From patchwork Thu Sep 20 00:20:38 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 10607587
To: LSM, James Morris, SE Linux, LKLM, John Johansen, Kees Cook, Tetsuo Handa, Paul Moore, Stephen Smalley, "linux-fsdevel@vger.kernel.org", Alexey Dobriyan, Mickaël Salaün, Salvatore Mesoraca
References: <748c61cb-b6fa-c36d-a7b3-2315ff6292af@schaufler-ca.com>
From: Casey Schaufler
Date: Wed, 19 Sep 2018 17:20:38 -0700
In-Reply-To: <748c61cb-b6fa-c36d-a7b3-2315ff6292af@schaufler-ca.com>
Subject: [PATCH v3 07/16] TOMOYO: Abstract use of cred security blob
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

TOMOYO: Abstract use of cred security blob

Don't use the cred->security pointer directly. Provide helper functions that provide the security blob pointer.

Signed-off-by: Casey Schaufler --- security/tomoyo/common.h | 21 ++++++++++++++++-- security/tomoyo/domain.c | 4 +++- security/tomoyo/securityfs_if.c | 15 +++++++++---- security/tomoyo/tomoyo.c | 39 +++++++++++++++++++++++++-------- 4 files changed, 63 insertions(+), 16 deletions(-) diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h index 539bcdd30bb8..c9d8c49e3210 100644 --- a/security/tomoyo/common.h +++ b/security/tomoyo/common.h @@ -29,6 +29,7 @@ #include #include #include +#include #include #include #include @@ -1062,6 +1063,7 @@ void tomoyo_write_log2(struct tomoyo_request_info *r, int len, const char *fmt, /********** External variable definitions. **********/ extern bool tomoyo_policy_loaded; +extern bool tomoyo_enabled; extern const char * const tomoyo_condition_keyword [TOMOYO_MAX_CONDITION_KEYWORD]; extern const char * const tomoyo_dif[TOMOYO_MAX_DOMAIN_INFO_FLAGS]; @@ -1196,6 +1198,17 @@ static inline void tomoyo_put_group(struct tomoyo_group *group) atomic_dec(&group->head.users); } +/** + * tomoyo_cred - Get a pointer to the tomoyo cred security blob + * @cred - the relevant cred + * + * Returns pointer to the tomoyo cred blob. + */ +static inline struct tomoyo_domain_info **tomoyo_cred(const struct cred *cred) +{ + return (struct tomoyo_domain_info **)&cred->security; +} + /** * tomoyo_domain - Get "struct tomoyo_domain_info" for current thread. * @@ -1203,7 +1216,9 @@ static inline void tomoyo_put_group(struct tomoyo_group *group) */ static inline struct tomoyo_domain_info *tomoyo_domain(void) { - return current_cred()->security; + struct tomoyo_domain_info **blob = tomoyo_cred(current_cred()); + + return *blob; } /** @@ -1216,7 +1231,9 @@ static inline struct tomoyo_domain_info *tomoyo_domain(void) static inline struct tomoyo_domain_info *tomoyo_real_domain(struct task_struct *task) { - return task_cred_xxx(task, security); + struct tomoyo_domain_info **blob = tomoyo_cred(get_task_cred(task)); + + return *blob; } /** 
diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c index f6758dad981f..b7469fdbff01 100644 --- a/security/tomoyo/domain.c +++ b/security/tomoyo/domain.c @@ -678,6 +678,7 @@ static int tomoyo_environ(struct tomoyo_execve *ee) */ int tomoyo_find_next_domain(struct linux_binprm *bprm) { + struct tomoyo_domain_info **blob; struct tomoyo_domain_info *old_domain = tomoyo_domain(); struct tomoyo_domain_info *domain = NULL; const char *original_name = bprm->filename; @@ -843,7 +844,8 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm) domain = old_domain; /* Update reference count on "struct tomoyo_domain_info". */ atomic_inc(&domain->users); - bprm->cred->security = domain; + blob = tomoyo_cred(bprm->cred); + *blob = domain; kfree(exename.name); if (!retval) { ee->r.domain = domain; diff --git a/security/tomoyo/securityfs_if.c b/security/tomoyo/securityfs_if.c index 1d3d7e7a1f05..768dff9608b1 100644 --- a/security/tomoyo/securityfs_if.c +++ b/security/tomoyo/securityfs_if.c @@ -71,9 +71,12 @@ static ssize_t tomoyo_write_self(struct file *file, const char __user *buf, if (!cred) { error = -ENOMEM; } else { - struct tomoyo_domain_info *old_domain = - cred->security; - cred->security = new_domain; + struct tomoyo_domain_info **blob; + struct tomoyo_domain_info *old_domain; + + blob = tomoyo_cred(cred); + old_domain = *blob; + *blob = new_domain; atomic_inc(&new_domain->users); atomic_dec(&old_domain->users); commit_creds(cred); @@ -234,10 +237,14 @@ static void __init tomoyo_create_entry(const char *name, const umode_t mode, */ static int __init tomoyo_initerface_init(void) { + struct tomoyo_domain_info *domain; struct dentry *tomoyo_dir; + if (!tomoyo_enabled) + return 0; + domain = tomoyo_domain(); /* Don't create securityfs entries unless registered. */ - if (current_cred()->security != &tomoyo_kernel_domain) + if (domain != &tomoyo_kernel_domain) return 0; tomoyo_dir = securityfs_create_dir("tomoyo", NULL); 
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index 9f932e2d6852..622ffa74a124 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c @@ -18,7 +18,9 @@ */ static int tomoyo_cred_alloc_blank(struct cred *new, gfp_t gfp) { - new->security = NULL; + struct tomoyo_domain_info **blob = tomoyo_cred(new); + + *blob = NULL; return 0; } @@ -34,8 +36,13 @@ static int tomoyo_cred_alloc_blank(struct cred *new, gfp_t gfp) static int tomoyo_cred_prepare(struct cred *new, const struct cred *old, gfp_t gfp) { - struct tomoyo_domain_info *domain = old->security; - new->security = domain; + struct tomoyo_domain_info **old_blob = tomoyo_cred(old); + struct tomoyo_domain_info **new_blob = tomoyo_cred(new); + struct tomoyo_domain_info *domain; + + domain = *old_blob; + *new_blob = domain; + if (domain) atomic_inc(&domain->users); return 0; @@ -59,7 +66,9 @@ static void tomoyo_cred_transfer(struct cred *new, const struct cred *old) */ static void tomoyo_cred_free(struct cred *cred) { - struct tomoyo_domain_info *domain = cred->security; + struct tomoyo_domain_info **blob = tomoyo_cred(cred); + struct tomoyo_domain_info *domain = *blob; + if (domain) atomic_dec(&domain->users); } @@ -73,6 +82,9 @@ static void tomoyo_cred_free(struct cred *cred) */ static int tomoyo_bprm_set_creds(struct linux_binprm *bprm) { + struct tomoyo_domain_info **blob; + struct tomoyo_domain_info *domain; + /* * Do only if this function is called for the first time of an execve * operation. @@ -93,13 +105,14 @@ static int tomoyo_bprm_set_creds(struct linux_binprm *bprm) * stored inside "bprm->cred->security" will be acquired later inside * tomoyo_find_next_domain(). */ - atomic_dec(&((struct tomoyo_domain_info *) - bprm->cred->security)->users); + blob = tomoyo_cred(bprm->cred); + domain = *blob; + atomic_dec(&domain->users); /* * Tell tomoyo_bprm_check_security() is called for the first time of an * execve operation. */ - bprm->cred->security = NULL; + *blob = NULL; return 0; } 
@@ -112,8 +125,11 @@ static int tomoyo_bprm_set_creds(struct linux_binprm *bprm) */ static int tomoyo_bprm_check_security(struct linux_binprm *bprm) { - struct tomoyo_domain_info *domain = bprm->cred->security; + struct tomoyo_domain_info **blob; + struct tomoyo_domain_info *domain; + blob = tomoyo_cred(bprm->cred); + domain = *blob; /* * Execute permission is checked against pathname passed to do_execve() * using current domain. @@ -531,6 +547,8 @@ static struct security_hook_list tomoyo_hooks[] __lsm_ro_after_init = { /* Lock for GC. */ DEFINE_SRCU(tomoyo_ss); +bool tomoyo_enabled; + /** * tomoyo_init - Register TOMOYO Linux as a LSM module. * @@ -539,13 +557,16 @@ DEFINE_SRCU(tomoyo_ss); static int __init tomoyo_init(void) { struct cred *cred = (struct cred *) current_cred(); + struct tomoyo_domain_info **blob; if (!security_module_enable("tomoyo")) return 0; + /* register ourselves with the security framework */ security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), "tomoyo"); printk(KERN_INFO "TOMOYO Linux initialized\n"); - cred->security = &tomoyo_kernel_domain; + blob = tomoyo_cred(cred); + *blob = &tomoyo_kernel_domain; tomoyo_mm_init(); return 0; }
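Review bot: in security/tomoyo/common.h, the kernel-doc for tomoyo_cred() writes the parameter as "@cred - the relevant cred"; kernel-doc expects "@cred: the relevant cred". The helper also takes a const struct cred * and hands back a non-const struct tomoyo_domain_info ** through a cast, so callers that pass a const cred (the "old" argument in tomoyo_cred_prepare(), for instance) receive a writable pointer into it. A one-line comment on why the const is dropped, or a separate read-only accessor, would make that intent explicit.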
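Review bot: tomoyo_real_domain() in security/tomoyo/common.h now calls get_task_cred(task), which takes a reference on the task's cred, and nothing in the function drops it with put_cred(), so every call leaks a cred reference. The line it replaces, task_cred_xxx(task, security), read the field without taking a reference. Suggest reading the blob under rcu_read_lock() through __task_cred(task), or pairing the get with put_cred() once *blob has been read.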
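Review bot: the new "if (!tomoyo_enabled) return 0;" at the top of tomoyo_initerface_init() in security/tomoyo/securityfs_if.c is a behaviour change that the commit message, which only describes wrapping cred->security in helpers, does not mention. Please explain in the changelog or in a comment why the early return is needed ahead of the tomoyo_domain() comparison, or move it into its own patch.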
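Review bot: in tomoyo_bprm_set_creds() in security/tomoyo/tomoyo.c, the unchanged comment just above the new lines still says the reference is stored inside "bprm->cred->security", which no longer matches code that goes through tomoyo_cred(bprm->cred). Update the comment in the same hunk so it describes the blob returned by the helper rather than the raw field.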
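Review bot: tomoyo_init() in security/tomoyo/tomoyo.c never assigns tomoyo_enabled, and no other hunk in this patch does either, so the flag defined just above it stays false and the new check in tomoyo_initerface_init() returns before any securityfs entry is created. Add "tomoyo_enabled = true;" once the security_module_enable("tomoyo") check has passed, for example next to the "*blob = &tomoyo_kernel_domain;" line.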