From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id BF431C38145 for ; Thu, 8 Sep 2022 15:19:36 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230140AbiIHPTe (ORCPT ); Thu, 8 Sep 2022 11:19:34 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33372 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231574AbiIHPTc (ORCPT ); Thu, 8 Sep 2022 11:19:32 -0400 Received: from www262.sakura.ne.jp (www262.sakura.ne.jp [202.181.97.72]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8DAF755AD for ; Thu, 8 Sep 2022 08:19:29 -0700 (PDT) Received: from fsav119.sakura.ne.jp (fsav119.sakura.ne.jp [27.133.134.246]) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTP id 288FIxPP039482; Fri, 9 Sep 2022 00:18:59 +0900 (JST) (envelope-from penguin-kernel@I-love.SAKURA.ne.jp) Received: from www262.sakura.ne.jp (202.181.97.72) by fsav119.sakura.ne.jp (F-Secure/fsigk_smtp/550/fsav119.sakura.ne.jp); Fri, 09 Sep 2022 00:18:59 +0900 (JST) X-Virus-Status: clean(F-Secure/fsigk_smtp/550/fsav119.sakura.ne.jp) Received: from [192.168.1.9] (M106072142033.v4.enabler.ne.jp [106.72.142.33]) (authenticated bits=0) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTPSA id 288FIwG7039479 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NO); Fri, 9 Sep 2022 00:18:58 +0900 (JST) (envelope-from penguin-kernel@I-love.SAKURA.ne.jp) Message-ID: <8ac2731c-a1db-df7b-3690-dac2b371e431@I-love.SAKURA.ne.jp> Date: Fri, 9 Sep 2022 00:18:52 +0900 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.2.1 Subject: Re: LSM stacking in next for 6.1? Content-Language: en-US To: Casey Schaufler , paul Moore , LSM List Cc: James Morris , linux-audit@redhat.com, John Johansen , Mimi Zohar , keescook@chromium.org, SElinux list References: <791e13b5-bebd-12fc-53de-e9a86df23836.ref@schaufler-ca.com> <791e13b5-bebd-12fc-53de-e9a86df23836@schaufler-ca.com> From: Tetsuo Handa In-Reply-To: <791e13b5-bebd-12fc-53de-e9a86df23836@schaufler-ca.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org On 2022/08/03 9:01, Casey Schaufler wrote: > I would like very much to get v38 or v39 of the LSM stacking for Apparmor > patch set in the LSM next branch for 6.1. The audit changes have polished > up nicely and I believe that all comments on the integrity code have been > addressed. The interface_lsm mechanism has been beaten to a frothy peak. > There are serious binder changes, but I think they address issues beyond > the needs of stacking. Changes outside these areas are pretty well limited > to LSM interface improvements. > After ((SELinux xor Smack) and AppArmor) is made possible in next for 6.1, what comes next? Are you planning to make (SELinux and Smack and AppArmor) possible? My concern is, when loadable LSM modules becomes legal, for I'm refraining from again proposing CaitSith until LSM stacking completes. Linus Torvalds said You security people are insane. I'm tired of this "only my version is correct" crap. at https://lkml.kernel.org/r/alpine.LFD.0.999.0710010803280.3579@woody.linux-foundation.org . Many modules SimpleFlow ( 2016/04/21 https://lwn.net/Articles/684825/ ) HardChroot ( 2016/07/29 https://lwn.net/Articles/695984/ ) Checmate ( 2016/08/04 https://lwn.net/Articles/696344/ ) LandLock ( 2016/08/25 https://lwn.net/Articles/698226/ ) PTAGS ( 2016/09/29 https://lwn.net/Articles/702639/ ) CaitSith ( 2016/10/21 https://lwn.net/Articles/704262/ ) SafeName ( 2016/05/03 https://lwn.net/Articles/686021/ ) WhiteEgret ( 2017/05/30 https://lwn.net/Articles/724192/ ) shebang ( 2017/06/09 https://lwn.net/Articles/725285/ ) S.A.R.A. ( 2017/06/13 https://lwn.net/Articles/725230/ ) are proposed 5 or 6 years ago, but mostly became silent... I still need byte-code analysis for finding the hook and code for making the hook writable in AKARI/CaitSith due to lack of EXPORT_SYMBOL_GPL(security_add_hooks). I wonder when I can stop questions like https://osdn.net/projects/tomoyo/lists/archive/users-en/2022-September/000740.html caused by https://patchwork.kernel.org/project/linux-security-module/patch/alpine.LRH.2.20.1702131631490.8914@namei.org/ . Last 10 years, my involvement with Linux kernel is "fixing bugs" rather than "developing security mechanisms". Changes what I found in the past 10 years are: As far as I'm aware, more than 99% of systems still disable SELinux. People use RHEL, but the reason to choose RHEL is not because RHEL supports SELinux. The only thing changed is that the way to disable SELinux changed from SELINUX=disabled in /etc/selinux/config to selinux=0 on kernel command line options. Instead, Ubuntu users are increasing, but the reason people choose Ubuntu is not because Ubuntu supports AppArmor. Maybe because easy to use container environment. Maybe because available as Windows Subsystem for Linux. However, in many cases, it seems that whether the OS is Windows or Linux no longer matters. Programs are written using frameworks/languages which developers hardly care about Windows API or Linux syscall. LSM significantly focuses on syscalls, but the trend might no longer be trying to solve in the LSM layer... Also, Linux servers started using AntiVirus software. Enterprise AntiVirus software uses loadable kernel module that rewrites system call table rather than using LSM interface. It seems that people prefer out-of-the-box security over fine grained access control rule based security. In other words, it seems that allowlist based LSM modules are too difficult for normal users. Maybe it is better for normal users to develop and use single-function LSMs than try to utilize ((SELinux xor Smack) and AppArmor)... But still loadable LSM modules are not legally available... From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 7958AC38145 for ; Thu, 8 Sep 2022 16:06:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1662653177; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=LrAyEDzEhJwjUN2k5yKOe/OAi/5MYFUrw1Qro096YdY=; b=B9rAoHpB1kPiM22MpVtQeeAPi0Yb+DYgm3jLBws5TjmT+XnRQovyxlvRHzEDOmdgBMmeWL v9Mko7bc/REUt/AWHG3n3ZBeLqHoN/PjdSl4C/hMr0boVjG6kHpCaaHbEZJuz7wCqrkxla vjWjUB2JedFelHCAmQsVfZIixaaDzsQ= Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-630-6RBu_b2YOnuGeZjUrUni6Q-1; Thu, 08 Sep 2022 12:06:14 -0400 X-MC-Unique: 6RBu_b2YOnuGeZjUrUni6Q-1 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.rdu2.redhat.com [10.11.54.2]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id C36A71C1B113; Thu, 8 Sep 2022 16:06:12 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (unknown [10.30.29.100]) by smtp.corp.redhat.com (Postfix) with ESMTP id C51E740D296C; Thu, 8 Sep 2022 16:06:11 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (localhost [IPv6:::1]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id 66D1A1946A44; Thu, 8 Sep 2022 16:06:11 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.rdu2.redhat.com [10.11.54.8]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id F1AA31946A41 for ; Thu, 8 Sep 2022 16:06:10 +0000 (UTC) Received: by smtp.corp.redhat.com (Postfix) id E338EC15BBA; Thu, 8 Sep 2022 16:06:10 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast09.extmail.prod.ext.rdu2.redhat.com [10.11.55.25]) by smtp.corp.redhat.com (Postfix) with ESMTPS id DEF9AC15BB3 for ; Thu, 8 Sep 2022 16:06:10 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com [207.211.31.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 5C7A8296A607 for ; Thu, 8 Sep 2022 16:06:10 +0000 (UTC) Received: from www262.sakura.ne.jp (www262.sakura.ne.jp [202.181.97.72]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-435-6Z63An0fPBeppM23ZtpYKg-1; Thu, 08 Sep 2022 12:06:07 -0400 X-MC-Unique: 6Z63An0fPBeppM23ZtpYKg-1 Received: from fsav119.sakura.ne.jp (fsav119.sakura.ne.jp [27.133.134.246]) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTP id 288FIxPP039482; Fri, 9 Sep 2022 00:18:59 +0900 (JST) (envelope-from penguin-kernel@I-love.SAKURA.ne.jp) Received: from www262.sakura.ne.jp (202.181.97.72) by fsav119.sakura.ne.jp (F-Secure/fsigk_smtp/550/fsav119.sakura.ne.jp); Fri, 09 Sep 2022 00:18:59 +0900 (JST) X-Virus-Status: clean(F-Secure/fsigk_smtp/550/fsav119.sakura.ne.jp) Received: from [192.168.1.9] (M106072142033.v4.enabler.ne.jp [106.72.142.33]) (authenticated bits=0) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTPSA id 288FIwG7039479 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NO); Fri, 9 Sep 2022 00:18:58 +0900 (JST) (envelope-from penguin-kernel@I-love.SAKURA.ne.jp) Message-ID: <8ac2731c-a1db-df7b-3690-dac2b371e431@I-love.SAKURA.ne.jp> Date: Fri, 9 Sep 2022 00:18:52 +0900 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.2.1 Subject: Re: LSM stacking in next for 6.1? To: Casey Schaufler , paul Moore , LSM List References: <791e13b5-bebd-12fc-53de-e9a86df23836.ref@schaufler-ca.com> <791e13b5-bebd-12fc-53de-e9a86df23836@schaufler-ca.com> From: Tetsuo Handa In-Reply-To: <791e13b5-bebd-12fc-53de-e9a86df23836@schaufler-ca.com> X-MIME-Autoconverted: from 8bit to quoted-printable by www262.sakura.ne.jp id 288FIxPP039482 X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false X-Mimecast-Bulk-Signature: yes X-Mimecast-Spam-Signature: yes X-Scanned-By: MIMEDefang 2.85 on 10.11.54.8 X-BeenThere: linux-audit@redhat.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Audit Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: John Johansen , SElinux list , James Morris , Mimi Zohar , linux-audit@redhat.com Errors-To: linux-audit-bounces@redhat.com Sender: "Linux-audit" X-Scanned-By: MIMEDefang 2.84 on 10.11.54.2 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Language: en-US Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 T24gMjAyMi8wOC8wMyA5OjAxLCBDYXNleSBTY2hhdWZsZXIgd3JvdGU6Cj4gSSB3b3VsZCBsaWtl IHZlcnkgbXVjaCB0byBnZXQgdjM4IG9yIHYzOSBvZiB0aGUgTFNNIHN0YWNraW5nIGZvciBBcHBh cm1vcgo+IHBhdGNoIHNldCBpbiB0aGUgTFNNIG5leHQgYnJhbmNoIGZvciA2LjEuIFRoZSBhdWRp dCBjaGFuZ2VzIGhhdmUgcG9saXNoZWQKPiB1cCBuaWNlbHkgYW5kIEkgYmVsaWV2ZSB0aGF0IGFs bCBjb21tZW50cyBvbiB0aGUgaW50ZWdyaXR5IGNvZGUgaGF2ZSBiZWVuCj4gYWRkcmVzc2VkLiBU aGUgaW50ZXJmYWNlX2xzbSBtZWNoYW5pc20gaGFzIGJlZW4gYmVhdGVuIHRvIGEgZnJvdGh5IHBl YWsuCj4gVGhlcmUgYXJlIHNlcmlvdXMgYmluZGVyIGNoYW5nZXMsIGJ1dCBJIHRoaW5rIHRoZXkg YWRkcmVzcyBpc3N1ZXMgYmV5b25kCj4gdGhlIG5lZWRzIG9mIHN0YWNraW5nLiBDaGFuZ2VzIG91 dHNpZGUgdGhlc2UgYXJlYXMgYXJlIHByZXR0eSB3ZWxsIGxpbWl0ZWQKPiB0byBMU00gaW50ZXJm YWNlIGltcHJvdmVtZW50cy4KPiAKCkFmdGVyICgoU0VMaW51eCB4b3IgU21hY2spIGFuZCBBcHBB cm1vcikgaXMgbWFkZSBwb3NzaWJsZSBpbiBuZXh0IGZvciA2LjEsIHdoYXQKY29tZXMgbmV4dD8g QXJlIHlvdSBwbGFubmluZyB0byBtYWtlIChTRUxpbnV4IGFuZCBTbWFjayBhbmQgQXBwQXJtb3Ip IHBvc3NpYmxlPwoKTXkgY29uY2VybiBpcywgd2hlbiBsb2FkYWJsZSBMU00gbW9kdWxlcyBiZWNv bWVzIGxlZ2FsLCBmb3IgSSdtIHJlZnJhaW5pbmcgZnJvbQphZ2FpbiBwcm9wb3NpbmcgQ2FpdFNp dGggdW50aWwgTFNNIHN0YWNraW5nIGNvbXBsZXRlcy4KCkxpbnVzIFRvcnZhbGRzIHNhaWQKCiAg WW91IHNlY3VyaXR5IHBlb3BsZSBhcmUgaW5zYW5lLiBJJ20gdGlyZWQgb2YgdGhpcyAib25seSBt eSB2ZXJzaW9uIGlzIGNvcnJlY3QiIGNyYXAuCgphdCBodHRwczovL2xrbWwua2VybmVsLm9yZy9y L2FscGluZS5MRkQuMC45OTkuMDcxMDAxMDgwMzI4MC4zNTc5QHdvb2R5LmxpbnV4LWZvdW5kYXRp b24ub3JnIC4KCk1hbnkgbW9kdWxlcwoKICAgIFNpbXBsZUZsb3cg77yIIDIwMTYvMDQvMjEgaHR0 cHM6Ly9sd24ubmV0L0FydGljbGVzLzY4NDgyNS8g77yJCiAgICBIYXJkQ2hyb290IO+8iCAyMDE2 LzA3LzI5IGh0dHBzOi8vbHduLm5ldC9BcnRpY2xlcy82OTU5ODQvIO+8iQogICAgQ2hlY21hdGUg 77yIIDIwMTYvMDgvMDQgaHR0cHM6Ly9sd24ubmV0L0FydGljbGVzLzY5NjM0NC8g77yJCiAgICBM YW5kTG9jayDvvIggMjAxNi8wOC8yNSBodHRwczovL2x3bi5uZXQvQXJ0aWNsZXMvNjk4MjI2LyDv vIkKICAgIFBUQUdTIO+8iCAyMDE2LzA5LzI5IGh0dHBzOi8vbHduLm5ldC9BcnRpY2xlcy83MDI2 MzkvIO+8iQogICAgQ2FpdFNpdGgg77yIIDIwMTYvMTAvMjEgaHR0cHM6Ly9sd24ubmV0L0FydGlj bGVzLzcwNDI2Mi8g77yJCiAgICBTYWZlTmFtZSDvvIggMjAxNi8wNS8wMyBodHRwczovL2x3bi5u ZXQvQXJ0aWNsZXMvNjg2MDIxLyDvvIkKICAgIFdoaXRlRWdyZXQg77yIIDIwMTcvMDUvMzAgaHR0 cHM6Ly9sd24ubmV0L0FydGljbGVzLzcyNDE5Mi8g77yJCiAgICBzaGViYW5nIO+8iCAyMDE3LzA2 LzA5IGh0dHBzOi8vbHduLm5ldC9BcnRpY2xlcy83MjUyODUvIO+8iQogICAgUy5BLlIuQS4g77yI IDIwMTcvMDYvMTMgaHR0cHM6Ly9sd24ubmV0L0FydGljbGVzLzcyNTIzMC8g77yJCgphcmUgcHJv cG9zZWQgNSBvciA2IHllYXJzIGFnbywgYnV0IG1vc3RseSBiZWNhbWUgc2lsZW50Li4uCgpJIHN0 aWxsIG5lZWQgYnl0ZS1jb2RlIGFuYWx5c2lzIGZvciBmaW5kaW5nIHRoZSBob29rIGFuZCBjb2Rl IGZvciBtYWtpbmcgdGhlIGhvb2sKd3JpdGFibGUgaW4gQUtBUkkvQ2FpdFNpdGggZHVlIHRvIGxh Y2sgb2YgRVhQT1JUX1NZTUJPTF9HUEwoc2VjdXJpdHlfYWRkX2hvb2tzKS4KSSB3b25kZXIgd2hl biBJIGNhbiBzdG9wIHF1ZXN0aW9ucyBsaWtlIGh0dHBzOi8vb3Nkbi5uZXQvcHJvamVjdHMvdG9t b3lvL2xpc3RzL2FyY2hpdmUvdXNlcnMtZW4vMjAyMi1TZXB0ZW1iZXIvMDAwNzQwLmh0bWwKY2F1 c2VkIGJ5IGh0dHBzOi8vcGF0Y2h3b3JrLmtlcm5lbC5vcmcvcHJvamVjdC9saW51eC1zZWN1cml0 eS1tb2R1bGUvcGF0Y2gvYWxwaW5lLkxSSC4yLjIwLjE3MDIxMzE2MzE0OTAuODkxNEBuYW1laS5v cmcvIC4KCkxhc3QgMTAgeWVhcnMsIG15IGludm9sdmVtZW50IHdpdGggTGludXgga2VybmVsIGlz ICJmaXhpbmcgYnVncyIgcmF0aGVyIHRoYW4KImRldmVsb3Bpbmcgc2VjdXJpdHkgbWVjaGFuaXNt cyIuIENoYW5nZXMgd2hhdCBJIGZvdW5kIGluIHRoZSBwYXN0IDEwIHllYXJzIGFyZToKCiAgQXMg ZmFyIGFzIEknbSBhd2FyZSwgbW9yZSB0aGFuIDk5JSBvZiBzeXN0ZW1zIHN0aWxsIGRpc2FibGUg U0VMaW51eC4gUGVvcGxlIHVzZSBSSEVMLAogIGJ1dCB0aGUgcmVhc29uIHRvIGNob29zZSBSSEVM IGlzIG5vdCBiZWNhdXNlIFJIRUwgc3VwcG9ydHMgU0VMaW51eC4gVGhlIG9ubHkgdGhpbmcKICBj aGFuZ2VkIGlzIHRoYXQgdGhlIHdheSB0byBkaXNhYmxlIFNFTGludXggY2hhbmdlZCBmcm9tIFNF TElOVVg9ZGlzYWJsZWQgaW4KICAvZXRjL3NlbGludXgvY29uZmlnIHRvIHNlbGludXg9MCBvbiBr ZXJuZWwgY29tbWFuZCBsaW5lIG9wdGlvbnMuCgogIEluc3RlYWQsIFVidW50dSB1c2VycyBhcmUg aW5jcmVhc2luZywgYnV0IHRoZSByZWFzb24gcGVvcGxlIGNob29zZSBVYnVudHUgaXMgbm90IGJl Y2F1c2UKICBVYnVudHUgc3VwcG9ydHMgQXBwQXJtb3IuIE1heWJlIGJlY2F1c2UgZWFzeSB0byB1 c2UgY29udGFpbmVyIGVudmlyb25tZW50LiBNYXliZSBiZWNhdXNlCiAgYXZhaWxhYmxlIGFzIFdp bmRvd3MgU3Vic3lzdGVtIGZvciBMaW51eC4KCiAgSG93ZXZlciwgaW4gbWFueSBjYXNlcywgaXQg c2VlbXMgdGhhdCB3aGV0aGVyIHRoZSBPUyBpcyBXaW5kb3dzIG9yIExpbnV4IG5vIGxvbmdlcgog IG1hdHRlcnMuIFByb2dyYW1zIGFyZSB3cml0dGVuIHVzaW5nIGZyYW1ld29ya3MvbGFuZ3VhZ2Vz IHdoaWNoIGRldmVsb3BlcnMgaGFyZGx5IGNhcmUKICBhYm91dCBXaW5kb3dzIEFQSSBvciBMaW51 eCBzeXNjYWxsLiBMU00gc2lnbmlmaWNhbnRseSBmb2N1c2VzIG9uIHN5c2NhbGxzLCBidXQgdGhl CiAgdHJlbmQgbWlnaHQgbm8gbG9uZ2VyIGJlIHRyeWluZyB0byBzb2x2ZSBpbiB0aGUgTFNNIGxh eWVyLi4uCgpBbHNvLCBMaW51eCBzZXJ2ZXJzIHN0YXJ0ZWQgdXNpbmcgQW50aVZpcnVzIHNvZnR3 YXJlLiBFbnRlcnByaXNlIEFudGlWaXJ1cyBzb2Z0d2FyZSB1c2VzCmxvYWRhYmxlIGtlcm5lbCBt b2R1bGUgdGhhdCByZXdyaXRlcyBzeXN0ZW0gY2FsbCB0YWJsZSByYXRoZXIgdGhhbiB1c2luZyBM U00gaW50ZXJmYWNlLgpJdCBzZWVtcyB0aGF0IHBlb3BsZSBwcmVmZXIgb3V0LW9mLXRoZS1ib3gg c2VjdXJpdHkgb3ZlciBmaW5lIGdyYWluZWQgYWNjZXNzIGNvbnRyb2wgcnVsZQpiYXNlZCBzZWN1 cml0eS4gSW4gb3RoZXIgd29yZHMsIGl0IHNlZW1zIHRoYXQgYWxsb3dsaXN0IGJhc2VkIExTTSBt b2R1bGVzIGFyZSB0b28KZGlmZmljdWx0IGZvciBub3JtYWwgdXNlcnMuIE1heWJlIGl0IGlzIGJl dHRlciBmb3Igbm9ybWFsIHVzZXJzIHRvIGRldmVsb3AgYW5kIHVzZQpzaW5nbGUtZnVuY3Rpb24g TFNNcyB0aGFuIHRyeSB0byB1dGlsaXplICgoU0VMaW51eCB4b3IgU21hY2spIGFuZCBBcHBBcm1v cikuLi4gQnV0CnN0aWxsIGxvYWRhYmxlIExTTSBtb2R1bGVzIGFyZSBub3QgbGVnYWxseSBhdmFp bGFibGUuLi4KCi0tCkxpbnV4LWF1ZGl0IG1haWxpbmcgbGlzdApMaW51eC1hdWRpdEByZWRoYXQu Y29tCmh0dHBzOi8vbGlzdG1hbi5yZWRoYXQuY29tL21haWxtYW4vbGlzdGluZm8vbGludXgtYXVk aXQK