kRMAswSYdMYPdLNlh5Ph0zoWbFT88/bFUGCC4d3ac8k9W33yCo68ZEkSObv9Ce2JYzD71FKJ/5Cgj1slMjDpOcJ3/XfEy0X4XiFaxhv3CyO0Z6NC+z//e+U0tHbS0sGHjIqU4daPDeC/ginSfSumZXxVgOb8NTzgI4/dE2MWnyxhroKvbhWHe5GlCr7wiBUFprpiPKNr9qs9GxXu0VDEIZy6x3FBapeMox/ORT5jcmrWlN8CzD+eM7OcBouv/CaxuAW4+VxL0H+f5MUIgoYy7Lm7npYVg5uR6TqsVaZXOIRYtxmRejarnBU74JvNasPPFmbpJz3oTZEslc2ABUmaLUotDxValHOnBFJW6bzoLMAiBETUd1+uUBXAm+wJWQ+5ybHVaRSkamRB/wV8imJQqwITUpoLjt0Qwmp15V2Z7upgfdHv3tdniNzpfglzz1rSRintC3yua0NwzMg+bC/tDUHo3BFSPuRkzubQWlEmewDh6MbI3Dv9VK9ZGUOds31+rYjbcfp+Y0s6Fw1ZRwofC0BWenmCC/zjuWIH8jHvs10nwKXvMjIK7O+aWAeP6owzDrvTmZw1wzZkgou9mYXBn2m4cMqJYGhNNxgyie2FGzzalkB+OVKvdH3uFpNS/E5LRtqx39uzsWOQwULSdDBGmIpgxJibn9LNNpF5AMWGrcAnDmFpO9F8xsSbTOSFZ6qvsHUnMHVyTw+QM1sy2b+uKKInNUp3Wdjltcy6TSB/DwKfvHce9dlH3y204BY0+G4bPKo9qgcRJBO1KWqUPhENNKqv2SxxtEiV1es3LUFN0KwKu4Y3rPSWCrjTneXHayJdm+WhTciGkj74BSpaFotZ4MCtEInPebqhpdYkxznF7hzQ2HYvlLfzWo+IcsGZgk2v8GhYAVMQ+kPI6CYJO4z0LglBVARdX7VDG5zDOOrtVOFgod2ITNj7F/8bOCr9RrpY+GfAh0VLYmPhZ5r+OemR2uHcVD+0AFpN0l5v7PUGEY2sOJHW5mWmtfUitFy0OpDfPBoZ34ToNkWz6lj84iPzMaDd1n+UIruPtrVr7CGAvSX9Ekue2dHQvJNeg7x5oMnLvYlSrbTGv1fph1aCq8kFs9yf1zt/b15eVsgOjXaY66514yz/u8= X-IPAS-Result: A2BgAAA+kqNb/wHyM5BbGwEBAQEDAQEBCQEBAYFQgV4qgQhcKINziBVfi1GFHJM/FAyBUxIYEwGEWYMpITQYAQMBAQEBAQECAWwogjUkgmcCIAQNGiAOAwkCJAIiBAICAgEBLQMBBQEDAQcBFwcLBRgEgkE/gWoBAQEVAwGYHzyLC3szhAABZ4ItBAoYDYEKgUUSeYVOhBYOCYIAgRKFaIF1ARIBCIMYglcCiEuUGQoJkBkiiGQKhjMBK5QjAgQCBAUCBQ8hOGk4ZHErChgpDzsxBnwagR+CJReNYjUDbXoBAQGKOoI9AQE Received: from tarius.tycho.ncsc.mil ([144.51.242.1]) by emsm-gh1-uea11.NCSC.MIL with ESMTP; 20 Sep 2018 12:30:53 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus.infosec.tycho.ncsc.mil [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id 
w8KCU73o025415; Thu, 20 Sep 2018 08:30:19 -0400 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id w8JNEXbn024080 for ; Wed, 19 Sep 2018 19:14:33 -0400 Received: from goalie.tycho.ncsc.mil (goalie.infosec.tycho.ncsc.mil [144.51.242.250]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id w8JNETBg010696; Wed, 19 Sep 2018 19:14:30 -0400 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A1AbAAAu16Jbly0YGNZdHAEBAQQBAQoBAYFQggWBZyiDc4gVX4tSinmNYBSBZgssh30hNBgBAwEBAQEBAQIUAQEBAQEGGAZMhW4EGQE5AxIfAiYCNgEFASMSgyGBaQEDFQMBmUI8iwt7M4J2BYEFAYJuCj8NgQqBPQIGEnmFTIQWF4IAgRKFaIIRgxiCVwKIRJQLCgmQFyKIYQqGLyuUHQIEAgQFAgUPIYEhgg00PBVsgjuCGQwOCYNFihw1A216jGMBAQ X-IPAS-Result: A1AbAAAu16Jbly0YGNZdHAEBAQQBAQoBAYFQggWBZyiDc4gVX4tSinmNYBSBZgssh30hNBgBAwEBAQEBAQIUAQEBAQEGGAZMhW4EGQE5AxIfAiYCNgEFASMSgyGBaQEDFQMBmUI8iwt7M4J2BYEFAYJuCj8NgQqBPQIGEnmFTIQWF4IAgRKFaIIRgxiCVwKIRJQLCgmQFyKIYQqGLyuUHQIEAgQFAgUPIYEhgg00PBVsgjuCGQwOCYNFihw1A216jGMBAQ X-IronPort-AV: E=Sophos;i="5.53,395,1531800000"; d="scan'208";a="373880" Received: from emsm-gh1-uea11.ncsc.mil ([214.29.60.35]) by goalie.tycho.ncsc.mil with ESMTP; 19 Sep 2018 19:14:29 -0400 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A0AbAAAu16Jbly0YGNZdHAEBAQQBAQoBAYFQggWBZyiDc4gVX4tSinmNYBSBZgssh30hNBgBAwEBAQEBAQIBEwEBAQEBBhgGTAyCNSKDCwQZATkDEh8CJgI2AQUBIxKDIYFpAQMVAwGZQjyLC3szgnYFgQUBgm4KPw2BCoE9AgYSeYVMhBYXggCBEoVoghGDGIJXAohElAsKCZAXIohhCoYvK5QdAgQCBAUCBQ8hgSGCDTQ8FWyCO4IZDA4Jg0WKHDUDbXqMYwEB X-IPAS-Result: A0AbAAAu16Jbly0YGNZdHAEBAQQBAQoBAYFQggWBZyiDc4gVX4tSinmNYBSBZgssh30hNBgBAwEBAQEBAQIBEwEBAQEBBhgGTAyCNSKDCwQZATkDEh8CJgI2AQUBIxKDIYFpAQMVAwGZQjyLC3szgnYFgQUBgm4KPw2BCoE9AgYSeYVMhBYXggCBEoVoghGDGIJXAohElAsKCZAXIohhCoYvK5QdAgQCBAUCBQ8hgSGCDTQ8FWyCO4IZDA4Jg0WKHDUDbXqMYwEB X-IronPort-AV: E=Sophos;i="5.53,395,1531785600"; d="scan'208";a="18451041" X-IronPort-Outbreak-Status: No, level 0, Unknown - Unknown 
Received: from ucol3cpa07.eemsg.mail.mil ([214.24.24.45]) by emsm-gh1-uea11.NCSC.MIL with ESMTP; 19 Sep 2018 23:14:28 +0000 X-EEMSG-check-005: 0 X-EEMSG-check-006: 000-001;d907f8a3-8d6b-442f-9bbf-8d5ef19bb833 X-EEMSG-check-008: 595276770|UCOL19PA15_EEMSG_MP13.csd.disa.mil X-EEMSG-SBRS: -0.2 X-EEMSG-ORIG-IP: 209.85.128.65 X-EEMSG-check-002: true X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A0BmAAAu16JbYkGAVdFdHAEBAQQBAQoBAYFQggiCDINziBVfi1KKeY1gFIFmCwUnh30ZBwEEMBgBAwEBAQEBAQEBAQYYFggbDCUMgjUigwsECwENATkDEh8CJgI2AQUBIxKDIYFpAQMVBJlCPIsLezOCdgWBBQGCbgo/DYEKgT0CBgkBCHmFTIQWF4IAgRKFaIIRgxiCVwKIRJQLCgmQFyKIYQqGLgErlB0CBAIEBQIFDyGBIYINNDwVbII7ghkMF4NFihw1A216jGMBAQ X-IPAS-Result: A0BmAAAu16JbYkGAVdFdHAEBAQQBAQoBAYFQggiCDINziBVfi1KKeY1gFIFmCwUnh30ZBwEEMBgBAwEBAQEBAQEBAQYYFggbDCUMgjUigwsECwENATkDEh8CJgI2AQUBIxKDIYFpAQMVBJlCPIsLezOCdgWBBQGCbgo/DYEKgT0CBgkBCHmFTIQWF4IAgRKFaIIRgxiCVwKIRJQLCgmQFyKIYQqGLgErlB0CBAIEBQIFDyGBIYINNDwVbII7ghkMF4NFihw1A216jGMBAQ Received: from mail-wm1-f65.google.com ([209.85.128.65]) by ucol19pa15.eemsg.mail.mil with ESMTP/TLS/AES128-SHA; 19 Sep 2018 23:14:15 +0000 Received: by mail-wm1-f65.google.com with SMTP id b19-v6so7941084wme.3; Wed, 19 Sep 2018 16:14:17 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:mime-version :content-transfer-encoding; bh=1ZkCy9BDjKtS+RtDTCXwFfQMhHVf0s2rtMCS0C9ZKTc=; b=HP86kLBjkd6QzcQeLU7ZjFutCqGHP0aZxwKr6YBADbfkGsKbkDYH2uur91IijIKLpv uBW4p7DKnlHWELBfieiNlerkSNzQfDBzJFg4cPHVHXNcUbPrv53ZhUSIcb5Cw5CvKj2I h0P6c2xtqvcmm2SqQqT003T8Mu8JliOvtbwYMaiBaTWohovZE2RbRFqygvZ6ISmzuAfL wnNa+vSXjjUrOu7pDurPkNnrc7YitLTy+I2+H79peA0Or9cwDzgH9+IswgzZy0NsTq69 jbqlK7dO5+4R/YBa2eiH8Rds1rVN1LKI1cuy+dh04AxRIvF2oOorgj2zVJBBEJ1ek6ml 4vCA== X-Gm-Message-State: APzg51BiFcJvsuYGpk9FIHUeeIH3BPHZIUbqBitIMZbgSgo8FTpQFm5i c9qUOOpm8A2/CyKKKmPmdUM= X-Google-Smtp-Source: 
To: pablo@netfilter.org, kadlec@blackhole.kfki.hu, fw@strlen.de, davem@davemloft.net, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, paul@paul-moore.com, sds@tycho.nsa.gov, eparis@parisplace.org, jmorris@namei.org, serge@hallyn.com, selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org
Date: Thu, 20 Sep 2018 01:14:02 +0200
Message-Id: <20180919231402.4482-1-cgzones@googlemail.com>
X-Mailer: git-send-email 2.19.0
Subject: [PATCH] netfilter: nf_tables: add SECMARK support
List-Id: "Security-Enhanced Linux (SELinux) mailing list"
From: Christian Göttsche via Selinux
Reply-To: Christian Göttsche

Add the ability to set the security context of packets within the nf_tables framework.

Add a nft_object for holding security contexts in the kernel and manipulating packets on the wire. The contexts are kept as strings and are evaluated to security identifiers at runtime (packet arrival), so that the nft_objects do not need to be refreshed after security changes.

The maximum security context length is set to 256.

Based on v4.18.6

Signed-off-by: Christian Göttsche
---
 include/net/netfilter/nf_tables_core.h   |  4 +
 include/uapi/linux/netfilter/nf_tables.h | 18 ++++-
 net/netfilter/nf_tables_core.c           | 28 ++++++-
 net/netfilter/nft_meta.c                 | 95 ++++++++++++++++++++++++
 4 files changed, 140 insertions(+), 5 deletions(-)

diff --git a/include/net/netfilter/nf_tables_core.h b/include/net/netfilter/nf_tables_core.h index a0513450..0d1f3b96 100644 --- a/include/net/netfilter/nf_tables_core.h +++ b/include/net/netfilter/nf_tables_core.h @@ -16,6 +16,10 @@ extern struct nft_expr_type nft_meta_type; extern struct nft_expr_type nft_rt_type; extern struct nft_expr_type nft_exthdr_type; +#ifdef CONFIG_NETWORK_SECMARK +extern struct nft_object_type nft_secmark_obj_type; +#endif + int nf_tables_core_module_init(void); void nf_tables_core_module_exit(void); diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h index 89438e68..f1527962 100644 --- a/include/uapi/linux/netfilter/nf_tables.h +++ b/include/uapi/linux/netfilter/nf_tables.h 
@@ -1169,6 +1169,21 @@ enum nft_quota_attributes { }; #define NFTA_QUOTA_MAX (__NFTA_QUOTA_MAX - 1) +/** + * enum nft_secmark_attributes - nf_tables secmark object netlink attributes + * + * @NFTA_SECMARK_CTX: security context (NLA_STRING) + */ +enum nft_secmark_attributes { + NFTA_SECMARK_UNSPEC, + NFTA_SECMARK_CTX, + __NFTA_SECMARK_MAX, +}; +#define NFTA_SECMARK_MAX (__NFTA_SECMARK_MAX - 1) + +/* Max security context length */ +#define NFT_SECMARK_CTX_MAXLEN 256 + /** * enum nft_reject_types - nf_tables reject expression reject types * @@ -1398,7 +1413,8 @@ enum nft_ct_helper_attributes { #define NFT_OBJECT_CT_HELPER 3 #define NFT_OBJECT_LIMIT 4 #define NFT_OBJECT_CONNLIMIT 5 -#define __NFT_OBJECT_MAX 6 +#define NFT_OBJECT_SECMARK 6 +#define __NFT_OBJECT_MAX 7 #define NFT_OBJECT_MAX (__NFT_OBJECT_MAX - 1) /** diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c index 8de912ca..d59ebba0 100644 --- a/net/netfilter/nf_tables_core.c +++ b/net/netfilter/nf_tables_core.c @@ -235,12 +235,24 @@ static struct nft_expr_type *nft_basic_types[] = { &nft_exthdr_type, }; +static struct nft_object_type *nft_basic_objects[] = { +#ifdef CONFIG_NETWORK_SECMARK + &nft_secmark_obj_type, +#endif +}; + int __init nf_tables_core_module_init(void) { - int err, i; + int err, i, j = 0; + + for (i = 0; i < ARRAY_SIZE(nft_basic_objects); i++) { + err = nft_register_obj(nft_basic_objects[i]); + if (err) + goto err; + } - for (i = 0; i < ARRAY_SIZE(nft_basic_types); i++) { - err = nft_register_expr(nft_basic_types[i]); + for (j = 0; j < ARRAY_SIZE(nft_basic_types); j++) { + err = nft_register_expr(nft_basic_types[j]); if (err) goto err; } @@ -248,8 +260,12 @@ int __init nf_tables_core_module_init(void) return 0; err: + while (j-- > 0) + nft_unregister_expr(nft_basic_types[j]); + while (i-- > 0) - nft_unregister_expr(nft_basic_types[i]); + nft_unregister_obj(nft_basic_objects[i]); + return err; } 
@@ -260,4 +276,8 @@ void nf_tables_core_module_exit(void) i = ARRAY_SIZE(nft_basic_types); while (i-- > 0) nft_unregister_expr(nft_basic_types[i]); + + i = ARRAY_SIZE(nft_basic_objects); + while (i-- > 0) + nft_unregister_obj(nft_basic_objects[i]); } diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c index 1105a23b..26b79a3c 100644 --- a/net/netfilter/nft_meta.c +++ b/net/netfilter/nft_meta.c 
@@ -540,3 +540,98 @@ struct nft_expr_type nft_meta_type __read_mostly = { .maxattr = NFTA_META_MAX, .owner = THIS_MODULE, }; + +#ifdef CONFIG_NETWORK_SECMARK + +struct nft_secmark { + char ctx[NFT_SECMARK_CTX_MAXLEN]; + int len; +}; + +static const struct nla_policy nft_secmark_policy[NFTA_SECMARK_MAX + 1] = { + [NFTA_SECMARK_CTX] = { .type = NLA_STRING, .len = NFT_SECMARK_CTX_MAXLEN }, +}; + + +static void nft_secmark_obj_eval(struct nft_object *obj, struct nft_regs *regs, const struct nft_pktinfo *pkt) +{ + const struct nft_secmark *priv = nft_obj_data(obj); + struct sk_buff *skb = pkt->skb; + int err; + u32 secid = 0; + + /* skip if packet has already a secmark */ + if (skb->secmark) + return; + + err = security_secctx_to_secid(priv->ctx, priv->len, &secid); + if (err) { + if (err == -EINVAL) + pr_notice_ratelimited("invalid security context \'%s\'\n", priv->ctx); + else + pr_notice_ratelimited("unable to convert security context \'%s\': %d\n", priv->ctx, -err); + return; + } + + if (!secid) { + pr_notice_ratelimited("unable to map security context \'%s\'\n", priv->ctx); + return; + } + + err = security_secmark_relabel_packet(secid); + if (err) { + pr_notice_ratelimited("unable to obtain relabeling permission: %d\n", -err); + return; + } + + skb->secmark = secid; +} + + +static int nft_secmark_obj_init(const struct nft_ctx *ctx, const struct nlattr * const tb[], struct nft_object *obj) +{ + struct nft_secmark *priv = nft_obj_data(obj); + + if (tb[NFTA_SECMARK_CTX] == NULL) + return -EINVAL; + + nla_strlcpy(priv->ctx, tb[NFTA_SECMARK_CTX], NFT_SECMARK_CTX_MAXLEN); + priv->len = strlen(priv->ctx); + + security_secmark_refcount_inc(); + + return 0; +} + +static int nft_secmark_obj_dump(struct sk_buff *skb, struct nft_object *obj, bool reset) +{ + const struct nft_secmark *priv = nft_obj_data(obj); + + if (nla_put_string(skb, NFTA_SECMARK_CTX, priv->ctx)) + return -1; + + return 0; +} + +static void nft_secmark_obj_destroy(const struct nft_ctx *ctx, struct 
nft_object *obj) +{ + security_secmark_refcount_dec(); +} + +static const struct nft_object_ops nft_secmark_obj_ops = { + .type = &nft_secmark_obj_type, + .size = sizeof(struct nft_secmark), + .init = nft_secmark_obj_init, + .eval = nft_secmark_obj_eval, + .dump = nft_secmark_obj_dump, + .destroy = nft_secmark_obj_destroy, +}; +struct nft_object_type nft_secmark_obj_type __read_mostly = { + .type = NFT_OBJECT_SECMARK, + .ops = &nft_secmark_obj_ops, + .maxattr = NFTA_SECMARK_MAX, + .policy = nft_secmark_policy, + .owner = THIS_MODULE, +}; + +#endif /* CONFIG_NETWORK_SECMARK */
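Review bot: in the uapi hunk adding enum nft_secmark_attributes, the kernel-doc line `@NFTA_SECMARK_CTX: security context (NLA_STRING)` does not mention the length limit, although NFT_SECMARK_CTX_MAXLEN is defined right below it and enforced by nft_secmark_policy; since both the attribute and the define become userspace ABI in this header, please state in the comment that the context is limited to NFT_SECMARK_CTX_MAXLEN bytes, and note in the commit message that NFT_OBJECT_SECMARK is a new object type number that userspace nftables needs to learn.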
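Review bot: the unwind under the `err:` label in nf_tables_core_module_init() is correct but depends on two invariants that are easy to break later: `j` must stay 0 when the object loop fails (it is, via `int err, i, j = 0;`) and `i` must equal ARRAY_SIZE(nft_basic_objects) when the expression loop fails; a one-line comment above `while (j-- > 0)` spelling this out would help. The hunk also renames the existing expression loop counter from `i` to `j`, which touches lines that do not otherwise change; keeping the expression loop on `i` and adding the object loop after it with its own counter would limit the diff to the new lines. Please also confirm a clean build with CONFIG_NETWORK_SECMARK=n, where nft_basic_objects has no initialisers and ARRAY_SIZE() is 0.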
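Review bot: security_secmark_relabel_packet() is called from nft_secmark_obj_eval(), i.e. per packet on the data path, where the LSM evaluates the relabel permission against whatever task happens to be current at hook time rather than against the process that created the object; the permission check, and the security_secctx_to_secid() translation it depends on, belong in nft_secmark_obj_init(), in the netlink caller's context, with the resulting secid stored in struct nft_secmark so that eval reduces to `skb->secmark = priv->secid;`. That also takes the per-packet string lookup and the three pr_notice_ratelimited() calls out of the packet path; if re-resolving the context after a policy change is the goal (as the commit message says), do it from a controlled path rather than on every packet. Separately, nft_secmark_policy accepts strings of up to NFT_SECMARK_CTX_MAXLEN characters, but `char ctx[NFT_SECMARK_CTX_MAXLEN]` filled by nla_strlcpy() holds at most 255 characters plus the terminator, so a 256-character context is silently truncated and `priv->len` then reflects the truncated string; either reject attributes longer than NFT_SECMARK_CTX_MAXLEN - 1 in init or hold the string via nla_strdup() and free it in nft_secmark_obj_destroy().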