From patchwork Wed Oct 31 12:27:17 2018
X-Patchwork-Submitter: Ondrej Mosnacek
X-Patchwork-Id: 10662589
From: Ondrej Mosnacek
To: selinux@vger.kernel.org, Paul Moore
Date: Wed, 31 Oct 2018 13:27:17 +0100
Message-Id: <20181031122718.18735-2-omosnace@redhat.com>
In-Reply-To: <20181031122718.18735-1-omosnace@redhat.com>
References: <20181031122718.18735-1-omosnace@redhat.com>
Subject: [PATCH 1/2] selinux: use separate table for initial SID lookup
Cc: Stephen Smalley, selinux@tycho.nsa.gov

This patch separates the lookup of the initial SIDs into a separate lookup table (implemented simply by a fixed-size array), in order to pave the way for improving the process of converting the sidtab to a new policy during a policy reload.

The initial SIDs are loaded directly and are skipped during sidtab conversion, so handling them separately makes things somewhat simpler. Since there is only a small fixed number of them, they can be stored in a simple lookup table.

This patch also moves the fallback-to-unlabeled logic from sidtab.c to the new helper functions in services.c that now handle the unified lookup in both sidtab and isidtab, simplifying the sidtab interface.

Signed-off-by: Ondrej Mosnacek
---
 security/selinux/include/security.h |   3 +
 security/selinux/ss/mls.c           |   6 +-
 security/selinux/ss/mls.h           |   2 +-
 security/selinux/ss/policydb.c      |  24 ++-
 security/selinux/ss/policydb.h      |  26 ++-
 security/selinux/ss/services.c      | 238 +++++++++++++++-------------
 security/selinux/ss/services.h      |   1 +
 security/selinux/ss/sidtab.c        |  29 +---
 security/selinux/ss/sidtab.h        |   3 +-
 9 files changed, 187 insertions(+), 145 deletions(-)

diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 23e762d529fa..a1b4b13c2300 100644 --- a/security/selinux/include/security.h 
+++ b/security/selinux/include/security.h @@ -221,6 +221,9 @@ struct extended_perms { /* definitions of av_decision.flags */ #define AVD_FLAGS_PERMISSIVE 0x0001 +struct context *security_sid_to_context_struct(struct selinux_state *state, + u32 sid, int force); + void security_compute_av(struct selinux_state *state, u32 ssid, u32 tsid, u16 tclass, struct av_decision *avd, diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c index 2fe459df3c85..cd637ee3fb11 100644 --- a/security/selinux/ss/mls.c +++ b/security/selinux/ss/mls.c @@ -235,7 +235,7 @@ int mls_context_to_sid(struct policydb *pol, char oldc, char *scontext, struct context *context, - struct sidtab *s, + struct selinux_state *state, u32 def_sid) { char *sensitivity, *cur_cat, *next_cat, *rngptr; @@ -257,10 +257,10 @@ int mls_context_to_sid(struct policydb *pol, if (!oldc) { struct context *defcon; - if (def_sid == SECSID_NULL) + if (def_sid == SECSID_NULL || state == NULL) return -EINVAL; - defcon = sidtab_search(s, def_sid); + defcon = security_sid_to_context_struct(state, def_sid, 0); if (!defcon) return -EINVAL; diff --git a/security/selinux/ss/mls.h b/security/selinux/ss/mls.h index 67093647576d..1eca02c8bc5f 100644 --- a/security/selinux/ss/mls.h +++ b/security/selinux/ss/mls.h @@ -36,7 +36,7 @@ int mls_context_to_sid(struct policydb *p, char oldc, char *scontext, struct context *context, - struct sidtab *s, + struct selinux_state *state, u32 def_sid); int mls_from_string(struct policydb *p, char *str, struct context *context, diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index f4eadd3f7350..8f7cd5f6e033 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c 
@@ -892,16 +892,12 @@ void policydb_destroy(struct policydb *p) * Load the initial SIDs specified in a policy database * structure into a SID table. */ -int policydb_load_isids(struct policydb *p, struct sidtab *s) +int policydb_load_isids(struct policydb *p, struct isidtab *s) { struct ocontext *head, *c; int rc; - rc = sidtab_init(s); - if (rc) { - pr_err("SELinux: out of memory on SID table init\n"); - goto out; - } + isidtab_init(s); head = p->ocontexts[OCON_ISID]; for (c = head; c; c = c->next) { @@ -911,16 +907,30 @@ int policydb_load_isids(struct policydb *p, struct sidtab *s) c->u.name); goto out; } + if (c->sid[0] > SECINITSID_NUM) { + pr_err("SELinux: Initial SID %u out of range.\n", + (unsigned)c->sid[0]); + goto out; + } + if (s->entries[c->sid[0]].set) { + pr_err("SELinux: Duplicit initial SID %u.\n", + (unsigned)c->sid[0]); + goto out; + } - rc = sidtab_insert(s, c->sid[0], &c->context[0]); + rc = context_cpy(&s->entries[c->sid[0]].context, &c->context[0]); if (rc) { pr_err("SELinux: unable to load initial SID %s.\n", c->u.name); goto out; } + + s->entries[c->sid[0]].set = 1; } rc = 0; out: + if (rc != 0) + isidtab_destroy(s); return rc; } diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h index 215f8f30ac5a..0e246bc45c72 100644 --- a/security/selinux/ss/policydb.h +++ b/security/selinux/ss/policydb.h 
@@ -312,8 +312,32 @@ struct policydb { u32 process_trans_perms; }; +struct isidtab_entry { + int set; + struct context context; +}; + +struct isidtab { + struct isidtab_entry entries[SECINITSID_NUM + 1]; +}; + +static inline void isidtab_init(struct isidtab *t) +{ + u32 i; + for (i = 0; i <= SECINITSID_NUM; i++) + t->entries[i].set = 0; +} + +static inline void isidtab_destroy(struct isidtab *t) +{ + u32 i; + for (i = 0; i <= SECINITSID_NUM; i++) + if (t->entries[i].set) + context_destroy(&t->entries[i].context); +} + extern void policydb_destroy(struct policydb *p); -extern int policydb_load_isids(struct policydb *p, struct sidtab *s); +extern int policydb_load_isids(struct policydb *p, struct isidtab *s); extern int policydb_context_isvalid(struct policydb *p, struct context *c); extern int policydb_class_isvalid(struct policydb *p, unsigned int class); extern int policydb_type_isvalid(struct policydb *p, unsigned int type); diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 12e414394530..550a00004139 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c 
@@ -89,6 +89,42 @@ void selinux_ss_init(struct selinux_ss **ss) *ss = &selinux_ss; } +struct context *security_sid_to_context_struct(struct selinux_state *state, + u32 sid, int force) +{ + struct isidtab *isidtab = state->ss->isidtab; + struct sidtab *sidtab = &state->ss->sidtab; + + if (sid <= SECINITSID_NUM) { + if (isidtab->entries[sid].set) + return &isidtab->entries[sid].context; + } else { + struct context *context = sidtab_lookup(sidtab, sid); + if (context && (!context->len || force)) + return context; + } + if (isidtab->entries[SECINITSID_UNLABELED].set) + return &isidtab->entries[SECINITSID_UNLABELED].context; + return NULL; +} + +static int security_context_struct_to_sid(struct selinux_state *state, + struct context *context, u32 *sid) +{ + struct isidtab *isidtab = state->ss->isidtab; + struct sidtab *sidtab = &state->ss->sidtab; + u32 i; + + for (i = 0; i <= SECINITSID_NUM; i++) + if (isidtab->entries[i].set && + context_cmp(context, &isidtab->entries[i].context)) { + *sid = i; + return 0; + } + + return sidtab_context_to_sid(sidtab, context, sid); +} + /* Forward declaration. */ static int context_struct_to_string(struct policydb *policydb, struct context *context, @@ -760,7 +796,6 @@ static int security_compute_validatetrans(struct selinux_state *state, u16 orig_tclass, bool user) { struct policydb *policydb; - struct sidtab *sidtab; struct context *ocontext; struct context *ncontext; struct context *tcontext; @@ -776,7 +811,6 @@ static int security_compute_validatetrans(struct selinux_state *state, read_lock(&state->ss->policy_rwlock); policydb = &state->ss->policydb; - sidtab = &state->ss->sidtab; if (!user) tclass = unmap_class(&state->ss->map, orig_tclass); 
@@ -789,7 +823,7 @@ static int security_compute_validatetrans(struct selinux_state *state, } tclass_datum = policydb->class_val_to_struct[tclass - 1]; - ocontext = sidtab_search(sidtab, oldsid); + ocontext = security_sid_to_context_struct(state, oldsid, 0); if (!ocontext) { pr_err("SELinux: %s: unrecognized SID %d\n", __func__, oldsid); @@ -797,7 +831,7 @@ static int security_compute_validatetrans(struct selinux_state *state, goto out; } - ncontext = sidtab_search(sidtab, newsid); + ncontext = security_sid_to_context_struct(state, newsid, 0); if (!ncontext) { pr_err("SELinux: %s: unrecognized SID %d\n", __func__, newsid); @@ -805,7 +839,7 @@ static int security_compute_validatetrans(struct selinux_state *state, goto out; } - tcontext = sidtab_search(sidtab, tasksid); + tcontext = security_sid_to_context_struct(state, tasksid, 0); if (!tcontext) { pr_err("SELinux: %s: unrecognized SID %d\n", __func__, tasksid); @@ -864,7 +898,6 @@ int security_bounded_transition(struct selinux_state *state, u32 old_sid, u32 new_sid) { struct policydb *policydb; - struct sidtab *sidtab; struct context *old_context, *new_context; struct type_datum *type; int index; @@ -876,10 +909,9 @@ int security_bounded_transition(struct selinux_state *state, read_lock(&state->ss->policy_rwlock); policydb = &state->ss->policydb; - sidtab = &state->ss->sidtab; rc = -EINVAL; - old_context = sidtab_search(sidtab, old_sid); + old_context = security_sid_to_context_struct(state, old_sid, 0); if (!old_context) { pr_err("SELinux: %s: unrecognized SID %u\n", __func__, old_sid); @@ -887,7 +919,7 @@ int security_bounded_transition(struct selinux_state *state, } rc = -EINVAL; - new_context = sidtab_search(sidtab, new_sid); + new_context = security_sid_to_context_struct(state, new_sid, 0); if (!new_context) { pr_err("SELinux: %s: unrecognized SID %u\n", __func__, new_sid); 
@@ -1014,7 +1046,6 @@ void security_compute_xperms_decision(struct selinux_state *state, struct extended_perms_decision *xpermd) { struct policydb *policydb; - struct sidtab *sidtab; u16 tclass; struct context *scontext, *tcontext; struct avtab_key avkey; @@ -1034,16 +1065,15 @@ void security_compute_xperms_decision(struct selinux_state *state, goto allow; policydb = &state->ss->policydb; - sidtab = &state->ss->sidtab; - scontext = sidtab_search(sidtab, ssid); + scontext = security_sid_to_context_struct(state, ssid, 0); if (!scontext) { pr_err("SELinux: %s: unrecognized SID %d\n", __func__, ssid); goto out; } - tcontext = sidtab_search(sidtab, tsid); + tcontext = security_sid_to_context_struct(state, tsid, 0); if (!tcontext) { pr_err("SELinux: %s: unrecognized SID %d\n", __func__, tsid); @@ -1112,7 +1142,6 @@ void security_compute_av(struct selinux_state *state, struct extended_perms *xperms) { struct policydb *policydb; - struct sidtab *sidtab; u16 tclass; struct context *scontext = NULL, *tcontext = NULL; @@ -1123,9 +1152,8 @@ void security_compute_av(struct selinux_state *state, goto allow; policydb = &state->ss->policydb; - sidtab = &state->ss->sidtab; - scontext = sidtab_search(sidtab, ssid); + scontext = security_sid_to_context_struct(state, ssid, 0); if (!scontext) { pr_err("SELinux: %s: unrecognized SID %d\n", __func__, ssid); @@ -1136,7 +1164,7 @@ void security_compute_av(struct selinux_state *state, if (ebitmap_get_bit(&policydb->permissive_map, scontext->type)) avd->flags |= AVD_FLAGS_PERMISSIVE; - tcontext = sidtab_search(sidtab, tsid); + tcontext = security_sid_to_context_struct(state, tsid, 0); if (!tcontext) { pr_err("SELinux: %s: unrecognized SID %d\n", __func__, tsid); @@ -1168,7 +1196,6 @@ void security_compute_av_user(struct selinux_state *state, struct av_decision *avd) { struct policydb *policydb; - struct sidtab *sidtab; struct context *scontext = NULL, *tcontext = NULL; read_lock(&state->ss->policy_rwlock); 
@@ -1177,9 +1204,8 @@ void security_compute_av_user(struct selinux_state *state, goto allow; policydb = &state->ss->policydb; - sidtab = &state->ss->sidtab; - scontext = sidtab_search(sidtab, ssid); + scontext = security_sid_to_context_struct(state, ssid, 0); if (!scontext) { pr_err("SELinux: %s: unrecognized SID %d\n", __func__, ssid); @@ -1190,7 +1216,7 @@ void security_compute_av_user(struct selinux_state *state, if (ebitmap_get_bit(&policydb->permissive_map, scontext->type)) avd->flags |= AVD_FLAGS_PERMISSIVE; - tcontext = sidtab_search(sidtab, tsid); + tcontext = security_sid_to_context_struct(state, tsid, 0); if (!tcontext) { pr_err("SELinux: %s: unrecognized SID %d\n", __func__, tsid); @@ -1284,7 +1310,6 @@ static int security_sid_to_context_core(struct selinux_state *state, u32 *scontext_len, int force) { struct policydb *policydb; - struct sidtab *sidtab; struct context *context; int rc = 0; @@ -1315,11 +1340,7 @@ static int security_sid_to_context_core(struct selinux_state *state, } read_lock(&state->ss->policy_rwlock); policydb = &state->ss->policydb; - sidtab = &state->ss->sidtab; - if (force) - context = sidtab_search_force(sidtab, sid); - else - context = sidtab_search(sidtab, sid); + context = security_sid_to_context_struct(state, sid, force); if (!context) { pr_err("SELinux: %s: unrecognized SID %d\n", __func__, sid); @@ -1363,7 +1384,7 @@ int security_sid_to_context_force(struct selinux_state *state, u32 sid, * Caveat: Mutates scontext. */ static int string_to_context_struct(struct policydb *pol, - struct sidtab *sidtabp, + struct selinux_state *state, char *scontext, struct context *ctx, u32 def_sid) @@ -1425,7 +1446,7 @@ static int string_to_context_struct(struct policydb *pol, ctx->type = typdatum->value; - rc = mls_context_to_sid(pol, oldc, p, ctx, sidtabp, def_sid); + rc = mls_context_to_sid(pol, oldc, p, ctx, state, def_sid); if (rc) goto out; 
@@ -1446,7 +1467,6 @@ static int security_context_to_sid_core(struct selinux_state *state, int force) { struct policydb *policydb; - struct sidtab *sidtab; char *scontext2, *str = NULL; struct context context; int rc = 0; @@ -1483,16 +1503,17 @@ static int security_context_to_sid_core(struct selinux_state *state, } read_lock(&state->ss->policy_rwlock); policydb = &state->ss->policydb; - sidtab = &state->ss->sidtab; - rc = string_to_context_struct(policydb, sidtab, scontext2, + + rc = string_to_context_struct(policydb, state, scontext2, &context, def_sid); + if (rc == -EINVAL && force) { context.str = str; context.len = strlen(str) + 1; str = NULL; } else if (rc) goto out_unlock; - rc = sidtab_context_to_sid(sidtab, &context, sid); + rc = security_context_struct_to_sid(state, &context, sid); context_destroy(&context); out_unlock: read_unlock(&state->ss->policy_rwlock); @@ -1631,7 +1652,6 @@ static int security_compute_sid(struct selinux_state *state, bool kern) { struct policydb *policydb; - struct sidtab *sidtab; struct class_datum *cladatum = NULL; struct context *scontext = NULL, *tcontext = NULL, newcontext; struct role_trans *roletr = NULL; @@ -1668,16 +1688,15 @@ static int security_compute_sid(struct selinux_state *state, } policydb = &state->ss->policydb; - sidtab = &state->ss->sidtab; - scontext = sidtab_search(sidtab, ssid); + scontext = security_sid_to_context_struct(state, ssid, 0); if (!scontext) { pr_err("SELinux: %s: unrecognized SID %d\n", __func__, ssid); rc = -EINVAL; goto out_unlock; } - tcontext = sidtab_search(sidtab, tsid); + tcontext = security_sid_to_context_struct(state, tsid, 0); if (!tcontext) { pr_err("SELinux: %s: unrecognized SID %d\n", __func__, tsid); 
@@ -1793,7 +1812,7 @@ static int security_compute_sid(struct selinux_state *state, goto out_unlock; } /* Obtain the sid for the context. */ - rc = sidtab_context_to_sid(sidtab, &newcontext, out_sid); + rc = security_context_struct_to_sid(state, &newcontext, out_sid); out_unlock: read_unlock(&state->ss->policy_rwlock); context_destroy(&newcontext); @@ -1881,16 +1900,9 @@ int security_change_sid(struct selinux_state *state, } /* Clone the SID into the new SID table. */ -static int clone_sid(u32 sid, - struct context *context, - void *arg) +static int clone_sid(u32 sid, struct context *context, void *arg) { - struct sidtab *s = arg; - - if (sid > SECINITSID_NUM) - return sidtab_insert(s, sid, context); - else - return 0; + return sidtab_insert((struct sidtab *)arg, sid, context); } static inline int convert_context_handle_invalid_context( @@ -1925,9 +1937,7 @@ struct convert_context_args { * in the policy `p->newp'. Verify that the * context is valid under the new policy. */ -static int convert_context(u32 key, - struct context *c, - void *p) +static int convert_context(u32 key, struct context *c, void *p) { struct convert_context_args *args; struct context oldc; @@ -1938,10 +1948,7 @@ static int convert_context(u32 key, struct user_datum *usrdatum; char *s; u32 len; - int rc = 0; - - if (key <= SECINITSID_NUM) - goto out; + int rc; args = p; @@ -2104,6 +2111,7 @@ int security_load_policy(struct selinux_state *state, void *data, size_t len) { struct policydb *policydb; struct sidtab *sidtab; + struct isidtab *newisidtab = NULL; struct policydb *oldpolicydb, *newpolicydb; struct sidtab oldsidtab, newsidtab; struct selinux_mapping *oldmapping; @@ -2120,6 +2128,12 @@ int security_load_policy(struct selinux_state *state, void *data, size_t len) } newpolicydb = oldpolicydb + 1; + newisidtab = kmalloc(sizeof(*newisidtab), GFP_KERNEL); + if (!newisidtab) { + rc = -ENOMEM; + goto out; + } + policydb = &state->ss->policydb; sidtab = &state->ss->sidtab; 
@@ -2128,20 +2142,31 @@ int security_load_policy(struct selinux_state *state, void *data, size_t len) if (rc) goto out; + rc = sidtab_init(sidtab); + if (rc) { + policydb_destroy(policydb); + goto out; + } + policydb->len = len; rc = selinux_set_mapping(policydb, secclass_map, &state->ss->map); if (rc) { + sidtab_destroy(sidtab); policydb_destroy(policydb); goto out; } - rc = policydb_load_isids(policydb, sidtab); + rc = policydb_load_isids(policydb, newisidtab); if (rc) { + sidtab_destroy(sidtab); policydb_destroy(policydb); goto out; } + state->ss->isidtab = newisidtab; + newisidtab = NULL; /* do not free new isidtab */ + security_load_policycaps(state); state->initialized = 1; seqno = ++state->ss->latest_granting; @@ -2162,6 +2187,12 @@ int security_load_policy(struct selinux_state *state, void *data, size_t len) if (rc) goto out; + rc = sidtab_init(&newsidtab); + if (rc) { + policydb_destroy(newpolicydb); + goto out; + } + newpolicydb->len = len; /* If switching between different policy types, log MLS status */ if (policydb->mls_enabled && !newpolicydb->mls_enabled) @@ -2169,9 +2200,10 @@ int security_load_policy(struct selinux_state *state, void *data, size_t len) else if (!policydb->mls_enabled && newpolicydb->mls_enabled) pr_info("SELinux: Enabling MLS support...\n"); - rc = policydb_load_isids(newpolicydb, &newsidtab); + rc = policydb_load_isids(newpolicydb, newisidtab); if (rc) { pr_err("SELinux: unable to load the initial SIDs\n"); + sidtab_destroy(&newsidtab); policydb_destroy(newpolicydb); goto out; } 
@@ -2214,13 +2246,21 @@ int security_load_policy(struct selinux_state *state, void *data, size_t len) /* Install the new policydb and SID table. */ write_lock_irq(&state->ss->policy_rwlock); + memcpy(policydb, newpolicydb, sizeof(*policydb)); sidtab_set(sidtab, &newsidtab); + + isidtab_destroy(state->ss->isidtab); + kfree(state->ss->isidtab); + state->ss->isidtab = newisidtab; + newisidtab = NULL; + security_load_policycaps(state); oldmapping = state->ss->map.mapping; state->ss->map.mapping = newmap.mapping; state->ss->map.size = newmap.size; seqno = ++state->ss->latest_granting; + write_unlock_irq(&state->ss->policy_rwlock); /* Free the old policydb and SID table. */ @@ -2241,8 +2281,10 @@ err: kfree(newmap.mapping); sidtab_destroy(&newsidtab); policydb_destroy(newpolicydb); + isidtab_destroy(newisidtab); out: + kfree(newisidtab); kfree(oldpolicydb); return rc; } @@ -2269,14 +2311,12 @@ int security_port_sid(struct selinux_state *state, u8 protocol, u16 port, u32 *out_sid) { struct policydb *policydb; - struct sidtab *sidtab; struct ocontext *c; int rc = 0; read_lock(&state->ss->policy_rwlock); policydb = &state->ss->policydb; - sidtab = &state->ss->sidtab; c = policydb->ocontexts[OCON_PORT]; while (c) { @@ -2289,9 +2329,9 @@ int security_port_sid(struct selinux_state *state, if (c) { if (!c->sid[0]) { - rc = sidtab_context_to_sid(sidtab, - &c->context[0], - &c->sid[0]); + rc = security_context_struct_to_sid(state, + &c->context[0], + &c->sid[0]); if (rc) goto out; } @@ -2315,14 +2355,12 @@ int security_ib_pkey_sid(struct selinux_state *state, u64 subnet_prefix, u16 pkey_num, u32 *out_sid) { struct policydb *policydb; - struct sidtab *sidtab; struct ocontext *c; int rc = 0; read_lock(&state->ss->policy_rwlock); policydb = &state->ss->policydb; - sidtab = &state->ss->sidtab; c = policydb->ocontexts[OCON_IBPKEY]; while (c) { 
@@ -2336,9 +2374,9 @@ int security_ib_pkey_sid(struct selinux_state *state, if (c) { if (!c->sid[0]) { - rc = sidtab_context_to_sid(sidtab, - &c->context[0], - &c->sid[0]); + rc = security_context_struct_to_sid(state, + &c->context[0], + &c->sid[0]); if (rc) goto out; } @@ -2361,14 +2399,12 @@ int security_ib_endport_sid(struct selinux_state *state, const char *dev_name, u8 port_num, u32 *out_sid) { struct policydb *policydb; - struct sidtab *sidtab; struct ocontext *c; int rc = 0; read_lock(&state->ss->policy_rwlock); policydb = &state->ss->policydb; - sidtab = &state->ss->sidtab; c = policydb->ocontexts[OCON_IBENDPORT]; while (c) { @@ -2383,9 +2419,9 @@ int security_ib_endport_sid(struct selinux_state *state, if (c) { if (!c->sid[0]) { - rc = sidtab_context_to_sid(sidtab, - &c->context[0], - &c->sid[0]); + rc = security_context_struct_to_sid(state, + &c->context[0], + &c->sid[0]); if (rc) goto out; } @@ -2407,14 +2443,12 @@ int security_netif_sid(struct selinux_state *state, char *name, u32 *if_sid) { struct policydb *policydb; - struct sidtab *sidtab; int rc = 0; struct ocontext *c; read_lock(&state->ss->policy_rwlock); policydb = &state->ss->policydb; - sidtab = &state->ss->sidtab; c = policydb->ocontexts[OCON_NETIF]; while (c) { @@ -2425,14 +2459,14 @@ int security_netif_sid(struct selinux_state *state, if (c) { if (!c->sid[0] || !c->sid[1]) { - rc = sidtab_context_to_sid(sidtab, - &c->context[0], - &c->sid[0]); + rc = security_context_struct_to_sid(state, + &c->context[0], + &c->sid[0]); if (rc) goto out; - rc = sidtab_context_to_sid(sidtab, - &c->context[1], - &c->sid[1]); + rc = security_context_struct_to_sid(state, + &c->context[1], + &c->sid[1]); if (rc) goto out; } 
@@ -2472,14 +2506,12 @@ int security_node_sid(struct selinux_state *state, u32 *out_sid) { struct policydb *policydb; - struct sidtab *sidtab; int rc; struct ocontext *c; read_lock(&state->ss->policy_rwlock); policydb = &state->ss->policydb; - sidtab = &state->ss->sidtab; switch (domain) { case AF_INET: { @@ -2521,9 +2553,9 @@ int security_node_sid(struct selinux_state *state, if (c) { if (!c->sid[0]) { - rc = sidtab_context_to_sid(sidtab, - &c->context[0], - &c->sid[0]); + rc = security_context_struct_to_sid(state, + &c->context[0], + &c->sid[0]); if (rc) goto out; } @@ -2561,7 +2593,6 @@ int security_get_user_sids(struct selinux_state *state, u32 *nel) { struct policydb *policydb; - struct sidtab *sidtab; struct context *fromcon, usercon; u32 *mysids = NULL, *mysids2, sid; u32 mynel = 0, maxnel = SIDS_NEL; @@ -2579,12 +2610,11 @@ int security_get_user_sids(struct selinux_state *state, read_lock(&state->ss->policy_rwlock); policydb = &state->ss->policydb; - sidtab = &state->ss->sidtab; context_init(&usercon); rc = -EINVAL; - fromcon = sidtab_search(sidtab, fromsid); + fromcon = security_sid_to_context_struct(state, fromsid, 0); if (!fromcon) goto out_unlock; @@ -2610,7 +2640,7 @@ int security_get_user_sids(struct selinux_state *state, &usercon)) continue; - rc = sidtab_context_to_sid(sidtab, &usercon, &sid); + rc = security_context_struct_to_sid(state, &usercon, &sid); if (rc) goto out_unlock; if (mynel < maxnel) { @@ -2681,7 +2711,6 @@ static inline int __security_genfs_sid(struct selinux_state *state, u32 *sid) { struct policydb *policydb = &state->ss->policydb; - struct sidtab *sidtab = &state->ss->sidtab; int len; u16 sclass; struct genfs *genfs; @@ -2716,7 +2745,8 @@ static inline int __security_genfs_sid(struct selinux_state *state, goto out; if (!c->sid[0]) { - rc = sidtab_context_to_sid(sidtab, &c->context[0], &c->sid[0]); + rc = security_context_struct_to_sid(state, &c->context[0], + &c->sid[0]); if (rc) goto out; } 
@@ -2758,7 +2788,6 @@ int security_genfs_sid(struct selinux_state *state, int security_fs_use(struct selinux_state *state, struct super_block *sb) { struct policydb *policydb; - struct sidtab *sidtab; int rc = 0; struct ocontext *c; struct superblock_security_struct *sbsec = sb->s_security; @@ -2767,7 +2796,6 @@ int security_fs_use(struct selinux_state *state, struct super_block *sb) read_lock(&state->ss->policy_rwlock); policydb = &state->ss->policydb; - sidtab = &state->ss->sidtab; c = policydb->ocontexts[OCON_FSUSE]; while (c) { @@ -2779,8 +2807,9 @@ int security_fs_use(struct selinux_state *state, struct super_block *sb) if (c) { sbsec->behavior = c->v.behavior; if (!c->sid[0]) { - rc = sidtab_context_to_sid(sidtab, &c->context[0], - &c->sid[0]); + rc = security_context_struct_to_sid(state, + &c->context[0], + &c->sid[0]); if (rc) goto out; } @@ -2973,7 +3002,6 @@ int security_sid_mls_copy(struct selinux_state *state, u32 sid, u32 mls_sid, u32 *new_sid) { struct policydb *policydb = &state->ss->policydb; - struct sidtab *sidtab = &state->ss->sidtab; struct context *context1; struct context *context2; struct context newcon; @@ -2992,7 +3020,7 @@ int security_sid_mls_copy(struct selinux_state *state, read_lock(&state->ss->policy_rwlock); rc = -EINVAL; - context1 = sidtab_search(sidtab, sid); + context1 = security_sid_to_context_struct(state, sid, 0); if (!context1) { pr_err("SELinux: %s: unrecognized SID %d\n", __func__, sid); @@ -3000,7 +3028,7 @@ int security_sid_mls_copy(struct selinux_state *state, } rc = -EINVAL; - context2 = sidtab_search(sidtab, mls_sid); + context2 = security_sid_to_context_struct(state, mls_sid, 0); if (!context2) { pr_err("SELinux: %s: unrecognized SID %d\n", __func__, mls_sid); 
@@ -3030,7 +3058,7 @@ int security_sid_mls_copy(struct selinux_state *state, } } - rc = sidtab_context_to_sid(sidtab, &newcon, new_sid); + rc = security_context_struct_to_sid(state, &newcon, new_sid); out_unlock: read_unlock(&state->ss->policy_rwlock); context_destroy(&newcon); @@ -3064,7 +3092,6 @@ int security_net_peersid_resolve(struct selinux_state *state, u32 *peer_sid) { struct policydb *policydb = &state->ss->policydb; - struct sidtab *sidtab = &state->ss->sidtab; int rc; struct context *nlbl_ctx; struct context *xfrm_ctx; @@ -3097,14 +3124,14 @@ int security_net_peersid_resolve(struct selinux_state *state, read_lock(&state->ss->policy_rwlock); rc = -EINVAL; - nlbl_ctx = sidtab_search(sidtab, nlbl_sid); + nlbl_ctx = security_sid_to_context_struct(state, nlbl_sid, 0); if (!nlbl_ctx) { pr_err("SELinux: %s: unrecognized SID %d\n", __func__, nlbl_sid); goto out; } rc = -EINVAL; - xfrm_ctx = sidtab_search(sidtab, xfrm_sid); + xfrm_ctx = security_sid_to_context_struct(state, xfrm_sid, 0); if (!xfrm_ctx) { pr_err("SELinux: %s: unrecognized SID %d\n", __func__, xfrm_sid); @@ -3425,7 +3452,7 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, goto out; } - ctxt = sidtab_search(&state->ss->sidtab, sid); + ctxt = security_sid_to_context_struct(state, sid, 0); if (unlikely(!ctxt)) { WARN_ONCE(1, "selinux_audit_rule_match: unrecognized SID %d\n", sid); @@ -3588,7 +3615,6 @@ int security_netlbl_secattr_to_sid(struct selinux_state *state, u32 *sid) { struct policydb *policydb = &state->ss->policydb; - struct sidtab *sidtab = &state->ss->sidtab; int rc; struct context *ctx; struct context ctx_new; @@ -3606,7 +3632,7 @@ int security_netlbl_secattr_to_sid(struct selinux_state *state, *sid = secattr->attr.secid; else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) { rc = -EIDRM; - ctx = sidtab_search(sidtab, SECINITSID_NETMSG); + ctx = security_sid_to_context_struct(state, SECINITSID_NETMSG, 0); if (ctx == NULL) goto out; 
@@ -3624,7 +3650,7 @@ int security_netlbl_secattr_to_sid(struct selinux_state *state, if (!mls_context_isvalid(policydb, &ctx_new)) goto out_free; - rc = sidtab_context_to_sid(sidtab, &ctx_new, sid); + rc = security_context_struct_to_sid(state, &ctx_new, sid); if (rc) goto out_free; @@ -3666,7 +3692,7 @@ int security_netlbl_sid_to_secattr(struct selinux_state *state, read_lock(&state->ss->policy_rwlock); rc = -ENOENT; - ctx = sidtab_search(&state->ss->sidtab, sid); + ctx = security_sid_to_context_struct(state, sid, 0); if (ctx == NULL) goto out; diff --git a/security/selinux/ss/services.h b/security/selinux/ss/services.h index 24c7bdcc8075..18a2fb386120 100644 --- a/security/selinux/ss/services.h +++ b/security/selinux/ss/services.h @@ -25,6 +25,7 @@ struct selinux_map { struct selinux_ss { struct sidtab sidtab; + struct isidtab *isidtab; struct policydb policydb; rwlock_t policy_rwlock; u32 latest_granting; diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c index fd75a12fa8fc..98710657a596 100644 --- a/security/selinux/ss/sidtab.c +++ b/security/selinux/ss/sidtab.c @@ -25,7 +25,7 @@ int sidtab_init(struct sidtab *s) for (i = 0; i < SIDTAB_SIZE; i++) s->htable[i] = NULL; s->nel = 0; - s->next_sid = 1; + s->next_sid = SECINITSID_NUM + 1; s->shutdown = 0; spin_lock_init(&s->lock); return 0; @@ -76,7 +76,7 @@ int sidtab_insert(struct sidtab *s, u32 sid, struct context *context) return 0; } -static struct context *sidtab_search_core(struct sidtab *s, u32 sid, int force) +struct context *sidtab_lookup(struct sidtab *s, u32 sid) { int hvalue; struct sidtab_node *cur; 
@@ -89,33 +89,12 @@ static struct context *sidtab_search_core(struct sidtab *s, u32 sid, int force) while (cur && sid > cur->sid) cur = cur->next; - if (force && cur && sid == cur->sid && cur->context.len) - return &cur->context; - - if (!cur || sid != cur->sid || cur->context.len) { - /* Remap invalid SIDs to the unlabeled SID. */ - sid = SECINITSID_UNLABELED; - hvalue = SIDTAB_HASH(sid); - cur = s->htable[hvalue]; - while (cur && sid > cur->sid) - cur = cur->next; - if (!cur || sid != cur->sid) - return NULL; - } + if (!cur || sid != cur->sid) + return NULL; return &cur->context; } -struct context *sidtab_search(struct sidtab *s, u32 sid) -{ - return sidtab_search_core(s, sid, 0); -} - -struct context *sidtab_search_force(struct sidtab *s, u32 sid) -{ - return sidtab_search_core(s, sid, 1); -} - int sidtab_map(struct sidtab *s, int (*apply) (u32 sid, struct context *context, diff --git a/security/selinux/ss/sidtab.h b/security/selinux/ss/sidtab.h index a1a1d2617b6f..2eadd09a1100 100644 --- a/security/selinux/ss/sidtab.h +++ b/security/selinux/ss/sidtab.h @@ -34,8 +34,7 @@ struct sidtab { int sidtab_init(struct sidtab *s); int sidtab_insert(struct sidtab *s, u32 sid, struct context *context); -struct context *sidtab_search(struct sidtab *s, u32 sid); -struct context *sidtab_search_force(struct sidtab *s, u32 sid); +struct context *sidtab_lookup(struct sidtab *s, u32 sid); int sidtab_map(struct sidtab *s, int (*apply) (u32 sid,
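Review bot: the bare 0 passed as the third argument of security_sid_to_context_struct() in security_get_user_sids(), security_sid_mls_copy(), security_net_peersid_resolve(), selinux_audit_rule_match() and both netlabel helpers says nothing at the call site. It appears to stand in for the sidtab_search()/sidtab_search_force() split that this patch removes from sidtab.c, so a bool parameter with two named wrappers, or a named constant, would keep the "no force" intent as readable as the old function name made it.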
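Review bot: in security_node_sid(), __security_genfs_sid(), security_fs_use() and security_sid_mls_copy() the new security_context_struct_to_sid(state, ...) is called between read_lock(&state->ss->policy_rwlock) and the matching unlock, but nothing in these hunks records that as a requirement of the helper. Since the helper now takes the whole state rather than a sidtab pointer, please document on its definition that the caller must already hold policy_rwlock and that it must not take that lock itself.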
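Review bot: the new isidtab member of struct selinux_ss in services.h is a pointer while the sidtab beside it is embedded, and the hunk does not say who allocates and frees it or which lock covers it. Please add a comment stating whether it is protected by policy_rwlock and whether it can be NULL before the first policy load, because lookups now go through helpers that receive only state and the converted call sites have no way to check it themselves.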
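Review bot: the change of s->next_sid from 1 to SECINITSID_NUM + 1 in sidtab_init() needs a comment explaining that SIDs up to SECINITSID_NUM are reserved and where they are stored instead. The sidtab_insert() prototype shown in sidtab.h still accepts an arbitrary u32 sid, so nothing visible here stops a caller from inserting a SID in the reserved range; consider rejecting sid <= SECINITSID_NUM in sidtab_insert() or documenting that callers must never pass one.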
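Review bot: sidtab_lookup() in sidtab.c drops both the "Remap invalid SIDs to the unlabeled SID" fallback and the cur->context.len test, so it now returns NULL for an unknown SID and returns entries with context.len set, which sidtab_search() used to replace with the SECINITSID_UNLABELED context. Please confirm that security_sid_to_context_struct(state, sid, 0) reinstates the remap for both cases, since callers such as selinux_audit_rule_match() and security_netlbl_sid_to_secattr() relied on it, and add a comment above sidtab_lookup() saying it is a raw lookup with no remapping so that nobody calls it directly where the old sidtab_search() behaviour is expected.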