From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [PATCH v24 00/25] LSM: Module stacking for AppArmor
To: Topi Miettinen, casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, Casey Schaufler
References: <20210126164108.1958-1-casey.ref@schaufler-ca.com> <20210126164108.1958-1-casey@schaufler-ca.com> <31ba0fe7-afdf-8f7d-e7a7-8f15d8c690a4@gmail.com>
From: Casey Schaufler
Message-ID: <3ac446c9-1af7-04dd-561d-6ec1dbb146b9@schaufler-ca.com>
Date: Tue, 2 Feb 2021 10:06:29 -0800
X-Mailing-List: linux-kernel@vger.kernel.org

On 2/2/2021 9:12 AM, Topi Miettinen wrote:
> On 2.2.2021 17.30, Casey Schaufler wrote:
>> On 2/2/2021 4:05 AM, Topi Miettinen wrote:
>>> On 26.1.2021 18.40, Casey Schaufler wrote:
>>>> This patchset provides the changes required for
>>>> the AppArmor security module to stack safely with any other.
>>>
>>> In my test, when kernel command line has apparmor before selinux in lsm= entry, the boot is not successful with enforcing=1:
>>> systemd[1]: Failed to compute init label, ignoring.
>>> systemd[1]: Failed to set SELinux security context system_u:object_r:cgroup_t:s0 for /sys/fs/cgroup: Invalid argument
>>> systemd[1]: Failed to set SELinux security context system_u:object_r:pstore_t:s0 for /sys/fs/pstore: Invalid argument
>>> systemd[1]: Failed to set SELinux security context system_u:object_r:sysfs_t:s0 for /sys/firmware/efi/efivars: Invalid argument
>>> ...
>>> Failed to drop capability bounding set of usermode helpers: Operation not permitted
>>> Failed to drop capability bounding set of usermode helpers.
>>> systemd[1]: Freezing execution.
>>
>> Systemd has extensive support for SELinux. That's good.
>> It doesn't have an understanding of what needs to be done
>> if SELinux is active but not the default security module
>> for interfaces including SO_PEERSEC and /proc/*/attr/*.
>> That's going to take some work.
>
> Ok. What will be the replacement for SO_PEERSEC? Systemd calls getsockopt(fd, SOL_SOCKET, SO_PEERSEC, s, &n).

Dealing with SO_PEERSEC has been discussed at length, and I
wouldn't say that anyone is really happy with the conclusions.
The patch set presented uses the interface_lsm to determine
which module's data is presented in SO_PEERSEC. The interface_lsm
is controlled by writing the desired security module name to
/proc/self/attr/interface_lsm. The addition of SO_PEERCONTEXT,
which would contain all active security module data, has been
proposed as a follow-on but is not included in this patch set.

>
> Is the /proc part something that should be fixed on systemd side, or can perhaps the SELinux libraries hide this from applications?

It's unfortunate that the early days of the LSM were dominated
by the mindset that security had to be a complete solution. I
was in that camp myself for a good long time, but came to
recognize that attempting to solve all security problems for
everyone using one mechanism was destined to excess. Because
user-space development has assumed a single LSM for so long it's
hard to imagine that there won't need to be changes in both the
libraries and the programs. Because SELinux has the longest
history and most complete distribution integration it will also
have the most trouble with sharing the LSM stack.

>
>>
>>>
>>> Probably SELinux libraries can't find or set the labels for the PID1 or any file systems. Before the init label message, systemd calls getcon_raw(), getfilecon_raw(), string_to_security_class() and security_compute_create_raw(), so one of these doesn't understand the LSM stacking.
>>
>> That is correct.
>>
>>>
>>> Also the policy needs updating to handle process2:setdisplay:
>>> SELinux:  Permission setdisplay in class process2 not defined in policy.
>>> SELinux: the above unknown classes and permissions will be denied
>>>
>>> With enforcing=0, many services start, but for example systemd-journald doesn't. This is probably related to the earlier problem with labels (maybe libraries try to use SELinux labels where kernel wants AppArmor profiles):
>>> systemd[1]: Failed to set SELinux security context system_u:object_r:init_runtime_t:s0 for /run/systemd/units/invocation:systemd-user-sessions.service: Invalid argument
>>
>> This is also an artifact of systemd seeing AppArmor information
>> instead of SELinux contexts.
>
> Will SELinux libraries choose automatically the correct way to set labels in the future?

I expect so eventually. The SELinux developers have not been
especially enthusiastic about the prospect of module stacking.
Once it is available I expect to see some accommodation, but
not necessarily to the level you might like. The patch set here
is strongly influenced by the assumption that putting the most
highly integrated module first (SELinux on Fedora, AppArmor on
Ubuntu, Smack on Tizen, ...) is going to get you most of what
you need. Whoever wants to add Smack to Ubuntu is going to have
some work to do.

Stacking AppArmor with SELinux is a real use case in the container
world, but that's not the real focus of this effort. I have seen
several cases where security features have not been implemented
because they couldn't be added to a system that also required
SELinux, AppArmor or Smack. I have seen many proposals for changes
to existing security modules that were outside their scope just
because there was no other way.
>
>>>
>>> Switching the order so that apparmor is after selinux, boot is successful. Loading AppArmor profiles needs a permission from SELinux:
>>>
>>> Feb 02 08:53:15 audit[963]: AVC avc:  denied  { mac_admin } for  pid=963 comm="apparmor_parser" capability=33 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=capability2 permissive=0
>>> Feb 02 08:53:15 audit[963]: AVC apparmor="STATUS" operation="profile_replace" info="not policy admin" error=-13 profile="unconfined" pid=963 comm="apparmor_parser"
>>> Feb 02 08:53:15 audit: AUDIT1420 subj_selinux=system_u:system_r:initrc_t:s0 subj_apparmor==unconfined
>>> Feb 02 08:53:15 audit[963]: SYSCALL arch=c000003e syscall=1 success=no exit=-13 a0=7 a1=7a8f2ff04f80 a2=1e09 a3=0 items=0 ppid=961 pid=963 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apparmor_parser" exe="/usr/sbin/apparmor_parser" subj=? key=(null)
>>> Feb 02 08:53:15 audit: PROCTITLE proctitle=2F7362696E2F61707061726D6F725F706172736572002D2D77726974652D6361636865002D2D7265706C616365002D2D002F6574632F61707061726D6F722E64
>>> Feb 02 08:53:15 apparmor.systemd[963]: /sbin/apparmor_parser: Unable to replace "/lib/systemd/systemd-resolved".  Permission denied; attempted to load a profile while confined?
>>>
>>> This just seems to need TE rules for the apparmor_parser.
>>>
>>> Double equal sign in subj_apparmor==unconfined looks odd, should that be just one like subj_selinux?
>>
>> The audit code is reporting what AppArmor provides.
>> I agree that this looks odd.
>>
>>>
>>>
>>> Tools like ps, and KDE and Gnome System Monitors only show SELinux context, but it would be nice if MAC contexts for all enabled LSMs were shown.
>>
>> I agree. How this should be done has been a topic of
>> lively debate for some time.
>>
>>>
>>> -Topi
>>
>> Thank you for this report. Which distribution are you using?
>> I have been testing with Fedora (SELinux + AppArmor) and Ubuntu
>> (AppArmor + Smack). I would be very interested to see how a
>> distribution that doesn't use systemd behaves.
>
> This is Debian with systemd, I'm using SELinux + TOMOYO + AppArmor.

Great to hear. Thanks again.
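As an added example (not code from the thread, systemd, SELinux or AppArmor), the parser below runs over the audit records Topi quoted, reconstructed here as constructed sample input: it tolerates the subj_apparmor==unconfined double equals he asked about, and correlates the SELinux mac_admin denial with the AppArmor profile_replace failure for the same pid, which is the "needs TE rules for the apparmor_parser" case. The suggested allow rule is derived mechanically from the denial's own fields, audit2allow-style, and is an assumption about the minimal fix rather than anything the thread spells out.

```python
"""Parse the audit records quoted in the thread and correlate the SELinux
mac_admin denial with the AppArmor profile_replace failure it caused."""
import re
from typing import Dict, List

# Constructed sample input: the audit payloads of the records Topi quoted,
# with the "Feb 02 08:53:15 audit[963]:" journal prefix stripped.
SAMPLE_RECORDS = [
    'AVC avc:  denied  { mac_admin } for  pid=963 comm="apparmor_parser" '
    'capability=33 scontext=system_u:system_r:initrc_t:s0 '
    'tcontext=system_u:system_r:initrc_t:s0 tclass=capability2 permissive=0',
    'AVC apparmor="STATUS" operation="profile_replace" info="not policy admin" '
    'error=-13 profile="unconfined" pid=963 comm="apparmor_parser"',
    'AUDIT1420 subj_selinux=system_u:system_r:initrc_t:s0 subj_apparmor==unconfined',
]

# key=value where the value is either double-quoted (may contain spaces)
# or a run of non-space characters.  "subj_apparmor==unconfined" parses
# as key "subj_apparmor" with value "=unconfined"; the stray "=" is
# stripped in parse_record() so both subj_* fields come out alike.
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
# Braced permission list of an SELinux AVC record: denied  { mac_admin }
_DENIED_RE = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into its fields.

    The record type (AVC, AUDIT1420, SYSCALL, ...) goes under "type" and
    an SELinux AVC's braced permission list under "denied"; every
    key=value pair is stored with quotes and any stray leading "=" removed.
    """
    rec_type, _, rest = line.strip().partition(" ")
    fields: Dict[str, str] = {"type": rec_type}
    denied = _DENIED_RE.search(rest)
    if denied:
        fields["denied"] = denied.group(1)
    for key, raw in _FIELD_RE.findall(rest):
        value = raw.lstrip("=")
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def selinux_type(context: str) -> str:
    """Type component of an SELinux context (user:role:type[:range])."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def find_blocked_profile_loads(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Pair each SELinux denial of mac_admin with the AppArmor STATUS record
    that reports error=-13 (EACCES) for the same pid.

    Each finding carries the pid, the SELinux domain that was denied and an
    audit2allow-style TE rule built from the denial's own fields.  Whether a
    dedicated domain for apparmor_parser is preferable to granting initrc_t
    the permission is a policy decision this function does not make.
    """
    denials: Dict[str, Dict[str, str]] = {}
    for rec in records:
        if (rec.get("type") == "AVC"
                and rec.get("tclass") == "capability2"
                and "mac_admin" in rec.get("denied", "").split()):
            denials[rec.get("pid", "")] = rec

    findings: List[Dict[str, str]] = []
    for rec in records:
        if rec.get("type") != "AVC" or rec.get("apparmor") != "STATUS":
            continue
        if rec.get("error") != "-13":
            continue
        denial = denials.get(rec.get("pid", ""))
        if denial is None:
            continue  # no matching SELinux denial: AppArmor refused on its own
        src = selinux_type(denial["scontext"])
        tgt = selinux_type(denial["tcontext"])
        findings.append({
            "pid": rec.get("pid", ""),
            "comm": denial.get("comm", ""),
            "operation": rec.get("operation", ""),
            "selinux_domain": src,
            "suggested_rule": f"allow {src} {tgt}:{denial['tclass']} mac_admin;",
        })
    return findings


if __name__ == "__main__":
    parsed = [parse_record(line) for line in SAMPLE_RECORDS]
    for finding in find_blocked_profile_loads(parsed):
        print(finding)
```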