From: jwcart2 <jwcart2@tycho.nsa.gov>
To: Joshua Brindle <joshua.brindle@crunchydata.com>, selinux@vger.kernel.org
Subject: Re: [Non-DoD Source] [PATCH v4] Add default_range glblub support
Date: Tue, 10 Sep 2019 13:22:07 -0400 [thread overview]
Message-ID: <0ea96cc4-11bb-5c4a-5f0a-75411a58e546@tycho.nsa.gov> (raw)
In-Reply-To: <20190909180557.8093-1-joshua.brindle@crunchydata.com>
On 9/9/19 2:05 PM, Joshua Brindle wrote:
> Policy developers can set a default_range default to glblub and
> computed contexts will be the intersection of the ranges of the
> source and target contexts. This can be used by MLS userspace
> object managers to find the range of clearances that two contexts
> have in common. An example usage is computing a transition between
> the network context and the context of a user logging into an MLS
> application.
>
> For example, one can add a default with
> this cil:
>
> (defaultrange db_table glblub)
>
> or in te (base module only):
>
> default_range db_table glblub;
>
> and then test using the compute_create utility:
>
> $ ./compute_create system_u:system_r:kernel_t:s0:c1,c2,c5-s0:c1.c20 system_u:system_r:kernel_t:s0:c0.c20-s0:c0.c36 db_table
> system_u:object_r:kernel_t:s0:c1,c2,c5-s0:c1.c20
>
> Some example range transitions are:
>
> User Permitted Range | Network Device Label | Computed Label
> ---------------------|----------------------|----------------
> s0-s1:c0.c12 | s0 | s0
> s0-s1:c0.c12 | s0-s1:c0.c1023 | s0-s1:c0.c12
> s0-s4:c0.c512 | s1-s1:c0.c1023 | s1-s1:c0.c512
> s0-s15:c0,c2 | s4-s6:c0.c128 | s4-s6:c0,c2
> s0-s4 | s2-s6 | s2-s4
> s0-s4 | s5-s8 | INVALID
> s5-s8 | s0-s4 | INVALID
>
> Signed-off-by: Joshua Brindle <joshua.brindle@crunchydata.com>
Merged.
Thanks,
Jim
> ---
> checkpolicy/policy_parse.y | 4 ++-
> checkpolicy/policy_scan.l | 2 ++
> libsepol/cil/src/cil.c | 1 +
> libsepol/cil/src/cil_build_ast.c | 11 ++++++---
> libsepol/cil/src/cil_internal.h | 2 ++
> libsepol/cil/src/cil_policy.c | 3 +++
> libsepol/include/sepol/policydb/context.h | 5 ++++
> libsepol/include/sepol/policydb/mls_types.h | 26 ++++++++++++++++++++
> libsepol/include/sepol/policydb/policydb.h | 7 ++++--
> libsepol/src/kernel_to_cil.c | 3 +++
> libsepol/src/kernel_to_conf.c | 3 +++
> libsepol/src/mls.c | 2 ++
> libsepol/src/module_to_cil.c | 1 +
> libsepol/src/policydb.c | 22 +++++++++++++++++
> libsepol/src/write.c | 12 +++++++++
> secilc/docs/cil_default_object_statements.md | 12 ++++++---
> 16 files changed, 105 insertions(+), 11 deletions(-)
>
> diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
> index 247bd4ee..abb7d885 100644
> --- a/checkpolicy/policy_parse.y
> +++ b/checkpolicy/policy_parse.y
> @@ -155,7 +155,7 @@ typedef int (* require_func_t)(int pass);
> %token PERMISSIVE
> %token FILESYSTEM
> %token DEFAULT_USER DEFAULT_ROLE DEFAULT_TYPE DEFAULT_RANGE
> -%token LOW_HIGH LOW HIGH
> +%token LOW_HIGH LOW HIGH GLBLUB
>
> %left OR
> %left XOR
> @@ -247,6 +247,8 @@ default_range_def : DEFAULT_RANGE names SOURCE LOW ';'
> {if (define_default_range(DEFAULT_TARGET_HIGH)) return -1; }
> | DEFAULT_RANGE names TARGET LOW_HIGH ';'
> {if (define_default_range(DEFAULT_TARGET_LOW_HIGH)) return -1; }
> + | DEFAULT_RANGE names GLBLUB';'
> + {if (define_default_range(DEFAULT_GLBLUB)) return -1; }
> ;
> opt_mls : mls
> |
> diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
> index e93ccb64..e2f676e4 100644
> --- a/checkpolicy/policy_scan.l
> +++ b/checkpolicy/policy_scan.l
> @@ -256,6 +256,8 @@ high |
> HIGH { return(HIGH); }
> low |
> LOW { return(LOW); }
> +glblub |
> +GLBLUB { return(GLBLUB); }
> "/"[^ \n\r\t\f]* { return(PATH); }
> \""/"[^\"\n]*\" { return(QPATH); }
> \"[^"/"\"\n]+\" { return(FILENAME); }
> diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c
> index 2a7ec063..de729cf8 100644
> --- a/libsepol/cil/src/cil.c
> +++ b/libsepol/cil/src/cil.c
> @@ -227,6 +227,7 @@ static void cil_init_keys(void)
> CIL_KEY_LOW = cil_strpool_add("low");
> CIL_KEY_HIGH = cil_strpool_add("high");
> CIL_KEY_LOW_HIGH = cil_strpool_add("low-high");
> + CIL_KEY_GLBLUB = cil_strpool_add("glblub");
> CIL_KEY_ROOT = cil_strpool_add("<root>");
> CIL_KEY_NODE = cil_strpool_add("<node>");
> CIL_KEY_PERM = cil_strpool_add("perm");
> diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
> index b90b0f60..ee1c51ce 100644
> --- a/libsepol/cil/src/cil_build_ast.c
> +++ b/libsepol/cil/src/cil_build_ast.c
> @@ -5894,7 +5894,7 @@ int cil_gen_defaultrange(struct cil_tree_node *parse_current, struct cil_tree_no
> CIL_SYN_STRING,
> CIL_SYN_STRING | CIL_SYN_LIST,
> CIL_SYN_STRING,
> - CIL_SYN_STRING,
> + CIL_SYN_STRING | CIL_SYN_END,
> CIL_SYN_END
> };
> int syntax_len = sizeof(syntax)/sizeof(*syntax);
> @@ -5917,8 +5917,8 @@ int cil_gen_defaultrange(struct cil_tree_node *parse_current, struct cil_tree_no
> }
>
> object = parse_current->next->next->data;
> - range = parse_current->next->next->next->data;
> if (object == CIL_KEY_SOURCE) {
> + range = parse_current->next->next->next->data;
> if (range == CIL_KEY_LOW) {
> def->object_range = CIL_DEFAULT_SOURCE_LOW;
> } else if (range == CIL_KEY_HIGH) {
> @@ -5930,7 +5930,8 @@ int cil_gen_defaultrange(struct cil_tree_node *parse_current, struct cil_tree_no
> rc = SEPOL_ERR;
> goto exit;
> }
> - } else if (parse_current->next->next->data == CIL_KEY_TARGET) {
> + } else if (object == CIL_KEY_TARGET) {
> + range = parse_current->next->next->next->data;
> if (range == CIL_KEY_LOW) {
> def->object_range = CIL_DEFAULT_TARGET_LOW;
> } else if (range == CIL_KEY_HIGH) {
> @@ -5942,8 +5943,10 @@ int cil_gen_defaultrange(struct cil_tree_node *parse_current, struct cil_tree_no
> rc = SEPOL_ERR;
> goto exit;
> }
> + } else if (object == CIL_KEY_GLBLUB) {
> + def->object_range = CIL_DEFAULT_GLBLUB;
> } else {
> - cil_log(CIL_ERR,"Expected either \'source\' or \'target\'\n");
> + cil_log(CIL_ERR,"Expected \'source\', \'target\', or \'glblub\'\n");
> rc = SEPOL_ERR;
> goto exit;
> }
> diff --git a/libsepol/cil/src/cil_internal.h b/libsepol/cil/src/cil_internal.h
> index 6ff32285..30fab649 100644
> --- a/libsepol/cil/src/cil_internal.h
> +++ b/libsepol/cil/src/cil_internal.h
> @@ -149,6 +149,7 @@ char *CIL_KEY_TARGET;
> char *CIL_KEY_LOW;
> char *CIL_KEY_HIGH;
> char *CIL_KEY_LOW_HIGH;
> +char *CIL_KEY_GLBLUB;
> char *CIL_KEY_HANDLEUNKNOWN;
> char *CIL_KEY_HANDLEUNKNOWN_ALLOW;
> char *CIL_KEY_HANDLEUNKNOWN_DENY;
> @@ -941,6 +942,7 @@ enum cil_default_object_range {
> CIL_DEFAULT_TARGET_LOW = DEFAULT_TARGET_LOW,
> CIL_DEFAULT_TARGET_HIGH = DEFAULT_TARGET_HIGH,
> CIL_DEFAULT_TARGET_LOW_HIGH = DEFAULT_TARGET_LOW_HIGH,
> + CIL_DEFAULT_GLBLUB = DEFAULT_GLBLUB,
> };
>
> /* Default labeling behavior for range */
> diff --git a/libsepol/cil/src/cil_policy.c b/libsepol/cil/src/cil_policy.c
> index 1adf22a3..06d7d74e 100644
> --- a/libsepol/cil/src/cil_policy.c
> +++ b/libsepol/cil/src/cil_policy.c
> @@ -834,6 +834,9 @@ static void cil_default_ranges_to_policy(FILE *out, struct cil_list *defaults)
> case CIL_DEFAULT_TARGET_LOW_HIGH:
> fprintf(out," %s %s", CIL_KEY_TARGET, CIL_KEY_LOW_HIGH);
> break;
> + case CIL_DEFAULT_GLBLUB:
> + fprintf(out," %s", CIL_KEY_GLBLUB);
> + break;
> default:
> break;
> }
> diff --git a/libsepol/include/sepol/policydb/context.h b/libsepol/include/sepol/policydb/context.h
> index c27c3341..37cdc591 100644
> --- a/libsepol/include/sepol/policydb/context.h
> +++ b/libsepol/include/sepol/policydb/context.h
> @@ -92,6 +92,11 @@ out:
> return rc;
> }
>
> +static inline int mls_context_glblub(context_struct_t *dst, context_struct_t *c1, context_struct_t *c2)
> +{
> + return mls_range_glblub(&dst->range, &c1->range, &c2->range);
> +}
> +
> static inline int mls_context_cmp(context_struct_t * c1, context_struct_t * c2)
> {
> return (mls_level_eq(&c1->range.level[0], &c2->range.level[0]) &&
> diff --git a/libsepol/include/sepol/policydb/mls_types.h b/libsepol/include/sepol/policydb/mls_types.h
> index a06723be..0ba6d9de 100644
> --- a/libsepol/include/sepol/policydb/mls_types.h
> +++ b/libsepol/include/sepol/policydb/mls_types.h
> @@ -30,8 +30,10 @@
> #ifndef _SEPOL_POLICYDB_MLS_TYPES_H_
> #define _SEPOL_POLICYDB_MLS_TYPES_H_
>
> +#include <errno.h>
> #include <stdint.h>
> #include <stdlib.h>
> +#include <sys/param.h>
> #include <sepol/policydb/ebitmap.h>
> #include <sepol/policydb/flask_types.h>
>
> @@ -48,6 +50,30 @@ typedef struct mls_range {
> mls_level_t level[2]; /* low == level[0], high == level[1] */
> } mls_range_t;
>
> +static inline int mls_range_glblub(struct mls_range *dst, struct mls_range *r1, struct mls_range *r2)
> +{
> + if (r1->level[1].sens < r2->level[0].sens || r2->level[1].sens < r1->level[0].sens) {
> + /* These ranges have no common sensitivities */
> + return -EINVAL;
> + }
> +
> + /* Take the greatest of the low */
> + dst->level[0].sens = MAX(r1->level[0].sens, r2->level[0].sens);
> + /* Take the least of the high */
> + dst->level[1].sens = MIN(r1->level[1].sens, r2->level[1].sens);
> +
> + if (ebitmap_and(&dst->level[0].cat, &r1->level[0].cat, &r2->level[0].cat) < 0) {
> + return -1;
> + }
> +
> + if (ebitmap_and(&dst->level[1].cat, &r1->level[1].cat, &r2->level[1].cat) < 0) {
> + return -1;
> + }
> +
> + return 0;
> +}
> +
> +
> static inline int mls_level_cpy(struct mls_level *dst, struct mls_level *src)
> {
>
> diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
> index a279382e..b0d2fdfc 100644
> --- a/libsepol/include/sepol/policydb/policydb.h
> +++ b/libsepol/include/sepol/policydb/policydb.h
> @@ -130,6 +130,7 @@ typedef struct class_datum {
> #define DEFAULT_TARGET_LOW 4
> #define DEFAULT_TARGET_HIGH 5
> #define DEFAULT_TARGET_LOW_HIGH 6
> +#define DEFAULT_GLBLUB 7
> char default_range;
> } class_datum_t;
>
> @@ -741,10 +742,11 @@ extern int policydb_set_target_platform(policydb_t *p, int platform);
> #define POLICYDB_VERSION_XEN_DEVICETREE 30 /* Xen-specific */
> #define POLICYDB_VERSION_XPERMS_IOCTL 30 /* Linux-specific */
> #define POLICYDB_VERSION_INFINIBAND 31 /* Linux-specific */
> +#define POLICYDB_VERSION_GLBLUB 32
>
> /* Range of policy versions we understand*/
> #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
> -#define POLICYDB_VERSION_MAX POLICYDB_VERSION_INFINIBAND
> +#define POLICYDB_VERSION_MAX POLICYDB_VERSION_GLBLUB
>
> /* Module versions and specific changes*/
> #define MOD_POLICYDB_VERSION_BASE 4
> @@ -765,9 +767,10 @@ extern int policydb_set_target_platform(policydb_t *p, int platform);
> #define MOD_POLICYDB_VERSION_CONSTRAINT_NAMES 17
> #define MOD_POLICYDB_VERSION_XPERMS_IOCTL 18
> #define MOD_POLICYDB_VERSION_INFINIBAND 19
> +#define MOD_POLICYDB_VERSION_GLBLUB 20
>
> #define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE
> -#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_INFINIBAND
> +#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_GLBLUB
>
> #define POLICYDB_CONFIG_MLS 1
>
> diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
> index 320af37b..01f5bc5b 100644
> --- a/libsepol/src/kernel_to_cil.c
> +++ b/libsepol/src/kernel_to_cil.c
> @@ -698,6 +698,9 @@ static int write_default_range_to_cil(FILE *out, char *class_name, class_datum_t
> case DEFAULT_TARGET_LOW_HIGH:
> dft = "target low-high";
> break;
> + case DEFAULT_GLBLUB:
> + dft = "glblub";
> + break;
> default:
> sepol_log_err("Unknown default type value: %i", class->default_range);
> return -1;
> diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
> index 930bafab..a44ba30a 100644
> --- a/libsepol/src/kernel_to_conf.c
> +++ b/libsepol/src/kernel_to_conf.c
> @@ -673,6 +673,9 @@ static int write_default_range_to_conf(FILE *out, char *class_name, class_datum_
> case DEFAULT_TARGET_LOW_HIGH:
> dft = "target low-high";
> break;
> + case DEFAULT_GLBLUB:
> + dft = "glblub";
> + break;
> default:
> sepol_log_err("Unknown default type value: %i", class->default_range);
> return -1;
> diff --git a/libsepol/src/mls.c b/libsepol/src/mls.c
> index 63ad1bcb..6ff9a846 100644
> --- a/libsepol/src/mls.c
> +++ b/libsepol/src/mls.c
> @@ -643,6 +643,8 @@ int mls_compute_sid(policydb_t * policydb,
> return mls_context_cpy_high(newcontext, tcontext);
> case DEFAULT_TARGET_LOW_HIGH:
> return mls_context_cpy(newcontext, tcontext);
> + case DEFAULT_GLBLUB:
> + return mls_context_glblub(newcontext, scontext, tcontext);
> }
>
> /* Fallthrough */
> diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
> index 1af166c9..c48a897d 100644
> --- a/libsepol/src/module_to_cil.c
> +++ b/libsepol/src/module_to_cil.c
> @@ -2033,6 +2033,7 @@ static int class_to_cil(int indent, struct policydb *pdb, struct avrule_block *U
> case DEFAULT_TARGET_LOW: dflt = "target low"; break;
> case DEFAULT_TARGET_HIGH: dflt = "target high"; break;
> case DEFAULT_TARGET_LOW_HIGH: dflt = "target low-high"; break;
> + case DEFAULT_GLBLUB: dflt = "glblub"; break;
> default:
> log_err("Unknown default range value: %i", class->default_range);
> rc = -1;
> diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
> index 69bcb4d5..67037b6d 100644
> --- a/libsepol/src/policydb.c
> +++ b/libsepol/src/policydb.c
> @@ -194,6 +194,13 @@ static struct policydb_compat_info policydb_compat[] = {
> .ocon_num = OCON_IBENDPORT + 1,
> .target_platform = SEPOL_TARGET_SELINUX,
> },
> + {
> + .type = POLICY_KERN,
> + .version = POLICYDB_VERSION_GLBLUB,
> + .sym_num = SYM_NUM,
> + .ocon_num = OCON_IBENDPORT + 1,
> + .target_platform = SEPOL_TARGET_SELINUX,
> + },
> {
> .type = POLICY_BASE,
> .version = MOD_POLICYDB_VERSION_BASE,
> @@ -306,6 +313,13 @@ static struct policydb_compat_info policydb_compat[] = {
> .ocon_num = OCON_IBENDPORT + 1,
> .target_platform = SEPOL_TARGET_SELINUX,
> },
> + {
> + .type = POLICY_BASE,
> + .version = MOD_POLICYDB_VERSION_GLBLUB,
> + .sym_num = SYM_NUM,
> + .ocon_num = OCON_IBENDPORT + 1,
> + .target_platform = SEPOL_TARGET_SELINUX,
> + },
> {
> .type = POLICY_MOD,
> .version = MOD_POLICYDB_VERSION_BASE,
> @@ -418,6 +432,14 @@ static struct policydb_compat_info policydb_compat[] = {
> .ocon_num = 0,
> .target_platform = SEPOL_TARGET_SELINUX,
> },
> + {
> + .type = POLICY_MOD,
> + .version = MOD_POLICYDB_VERSION_GLBLUB,
> + .sym_num = SYM_NUM,
> + .ocon_num = 0,
> + .target_platform = SEPOL_TARGET_SELINUX,
> + },
> +
> };
>
> #if 0
> diff --git a/libsepol/src/write.c b/libsepol/src/write.c
> index dee7b4a3..c6be2be2 100644
> --- a/libsepol/src/write.c
> +++ b/libsepol/src/write.c
> @@ -46,6 +46,11 @@
> #include "private.h"
> #include "mls.h"
>
> +#define glblub_version ((p->policy_type == POLICY_KERN && \
> + p->policyvers >= POLICYDB_VERSION_GLBLUB) || \
> + (p->policy_type == POLICY_BASE && \
> + p->policyvers >= MOD_POLICYDB_VERSION_GLBLUB))
> +
> struct policy_data {
> struct policy_file *fp;
> struct policydb *p;
> @@ -1034,6 +1039,13 @@ static int class_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
> p->policyvers >= MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS)) {
> buf[0] = cpu_to_le32(cladatum->default_user);
> buf[1] = cpu_to_le32(cladatum->default_role);
> + if (!glblub_version && cladatum->default_range == DEFAULT_GLBLUB) {
> + WARN(fp->handle,
> + "class %s default_range set to GLBLUB but policy version is %d (%d required), discarding",
> + p->p_class_val_to_name[cladatum->s.value - 1], p->policyvers,
> + p->policy_type == POLICY_KERN? POLICYDB_VERSION_GLBLUB:MOD_POLICYDB_VERSION_GLBLUB);
> + cladatum->default_range = 0;
> + }
> buf[2] = cpu_to_le32(cladatum->default_range);
> items = put_entry(buf, sizeof(uint32_t), 3, fp);
> if (items != 3)
> diff --git a/secilc/docs/cil_default_object_statements.md b/secilc/docs/cil_default_object_statements.md
> index 73d84d6d..80ccabe7 100644
> --- a/secilc/docs/cil_default_object_statements.md
> +++ b/secilc/docs/cil_default_object_statements.md
> @@ -143,11 +143,11 @@ When creating a new `socket` object, the [`type`](cil_type_statements.md#type) c
> defaultrange
> ------------
>
> -Allows the default level or range to be taken from the source or target context when computing a new context for the object [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 27.
> +Allows the default level or range to be taken from the source, target, or both contexts when computing a new context for the object [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 27. glblub as the default requires policy version 32.
>
> **Statement definition:**
>
> - (defaultrange class_id default range)
> + (defaultrange class_id default <range>)
>
> **Where:**
>
> @@ -167,11 +167,11 @@ Allows the default level or range to be taken from the source or target context
> </tr>
> <tr class="odd">
> <td align="left"><p><code>default</code></p></td>
> -<td align="left"><p>A keyword of either <code>source</code> or <code>target</code>.</p></td>
> +<td align="left"><p>A keyword of either <code>source</code>, <code>target</code>, or <code>glblub</code>.</p></td>
> </tr>
> <tr class="even">
> <td align="left"><p><code>range</code></p></td>
> -<td align="left"><p>A keyword of either <code>low</code>, <code>high</code> or <code>low-high</code>.</p></td>
> +<td align="left"><p>A keyword of either <code>low</code>, <code>high</code>, or <code>low-high</code>.</p></td>
> </tr>
> </tbody>
> </table>
> @@ -181,3 +181,7 @@ Allows the default level or range to be taken from the source or target context
> When creating a new `file` object, the appropriate `range` component of the new security context will be taken from the `target` context:
>
> (defaultrange file target low_high)
> +
> +MLS userspace object managers may need to compute the common parts of a range such that the object is created with the range common to the subject and containing object:
> +
> + (defaultrange db_table glblub)
>
--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
next prev parent reply other threads:[~2019-09-10 17:27 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-09 18:05 [PATCH v4] Add default_range glblub support Joshua Brindle
2019-09-10 17:22 ` jwcart2 [this message]
2019-09-11 23:52 ` [Non-DoD Source] " Paul Moore
2019-10-04 20:10 ` Stephen Smalley
2019-10-04 21:27 ` Paul Moore
2019-10-07 23:08 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0ea96cc4-11bb-5c4a-5f0a-75411a58e546@tycho.nsa.gov \
--to=jwcart2@tycho.nsa.gov \
--cc=joshua.brindle@crunchydata.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).