From patchwork Sat Sep 22 00:19:37 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 10612367 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E7B36913 for ; Mon, 24 Sep 2018 12:30:26 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D5DAF29EB1 for ; Mon, 24 Sep 2018 12:30:26 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id C87BE29EB9; Mon, 24 Sep 2018 12:30:26 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.3 required=2.0 tests=BAYES_00,DKIM_SIGNED, MAILING_LIST_MULTI,NO_RDNS_DOTCOM_HELO,RCVD_IN_DNSWL_MED,T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from ucol19pa13.eemsg.mail.mil (ucol19pa13.eemsg.mail.mil [214.24.24.86]) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA256 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 688F429EB1 for ; Mon, 24 Sep 2018 12:30:25 +0000 (UTC) X-EEMSG-check-008: 627428624|UCOL19PA13_EEMSG_MP11.csd.disa.mil X-IronPort-AV: E=Sophos;i="5.54,297,1534809600"; d="scan'208";a="627428624" Received: from emsm-gh1-uea10.ncsc.mil ([214.29.60.2]) by ucol19pa13.eemsg.mail.mil with ESMTP/TLS/DHE-RSA-AES256-SHA256; 24 Sep 2018 12:30:22 +0000 X-IronPort-AV: E=Sophos;i="5.54,297,1534809600"; d="scan'208";a="16142287" IronPort-PHdr: 9a23:Fg6FaR/KNPkt4P9uRHKM819IXTAuvvDOBiVQ1KB61OkUIJqq85mqBkHD//Il1AaPAd2Eraocw8Pt8InYEVQa5piAtH1QOLdtbDQizfssogo7HcSeAlf6JvO5JwYzHcBFSUM3tyrjaRsdF8nxfUDdrWOv5jAOBBr/KRB1JuPoEYLOksi7ze+/94HRbglSmDaxfa55IQmrownWqsQYm5ZpJLwryhvOrHtIeuBWyn1tKFmOgRvy5dq+8YB6/ShItP0v68BPUaPhf6QlVrNYFygpM3o05MLwqxbOSxaE62YGXWUXlhpIBBXF7A3/U5zsvCb2qvZx1S+HNsDtU7s6RSqt4LtqSB/wiScIKTg58H3MisdtiK5XuQ+tqwBjz4LRZoyaOuB+fqfAdt0EQ2RPUNtaWyhYDo+hc4cDCuwMMuFaoIbnp1sOqhy+CRC1CO7zxDJFh2L60bQm3+g8DArK2BIsE84LvHnSsd77NrodUfqtwafWwzXNb/BY1znz54fHcB8vvOmMULBtfcff1UYhGB3Kjk6LpIz5PT6YzPgBv3SV4uZ+U++klm4pqxt2ojiq3sohlJPGhpkLxVHE6C533Zo6Jd2iR05mb96kFIVftzuHPIZxXswtWXpotzg6y7Adop60YCgKx446xx7Rb/yIbZKI7gv/W+mLOzt3mHVleLemihu07EOuyfX8W9Gp3FtFoSdJiNnBum0X2xDN5cWLVOFx8lq51TuO1Q3f8PxILEEwmKbBKpMswqQ8moQNvUnMGCL9hV/4g7WMdko+/+il8+HnYrL7qZCCL4J0kQT+Mrg2msy4HOQ4LhACX2iF9uS4073u5VH5T69Qjv03j6nZq4rWJdgbp6GlAw9V1Zwv6xCjADe9zNsUh3wHLFNBeB6fjojpPU/BIOzgAPuijFmhny1nyvDbMrH7HJnAIWbPnK38cbpl7k5T0gszzdRR55JODbEBJer+WlTvu9zcDx85NRG0wun+BNpm0YMeRGSPDbOHP6PJqlKI+uIuLPWMZI8Sojr9LeMl6OT0gX82nl8dY7Gl3YELZ3CgAvRmP0KZbGLugtcGF2cFpBY+TOzwh12ESjNTZXGyX6Q55j4hE4KmEZnMRpq2gLCb2ye7BJJWbHhcCl+QCXfoa5mEW/AUZSKQIM9uiCALVbu6S48m0xGutRH6xqFpLurQ5y0Zuons1MVz5+3PiBE+7zt0D96S02uVVWF7gnsIRyMq3KB4uUF90kmM3rNmjPxeFNxT+/RJXxw7NZHC0eN1Fcr+WgXbfteGUFymWMmpASktTtItxN8De1tyG9KkjhDFwiWlHbsVl72QCZMu7K3cxX/xK9x6y3bc26krl0MmTddXNW26mq5/8BDeBoDIk0Wdkqala74c0TXD9Gid0GWOu1tYXxRoUaXfWnAfZFXZosjl5k/YSL+uE7snOBNbycGeMqtKdsHpjVJeSfftItTReWSxlHuxBRaT3b6MaZLqe2QE0CXGBkkEiBof/XGcNQgxHi2huX7RDCRyFVLzZEPh6ep+p2m4Tk8z0gGHdE5h2KC2+h4SmPyQUfQT3qgLuC05sTV7AE69387KC9qHvwduZrhTYck84FhZz2LUrBZyMYClL6x4gV4eaQt3tVv01xprEoVAjdQqrHQywQVuM62Y1E1OdyiE3ZHwPb3aMXLy8wyua6HI3FHezNeW9b0V5PQ+tVrjoBmjFlA+/HV/z9lVz3yc643QDAUPTJ38SUk39x11pr3AZCky+Z/U32V2Maaoqj/Cx84pBOw9xxa7cddfKqSEFBTuE8ABHMiuLusqmlasbh0eOuBe7qg0MN26d/Gewq6kIP5gnC66jWRA+I183FiD9y5gSuHWxZYF2OqV3hWZWDfml1ihr8X3lZpDZTEIEWq10TLkC5JJZq1uYYYLDn+jI8u2xtV6g57iRWVY+UW5CFwYws+pfgCeb1vn3Q1fzU4Xu2ComTOkzzxolDEktreQ3DDUzOT4bxcIJmlLRGx+glj2Ooi0k8oWXE62YAg1jBGl/1r1x7BHpKRjKGneWVlIfynqIGF+VauwrKCObNJP6JMvtyVXX/+xYVSbSr77uRQaySTjE3FZxDAheDGgoo/5kABiiGKBMHZzq2LUecVxxRfE+NzQXOVR0SQCRCl5jznXG1e9MsKy/dWMlpfDtOG+WH66VpFJdynk05+AvjOh5WJ2GR2/g+yzmtr/HAgg1i/7091qWjvSrBngZYnq2b+3Mfl6fkZ0H1/w8c16GptxkoEonpEfxWAahomJ/XoAiWrzMstU2aTlbHcWRj4E3djV4BPj2EJ9MnKF3YX5Vm+SwsF5fdm1fnsW2j4h78BNEKqU9KZLnTZxolWmtQLee/59nisDxvs083ManvoJtxQ3ziWGGLwSBk5YPTH2lxuU8d++oqJXZHygcbeuzkZ+m86uDK2aqAFGRHn5YosiHTN37shnLlLM1mD855r6eNnWcN0TtgeYkxHegOhJMJgxjOYFhTJ7OWLhun0o0/Y7ggZz3ZG+p4WIN2Rt/L65AxJBOD36fcUT9ivqjaZEkcacx5qvEYl5GjUXQJvoSuqlEDEStPTjKQmDCzg8qnCVGbrRAwCf9Ftmr3LIE5CuKX6bPn8Zwst+RBOFPkxQnBgUXCkmnp4+Dg2qytbucEFl5jAW4171sRVMxfx1OBn4SGfQvh+oai0zSJidMhVZ8h1C613SMcyE4eJ5BztY8YG5rAyRNmybYBxFDW8TWkOaGl/jJaOh5d/c8+ifHeqzNOHBbqmLqeBEUPeI352v2JN8/zmQLsWPImViD/oj10VYRn91HMDZmzQUSywLjCLBddWbqwmg9SFttcCw7vDrWAPp5YuSBLpfKslg+hCsgaeeLO6cnih4JixE1pMXwn/IzqIT3FkIiyFhbzOtC6gPtTbRTKLMna9aFwUUayJ8NMtP6aIxxRRCNtDAhdP0zLF4iOQ5C1BfVVzugsupf9AFI3mhNFPbA0aGLLaGJT3LwsHvZqO8TbxQjPlKuBCrvDabElPjPi6dmDXzUBCvK+5MhjmBPBNCoIG9bgptCW/7Qd34ch20KsV3jTwtwbAvnnPFL3QcMTlnc0NVqr2f9z9XjetlF2xG9HplIvGOmzyF4OnANpYWrfxrDzxyl+1E+ns6z6BY7CJDRPxuhCvdtNhuo0qlkumO0DZnVgRBqipTjoKRoUpiIbnZ9oVHWXvc5hIC836QBAoQqNt/FtLvu7tdxcPOlKLpNThC9NzU/dMGB8fKKMOLKnwhPgT1GDTMFgsKUSarNX3Dh0xaiPyd62earoY7qpfxg5oDUaVUVEYvFvMdBEVlB8INL4tqXjM+kL6bkM4J6WC4rBbPWMVQporHWe6KAfXzNDaZiqFJZx8PwbPiM4sTMIz620t5Z1l1moTKBlDcXddXoi1udgU0ullC8GBiTm0v3ELochit72EXFf61mB42lwR/bP8x+zfr5lc4OkDFpDAskEUrn9XqnyyReibrLKisRYFWFzb0t08pP5zmXwl1aAqynUp4NDvZXL9RkaVvdXpqiA7dvptPH+RQTatabx8M3fuXfekn0UxAqiW7wk9K/ffFCZpnlAstbZ6sr3JB1hl+Y940Ja3fPrFGwkJWhq2Qoi+izvoxzxMGJ0YR7GOSfzYFt1YMNrknOyWn4PRj6QmCmjtFf2gMUeAlr+lx+UM8IeuAyTvs07BeKkyrMeyQMb+ZsXDalcGUWlMwyl8Il05d8Ldtz8gjdVGZWFoyw7uPCRsJL9HCJhtPb8tS7nTTejyOserVy5JvI4q9DvzoTfOJtKsMmEKkGgcpEJgM7sQGGpmsy1nWI976IrAf1Rgj4x/mK0mCDPRMZB2EiiwHo92lwJ9xw4ZdOikXAX9hPiWv+rbXuggqjeKfU9c0eHgVQpAJOW4xWM2+ny5ZvmpPDCOr0u0H1AeC7yXwpiPKDDnzd9BjfuubZQtwCNGq/jUy67K2hkTN8pXZPG73LshiusXV5uMEuZmHD/JUTb9ys0fYmolYSHyqU3LBEdGvPZjwbpMgbdrqBXamSla/kS46T9/tPNaxKaiFmQ/pSZxIv4mb3TAjMM69GSsdGxprpuEM+rxzahMZb5o8ex7ouBw0N7ajLweAztWuX2GtJCNTT/ZF1+W6ZKJYzzYtbu+8x3stVZ87wPOx8UERQJEKiQzeyuu4Z4VEVyj8BGBdcR3VpSUlj2hhKvoywuAnzRPQtlkcNyqEdPZnaWxDu9E8C0ifIXBxCmo/XF+Tk5bM4hSr37AJ5CtdntBU0eJfvHj5pJ/fbyqmWLa3ppXNryogcd8mrrVrPoz5P8uGsonSnj/EQZnRsw2FUTK6GOFAlthWPi1YXOFCmXs5NswepYpB9U0xW98iJ7xIDakhvayqZSZhDSEJ1yMZUZ2P3CAaiOemx7TajguQcIglMBEcspVChcUSXjVrbSwAv6+sSZ/Wl3OaRWcWOgsT6xpD5B4YnI9qYu/l+JbITINLyzNOv/J7TzbEFphy+Fv/UWyZnV/4SPC9nOOzxgJS0Ojg0t8FVx5jEUJd3fpZllM0KLFrLKkdppbKsiSUdUzgoW3t1PCrJEJWyc3JbV33EJTKtWzgUi0G43IUQZVDyHbFFZQdiwB5crokpE1QIIC6fUbz/ycrx4p1ELWkV82n2lgooG0aSCetFtpOF/tpsEnLWDF/ZZCktonlMY1IQmBM4J2dt0tZkEJ1Pi6j15VTNsFN7SQQXDVUpTWdu8WyR9Nd1cBqCJ8DP8lwt237GKxaJJibu2c2taD3yn/F5zA8t0+3xCmpG6CmUe1W4nYTGhgtJ2SCsEkgFfUs8mbV8lDJrF904/1XBr+VjUV+uDx9BIxBBi5V1XC5KFR+VHxGvP9eKKTRbcNcX+UyagW1NBElE/4pwVCJ/Vpoknjjeyx9qBFW+ybDUAkoTSMVmKvimSUCqsG7Pj8XU5BIYi87byfCMAKbnTpYvAhEZkFvRpAZBspF+7AH0otV5MXCT12sJTsCXBx4OQIyyeBfmlJbsEWEZSDdChKldfTVvR1xc8eRtsmpI+nn8wpcloPoquY4974ER3G8nw2iX8zepZfmttKWrkuOaLv4M+qkbH/OUTjMjBSwhbM6AJnP5CXcLRRUJIJ7yXU+Z5jtE2nLPQ5JJ6gDPUpUSbh6aclaouBdf8JkeqcJ+ap2CxKCWBzuGJKgrONHLlbVSjTSNSOB/fKjoYjL97zSVfDgZtCQx3bAW693OJN65CL6G7fs1I9S4Ev22vFj9kNgU1fGKDyBrM78JgwX+Mmia1HisYMzETPRGpdwn2LnxltceMoPXy2q7JMYxYtc6Hb3T+J4zkfzv/NJ+rlh6Ik4+bZpxtmoJabcLvRaq0xnAgOOCgVs6JotHHB1R3pNbe8JNPfRYaMZgNjqq+DsEqwa6AaY++JHZtTaIEHBgNOwCimGSRxDngcOtyIVLheG2/6Cga90Rt6vpfLl1UI1/1i+MhkGwahs5YaF4KWHvvPYYgDKzbcaRqjlWN/8oq4ru0OI6v0ujKQOdXBtYw27DOgdUdYQyXzhzaAxwyMjCcHDH7P8+P5bTX05gzbglothEFURB/wbA6CE/ZlEnmc/gezWLMcacqdYmmaADRSkCKMNyWa36yuLJ2lomgnO3AvsQWyv7F/3oyh4QTHPz9v6iUpaSL23BUZUXyq0Nk51qyuPMxD0tNXruaQ04kY2MnbntN6Xl2uuJqlXH8vhK9yYOyU0o0gXjJIpTNy1xY8bAca9IMsW8HxmYfvR9WWrkzNGo6dAgIbe+d+a+vHWHXmmkq2bpK6AxDRGxXgivVAw8MqsNvfQ6N2WW/6ozXoeTz9juwvdWB64srrbr1EINkyM1EfEgpcKMstY3Xk/0UHm//MjTck29AhRGYfMffQCpSr8ODHs21aQf8o3VjWC0ztQBl/1HkV3GLMn2G7poczHmnHe+1wuRolteE3qnhN3D4AiJkIr9lcb2C0DERICaRqDFrGnGVzlLZcYVUgEcRmH3r+6eqcx3UFp3ryv5OvTbfFhCKsMN/ZdiBWOnFtaGp8Nr60eQax8dEVZ9KHKpwjuEY7nUOb6lXAoL/26Xtha8dwFt3sl+gu/RgSg5o1F77sAjJCIa7NLYZnLvMBn9Utn4iQPdiNVihhlkxy5SfwcpPzk4tXDspqn9OiuVKgpR+gM+Rk7HWJ+gIXsgFw5p9HYyftcQJXPiYvj6ABNP2KKuIHC3hlzLeoOLIyqc6hk93UDPCUePHUOPdyXa/Yg+SNtNivc50BaCMMWedwYJNbNmRxTikDxXbFT98nbGlyfC4podcAn9Wn3yDcz8ZQiVObs8jm2Ko7D71tVJfNMkD1slM7epOgS2ffdEzYY4X+FaxVu2SOCz56NC+rs/eWS1t7bSkkKHiksU4dSPDCC4xCoRvKplJX1VQOZ8sHzj4w6dEKRXny+gr8Is6dNEe5FjyX0wCJeFoTriP6PtNqs8mRXvEVdEIlv9R3FBLlfPpJjNBX2jsmrXEl8CTfhd8zPcxouufaWxv0S7OlkMEv+f4AbKAoey73m8XpVUhduSLnus1aeWeIeesBrSOvArn9P8oJgN64PM0SBpJzwsDhHtko6AAk3Z78stjZabFXBnBVJW6bov74Nkg8cUd9/uU9RFmO8IWY+5zvcVaRJl6mcE/0V/S+VTqwJSUloNTl+Qxyt0pV0Z7SphexHsn9Bni5lpfglySBpRBu9uS3qoKIAwiwg+LC+tDofvXxFT+OekzrHCFlZy/QKl6gcAW746VOgeHkDcJfy4L5/KMTi74Yh4HM/bg44ci0bW+SgFyHwj6SVAoyAsNJcmASBuMPQYr+vNSISLKgyyQr/R3hh1QjThA1o8GUOQjq87dIpJ56wOdg7ySqyGGjadVEM4qVTvMv3q1ELULh+VVQ05F5GmpyDRysQVInUFm0olAk4eCBBd55e7RIyCaYlmHCLs7NA8wVSZy3bRMDt2IDVkNyA/H4nV9ZxjjbUo6qfnJIx+Htsnt51qCmUtyJWP9f1G+ttBGXjntNExOj/Yei9mvwWQ4thjrK6WbkNNdf1vSOS+7FPEhuhx7IDDx+6PfUFy7PzTSioUyubVP6NfmzKmCw2ZAq6xx6oKBUVb8dDqVQwNKOWhJlckUvjVrN9QD6do3fQxWokN+IRfgZws4CiLUhCb+McfKC3Iu8tiKk9BVYXZHjOHgN9C/WxtF+wmc58IXo2pQ3GbPj27weuENKUFhBMRZbXqJFs+Pr/RW+bP3Jk5Bw3OE5q+qHEHlcsrOYadZvXn8CGw5xD2PMBP9JqNjcw8ooLk59nwZGdzcPPdBbW1Ju0LtbQ9LzQOOHS10QnfClhV7MdZQ7kr9EhMsURR6zYHbwfuw8VQ6c9Xsplfy319adpPEZ9aQLcermwqtflq/jNZZZOoXLSqFUqI22U7xkCzOGkCAJgY520inHaPp89XHRCosdrBx8gG5FATYdIhg6qE5OF0I28gcWw6kp887sDva36EPHb3dKR0IB4Xpwc7kuOanKZIahggU3mitOJi/PJRp+5XcbjcvsIVed6QWnJLLnLAtP7YgmHPtz1Z0lc/va53al+SByabWitROyDuTajLvxv6Bxl4oN9devXijcq6ueI9sH1YjRwrzyuvDayP5tW8VLOCPaWCxldUveU2H1uHaQKY4/57qIFOJopx93KsFo71yhLzMbQe/vplUTLwE8uMMODdhG70jslWYQMPBW0OFcthmmcsHnGHHBANZL4cptwi9GRV0317hEv32wgY3VOXG/hRNPXPGkfiKfcLBaS+ldtCNAO1/WyZVZ+rre7HOJhIZhUsf6htLwan9JkMWTETY5ROCSDSd0+JSJfW8PIolVgeRsYq/4wU4Yxa4KJJRYMOVyN2AvpxgvLzEPwesbp36/PKyEToRAlh6nd321qoA+08e2cntWlUL3da8TuW+XONSM+SjyAbS81F0eiog/6/qNc+vGfJ3wauBYRayOWTgQd/OZ+pNjXCSnYnugwGf9CiPObXnXoQTZj3OopBylNvFyRWfdLCwTMbnHgjWYd8AyvL/NB5zTkOpWJz6pSXKodBY5B X-IPAS-Result: A2AZBQDM16hb/wHyM5BaHAEBAQQBAQcEAQGDXAOBCFwojGiLSYFogR2BYZQKgV8qEwGFBIMWITgUAQMBAQEBAQECAWwcDII1JIJgAwMBAiQTBgEBDCAMAgMJAQFACAgDAS0UAREGAQcFBgIBAQEYBIMAgWoDFQOXEYocgWozgnUBAQWBBAEBdYIwA4JTCBeKYReCAIESJwyCKgeCAoJ3ARIBhXeIJhqGADFGjUoJggyOFx1ZiDuGGI57h2chZHFNIxU7gmyCGQwXg0aKHAFVT3sBAYl9gj0BAQ Received: from tarius.tycho.ncsc.mil ([144.51.242.1]) by EMSM-GH1-UEA10.NCSC.MIL with ESMTP; 24 Sep 2018 12:30:21 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus.infosec.tycho.ncsc.mil [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id w8OCUGu4028834; Mon, 24 Sep 2018 08:30:17 -0400 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id w8M0JlDc018302 for ; Fri, 21 Sep 2018 20:19:47 -0400 Received: from goalie.tycho.ncsc.mil (goalie.infosec.tycho.ncsc.mil [144.51.242.250]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id w8M0JlMk009921 for ; Fri, 21 Sep 2018 20:19:47 -0400 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A1AUAAD5iaVbly0YGNZbHQEBBQEHBQGBUYILgWcog3OIFV+LS4FogR2BYZN2gXqEdwJCgwQhNBgBAwEBAQEBAQIUAQEBAQEGGAZMhUUDAyMEGQEBOA8lAiYCAkUSBgEMBgIBAYMdgWoDFQOYHYocb3szgnUBAQWBBAEBdYI+A4JRCBd0iWUXggCBEicMgiqCCYYrgleIJhqFfjFGjUcJggyOFx1ZiDuGFI53h0yCDU0jFTuCbIIZDA4JEYM1ihwBVU+OVAEB X-IPAS-Result: A1AUAAD5iaVbly0YGNZbHQEBBQEHBQGBUYILgWcog3OIFV+LS4FogR2BYZN2gXqEdwJCgwQhNBgBAwEBAQEBAQIUAQEBAQEGGAZMhUUDAyMEGQEBOA8lAiYCAkUSBgEMBgIBAYMdgWoDFQOYHYocb3szgnUBAQWBBAEBdYI+A4JRCBd0iWUXggCBEicMgiqCCYYrgleIJhqFfjFGjUcJggyOFx1ZiDuGFI53h0yCDU0jFTuCbIIZDA4JEYM1ihwBVU+OVAEB X-IronPort-AV: E=Sophos;i="5.54,287,1534824000"; d="scan'208";a="375842" Received: from emsm-gh1-uea10.ncsc.mil ([214.29.60.34]) by goalie.tycho.ncsc.mil with ESMTP; 21 Sep 2018 20:19:46 -0400 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A0ATAACWiaVbly0YGNZbHQEBBQEHBQGBUYILgWcog3OIFV+LS4FogR2BYZN2gXqEdwJCgwQhNBgBAwEBAQEBAQIBEwEBAQEBBhgGTAyCNSSCYAMDIwQZAQE4DyUCJgICRRIGAQwGAgEBgx2BagMVA5ggihxvezOCdQEBBYEEAQF1gj4DglEIF3SJZReCAIESJwyCKoIJhiuCV4gmGoV+MUaNRwmCDI4XHVmIO4YUjneHTIINTSMVO4JsghkMDgkRgzWKHAFVT45UAQE X-IPAS-Result: A0ATAACWiaVbly0YGNZbHQEBBQEHBQGBUYILgWcog3OIFV+LS4FogR2BYZN2gXqEdwJCgwQhNBgBAwEBAQEBAQIBEwEBAQEBBhgGTAyCNSSCYAMDIwQZAQE4DyUCJgICRRIGAQwGAgEBgx2BagMVA5ggihxvezOCdQEBBYEEAQF1gj4DglEIF3SJZReCAIESJwyCKoIJhiuCV4gmGoV+MUaNRwmCDI4XHVmIO4YUjneHTIINTSMVO4JsghkMDgkRgzWKHAFVT45UAQE X-IronPort-AV: E=Sophos;i="5.54,287,1534809600"; d="scan'208";a="16120238" X-IronPort-Outbreak-Status: No, level 0, Unknown - Unknown Received: from ucol3cpa07.eemsg.mail.mil ([214.24.24.45]) by EMSM-GH1-UEA10.NCSC.MIL with ESMTP; 22 Sep 2018 00:19:46 +0000 X-EEMSG-check-005: 0 X-EEMSG-check-006: 000-001;989d2448-7b0e-41cc-a0a1-2166a10c6dd3 Authentication-Results: ucol19pa06.eemsg.mail.mil; spf=None smtp.pra=casey@schaufler-ca.com; spf=None smtp.mailfrom=casey@schaufler-ca.com; spf=None smtp.helo=postmaster@sonic306-10.consmr.mail.bf2.yahoo.com; dkim=pass (signature verified) header.i=@yahoo.com X-EEMSG-check-008: 455142665|UCOL19PA06_EEMSG_MP4.csd.disa.mil X-EEMSG-SBRS: 3.5 X-EEMSG-ORIG-IP: 74.6.132.49 X-EEMSG-check-002: true X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A0CfAAD5iaVbhzGEBkpbHQEBBQEHBQGBUoNxKINziHSNM4EdgWGTdoF6hHcCQoMEGQYGMRcBAwEBAQEBAQEBARMBAQEIDQkIGw4jDII1JIJgAwMjBBkBATgPJQImAgJFEgYBDAYCAQGDHYFqAxWYIIocb3szgnUBAQWBBAEBdYI+A4JRCBd0iXyCAIESJwyCKgeCAoYrgleIJhqFfjFGjUcJggyOFx1ZiDuGFI53h00BggtNIxU7gmyCGQwOCYNGihwBVR8wjlQBAQ X-IPAS-Result: A0CfAAD5iaVbhzGEBkpbHQEBBQEHBQGBUoNxKINziHSNM4EdgWGTdoF6hHcCQoMEGQYGMRcBAwEBAQEBAQEBARMBAQEIDQkIGw4jDII1JIJgAwMjBBkBATgPJQImAgJFEgYBDAYCAQGDHYFqAxWYIIocb3szgnUBAQWBBAEBdYI+A4JRCBd0iXyCAIESJwyCKgeCAoYrgleIJhqFfjFGjUcJggyOFx1ZiDuGFI53h00BggtNIxU7gmyCGQwOCYNGihwBVR8wjlQBAQ Received: from sonic306-10.consmr.mail.bf2.yahoo.com ([74.6.132.49]) by ucol19pa06.eemsg.mail.mil with ESMTP; 22 Sep 2018 00:19:44 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1537575584; bh=OWbjbkt+snNEhCUmrmjIci3hCL14wj7C75UEtPPSZ3U=; h=Subject:To:References:From:Date:In-Reply-To:From:Subject; b=FvOrbNY8/XEbuZcP/Cd5ZS0wZ5JN3NrTngkMftn+oMOJnapMQL6G3nrbzTPVLTYPl3wK12DLkxjviUxzIEHVU/1xY2DvVonSSQ3uVNywoWE2ExOqMOw6XfbaUIa3ushk0GTUTyUbx1lVhvgIePfez/CH50cRj7aC0XozFpuVEYv5IpKBur7anhSXcpA6vDSlJJIM68fD20cdMu00hZPawLvHs4zoX0NF541r33jl8mKj6jFt9hf2SN+hnDpHxUtsZyReL/jSDaMukIIywa/8Mv57BXXLfeBxpG0l+fDNKmCEy2JyyUbfuFBXj+tijPYSOzGFPbMlwNpClWON42mWMw== X-YMail-OSG: VyCpJWsVM1kP2ObNOWJumZBnBHyTwunzkRhk_v6EtD_xug60lTEHxVCPtSyu0.M yA1mmnE2s3laz7vgqpSyeGklHhhhi7yvVVSIji4E0sW70KMjgmCmv1iGV3NiBk9X7HPu8OQigL15 Z5b9457r_4x9ozusuY48onHn1KRO5dSbps0Jga8TAFTrVd4G5l5Q2huPQiPddrPzqy26mZD2.7Iq aMt74HFZrJ0kFXZT7r_TTo0iBdL4_hljVBJrLgY5.S0HPH04sHVhCiyrTXU1gQKGzekxfetUsrpu sxbmVS0cwbJSns4147XrBbIVs3WeRMhDg87STL_tJ64pd2LSkhayDSHb.h7PbOJSlfZ1KfYfLyQj KvOgPo9do5mbo8uVOZvTKLPfvqPQRaPzECCAaqoxrNaFVmTfNidM374uB0jIXWTiZUCDCW1eA4I. toeUUEAvpO8gmkGQhs4DwvoWA8dw_V8p34NBz2PuOR6RFmg_7nW8hcOJSQD2ACHm.kf1G90tKwrY h.nVCBRzd.0oTwOeYNmHy3M2GkMtVQhAqUd.PEB.kSJ6uGv5H72OAeNJH06ktW827e7DY2j8s2wp JTRgeQkyh7qmh2d833.TKHHMQarLMB9mcB8ietMEtTjBPh3eqb0_ph.v52M4OD7E0VbIhRms07Jr X2UYg6HOTiVxdBDch2XIGwdFwOXV2Kr6KPppz49e7jvDXOEmEDsukwBhtRDDsU2CBDXAuhUYBVAj Y5gAj2g1a6DxpOBv9a5vcP3qyGWBuaunUoCari7eaVm26aTDB1bcrxen7aToj2estyGzNBMOgXy0 DYTrkJOL.DZfmzb6kEblCohWscvZqoP9fThOoRwmHznL5P3VGw4vU6egwnsTgmq3zvZz2_HUoH68 thW3FSeCuBT3g_IG7ohBPYtCAuLypQnC..eyyuydzcgRelFWvZ.9HulOaKYN7avauX2eUVpO7cHp nyQcIjIEPkJpo5q52hACsmj2WgKhFIcbJddZT6v57xswm3VZgNfjA20PEAUrYQSioHwOI0Iu._Lr dgPeWvlO8mopBjdUn8rDgz6R_k7Vyg4b3oR5hQIB_Aw-- Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.bf2.yahoo.com with HTTP; Sat, 22 Sep 2018 00:19:44 +0000 Received: from c-67-169-65-224.hsd1.ca.comcast.net (EHLO [192.168.0.102]) ([67.169.65.224]) by smtp410.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 2da6bf2e7da10257b8d53ab831bafb85; Sat, 22 Sep 2018 00:19:42 +0000 (UTC) To: LSM , James Morris , SE Linux , LKLM , John Johansen , Kees Cook , Tetsuo Handa , Paul Moore , Stephen Smalley , "linux-fsdevel@vger.kernel.org" , Alexey Dobriyan , =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Salvatore Mesoraca References: X-EEMSG-check-009: 444-444 From: Casey Schaufler Message-ID: Date: Fri, 21 Sep 2018 17:19:37 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: Content-Language: en-US X-Mailman-Approved-At: Mon, 24 Sep 2018 08:26:06 -0400 Subject: [PATCH v4 15/19] LSM: Infrastructure management of the task security X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.21 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP Move management of the task_struct->security blob out of the individual security modules and into the security infrastructure. Instead of allocating the blobs from within the modules the modules tell the infrastructure how much space is required, and the space is allocated there. The only user of this blob is AppArmor. The AppArmor use is abstracted to avoid future conflict. Signed-off-by: Casey Schaufler Reviewed-by: Kees Cook --- include/linux/lsm_hooks.h | 2 ++ security/apparmor/include/task.h | 18 +++-------- security/apparmor/lsm.c | 15 ++------- security/security.c | 54 +++++++++++++++++++++++++++++++- 4 files changed, 62 insertions(+), 27 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 416b20c3795b..6057c603b979 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2031,6 +2031,7 @@ struct lsm_blob_sizes { int lbs_cred; int lbs_file; int lbs_inode; + int lbs_task; }; /* @@ -2098,6 +2099,7 @@ extern int lsm_inode_alloc(struct inode *inode); #ifdef CONFIG_SECURITY void lsm_early_cred(struct cred *cred); void lsm_early_inode(struct inode *inode); +void lsm_early_task(struct task_struct *task); #endif #endif /* ! __LINUX_LSM_HOOKS_H */ diff --git a/security/apparmor/include/task.h b/security/apparmor/include/task.h index 55edaa1d83f8..039c1e60887a 100644 --- a/security/apparmor/include/task.h +++ b/security/apparmor/include/task.h @@ -14,7 +14,10 @@ #ifndef __AA_TASK_H #define __AA_TASK_H -#define task_ctx(X) ((X)->security) +static inline struct aa_task_ctx *task_ctx(struct task_struct *task) +{ + return task->security; +} /* * struct aa_task_ctx - information for current task label change @@ -36,17 +39,6 @@ int aa_set_current_hat(struct aa_label *label, u64 token); int aa_restore_previous_label(u64 cookie); struct aa_label *aa_get_task_label(struct task_struct *task); -/** - * aa_alloc_task_ctx - allocate a new task_ctx - * @flags: gfp flags for allocation - * - * Returns: allocated buffer or NULL on failure - */ -static inline struct aa_task_ctx *aa_alloc_task_ctx(gfp_t flags) -{ - return kzalloc(sizeof(struct aa_task_ctx), flags); -} - /** * aa_free_task_ctx - free a task_ctx * @ctx: task_ctx to free (MAYBE NULL) @@ -57,8 +49,6 @@ static inline void aa_free_task_ctx(struct aa_task_ctx *ctx) aa_put_label(ctx->nnp); aa_put_label(ctx->previous); aa_put_label(ctx->onexec); - - kzfree(ctx); } } diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 15716b6ff860..c97dc3dbb515 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -91,19 +91,14 @@ static void apparmor_task_free(struct task_struct *task) { aa_free_task_ctx(task_ctx(task)); - task_ctx(task) = NULL; } static int apparmor_task_alloc(struct task_struct *task, unsigned long clone_flags) { - struct aa_task_ctx *new = aa_alloc_task_ctx(GFP_KERNEL); - - if (!new) - return -ENOMEM; + struct aa_task_ctx *new = task_ctx(task); aa_dup_task_ctx(new, task_ctx(current)); - task_ctx(task) = new; return 0; } @@ -1132,6 +1127,7 @@ static void apparmor_sock_graft(struct sock *sk, struct socket *parent) struct lsm_blob_sizes apparmor_blob_sizes = { .lbs_cred = sizeof(struct aa_task_ctx *), .lbs_file = sizeof(struct aa_file_ctx), + .lbs_task = sizeof(struct aa_task_ctx), }; static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { @@ -1457,15 +1453,10 @@ static int param_set_mode(const char *val, const struct kernel_param *kp) static int __init set_init_ctx(void) { struct cred *cred = (struct cred *)current->real_cred; - struct aa_task_ctx *ctx; - - ctx = aa_alloc_task_ctx(GFP_KERNEL); - if (!ctx) - return -ENOMEM; lsm_early_cred(cred); + lsm_early_task(current); set_cred_label(cred, aa_get_label(ns_unconfined(root_ns))); - task_ctx(current) = ctx; return 0; } diff --git a/security/security.c b/security/security.c index a8f00fdff4d8..7e11de7eec21 100644 --- a/security/security.c +++ b/security/security.c @@ -117,6 +117,7 @@ int __init security_init(void) pr_info("LSM: cred blob size = %d\n", blob_sizes.lbs_cred); pr_info("LSM: file blob size = %d\n", blob_sizes.lbs_file); pr_info("LSM: inode blob size = %d\n", blob_sizes.lbs_inode); + pr_info("LSM: task blob size = %d\n", blob_sizes.lbs_task); #endif return 0; @@ -301,6 +302,7 @@ void __init security_add_blobs(struct lsm_blob_sizes *needed) if (needed->lbs_inode && blob_sizes.lbs_inode == 0) blob_sizes.lbs_inode = sizeof(struct rcu_head); lsm_set_size(&needed->lbs_inode, &blob_sizes.lbs_inode); + lsm_set_size(&needed->lbs_task, &blob_sizes.lbs_task); } /** @@ -364,6 +366,46 @@ void lsm_early_inode(struct inode *inode) panic("%s: Early inode alloc failed.\n", __func__); } +/** + * lsm_task_alloc - allocate a composite task blob + * @task: the task that needs a blob + * + * Allocate the task blob for all the modules + * + * Returns 0, or -ENOMEM if memory can't be allocated. + */ +int lsm_task_alloc(struct task_struct *task) +{ + if (blob_sizes.lbs_task == 0) { + task->security = NULL; + return 0; + } + + task->security = kzalloc(blob_sizes.lbs_task, GFP_KERNEL); + if (task->security == NULL) + return -ENOMEM; + return 0; +} + +/** + * lsm_early_task - during initialization allocate a composite task blob + * @task: the task that needs a blob + * + * Allocate the task blob for all the modules if it's not already there + */ +void lsm_early_task(struct task_struct *task) +{ + int rc; + + if (task == NULL) + panic("%s: task cred.\n", __func__); + if (task->security != NULL) + return; + rc = lsm_task_alloc(task); + if (rc) + panic("%s: Early task alloc failed.\n", __func__); +} + /* * Hook list operation macros. * @@ -1196,12 +1238,22 @@ int security_file_open(struct file *file) int security_task_alloc(struct task_struct *task, unsigned long clone_flags) { - return call_int_hook(task_alloc, 0, task, clone_flags); + int rc = lsm_task_alloc(task); + + if (rc) + return rc; + rc = call_int_hook(task_alloc, 0, task, clone_flags); + if (unlikely(rc)) + security_task_free(task); + return rc; } void security_task_free(struct task_struct *task) { call_void_hook(task_free, task); + + kfree(task->security); + task->security = NULL; } int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)