From: Paul Moore
Date: Thu, 8 Sep 2022 14:52:57 -0400
Subject: Re: LSM stacking in next for 6.1?
To: Tetsuo Handa
Cc: Casey Schaufler, LSM List, James Morris, linux-audit@redhat.com, John Johansen, Mimi Zohar, keescook@chromium.org, SElinux list
X-Mailing-List: selinux@vger.kernel.org

On Thu, Sep 8, 2022 at 11:19 AM Tetsuo Handa wrote:
> On 2022/08/03 9:01, Casey Schaufler wrote:
> > I would like very much to get v38 or v39 of the LSM stacking for Apparmor
> > patch set in the LSM next branch for 6.1. The audit changes have polished
> > up nicely and I believe that all comments on the integrity code have been
> > addressed. The interface_lsm mechanism has been beaten to a frothy peak.
> > There are serious binder changes, but I think they address issues beyond
> > the needs of stacking. Changes outside these areas are pretty well limited
> > to LSM interface improvements.

> Many modules
>
>     SimpleFlow （ 2016/04/21 https://lwn.net/Articles/684825/ ）
>     HardChroot （ 2016/07/29 https://lwn.net/Articles/695984/ ）
>     Checmate （ 2016/08/04 https://lwn.net/Articles/696344/ ）
>     LandLock （ 2016/08/25 https://lwn.net/Articles/698226/ ）
>     PTAGS （ 2016/09/29 https://lwn.net/Articles/702639/ ）
>     CaitSith （ 2016/10/21 https://lwn.net/Articles/704262/ ）
>     SafeName （ 2016/05/03 https://lwn.net/Articles/686021/ ）
>     WhiteEgret （ 2017/05/30 https://lwn.net/Articles/724192/ ）
>     shebang （ 2017/06/09 https://lwn.net/Articles/725285/ ）
>     S.A.R.A. （ 2017/06/13 https://lwn.net/Articles/725230/ ）
>
> are proposed 5 or 6 years ago, but mostly became silent...

At least one of those, Landlock, has been merged upstream and is now
available in modern released Linux Kernels. As far as the other LSMs
are concerned, I don't recall there ever being significant interest
among other developers or users to warrant their inclusion upstream.
If the authors believe that has changed, or is simply not true, they
are always welcome to post their patches again for discussion, review,
and potential upstreaming. However, I will caution that it is
becoming increasingly difficult for people to find time to review
potential new LSMs so it may take a while to attract sufficient comments
and feedback.

> I still need byte-code analysis for finding the hook and code for making the hook
> writable in AKARI/CaitSith due to lack of EXPORT_SYMBOL_GPL(security_add_hooks).
> I wonder when I can stop questions like https://osdn.net/projects/tomoyo/lists/archive/users-en/2022-September/000740.html
> caused by https://patchwork.kernel.org/project/linux-security-module/patch/alpine.LRH.2.20.1702131631490.8914@namei.org/ .

As has been discussed before, this isn't so much an issue with the
__ro_after_init change, it's really more of an issue of running
out-of-tree kernel code on pre-built distribution kernels, with
"pre-built" being the most important part. It is my understanding
that if the user/developer built their own patched kernel this would
not likely be an issue as the out-of-tree LSM could be patched into
the kernel source. The problem comes when the user/developer wants to
dynamically load their out-of-tree LSM into a pre-built distribution
kernel, presumably to preserve a level of distribution support.
Unfortunately, to the best of my knowledge, none of the major
enterprise Linux distributions will provide support for arbitrary
third-party kernel modules (it may work, but if something fails the
user is on their own to triage and resolve).

Beyond the support issue, there are likely to be other problems as
well since the kernel interfaces, including the LSM hooks themselves,
are not guaranteed to be stable across kernel releases.

> Last 10 years, my involvement with Linux kernel is "fixing bugs" rather than
> "developing security mechanisms". Changes what I found in the past 10 years are:
>
>   As far as I'm aware, more than 99% of systems still disable SELinux.

I would challenge you to support that claim with data. Granted, we
are coming from very different LSM backgrounds, but I find that number
very suspect. It has been several years since I last looked, but I
believe the latest published Android numbers would give some support
to the idea that more than 1% of SELinux based systems are running in
enforcing (or permissive) mode. Significantly more.

>   People use RHEL,
>   but the reason to choose RHEL is not because RHEL supports SELinux.

Once again, if you are going to make strong claims such as this,
please provide data. I know of several RHEL users that are only able
to run SELinux based systems as it is the only LSM which meets their
security requirements.

>   Instead, Ubuntu users are increasing, but the reason people choose Ubuntu is not because
>   Ubuntu supports AppArmor. Maybe because easy to use container environment. Maybe because
>   available as Windows Subsystem for Linux.

I suspect IBM/RH's decision to change CentOS' relationship to RHEL
also resulted in a number of users moving to Ubuntu, and that has
nothing to do with the LSMs.

>   However, in many cases, it seems that whether the OS is Windows or Linux no longer
>   matters. Programs are written using frameworks/languages which developers hardly care
>   about Windows API or Linux syscall. LSM significantly focuses on syscalls, but the
>   trend might no longer be trying to solve in the LSM layer...

Every LSM is different, that is partly why it is so interesting as a
security framework. Look at Yama, look at AppArmor, look at Smack,
look at the BPF LSM ... there is no one security model, and claiming
that the LSM focuses on syscalls is misleading. If you had to pick
only one concept that the LSM focuses on, I believe it would be
providing visibility and access controls for security relevant
interactions between entities on the system. Processes opening files,
processes executing other processes, processes talking to each other
both across the network and on the local system. Some of these things
involve syscalls, but as most of us know, making meaningful access
control decisions often involves much more than just the syscall.

> Also, Linux servers started using AntiVirus software. Enterprise AntiVirus software uses
> loadable kernel module that rewrites system call table rather than using LSM interface.
> It seems that people prefer out-of-the-box security over fine grained access control rule
> based security.

I would caution against confusing the security policy driven access
controls provided by many in-tree LSMs with out-of-tree antivirus
software. They have different goals, different use cases, and
different user groups (markets).

I think that is about the nicest thing I can think to say about those
antivirus products ;)

--
paul-moore.com