From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4A23DC11F64 for ; Mon, 28 Jun 2021 22:44:04 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 1F87E61CF9 for ; Mon, 28 Jun 2021 22:44:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232992AbhF1Wq2 (ORCPT ); Mon, 28 Jun 2021 18:46:28 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33826 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232642AbhF1Wq1 (ORCPT ); Mon, 28 Jun 2021 18:46:27 -0400 Received: from mail-ed1-x535.google.com (mail-ed1-x535.google.com [IPv6:2a00:1450:4864:20::535]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7DFB2C061574 for ; Mon, 28 Jun 2021 15:43:59 -0700 (PDT) Received: by mail-ed1-x535.google.com with SMTP id l24so265821edr.11 for ; Mon, 28 Jun 2021 15:43:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=73hLMKdVoRqxwgfRW2NqWRHvgNVWFIhcX75t56intpI=; b=T94NfHr8X2vFc56fEztBgSPItjLSlacIfow9DzN/QEbltrt7+fAEhvX0rS924z5ev7 zC4nR/5VzX+loaQf1fg01aQjUhDEpprpYgCHKSS4VTT1iIkxhAMEAwGJXrcW1El2i6A1 7r+UqhYwUe37RjjaFUP3k4ZFp924PnxTasvPgjjTDPW47QDut963yQygBlBmA+eW/e0W /P2A8mrgDrzjlwUH+cdL8qcgFVBM4CYMcY5O0WsDGRGGLGpsC6EB3Aw4jCdVi/0x9zvD gWrkbL+fqmRU+CZqkmc0WRD6Twi8gTVMtbFNIid5D3COW18+0AAZBBMxHIa8KCND/ZTA WxwQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=73hLMKdVoRqxwgfRW2NqWRHvgNVWFIhcX75t56intpI=; b=MoQlI7Su0WY1Fi/xo8VT1nZRwXgvnwFuG47Zu+S9NGkNpzHT0fOTKv1zLk3Sbcvxm/ CIrayFur2S7EDOY8mh3SxAxDmLjpPlo/kU1F8ju4Z+meTR7hmrmGGmGKd+sXOV+cmYOa sRoW2I0QIae9aBjQLaO0ujdN08OB0ihwEPlzCxHASp6FFYvPPkmP4eWX6WxAi1AuA892 gFx6VpDACetuvvo6t9xECUf0cHLi65hWfNf1LokiEt7iVJdyiLoFYFxdtgzqZhq6GewY 0F8FGDe5IhJMKWGF1lonvQ0VNIGnMClF3YCBJZ6j4hdPwRfdhBXgm/ltE0jjBBVcwEcZ +gdA== X-Gm-Message-State: AOAM532OSrd1sXSLUldBKv3d92tUQLOwTpGpp/jsGJtkpKwm6c/rgMJB NXmrdH0KPM8aRIsggYbQ29CEZYZ7ubywOl4LU/ra X-Google-Smtp-Source: ABdhPJw+cPBBLNiR5YTeSVbi5e3DXb/AzCzyp2HNoXUOnsAMd8AlumYblSXH514TyE0NP7bPcOHFVg/m0Zc4pJOvqRo= X-Received: by 2002:aa7:d592:: with SMTP id r18mr1593035edq.269.1624920237966; Mon, 28 Jun 2021 15:43:57 -0700 (PDT) MIME-Version: 1.0 References: <0b926f59-464d-4b67-8f32-329cf9695cf7@t-8ch.de> <696bf938-c9d2-4b18-9f53-b6ff27035a97@t-8ch.de> In-Reply-To: From: Paul Moore Date: Mon, 28 Jun 2021 18:43:46 -0400 Message-ID: Subject: Re: AUDIT_ARCH_ and __NR_syscall constants for seccomp filters To: =?UTF-8?Q?Thomas_Wei=C3=9Fschuh?= Cc: linux-audit@redhat.com, bpf@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org On Mon, Jun 28, 2021 at 1:58 PM Thomas Wei=C3=9Fschuh wrote: > > Hi again! !!! :) > On Mo, 2021-06-28T13:34-0400, Paul Moore wrote: > > On Mon, Jun 28, 2021 at 1:13 PM Thomas Wei=C3=9Fschuh wrote: > > > On Mo, 2021-06-28T12:59-0400, Paul Moore wrote: > > > > On Mon, Jun 28, 2021 at 9:25 AM Thomas Wei=C3=9Fschuh wrote: ... > > Remember that seccomp filters are inherited across forks, so if your > > application loads an ABI specific filter and then fork()/exec()'s an > > application with a different ABI you could be in trouble. We saw this > > some years ago when people started running containers with ABIs other > > than the native system; if the container orchestrator didn't load a > > filter that knew about these non-native ABIs Bad Things happened. > > My application will not be able to spawn any new processes. > It is limited to write() and exit(). > Also this is a low-level system application so it should always be compil= ed for > the native ABI. > So this should not be an issue. > > > I'm sure you are already aware of libseccomp, but if not you may want > > to consider it for your application. Not only does it provide a safe > > and easy way to handle multiple ABIs in a single filter, it handles > > other seccomp problem areas like build/runtime system differences in > > the syscall tables/defines as well as the oddball nature of > > direct-call and multiplexed socket related syscalls, i.e. socketcall() > > vs socket(), etc. > > For a larger application this would be indeed my choice. > But for a small application like mine I don't think it is worth it. > libseccomp for example does provide a way to get the native audit arch: > `uint32_t seccomp_arch_native(void);`. It is implemented by ifdef-ing on > various compiler defines to detect the ABI compiled for. > > I'd like the kernel to provide this out-of-the box, so I don't have to ha= ve the > same ifdefs in my application(s) and keep them up to date. > > I found that the kernel internally already has a definition for my usecas= e: > SECCOMP_ARCH_NATIVE. > It is just not exported to userspace. I'm not sure that keeping the ifdefs up to date is going to be that hard, and honestly that is the right place to do it IMHO. The kernel can support any number of ABIs, but in the narrow use case you are describing in this thread you only care about the ABI of your own application; it doesn't sound like you really care about the kernel's ABI, but rather your application's ABI. > > I'm sorry, but I don't quite understand what you are looking for in > > the header files ... ? It might help if you could provide a concrete > > example of what you would like to see in the header files? > > I want to do something like the follwing inside my program to assemble a > seccomp filter that will be loaded before the error-prone parts of the > application will begin. > > 1: BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_arch), > 2: BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH_NATIVE, 0, $KILL) > 3: BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_nr), > 4: BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, $ALLOW, $KILL), > > In line 4 I can already have the kernel headers provide me the correct sy= scall > number for the ABI my application is compiled for. > > For line 2 however I need to define AUDIT_ARCH_CURRENT on my own instead = of > having a kernel header provide the correct value. --=20 paul moore www.paul-moore.com From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id E6CE8C11F64 for ; Mon, 28 Jun 2021 22:44:17 +0000 (UTC) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 4C66361CC4 for ; Mon, 28 Jun 2021 22:44:17 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 4C66361CC4 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=paul-moore.com Authentication-Results: mail.kernel.org; spf=tempfail smtp.mailfrom=linux-audit-bounces@redhat.com Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-317-R9r64idNPNaDBjNdWvbxzA-1; Mon, 28 Jun 2021 18:44:14 -0400 X-MC-Unique: R9r64idNPNaDBjNdWvbxzA-1 Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 8A0AE804141; Mon, 28 Jun 2021 22:44:10 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id B690B1970E; Mon, 28 Jun 2021 22:44:08 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 4FB111809C99; Mon, 28 Jun 2021 22:44:06 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 15SMi4sF009319 for ; Mon, 28 Jun 2021 18:44:04 -0400 Received: by smtp.corp.redhat.com (Postfix) id DFBC7AEC98; Mon, 28 Jun 2021 22:44:03 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast04.extmail.prod.ext.rdu2.redhat.com [10.11.55.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id D9DD1AEC8F for ; Mon, 28 Jun 2021 22:44:01 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-1.mimecast.com [205.139.110.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 7685B100DE6B for ; Mon, 28 Jun 2021 22:44:01 +0000 (UTC) Received: from mail-ed1-f42.google.com (mail-ed1-f42.google.com [209.85.208.42]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-230-EdMjnYbQOiOD1Myvi73BfA-1; Mon, 28 Jun 2021 18:43:59 -0400 X-MC-Unique: EdMjnYbQOiOD1Myvi73BfA-1 Received: by mail-ed1-f42.google.com with SMTP id df12so28420399edb.2 for ; Mon, 28 Jun 2021 15:43:58 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=73hLMKdVoRqxwgfRW2NqWRHvgNVWFIhcX75t56intpI=; b=ZksZnA/21363quau2Kc02pOra/fgWHd2AdvvwG/zFbM0BdSCKoBxyDCr+lMXaAZq/l TwPBSEfVz6SEq5F0jywkroaLeJ2rE8/3t5aY4SkPGA/Hu4XvKIZkIFVV5S5svMz5uygg jxpLKe2rGMiofYz5EL2XMT2yu+ICoAWqAy2Wsx2iP/aZMqP2b8NjeavTFDLhuGohyMsR ExSnImoiDWeQVlPnd9xLDd1vhpv7Aqh7GqIXICwWNjV4Y+5WGSLcgxbmXVE4a4O/i1Nl ABG4Kn5mm1lcE0wGRgICw6Vi8gxpFg7tJ3kjHHpaolatpyZoxVZArBGJU2yonGPLpFz0 vTSg== X-Gm-Message-State: AOAM530U1Xm7YjoAorPakiHG6+kyNZlHCFRI4D/BLK6wBYSdRfkug9/h +gmxf31r2EcIl/0ZVmXBHeNUuFPj0hm2fsMEVu4c X-Google-Smtp-Source: ABdhPJw+cPBBLNiR5YTeSVbi5e3DXb/AzCzyp2HNoXUOnsAMd8AlumYblSXH514TyE0NP7bPcOHFVg/m0Zc4pJOvqRo= X-Received: by 2002:aa7:d592:: with SMTP id r18mr1593035edq.269.1624920237966; Mon, 28 Jun 2021 15:43:57 -0700 (PDT) MIME-Version: 1.0 References: <0b926f59-464d-4b67-8f32-329cf9695cf7@t-8ch.de> <696bf938-c9d2-4b18-9f53-b6ff27035a97@t-8ch.de> In-Reply-To: From: Paul Moore Date: Mon, 28 Jun 2021 18:43:46 -0400 Message-ID: Subject: Re: AUDIT_ARCH_ and __NR_syscall constants for seccomp filters To: =?UTF-8?Q?Thomas_Wei=C3=9Fschuh?= X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5 X-MIME-Autoconverted: from quoted-printable to 8bit by lists01.pubmisc.prod.ext.phx2.redhat.com id 15SMi4sF009319 X-loop: linux-audit@redhat.com Cc: bpf@vger.kernel.org, linux-audit@redhat.com X-BeenThere: linux-audit@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Linux Audit Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=linux-audit-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 T24gTW9uLCBKdW4gMjgsIDIwMjEgYXQgMTo1OCBQTSBUaG9tYXMgV2Vpw59zY2h1aCA8bGludXhA d2Vpc3NzY2h1aC5uZXQ+IHdyb3RlOgo+Cj4gSGkgYWdhaW4hCgohISEgOikKCj4gT24gTW8sIDIw MjEtMDYtMjhUMTM6MzQtMDQwMCwgUGF1bCBNb29yZSB3cm90ZToKPiA+IE9uIE1vbiwgSnVuIDI4 LCAyMDIxIGF0IDE6MTMgUE0gVGhvbWFzIFdlacOfc2NodWggPGxpbnV4QHdlaXNzc2NodWgubmV0 PiB3cm90ZToKPiA+ID4gT24gTW8sIDIwMjEtMDYtMjhUMTI6NTktMDQwMCwgUGF1bCBNb29yZSB3 cm90ZToKPiA+ID4gPiBPbiBNb24sIEp1biAyOCwgMjAyMSBhdCA5OjI1IEFNIFRob21hcyBXZWnD n3NjaHVoIDxsaW51eEB3ZWlzc3NjaHVoLm5ldD4gd3JvdGU6CgouLi4KCj4gPiBSZW1lbWJlciB0 aGF0IHNlY2NvbXAgZmlsdGVycyBhcmUgaW5oZXJpdGVkIGFjcm9zcyBmb3Jrcywgc28gaWYgeW91 cgo+ID4gYXBwbGljYXRpb24gbG9hZHMgYW4gQUJJIHNwZWNpZmljIGZpbHRlciBhbmQgdGhlbiBm b3JrKCkvZXhlYygpJ3MgYW4KPiA+IGFwcGxpY2F0aW9uIHdpdGggYSBkaWZmZXJlbnQgQUJJIHlv dSBjb3VsZCBiZSBpbiB0cm91YmxlLiAgV2Ugc2F3IHRoaXMKPiA+IHNvbWUgeWVhcnMgYWdvIHdo ZW4gcGVvcGxlIHN0YXJ0ZWQgcnVubmluZyBjb250YWluZXJzIHdpdGggQUJJcyBvdGhlcgo+ID4g dGhhbiB0aGUgbmF0aXZlIHN5c3RlbTsgaWYgdGhlIGNvbnRhaW5lciBvcmNoZXN0cmF0b3IgZGlk bid0IGxvYWQgYQo+ID4gZmlsdGVyIHRoYXQga25ldyBhYm91dCB0aGVzZSBub24tbmF0aXZlIEFC SXMgQmFkIFRoaW5ncyBoYXBwZW5lZC4KPgo+IE15IGFwcGxpY2F0aW9uIHdpbGwgbm90IGJlIGFi bGUgdG8gc3Bhd24gYW55IG5ldyBwcm9jZXNzZXMuCj4gSXQgaXMgbGltaXRlZCB0byB3cml0ZSgp IGFuZCBleGl0KCkuCj4gQWxzbyB0aGlzIGlzIGEgbG93LWxldmVsIHN5c3RlbSBhcHBsaWNhdGlv biBzbyBpdCBzaG91bGQgYWx3YXlzIGJlIGNvbXBpbGVkIGZvcgo+IHRoZSBuYXRpdmUgQUJJLgo+ IFNvIHRoaXMgc2hvdWxkIG5vdCBiZSBhbiBpc3N1ZS4KPgo+ID4gSSdtIHN1cmUgeW91IGFyZSBh bHJlYWR5IGF3YXJlIG9mIGxpYnNlY2NvbXAsIGJ1dCBpZiBub3QgeW91IG1heSB3YW50Cj4gPiB0 byBjb25zaWRlciBpdCBmb3IgeW91ciBhcHBsaWNhdGlvbi4gIE5vdCBvbmx5IGRvZXMgaXQgcHJv dmlkZSBhIHNhZmUKPiA+IGFuZCBlYXN5IHdheSB0byBoYW5kbGUgbXVsdGlwbGUgQUJJcyBpbiBh IHNpbmdsZSBmaWx0ZXIsIGl0IGhhbmRsZXMKPiA+IG90aGVyIHNlY2NvbXAgcHJvYmxlbSBhcmVh cyBsaWtlIGJ1aWxkL3J1bnRpbWUgc3lzdGVtIGRpZmZlcmVuY2VzIGluCj4gPiB0aGUgc3lzY2Fs bCB0YWJsZXMvZGVmaW5lcyBhcyB3ZWxsIGFzIHRoZSBvZGRiYWxsIG5hdHVyZSBvZgo+ID4gZGly ZWN0LWNhbGwgYW5kIG11bHRpcGxleGVkIHNvY2tldCByZWxhdGVkIHN5c2NhbGxzLCBpLmUuIHNv Y2tldGNhbGwoKQo+ID4gdnMgc29ja2V0KCksIGV0Yy4KPgo+IEZvciBhIGxhcmdlciBhcHBsaWNh dGlvbiB0aGlzIHdvdWxkIGJlIGluZGVlZCBteSBjaG9pY2UuCj4gQnV0IGZvciBhIHNtYWxsIGFw cGxpY2F0aW9uIGxpa2UgbWluZSBJIGRvbid0IHRoaW5rIGl0IGlzIHdvcnRoIGl0Lgo+IGxpYnNl Y2NvbXAgZm9yIGV4YW1wbGUgZG9lcyBwcm92aWRlIGEgd2F5IHRvIGdldCB0aGUgbmF0aXZlIGF1 ZGl0IGFyY2g6Cj4gYHVpbnQzMl90IHNlY2NvbXBfYXJjaF9uYXRpdmUodm9pZCk7YC4gSXQgaXMg aW1wbGVtZW50ZWQgYnkgaWZkZWYtaW5nIG9uCj4gdmFyaW91cyBjb21waWxlciBkZWZpbmVzIHRv IGRldGVjdCB0aGUgQUJJIGNvbXBpbGVkIGZvci4KPgo+IEknZCBsaWtlIHRoZSBrZXJuZWwgdG8g cHJvdmlkZSB0aGlzIG91dC1vZi10aGUgYm94LCBzbyBJIGRvbid0IGhhdmUgdG8gaGF2ZSB0aGUK PiBzYW1lIGlmZGVmcyBpbiBteSBhcHBsaWNhdGlvbihzKSBhbmQga2VlcCB0aGVtIHVwIHRvIGRh dGUuCj4KPiBJIGZvdW5kIHRoYXQgdGhlIGtlcm5lbCBpbnRlcm5hbGx5IGFscmVhZHkgaGFzIGEg ZGVmaW5pdGlvbiBmb3IgbXkgdXNlY2FzZToKPiBTRUNDT01QX0FSQ0hfTkFUSVZFLgo+IEl0IGlz IGp1c3Qgbm90IGV4cG9ydGVkIHRvIHVzZXJzcGFjZS4KCkknbSBub3Qgc3VyZSB0aGF0IGtlZXBp bmcgdGhlIGlmZGVmcyB1cCB0byBkYXRlIGlzIGdvaW5nIHRvIGJlIHRoYXQKaGFyZCwgYW5kIGhv bmVzdGx5IHRoYXQgaXMgdGhlIHJpZ2h0IHBsYWNlIHRvIGRvIGl0IElNSE8uICBUaGUga2VybmVs CmNhbiBzdXBwb3J0IGFueSBudW1iZXIgb2YgQUJJcywgYnV0IGluIHRoZSBuYXJyb3cgdXNlIGNh c2UgeW91IGFyZQpkZXNjcmliaW5nIGluIHRoaXMgdGhyZWFkIHlvdSBvbmx5IGNhcmUgYWJvdXQg dGhlIEFCSSBvZiB5b3VyIG93bgphcHBsaWNhdGlvbjsgaXQgZG9lc24ndCBzb3VuZCBsaWtlIHlv dSByZWFsbHkgY2FyZSBhYm91dCB0aGUga2VybmVsJ3MKQUJJLCBidXQgcmF0aGVyIHlvdXIgYXBw bGljYXRpb24ncyBBQkkuCgo+ID4gSSdtIHNvcnJ5LCBidXQgSSBkb24ndCBxdWl0ZSB1bmRlcnN0 YW5kIHdoYXQgeW91IGFyZSBsb29raW5nIGZvciBpbgo+ID4gdGhlIGhlYWRlciBmaWxlcyAuLi4g PyAgSXQgbWlnaHQgaGVscCBpZiB5b3UgY291bGQgcHJvdmlkZSBhIGNvbmNyZXRlCj4gPiBleGFt cGxlIG9mIHdoYXQgeW91IHdvdWxkIGxpa2UgdG8gc2VlIGluIHRoZSBoZWFkZXIgZmlsZXM/Cj4K PiBJIHdhbnQgdG8gZG8gc29tZXRoaW5nIGxpa2UgdGhlIGZvbGx3aW5nIGluc2lkZSBteSBwcm9n cmFtIHRvIGFzc2VtYmxlIGEKPiBzZWNjb21wIGZpbHRlciB0aGF0IHdpbGwgYmUgbG9hZGVkIGJl Zm9yZSB0aGUgZXJyb3ItcHJvbmUgcGFydHMgb2YgdGhlCj4gYXBwbGljYXRpb24gd2lsbCBiZWdp bi4KPgo+IDE6IEJQRl9TVE1UKEJQRl9MRCB8IEJQRl9XIHwgQlBGX0FCUywgc3lzY2FsbF9hcmNo KSwKPiAyOiBCUEZfSlVNUChCUEZfSk1QIHwgQlBGX0pFUSB8IEJQRl9LLCBTRUNDT01QX0FSQ0hf TkFUSVZFLCAwLCAkS0lMTCkKPiAzOiBCUEZfU1RNVChCUEZfTEQgfCBCUEZfVyB8IEJQRl9BQlMs IHN5c2NhbGxfbnIpLAo+IDQ6IEJQRl9KVU1QKEJQRl9KTVAgfCBCUEZfSkVRIHwgQlBGX0ssIF9f TlJfd3JpdGUsICRBTExPVywgJEtJTEwpLAo+Cj4gSW4gbGluZSA0IEkgY2FuIGFscmVhZHkgaGF2 ZSB0aGUga2VybmVsIGhlYWRlcnMgcHJvdmlkZSBtZSB0aGUgY29ycmVjdCBzeXNjYWxsCj4gbnVt YmVyIGZvciB0aGUgQUJJIG15IGFwcGxpY2F0aW9uIGlzIGNvbXBpbGVkIGZvci4KPgo+IEZvciBs aW5lIDIgaG93ZXZlciBJIG5lZWQgdG8gZGVmaW5lIEFVRElUX0FSQ0hfQ1VSUkVOVCBvbiBteSBv d24gaW5zdGVhZCBvZgo+IGhhdmluZyBhIGtlcm5lbCBoZWFkZXIgcHJvdmlkZSB0aGUgY29ycmVj dCB2YWx1ZS4KCi0tIApwYXVsIG1vb3JlCnd3dy5wYXVsLW1vb3JlLmNvbQoKCi0tCkxpbnV4LWF1 ZGl0IG1haWxpbmcgbGlzdApMaW51eC1hdWRpdEByZWRoYXQuY29tCmh0dHBzOi8vbGlzdG1hbi5y ZWRoYXQuY29tL21haWxtYW4vbGlzdGluZm8vbGludXgtYXVkaXQ=