From: Simo Sorce <simo@redhat.com>
Subject: Re: RFC(v2): Audit Kernel Container IDs
Date: Tue, 17 Oct 2017 11:28:40 -0400
Message-ID: <1508254120.6230.34.camel@redhat.com>
References: <20171012141359.saqdtnodwmbz33b2@madcap2.tricolour.ca>
 <75b7d6a6-42ba-2dff-1836-1091c7c024e7@schaufler-ca.com>
 <20171017003340.whjdkqmkw4lydwy7@madcap2.tricolour.ca>
 <2319693.5l3M4ZINGd@x2>
 <1508243469.6230.24.camel@redhat.com>
To: Casey Schaufler, Steve Grubb, linux-audit@redhat.com
Cc: Richard Guy Briggs, mszeredi@redhat.com, "Eric W. Biederman", jlayton@redhat.com, "Carlos O'Donell", Linux API, Linux Containers, Linux Kernel, Eric Paris, David Howells, Al Viro, Andy Lutomirski, Linux Network Development, Linux FS Devel, cgroups@vger.kernel.org, "Serge E. Hallyn", trondmy@primarydata.com
Organization: Red Hat, Inc.
List-Id: containers.vger.kernel.org, linux-kernel@vger.kernel.org, netdev.vger.kernel.org

On Tue, 2017-10-17 at 07:59 -0700, Casey Schaufler wrote:
> On 10/17/2017 5:31 AM, Simo Sorce wrote:
> > On Mon, 2017-10-16 at 21:42 -0400, Steve Grubb wrote:
> > > On Monday, October 16, 2017 8:33:40 PM EDT Richard Guy Briggs wrote:
> > > > There is such a thing, but the kernel doesn't know about it yet.
> > > > This same situation exists for loginuid and sessionid, which are
> > > > userspace concepts that the kernel tracks for the convenience of
> > > > userspace. As for its name, I'm not particularly picky, so if you
> > > > don't like CAP_CONTAINER_* then I'm fine with CAP_AUDIT_CONTAINERID.
> > > > It really needs to be distinct from CAP_AUDIT_WRITE and
> > > > CAP_AUDIT_CONTROL since we don't want to give the ability to set a
> > > > containerID to any process that is able to do audit logging (such
> > > > as vsftpd), and similarly we don't want to give the orchestrator
> > > > the ability to control the setup of the audit daemon.
> > >
> > > A long time ago, we were debating what should guard against rogue
> > > processes setting the loginuid. Casey argued that the ability to set
> > > the loginuid means they have the ability to control the audit trail.
> > > That means that it should be guarded by CAP_AUDIT_CONTROL. I think
> > > the same logic applies today.
> >
> > The difference is that with loginuid you needed to give processes able
> > to audit also the ability to change it. You do not want to tie the
> > ability to change container ids to the ability to audit. You want to be
> > able to do audit stuff (within the container) without allowing it to
> > change the container id.
>
> Without a *kernel* policy on containerIDs you can't say what security
> policy is being exempted.

The policy has basically been stated earlier.

A way to track a set of processes from a specific point in time forward.
The name used is "container id", but it could be anything. This marker is
mostly used by user space to track process hierarchies without races;
these processes can be very privileged, and must not be allowed to change
the marker themselves when granted the current common capabilities.

Is this a good enough description? If not, can you clarify your
expectations?

> Without that you can't say what capability is (or isn't) appropriate.

See if the above is sufficient, please.

> You need a reason to have a capability check that makes sense in the
> context of the kernel security policy.

I think the proposal had a reason; we may debate whether that reason is
good enough.

> Since we don't know what a container is in the kernel,

Please do not fixate on the word container.

> that's pretty hard. We don't create "fuzzy" capabilities based on the
> trendy application behavior of the moment. If the behavior is not
> related to audit, there's no reason for it, and if it is,
> CAP_AUDIT_CONTROL works just fine. If this doesn't work in your
> application security model I suggest that is where you need to make
> changes.

The authors of the proposal came to the conclusion that kernel assistance
is needed. It would be nice to discuss the merits of it. If you do not
understand why the request has been made, it would be more useful to ask
specific questions to understand what the ask is and why.

Pushing back is fine if you have understood the problem and have valid
arguments against a kernel level solution (and possibly suggestions for a
working user space solution); otherwise you are not adding value to the
discussion.

Simo.

-- 
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc

_______________________________________________
Containers mailing list
Containers@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/containers