Date: Tue, 29 Jun 2021 12:40:55 +0200
From: Thomas Weißschuh
To: Paul Moore
Cc: linux-audit@redhat.com, bpf@vger.kernel.org
Subject: Re: AUDIT_ARCH_ and __NR_syscall constants for seccomp filters
Message-ID: <60ba7e11-36af-4b24-9132-c5214f32bdad@t-8ch.de>

On Mo, 2021-06-28T18:43-0400, Paul Moore wrote:
> On Mon, Jun 28, 2021 at 1:58 PM Thomas Weißschuh wrote:
> >
> > Hi again!
>
> !!! :)

Indeed, hi!

> > On Mo, 2021-06-28T13:34-0400, Paul Moore wrote:
> > > On Mon, Jun 28, 2021 at 1:13 PM Thomas Weißschuh wrote:
> > > > On Mo, 2021-06-28T12:59-0400, Paul Moore wrote:
> > > > > On Mon, Jun 28, 2021 at 9:25 AM Thomas Weißschuh wrote:
>
> ...
>
> > > Remember that seccomp filters are inherited across forks, so if your
> > > application loads an ABI specific filter and then fork()/exec()'s an
> > > application with a different ABI you could be in trouble.  We saw this
> > > some years ago when people started running containers with ABIs other
> > > than the native system; if the container orchestrator didn't load a
> > > filter that knew about these non-native ABIs Bad Things happened.
> >
> > My application will not be able to spawn any new processes.
> > It is limited to write() and exit().
> > Also this is a low-level system application so it should always be compiled for
> > the native ABI.
> > So this should not be an issue.
> >
> > > I'm sure you are already aware of libseccomp, but if not you may want
> > > to consider it for your application.  Not only does it provide a safe
> > > and easy way to handle multiple ABIs in a single filter, it handles
> > > other seccomp problem areas like build/runtime system differences in
> > > the syscall tables/defines as well as the oddball nature of
> > > direct-call and multiplexed socket related syscalls, i.e. socketcall()
> > > vs socket(), etc.
> >
> > For a larger application this would be indeed my choice.
> > But for a small application like mine I don't think it is worth it.
> > libseccomp for example does provide a way to get the native audit arch:
> > `uint32_t seccomp_arch_native(void);`. It is implemented by ifdef-ing on
> > various compiler defines to detect the ABI compiled for.
> >
> > I'd like the kernel to provide this out-of-the box, so I don't have to have the
> > same ifdefs in my application(s) and keep them up to date.
> >
> > I found that the kernel internally already has a definition for my usecase:
> > SECCOMP_ARCH_NATIVE.
> > It is just not exported to userspace.
>
> I'm not sure that keeping the ifdefs up to date is going to be that
> hard, and honestly that is the right place to do it IMHO.  The kernel
> can support any number of ABIs, but in the narrow use case you are
> describing in this thread you only care about the ABI of your own
> application; it doesn't sound like you really care about the kernel's
> ABI, but rather your application's ABI.

Ok, fair enough.

My goal was to keep the amount of support code in my application small.
Out of 250 lines of code
100 are actual business logic,
50 are the current seccomp code
and the ifdefs would be another 50 (looking at those in libseccomp).

Having a #define provided by the kernel headers, which already cares about
my application ABI when providing the syscall numbers, would have sidestepped
all clutter and maintenance issues neatly.

I'll add my own logic then.

To get back to my other question:

Is there any chance a single given process can have multiple different ABIs
active at the same time?
Without using special syscalls to switch between them.

Because if that is not possible I can skip the checks for the arch completely
because the filter is constructed at compile time for the specific ABI
targeted and all funky syscalls are forbidden anyways.

> > > I'm sorry, but I don't quite understand what you are looking for in
> > > the header files ... ?  It might help if you could provide a concrete
> > > example of what you would like to see in the header files?
> >
> > I want to do something like the following inside my program to assemble a
> > seccomp filter that will be loaded before the error-prone parts of the
> > application will begin.
> >
> > 1: BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_arch),
> > 2: BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH_NATIVE, 0, $KILL)
> > 3: BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_nr),
> > 4: BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, $ALLOW, $KILL),
> >
> > In line 4 I can already have the kernel headers provide me the correct syscall
> > number for the ABI my application is compiled for.
> >
> > For line 2 however I need to define AUDIT_ARCH_CURRENT on my own instead of
> > having a kernel header provide the correct value.

PS: I know that this seems to be a lot of discussion for fairly little gain in
this specific case, but I'd like to use seccomp filters in the future more and
am trying to find the most unobtrusive way to add them to applications for each
given usecase.
(For any larger applications that will certainly include libseccomp, but that
feels overkill for very specific, zero-runtime-dependency utilities)

Thanks again!
Thomas
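The four-line filter sketched in the message, written out as a complete program with the hand-maintained arch define it discusses. This is an added example, not code from the thread: `NATIVE_AUDIT_ARCH`, `verdict()`, the two-ABI `#if` list and the inclusion of `exit_group` are assumptions of the example, and `verdict()` dry-runs the filter in userspace so its decisions can be checked without installing it.

```c
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Hand-maintained ABI detection; only two ABIs are covered (assumption). */
#if defined(__x86_64__) && !defined(__ILP32__)
#define NATIVE_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this ABI"
#endif

static struct sock_filter filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_AUDIT_ARCH, 0, 4), /* else kill */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 3, 0),      /* to allow */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit, 2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 1, 0), /* libc exit() */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define FILTER_LEN (sizeof(filter) / sizeof(filter[0]))

/* Userspace dry run of the three classic-BPF opcodes the filter uses. */
unsigned int verdict(unsigned int arch, int nr)
{
    unsigned int acc = 0;
    for (size_t pc = 0; pc < FILTER_LEN; pc++) {
        const struct sock_filter *f = &filter[pc];
        if (f->code == (BPF_LD | BPF_W | BPF_ABS))
            acc = (f->k == offsetof(struct seccomp_data, arch)) ? arch : (unsigned int)nr;
        else if (f->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == f->k) ? f->jt : f->jf; /* offsets are relative to pc + 1 */
        else
            return f->k; /* BPF_RET | BPF_K */
    }
    return SECCOMP_RET_KILL_PROCESS;
}

int main(void)
{
    struct sock_fprog prog = { .len = FILTER_LEN, .filter = filter };
    if (verdict(NATIVE_AUDIT_ARCH, __NR_write) != SECCOMP_RET_ALLOW || /* self-check */
        prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
        return 1;
    return write(1, "sandboxed\n", 10) == 10 ? 0 : 1; /* then exit_group() */
}
```

The architecture comparison comes first because `seccomp_data.nr` is only meaningful together with `seccomp_data.arch`: the same number names different syscalls under different ABIs.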