Discussion:
[PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
David Howells
2017-04-05 20:15:54 UTC
Permalink
From: Chun-Yi Lee <***@gmail.com>

When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
through kexec_file systemcall if securelevel has been set.

This code was showed in Matthew's patch but not in git:
https://lkml.org/lkml/2015/3/13/778

Cc: Matthew Garrett <***@srcf.ucam.org>
Signed-off-by: Chun-Yi Lee <***@suse.com>
Signed-off-by: David Howells <***@redhat.com>
cc: ***@lists.infradead.org
---

kernel/kexec_file.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index b118735fea9d..f6937eecd1eb 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
return -EPERM;

+ /* Don't permit images to be loaded into trusted kernels if we're not
+ * going to verify the signature on them
+ */
+ if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
+ return -EPERM;
+
/* Make sure we have a legal set of flags */
if (flags != (flags & KEXEC_FILE_FLAGS))
return -EINVAL;
David Howells
2017-04-05 20:15:37 UTC
Permalink
From: Matthew Garrett <***@nebula.com>

kexec permits the loading and execution of arbitrary code in ring 0, which
is something that lock-down is meant to prevent. It makes sense to disable
kexec in this situation.

This does not affect kexec_file_load() which can check for a signature on the
image to be booted.

Signed-off-by: Matthew Garrett <***@nebula.com>
Signed-off-by: David Howells <***@redhat.com>
cc: ***@lists.infradead.org
---

kernel/kexec.c | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/kernel/kexec.c b/kernel/kexec.c
index 980936a90ee6..46de8e6b42f4 100644
--- a/kernel/kexec.c
+++ b/kernel/kexec.c
@@ -194,6 +194,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
return -EPERM;

/*
+ * kexec can be used to circumvent module loading restrictions, so
+ * prevent loading in that case
+ */
+ if (kernel_is_locked_down())
+ return -EPERM;
+
+ /*
* Verify we have a legal set of flags
* This leaves us room for future extensions.
*/
Dave Young
2017-04-07 03:07:05 UTC
Permalink
Post by David Howells
kexec permits the loading and execution of arbitrary code in ring 0, which
is something that lock-down is meant to prevent. It makes sense to disable
kexec in this situation.
This does not affect kexec_file_load() which can check for a signature on the
image to be booted.
---
kernel/kexec.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/kernel/kexec.c b/kernel/kexec.c
index 980936a90ee6..46de8e6b42f4 100644
--- a/kernel/kexec.c
+++ b/kernel/kexec.c
@@ -194,6 +194,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
return -EPERM;
/*
+ * kexec can be used to circumvent module loading restrictions, so
+ * prevent loading in that case
+ */
+ if (kernel_is_locked_down())
+ return -EPERM;
+
+ /*
* Verify we have a legal set of flags
* This leaves us room for future extensions.
*/
_______________________________________________
kexec mailing list
http://lists.infradead.org/mailman/listinfo/kexec
Acked-by: Dave Young <***@redhat.com>

Thanks
Dave
David Howells
2017-04-05 20:15:45 UTC
Permalink
From: Dave Young <***@redhat.com>

Kexec reboot in case secure boot being enabled does not keep the secure
boot mode in new kernel, so later one can load unsigned kernel via legacy
kexec_load. In this state, the system is missing the protections provided
by secure boot.

Adding a patch to fix this by retain the secure_boot flag in original
kernel.

secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the
stub. Fixing this issue by copying secure_boot flag across kexec reboot.

Signed-off-by: Dave Young <***@redhat.com>
Signed-off-by: David Howells <***@redhat.com>
cc: ***@lists.infradead.org
---

arch/x86/kernel/kexec-bzimage64.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
index d0a814a9d96a..3551bcaa1eaf 100644
--- a/arch/x86/kernel/kexec-bzimage64.c
+++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -179,6 +179,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,
if (efi_enabled(EFI_OLD_MEMMAP))
return 0;

+ params->secure_boot = boot_params.secure_boot;
ei->efi_loader_signature = current_ei->efi_loader_signature;
ei->efi_systab = current_ei->efi_systab;
ei->efi_systab_hi = current_ei->efi_systab_hi;
Dave Young
2017-04-07 03:05:45 UTC
Permalink
Post by David Howells
When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
through kexec_file systemcall if securelevel has been set.
https://lkml.org/lkml/2015/3/13/778
---
kernel/kexec_file.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index b118735fea9d..f6937eecd1eb 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
return -EPERM;
+ /* Don't permit images to be loaded into trusted kernels if we're not
+ * going to verify the signature on them
+ */
+ if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
+ return -EPERM;
+
/* Make sure we have a legal set of flags */
if (flags != (flags & KEXEC_FILE_FLAGS))
return -EINVAL;
_______________________________________________
kexec mailing list
http://lists.infradead.org/mailman/listinfo/kexec
Acked-by: Dave Young <***@redhat.com>

Thanks
Dave
Mimi Zohar
2017-04-07 03:49:10 UTC
Permalink
Post by David Howells
Post by David Howells
When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
through kexec_file systemcall if securelevel has been set.
https://lkml.org/lkml/2015/3/13/778
---
kernel/kexec_file.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index b118735fea9d..f6937eecd1eb 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
return -EPERM;
+ /* Don't permit images to be loaded into trusted kernels if we're not
+ * going to verify the signature on them
+ */
+ if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
+ return -EPERM;
+
IMA can be used to verify file signatures too, based on the LSM hooks
in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
required.

Mimi
Post by David Howells
/* Make sure we have a legal set of flags */
Post by David Howells
if (flags != (flags & KEXEC_FILE_FLAGS))
return -EINVAL;
_______________________________________________
kexec mailing list
http://lists.infradead.org/mailman/listinfo/kexec
Thanks
Dave
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
More majordomo info at http://vger.kernel.org/majordomo-info.html
Dave Young
2017-04-07 06:19:35 UTC
Permalink
Post by Mimi Zohar
Post by David Howells
Post by David Howells
When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
through kexec_file systemcall if securelevel has been set.
https://lkml.org/lkml/2015/3/13/778
---
kernel/kexec_file.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index b118735fea9d..f6937eecd1eb 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
return -EPERM;
+ /* Don't permit images to be loaded into trusted kernels if we're not
+ * going to verify the signature on them
+ */
+ if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
+ return -EPERM;
+
IMA can be used to verify file signatures too, based on the LSM hooks
in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
required.
Mimi, I remember we talked somthing before about the two signature
verification. One can change IMA policy in initramfs userspace,
also there are kernel cmdline param to disable IMA, so it can break the
lockdown? Suppose kexec boot with ima disabled cmdline param and then
kexec reboot again..
Post by Mimi Zohar
Mimi
Post by David Howells
/* Make sure we have a legal set of flags */
Post by David Howells
if (flags != (flags & KEXEC_FILE_FLAGS))
return -EINVAL;
_______________________________________________
kexec mailing list
http://lists.infradead.org/mailman/listinfo/kexec
Thanks
Dave
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
More majordomo info at http://vger.kernel.org/majordomo-info.html
Mimi Zohar
2017-04-07 07:45:01 UTC
Permalink
Post by Dave Young
Post by Mimi Zohar
Post by David Howells
Post by David Howells
When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
through kexec_file systemcall if securelevel has been set.
https://lkml.org/lkml/2015/3/13/778
I specifically checked to make sure that either kexec_file() signature
verification was acceptable and would have commented then, if it had
not been included.
Post by Dave Young
Post by Mimi Zohar
Post by David Howells
Post by David Howells
---
kernel/kexec_file.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index b118735fea9d..f6937eecd1eb 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
return -EPERM;
+ /* Don't permit images to be loaded into trusted kernels if we're not
+ * going to verify the signature on them
+ */
+ if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
+ return -EPERM;
+
IMA can be used to verify file signatures too, based on the LSM hooks
in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
required.
Mimi, I remember we talked somthing before about the two signature
verification. One can change IMA policy in initramfs userspace,
also there are kernel cmdline param to disable IMA, so it can break the
lockdown? Suppose kexec boot with ima disabled cmdline param and then
kexec reboot again..
Right, we discussed that the same method of measuring the kexec image
and initramfs, for extending trusted boot to the OS, could also be
used for verifying the kexec image and initramfs signatures, for
extending secure boot to the OS.  The file hash would be calculated
once for both.

All of your concerns could be addressed with very minor changes to
IMA.  (Continued in response to David.)
Post by Dave Young
Post by Mimi Zohar
Post by David Howells
/* Make sure we have a legal set of flags */
Post by David Howells
if (flags != (flags & KEXEC_FILE_FLAGS))
return -EINVAL;
_______________________________________________
kexec mailing list
http://lists.infradead.org/mailman/listinfo/kexec
Thanks
Dave
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
More majordomo info at http://vger.kernel.org/majordomo-info.html
Dave Young
2017-04-07 08:01:44 UTC
Permalink
Post by Mimi Zohar
Post by Dave Young
Post by Mimi Zohar
Post by David Howells
Post by David Howells
When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
through kexec_file systemcall if securelevel has been set.
https://lkml.org/lkml/2015/3/13/778
I specifically checked to make sure that either kexec_file() signature
verification was acceptable and would have commented then, if it had
not been included.
Post by Dave Young
Post by Mimi Zohar
Post by David Howells
Post by David Howells
---
kernel/kexec_file.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index b118735fea9d..f6937eecd1eb 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
return -EPERM;
+ /* Don't permit images to be loaded into trusted kernels if we're not
+ * going to verify the signature on them
+ */
+ if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
+ return -EPERM;
+
IMA can be used to verify file signatures too, based on the LSM hooks
in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
required.
Mimi, I remember we talked somthing before about the two signature
verification. One can change IMA policy in initramfs userspace,
also there are kernel cmdline param to disable IMA, so it can break the
lockdown? Suppose kexec boot with ima disabled cmdline param and then
kexec reboot again..
Right, we discussed that the same method of measuring the kexec image
and initramfs, for extending trusted boot to the OS, could also be
used for verifying the kexec image and initramfs signatures, for
extending secure boot to the OS.  The file hash would be calculated
once for both.
All of your concerns could be addressed with very minor changes to
IMA.  (Continued in response to David.)
Thanks! As long as IMA can ensure not breaking the lockdown it should be
fine to add an check for either !CONFIG_KEXEC_VERIFY_SIG or !IMA
enforced.
Post by Mimi Zohar
Post by Dave Young
Post by Mimi Zohar
Post by David Howells
/* Make sure we have a legal set of flags */
Post by David Howells
if (flags != (flags & KEXEC_FILE_FLAGS))
return -EINVAL;
_______________________________________________
kexec mailing list
http://lists.infradead.org/mailman/listinfo/kexec
Thanks
Dave
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
More majordomo info at http://vger.kernel.org/majordomo-info.html
David Howells
2017-04-07 07:07:55 UTC
Permalink
Post by Dave Young
Post by Mimi Zohar
Post by David Howells
+ /* Don't permit images to be loaded into trusted kernels if we're not
+ * going to verify the signature on them
+ */
+ if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
+ return -EPERM;
+
IMA can be used to verify file signatures too, based on the LSM hooks
in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
required.
Mimi, I remember we talked somthing before about the two signature
verification. One can change IMA policy in initramfs userspace,
also there are kernel cmdline param to disable IMA, so it can break the
lockdown? Suppose kexec boot with ima disabled cmdline param and then
kexec reboot again..
I guess I should lock down the parameter to disable IMA too.

David
Dave Young
2017-04-07 07:41:59 UTC
Permalink
Post by David Howells
Post by Dave Young
Post by Mimi Zohar
Post by David Howells
+ /* Don't permit images to be loaded into trusted kernels if we're not
+ * going to verify the signature on them
+ */
+ if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
+ return -EPERM;
+
IMA can be used to verify file signatures too, based on the LSM hooks
in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
required.
Mimi, I remember we talked somthing before about the two signature
verification. One can change IMA policy in initramfs userspace,
also there are kernel cmdline param to disable IMA, so it can break the
lockdown? Suppose kexec boot with ima disabled cmdline param and then
kexec reboot again..
I guess I should lock down the parameter to disable IMA too.
That is one thing, user can change IMA policy in initramfs userspace,
I'm not sure if IMA enforce the signed policy now, if no it will be also
a problem.

Thanks
Dave
Mimi Zohar
2017-04-07 08:28:08 UTC
Permalink
Post by Dave Young
Post by David Howells
Post by Dave Young
Post by Mimi Zohar
Post by David Howells
+ /* Don't permit images to be loaded into trusted kernels if we're not
+ * going to verify the signature on them
+ */
+ if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
+ return -EPERM;
+
IMA can be used to verify file signatures too, based on the LSM hooks
in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
required.
Mimi, I remember we talked somthing before about the two signature
verification. One can change IMA policy in initramfs userspace,
also there are kernel cmdline param to disable IMA, so it can break the
lockdown? Suppose kexec boot with ima disabled cmdline param and then
kexec reboot again..
I guess I should lock down the parameter to disable IMA too.
That is one thing, user can change IMA policy in initramfs userspace,
I'm not sure if IMA enforce the signed policy now, if no it will be also
a problem.
I'm not sure how this relates to the question of whether IMA verifies
the kexec kernel image signature, as the test would not be based on a
Kconfig option, but on a runtime variable.

To answer your question, the rule for requiring the policy to be
signed is:  appraise func=POLICY_CHECK appraise_type=imasig

When the ability to append rules is Kconfig enabled, the builtin
policy requires the new policy or additional rules to be signed.
 Unfortunately, always requiring the policy to be signed, would have
broken userspace.

Mimi
Dave Young
2017-04-07 08:42:42 UTC
Permalink
Post by Mimi Zohar
Post by Dave Young
Post by David Howells
Post by Dave Young
Post by Mimi Zohar
Post by David Howells
+ /* Don't permit images to be loaded into trusted kernels if we're not
+ * going to verify the signature on them
+ */
+ if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
+ return -EPERM;
+
IMA can be used to verify file signatures too, based on the LSM hooks
in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
required.
Mimi, I remember we talked somthing before about the two signature
verification. One can change IMA policy in initramfs userspace,
also there are kernel cmdline param to disable IMA, so it can break the
lockdown? Suppose kexec boot with ima disabled cmdline param and then
kexec reboot again..
I guess I should lock down the parameter to disable IMA too.
That is one thing, user can change IMA policy in initramfs userspace,
I'm not sure if IMA enforce the signed policy now, if no it will be also
a problem.
I'm not sure how this relates to the question of whether IMA verifies
the kexec kernel image signature, as the test would not be based on a
Kconfig option, but on a runtime variable.
I assumed one can change the policy to avoid kexec and initramfs check
And we use a global IMA status in the -EPERM check for the lockdown
checking. But if there is some fine grained checking to ensure kernel
signature verification it should be fine.
Post by Mimi Zohar
To answer your question, the rule for requiring the policy to be
signed is:  appraise func=POLICY_CHECK appraise_type=imasig
When the ability to append rules is Kconfig enabled, the builtin
policy requires the new policy or additional rules to be signed.
 Unfortunately, always requiring the policy to be signed, would have
broken userspace.
Mimi
Thanks
Dave
David Howells
2017-04-07 07:09:54 UTC
Permalink
Post by Mimi Zohar
Post by David Howells
+ if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
+ return -EPERM;
+
IMA can be used to verify file signatures too, based on the LSM hooks
in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
required.
Okay, fair enough. I can stick in an OR with an IS_ENABLED on some IMA
symbol. CONFIG_IMA_KEXEC maybe? And also require IMA be enabled?

David
Mimi Zohar
2017-04-07 07:46:20 UTC
Permalink
Post by David Howells
Post by Mimi Zohar
Post by David Howells
+ if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
+ return -EPERM;
+
IMA can be used to verify file signatures too, based on the LSM hooks
in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
required.
Okay, fair enough. I can stick in an OR with an IS_ENABLED on some IMA
symbol. CONFIG_IMA_KEXEC maybe? And also require IMA be enabled?
Not quite, since as Dave pointed out, IMA is policy driven.  As a
policy is installed, we could set a flag.

Mimi
David Howells
2017-04-07 09:17:18 UTC
Permalink
Post by David Howells
Okay, fair enough. I can stick in an OR with an IS_ENABLED on some IMA
symbol. CONFIG_IMA_KEXEC maybe? And also require IMA be enabled?
Not quite, since as Dave pointed out, IMA is policy driven. As a
policy is installed, we could set a flag.
Does such a flag exist as yet?

David
Mimi Zohar
2017-04-07 12:36:17 UTC
Permalink
Post by David Howells
Post by David Howells
Okay, fair enough. I can stick in an OR with an IS_ENABLED on some IMA
symbol. CONFIG_IMA_KEXEC maybe? And also require IMA be enabled?
Not quite, since as Dave pointed out, IMA is policy driven. As a
policy is installed, we could set a flag.
Does such a flag exist as yet?
Not exactly what is needed.  There's a flag named ima_appraise, which
is used internally in IMA. A temporary flag is created, while
validating the rules.

if (default_appraise_rules[i].func == POLICY_CHECK)
temp_ima_appraise |= IMA_APPRAISE_POLICY;

if (!result && (entry->action == UNKNOWN))
result = -EINVAL;
else if (entry->func == MODULE_CHECK)
temp_ima_appraise |= IMA_APPRAISE_MODULES;
else if (entry->func == FIRMWARE_CHECK)
temp_ima_appraise |= IMA_APPRAISE_FIRMWARE;
else if (entry->func == POLICY_CHECK)
temp_ima_appraise |= IMA_APPRAISE_POLICY;

If the entire policy is valid, ima_update_policy_flag() sets the ima_appraise flag.

ima_appraise |= temp_ima_appraise;

From an IMA perspective, either a file hash or signature are valid,
but for this usage it must be a signature.  So in addition to testing
entry->func, above, entry->flags would need to be tested as well to
detect if IMA_DIGSIG_REQUIRED is set.

Mimi
David Howells
2017-04-10 13:19:52 UTC
Permalink
Post by Mimi Zohar
From an IMA perspective, either a file hash or signature are valid,
but for this usage it must be a signature.
Not necessarily. If IMA can guarantee that a module is the same based on its
hash rather than on a key, I would've thought that should be fine.

David
Mimi Zohar
2017-05-02 19:01:22 UTC
Permalink
Hi David,
Post by David Howells
Post by Mimi Zohar
From an IMA perspective, either a file hash or signature are valid,
but for this usage it must be a signature.
Not necessarily. If IMA can guarantee that a module is the same based on its
hash rather than on a key, I would've thought that should be fine.
File hashes can be modified on the running system, so they're normally
used, in conjunction with EVM, to detect off line modification of
mutable files and prevent their usage.

These patches https://lkml.org/lkml/2017/5/2/465 should provide some
of the missing functionality.

Mimi

Loading...