From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 91FEBC11F64 for ; Mon, 28 Jun 2021 17:34:34 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 7525F61220 for ; Mon, 28 Jun 2021 17:34:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232498AbhF1Rg7 (ORCPT ); Mon, 28 Jun 2021 13:36:59 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49796 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232266AbhF1Rg7 (ORCPT ); Mon, 28 Jun 2021 13:36:59 -0400 Received: from mail-ed1-x52f.google.com (mail-ed1-x52f.google.com [IPv6:2a00:1450:4864:20::52f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4FE79C061574 for ; Mon, 28 Jun 2021 10:34:33 -0700 (PDT) Received: by mail-ed1-x52f.google.com with SMTP id s15so27037986edt.13 for ; Mon, 28 Jun 2021 10:34:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=kEAJ6KsZJw1puT1jMPblXJZXTzXVzkngKqIZOq+rtkM=; b=R2CfX4X/4lYBnNyh/Zcdl5j+zoHNMtSFzyIRfcUbUgwuTncuSNBrS83CW6/zZel0eu UtTBv6YMztwpKEHCua9CGKsnSIMotMpZa+5q2XNjVZQPOfCZtZkSC6Dkh8dOcoojdq1z 6A/PhhgMlYr/3eO0KxVyyIinPjU4N3HygXRj2wRaLnLJtD8ID4cxEVtmJQSUjrBe8Xm+ 1gX2KfYTPxAyi7TNxFPyz4g/Y75XTc+tknr9s3wMvMILSIe1+KOBv9pzwM8PVxKZhcB2 dEI8ZJeapZXZC3TUJQ+P9UOn/cyip+dPIkHr6pnNWpPTirfODFBJyRBq5o+X3uO7jK0I 5eRw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=kEAJ6KsZJw1puT1jMPblXJZXTzXVzkngKqIZOq+rtkM=; b=oalXetpxa2hp5QUdEJZETONpJpSqgqMj0/FhEAcZO7sTRqGVYzJGO6aghRYou94T9I 0JY+wUG6mtcUyszrtxhCVadBRxjaSp6S1gHg+hcTLkeNLUIhBpvHIxaND/o3fD7bCxpU TyKsKxTeFuOQFMIrq2ms+55C72qZOQPGvSoVT5DpKO44VK9zs+22yomZBgytwhN0jFnl 5KWv9Qwj2Fq9h5U8XoXpMn8MIm45/EadnqoU5JeZP5nk8n/dl/Ut4go7NgMcMO9mx0zH qJ2zkKPtAEKX6eBMeS8YPxlcBzzjm4t10wRhuBUG4E69oudXCR4c4xCp0u3oZqXo6eTf KvZA== X-Gm-Message-State: AOAM530wdZrUPU+9tVwnU/hheZJVrEgx/yQ3v3rpYeSj1e8uhoqPcb22 EoKeyaNIJWC+DcScgO+Xv/t5MdHpPG30WuX3mhFv X-Google-Smtp-Source: ABdhPJxYtdKNQmB50YsT/24qNwNE0W1Szb9yVtsfwRafME7wghQsUuuXBwob8Mt1UUG1rUZDwD+ylWNG+5DmxZjDlKQ= X-Received: by 2002:aa7:d592:: with SMTP id r18mr44230edq.269.1624901672066; Mon, 28 Jun 2021 10:34:32 -0700 (PDT) MIME-Version: 1.0 References: <0b926f59-464d-4b67-8f32-329cf9695cf7@t-8ch.de> <696bf938-c9d2-4b18-9f53-b6ff27035a97@t-8ch.de> In-Reply-To: <696bf938-c9d2-4b18-9f53-b6ff27035a97@t-8ch.de> From: Paul Moore Date: Mon, 28 Jun 2021 13:34:20 -0400 Message-ID: Subject: Re: AUDIT_ARCH_ and __NR_syscall constants for seccomp filters To: =?UTF-8?Q?Thomas_Wei=C3=9Fschuh?= Cc: linux-audit@redhat.com, bpf@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org On Mon, Jun 28, 2021 at 1:13 PM Thomas Wei=C3=9Fschuh wrote: > > Hi Paul, > > thanks for your response! Hi :) > On Mo, 2021-06-28T12:59-0400, Paul Moore wrote: > > On Mon, Jun 28, 2021 at 9:25 AM Thomas Wei=C3=9Fschuh wrote: > > > > > > Hi everyone, > > > > > > there does not seem to be a way to access the AUDIT_ARCH_ constant th= at matches > > > the currently visible syscall numbers (__NR_...) from the kernel uapi= headers. > > > > Looking at Linus' current tree I see the AUDIT_ARCH_* defines in > > include/uapi/linux/audit.h; looking on my system right now I see the > > defines in /usr/include/linux/audit.h. What kernel repository and > > distribution are you using? > > I am using ArchLinux and also have all these defines. > > > > Questions: > > > > > > Is it really necessary to validate the arch value when syscall number= s are > > > already target-specific? > > > (If not, should this be added to the docs?) > > > > Checking the arch/ABI value is important so that you can ensure that > > you are using the syscall number in the proper context. For example, > > look at the access(2) syscall: it is undefined on some ABIs and can > > take either a value of 20, 21, or 33 depending on the arch/ABI. > > Unfortunately this is rather common. > > But when if I am not hardcoding the syscall numbers but use the > __NR_access kernel define then I should always get the correct number for= the > ABI I am compiling for (or an error if the syscall does not exist), no? Remember that seccomp filters are inherited across forks, so if your application loads an ABI specific filter and then fork()/exec()'s an application with a different ABI you could be in trouble. We saw this some years ago when people started running containers with ABIs other than the native system; if the container orchestrator didn't load a filter that knew about these non-native ABIs Bad Things happened. I'm sure you are already aware of libseccomp, but if not you may want to consider it for your application. Not only does it provide a safe and easy way to handle multiple ABIs in a single filter, it handles other seccomp problem areas like build/runtime system differences in the syscall tables/defines as well as the oddball nature of direct-call and multiplexed socket related syscalls, i.e. socketcall() vs socket(), etc. > > Checking the arch/ABI value is also handy if you want to quickly > > disallow certain ABIs on a system that supports multiple ABI, e.g. > > disabling 32-bit x86 on a 64-bit x86_64 system. > > > > > Would it make sense to expose the audit arch matching the syscall num= bers in > > > the uapi headers? > > > > Yes, which is why the existing headers do so ;) If you don't see the > > header files I mentioned above, it may be worth checking your kernel > > source repository and your distribution's installed kernel header > > files. > > I do see constants for all the possible ABIs but not one constant that al= ways > represents the one I am currently compiling for. > The same way the syscall number defines always give me the syscall number= for > the currently targeted ABI. I'm sorry, but I don't quite understand what you are looking for in the header files ... ? It might help if you could provide a concrete example of what you would like to see in the header files? --=20 paul moore www.paul-moore.com From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A7537C11F66 for ; Mon, 28 Jun 2021 17:34:49 +0000 (UTC) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 2ADC861C4D for ; Mon, 28 Jun 2021 17:34:48 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 2ADC861C4D Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=paul-moore.com Authentication-Results: mail.kernel.org; spf=tempfail smtp.mailfrom=linux-audit-bounces@redhat.com Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-403-XVx5aZG6PbmO4R03mjGQBw-1; Mon, 28 Jun 2021 13:34:46 -0400 X-MC-Unique: XVx5aZG6PbmO4R03mjGQBw-1 Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id BA4FCBBEE0; Mon, 28 Jun 2021 17:34:42 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 73E9019C79; Mon, 28 Jun 2021 17:34:42 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id D220A4E9F5; Mon, 28 Jun 2021 17:34:41 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 15SHYdfI018094 for ; Mon, 28 Jun 2021 13:34:39 -0400 Received: by smtp.corp.redhat.com (Postfix) id 6AE97568DD; Mon, 28 Jun 2021 17:34:39 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast02.extmail.prod.ext.rdu2.redhat.com [10.11.55.18]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 6623F42ADC for ; Mon, 28 Jun 2021 17:34:36 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-2.mimecast.com [207.211.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 786DE800B35 for ; Mon, 28 Jun 2021 17:34:36 +0000 (UTC) Received: from mail-ed1-f50.google.com (mail-ed1-f50.google.com [209.85.208.50]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-443-n3UaFeVNPkiz8uG7TZos6g-1; Mon, 28 Jun 2021 13:34:33 -0400 X-MC-Unique: n3UaFeVNPkiz8uG7TZos6g-1 Received: by mail-ed1-f50.google.com with SMTP id h2so27141549edt.3 for ; Mon, 28 Jun 2021 10:34:33 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=kEAJ6KsZJw1puT1jMPblXJZXTzXVzkngKqIZOq+rtkM=; b=CfI6KaHS1ArOkr2CTgL71dFYvEAVRg2iZ5JWNNWKtmF7PVZaf+WCOi2RVSeRxA9E4O 0rrI1vQR2OKIpWd2Tp3VZSvRpwY5IEm93OHytbLwdL/dT4puz5sWZHrH79n2BW0eZjxT 0Ks3dtzbhspkLMVsWPosZwHpxP9zEb2iSO9OG8hwEYcZMw/B/LWc+qkvhbeG5DzIELcF jUAMNY7H7zzb0oqZ7dkI4dtOrtMUi6cA3WnuO8V0VPYez61JFuE9ii4vcy5uXYAFY6QG jYLdsBccNNCoClk5hjQUiJKtArk6vzmbPKqKhhsZFxKqdzGwheytDY2CW9SWUwPc8lQK +xXg== X-Gm-Message-State: AOAM532ai8WlumLA615UbulqB80Ci14umsY7jv5jJ+3on3ruBabK7MrO KwUpAoREbx4OyvVpNiLuXz9ocaoRwj+dDKr+11loQiU9oA== X-Google-Smtp-Source: ABdhPJxYtdKNQmB50YsT/24qNwNE0W1Szb9yVtsfwRafME7wghQsUuuXBwob8Mt1UUG1rUZDwD+ylWNG+5DmxZjDlKQ= X-Received: by 2002:aa7:d592:: with SMTP id r18mr44230edq.269.1624901672066; Mon, 28 Jun 2021 10:34:32 -0700 (PDT) MIME-Version: 1.0 References: <0b926f59-464d-4b67-8f32-329cf9695cf7@t-8ch.de> <696bf938-c9d2-4b18-9f53-b6ff27035a97@t-8ch.de> In-Reply-To: <696bf938-c9d2-4b18-9f53-b6ff27035a97@t-8ch.de> From: Paul Moore Date: Mon, 28 Jun 2021 13:34:20 -0400 Message-ID: Subject: Re: AUDIT_ARCH_ and __NR_syscall constants for seccomp filters To: =?UTF-8?Q?Thomas_Wei=C3=9Fschuh?= X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5 X-MIME-Autoconverted: from quoted-printable to 8bit by lists01.pubmisc.prod.ext.phx2.redhat.com id 15SHYdfI018094 X-loop: linux-audit@redhat.com Cc: bpf@vger.kernel.org, linux-audit@redhat.com X-BeenThere: linux-audit@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Linux Audit Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=linux-audit-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 T24gTW9uLCBKdW4gMjgsIDIwMjEgYXQgMToxMyBQTSBUaG9tYXMgV2Vpw59zY2h1aCA8bGludXhA d2Vpc3NzY2h1aC5uZXQ+IHdyb3RlOgo+Cj4gSGkgUGF1bCwKPgo+IHRoYW5rcyBmb3IgeW91ciBy ZXNwb25zZSEKCkhpIDopCgo+IE9uIE1vLCAyMDIxLTA2LTI4VDEyOjU5LTA0MDAsIFBhdWwgTW9v cmUgd3JvdGU6Cj4gPiBPbiBNb24sIEp1biAyOCwgMjAyMSBhdCA5OjI1IEFNIFRob21hcyBXZWnD n3NjaHVoIDxsaW51eEB3ZWlzc3NjaHVoLm5ldD4gd3JvdGU6Cj4gPiA+Cj4gPiA+IEhpIGV2ZXJ5 b25lLAo+ID4gPgo+ID4gPiB0aGVyZSBkb2VzIG5vdCBzZWVtIHRvIGJlIGEgd2F5IHRvIGFjY2Vz cyB0aGUgQVVESVRfQVJDSF8gY29uc3RhbnQgdGhhdCBtYXRjaGVzCj4gPiA+IHRoZSBjdXJyZW50 bHkgdmlzaWJsZSBzeXNjYWxsIG51bWJlcnMgKF9fTlJfLi4uKSBmcm9tIHRoZSBrZXJuZWwgdWFw aSBoZWFkZXJzLgo+ID4KPiA+IExvb2tpbmcgYXQgTGludXMnIGN1cnJlbnQgdHJlZSBJIHNlZSB0 aGUgQVVESVRfQVJDSF8qIGRlZmluZXMgaW4KPiA+IGluY2x1ZGUvdWFwaS9saW51eC9hdWRpdC5o OyBsb29raW5nIG9uIG15IHN5c3RlbSByaWdodCBub3cgSSBzZWUgdGhlCj4gPiBkZWZpbmVzIGlu IC91c3IvaW5jbHVkZS9saW51eC9hdWRpdC5oLiAgV2hhdCBrZXJuZWwgcmVwb3NpdG9yeSBhbmQK PiA+IGRpc3RyaWJ1dGlvbiBhcmUgeW91IHVzaW5nPwo+Cj4gSSBhbSB1c2luZyBBcmNoTGludXgg YW5kIGFsc28gaGF2ZSBhbGwgdGhlc2UgZGVmaW5lcy4KPgo+ID4gPiBRdWVzdGlvbnM6Cj4gPiA+ Cj4gPiA+IElzIGl0IHJlYWxseSBuZWNlc3NhcnkgdG8gdmFsaWRhdGUgdGhlIGFyY2ggdmFsdWUg d2hlbiBzeXNjYWxsIG51bWJlcnMgYXJlCj4gPiA+IGFscmVhZHkgdGFyZ2V0LXNwZWNpZmljPwo+ ID4gPiAoSWYgbm90LCBzaG91bGQgdGhpcyBiZSBhZGRlZCB0byB0aGUgZG9jcz8pCj4gPgo+ID4g Q2hlY2tpbmcgdGhlIGFyY2gvQUJJIHZhbHVlIGlzIGltcG9ydGFudCBzbyB0aGF0IHlvdSBjYW4g ZW5zdXJlIHRoYXQKPiA+IHlvdSBhcmUgdXNpbmcgdGhlIHN5c2NhbGwgbnVtYmVyIGluIHRoZSBw cm9wZXIgY29udGV4dC4gIEZvciBleGFtcGxlLAo+ID4gbG9vayBhdCB0aGUgYWNjZXNzKDIpIHN5 c2NhbGw6IGl0IGlzIHVuZGVmaW5lZCBvbiBzb21lIEFCSXMgYW5kIGNhbgo+ID4gdGFrZSBlaXRo ZXIgYSB2YWx1ZSBvZiAyMCwgMjEsIG9yIDMzIGRlcGVuZGluZyBvbiB0aGUgYXJjaC9BQkkuCj4g PiBVbmZvcnR1bmF0ZWx5IHRoaXMgaXMgcmF0aGVyIGNvbW1vbi4KPgo+IEJ1dCB3aGVuIGlmIEkg YW0gbm90IGhhcmRjb2RpbmcgdGhlIHN5c2NhbGwgbnVtYmVycyBidXQgdXNlIHRoZQo+IF9fTlJf YWNjZXNzIGtlcm5lbCBkZWZpbmUgdGhlbiBJIHNob3VsZCBhbHdheXMgZ2V0IHRoZSBjb3JyZWN0 IG51bWJlciBmb3IgdGhlCj4gQUJJIEkgYW0gY29tcGlsaW5nIGZvciAob3IgYW4gZXJyb3IgaWYg dGhlIHN5c2NhbGwgZG9lcyBub3QgZXhpc3QpLCBubz8KClJlbWVtYmVyIHRoYXQgc2VjY29tcCBm aWx0ZXJzIGFyZSBpbmhlcml0ZWQgYWNyb3NzIGZvcmtzLCBzbyBpZiB5b3VyCmFwcGxpY2F0aW9u IGxvYWRzIGFuIEFCSSBzcGVjaWZpYyBmaWx0ZXIgYW5kIHRoZW4gZm9yaygpL2V4ZWMoKSdzIGFu CmFwcGxpY2F0aW9uIHdpdGggYSBkaWZmZXJlbnQgQUJJIHlvdSBjb3VsZCBiZSBpbiB0cm91Ymxl LiAgV2Ugc2F3IHRoaXMKc29tZSB5ZWFycyBhZ28gd2hlbiBwZW9wbGUgc3RhcnRlZCBydW5uaW5n IGNvbnRhaW5lcnMgd2l0aCBBQklzIG90aGVyCnRoYW4gdGhlIG5hdGl2ZSBzeXN0ZW07IGlmIHRo ZSBjb250YWluZXIgb3JjaGVzdHJhdG9yIGRpZG4ndCBsb2FkIGEKZmlsdGVyIHRoYXQga25ldyBh Ym91dCB0aGVzZSBub24tbmF0aXZlIEFCSXMgQmFkIFRoaW5ncyBoYXBwZW5lZC4KCkknbSBzdXJl IHlvdSBhcmUgYWxyZWFkeSBhd2FyZSBvZiBsaWJzZWNjb21wLCBidXQgaWYgbm90IHlvdSBtYXkg d2FudAp0byBjb25zaWRlciBpdCBmb3IgeW91ciBhcHBsaWNhdGlvbi4gIE5vdCBvbmx5IGRvZXMg aXQgcHJvdmlkZSBhIHNhZmUKYW5kIGVhc3kgd2F5IHRvIGhhbmRsZSBtdWx0aXBsZSBBQklzIGlu IGEgc2luZ2xlIGZpbHRlciwgaXQgaGFuZGxlcwpvdGhlciBzZWNjb21wIHByb2JsZW0gYXJlYXMg bGlrZSBidWlsZC9ydW50aW1lIHN5c3RlbSBkaWZmZXJlbmNlcyBpbgp0aGUgc3lzY2FsbCB0YWJs ZXMvZGVmaW5lcyBhcyB3ZWxsIGFzIHRoZSBvZGRiYWxsIG5hdHVyZSBvZgpkaXJlY3QtY2FsbCBh bmQgbXVsdGlwbGV4ZWQgc29ja2V0IHJlbGF0ZWQgc3lzY2FsbHMsIGkuZS4gc29ja2V0Y2FsbCgp CnZzIHNvY2tldCgpLCBldGMuCgo+ID4gQ2hlY2tpbmcgdGhlIGFyY2gvQUJJIHZhbHVlIGlzIGFs c28gaGFuZHkgaWYgeW91IHdhbnQgdG8gcXVpY2tseQo+ID4gZGlzYWxsb3cgY2VydGFpbiBBQklz IG9uIGEgc3lzdGVtIHRoYXQgc3VwcG9ydHMgbXVsdGlwbGUgQUJJLCBlLmcuCj4gPiBkaXNhYmxp bmcgMzItYml0IHg4NiBvbiBhIDY0LWJpdCB4ODZfNjQgc3lzdGVtLgo+ID4KPiA+ID4gV291bGQg aXQgbWFrZSBzZW5zZSB0byBleHBvc2UgdGhlIGF1ZGl0IGFyY2ggbWF0Y2hpbmcgdGhlIHN5c2Nh bGwgbnVtYmVycyBpbgo+ID4gPiB0aGUgdWFwaSBoZWFkZXJzPwo+ID4KPiA+IFllcywgd2hpY2gg aXMgd2h5IHRoZSBleGlzdGluZyBoZWFkZXJzIGRvIHNvIDspICBJZiB5b3UgZG9uJ3Qgc2VlIHRo ZQo+ID4gaGVhZGVyIGZpbGVzIEkgbWVudGlvbmVkIGFib3ZlLCBpdCBtYXkgYmUgd29ydGggY2hl Y2tpbmcgeW91ciBrZXJuZWwKPiA+IHNvdXJjZSByZXBvc2l0b3J5IGFuZCB5b3VyIGRpc3RyaWJ1 dGlvbidzIGluc3RhbGxlZCBrZXJuZWwgaGVhZGVyCj4gPiBmaWxlcy4KPgo+IEkgZG8gc2VlIGNv bnN0YW50cyBmb3IgYWxsIHRoZSBwb3NzaWJsZSBBQklzIGJ1dCBub3Qgb25lIGNvbnN0YW50IHRo YXQgYWx3YXlzCj4gcmVwcmVzZW50cyB0aGUgb25lIEkgYW0gY3VycmVudGx5IGNvbXBpbGluZyBm b3IuCj4gVGhlIHNhbWUgd2F5IHRoZSBzeXNjYWxsIG51bWJlciBkZWZpbmVzIGFsd2F5cyBnaXZl IG1lIHRoZSBzeXNjYWxsIG51bWJlciBmb3IKPiB0aGUgY3VycmVudGx5IHRhcmdldGVkIEFCSS4K CkknbSBzb3JyeSwgYnV0IEkgZG9uJ3QgcXVpdGUgdW5kZXJzdGFuZCB3aGF0IHlvdSBhcmUgbG9v a2luZyBmb3IgaW4KdGhlIGhlYWRlciBmaWxlcyAuLi4gPyAgSXQgbWlnaHQgaGVscCBpZiB5b3Ug Y291bGQgcHJvdmlkZSBhIGNvbmNyZXRlCmV4YW1wbGUgb2Ygd2hhdCB5b3Ugd291bGQgbGlrZSB0 byBzZWUgaW4gdGhlIGhlYWRlciBmaWxlcz8KCi0tIApwYXVsIG1vb3JlCnd3dy5wYXVsLW1vb3Jl LmNvbQoKCi0tCkxpbnV4LWF1ZGl0IG1haWxpbmcgbGlzdApMaW51eC1hdWRpdEByZWRoYXQuY29t Cmh0dHBzOi8vbGlzdG1hbi5yZWRoYXQuY29tL21haWxtYW4vbGlzdGluZm8vbGludXgtYXVkaXQ=