From: Alexey Budankov
Organization: Intel Corp.
To: Stephen Smalley
Cc: Alexei Starovoitov, Peter Zijlstra, Arnaldo Carvalho de Melo, Ingo Molnar,
 "jani.nikula@linux.intel.com", "joonas.lahtinen@linux.intel.com",
 "rodrigo.vivi@intel.com", "benh@kernel.crashing.org", Paul Mackerras,
 Michael Ellerman, "james.bottomley@hansenpartnership.com", Serge Hallyn,
 James Morris, Will Deacon, Mark Rutland, Robert Richter, Alexei Starovoitov,
 Jiri Olsa, Andi Kleen, Stephane Eranian, Igor Lubashev, Alexander Shishkin,
 Namhyung Kim, Song Liu, Lionel Landwerlin, Thomas Gleixner, linux-kernel,
 "linux-security-module@vger.kernel.org", "selinux@vger.kernel.org",
 "intel-gfx@lists.freedesktop.org", "linux-parisc@vger.kernel.org",
 "linuxppc-dev@lists.ozlabs.org", linux-arm-kernel,
 "linux-perf-users@vger.kernel.org", oprofile-list@lists.sf.net, Andy Lutomirski
Subject: Re: [PATCH v5 01/10] capabilities: introduce CAP_PERFMON to kernel and user space
Date: Thu, 13 Feb 2020 12:05:24 +0300
Message-ID: <874115a9-fb11-b7f4-7e92-46aedc5f26af@linux.intel.com>
In-Reply-To: <46751eb9-deca-53cc-95fb-1602cfdf62a2@tycho.nsa.gov>
X-Mailing-List: linux-parisc@vger.kernel.org

On 12.02.2020 20:09, Stephen Smalley wrote:
> On 2/12/20 11:56 AM, Alexey Budankov wrote:
>>
>>
>> On 12.02.2020 18:45, Stephen Smalley wrote:
>>> On 2/12/20 10:21 AM, Stephen Smalley wrote:
>>>> On 2/12/20 8:53 AM, Alexey Budankov wrote:
>>>>> On 12.02.2020 16:32, Stephen Smalley wrote:
>>>>>> On 2/12/20 3:53 AM, Alexey Budankov wrote:
>>>>>>> Hi Stephen,
>>>>>>>
>>>>>>> On 22.01.2020 17:07, Stephen Smalley wrote:
>>>>>>>> On 1/22/20 5:45 AM, Alexey Budankov wrote:
>>>>>>>>>
>>>>>>>>> On 21.01.2020 21:27, Alexey Budankov wrote:
>>>>>>>>>>
>>>>>>>>>> On 21.01.2020 20:55, Alexei Starovoitov wrote:
>>>>>>>>>>> On Tue, Jan 21, 2020 at 9:31 AM Alexey Budankov
>>>>>>>>>>> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On 21.01.2020 17:43, Stephen Smalley wrote:
>>>>>>>>>>>>> On 1/20/20 6:23 AM, Alexey Budankov wrote:
>>>>>>>>>>>>>>
>>>>>>>
>>>>>>>>>>>>>> Introduce CAP_PERFMON capability designed to secure system performance
>>>>>>>>>>>>>
>>>>>>>>>>>>> Why _noaudit()?  Normally only used when a permission failure is non-fatal to the operation.  Otherwise, we want the audit message.
>>>>>>>>>
>>>>>>>>> So far so good, I suggest using the simplest version for v6:
>>>>>>>>>
>>>>>>>>> static inline bool perfmon_capable(void)
>>>>>>>>> {
>>>>>>>>>        return capable(CAP_PERFMON) || capable(CAP_SYS_ADMIN);
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> It keeps the implementation simple and readable.
>>>>>>>>> The implementation is more
>>>>>>>>> performant in the sense of calling the API - one capable() call for CAP_PERFMON
>>>>>>>>> privileged process.
>>>>>>>>>
>>>>>>>>> Yes, it bloats audit log for CAP_SYS_ADMIN privileged and unprivileged processes,
>>>>>>>>> but this bloating also advertises and leverages using more secure CAP_PERFMON
>>>>>>>>> based approach to use perf_event_open system call.
>>>>>>>>
>>>>>>>> I can live with that.  We just need to document that when you see both a CAP_PERFMON and a CAP_SYS_ADMIN audit message for a process, try only allowing CAP_PERFMON first and see if that resolves the issue.  We have a similar issue with CAP_DAC_READ_SEARCH versus CAP_DAC_OVERRIDE.
>>>>>>>
>>>>>>> I am trying to reproduce this double logging with CAP_PERFMON.
>>>>>>> I am using the refpolicy version with enabled perf_event tclass [1], in permissive mode.
>>>>>>> When running perf stat -a I am observing these AVC audit messages:
>>>>>>>
>>>>>>> type=AVC msg=audit(1581496695.666:8691): avc:  denied  { open } for  pid=2779 comm="perf" scontext=user_u:user_r:user_systemd_t tcontext=user_u:user_r:user_systemd_t tclass=perf_event permissive=1
>>>>>>> type=AVC msg=audit(1581496695.666:8691): avc:  denied  { kernel } for  pid=2779 comm="perf" scontext=user_u:user_r:user_systemd_t tcontext=user_u:user_r:user_systemd_t tclass=perf_event permissive=1
>>>>>>> type=AVC msg=audit(1581496695.666:8691): avc:  denied  { cpu } for  pid=2779 comm="perf" scontext=user_u:user_r:user_systemd_t tcontext=user_u:user_r:user_systemd_t tclass=perf_event permissive=1
>>>>>>> type=AVC msg=audit(1581496695.666:8692): avc:  denied  { write } for  pid=2779 comm="perf" scontext=user_u:user_r:user_systemd_t tcontext=user_u:user_r:user_systemd_t tclass=perf_event permissive=1
>>>>>>>
>>>>>>> However there are no capability related messages around. I suppose my refpolicy should
>>>>>>> be modified somehow to observe capability related AVCs.
>>>>>>>
>>>>>>> Could you please comment or clarify on how to enable caps related AVCs in order
>>>>>>> to test the concerned logging.
>>>>>>
>>>>>> The new perfmon permission has to be defined in your policy; you'll have a message in dmesg about "Permission perfmon in class capability2 not defined in policy.".  You can either add it to the common cap2 definition in refpolicy/policy/flask/access_vectors and rebuild your policy or extract your base module as CIL, add it there, and insert the updated module.
>>>>>
>>>>> Yes, I already have it like this:
>>>>> common cap2
>>>>> {
>>>>>         mac_override    # unused by SELinux
>>>>>         mac_admin
>>>>>         syslog
>>>>>         wake_alarm
>>>>>         block_suspend
>>>>>         audit_read
>>>>>         perfmon
>>>>> }
>>>>>
>>>>> dmesg stopped reporting perfmon as not defined but audit.log still doesn't report CAP_PERFMON denials.
>>>>> BTW, audit doesn't even report CAP_SYS_ADMIN denials, however perfmon_capable() does check for it.
>>>>
>>>> Some denials may be silenced by dontaudit rules; semodule -DB will strip those and semodule -B will restore them.  Other possibility is that the process doesn't have CAP_PERFMON in its effective set and therefore never reaches SELinux at all; denied first by the capability module.
>>>
>>> Also, the fact that your denials are showing up in user_systemd_t suggests that something is off in your policy or userspace/distro; I assume that is a domain type for the systemd --user instance, but your shell and commands shouldn't be running in that domain (user_t would be more appropriate for that).
>>
>> It is user_t for local terminal session:
>> ps -Z
>> LABEL                             PID TTY          TIME CMD
>> user_u:user_r:user_t            11317 pts/9    00:00:00 bash
>> user_u:user_r:user_t            11796 pts/9    00:00:00 ps
>>
>> For local terminal root session:
>> ps -Z
>> LABEL                             PID TTY          TIME CMD
>> user_u:user_r:user_su_t          2926 pts/3    00:00:00 bash
>> user_u:user_r:user_su_t         10995 pts/3    00:00:00 ps
>>
>> For remote ssh session:
>> ps -Z
>> LABEL                             PID TTY          TIME CMD
>> user_u:user_r:user_t             7540 pts/8    00:00:00 ps
>> user_u:user_r:user_systemd_t     8875 pts/8    00:00:00 bash
>
> That's a bug in either your policy or your userspace/distro integration.  In any event, unless user_systemd_t is allowed all capability2 permissions by your policy, you should see the denials if CAP_PERFMON is set in the effective capability set of the process.
>

That all seems to be true.
After instrumentation, rebuilding and rebooting, in CAP_PERFMON case:

$ getcap perf
perf = cap_sys_ptrace,cap_syslog,cap_perfmon+ep

$ perf stat -a

type=AVC msg=audit(1581580399.165:784): avc: denied { open } for pid=8859 comm="perf" scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=perf_event permissive=1
type=AVC msg=audit(1581580399.165:785): avc: denied { perfmon } for pid=8859 comm="perf" capability=38 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability2 permissive=1
type=AVC msg=audit(1581580399.165:786): avc: denied { kernel } for pid=8859 comm="perf" scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=perf_event permissive=1
type=AVC msg=audit(1581580399.165:787): avc: denied { cpu } for pid=8859 comm="perf" scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=perf_event permissive=1
type=AVC msg=audit(1581580399.165:788): avc: denied { write } for pid=8859 comm="perf" scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=perf_event permissive=1
type=AVC msg=audit(1581580408.078:791): avc: denied { read } for pid=8859 comm="perf" scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=perf_event permissive=1

dmesg:

[ 137.877713] security_capable(0000000071f7ee6e, 000000009dd7a5fc, CAP_PERFMON, 0) = ?
[ 137.877774] cread_has_capability(CAP_PERFMON) = 0
[ 137.877775] prior avc_audit(CAP_PERFMON)
[ 137.877779] security_capable(0000000071f7ee6e, 000000009dd7a5fc, CAP_PERFMON, 0) = 0
[ 137.877784] security_capable(0000000071f7ee6e, 000000009dd7a5fc, CAP_PERFMON, 0) = ?
[ 137.877785] cread_has_capability(CAP_PERFMON) = 0
[ 137.877786] security_capable(0000000071f7ee6e, 000000009dd7a5fc, CAP_PERFMON, 0) = 0
[ 137.877794] security_capable(0000000071f7ee6e, 000000009dd7a5fc, CAP_PERFMON, 0) = ?
[ 137.877795] cread_has_capability(CAP_PERFMON) = 0
[ 137.877796] security_capable(0000000071f7ee6e, 000000009dd7a5fc, CAP_PERFMON, 0) = 0
...

in CAP_SYS_ADMIN case:

$ getcap perf
perf = cap_sys_ptrace,cap_sys_admin,cap_syslog+ep

$ perf stat -a

type=AVC msg=audit(1581580747.928:835): avc: denied { open } for pid=8927 comm="perf" scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=perf_event permissive=1
type=AVC msg=audit(1581580747.928:836): avc: denied { cpu } for pid=8927 comm="perf" scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=perf_event permissive=1
type=AVC msg=audit(1581580747.928:837): avc: denied { kernel } for pid=8927 comm="perf" scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=perf_event permissive=1
type=AVC msg=audit(1581580747.928:838): avc: denied { read } for pid=8927 comm="perf" scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=perf_event permissive=1
type=AVC msg=audit(1581580747.928:839): avc: denied { write } for pid=8927 comm="perf" scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=perf_event permissive=1
...

$ perf record -- ls
...
type=AVC msg=audit(1581580747.930:843): avc: denied { sys_ptrace } for pid=8927 comm="perf" capability=19 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability permissive=1
...

dmesg:

[ 276.714266] security_capable(000000006b09ad8a, 000000009dd7a5fc, CAP_PERFMON, 0) = ?
[ 276.714268] security_capable(000000006b09ad8a, 000000009dd7a5fc, CAP_PERFMON, 0) = -1
[ 276.714269] security_capable(000000006b09ad8a, 000000009dd7a5fc, CAP_SYS_ADMIN, 0) = ?
[ 276.714270] cread_has_capability(CAP_SYS_ADMIN) = 0
[ 276.714270] security_capable(000000006b09ad8a, 000000009dd7a5fc, CAP_SYS_ADMIN, 0) = 0
[ 276.714287] security_capable(000000006b09ad8a, 000000009dd7a5fc, CAP_PERFMON, 0) = ?
[ 276.714287] security_capable(000000006b09ad8a, 000000009dd7a5fc, CAP_PERFMON, 0) = -1
[ 276.714288] security_capable(000000006b09ad8a, 000000009dd7a5fc, CAP_SYS_ADMIN, 0) = ?
[ 276.714288] cread_has_capability(CAP_SYS_ADMIN) = 0
[ 276.714289] security_capable(000000006b09ad8a, 000000009dd7a5fc, CAP_SYS_ADMIN, 0) = 0
[ 276.714294] security_capable(000000006b09ad8a, 000000009dd7a5fc, CAP_PERFMON, 0) = ?
[ 276.714295] security_capable(000000006b09ad8a, 000000009dd7a5fc, CAP_PERFMON, 0) = -1
[ 276.714295] security_capable(000000006b09ad8a, 000000009dd7a5fc, CAP_SYS_ADMIN, 0) = ?
[ 276.714296] cread_has_capability(CAP_SYS_ADMIN) = 0
[ 276.714296] security_capable(000000006b09ad8a, 000000009dd7a5fc, CAP_SYS_ADMIN, 0) = 0
...

in unprivileged case:

$ getcap perf
perf =

$ perf stat -a; perf record -a
...

dmesg:

[ 947.275611] security_capable(00000000d3a75377, 000000009dd7a5fc, CAP_PERFMON, 0) = ?
[ 947.275613] security_capable(00000000d3a75377, 000000009dd7a5fc, CAP_PERFMON, 0) = -1
[ 947.275614] security_capable(00000000d3a75377, 000000009dd7a5fc, CAP_SYS_ADMIN, 0) = ?
[ 947.275615] security_capable(00000000d3a75377, 000000009dd7a5fc, CAP_SYS_ADMIN, 0) = -1
[ 947.275636] security_capable(00000000d3a75377, 000000009dd7a5fc, CAP_PERFMON, 0) = ?
[ 947.275637] security_capable(00000000d3a75377, 000000009dd7a5fc, CAP_PERFMON, 0) = -1
[ 947.275638] security_capable(00000000d3a75377, 000000009dd7a5fc, CAP_SYS_ADMIN, 0) = ?
[ 947.275638] security_capable(00000000d3a75377, 000000009dd7a5fc, CAP_SYS_ADMIN, 0) = -1
...

So it looks like CAP_PERFMON and CAP_SYS_ADMIN are not ever logged by AVC simultaneously,
in the current LSM and perfmon_capable() implementations.

If perfmon is granted:
        perfmon is not logged by capabilities, perfmon is logged by AVC,
        no check for sys_admin by perfmon_capable().

If perfmon is not granted but sys_admin is granted:
        perfmon is not logged by capabilities, AVC logging is not called for perfmon,
        sys_admin is not logged by capabilities, sys_admin is not logged by AVC, for some intended reason?

No caps are granted:
        AVC logging is not called either for perfmon or for sys_admin.

BTW, is there a way to maybe drop some AV cache so denials would appear in audit in the next AV access?

Well, I guess you have initially mentioned some case similar to this (note that ids are not the same but pids= are):

type=AVC msg=audit(1581580399.165:784): avc: denied { open } for pid=8859 comm="perf" scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=perf_event permissive=1
type=AVC msg=audit(1581580399.165:785): avc: denied { perfmon } for pid=8859 comm="perf" capability=38 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability2 permissive=1
type=AVC msg=audit( . : ): avc: denied { sys_admin } for pid=8859 comm="perf" capability=21 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability2 permissive=1
type=AVC msg=audit(1581580399.165:786): avc: denied { kernel } for pid=8859 comm="perf" scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=perf_event permissive=1
type=AVC msg=audit(1581580399.165:787): avc: denied { cpu } for pid=8859 comm="perf" scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=perf_event permissive=1
type=AVC msg=audit(1581580399.165:788): avc: denied { write } for pid=8859 comm="perf" scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=perf_event permissive=1
type=AVC msg=audit(1581580408.078:791): avc: denied { read } for pid=8859 comm="perf" scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=perf_event permissive=1

So the message could be like this:

"If audit logs for a process using perf_events related syscalls i.e. perf_event_open(), read(), write(), ioctl(), mmap()
contain denials both for CAP_PERFMON and CAP_SYS_ADMIN capabilities then providing the process with CAP_PERFMON
capability singly is the secure preferred approach to resolve access denials to performance monitoring and
observability operations."

~Alexey
Message-ID: <874115a9-fb11-b7f4-7e92-46aedc5f26af@linux.intel.com> Date: Thu, 13 Feb 2020 12:05:24 +0300 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.4.2 MIME-Version: 1.0 In-Reply-To: <46751eb9-deca-53cc-95fb-1602cfdf62a2@tycho.nsa.gov> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit X-BeenThere: linuxppc-dev@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux on PowerPC Developers Mail List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Mark Rutland , Song Liu , Peter Zijlstra , "joonas.lahtinen@linux.intel.com" , Will Deacon , Alexei Starovoitov , Stephane Eranian , "james.bottomley@hansenpartnership.com" , Paul Mackerras , Jiri Olsa , Alexei Starovoitov , Andi Kleen , Igor Lubashev , James Morris , Alexander Shishkin , Ingo Molnar , oprofile-list@lists.sf.net, Serge Hallyn , Robert Richter , "selinux@vger.kernel.org" , "intel-gfx@lists.freedesktop.org" , "jani.nikula@linux.intel.com" , Arnaldo Carvalho de Melo , "rodrigo.vivi@intel.com" , Namhyung Kim , Thomas Gleixner , linux-arm-kernel , "linux-parisc@vger.kernel.org" , linux-kernel , Lionel Landwerlin , Andy Lutomirski , "linux-perf-users@vger.kernel.org" , "linux-security-module@vger.kernel.org" , "linuxppc-dev@lists.ozlabs.org" Errors-To: linuxppc-dev-bounces+linuxppc-dev=archiver.kernel.org@lists.ozlabs.org Sender: "Linuxppc-dev" On 12.02.2020 20:09, Stephen Smalley wrote: > On 2/12/20 11:56 AM, Alexey Budankov wrote: >> >> >> On 12.02.2020 18:45, Stephen Smalley wrote: >>> On 2/12/20 10:21 AM, Stephen Smalley wrote: >>>> On 2/12/20 8:53 AM, Alexey Budankov wrote: >>>>> On 12.02.2020 16:32, Stephen Smalley wrote: >>>>>> On 2/12/20 3:53 AM, Alexey Budankov wrote: >>>>>>> Hi Stephen, >>>>>>> >>>>>>> On 22.01.2020 17:07, Stephen Smalley wrote: >>>>>>>> On 1/22/20 5:45 AM, Alexey Budankov wrote: >>>>>>>>> >>>>>>>>> On 21.01.2020 21:27, Alexey Budankov wrote: 
>>>>>>>>>> >>>>>>>>>> On 21.01.2020 20:55, Alexei Starovoitov wrote: >>>>>>>>>>> On Tue, Jan 21, 2020 at 9:31 AM Alexey Budankov >>>>>>>>>>> wrote: >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> On 21.01.2020 17:43, Stephen Smalley wrote: >>>>>>>>>>>>> On 1/20/20 6:23 AM, Alexey Budankov wrote: >>>>>>>>>>>>>> >>>>>>> >>>>>>>>>>>>>> Introduce CAP_PERFMON capability designed to secure system performance >>>>>>>>>>>>> >>>>>>>>>>>>> Why _noaudit()?  Normally only used when a permission failure is non-fatal to the operation.  Otherwise, we want the audit message. >>>>>>>>> >>>>>>>>> So far so good, I suggest using the simplest version for v6: >>>>>>>>> >>>>>>>>> static inline bool perfmon_capable(void) >>>>>>>>> { >>>>>>>>>        return capable(CAP_PERFMON) || capable(CAP_SYS_ADMIN); >>>>>>>>> } >>>>>>>>> >>>>>>>>> It keeps the implementation simple and readable. The implementation is more >>>>>>>>> performant in the sense of calling the API - one capable() call for CAP_PERFMON >>>>>>>>> privileged process. >>>>>>>>> >>>>>>>>> Yes, it bloats audit log for CAP_SYS_ADMIN privileged and unprivileged processes, >>>>>>>>> but this bloating also advertises and leverages using more secure CAP_PERFMON >>>>>>>>> based approach to use perf_event_open system call. >>>>>>>> >>>>>>>> I can live with that.  We just need to document that when you see both a CAP_PERFMON and a CAP_SYS_ADMIN audit message for a process, try only allowing CAP_PERFMON first and see if that resolves the issue.  We have a similar issue with CAP_DAC_READ_SEARCH versus CAP_DAC_OVERRIDE. >>>>>>> >>>>>>> I am trying to reproduce this double logging with CAP_PERFMON. >>>>>>> I am using the refpolicy version with enabled perf_event tclass [1], in permissive mode. 
>>>>>>> When running perf stat -a I am observing this AVC audit messages: >>>>>>> >>>>>>> type=AVC msg=audit(1581496695.666:8691): avc:  denied  { open } for  pid=2779 comm="perf" scontext=user_u:user_r:user_systemd_t tcontext=user_u:user_r:user_systemd_t tclass=perf_event permissive=1 >>>>>>> type=AVC msg=audit(1581496695.666:8691): avc:  denied  { kernel } for  pid=2779 comm="perf" scontext=user_u:user_r:user_systemd_t tcontext=user_u:user_r:user_systemd_t tclass=perf_event permissive=1 >>>>>>> type=AVC msg=audit(1581496695.666:8691): avc:  denied  { cpu } for  pid=2779 comm="perf" scontext=user_u:user_r:user_systemd_t tcontext=user_u:user_r:user_systemd_t tclass=perf_event permissive=1 >>>>>>> type=AVC msg=audit(1581496695.666:8692): avc:  denied  { write } for  pid=2779 comm="perf" scontext=user_u:user_r:user_systemd_t tcontext=user_u:user_r:user_systemd_t tclass=perf_event permissive=1 >>>>>>> >>>>>>> However there is no capability related messages around. I suppose my refpolicy should >>>>>>> be modified somehow to observe capability related AVCs. >>>>>>> >>>>>>> Could you please comment or clarify on how to enable caps related AVCs in order >>>>>>> to test the concerned logging. >>>>>> >>>>>> The new perfmon permission has to be defined in your policy; you'll have a message in dmesg about "Permission perfmon in class capability2 not defined in policy.".  You can either add it to the common cap2 definition in refpolicy/policy/flask/access_vectors and rebuild your policy or extract your base module as CIL, add it there, and insert the updated module. >>>>> >>>>> Yes, I already have it like this: >>>>> common cap2 >>>>> { >>>>> <------>mac_override<--># unused by SELinux >>>>> <------>mac_admin >>>>> <------>syslog >>>>> <------>wake_alarm >>>>> <------>block_suspend >>>>> <------>audit_read >>>>> <------>perfmon >>>>> } >>>>> >>>>> dmesg stopped reporting perfmon as not defined but audit.log still doesn't report CAP_PERFMON denials. 
>>>>> BTW, audit even doesn't report CAP_SYS_ADMIN denials, however perfmon_capable() does check for it. >>>> >>>> Some denials may be silenced by dontaudit rules; semodule -DB will strip those and semodule -B will restore them.  Other possibility is that the process doesn't have CAP_PERFMON in its effective set and therefore never reaches SELinux at all; denied first by the capability module. >>> >>> Also, the fact that your denials are showing up in user_systemd_t suggests that something is off in your policy or userspace/distro; I assume that is a domain type for the systemd --user instance, but your shell and commands shouldn't be running in that domain (user_t would be more appropriate for that). >> >> It is user_t for local terminal session: >> ps -Z >> LABEL                             PID TTY          TIME CMD >> user_u:user_r:user_t            11317 pts/9    00:00:00 bash >> user_u:user_r:user_t            11796 pts/9    00:00:00 ps >> >> For local terminal root session: >> ps -Z >> LABEL                             PID TTY          TIME CMD >> user_u:user_r:user_su_t          2926 pts/3    00:00:00 bash >> user_u:user_r:user_su_t         10995 pts/3    00:00:00 ps >> >> For remote ssh session: >> ps -Z >> LABEL                             PID TTY          TIME CMD >> user_u:user_r:user_t             7540 pts/8    00:00:00 ps >> user_u:user_r:user_systemd_t     8875 pts/8    00:00:00 bash > > That's a bug in either your policy or your userspace/distro integration.  In any event, unless user_systemd_t is allowed all capability2 permissions by your policy, you should see the denials if CAP_PERFMON is set in the effective capability set of the process. > That all seems to be true. 
After instrumentation, rebuilding and rebooting, in CAP_PERFMON case: $ getcap perf perf = cap_sys_ptrace,cap_syslog,cap_perfmon+ep $ perf stat -a type=AVC msg=audit(1581580399.165:784): avc: denied { open } for pid=8859 comm="perf" scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=perf_event permissive=1 type=AVC msg=audit(1581580399.165:785): avc: denied { perfmon } for pid=8859 comm="perf" capability=38 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability2 permissive=1 type=AVC msg=audit(1581580399.165:786): avc: denied { kernel } for pid=8859 comm="perf" scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=perf_event permissive=1 type=AVC msg=audit(1581580399.165:787): avc: denied { cpu } for pid=8859 comm="perf" scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=perf_event permissive=1 type=AVC msg=audit(1581580399.165:788): avc: denied { write } for pid=8859 comm="perf" scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=perf_event permissive=1 type=AVC msg=audit(1581580408.078:791): avc: denied { read } for pid=8859 comm="perf" scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=perf_event permissive=1 dmesg: [ 137.877713] security_capable(0000000071f7ee6e, 000000009dd7a5fc, CAP_PERFMON, 0) = ? [ 137.877774] cread_has_capability(CAP_PERFMON) = 0 [ 137.877775] prior avc_audit(CAP_PERFMON) [ 137.877779] security_capable(0000000071f7ee6e, 000000009dd7a5fc, CAP_PERFMON, 0) = 0 [ 137.877784] security_capable(0000000071f7ee6e, 000000009dd7a5fc, CAP_PERFMON, 0) = ? [ 137.877785] cread_has_capability(CAP_PERFMON) = 0 [ 137.877786] security_capable(0000000071f7ee6e, 000000009dd7a5fc, CAP_PERFMON, 0) = 0 [ 137.877794] security_capable(0000000071f7ee6e, 000000009dd7a5fc, CAP_PERFMON, 0) = ? [ 137.877795] cread_has_capability(CAP_PERFMON) = 0 [ 137.877796] security_capable(0000000071f7ee6e, 000000009dd7a5fc, CAP_PERFMON, 0) = 0 ... 
in CAP_SYS_ADMIN case: $ getcap perf perf = cap_sys_ptrace,cap_sys_admin,cap_syslog+ep $ perf stat -a type=AVC msg=audit(1581580747.928:835): avc: denied { open } for pid=8927 comm="perf" scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=perf_event permissive=1 type=AVC msg=audit(1581580747.928:836): avc: denied { cpu } for pid=8927 comm="perf" scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=perf_event permissive=1 type=AVC msg=audit(1581580747.928:837): avc: denied { kernel } for pid=8927 comm="perf" scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=perf_event permissive=1 type=AVC msg=audit(1581580747.928:838): avc: denied { read } for pid=8927 comm="perf" scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=perf_event permissive=1 type=AVC msg=audit(1581580747.928:839): avc: denied { write } for pid=8927 comm="perf" scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=perf_event permissive=1 ... $ perf record -- ls ... type=AVC msg=audit(1581580747.930:843): avc: denied { sys_ptrace } for pid=8927 comm="perf" capability=19 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability permissive=1 ... dmesg: [ 276.714266] security_capable(000000006b09ad8a, 000000009dd7a5fc, CAP_PERFMON, 0) = ? [ 276.714268] security_capable(000000006b09ad8a, 000000009dd7a5fc, CAP_PERFMON, 0) = -1 [ 276.714269] security_capable(000000006b09ad8a, 000000009dd7a5fc, CAP_SYS_ADMIN, 0) = ? [ 276.714270] cread_has_capability(CAP_SYS_ADMIN) = 0 [ 276.714270] security_capable(000000006b09ad8a, 000000009dd7a5fc, CAP_SYS_ADMIN, 0) = 0 [ 276.714287] security_capable(000000006b09ad8a, 000000009dd7a5fc, CAP_PERFMON, 0) = ? [ 276.714287] security_capable(000000006b09ad8a, 000000009dd7a5fc, CAP_PERFMON, 0) = -1 [ 276.714288] security_capable(000000006b09ad8a, 000000009dd7a5fc, CAP_SYS_ADMIN, 0) = ? 
[ 276.714288] cread_has_capability(CAP_SYS_ADMIN) = 0 [ 276.714289] security_capable(000000006b09ad8a, 000000009dd7a5fc, CAP_SYS_ADMIN, 0) = 0 [ 276.714294] security_capable(000000006b09ad8a, 000000009dd7a5fc, CAP_PERFMON, 0) = ? [ 276.714295] security_capable(000000006b09ad8a, 000000009dd7a5fc, CAP_PERFMON, 0) = -1 [ 276.714295] security_capable(000000006b09ad8a, 000000009dd7a5fc, CAP_SYS_ADMIN, 0) = ? [ 276.714296] cread_has_capability(CAP_SYS_ADMIN) = 0 [ 276.714296] security_capable(000000006b09ad8a, 000000009dd7a5fc, CAP_SYS_ADMIN, 0) = 0 ... in unprivileged case: $ getcap perf perf = $ perf stat -a; perf record -a ... dmesg: [ 947.275611] security_capable(00000000d3a75377, 000000009dd7a5fc, CAP_PERFMON, 0) = ? [ 947.275613] security_capable(00000000d3a75377, 000000009dd7a5fc, CAP_PERFMON, 0) = -1 [ 947.275614] security_capable(00000000d3a75377, 000000009dd7a5fc, CAP_SYS_ADMIN, 0) = ? [ 947.275615] security_capable(00000000d3a75377, 000000009dd7a5fc, CAP_SYS_ADMIN, 0) = -1 [ 947.275636] security_capable(00000000d3a75377, 000000009dd7a5fc, CAP_PERFMON, 0) = ? [ 947.275637] security_capable(00000000d3a75377, 000000009dd7a5fc, CAP_PERFMON, 0) = -1 [ 947.275638] security_capable(00000000d3a75377, 000000009dd7a5fc, CAP_SYS_ADMIN, 0) = ? [ 947.275638] security_capable(00000000d3a75377, 000000009dd7a5fc, CAP_SYS_ADMIN, 0) = -1 ... So it looks like CAP_PERFMON and CAP_SYS_ADMIN are not ever logged by AVC simultaneously, in the current LSM and perfmon_capable() implementations. If perfmon is granted: perfmon is not logged by capabilities, perfmon is logged by AVC, no check for sys_admin by perfmon_capable(). If perfmon is not granted but sys_admin is granted: perfmon is not logged by capabilities, AVC logging is not called for perfmon, sys_admin is not logged by capabilities, sys_admin is not logged by AVC, for some intended reason? No caps are granted: AVC logging is not called either for perfmon or for sys_admin. 
BTW, is there a way to may be drop some AV cache so denials would appear in audit in the next AV access? Well, I guess you have initially mentioned some case similar to this (note that ids are not the same but pids= are): type=AVC msg=audit(1581580399.165:784): avc: denied { open } for pid=8859 comm="perf" scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=perf_event permissive=1 type=AVC msg=audit(1581580399.165:785): avc: denied { perfmon } for pid=8859 comm="perf" capability=38 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability2 permissive=1 type=AVC msg=audit( . : ): avc: denied { sys_admin } for pid=8859 comm="perf" capability=21 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability2 permissive=1 type=AVC msg=audit(1581580399.165:786): avc: denied { kernel } for pid=8859 comm="perf" scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=perf_event permissive=1 type=AVC msg=audit(1581580399.165:787): avc: denied { cpu } for pid=8859 comm="perf" scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=perf_event permissive=1 type=AVC msg=audit(1581580399.165:788): avc: denied { write } for pid=8859 comm="perf" scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=perf_event permissive=1 type=AVC msg=audit(1581580408.078:791): avc: denied { read } for pid=8859 comm="perf" scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=perf_event permissive=1 So the message could be like this: "If audit logs for a process using perf_events related syscalls i.e. perf_event_open(), read(), write(), ioctl(), mmap() contain denials both for CAP_PERFMON and CAP_SYS_ADMIN capabilities then providing the process with CAP_PERFMON capability singly is the secure preferred approach to resolve access denials to performance monitoring and observability operations." 
~Alexey From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.2 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS,URIBL_BLOCKED,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 90A89C3B189 for ; Thu, 13 Feb 2020 09:05:42 +0000 (UTC) Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 620C02173E for ; Thu, 13 Feb 2020 09:05:42 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="TRhHaLx2" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 620C02173E Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=linux.intel.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+infradead-linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:Cc:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:Date: Message-ID:From:References:To:Subject:Reply-To:Content-ID:Content-Description :Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=wqi4gX07bw41rbfo+ePC+IIg3IEPlpLEQoBFN1FM/KA=; b=TRhHaLx2WtQCgH nnwnzYAihQnuRPpGmMGEU6+WVGPy8zUF8oFVUksK4eHBiZxCWHYoZRbGWMk2ZvGKxISr9caCu9lCA VDeIcm/UeJL7ZP+mB8C76OTjT0Ir2qXhhsrpdw3ZQpEqx5uyyG12FyyrjlWEWf4Xw+vhR2sa/oxtP 
24AGXH4dQhrlKTOLz9JEtriCdu/nQSon7OWI8FNyQHfXWOSkxwYhC+g25sY45YhbNXeULRLA3hulD PKiT/NNbv7TQm7Rq96eAMCoWSLg6j8oZOlO7ygdIvk+9IAOg2vQMLm+a0WGSHOr37NeVX3wcLfan7 y+xGbiUlHMNjb56wTMUA==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1j2ARJ-0000Ph-VO; Thu, 13 Feb 2020 09:05:41 +0000 Received: from mga12.intel.com ([192.55.52.136]) by bombadil.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1j2ARG-0000PE-Lg for linux-arm-kernel@lists.infradead.org; Thu, 13 Feb 2020 09:05:40 +0000 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga002.fm.intel.com ([10.253.24.26]) by fmsmga106.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Feb 2020 01:05:35 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.70,436,1574150400"; d="scan'208";a="267006589" Received: from linux.intel.com ([10.54.29.200]) by fmsmga002.fm.intel.com with ESMTP; 13 Feb 2020 01:05:33 -0800 Received: from [10.125.252.71] (abudanko-mobl.ccr.corp.intel.com [10.125.252.71]) by linux.intel.com (Postfix) with ESMTP id 49A115802C1; Thu, 13 Feb 2020 01:05:25 -0800 (PST) Subject: Re: [PATCH v5 01/10] capabilities: introduce CAP_PERFMON to kernel and user space To: Stephen Smalley References: <0548c832-7f4b-dc4c-8883-3f2b6d351a08@linux.intel.com> <9b77124b-675d-5ac7-3741-edec575bd425@linux.intel.com> <64cab472-806e-38c4-fb26-0ffbee485367@tycho.nsa.gov> <05297eff-8e14-ccdf-55a4-870c64516de8@linux.intel.com> <537bdb28-c9e4-f44f-d665-25250065a6bb@linux.intel.com> <63d9700f-231d-7973-5307-3e56a48c54cb@linux.intel.com> <2e38c33d-f085-1320-8cc2-45f74b6ad86d@linux.intel.com> <8141da2e-49cf-c02d-69e9-8a7cbdc91431@linux.intel.com> <7c367905-e8c9-7665-d923-c850e05c757a@tycho.nsa.gov> <280e6644-c129-15f6-ea5c-0f66bf764e0f@tycho.nsa.gov> <950cc6a4-5823-d607-1210-6f62c96cf67f@linux.intel.com> <46751eb9-deca-53cc-95fb-1602cfdf62a2@tycho.nsa.gov> From: Alexey Budankov Organization: 
Intel Corp. Message-ID: <874115a9-fb11-b7f4-7e92-46aedc5f26af@linux.intel.com> Date: Thu, 13 Feb 2020 12:05:24 +0300 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.4.2 MIME-Version: 1.0 In-Reply-To: <46751eb9-deca-53cc-95fb-1602cfdf62a2@tycho.nsa.gov> Content-Language: en-US X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20200213_010538_731636_0F048929 X-CRM114-Status: GOOD ( 20.16 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Mark Rutland , Song Liu , Peter Zijlstra , "benh@kernel.crashing.org" , "joonas.lahtinen@linux.intel.com" , Will Deacon , Alexei Starovoitov , Stephane Eranian , "james.bottomley@hansenpartnership.com" , Paul Mackerras , Jiri Olsa , Alexei Starovoitov , Andi Kleen , Michael Ellerman , Igor Lubashev , James Morris , Alexander Shishkin , Ingo Molnar , oprofile-list@lists.sf.net, Serge Hallyn , Robert Richter , "selinux@vger.kernel.org" , "intel-gfx@lists.freedesktop.org" , "jani.nikula@linux.intel.com" , Arnaldo Carvalho de Melo , "rodrigo.vivi@intel.com" , Namhyung Kim , Thomas Gleixner , linux-arm-kernel , "linux-parisc@vger.kernel.org" , linux-kernel , Lionel Landwerlin , Andy Lutomirski , "linux-perf-users@vger.kernel.org" , "linux-security-module@vger.kernel.org" , "linuxppc-dev@lists.ozlabs.org" Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+infradead-linux-arm-kernel=archiver.kernel.org@lists.infradead.org Ck9uIDEyLjAyLjIwMjAgMjA6MDksIFN0ZXBoZW4gU21hbGxleSB3cm90ZToKPiBPbiAyLzEyLzIw IDExOjU2IEFNLCBBbGV4ZXkgQnVkYW5rb3Ygd3JvdGU6Cj4+Cj4+Cj4+IE9uIDEyLjAyLjIwMjAg MTg6NDUsIFN0ZXBoZW4gU21hbGxleSB3cm90ZToKPj4+IE9uIDIvMTIvMjAgMTA6MjEgQU0sIFN0 ZXBoZW4gU21hbGxleSB3cm90ZToKPj4+PiBPbiAyLzEyLzIwIDg6NTMgQU0sIEFsZXhleSBCdWRh 
bmtvdiB3cm90ZToKPj4+Pj4gT24gMTIuMDIuMjAyMCAxNjozMiwgU3RlcGhlbiBTbWFsbGV5IHdy b3RlOgo+Pj4+Pj4gT24gMi8xMi8yMCAzOjUzIEFNLCBBbGV4ZXkgQnVkYW5rb3Ygd3JvdGU6Cj4+ Pj4+Pj4gSGkgU3RlcGhlbiwKPj4+Pj4+Pgo+Pj4+Pj4+IE9uIDIyLjAxLjIwMjAgMTc6MDcsIFN0 ZXBoZW4gU21hbGxleSB3cm90ZToKPj4+Pj4+Pj4gT24gMS8yMi8yMCA1OjQ1IEFNLCBBbGV4ZXkg QnVkYW5rb3Ygd3JvdGU6Cj4+Pj4+Pj4+Pgo+Pj4+Pj4+Pj4gT24gMjEuMDEuMjAyMCAyMToyNywg QWxleGV5IEJ1ZGFua292IHdyb3RlOgo+Pj4+Pj4+Pj4+Cj4+Pj4+Pj4+Pj4gT24gMjEuMDEuMjAy MCAyMDo1NSwgQWxleGVpIFN0YXJvdm9pdG92IHdyb3RlOgo+Pj4+Pj4+Pj4+PiBPbiBUdWUsIEph biAyMSwgMjAyMCBhdCA5OjMxIEFNIEFsZXhleSBCdWRhbmtvdgo+Pj4+Pj4+Pj4+PiA8YWxleGV5 LmJ1ZGFua292QGxpbnV4LmludGVsLmNvbT4gd3JvdGU6Cj4+Pj4+Pj4+Pj4+Pgo+Pj4+Pj4+Pj4+ Pj4KPj4+Pj4+Pj4+Pj4+IE9uIDIxLjAxLjIwMjAgMTc6NDMsIFN0ZXBoZW4gU21hbGxleSB3cm90 ZToKPj4+Pj4+Pj4+Pj4+PiBPbiAxLzIwLzIwIDY6MjMgQU0sIEFsZXhleSBCdWRhbmtvdiB3cm90 ZToKPj4+Pj4+Pj4+Pj4+Pj4KPj4+Pj4+PiA8U05JUD4KPj4+Pj4+Pj4+Pj4+Pj4gSW50cm9kdWNl IENBUF9QRVJGTU9OIGNhcGFiaWxpdHkgZGVzaWduZWQgdG8gc2VjdXJlIHN5c3RlbSBwZXJmb3Jt YW5jZQo+Pj4+Pj4+Pj4+Pj4+Cj4+Pj4+Pj4+Pj4+Pj4gV2h5IF9ub2F1ZGl0KCk/wqAgTm9ybWFs bHkgb25seSB1c2VkIHdoZW4gYSBwZXJtaXNzaW9uIGZhaWx1cmUgaXMgbm9uLWZhdGFsIHRvIHRo ZSBvcGVyYXRpb24uwqAgT3RoZXJ3aXNlLCB3ZSB3YW50IHRoZSBhdWRpdCBtZXNzYWdlLgo+Pj4+ Pj4+Pj4KPj4+Pj4+Pj4+IFNvIGZhciBzbyBnb29kLCBJIHN1Z2dlc3QgdXNpbmcgdGhlIHNpbXBs ZXN0IHZlcnNpb24gZm9yIHY2Ogo+Pj4+Pj4+Pj4KPj4+Pj4+Pj4+IHN0YXRpYyBpbmxpbmUgYm9v bCBwZXJmbW9uX2NhcGFibGUodm9pZCkKPj4+Pj4+Pj4+IHsKPj4+Pj4+Pj4+IMKgwqDCoMKgwqDC oMKgcmV0dXJuIGNhcGFibGUoQ0FQX1BFUkZNT04pIHx8IGNhcGFibGUoQ0FQX1NZU19BRE1JTik7 Cj4+Pj4+Pj4+PiB9Cj4+Pj4+Pj4+Pgo+Pj4+Pj4+Pj4gSXQga2VlcHMgdGhlIGltcGxlbWVudGF0 aW9uIHNpbXBsZSBhbmQgcmVhZGFibGUuIFRoZSBpbXBsZW1lbnRhdGlvbiBpcyBtb3JlCj4+Pj4+ Pj4+PiBwZXJmb3JtYW50IGluIHRoZSBzZW5zZSBvZiBjYWxsaW5nIHRoZSBBUEkgLSBvbmUgY2Fw YWJsZSgpIGNhbGwgZm9yIENBUF9QRVJGTU9OCj4+Pj4+Pj4+PiBwcml2aWxlZ2VkIHByb2Nlc3Mu Cj4+Pj4+Pj4+Pgo+Pj4+Pj4+Pj4gWWVzLCBpdCBibG9hdHMgYXVkaXQgbG9nIGZvciBDQVBfU1lT 
X0FETUlOIHByaXZpbGVnZWQgYW5kIHVucHJpdmlsZWdlZCBwcm9jZXNzZXMsCj4+Pj4+Pj4+PiBi dXQgdGhpcyBibG9hdGluZyBhbHNvIGFkdmVydGlzZXMgYW5kIGxldmVyYWdlcyB1c2luZyBtb3Jl IHNlY3VyZSBDQVBfUEVSRk1PTgo+Pj4+Pj4+Pj4gYmFzZWQgYXBwcm9hY2ggdG8gdXNlIHBlcmZf ZXZlbnRfb3BlbiBzeXN0ZW0gY2FsbC4KPj4+Pj4+Pj4KPj4+Pj4+Pj4gSSBjYW4gbGl2ZSB3aXRo IHRoYXQuwqAgV2UganVzdCBuZWVkIHRvIGRvY3VtZW50IHRoYXQgd2hlbiB5b3Ugc2VlIGJvdGgg YSBDQVBfUEVSRk1PTiBhbmQgYSBDQVBfU1lTX0FETUlOIGF1ZGl0IG1lc3NhZ2UgZm9yIGEgcHJv Y2VzcywgdHJ5IG9ubHkgYWxsb3dpbmcgQ0FQX1BFUkZNT04gZmlyc3QgYW5kIHNlZSBpZiB0aGF0 IHJlc29sdmVzIHRoZSBpc3N1ZS7CoCBXZSBoYXZlIGEgc2ltaWxhciBpc3N1ZSB3aXRoIENBUF9E QUNfUkVBRF9TRUFSQ0ggdmVyc3VzIENBUF9EQUNfT1ZFUlJJREUuCj4+Pj4+Pj4KPj4+Pj4+PiBJ IGFtIHRyeWluZyB0byByZXByb2R1Y2UgdGhpcyBkb3VibGUgbG9nZ2luZyB3aXRoIENBUF9QRVJG TU9OLgo+Pj4+Pj4+IEkgYW0gdXNpbmcgdGhlIHJlZnBvbGljeSB2ZXJzaW9uIHdpdGggZW5hYmxl ZCBwZXJmX2V2ZW50IHRjbGFzcyBbMV0sIGluIHBlcm1pc3NpdmUgbW9kZS4KPj4+Pj4+PiBXaGVu IHJ1bm5pbmcgcGVyZiBzdGF0IC1hIEkgYW0gb2JzZXJ2aW5nIHRoaXMgQVZDIGF1ZGl0IG1lc3Nh Z2VzOgo+Pj4+Pj4+Cj4+Pj4+Pj4gdHlwZT1BVkMgbXNnPWF1ZGl0KDE1ODE0OTY2OTUuNjY2Ojg2 OTEpOiBhdmM6wqAgZGVuaWVkwqAgeyBvcGVuIH0gZm9ywqAgcGlkPTI3NzkgY29tbT0icGVyZiIg c2NvbnRleHQ9dXNlcl91OnVzZXJfcjp1c2VyX3N5c3RlbWRfdCB0Y29udGV4dD11c2VyX3U6dXNl cl9yOnVzZXJfc3lzdGVtZF90IHRjbGFzcz1wZXJmX2V2ZW50IHBlcm1pc3NpdmU9MQo+Pj4+Pj4+ IHR5cGU9QVZDIG1zZz1hdWRpdCgxNTgxNDk2Njk1LjY2Njo4NjkxKTogYXZjOsKgIGRlbmllZMKg IHsga2VybmVsIH0gZm9ywqAgcGlkPTI3NzkgY29tbT0icGVyZiIgc2NvbnRleHQ9dXNlcl91OnVz ZXJfcjp1c2VyX3N5c3RlbWRfdCB0Y29udGV4dD11c2VyX3U6dXNlcl9yOnVzZXJfc3lzdGVtZF90 IHRjbGFzcz1wZXJmX2V2ZW50IHBlcm1pc3NpdmU9MQo+Pj4+Pj4+IHR5cGU9QVZDIG1zZz1hdWRp dCgxNTgxNDk2Njk1LjY2Njo4NjkxKTogYXZjOsKgIGRlbmllZMKgIHsgY3B1IH0gZm9ywqAgcGlk PTI3NzkgY29tbT0icGVyZiIgc2NvbnRleHQ9dXNlcl91OnVzZXJfcjp1c2VyX3N5c3RlbWRfdCB0 Y29udGV4dD11c2VyX3U6dXNlcl9yOnVzZXJfc3lzdGVtZF90IHRjbGFzcz1wZXJmX2V2ZW50IHBl cm1pc3NpdmU9MQo+Pj4+Pj4+IHR5cGU9QVZDIG1zZz1hdWRpdCgxNTgxNDk2Njk1LjY2Njo4Njky 
KTogYXZjOsKgIGRlbmllZMKgIHsgd3JpdGUgfSBmb3LCoCBwaWQ9Mjc3OSBjb21tPSJwZXJmIiBz Y29udGV4dD11c2VyX3U6dXNlcl9yOnVzZXJfc3lzdGVtZF90IHRjb250ZXh0PXVzZXJfdTp1c2Vy X3I6dXNlcl9zeXN0ZW1kX3QgdGNsYXNzPXBlcmZfZXZlbnQgcGVybWlzc2l2ZT0xCj4+Pj4+Pj4K Pj4+Pj4+PiBIb3dldmVyIHRoZXJlIGlzIG5vIGNhcGFiaWxpdHkgcmVsYXRlZCBtZXNzYWdlcyBh cm91bmQuIEkgc3VwcG9zZSBteSByZWZwb2xpY3kgc2hvdWxkCj4+Pj4+Pj4gYmUgbW9kaWZpZWQg c29tZWhvdyB0byBvYnNlcnZlIGNhcGFiaWxpdHkgcmVsYXRlZCBBVkNzLgo+Pj4+Pj4+Cj4+Pj4+ Pj4gQ291bGQgeW91IHBsZWFzZSBjb21tZW50IG9yIGNsYXJpZnkgb24gaG93IHRvIGVuYWJsZSBj YXBzIHJlbGF0ZWQgQVZDcyBpbiBvcmRlcgo+Pj4+Pj4+IHRvIHRlc3QgdGhlIGNvbmNlcm5lZCBs b2dnaW5nLgo+Pj4+Pj4KPj4+Pj4+IFRoZSBuZXcgcGVyZm1vbiBwZXJtaXNzaW9uIGhhcyB0byBi ZSBkZWZpbmVkIGluIHlvdXIgcG9saWN5OyB5b3UnbGwgaGF2ZSBhIG1lc3NhZ2UgaW4gZG1lc2cg YWJvdXQgIlBlcm1pc3Npb24gcGVyZm1vbiBpbiBjbGFzcyBjYXBhYmlsaXR5MiBub3QgZGVmaW5l ZCBpbiBwb2xpY3kuIi7CoCBZb3UgY2FuIGVpdGhlciBhZGQgaXQgdG8gdGhlIGNvbW1vbiBjYXAy IGRlZmluaXRpb24gaW4gcmVmcG9saWN5L3BvbGljeS9mbGFzay9hY2Nlc3NfdmVjdG9ycyBhbmQg cmVidWlsZCB5b3VyIHBvbGljeSBvciBleHRyYWN0IHlvdXIgYmFzZSBtb2R1bGUgYXMgQ0lMLCBh ZGQgaXQgdGhlcmUsIGFuZCBpbnNlcnQgdGhlIHVwZGF0ZWQgbW9kdWxlLgo+Pj4+Pgo+Pj4+PiBZ ZXMsIEkgYWxyZWFkeSBoYXZlIGl0IGxpa2UgdGhpczoKPj4+Pj4gY29tbW9uIGNhcDIKPj4+Pj4g ewo+Pj4+PiA8LS0tLS0tPm1hY19vdmVycmlkZTwtLT4jIHVudXNlZCBieSBTRUxpbnV4Cj4+Pj4+ IDwtLS0tLS0+bWFjX2FkbWluCj4+Pj4+IDwtLS0tLS0+c3lzbG9nCj4+Pj4+IDwtLS0tLS0+d2Fr ZV9hbGFybQo+Pj4+PiA8LS0tLS0tPmJsb2NrX3N1c3BlbmQKPj4+Pj4gPC0tLS0tLT5hdWRpdF9y ZWFkCj4+Pj4+IDwtLS0tLS0+cGVyZm1vbgo+Pj4+PiB9Cj4+Pj4+Cj4+Pj4+IGRtZXNnIHN0b3Bw ZWQgcmVwb3J0aW5nIHBlcmZtb24gYXMgbm90IGRlZmluZWQgYnV0IGF1ZGl0LmxvZyBzdGlsbCBk b2Vzbid0IHJlcG9ydCBDQVBfUEVSRk1PTiBkZW5pYWxzLgo+Pj4+PiBCVFcsIGF1ZGl0IGV2ZW4g ZG9lc24ndCByZXBvcnQgQ0FQX1NZU19BRE1JTiBkZW5pYWxzLCBob3dldmVyIHBlcmZtb25fY2Fw YWJsZSgpIGRvZXMgY2hlY2sgZm9yIGl0Lgo+Pj4+Cj4+Pj4gU29tZSBkZW5pYWxzIG1heSBiZSBz aWxlbmNlZCBieSBkb250YXVkaXQgcnVsZXM7IHNlbW9kdWxlIC1EQiB3aWxsIHN0cmlwIHRob3Nl 
IGFuZCBzZW1vZHVsZSAtQiB3aWxsIHJlc3RvcmUgdGhlbS7CoCBPdGhlciBwb3NzaWJpbGl0eSBp cyB0aGF0IHRoZSBwcm9jZXNzIGRvZXNuJ3QgaGF2ZSBDQVBfUEVSRk1PTiBpbiBpdHMgZWZmZWN0 aXZlIHNldCBhbmQgdGhlcmVmb3JlIG5ldmVyIHJlYWNoZXMgU0VMaW51eCBhdCBhbGw7IGRlbmll ZCBmaXJzdCBieSB0aGUgY2FwYWJpbGl0eSBtb2R1bGUuCj4+Pgo+Pj4gQWxzbywgdGhlIGZhY3Qg dGhhdCB5b3VyIGRlbmlhbHMgYXJlIHNob3dpbmcgdXAgaW4gdXNlcl9zeXN0ZW1kX3Qgc3VnZ2Vz dHMgdGhhdCBzb21ldGhpbmcgaXMgb2ZmIGluIHlvdXIgcG9saWN5IG9yIHVzZXJzcGFjZS9kaXN0 cm87IEkgYXNzdW1lIHRoYXQgaXMgYSBkb21haW4gdHlwZSBmb3IgdGhlIHN5c3RlbWQgLS11c2Vy IGluc3RhbmNlLCBidXQgeW91ciBzaGVsbCBhbmQgY29tbWFuZHMgc2hvdWxkbid0IGJlIHJ1bm5p bmcgaW4gdGhhdCBkb21haW4gKHVzZXJfdCB3b3VsZCBiZSBtb3JlIGFwcHJvcHJpYXRlIGZvciB0 aGF0KS4KPj4KPj4gSXQgaXMgdXNlcl90IGZvciBsb2NhbCB0ZXJtaW5hbCBzZXNzaW9uOgo+PiBw cyAtWgo+PiBMQUJFTMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKg wqDCoMKgwqDCoMKgIFBJRCBUVFnCoMKgwqDCoMKgwqDCoMKgwqAgVElNRSBDTUQKPj4gdXNlcl91 OnVzZXJfcjp1c2VyX3TCoMKgwqDCoMKgwqDCoMKgwqDCoMKgIDExMzE3IHB0cy85wqDCoMKgIDAw OjAwOjAwIGJhc2gKPj4gdXNlcl91OnVzZXJfcjp1c2VyX3TCoMKgwqDCoMKgwqDCoMKgwqDCoMKg IDExNzk2IHB0cy85wqDCoMKgIDAwOjAwOjAwIHBzCj4+Cj4+IEZvciBsb2NhbCB0ZXJtaW5hbCBy b290IHNlc3Npb246Cj4+IHBzIC1aCj4+IExBQkVMwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDC oMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgwqAgUElEIFRUWcKgwqDCoMKgwqDCoMKgwqDCoCBU SU1FIENNRAo+PiB1c2VyX3U6dXNlcl9yOnVzZXJfc3VfdMKgwqDCoMKgwqDCoMKgwqDCoCAyOTI2 IHB0cy8zwqDCoMKgIDAwOjAwOjAwIGJhc2gKPj4gdXNlcl91OnVzZXJfcjp1c2VyX3N1X3TCoMKg wqDCoMKgwqDCoMKgIDEwOTk1IHB0cy8zwqDCoMKgIDAwOjAwOjAwIHBzCj4+Cj4+IEZvciByZW1v dGUgc3NoIHNlc3Npb246Cj4+IHBzIC1aCj4+IExBQkVMwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKg wqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgwqAgUElEIFRUWcKgwqDCoMKgwqDCoMKgwqDC oCBUSU1FIENNRAo+PiB1c2VyX3U6dXNlcl9yOnVzZXJfdMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDC oCA3NTQwIHB0cy84wqDCoMKgIDAwOjAwOjAwIHBzCj4+IHVzZXJfdTp1c2VyX3I6dXNlcl9zeXN0 ZW1kX3TCoMKgwqDCoCA4ODc1IHB0cy84wqDCoMKgIDAwOjAwOjAwIGJhc2gKPiAKPiBUaGF0J3Mg 
YSBidWcgaW4gZWl0aGVyIHlvdXIgcG9saWN5IG9yIHlvdXIgdXNlcnNwYWNlL2Rpc3RybyBpbnRl Z3JhdGlvbi4gwqBJbiBhbnkgZXZlbnQsIHVubGVzcyB1c2VyX3N5c3RlbWRfdCBpcyBhbGxvd2Vk IGFsbCBjYXBhYmlsaXR5MiBwZXJtaXNzaW9ucyBieSB5b3VyIHBvbGljeSwgeW91IHNob3VsZCBz ZWUgdGhlIGRlbmlhbHMgaWYgQ0FQX1BFUkZNT04gaXMgc2V0IGluIHRoZSBlZmZlY3RpdmUgY2Fw YWJpbGl0eSBzZXQgb2YgdGhlIHByb2Nlc3MuCj4gCgpUaGF0IGFsbCBzZWVtcyB0byBiZSB0cnVl LiBBZnRlciBpbnN0cnVtZW50YXRpb24sIHJlYnVpbGRpbmcgYW5kIHJlYm9vdGluZywgaW4gQ0FQ X1BFUkZNT04gY2FzZToKCiQgZ2V0Y2FwIHBlcmYKcGVyZiA9IGNhcF9zeXNfcHRyYWNlLGNhcF9z eXNsb2csY2FwX3BlcmZtb24rZXAKCiQgcGVyZiBzdGF0IC1hCgp0eXBlPUFWQyBtc2c9YXVkaXQo MTU4MTU4MDM5OS4xNjU6Nzg0KTogYXZjOiAgZGVuaWVkICB7IG9wZW4gfSBmb3IgIHBpZD04ODU5 IGNvbW09InBlcmYiIHNjb250ZXh0PXVzZXJfdTp1c2VyX3I6dXNlcl90IHRjb250ZXh0PXVzZXJf dTp1c2VyX3I6dXNlcl90IHRjbGFzcz1wZXJmX2V2ZW50IHBlcm1pc3NpdmU9MQp0eXBlPUFWQyBt c2c9YXVkaXQoMTU4MTU4MDM5OS4xNjU6Nzg1KTogYXZjOiAgZGVuaWVkICB7IHBlcmZtb24gfSBm b3IgIHBpZD04ODU5IGNvbW09InBlcmYiIGNhcGFiaWxpdHk9MzggIHNjb250ZXh0PXVzZXJfdTp1 c2VyX3I6dXNlcl90IHRjb250ZXh0PXVzZXJfdTp1c2VyX3I6dXNlcl90IHRjbGFzcz1jYXBhYmls aXR5MiBwZXJtaXNzaXZlPTEKdHlwZT1BVkMgbXNnPWF1ZGl0KDE1ODE1ODAzOTkuMTY1Ojc4Nik6 IGF2YzogIGRlbmllZCAgeyBrZXJuZWwgfSBmb3IgIHBpZD04ODU5IGNvbW09InBlcmYiIHNjb250 ZXh0PXVzZXJfdTp1c2VyX3I6dXNlcl90IHRjb250ZXh0PXVzZXJfdTp1c2VyX3I6dXNlcl90IHRj bGFzcz1wZXJmX2V2ZW50IHBlcm1pc3NpdmU9MQp0eXBlPUFWQyBtc2c9YXVkaXQoMTU4MTU4MDM5 OS4xNjU6Nzg3KTogYXZjOiAgZGVuaWVkICB7IGNwdSB9IGZvciAgcGlkPTg4NTkgY29tbT0icGVy ZiIgc2NvbnRleHQ9dXNlcl91OnVzZXJfcjp1c2VyX3QgdGNvbnRleHQ9dXNlcl91OnVzZXJfcjp1 c2VyX3QgdGNsYXNzPXBlcmZfZXZlbnQgcGVybWlzc2l2ZT0xCnR5cGU9QVZDIG1zZz1hdWRpdCgx NTgxNTgwMzk5LjE2NTo3ODgpOiBhdmM6ICBkZW5pZWQgIHsgd3JpdGUgfSBmb3IgIHBpZD04ODU5 IGNvbW09InBlcmYiIHNjb250ZXh0PXVzZXJfdTp1c2VyX3I6dXNlcl90IHRjb250ZXh0PXVzZXJf dTp1c2VyX3I6dXNlcl90IHRjbGFzcz1wZXJmX2V2ZW50IHBlcm1pc3NpdmU9MQp0eXBlPUFWQyBt c2c9YXVkaXQoMTU4MTU4MDQwOC4wNzg6NzkxKTogYXZjOiAgZGVuaWVkICB7IHJlYWQgfSBmb3Ig 
IHBpZD04ODU5IGNvbW09InBlcmYiIHNjb250ZXh0PXVzZXJfdTp1c2VyX3I6dXNlcl90IHRjb250 ZXh0PXVzZXJfdTp1c2VyX3I6dXNlcl90IHRjbGFzcz1wZXJmX2V2ZW50IHBlcm1pc3NpdmU9MQoK ZG1lc2c6CgpbICAxMzcuODc3NzEzXSBzZWN1cml0eV9jYXBhYmxlKDAwMDAwMDAwNzFmN2VlNmUs IDAwMDAwMDAwOWRkN2E1ZmMsIENBUF9QRVJGTU9OLCAwKSA9ID8KWyAgMTM3Ljg3Nzc3NF0gY3Jl YWRfaGFzX2NhcGFiaWxpdHkoQ0FQX1BFUkZNT04pID0gMApbICAxMzcuODc3Nzc1XSBwcmlvciBh dmNfYXVkaXQoQ0FQX1BFUkZNT04pClsgIDEzNy44Nzc3NzldIHNlY3VyaXR5X2NhcGFibGUoMDAw MDAwMDA3MWY3ZWU2ZSwgMDAwMDAwMDA5ZGQ3YTVmYywgQ0FQX1BFUkZNT04sIDApID0gMAoKWyAg MTM3Ljg3Nzc4NF0gc2VjdXJpdHlfY2FwYWJsZSgwMDAwMDAwMDcxZjdlZTZlLCAwMDAwMDAwMDlk ZDdhNWZjLCBDQVBfUEVSRk1PTiwgMCkgPSA/ClsgIDEzNy44Nzc3ODVdIGNyZWFkX2hhc19jYXBh YmlsaXR5KENBUF9QRVJGTU9OKSA9IDAKWyAgMTM3Ljg3Nzc4Nl0gc2VjdXJpdHlfY2FwYWJsZSgw MDAwMDAwMDcxZjdlZTZlLCAwMDAwMDAwMDlkZDdhNWZjLCBDQVBfUEVSRk1PTiwgMCkgPSAwCgpb ICAxMzcuODc3Nzk0XSBzZWN1cml0eV9jYXBhYmxlKDAwMDAwMDAwNzFmN2VlNmUsIDAwMDAwMDAw OWRkN2E1ZmMsIENBUF9QRVJGTU9OLCAwKSA9ID8KWyAgMTM3Ljg3Nzc5NV0gY3JlYWRfaGFzX2Nh cGFiaWxpdHkoQ0FQX1BFUkZNT04pID0gMApbICAxMzcuODc3Nzk2XSBzZWN1cml0eV9jYXBhYmxl KDAwMDAwMDAwNzFmN2VlNmUsIDAwMDAwMDAwOWRkN2E1ZmMsIENBUF9QRVJGTU9OLCAwKSA9IDAK Ci4uLgoKaW4gQ0FQX1NZU19BRE1JTiBjYXNlOgoKJCBnZXRjYXAgcGVyZgpwZXJmID0gY2FwX3N5 c19wdHJhY2UsY2FwX3N5c19hZG1pbixjYXBfc3lzbG9nK2VwCgokIHBlcmYgc3RhdCAtYQoKdHlw ZT1BVkMgbXNnPWF1ZGl0KDE1ODE1ODA3NDcuOTI4OjgzNSk6IGF2YzogIGRlbmllZCAgeyBvcGVu IH0gZm9yICBwaWQ9ODkyNyBjb21tPSJwZXJmIiBzY29udGV4dD11c2VyX3U6dXNlcl9yOnVzZXJf dCB0Y29udGV4dD11c2VyX3U6dXNlcl9yOnVzZXJfdCB0Y2xhc3M9cGVyZl9ldmVudCBwZXJtaXNz aXZlPTEKdHlwZT1BVkMgbXNnPWF1ZGl0KDE1ODE1ODA3NDcuOTI4OjgzNik6IGF2YzogIGRlbmll ZCAgeyBjcHUgfSBmb3IgIHBpZD04OTI3IGNvbW09InBlcmYiIHNjb250ZXh0PXVzZXJfdTp1c2Vy X3I6dXNlcl90IHRjb250ZXh0PXVzZXJfdTp1c2VyX3I6dXNlcl90IHRjbGFzcz1wZXJmX2V2ZW50 IHBlcm1pc3NpdmU9MQp0eXBlPUFWQyBtc2c9YXVkaXQoMTU4MTU4MDc0Ny45Mjg6ODM3KTogYXZj OiAgZGVuaWVkICB7IGtlcm5lbCB9IGZvciAgcGlkPTg5MjcgY29tbT0icGVyZiIgc2NvbnRleHQ9 
dXNlcl91OnVzZXJfcjp1c2VyX3QgdGNvbnRleHQ9dXNlcl91OnVzZXJfcjp1c2VyX3QgdGNsYXNz PXBlcmZfZXZlbnQgcGVybWlzc2l2ZT0xCnR5cGU9QVZDIG1zZz1hdWRpdCgxNTgxNTgwNzQ3Ljky ODo4MzgpOiBhdmM6ICBkZW5pZWQgIHsgcmVhZCB9IGZvciAgcGlkPTg5MjcgY29tbT0icGVyZiIg c2NvbnRleHQ9dXNlcl91OnVzZXJfcjp1c2VyX3QgdGNvbnRleHQ9dXNlcl91OnVzZXJfcjp1c2Vy X3QgdGNsYXNzPXBlcmZfZXZlbnQgcGVybWlzc2l2ZT0xCnR5cGU9QVZDIG1zZz1hdWRpdCgxNTgx NTgwNzQ3LjkyODo4MzkpOiBhdmM6ICBkZW5pZWQgIHsgd3JpdGUgfSBmb3IgIHBpZD04OTI3IGNv bW09InBlcmYiIHNjb250ZXh0PXVzZXJfdTp1c2VyX3I6dXNlcl90IHRjb250ZXh0PXVzZXJfdTp1 c2VyX3I6dXNlcl90IHRjbGFzcz1wZXJmX2V2ZW50IHBlcm1pc3NpdmU9MQouLi4KCiQgcGVyZiBy ZWNvcmQgLS0gbHMKLi4uCnR5cGU9QVZDIG1zZz1hdWRpdCgxNTgxNTgwNzQ3LjkzMDo4NDMpOiBh dmM6ICBkZW5pZWQgIHsgc3lzX3B0cmFjZSB9IGZvciAgcGlkPTg5MjcgY29tbT0icGVyZiIgY2Fw YWJpbGl0eT0xOSAgc2NvbnRleHQ9dXNlcl91OnVzZXJfcjp1c2VyX3QgdGNvbnRleHQ9dXNlcl91 OnVzZXJfcjp1c2VyX3QgdGNsYXNzPWNhcGFiaWxpdHkgcGVybWlzc2l2ZT0xCi4uLgoKZG1lc2c6 CgpbICAyNzYuNzE0MjY2XSBzZWN1cml0eV9jYXBhYmxlKDAwMDAwMDAwNmIwOWFkOGEsIDAwMDAw MDAwOWRkN2E1ZmMsIENBUF9QRVJGTU9OLCAwKSA9ID8KWyAgMjc2LjcxNDI2OF0gc2VjdXJpdHlf Y2FwYWJsZSgwMDAwMDAwMDZiMDlhZDhhLCAwMDAwMDAwMDlkZDdhNWZjLCBDQVBfUEVSRk1PTiwg MCkgPSAtMQoKWyAgMjc2LjcxNDI2OV0gc2VjdXJpdHlfY2FwYWJsZSgwMDAwMDAwMDZiMDlhZDhh LCAwMDAwMDAwMDlkZDdhNWZjLCBDQVBfU1lTX0FETUlOLCAwKSA9ID8KWyAgMjc2LjcxNDI3MF0g Y3JlYWRfaGFzX2NhcGFiaWxpdHkoQ0FQX1NZU19BRE1JTikgPSAwClsgIDI3Ni43MTQyNzBdIHNl Y3VyaXR5X2NhcGFibGUoMDAwMDAwMDA2YjA5YWQ4YSwgMDAwMDAwMDA5ZGQ3YTVmYywgQ0FQX1NZ U19BRE1JTiwgMCkgPSAwCgpbICAyNzYuNzE0Mjg3XSBzZWN1cml0eV9jYXBhYmxlKDAwMDAwMDAw NmIwOWFkOGEsIDAwMDAwMDAwOWRkN2E1ZmMsIENBUF9QRVJGTU9OLCAwKSA9ID8KWyAgMjc2Ljcx NDI4N10gc2VjdXJpdHlfY2FwYWJsZSgwMDAwMDAwMDZiMDlhZDhhLCAwMDAwMDAwMDlkZDdhNWZj LCBDQVBfUEVSRk1PTiwgMCkgPSAtMQoKWyAgMjc2LjcxNDI4OF0gc2VjdXJpdHlfY2FwYWJsZSgw MDAwMDAwMDZiMDlhZDhhLCAwMDAwMDAwMDlkZDdhNWZjLCBDQVBfU1lTX0FETUlOLCAwKSA9ID8K WyAgMjc2LjcxNDI4OF0gY3JlYWRfaGFzX2NhcGFiaWxpdHkoQ0FQX1NZU19BRE1JTikgPSAwClsg 
IDI3Ni43MTQyODldIHNlY3VyaXR5X2NhcGFibGUoMDAwMDAwMDA2YjA5YWQ4YSwgMDAwMDAwMDA5 ZGQ3YTVmYywgQ0FQX1NZU19BRE1JTiwgMCkgPSAwCgpbICAyNzYuNzE0Mjk0XSBzZWN1cml0eV9j YXBhYmxlKDAwMDAwMDAwNmIwOWFkOGEsIDAwMDAwMDAwOWRkN2E1ZmMsIENBUF9QRVJGTU9OLCAw KSA9ID8KWyAgMjc2LjcxNDI5NV0gc2VjdXJpdHlfY2FwYWJsZSgwMDAwMDAwMDZiMDlhZDhhLCAw MDAwMDAwMDlkZDdhNWZjLCBDQVBfUEVSRk1PTiwgMCkgPSAtMQoKWyAgMjc2LjcxNDI5NV0gc2Vj dXJpdHlfY2FwYWJsZSgwMDAwMDAwMDZiMDlhZDhhLCAwMDAwMDAwMDlkZDdhNWZjLCBDQVBfU1lT X0FETUlOLCAwKSA9ID8KWyAgMjc2LjcxNDI5Nl0gY3JlYWRfaGFzX2NhcGFiaWxpdHkoQ0FQX1NZ U19BRE1JTikgPSAwClsgIDI3Ni43MTQyOTZdIHNlY3VyaXR5X2NhcGFibGUoMDAwMDAwMDA2YjA5 YWQ4YSwgMDAwMDAwMDA5ZGQ3YTVmYywgQ0FQX1NZU19BRE1JTiwgMCkgPSAwCgouLi4KCmluIHVu cHJpdmlsZWdlZCBjYXNlOgoKJCBnZXRjYXAgcGVyZgpwZXJmID0KCiQgcGVyZiBzdGF0IC1hOyBw ZXJmIHJlY29yZCAtYQoKLi4uCgpkbWVzZzoKClsgIDk0Ny4yNzU2MTFdIHNlY3VyaXR5X2NhcGFi bGUoMDAwMDAwMDBkM2E3NTM3NywgMDAwMDAwMDA5ZGQ3YTVmYywgQ0FQX1BFUkZNT04sIDApID0g PwpbICA5NDcuMjc1NjEzXSBzZWN1cml0eV9jYXBhYmxlKDAwMDAwMDAwZDNhNzUzNzcsIDAwMDAw MDAwOWRkN2E1ZmMsIENBUF9QRVJGTU9OLCAwKSA9IC0xCgpbICA5NDcuMjc1NjE0XSBzZWN1cml0 eV9jYXBhYmxlKDAwMDAwMDAwZDNhNzUzNzcsIDAwMDAwMDAwOWRkN2E1ZmMsIENBUF9TWVNfQURN SU4sIDApID0gPwpbICA5NDcuMjc1NjE1XSBzZWN1cml0eV9jYXBhYmxlKDAwMDAwMDAwZDNhNzUz NzcsIDAwMDAwMDAwOWRkN2E1ZmMsIENBUF9TWVNfQURNSU4sIDApID0gLTEKClsgIDk0Ny4yNzU2 MzZdIHNlY3VyaXR5X2NhcGFibGUoMDAwMDAwMDBkM2E3NTM3NywgMDAwMDAwMDA5ZGQ3YTVmYywg Q0FQX1BFUkZNT04sIDApID0gPwpbICA5NDcuMjc1NjM3XSBzZWN1cml0eV9jYXBhYmxlKDAwMDAw MDAwZDNhNzUzNzcsIDAwMDAwMDAwOWRkN2E1ZmMsIENBUF9QRVJGTU9OLCAwKSA9IC0xCgpbICA5 NDcuMjc1NjM4XSBzZWN1cml0eV9jYXBhYmxlKDAwMDAwMDAwZDNhNzUzNzcsIDAwMDAwMDAwOWRk N2E1ZmMsIENBUF9TWVNfQURNSU4sIDApID0gPwpbICA5NDcuMjc1NjM4XSBzZWN1cml0eV9jYXBh YmxlKDAwMDAwMDAwZDNhNzUzNzcsIDAwMDAwMDAwOWRkN2E1ZmMsIENBUF9TWVNfQURNSU4sIDAp ID0gLTEKCi4uLgoKU28gaXQgbG9va3MgbGlrZSBDQVBfUEVSRk1PTiBhbmQgQ0FQX1NZU19BRE1J TiBhcmUgbm90IGV2ZXIgbG9nZ2VkIGJ5IEFWQyBzaW11bHRhbmVvdXNseSwKaW4gdGhlIGN1cnJl 
bnQgTFNNIGFuZCBwZXJmbW9uX2NhcGFibGUoKSBpbXBsZW1lbnRhdGlvbnMuCgpJZiBwZXJmbW9u IGlzIGdyYW50ZWQ6CglwZXJmbW9uIGlzIG5vdCBsb2dnZWQgYnkgY2FwYWJpbGl0aWVzLCBwZXJm bW9uIGlzIGxvZ2dlZCBieSBBVkMsCglubyBjaGVjayBmb3Igc3lzX2FkbWluIGJ5IHBlcmZtb25f Y2FwYWJsZSgpLgoKSWYgcGVyZm1vbiBpcyBub3QgZ3JhbnRlZCBidXQgc3lzX2FkbWluIGlzIGdy YW50ZWQ6CglwZXJmbW9uIGlzIG5vdCBsb2dnZWQgYnkgY2FwYWJpbGl0aWVzLCBBVkMgbG9nZ2lu ZyBpcyBub3QgY2FsbGVkIGZvciBwZXJmbW9uLAoJc3lzX2FkbWluIGlzIG5vdCBsb2dnZWQgYnkg Y2FwYWJpbGl0aWVzLCBzeXNfYWRtaW4gaXMgbm90IGxvZ2dlZCBieSBBVkMsIGZvciBzb21lIGlu dGVuZGVkIHJlYXNvbj8KCk5vIGNhcHMgYXJlIGdyYW50ZWQ6CglBVkMgbG9nZ2luZyBpcyBub3Qg Y2FsbGVkIGVpdGhlciBmb3IgcGVyZm1vbiBvciBmb3Igc3lzX2FkbWluLgoKQlRXLCBpcyB0aGVy ZSBhIHdheSB0byBtYXkgYmUgZHJvcCBzb21lIEFWIGNhY2hlIHNvIGRlbmlhbHMgd291bGQgYXBw ZWFyIGluIGF1ZGl0IGluIHRoZSBuZXh0IEFWIGFjY2Vzcz8KCldlbGwsIEkgZ3Vlc3MgeW91IGhh dmUgaW5pdGlhbGx5IG1lbnRpb25lZCBzb21lIGNhc2Ugc2ltaWxhciB0byB0aGlzIChub3RlIHRo YXQgaWRzIGFyZSBub3QgdGhlIHNhbWUgYnV0IHBpZHM9IGFyZSk6Cgp0eXBlPUFWQyBtc2c9YXVk aXQoMTU4MTU4MDM5OS4xNjU6Nzg0KTogYXZjOiAgZGVuaWVkICB7IG9wZW4gfSBmb3IgIHBpZD04 ODU5IGNvbW09InBlcmYiIHNjb250ZXh0PXVzZXJfdTp1c2VyX3I6dXNlcl90IHRjb250ZXh0PXVz ZXJfdTp1c2VyX3I6dXNlcl90IHRjbGFzcz1wZXJmX2V2ZW50IHBlcm1pc3NpdmU9MQp0eXBlPUFW QyBtc2c9YXVkaXQoMTU4MTU4MDM5OS4xNjU6Nzg1KTogYXZjOiAgZGVuaWVkICB7IHBlcmZtb24g fSBmb3IgIHBpZD04ODU5IGNvbW09InBlcmYiIGNhcGFiaWxpdHk9MzggIHNjb250ZXh0PXVzZXJf dTp1c2VyX3I6dXNlcl90IHRjb250ZXh0PXVzZXJfdTp1c2VyX3I6dXNlcl90IHRjbGFzcz1jYXBh YmlsaXR5MiBwZXJtaXNzaXZlPTEKdHlwZT1BVkMgbXNnPWF1ZGl0KCAgICAgICAgICAuICAgOiAg ICk6IGF2YzogIGRlbmllZCAgeyBzeXNfYWRtaW4gfSBmb3IgIHBpZD04ODU5IGNvbW09InBlcmYi IGNhcGFiaWxpdHk9MjEgIHNjb250ZXh0PXVzZXJfdTp1c2VyX3I6dXNlcl90IHRjb250ZXh0PXVz ZXJfdTp1c2VyX3I6dXNlcl90IHRjbGFzcz1jYXBhYmlsaXR5MiBwZXJtaXNzaXZlPTEKdHlwZT1B VkMgbXNnPWF1ZGl0KDE1ODE1ODAzOTkuMTY1Ojc4Nik6IGF2YzogIGRlbmllZCAgeyBrZXJuZWwg fSBmb3IgIHBpZD04ODU5IGNvbW09InBlcmYiIHNjb250ZXh0PXVzZXJfdTp1c2VyX3I6dXNlcl90 
IHRjb250ZXh0PXVzZXJfdTp1c2VyX3I6dXNlcl90IHRjbGFzcz1wZXJmX2V2ZW50IHBlcm1pc3Np dmU9MQp0eXBlPUFWQyBtc2c9YXVkaXQoMTU4MTU4MDM5OS4xNjU6Nzg3KTogYXZjOiAgZGVuaWVk ICB7IGNwdSB9IGZvciAgcGlkPTg4NTkgY29tbT0icGVyZiIgc2NvbnRleHQ9dXNlcl91OnVzZXJf cjp1c2VyX3QgdGNvbnRleHQ9dXNlcl91OnVzZXJfcjp1c2VyX3QgdGNsYXNzPXBlcmZfZXZlbnQg cGVybWlzc2l2ZT0xCnR5cGU9QVZDIG1zZz1hdWRpdCgxNTgxNTgwMzk5LjE2NTo3ODgpOiBhdmM6 ICBkZW5pZWQgIHsgd3JpdGUgfSBmb3IgIHBpZD04ODU5IGNvbW09InBlcmYiIHNjb250ZXh0PXVz ZXJfdTp1c2VyX3I6dXNlcl90IHRjb250ZXh0PXVzZXJfdTp1c2VyX3I6dXNlcl90IHRjbGFzcz1w ZXJmX2V2ZW50IHBlcm1pc3NpdmU9MQp0eXBlPUFWQyBtc2c9YXVkaXQoMTU4MTU4MDQwOC4wNzg6 NzkxKTogYXZjOiAgZGVuaWVkICB7IHJlYWQgfSBmb3IgIHBpZD04ODU5IGNvbW09InBlcmYiIHNj b250ZXh0PXVzZXJfdTp1c2VyX3I6dXNlcl90IHRjb250ZXh0PXVzZXJfdTp1c2VyX3I6dXNlcl90 IHRjbGFzcz1wZXJmX2V2ZW50IHBlcm1pc3NpdmU9MQoKU28gdGhlIG1lc3NhZ2UgY291bGQgYmUg bGlrZSB0aGlzOgoKIklmIGF1ZGl0IGxvZ3MgZm9yIGEgcHJvY2VzcyB1c2luZyBwZXJmX2V2ZW50 cyByZWxhdGVkIHN5c2NhbGxzIGkuZS4gcGVyZl9ldmVudF9vcGVuKCksIHJlYWQoKSwgd3JpdGUo KSwKIGlvY3RsKCksIG1tYXAoKSBjb250YWluIGRlbmlhbHMgYm90aCBmb3IgQ0FQX1BFUkZNT04g YW5kIENBUF9TWVNfQURNSU4gY2FwYWJpbGl0aWVzIHRoZW4gcHJvdmlkaW5nIHRoZQogcHJvY2Vz cyB3aXRoIENBUF9QRVJGTU9OIGNhcGFiaWxpdHkgc2luZ2x5IGlzIHRoZSBzZWN1cmUgcHJlZmVy cmVkIGFwcHJvYWNoIHRvIHJlc29sdmUgYWNjZXNzIGRlbmlhbHMgCiB0byBwZXJmb3JtYW5jZSBt b25pdG9yaW5nIGFuZCBvYnNlcnZhYmlsaXR5IG9wZXJhdGlvbnMuIgoKfkFsZXhleQoKX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KbGludXgtYXJtLWtlcm5l bCBtYWlsaW5nIGxpc3QKbGludXgtYXJtLWtlcm5lbEBsaXN0cy5pbmZyYWRlYWQub3JnCmh0dHA6 Ly9saXN0cy5pbmZyYWRlYWQub3JnL21haWxtYW4vbGlzdGluZm8vbGludXgtYXJtLWtlcm5lbAo= From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.2 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: 
from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5E19EC2BA83 for ; Thu, 13 Feb 2020 09:05:38 +0000 (UTC) Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 35B1F20848 for ; Thu, 13 Feb 2020 09:05:38 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 35B1F20848 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=linux.intel.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=intel-gfx-bounces@lists.freedesktop.org Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id D0C306F571; Thu, 13 Feb 2020 09:05:37 +0000 (UTC) Received: from mga04.intel.com (mga04.intel.com [192.55.52.120]) by gabe.freedesktop.org (Postfix) with ESMTPS id 28D976F571 for ; Thu, 13 Feb 2020 09:05:36 +0000 (UTC) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga002.fm.intel.com ([10.253.24.26]) by fmsmga104.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Feb 2020 01:05:35 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.70,436,1574150400"; d="scan'208";a="267006589" Received: from linux.intel.com ([10.54.29.200]) by fmsmga002.fm.intel.com with ESMTP; 13 Feb 2020 01:05:33 -0800 Received: from [10.125.252.71] (abudanko-mobl.ccr.corp.intel.com [10.125.252.71]) by linux.intel.com (Postfix) with ESMTP id 49A115802C1; Thu, 13 Feb 2020 01:05:25 -0800 (PST) To: Stephen Smalley References: <0548c832-7f4b-dc4c-8883-3f2b6d351a08@linux.intel.com> <9b77124b-675d-5ac7-3741-edec575bd425@linux.intel.com> <64cab472-806e-38c4-fb26-0ffbee485367@tycho.nsa.gov> <05297eff-8e14-ccdf-55a4-870c64516de8@linux.intel.com> <537bdb28-c9e4-f44f-d665-25250065a6bb@linux.intel.com> <63d9700f-231d-7973-5307-3e56a48c54cb@linux.intel.com> 
<2e38c33d-f085-1320-8cc2-45f74b6ad86d@linux.intel.com> <8141da2e-49cf-c02d-69e9-8a7cbdc91431@linux.intel.com> <7c367905-e8c9-7665-d923-c850e05c757a@tycho.nsa.gov> <280e6644-c129-15f6-ea5c-0f66bf764e0f@tycho.nsa.gov> <950cc6a4-5823-d607-1210-6f62c96cf67f@linux.intel.com> <46751eb9-deca-53cc-95fb-1602cfdf62a2@tycho.nsa.gov> From: Alexey Budankov Organization: Intel Corp. Message-ID: <874115a9-fb11-b7f4-7e92-46aedc5f26af@linux.intel.com> Date: Thu, 13 Feb 2020 12:05:24 +0300 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.4.2 MIME-Version: 1.0 In-Reply-To: <46751eb9-deca-53cc-95fb-1602cfdf62a2@tycho.nsa.gov> Content-Language: en-US Subject: Re: [Intel-gfx] [PATCH v5 01/10] capabilities: introduce CAP_PERFMON to kernel and user space X-BeenThere: intel-gfx@lists.freedesktop.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Intel graphics driver community testing & development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Mark Rutland , Song Liu , Peter Zijlstra , "benh@kernel.crashing.org" , Will Deacon , Alexei Starovoitov , Stephane Eranian , "james.bottomley@hansenpartnership.com" , Paul Mackerras , Jiri Olsa , Alexei Starovoitov , Andi Kleen , Michael Ellerman , Igor Lubashev , James Morris , Alexander Shishkin , Ingo Molnar , oprofile-list@lists.sf.net, Serge Hallyn , Robert Richter , "selinux@vger.kernel.org" , "intel-gfx@lists.freedesktop.org" , Arnaldo Carvalho de Melo , Namhyung Kim , Thomas Gleixner , linux-arm-kernel , "linux-parisc@vger.kernel.org" , linux-kernel , Andy Lutomirski , "linux-perf-users@vger.kernel.org" , "linux-security-module@vger.kernel.org" , "linuxppc-dev@lists.ozlabs.org" Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: intel-gfx-bounces@lists.freedesktop.org Sender: "Intel-gfx"