From: "Michael Kerrisk (man-pages)"
Subject: Re: richacl(7) man page review comments
Date: Tue, 23 Feb 2016 11:58:18 +0100
Message-ID: <56CC3B4A.7070204@gmail.com>
To: Andreas Gruenbacher
Cc: mtk.manpages@gmail.com, "J. Bruce Fields", linux-ext4, XFS Developers, lkml, linux-fsdevel, Linux NFS Mailing List, linux-cifs@vger.kernel.org, Linux API, Dave Chinner, Christoph Hellwig, Anna Schumaker, Trond Myklebust, Jeff Layton, Andreas Dilger

Hi Andreas,

On 02/22/2016 03:46 PM, Andreas Gruenbacher wrote:
> Hi Michael,
>
> On Sun, Feb 21, 2016 at 10:40 PM, Michael Kerrisk (man-pages)
> wrote:
>> I've once more pulled from the latest git; here's some more comments.
>
> thanks again. I've updated the repo with your changes. Next round :-).

Just a few quick comments while I'm on a train ride.

> .\"
> .\" RichACL Manual Pages
> .\"
> .\" Copyright (C) 2015,2016 Red Hat, Inc.
> .\" Written by Andreas Gruenbacher
> .\" This is free documentation; you can redistribute it and/or
> .\" modify it under the terms of the GNU General Public License as
> .\" published by the Free Software Foundation; either version 2 of
> .\" the License, or (at your option) any later version.
> .\"
> .\" The GNU General Public License's references to "object code"
> .\" and "executables" are to be interpreted as the output of any
> .\" document formatting or typesetting system, including
> .\" intermediate and printed output.
> .\"
> .\" This manual is distributed in the hope that it will be useful,
> .\" but WITHOUT ANY WARRANTY; without even the implied warranty of
> .\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> .\" GNU General Public License for more details.
> .\"
> .\" You should have received a copy of the GNU General Public
> .\" License along with this manual. If not, see
> .\" .
> .\"
> .de URL
> \\$2 \(laURL: \\$1 \(ra\\$3
> ..
> .if \n[.g] .mso www.tmac
> .TH RICHACL 7 2015-09-01 "Linux" "Rich Access Control Lists"
> .SH NAME
> richacl \- Rich Access Control Lists
> .SH DESCRIPTION
> Rich Access Control Lists (RichACLs) are an extension of the POSIX file
> permission model (see
> .BR acl (5))
> to support
> .URL https://tools.ietf.org/rfc/rfc5661.txt "NFSv4 Access Control Lists"
> on local and remote-mounted filesystems.
>
> A RichACL can always be translated into an equivalent NFSv4 ACL which grants
> the same permissions.
>
> RichACLs can be enabled on supported local filesystems (currently, ext4 and
> XFS). The in-kernel NFSv4 server and client also include RichACL support.
>
> Enabling RichACLs disables POSIX Access Control Lists; the two ACL models
> cannot coexist on the same filesystem.
>
> When used on a filesystem that does not support RichACLs, the
> .BR getrichacl (1)
> and
> .BR setrichacl (1)
> utilities will operate on the file permission bits instead:
> .BR getrichacl (1)
> will display the file permission bits as a RichACL; when a RichACL
> is set with
> .BR setrichacl (1)
> which can be represented exactly by the file permission bits,
> .BR setrichacl (1)
> will set the file permission bits instead. An attempt to set a RichACL that
> cannot be represented exactly by the file permission bits results in an error.
>
> .SS Structure of RichACLs
>
> RichACLs consist of a number of ACL entries, three file masks, and a set of
> flags specifying attributes of the ACL as a whole (by contrast with the
> per-ACL-entry flags described below).
>
> Each of the ACL entries allows or denies some permissions to a particular user,
> group, or special identifier. An ACL entry consists of four fields:
>
> .IP \(bu 2
> A tag which specifies the user, group, or special identifier the entry applies
> to. Special identifiers can be the file owner
> .RB ( owner@ ),
> the owning group
> .RB ( group@ ),
> or everyone
> .RB ( everyone@ ).
> .IP \(bu
> A set of permissions the entry allows or denies.
> .IP \(bu
> A set of flags that indicate whether the user or group identifier is mapped or
> unmapped, and whether the entry has been and can be inherited.
> .IP \(bu
> A type field indicating whether the entry allows or denies the permissions
> specified in the second field.
> .PP
> The owner, group, and other file masks further control which permissions the
> ACL grants, subject to the
> .BR masked "\ (" m )
> and
> .BR write_through "\ (" w )
> ACL flags: when the permissions of a file or directory are changed with
> .BR chmod (2),
> the file masks are set based on the new file mode, and the
> .B masked
> and
> .B write_through
> ACL flags are set. Likewise, when a new file or directory inherits an ACL from
> its parent directory, the file masks are set to the intersection between the
> permissions granted by the inherited ACL and the
> .I mode
> parameter as given to
> .BR open "(2), " mkdir (2),
> and similar, and the
> .B masked
> ACL flag is set. In both cases, the file masks limit the permissions that the
> ACL will grant.
>
> The purpose of the file masks is to allow traditional POSIX applications which
> are unaware of RichACLs to place limits on the permissions granted by the
> RichACL without causing the ACL entries to be modified. Without the file mask,
> the only alternative would be for the kernel to directly modify the ACL
> entries. However, this latter approach could have a "hysteresis effect",
> whereby a RichACL-unaware application that performs a transition from one file
> mode to another file mode and then back to the original file mode could cause
> destruction of the permission information in ACL entries. When creating files
> or directories, the
> .I mode
> parameter to
> .BR open "(2), " mkdir (2),
> and similar would cause the same effect.

s/cause/have/

>
> Note that entries with the identifier
> .B everyone@
> apply to all processes, whereas the \(lqother\(rq file permissions and
> \(lqother\(rq entries in POSIX ACLs apply to all processes which are not the

So, I still think it's helpful to mention ACL_OTHER here. How about:

s/\\(lqother\\(rq/\\(lqother\\(rq (\\fBACL_OTHER\\fP)/

> owner, are not in the owning group, and do not match a user or group mentioned
> in the ACL.
>
> Unlike POSIX ACLs, RichACLs do not have separate \(lqaccess\(rq ACLs that
> define the access permissions and \(lqdefault\(rq ACLs that define the
> inheritable permissions. Instead, flags on each ACL entry determine whether
> the entry is effective during access checks and/or inheritable.
>
>
> .SS ACL flags
>
> The following ACL flags are defined:
>
> .TP
> .BR masked "\ (" m )
> When set, the file masks define upper limits on the permissions the ACL may
> grant. When not set, the file masks are ignored.
> .TP
> .BR write_through "\ (" w )
> When this flag and the
> .B masked
> flag are both set, the owner and other file masks define the actual permissions
> granted to the file owner and to others instead of defining an upper limit.
> When the
> .B masked
> flag is not set, the
> .B write_through
> flag has no effect.
> .TP
> .BR auto_inherit "\ (" a )
> Automatic Inheritance is enabled. See
> .IR "Automatic Inheritance" .
> .TP
> .BR protected "\ (" p )
> The ACL is protected from modification by Automatic
> Inheritance.
> .TP
> .BR defaulted "\ (" d )
> Indicates that the ACL has been assigned in an application-dependent way when
> the file or directory was created; it has neither been inherited nor set
> explicitly. ACLs of files created on Linux will never have the
> .B defaulted
> flag set, but the flag may be set on files created on or copied over from
> other operating systems. When this flag is set for an ACL, Automatic
> Inheritance will completely replace the ACL.
>
> .SS ACL entry flags
>
> The following flags on ACL entries are defined:
>
> .TP
> .BR file_inherit "\ (" f )
> When this flag appears in the ACL entry of a directory, then:
> .RS
> .IP \(bu 2
> That entry is inherited by new files created in the directory such that the
> permissions of the entry apply to the file (the inheritance flags of the
> inherited entry are cleared).
> .IP \(bu
> The entry is inherited by new subdirectories created in the directory such
> that the permissions of the entry will apply to new files created in the
> subdirectory.
> .RE
> .TP
> .BR dir_inherit "\ (" d )
> When this flag appears in the ACL entry of a directory, then that entry is
> inherited by new subdirectories created in the directory such that the
> permissions of the entry apply to the subdirectory (the
> .B inherit_only
> flag is cleared).
> .TP
> .BR no_propagate "\ (" n )
> Inheritance stops at the next subdirectory level. When a file or directory
> inherits an entry that has this flag set, the
> .BR file_inherit ", " dir_inherit ", " no_propagate ", and " inherit_only
> flags are cleared.
> .TP
> .BR inherit_only "\ (" i )
> The entry defines inheritable permissions only and is ignored for access
> checking. When a file or directory inherits an entry that has this flag set,
> the flag is cleared.
> .TP
> .BR inherited "\ (" a )
> The entry has been automatically inherited from the parent directory.
> .TP
> .BR unmapped "\ (" u )
> The user or group identifier is a textual string and is not mapped to a numeric
> user or group identifier. ACLs with unmapped identifiers can occur on NFSv4
> mounted filesystems when the client cannot determine numeric user or group
> identifiers for some of the NFSv4 user@domain or group@domain who values. They
> cannot be assigned to local files or directories.
>
> .SS Permissions
>
> The following permissions are defined for RichACL entries and for the three
> file masks:
>
> .TP
> .BR read_data " / " list_directory "\ (" r )
> For a file: read the data of the file.
> For a directory: list the contents of the directory.
> .TP
> .BR write_data " / " add_file "\ (" w )
> For a file: modify the data of the file; does not include opening the file in
> append mode.
> For a directory: add a new file in the directory.
> .TP
> .BR append_data " / " add_subdirectory "\ (" p )
> For a file: open the file in append mode.
> For a directory: create a subdirectory in the directory.
> .TP
> .BR execute "\ (" x )
> For a file: execute the file.
> For a directory: traverse (search) the directory.
> .TP
> .BR delete_child "\ (" d )
> Delete a file or directory within a directory. This permission is meaningful
> only for directories.
> .TP
> .BR delete "\ (" D )
> Delete the file or directory.
> .TP
> .BR read_attributes "\ (" a )
> Read basic attributes of a file or directory (see
> .BR stat (2)).
> This permission is defined by NFSv4. It is stored, but ignored. Reading basic
> attributes of files and directories is always allowed on Linux.
> .TP
> .BR write_attributes "\ (" A )
> Change the times associated with a file or directory to an arbitrary value.
> This permission is always implicitly granted to the file owner.
> .TP
> .BR read_acl "\ (" c )
> Read the ACL of a file or directory. Like reading the basic file attributes (the
> .B read_attributes
> permission), reading ACLs is always allowed in Linux.
> .TP
> .BR write_acl "\ (" C )
> Change the ACL or file mode of a file or directory.
> .TP
> .BR write_owner "\ (" o )
> Take ownership of a file or directory. Change the owning group of a file or
> directory to a group of which the calling process is a member.
> .TP
> .ad l
> .BR read_named_attrs "\ (" R "), " write_named_attrs "\ (" W "), " synchronize "\ (" S "), " write_retention "\ (" e "), " write_retention_hold "\ (" E )
> .ad
> These permissions are defined by NFSv4 and NFSv4.1. They are stored, but ignored.
> .PP
> For the
> .BR r ", " w ", and " p
> permissions, which have different long forms for files and directories, the
> .BR getrichacl (1)
> utility will output the appropriate form(s) depending on the context.
> The
> .BR setrichacl (1)
> utility will accept either form for any file type.
>
> .SS Text form
> The common textual representation of a RichACL consists of the colon-separated
> fields of the ACL flags, file masks, and ACL entries in the following
> format:
> .TP
> \fBflags:\fR\fIacl_flags\fR
> The ACL flags.
> .TP
> \fBowner:\fR\fIperm\fR\fB::mask\fR, \fBgroup:\fR\fIperm\fR\fB::mask\fR, \fBother:\fR\fIperm\fR\fB::mask\fR
> The file masks and their permissions.
> .TP
> \fIwho\fR\fB:\fR\fIperm\fR\fB:\fR\fIflags\fR\fB:allow\fR, \fIwho\fR\fB:\fR\fIperm\fR\fB:\fR\fIflags\fR\fB:deny\fR
> For each ACL entry, who the entry applies to, the permissions of the entry, the
> entry flags, and the entry type. The \fIwho\fR field is one of the following:
> .RS
> .IP \(bu 2
> One of the special identifiers:
> .BR owner@ ", " group@ ", or " everyone@ ,
> .IP \(bu
> A
> .BR user: " or " u:
> prefix followed by a user name or user ID that designates a specific user,
> .IP \(bu
> A
> .BR group: " or " g:
> prefix followed by a group name or group ID that designates a specific group.
> .RE
> .PP
> The entries are comma, whitespace, or newline separated.

s/entries/fields of an ACL entry/ (?)

>
> Flags and permissions have single-letter as well as long forms, as listed under
> .IR "ACL flags" ,
> .IR "ACL entry flags" ,
> and
> .IR Permissions .
> When the single-letter forms are used, the flags or permissions are
> concatenated. When the long forms are used, the flags or permissions are
> separated by slashes. To align permissions or flags vertically, dashes can be
> used for padding.
>
> .SS Setting and modifying file permissions
> The access permissions for a file can either be set by assigning an Access
> Control List
> .RB ( setrichacl (1))
> or by changing the file mode permission bits
> .RB ( chmod (1)).
> In addition, a file can inherit an ACL from its parent directory at creation
> time as described under
> .IR "Permissions at file-creation time" .
>
> .SS Assigning an Access Control List
> When assigning an ACL to a file, unless explicitly specified, the owner, group,
> and other file masks will be computed from the ACL entries as described in
> the section
> .IR "Computing the maximum file masks" .
> The owner, group, and other file mode permission bits are then each set from
> the owner, group, and other file mask as follows:
> .IP \(bu 2
> If the file mask includes the
> .B r
> permission, the read
> file mode permission bit will be set.
> .IP \(bu
> If the file mask includes the
> .B w
> or
> .B p
> permission, the write file mode permission bit will be set.
> .IP \(bu
> If the file mask includes the
> .B x
> permission, the execute file mode permission bit will be set.
> .PP
> If the ACL can be represented exactly by the file mode permission bits, the
> file permission bits are set to match the ACL and no ACL is stored. (When the
> ACL of a file is requested which doesn't have an ACL, the file mode permission
> bits are converted into an equivalent ACL.)
>
> .SS Changing the file mode permission bits
> When changing the file mode permission bits with
> .BR chmod (1),
> the owner, group, and other file permission bits are set to the permission bits
> in the new mode, and the owner, group, and other file masks are set based on
> the new mode bits as follows:
> .IP \(bu 2
> If the read bit in a set of permissions is set, the
> .B r
> permission in the corresponding file mask will be set.
> .IP \(bu
> If the write bit in a set of permissions is set, the
> .B w
> and
> .B p
> permissions in the corresponding file mask will be set.
> .IP \(bu
> If the execute bit in a set of permissions is set, the
> .B x
> permission in the corresponding file mask will be set.
> .PP
> In addition, the
> .B masked
> and
> .B write_through
> ACL flags are set. This has the
> effect of limiting the permissions granted by the ACL to the file mode
> permission bits; in addition, the owner is granted the owner mode bits and
> others are granted the other mode bits. If the
> .B auto_inherit
> flag is set, the
> .B protected
> flag is also set to prevent the Automatic Inheritance algorithm from modifying
> the ACL.
>
> .SS Permissions at file-creation time
> When a directory has any inheritable ACL entries, the following
> happens when a file or directory is created inside that directory:
> .RS 4

Remove preceding line.

> .IP 1. 4
> A file created inside that directory will inherit all of the ACL entries that
> have the
> .B file_inherit
> flag set, and all inheritance-related flags in the inherited entries flag will
> be cleared.
>
> A subdirectory created inside that directory will inherit all of the ACL
> entries that either have the
> .B dir_inherit
> flag set, or the
> .B file_inherit
> flag set and the
> .B no_propagate
> flag not set. Entries whose
> .B dir_inherit
> flag is set will have their
> .B inherit_only
> flag cleared, and entries whose
> .B dir_inherit
> flag is not set will have their
> .B inherit_only
> flag set. Finally, entries whose
> .B no_propagate
> flag is set will have all inheritance-related flags cleared.
> .IP 2.
> If the parent directory's ACL has the
> .B auto_inherit
> flag set, the inherited ACL will have its

s/the/then the/
(For ease of parsing)

> .B auto_inherit
> flag set, and all entries will have their
> .B inherited
> flag set. Otherwise, the
> .B auto_inherit
> and
> .B inherited
> flags are cleared.
> .IP 3.
> The three file masks are computed from the inherited ACL as described in
> the section
> .IR "Computing the maximum file masks" .
> .IP 4.
> The three sets of permissions for the owner, the group, and for others in
> the \fImode\fR parameter as given to
> .BR open (2),
> .BR mkdir (2),
> and similar are converted into sets of RichACL permissions. The correspondence
> between mask flags and RichACL permission bits is described in the section
> .IR "Changing the file mode permission bits" .
> Any RichACL permissions not included in those sets are
> removed from the owner, group, and other file masks. The file mode permission
> bits are then computed from the file masks as described in the section
> .IR "Assigning an Access Control List" .
> The process umask (see
> .BR umask (2))
> is ignored.
> .IP 5.
> The
> .B masked
> ACL flag is set. The
> .B write_through
> ACL flag remains cleared. In addition, if the
> .B auto_inherit
> flag of the inherited ACL is set, the
> .B protected
> flag is also set to prevent the Automatic Inheritance algorithm from modifying
> the ACL.
> .RE

Remove preceding line.
> .PP
> When a directory does not have inheritable ACL entries, files and directories
> created inside that directory will not be assigned Access Control Lists and the
> file mode permission bits will be set to (\fImode\fR\ &\ ~\fIumask\fR) where
> \fImode\fR is the mode argument of the relevant system call and \fIumask\fR is
> the process umask (see
> .BR umask (2)).
>
> .SS Automatic Inheritance
> Automatic Inheritance is a mechanism that allows permission changes to
> propagate from a directory to files and subdirectories inside that directory,
> recursively. Propagation is carried out by the process changing the directory
> permissions (usually,
> .BR setrichacl (1));
> it happens without user intervention albeit not entirely automatically.
>
> A significant limitation is that this mechanism works only as long as files

s/limitation/limitation of the Automatic Inheritance feature/

> are created without explicitly specifying the file permissions to use. The
> standard system calls for creating files and directories
> .RB ( creat (2),
> .BR open (2),
> .BR mkdir (2),
> .BR mknod (2))

s/)$/,\nand so on)/

(And, I'd drop creat(2) from that list of examples. It's ancient and
obsolete; no need to encourage its use.)

> all have mandatory mode parameters which define the maximum allowed permissions
> of the new files. To take account of this restriction, the
> .B protected
> ACL flag must be set if the
> .B inherited
> flag is set. This effectively disables Automatic Inheritance for that
> particular file.
>
> Notwithstanding the aforementioned limitation, Automatic Inheritance still
> remains useful for network protocols like NFSv4 and SMB, which both support
> creating files and directories without defining their permissions. These
> protocols can implement those operations by using the standard system calls and
> by then undoing the effect of applying the mode parameters.
>
> When the ACL of a directory is changed, the following happens for each entry
> (\(lqchild\(rq) inside that directory:
> .IP 1. 4
> If the entry is a symbolic link, skip the child.
> .IP 2.
> If the
> .B auto_inherit
> flag of the entry's ACL is not set or the
> .B protected
> flag is set, skip the child.
> .IP 3.
> With the child's ACL:
> .RS 4
> .IP a) 4
> If the
> .B defaulted
> flag is set, replace the ACL with an empty ACL
> with the
> .B auto_inherit
> flag set.
> .IP b)
> Delete all entries which have the
> .B inherited
> flag set.
> .IP c)
> Append all entries inherited from the parent directory according to step 1 of
> the algorithm described under
> .IR "Permissions at file-creation time".
> Set the
> .B inherited
> flag of each of these entries.
> .IP d)
> Recompute the file masks.

At the end of the last section, add: as described in the section "...."

> .RE
> .IP 4.
> If the child is a directory, recursively apply this algorithm.
>
> .SS Access check algorithm
>
> When a process requests a particular kind of access (expressed as a set of
> RichACL permissions) to a file, the following algorithm determines whether the
> access is granted or denied:
>
> .IP 1. 4
> If the
> .B masked
> ACL flag is set, then:
> .RS 4
> .IP a) 4
> If the
> .B write_through
> ACL flag is set, then:
> .RS 4
> .IP \(bu 2
> If the requesting process is the file owner, then access is granted if the
> owner mask includes the requested permissions, and is otherwise denied.
> .IP \(bu
> If the requesting process is not the file owner and it is in the owning group or matches any ACL entries other than
> .BR everyone@ ,
> proceed to step b).
> .IP \(bu
> If the requesting process is not the file owner, is not in the owning group,
> and no ACL entries other than
> .B everyone@
> match the process, then access is granted if the other mask includes the
> requested permissions, and is otherwise denied.
> .RE
> .IP b)
> If any of the following is true:
> .RS 4
> .IP \(bu 2
> the requesting process is the file owner and the owner mask does not include all
> requested permissions,
> .IP \(bu
> the requesting process is not the file owner and it is in the owning group or
> matches any ACL entries other than
> .BR everyone@ ,
> and the group mask does not include all requested permissions,
> .IP \(bu
> the requesting process is not the file owner, not in the owning group, it
> matches no ACL entries other than
> .BR everyone@ ,
> and the other mask does not include all requested permissions,
> .PP
> then access is denied.
> .RE
> .RE
> .IP 2.
> Upon reaching this point, the determination of whether or not access is granted
> is made by scanning all ACL entries to see if one or more applicable entries
> together grant a cumulative set of permissions that matches the requested
> permissions or there is an applicable entry that explicitly denies one or more
> of the requested permissions. The scan of all ACL entries begins by first
> initializing the set of remaining permissions (i.e., those that have not yet
> been satisfied during the scan) to be the set of requested permissions. Then
> the ACL entries are scanned
> .IR "in order" ,
> and for each entry:
> .RS 4
> .IP a) 4
> If the
> .B inherit_only
> or
> .B unmapped
> flags are set, continue with the next ACL entry.
> .IP b)
> If any of the following is true:
> .RS 4
> .IP \(bu 2
> the entry's identifier is
> .B owner@
> and the requesting process is the file owner,
> .IP \(bu
> the entry's identifier is
> .B group@
> and the requesting process is in the owning group,
> .IP \(bu
> the entry's identifier is a user and the requesting process is owned by that
> user,
> .IP \(bu
> the entry's identifier is a group and the requesting process is a member in
> that group,
> .IP \(bu
> the entry's identifier is
> .BR everyone@ ,
> .PP
> then the entry matches the process; proceed to the next step. Otherwise,
> continue with the next ACL entry.
> .RE
> .IP c)
> If the entry denies any of the remaining permissions, access is denied.
> .IP d)
> If the entry allows any of the remaining permissions, then:
> .RS 4
> .IP \(bu 2
> If the
> .B masked
> ACL flag is set and the entry's identifier is not
> .B owner@
> or
> .BR everyone@
> or is a user entry matching the file owner, remove all permissions from the
> remaining permissions which are both allowed by the entry and included in the
> group mask,
> .IP \(bu
> Otherwise, remove all permissions from the remaining permissions which are
> allowed by the entry.
> .RE
> .RE
> .IP 3.
> If there are no more remaining permissions, access is allowed. Otherwise,
> access is denied.
> .PP
> In this algorithm, a process can gain the permissions it requires by
> accumulating them from multiple RichACL entries. This is in contrast with
> POSIX ACLs, where access is only granted if an ACL entry exists that matches
> the requesting process and includes all the requested permissions.
>
> .SS Computing the maximum file masks
> When setting an ACL and no file masks have been explicitly specified and when
> inheriting an ACL from the parent directory, the following algorithm is used

s/directory/directory (as described in section "....")/

> for computing the file masks:
>
> .IP 1. 4
> Clear the owner, group, and other file masks. Remember which permissions have
> already been processed (initially, the empty set).
> .IP 2.
> For each ACL entry:
> .RS 4
> .IP \(bu 2
> If the
> .B inherit_only
> flag is set, skip the entry.
> .IP \(bu
> Otherwise, compute which permissions the entry allows or denies that have not
> been processed yet (the remaining permissions).
> .IP \(bu
> If the entry is an
> .B owner@
> entry, add the remaining permissions to the owner mask for
> .B allow
> entries, and remove the remaining permissions from the owner mask for
> .B deny
> entries.
> .IP \(bu
> Otherwise, if the entry is an
> .B everyone@
> entry, proceed as with
> .B owner@
> entries but add or remove the remaining permissions from the owner, group, and
> other file masks.
> .IP \(bu
> Otherwise, proceed as with
> .B owner@
> entries but add or remove the remaining permissions from the owner and group
> file masks.
> .IP \(bu
> Add the entry's permissions to the processed permissions.
> .RE
> .PP
> The resulting file masks represent the ACL as closely as possible. With these
> file masks, the effective permissions that the ACL grants will be the same when
> the
> .B masked
> flag is set as when it is not set.
>
> .\" .SH BUGS
> .SH AUTHOR
> Written by Andreas Grünbacher .
>
> Please send your bug reports, suggested features and comments to the above address.
>
> .SH CONFORMING TO
> Rich Access Control Lists are Linux-specific.
> .SH SEE ALSO
> .BR chmod (1),
> .BR getrichacl (1),
> .BR ls (1),
> .BR setrichacl (1)
> .BR stat (2),
> .BR umask (2),
> .BR acl (5)
> .\" librichacl

So, in terms of actually testing this stuff, is it just a matter of
applying your patch series to the kernel, building the kernel,
pulling the RichACL user-space tools from Git, and mount(8)ing a filesystem with
the right option?
Cheers, Michael --=20 Michael Kerrisk Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/ Linux/UNIX System Programming Training: http://man7.org/training/ -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel= " in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-wm0-f47.google.com ([74.125.82.47]:35110 "EHLO mail-wm0-f47.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750914AbcBWK63 (ORCPT ); Tue, 23 Feb 2016 05:58:29 -0500 Subject: Re: richacl(7) man page review comments To: Andreas Gruenbacher References: <56B770B6.7040803@gmail.com> <56B77262.7090107@gmail.com> <56C0F23C.7030902@gmail.com> <56CA2EEB.9080504@gmail.com> Cc: mtk.manpages@gmail.com, "J. Bruce Fields" , linux-ext4 , XFS Developers , lkml , linux-fsdevel , Linux NFS Mailing List , linux-cifs@vger.kernel.org, Linux API , Dave Chinner , Christoph Hellwig , Anna Schumaker , Trond Myklebust , Jeff Layton , Andreas Dilger From: "Michael Kerrisk (man-pages)" Message-ID: <56CC3B4A.7070204@gmail.com> Date: Tue, 23 Feb 2016 11:58:18 +0100 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Sender: linux-nfs-owner@vger.kernel.org List-ID: Hi Andreas, On 02/22/2016 03:46 PM, Andreas Gruenbacher wrote: > Hi Michael, > > On Sun, Feb 21, 2016 at 10:40 PM, Michael Kerrisk (man-pages) > wrote: >> I've once more pulled from the latest git; here's some more comments. > > thanks again. I've updated the repo with your changes. Next round :-). Just a few quick comments while I'm on a train ride. > .\" > .\" RichACL Manual Pages > .\" > .\" Copyright (C) 2015,2016 Red Hat, Inc. 
> .\" Written by Andreas Gruenbacher > .\" This is free documentation; you can redistribute it and/or > .\" modify it under the terms of the GNU General Public License as > .\" published by the Free Software Foundation; either version 2 of > .\" the License, or (at your option) any later version. > .\" > .\" The GNU General Public License's references to "object code" > .\" and "executables" are to be interpreted as the output of any > .\" document formatting or typesetting system, including > .\" intermediate and printed output. > .\" > .\" This manual is distributed in the hope that it will be useful, > .\" but WITHOUT ANY WARRANTY; without even the implied warranty of > .\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > .\" GNU General Public License for more details. > .\" > .\" You should have received a copy of the GNU General Public > .\" License along with this manual. If not, see > .\" . > .\" > .de URL > \\$2 \(laURL: \\$1 \(ra\\$3 > .. > .if \n[.g] .mso www.tmac > .TH RICHACL 7 2015-09-01 "Linux" "Rich Access Control Lists" > .SH NAME > richacl \- Rich Access Control Lists > .SH DESCRIPTION > Rich Access Control Lists (RichACLs) are an extension of the POSIX file > permission model (see > .BR acl (5)) > to support > .URL https://tools.ietf.org/rfc/rfc5661.txt "NFSv4 Access Control Lists" > on local and remote-mounted filesystems. > > A RichACL can always be translated into an equivalent NFSv4 ACL which grants > the same permissions. > > RichACLs can be enabled on supported local filesystems (currently, ext4 and > XFS). The in-kernel NFSv4 server and client also include RichACL support. > > Enabling RichACLs disables POSIX Access Control Lists; the two ACL models > cannot coexist on the same filesystem. 
>
> When used on a filesystem that does not support RichACLs, the
> .BR getrichacl (1)
> and
> .BR setrichacl (1)
> utilities will operate on the file permission bits instead:
> .BR getrichacl (1)
> will display the file permission bits as a RichACL; when a RichACL
> is set with
> .BR setrichacl (1)
> which can be represented exactly by the file permission bits,
> .BR setrichacl (1)
> will set the file permission bits instead. An attempt to set a RichACL that
> cannot be represented exactly by the file permission bits results in an error.
>
> .SS Structure of RichACLs
>
> RichACLs consist of a number of ACL entries, three file masks, and a set of
> flags specifying attributes of the ACL as a whole (by contrast with the
> per-ACL-entry flags described below).
>
> Each of the ACL entries allows or denies some permissions to a particular user,
> group, or special identifier. An ACL entry consists of four fields:
>
> .IP \(bu 2
> A tag which specifies the user, group, or special identifier the entry applies
> to. Special identifiers can be the file owner
> .RB ( owner@ ),
> the owning group
> .RB ( group@ ),
> or everyone
> .RB ( everyone@ ).
> .IP \(bu
> A set of permissions the entry allows or denies.
> .IP \(bu
> A set of flags that indicate whether the user or group identifier is mapped or
> unmapped, and whether the entry has been and can be inherited.
> .IP \(bu
> A type field indicating whether the entry allows or denies the permissions
> specified in the second field.
> .PP
> The owner, group, and other file masks further control which permissions the
> ACL grants, subject to the
> .BR masked "\ (" m )
> and
> .BR write_through "\ (" w )
> ACL flags: when the permissions of a file or directory are changed with
> .BR chmod (2),
> the file masks are set based on the new file mode, and the
> .B masked
> and
> .B write_through
> ACL flags are set. Likewise, when a new file or directory inherits an ACL from
> its parent directory, the file masks are set to the intersection between the
> permissions granted by the inherited ACL and the
> .I mode
> parameter as given to
> .BR open "(2), " mkdir (2),
> and similar, and the
> .B masked
> ACL flag is set. In both cases, the file masks limit the permissions that the
> ACL will grant.
>
> The purpose of the file masks is to allow traditional POSIX applications which
> are unaware of RichACLs to place limits on the permissions granted by the
> RichACL without causing the ACL entries to be modified. Without the file mask,
> the only alternative would be for the kernel to directly modify the ACL
> entries. However, this latter approach could have a "hysteresis effect",
> whereby a RichACL-unaware application that performs a transition from one file
> mode to another file mode and then back to the original file mode could cause
> destruction of the permission information in ACL entries. When creating files
> or directories, the
> .I mode
> parameter to
> .BR open "(2), " mkdir (2),
> and similar would cause the same effect.

s/cause/have/

>
> Note that entries with the identifier
> .B everyone@
> apply to all processes, whereas the \(lqother\(rq file permissions and
> \(lqother\(rq entries in POSIX ACLs apply to all processes which are not the

So, I still think it's helpful to mention ACL_OTHER here. How about:

s/\\(lqother\\(rq/\\(lqother\\(rq (\\fBACL_OTHER\\fP)/

> owner, are not in the owning group, and do not match a user or group mentioned
> in the ACL.
>
> Unlike POSIX ACLs, RichACLs do not have separate \(lqaccess\(rq ACLs that
> define the access permissions and \(lqdefault\(rq ACLs that define the
> inheritable permissions. Instead, flags on each ACL entry determine whether
> the entry is effective during access checks and/or inheritable.
>
>
> .SS ACL flags
>
> The following ACL flags are defined:
>
> .TP
> .BR masked "\ (" m )
> When set, the file masks define upper limits on the permissions the ACL may
> grant. When not set, the file masks are ignored.
> .TP
> .BR write_through "\ (" w )
> When this flag and the
> .B masked
> flag are both set, the owner and other file masks define the actual permissions
> granted to the file owner and to others instead of defining an upper limit.
> When the
> .B masked
> flag is not set, the
> .B write_through
> flag has no effect.
> .TP
> .BR auto_inherit "\ (" a )
> Automatic Inheritance is enabled. See
> .IR "Automatic Inheritance" .
> .TP
> .BR protected "\ (" p )
> The ACL is protected from modification by Automatic
> Inheritance.
> .TP
> .BR defaulted "\ (" d )
> Indicates that the ACL has been assigned in an application-dependent way when
> the file or directory was created; it has neither been inherited nor set
> explicitly. ACLs of files created on Linux will never have the
> .B defaulted
> flag set, but the flag may be set on files created on or copied over from
> other operating systems. When this flag is set for an ACL, Automatic
> Inheritance will completely replace the ACL.
>
> .SS ACL entry flags
>
> The following flags on ACL entries are defined:
>
> .TP
> .BR file_inherit "\ (" f )
> When this flag appears in the ACL entry of a directory, then:
> .RS
> .IP \(bu 2
> That entry is inherited by new files created in the directory such that the
> permissions of the entry apply to the file (the inheritance flags of the
> inherited entry are cleared).
> .IP \(bu
> The entry is inherited by new subdirectories created in the directory such
> that the permissions of the entry will apply to new files created in the
> subdirectory.
> .RE
> .TP
> .BR dir_inherit "\ (" d )
> When this flag appears in the ACL entry of a directory, then that entry is
> inherited by new subdirectories created in the directory such that the
> permissions of the entry apply to the subdirectory (the
> .B inherit_only
> flag is cleared).
> .TP
> .BR no_propagate "\ (" n )
> Inheritance stops at the next subdirectory level. When a file or directory
> inherits an entry that has this flag set, the
> .BR file_inherit ", " dir_inherit ", " no_propagate ", and " inherit_only
> flags are cleared.
> .TP
> .BR inherit_only "\ (" i )
> The entry defines inheritable permissions only and is ignored for access
> checking. When a file or directory inherits an entry that has this flag set,
> the flag is cleared.
> .TP
> .BR inherited "\ (" a )
> The entry has been automatically inherited from the parent directory.
> .TP
> .BR unmapped "\ (" u )
> The user or group identifier is a textual string and is not mapped to a numeric
> user or group identifier. ACLs with unmapped identifiers can occur on NFSv4
> mounted filesystems when the client cannot determine numeric user or group
> identifiers for some of the NFSv4 user@domain or group@domain who values. They
> cannot be assigned to local files or directories.
>
> .SS Permissions
>
> The following permissions are defined for RichACL entries and for the three
> file masks:
>
> .TP
> .BR read_data " / " list_directory "\ (" r )
> For a file: read the data of the file.
> For a directory: list the contents of the directory.
> .TP
> .BR write_data " / " add_file "\ (" w )
> For a file: modify the data of the file; does not include opening the file in
> append mode.
> For a directory: add a new file in the directory.
> .TP
> .BR append_data " / " add_subdirectory "\ (" p )
> For a file: open the file in append mode.
> For a directory: create a subdirectory in the directory.
> .TP
> .BR execute "\ (" x )
> For a file: execute the file.
> For a directory: traverse (search) the directory.
> .TP
> .BR delete_child "\ (" d )
> Delete a file or directory within a directory. This permission is meaningful
> only for directories.
> .TP
> .BR delete "\ (" D )
> Delete the file or directory.
> .TP
> .BR read_attributes "\ (" a )
> Read basic attributes of a file or directory (see
> .BR stat (2)).
> This permission is defined by NFSv4. It is stored, but ignored. Reading basic
> attributes of files and directories is always allowed on Linux.
> .TP
> .BR write_attributes "\ (" A )
> Change the times associated with a file or directory to an arbitrary value.
> This permission is always implicitly granted to the file owner.
> .TP
> .BR read_acl "\ (" c )
> Read the ACL of a file or directory. Like reading the basic file attributes (the
> .B read_attributes
> permission), reading ACLs is always allowed in Linux.
> .TP
> .BR write_acl "\ (" C )
> Change the ACL or file mode of a file or directory.
> .TP
> .BR write_owner "\ (" o )
> Take ownership of a file or directory. Change the owning group of a file or
> directory to a group of which the calling process is a member.
> .TP
> .ad l
> .BR read_named_attrs "\ (" R "), " write_named_attrs "\ (" W "), " synchronize "\ (" S "), " write_retention "\ (" e "), " write_retention_hold "\ (" E )
> .ad
> These permissions are defined by NFSv4 and NFSv4.1. They are stored, but ignored.
> .PP
> For the
> .BR r ", " w ", and " p
> permissions, which have different long forms for files and directories, the
> .BR getrichacl (1)
> utility will output the appropriate form(s) depending on the context.
> The
> .BR setrichacl (1)
> utility will accept either form for any file type.
>
> .SS Text form
> The common textual representation of a RichACL consists of the colon-separated
> fields of the ACL flags, file masks, and ACL entries in the following
> format:
> .TP
> \fBflags:\fR\fIacl_flags\fR
> The ACL flags.
> .TP
> \fBowner:\fR\fIperm\fR\fB::mask\fR, \fBgroup:\fR\fIperm\fR\fB::mask\fR, \fBother:\fR\fIperm\fR\fB::mask\fR
> The file masks and their permissions.
> .TP
> \fIwho\fR\fB:\fR\fIperm\fR\fB:\fR\fIflags\fR\fB:allow\fR, \fIwho\fR\fB:\fR\fIperm\fR\fB:\fR\fIflags\fR\fB:deny\fR
> For each ACL entry, who the entry applies to, the permissions of the entry, the
> entry flags, and the entry type. The \fIwho\fR field is one of the following:
> .RS
> .IP \(bu 2
> One of the special identifiers:
> .BR owner@ ", " group@ ", or " everyone@ ,
> .IP \(bu
> A
> .BR user: " or " u:
> prefix followed by a user name or user ID that designates a specific user,
> .IP \(bu
> A
> .BR group: " or " g:
> prefix followed by a group name or group ID that designates a specific group.
> .RE
> .PP
> The entries are comma, whitespace, or newline separated.

s/entries/fields of an ACL entry/ (?)

>
> Flags and permissions have single-letter as well as long forms, as listed under
> .IR "ACL flags" ,
> .IR "ACL entry flags" ,
> and
> .IR Permissions .
> When the single-letter forms are used, the flags or permissions are
> concatenated. When the long forms are used, the flags or permissions are
> separated by slashes. To align permissions or flags vertically, dashes can be
> used for padding.
>
> .SS Setting and modifying file permissions
> The access permissions for a file can either be set by assigning an Access
> Control List
> .RB ( setrichacl (1))
> or by changing the file mode permission bits
> .RB ( chmod (1)).
> In addition, a file can inherit an ACL from its parent directory at creation
> time as described under
> .IR "Permissions at file-creation time" .
>
> .SS Assigning an Access Control List
> When assigning an ACL to a file, unless explicitly specified, the owner, group,
> and other file masks will be computed from the ACL entries as described in
> the section
> .IR "Computing the maximum file masks" .
> The owner, group, and other file mode permission bits are then each set from
> the owner, group, and other file mask as follows:
> .IP \(bu 2
> If the file mask includes the
> .B r
> permission, the read
> file mode permission bit will be set.
> .IP \(bu
> If the file mask includes the
> .B w
> or
> .B p
> permission, the write file mode permission bit will be set.
> .IP \(bu
> If the file mask includes the
> .B x
> permission, the execute file mode permission bit will be set.
> .PP
> If the ACL can be represented exactly by the file mode permission bits, the
> file permission bits are set to match the ACL and no ACL is stored. (When the
> ACL of a file is requested which doesn't have an ACL, the file mode permission
> bits are converted into an equivalent ACL.)
>
> .SS Changing the file mode permission bits
> When changing the file mode permission bits with
> .BR chmod (1),
> the owner, group, and other file permission bits are set to the permission bits
> in the new mode, and the owner, group, and other file masks are set based on
> the new mode bits as follows:
> .IP \(bu 2
> If the read bit in a set of permissions is set, the
> .B r
> permission in the corresponding file mask will be set.
> .IP \(bu
> If the write bit in a set of permissions is set, the
> .B w
> and
> .B p
> permissions in the corresponding file mask will be set.
> .IP \(bu
> If the execute bit in a set of permissions is set, the
> .B x
> permission in the corresponding file mask will be set.
> .PP
> In addition, the
> .B masked
> and
> .B write_through
> ACL flags are set. This has the
> effect of limiting the permissions granted by the ACL to the file mode
> permission bits; in addition, the owner is granted the owner mode bits and
> others are granted the other mode bits. If the
> .B auto_inherit
> flag is set, the
> .B protected
> flag is also set to prevent the Automatic Inheritance algorithm from modifying
> the ACL.
>
> .SS Permissions at file-creation time
> When a directory has any inheritable ACL entries, the following
> happens when a file or directory is created inside that directory:
> .RS 4

Remove preceding line.

> .IP 1. 4
> A file created inside that directory will inherit all of the ACL entries that
> have the
> .B file_inherit
> flag set, and all inheritance-related flags in the inherited entries flag will
> be cleared.
>
> A subdirectory created inside that directory will inherit all of the ACL
> entries that either have the
> .B dir_inherit
> flag set, or the
> .B file_inherit
> flag set and the
> .B no_propagate
> flag not set. Entries whose
> .B dir_inherit
> flag is set will have their
> .B inherit_only
> flag cleared, and entries whose
> .B dir_inherit
> flag is not set will have their
> .B inherit_only
> flag set. Finally, entries whose
> .B no_propagate
> flag is set will have all inheritance-related flags cleared.
> .IP 2.
> If the parent directory's ACL has the
> .B auto_inherit
> flag set, the inherited ACL will have its

s/the/then the/
(For ease of parsing)

> .B auto_inherit
> flag set, and all entries will have their
> .B inherited
> flag set. Otherwise, the
> .B auto_inherit
> and
> .B inherited
> flags are cleared.
> .IP 3.
> The three file masks are computed from the inherited ACL as described in
> the section
> .IR "Computing the maximum file masks" .
> .IP 4.
> The three sets of permissions for the owner, the group, and for others in
> the \fImode\fR parameter as given to
> .BR open (2),
> .BR mkdir (2),
> and similar are converted into sets of RichACL permissions. The correspondence
> between mask flags and RichACL permission bits is described in the section
> .IR "Changing the file mode permission bits" .
> Any RichACL permissions not included in those sets are
> removed from the owner, group, and other file masks. The file mode permission
> bits are then computed from the file masks as described in the section
> .IR "Assigning an Access Control List" .
> The process umask (see
> .BR umask (2))
> is ignored.
> .IP 5.
> The
> .B masked
> ACL flag is set. The
> .B write_through
> ACL flag remains cleared. In addition, if the
> .B auto_inherit
> flag of the inherited ACL is set, the
> .B protected
> flag is also set to prevent the Automatic Inheritance algorithm from modifying
> the ACL.
> .RE

Remove preceding line.

> .PP
> When a directory does not have inheritable ACL entries, files and directories
> created inside that directory will not be assigned Access Control Lists and the
> file mode permission bits will be set to (\fImode\fR\ &\ ~\fIumask\fR) where
> \fImode\fR is the mode argument of the relevant system call and \fIumask\fR is
> the process umask (see
> .BR umask (2)).
>
> .SS Automatic Inheritance
> Automatic Inheritance is a mechanism that allows permission changes to
> propagate from a directory to files and subdirectories inside that directory,
> recursively. Propagation is carried out by the process changing the directory
> permissions (usually,
> .BR setrichacl (1));
> it happens without user intervention albeit not entirely automatically.
>
> A significant limitation is that this mechanism works only as long as files

s/limitation/limitation of the Automatic Inheritance feature/

> are created without explicitly specifying the file permissions to use. The
> standard system calls for creating files and directories
> .RB ( creat (2),
> .BR open (2),
> .BR mkdir (2),
> .BR mknod (2))

s/)$/,\nand so on)/

(And, I'd drop creat(2) from that list of examples. It's ancient and obsolete;
no need to encourage its use.)

> all have mandatory mode parameters which define the maximum allowed permissions
> of the new files. To take account of this restriction, the
> .B protected
> ACL flag must be set if the
> .B inherited
> flag is set. This effectively disables Automatic Inheritance for that
> particular file.
>
> Notwithstanding the aforementioned limitation, Automatic Inheritance still
> remains useful for network protocols like NFSv4 and SMB, which both support
> creating files and directories without defining their permissions. These
> protocols can implement those operations by using the standard system calls and
> by then undoing the effect of applying the mode parameters.
>
> When the ACL of a directory is changed, the following happens for each entry
> (\(lqchild\(rq) inside that directory:
> .IP 1. 4
> If the entry is a symbolic link, skip the child.
> .IP 2.
> If the
> .B auto_inherit
> flag of the entry's ACL is not set or the
> .B protected
> flag is set, skip the child.
> .IP 3.
> With the child's ACL:
> .RS 4
> .IP a) 4
> If the
> .B defaulted
> flag is set, replace the ACL with an empty ACL
> with the
> .B auto_inherit
> flag set.
> .IP b)
> Delete all entries which have the
> .B inherited
> flag set.
> .IP c)
> Append all entries inherited from the parent directory according to step 1 of
> the algorithm described under
> .IR "Permissions at file-creation time".
> Set the
> .B inherited
> flag of each of these entries.
> .IP d)
> Recompute the file masks.

At the end of the last section, add: as described in the section "...."

> .RE
> .IP 4.
> If the child is a directory, recursively apply this algorithm.
>
> .SS Access check algorithm
>
> When a process requests a particular kind of access (expressed as a set of
> RichACL permissions) to a file, the following algorithm determines whether the
> access is granted or denied:
>
> .IP 1. 4
> If the
> .B masked
> ACL flag is set, then:
> .RS 4
> .IP a) 4
> If the
> .B write_through
> ACL flag is set, then:
> .RS 4
> .IP \(bu 2
> If the requesting process is the file owner, then access is granted if the
> owner mask includes the requested permissions, and is otherwise denied.
> .IP \(bu
> If the requesting process is not the file owner and it is in the owning group or matches any ACL entries other than
> .BR everyone@ ,
> proceed to step b).
> .IP \(bu
> If the requesting process is not the file owner, is not in the owning group,
> and no ACL entries other than
> .B everyone@
> match the process, then access is granted if the other mask includes the
> requested permissions, and is otherwise denied.
> .RE
> .IP b)
> If any of the following is true:
> .RS 4
> .IP \(bu 2
> the requesting process is the file owner and the owner mask does not include all
> requested permissions,
> .IP \(bu
> the requesting process is not the file owner and it is in the owning group or
> matches any ACL entries other than
> .BR everyone@ ,
> and the group mask does not include all requested permissions,
> .IP \(bu
> the requesting process is not the file owner, not in the owning group, it
> matches no ACL entries other than
> .BR everyone@ ,
> and the other mask does not include all requested permissions,
> .PP
> then access is denied.
> .RE
> .RE
> .IP 2.
> Upon reaching this point, the determination of whether or not access is granted
> is made by scanning all ACL entries to see if one or more applicable entries
> together grant a cumulative set of permissions that matches the requested
> permissions or there is an applicable entry that explicitly denies one or more
> of the requested permissions. The scan of all ACL entries begins by first
> initializing the set of remaining permissions (i.e., those that have not yet
> been satisfied during the scan) to be the set of requested permissions. Then
> the ACL entries are scanned
> .IR "in order" ,
> and for each entry:
> .RS 4
> .IP a) 4
> If the
> .B inherit_only
> or
> .B unmapped
> flags are set, continue with the next ACL entry.
> .IP b)
> If any of the following is true:
> .RS 4
> .IP \(bu 2
> the entry's identifier is
> .B owner@
> and the requesting process is the file owner,
> .IP \(bu
> the entry's identifier is
> .B group@
> and the requesting process is in the owning group,
> .IP \(bu
> the entry's identifier is a user and the requesting process is owned by that
> user,
> .IP \(bu
> the entry's identifier is a group and the requesting process is a member in
> that group,
> .IP \(bu
> the entry's identifier is
> .BR everyone@ ,
> .PP
> then the entry matches the process; proceed to the next step. Otherwise,
> continue with the next ACL entry.
> .RE
> .IP c)
> If the entry denies any of the remaining permissions, access is denied.
> .IP d)
> If the entry allows any of the remaining permissions, then:
> .RS 4
> .IP \(bu 2
> If the
> .B masked
> ACL flag is set and the entry's identifier is not
> .B owner@
> or
> .BR everyone@
> or is a user entry matching the file owner, remove all permissions from the
> remaining permissions which are both allowed by the entry and included in the
> group mask,
> .IP \(bu
> Otherwise, remove all permissions from the remaining permissions which are
> allowed by the entry.
> .RE
> .RE
> .IP 3.
> If there are no more remaining permissions, access is allowed. Otherwise,
> access is denied.
> .PP
> In this algorithm, a process can gain the permissions it requires by
> accumulating them from multiple RichACL entries. This is in contrast with
> POSIX ACLs, where access is only granted if an ACL entry exists that matches
> the requesting process and includes all the requested permissions.
>
> .SS Computing the maximum file masks
> When setting an ACL and no file masks have been explicitly specified and when
> inheriting an ACL from the parent directory, the following algorithm is used

s/directory/directory (as described in section "....")/

> for computing the file masks:
>
> .IP 1. 4
> Clear the owner, group, and other file masks. Remember which permissions have
> already been processed (initially, the empty set).
> .IP 2.
> For each ACL entry:
> .RS 4
> .IP \(bu 2
> If the
> .B inherit_only
> flag is set, skip the entry.
> .IP \(bu
> Otherwise, compute which permissions the entry allows or denies that have not
> been processed yet (the remaining permissions).
> .IP \(bu
> If the entry is an
> .B owner@
> entry, add the remaining permissions to the owner mask for
> .B allow
> entries, and remove the remaining permissions from the owner mask for
> .B deny
> entries.
> .IP \(bu
> Otherwise, if the entry is an
> .B everyone@
> entry, proceed as with
> .B owner@
> entries but add or remove the remaining permissions from the owner, group, and
> other file masks.
> .IP \(bu
> Otherwise, proceed as with
> .B owner@
> entries but add or remove the remaining permissions from the owner and group
> file masks.
> .IP \(bu
> Add the entry's permissions to the processed permissions.
> .RE
> .PP
> The resulting file masks represent the ACL as closely as possible. With these
> file masks, the effective permissions that the ACL grants will be the same when
> the
> .B masked
> flag is set as when it is not set.
>
> .\" .SH BUGS
> .SH AUTHOR
> Written by Andreas Grünbacher .
>
> Please send your bug reports, suggested features and comments to the above address.
>
> .SH CONFORMING TO
> Rich Access Control Lists are Linux-specific.
> .SH SEE ALSO
> .BR chmod (1),
> .BR getrichacl (1),
> .BR ls (1),
> .BR setrichacl (1)
> .BR stat (2),
> .BR umask (2),
> .BR acl (5)
> .\" librichacl

So, in terms of actually testing this stuff, is it just a matter of
applying your patch series to the kernel, building the kernel, pulling
the RichACL user-space tools from Git, and mount(8)ing a filesystem
with the right option?

Cheers,

Michael

--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
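
The access check algorithm and the chmod(1) file-mask rules from the quoted man page, modelled in Python as an added example; it is not part of the original message and is not code from the RichACL project. The class and function names, the users alice, bob, carol and dave, and the group staff are constructed for illustration, and step 2d is read as "the entry is none of owner@, everyone@, or a user entry matching the file owner", which is an assumption about the wording.

```python
from collections import namedtuple
from dataclasses import dataclass, field

@dataclass
class Entry:
    who: str                        # owner@, group@, everyone@, user:NAME or group:NAME
    perms: frozenset                # single-letter permissions, e.g. frozenset("rw")
    allow: bool = True              # entry type: allow (True) or deny (False)
    flags: frozenset = frozenset()  # entry flags: "i" inherit_only, "u" unmapped

@dataclass
class Acl:
    entries: list
    flags: set = field(default_factory=set)  # ACL flags: "m" masked, "w" write_through
    owner_mask: frozenset = frozenset()
    group_mask: frozenset = frozenset()
    other_mask: frozenset = frozenset()

File = namedtuple("File", "owner group acl")   # owner and owning group are names
Proc = namedtuple("Proc", "user groups")       # groups is a set of group names

def matches(e, f, p):
    """Step 2b: does entry e apply to process p accessing file f?"""
    if e.who == "owner@":
        return p.user == f.owner
    if e.who == "group@":
        return f.group in p.groups
    if e.who == "everyone@":
        return True
    kind, name = e.who.split(":", 1)
    return p.user == name if kind == "user" else name in p.groups

def check_access(f, p, requested):
    acl, req = f.acl, frozenset(requested)
    is_owner = p.user == f.owner
    # Not the owner, and in the owning group or matched by an entry other than everyone@.
    in_group_class = not is_owner and (f.group in p.groups or any(
        e.who != "everyone@" and matches(e, f, p) for e in acl.entries))
    if "m" in acl.flags:                                  # step 1
        if "w" in acl.flags and (is_owner or not in_group_class):
            # Step 1a: the owner or other mask is the actual permission set.
            return req <= (acl.owner_mask if is_owner else acl.other_mask)
        mask = (acl.owner_mask if is_owner else
                acl.group_mask if in_group_class else acl.other_mask)
        if not req <= mask:                               # step 1b
            return False
    remaining = set(req)                                  # step 2
    for e in acl.entries:
        if e.flags & {"i", "u"} or not matches(e, f, p):  # steps 2a, 2b
            continue
        if not e.allow:
            if e.perms & remaining:                       # step 2c
                return False
            continue
        # Step 2d, assumed reading: the group mask applies unless the entry is
        # owner@, everyone@, or a user entry naming the file owner.
        exempt = e.who in ("owner@", "everyone@", "user:" + f.owner)
        granted = e.perms & acl.group_mask if "m" in acl.flags and not exempt else e.perms
        remaining -= granted
    return not remaining                                  # step 3

def mask_from_bits(bits):
    """chmod rule: read -> r, write -> w and p, execute -> x."""
    return frozenset(("r" if bits & 4 else "") + ("wp" if bits & 2 else "")
                     + ("x" if bits & 1 else ""))

def chmod(f, mode):
    a = f.acl
    a.owner_mask = mask_from_bits(mode >> 6 & 7)
    a.group_mask = mask_from_bits(mode >> 3 & 7)
    a.other_mask = mask_from_bits(mode & 7)
    a.flags |= {"m", "w"}      # masked and write_through are set
    if "a" in a.flags:         # auto_inherit set: protected is set as well
        a.flags.add("p")

def demo():
    # Constructed sample: owner alice, owning group staff, four allow entries.
    acl = Acl([Entry("group@", frozenset("r")), Entry("user:carol", frozenset("wp")),
               Entry("user:bob", frozenset("rw")), Entry("everyone@", frozenset("r"))])
    f = File("alice", "staff", acl)
    bob, carol, dave = Proc("bob", {"bob"}), Proc("carol", {"staff"}), Proc("dave", {"dave"})
    before = list(acl.entries)
    out = {"carol_rw_unmasked": check_access(f, carol, "rw"),  # r via group@, w via user:carol
           "bob_rw_unmasked": check_access(f, bob, "rw")}
    chmod(f, 0o640)
    out["bob_rw_640"] = check_access(f, bob, "rw")   # group mask is r only
    out["bob_r_640"] = check_access(f, bob, "r")
    out["dave_r_640"] = check_access(f, dave, "r")   # other mask is empty
    chmod(f, 0o664)
    out["bob_rw_664"] = check_access(f, bob, "rw")   # entries untouched, access is back
    out["entries_unchanged"] = acl.entries == before
    return out

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The mode round trip 0640 then 0664 only rewrites the three file masks, so bob's entry survives and grants rw again; this is the behaviour the man page contrasts with the "hysteresis effect" of editing ACL entries directly.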
Cj4gY2hlY2tpbmcuICBXaGVuIGEgZmlsZSBvciBkaXJlY3RvcnkgaW5oZXJpdHMgYW4gZW50cnkg dGhhdCBoYXMgdGhpcyBmbGFnIHNldCwKPiB0aGUgZmxhZyBpcyBjbGVhcmVkLgo+IC5UUAo+IC5C UiBpbmhlcml0ZWQgIlwgKCIgYSApCj4gVGhlIGVudHJ5IGhhcyBiZWVuIGF1dG9tYXRpY2FsbHkg aW5oZXJpdGVkIGZyb20gdGhlIHBhcmVudCBkaXJlY3RvcnkuCj4gLlRQCj4gLkJSIHVubWFwcGVk ICJcICgiIHUgKQo+IFRoZSB1c2VyIG9yIGdyb3VwIGlkZW50aWZpZXIgaXMgYSB0ZXh0dWFsIHN0 cmluZyBhbmQgaXMgbm90IG1hcHBlZCB0byBhIG51bWVyaWMKPiB1c2VyIG9yIGdyb3VwIGlkZW50 aWZpZXIuICBBQ0xzIHdpdGggdW5tYXBwZWQgaWRlbnRpZmllcnMgY2FuIG9jY3VyIG9uIE5GU3Y0 Cj4gbW91bnRlZCBmaWxlc3lzdGVtcyB3aGVuIHRoZSBjbGllbnQgY2Fubm90IGRldGVybWluZSBu dW1lcmljIHVzZXIgb3IgZ3JvdXAKPiBpZGVudGlmaWVycyBmb3Igc29tZSBvZiB0aGUgTkZTdjQg dXNlckBkb21haW4gb3IgZ3JvdXBAZG9tYWluIHdobyB2YWx1ZXMuICBUaGV5Cj4gY2Fubm90IGJl IGFzc2lnbmVkIHRvIGxvY2FsIGZpbGVzIG9yIGRpcmVjdG9yaWVzLgo+IAo+IC5TUyBQZXJtaXNz aW9ucwo+IAo+IFRoZSBmb2xsb3dpbmcgcGVybWlzc2lvbnMgYXJlIGRlZmluZWQgZm9yIFJpY2hB Q0wgZW50cmllcyBhbmQgZm9yIHRoZSB0aHJlZQo+IGZpbGUgbWFza3M6Cj4gCj4gLlRQCj4gLkJS IHJlYWRfZGF0YSAiIC8gIiBsaXN0X2RpcmVjdG9yeSAiXCAoIiByICkKPiBGb3IgYSBmaWxlOiBy ZWFkIHRoZSBkYXRhIG9mIHRoZSBmaWxlLgo+IEZvciBhIGRpcmVjdG9yeTogbGlzdCB0aGUgY29u dGVudHMgb2YgdGhlIGRpcmVjdG9yeS4KPiAuVFAKPiAuQlIgd3JpdGVfZGF0YSAiIC8gIiBhZGRf ZmlsZSAiXCAoIiB3ICkKPiBGb3IgYSBmaWxlOiBtb2RpZnkgdGhlIGRhdGEgb2YgdGhlIGZpbGU7 IGRvZXMgbm90IGluY2x1ZGUgb3BlbmluZyB0aGUgZmlsZSBpbgo+IGFwcGVuZCBtb2RlLgo+IEZv ciBhIGRpcmVjdG9yeTogYWRkIGEgbmV3IGZpbGUgaW4gdGhlIGRpcmVjdG9yeS4KPiAuVFAKPiAu QlIgYXBwZW5kX2RhdGEgIiAvICIgYWRkX3N1YmRpcmVjdG9yeSAiXCAoIiBwICkKPiBGb3IgYSBm aWxlOiBvcGVuIHRoZSBmaWxlIGluIGFwcGVuZCBtb2RlLgo+IEZvciBhIGRpcmVjdG9yeTogY3Jl YXRlIGEgc3ViZGlyZWN0b3J5IGluIHRoZSBkaXJlY3RvcnkuCj4gLlRQCj4gLkJSIGV4ZWN1dGUg IlwgKCIgeCApCj4gRm9yIGEgZmlsZTogZXhlY3V0ZSB0aGUgZmlsZS4KPiBGb3IgYSBkaXJlY3Rv cnk6IHRyYXZlcnNlIChzZWFyY2gpIHRoZSBkaXJlY3RvcnkuCj4gLlRQCj4gLkJSIGRlbGV0ZV9j aGlsZCAiXCAoIiBkICkKPiBEZWxldGUgYSBmaWxlIG9yIGRpcmVjdG9yeSB3aXRoaW4gYSBkaXJl 
Y3RvcnkuICBUaGlzIHBlcm1pc3Npb24gaXMgbWVhbmluZ2Z1bAo+IG9ubHkgZm9yIGRpcmVjdG9y aWVzLgo+IC5UUAo+IC5CUiBkZWxldGUgIlwgKCIgRCApCj4gRGVsZXRlIHRoZSBmaWxlIG9yIGRp cmVjdG9yeS4KPiAuVFAKPiAuQlIgcmVhZF9hdHRyaWJ1dGVzICJcICgiIGEgKQo+IFJlYWQgYmFz aWMgYXR0cmlidXRlcyBvZiBhIGZpbGUgb3IgZGlyZWN0b3J5IChzZWUKPiAuQlIgc3RhdCAoMikp Lgo+IFRoaXMgcGVybWlzc2lvbiBpcyBkZWZpbmVkIGJ5IE5GU3Y0LiAgSXQgaXMgc3RvcmVkLCBi dXQgaWdub3JlZC4gIFJlYWRpbmcgYmFzaWMKPiBhdHRyaWJ1dGVzIG9mIGZpbGVzIGFuZCBkaXJl Y3RvcmllcyBpcyBhbHdheXMgYWxsb3dlZCBvbiBMaW51eC4KPiAuVFAKPiAuQlIgd3JpdGVfYXR0 cmlidXRlcyAiXCAoIiBBICkKPiBDaGFuZ2UgdGhlIHRpbWVzIGFzc29jaWF0ZWQgd2l0aCBhIGZp bGUgb3IgZGlyZWN0b3J5IHRvIGFuIGFyYml0cmFyeSB2YWx1ZS4KPiBUaGlzIHBlcm1pc3Npb24g aXMgYWx3YXlzIGltcGxpY2l0bHkgZ3JhbnRlZCB0byB0aGUgZmlsZSBvd25lci4KPiAuVFAKPiAu QlIgcmVhZF9hY2wgIlwgKCIgYyApCj4gUmVhZCB0aGUgQUNMIG9mIGEgZmlsZSBvciBkaXJlY3Rv cnkuIExpa2UgcmVhZGluZyB0aGUgYmFzaWMgZmlsZSBhdHRyaWJ1dGVzICh0aGUKPiAuQiByZWFk X2F0dHJpYnV0ZXMKPiBwZXJtaXNzaW9uKSwgcmVhZGluZyBBQ0xzIGlzIGFsd2F5cyBhbGxvd2Vk IGluIExpbnV4Lgo+IC5UUAo+IC5CUiB3cml0ZV9hY2wgIlwgKCIgQyApCj4gQ2hhbmdlIHRoZSBB Q0wgb3IgZmlsZSBtb2RlIG9mIGEgZmlsZSBvciBkaXJlY3RvcnkuCj4gLlRQCj4gLkJSIHdyaXRl X293bmVyICJcICgiIG8gKQo+IFRha2Ugb3duZXJzaGlwIG9mIGEgZmlsZSBvciBkaXJlY3Rvcnku ICBDaGFuZ2UgdGhlIG93bmluZyBncm91cCBvZiBhIGZpbGUgb3IKPiBkaXJlY3RvcnkgdG8gYSBn cm91cCBvZiB3aGljaCB0aGUgY2FsbGluZyBwcm9jZXNzIGlzIGEgbWVtYmVyLgo+IC5UUAo+IC5h ZCBsCj4gLkJSIHJlYWRfbmFtZWRfYXR0cnMgIlwgKCIgUiAiKSwgIiB3cml0ZV9uYW1lZF9hdHRy cyAiXCAoIiBXICIpLCAiIHN5bmNocm9uaXplICJcICgiIFMgIiksICIgd3JpdGVfcmV0ZW50aW9u ICJcICgiIGUgIiksICIgd3JpdGVfcmV0ZW50aW9uX2hvbGQgIlwgKCIgRSApCj4gLmFkCj4gVGhl c2UgcGVybWlzc2lvbnMgYXJlIGRlZmluZWQgYnkgTkZTdjQgYW5kIE5GU3Y0LjEuICBUaGV5IGFy ZSBzdG9yZWQsIGJ1dCBpZ25vcmVkLgo+IC5QUAo+IEZvciB0aGUKPiAuQlIgciAiLCAiIHcgIiwg YW5kICIgcAo+IHBlcm1pc3Npb25zLCB3aGljaCBoYXZlIGRpZmZlcmVudCBsb25nIGZvcm1zIGZv ciBmaWxlcyBhbmQgZGlyZWN0b3JpZXMsIHRoZQo+IC5CUiBnZXRyaWNoYWNsICgxKQo+IHV0aWxp 
dHkgd2lsbCBvdXRwdXQgdGhlIGFwcHJvcHJpYXRlIGZvcm0ocykgZGVwZW5kaW5nIG9uIHRoZSBj b250ZXh0Lgo+IFRoZQo+IC5CUiBzZXRyaWNoYWNsICgxKQo+IHV0aWxpdHkgd2lsbCBhY2NlcHQg ZWl0aGVyIGZvcm0gZm9yIGFueSBmaWxlIHR5cGUuCj4gCj4gLlNTIFRleHQgZm9ybQo+IFRoZSBj b21tb24gdGV4dHVhbCByZXByZXNlbnRhdGlvbiBvZiBhIFJpY2hBQ0wgY29uc2lzdHMgb2YgdGhl IGNvbG9uLXNlcGFyYXRlZAo+IGZpZWxkcyBvZiB0aGUgQUNMIGZsYWdzLCBmaWxlIG1hc2tzLCBh bmQgQUNMIGVudHJpZXMgaW4gdGhlIGZvbGxvd2luZwo+IGZvcm1hdDoKPiAuVFAKPiBcZkJmbGFn czpcZlJcZklhY2xfZmxhZ3NcZlIKPiBUaGUgQUNMIGZsYWdzLgo+IC5UUAo+IFxmQm93bmVyOlxm UlxmSXBlcm1cZlJcZkI6Om1hc2tcZlIsIFxmQmdyb3VwOlxmUlxmSXBlcm1cZlJcZkI6Om1hc2tc ZlIsIFxmQm90aGVyOlxmUlxmSXBlcm1cZlJcZkI6Om1hc2tcZlIKPiBUaGUgZmlsZSBtYXNrcyBh bmQgdGhlaXIgcGVybWlzc2lvbnMuCj4gLlRQCj4gXGZJd2hvXGZSXGZCOlxmUlxmSXBlcm1cZlJc ZkI6XGZSXGZJZmxhZ3NcZlJcZkI6YWxsb3dcZlIsIFxmSXdob1xmUlxmQjpcZlJcZklwZXJtXGZS XGZCOlxmUlxmSWZsYWdzXGZSXGZCOmRlbnlcZlIKPiBGb3IgZWFjaCBBQ0wgZW50cnksIHdobyB0 aGUgZW50cnkgYXBwbGllcyB0bywgdGhlIHBlcm1pc3Npb25zIG9mIHRoZSBlbnRyeSwgdGhlCj4g ZW50cnkgZmxhZ3MsIGFuZCB0aGUgZW50cnkgdHlwZS4gVGhlIFxmSXdob1xmUiBmaWVsZCBpcyBv bmUgb2YgdGhlIGZvbGxvd2luZzoKPiAuUlMKPiAuSVAgXChidSAyCj4gT25lIG9mIHRoZSBzcGVj aWFsIGlkZW50aWZpZXJzOgo+IC5CUiBvd25lckAgIiwgIiBncm91cEAgIiwgb3IgIiBldmVyeW9u ZUAgLAo+IC5JUCBcKGJ1Cj4gQQo+IC5CUiB1c2VyOiAiIG9yICIgdToKPiBwcmVmaXggZm9sbG93 ZWQgYnkgYSB1c2VyIG5hbWUgb3IgdXNlciBJRCB0aGF0IGRlc2lnbmF0ZXMgYSBzcGVjaWZpYyB1 c2VyLAo+IC5JUCBcKGJ1Cj4gQQo+IC5CUiBncm91cDogIiBvciAiIGc6Cj4gcHJlZml4IGZvbGxv d2VkIGJ5IGEgZ3JvdXAgbmFtZSBvciBncm91cCBJRCB0aGF0IGRlc2lnbmF0ZXMgYSBzcGVjaWZp YyBncm91cC4KPiAuUkUKPiAuUFAKPiBUaGUgZW50cmllcyBhcmUgY29tbWEsIHdoaXRlc3BhY2Us IG9yIG5ld2xpbmUgc2VwYXJhdGVkLgoKcy9lbnRyaWVzL2ZpZWxkcyBvZiBhbiBBQ0wgZW50cnkv ICg/KQoKPiAKPiBGbGFncyBhbmQgcGVybWlzc2lvbnMgaGF2ZSBzaW5nbGUtbGV0dGVyIGFzIHdl bGwgYXMgbG9uZyBmb3JtcywgYXMgbGlzdGVkIHVuZGVyCj4gLklSICJBQ0wgZmxhZ3MiICwKPiAu SVIgIkFDTCBlbnRyeSBmbGFncyIgLAo+IGFuZAo+IC5JUiBQZXJtaXNzaW9ucyAuCj4gV2hlbiB0 
aGUgc2luZ2xlLWxldHRlciBmb3JtcyBhcmUgdXNlZCwgdGhlIGZsYWdzIG9yIHBlcm1pc3Npb25z IGFyZQo+IGNvbmNhdGVuYXRlZC4gV2hlbiB0aGUgbG9uZyBmb3JtcyBhcmUgdXNlZCwgdGhlIGZs YWdzIG9yIHBlcm1pc3Npb25zIGFyZQo+IHNlcGFyYXRlZCBieSBzbGFzaGVzLiAgVG8gYWxpZ24g cGVybWlzc2lvbnMgb3IgZmxhZ3MgdmVydGljYWxseSwgZGFzaGVzIGNhbiBiZQo+IHVzZWQgZm9y IHBhZGRpbmcuCj4gCj4gLlNTIFNldHRpbmcgYW5kIG1vZGlmeWluZyBmaWxlIHBlcm1pc3Npb25z Cj4gVGhlIGFjY2VzcyBwZXJtaXNzaW9ucyBmb3IgYSBmaWxlIGNhbiBlaXRoZXIgYmUgc2V0IGJ5 IGFzc2lnbmluZyBhbiBBY2Nlc3MKPiBDb250cm9sIExpc3QKPiAuUkIgKCBzZXRyaWNoYWNsICgx KSkKPiBvciBieSBjaGFuZ2luZyB0aGUgZmlsZSBtb2RlIHBlcm1pc3Npb24gYml0cwo+IC5SQiAo IGNobW9kICgxKSkuCj4gSW4gYWRkaXRpb24sIGEgZmlsZSBjYW4gaW5oZXJpdCBhbiBBQ0wgZnJv bSBpdHMgcGFyZW50IGRpcmVjdG9yeSBhdCBjcmVhdGlvbgo+IHRpbWUgYXMgZGVzY3JpYmVkIHVu ZGVyCj4gLklSICJQZXJtaXNzaW9ucyBhdCBmaWxlLWNyZWF0aW9uIHRpbWUiIC4KPiAKPiAuU1Mg QXNzaWduaW5nIGFuIEFjY2VzcyBDb250cm9sIExpc3QKPiBXaGVuIGFzc2lnbmluZyBhbiBBQ0wg dG8gYSBmaWxlLCB1bmxlc3MgZXhwbGljaXRseSBzcGVjaWZpZWQsIHRoZSBvd25lciwgZ3JvdXAs Cj4gYW5kIG90aGVyIGZpbGUgbWFza3Mgd2lsbCBiZSBjb21wdXRlZCBmcm9tIHRoZSBBQ0wgZW50 cmllcyBhcyBkZXNjcmliZWQgaW4KPiB0aGUgc2VjdGlvbgo+IC5JUiAiQ29tcHV0aW5nIHRoZSBt YXhpbXVtIGZpbGUgbWFza3MiIC4KPiBUaGUgb3duZXIsIGdyb3VwLCBhbmQgb3RoZXIgZmlsZSBt b2RlIHBlcm1pc3Npb24gYml0cyBhcmUgdGhlbiBlYWNoIHNldCBmcm9tCj4gdGhlIG93bmVyLCBn cm91cCwgYW5kIG90aGVyIGZpbGUgbWFzayBhcyBmb2xsb3dzOgo+IC5JUCBcKGJ1IDIKPiBJZiB0 aGUgZmlsZSBtYXNrIGluY2x1ZGVzIHRoZQo+IC5CIHIKPiBwZXJtaXNzaW9uLCB0aGUgcmVhZAo+ IGZpbGUgbW9kZSBwZXJtaXNzaW9uIGJpdCB3aWxsIGJlIHNldC4KPiAuSVAgXChidQo+IElmIHRo ZSBmaWxlIG1hc2sgaW5jbHVkZXMgdGhlCj4gLkIgdwo+IG9yCj4gLkIgcAo+IHBlcm1pc3Npb24s IHRoZSB3cml0ZSBmaWxlIG1vZGUgcGVybWlzc2lvbiBiaXQgd2lsbCBiZSBzZXQuCj4gLklQIFwo YnUKPiBJZiB0aGUgZmlsZSBtYXNrIGluY2x1ZGVzIHRoZQo+IC5CIHgKPiBwZXJtaXNzaW9uLCB0 aGUgZXhlY3V0ZSBmaWxlIG1vZGUgcGVybWlzc2lvbiBiaXQgd2lsbCBiZSBzZXQuCj4gLlBQCj4g SWYgdGhlIEFDTCBjYW4gYmUgcmVwcmVzZW50ZWQgZXhhY3RseSBieSB0aGUgZmlsZSBtb2RlIHBl 
cm1pc3Npb24gYml0cywgdGhlCj4gZmlsZSBwZXJtaXNzaW9uIGJpdHMgYXJlIHNldCB0byBtYXRj aCB0aGUgQUNMIGFuZCBubyBBQ0wgaXMgc3RvcmVkLiAgKFdoZW4gdGhlCj4gQUNMIG9mIGEgZmls ZSBpcyByZXF1ZXN0ZWQgd2hpY2ggZG9lc24ndCBoYXZlIGFuIEFDTCwgdGhlIGZpbGUgbW9kZSBw ZXJtaXNzaW9uCj4gYml0cyBhcmUgY29udmVydGVkIGludG8gYW4gZXF1aXZhbGVudCBBQ0wuKQo+ IAo+IC5TUyBDaGFuZ2luZyB0aGUgZmlsZSBtb2RlIHBlcm1pc3Npb24gYml0cwo+IFdoZW4gY2hh bmdpbmcgdGhlIGZpbGUgbW9kZSBwZXJtaXNzaW9uIGJpdHMgd2l0aAo+IC5CUiBjaG1vZCAoMSks Cj4gdGhlIG93bmVyLCBncm91cCwgYW5kIG90aGVyIGZpbGUgcGVybWlzc2lvbiBiaXRzIGFyZSBz ZXQgdG8gdGhlIHBlcm1pc3Npb24gYml0cwo+IGluIHRoZSBuZXcgbW9kZSwgYW5kIHRoZSBvd25l ciwgZ3JvdXAsIGFuZCBvdGhlciBmaWxlIG1hc2tzIGFyZSBzZXQgYmFzZWQgb24KPiB0aGUgbmV3 IG1vZGUgYml0cyBhcyBmb2xsb3dzOgo+IC5JUCBcKGJ1IDIKPiBJZiB0aGUgcmVhZCBiaXQgaW4g YSBzZXQgb2YgcGVybWlzc2lvbnMgaXMgc2V0LCB0aGUKPiAuQiByCj4gcGVybWlzc2lvbiBpbiB0 aGUgY29ycmVzcG9uZGluZyBmaWxlIG1hc2sgd2lsbCBiZSBzZXQuCj4gLklQIFwoYnUKPiBJZiB0 aGUgd3JpdGUgYml0IGluIGEgc2V0IG9mIHBlcm1pc3Npb25zIGlzIHNldCwgdGhlCj4gLkIgdwo+ IGFuZAo+IC5CIHAKPiBwZXJtaXNzaW9ucyBpbiB0aGUgY29ycmVzcG9uZGluZyBmaWxlIG1hc2sg d2lsbCBiZSBzZXQuCj4gLklQIFwoYnUKPiBJZiB0aGUgZXhlY3V0ZSBiaXQgaW4gYSBzZXQgb2Yg cGVybWlzc2lvbnMgaXMgc2V0LCB0aGUKPiAuQiB4Cj4gcGVybWlzc2lvbiBpbiB0aGUgY29ycmVz cG9uZGluZyBmaWxlIG1hc2sgd2lsbCBiZSBzZXQuCj4gLlBQCj4gSW4gYWRkaXRpb24sIHRoZQo+ IC5CIG1hc2tlZAo+IGFuZAo+IC5CIHdyaXRlX3Rocm91Z2gKPiBBQ0wgZmxhZ3MgYXJlIHNldC4g VGhpcyBoYXMgdGhlCj4gZWZmZWN0IG9mIGxpbWl0aW5nIHRoZSBwZXJtaXNzaW9ucyBncmFudGVk IGJ5IHRoZSBBQ0wgdG8gdGhlIGZpbGUgbW9kZQo+IHBlcm1pc3Npb24gYml0czsgaW4gYWRkaXRp b24sIHRoZSBvd25lciBpcyBncmFudGVkIHRoZSBvd25lciBtb2RlIGJpdHMgYW5kCj4gb3RoZXJz IGFyZSBncmFudGVkIHRoZSBvdGhlciBtb2RlIGJpdHMuIElmIHRoZQo+IC5CIGF1dG9faW5oZXJp dAo+IGZsYWcgaXMgc2V0LCB0aGUKPiAuQiBwcm90ZWN0ZWQKPiBmbGFnIGlzIGFsc28gc2V0IHRv IHByZXZlbnQgdGhlIEF1dG9tYXRpYyBJbmhlcml0YW5jZSBhbGdvcml0aG0gZnJvbSBtb2RpZnlp bmcKPiB0aGUgQUNMLgo+IAo+IC5TUyBQZXJtaXNzaW9ucyBhdCBmaWxlLWNyZWF0aW9uIHRpbWUK 
PiBXaGVuIGEgZGlyZWN0b3J5IGhhcyBhbnkgaW5oZXJpdGFibGUgQUNMIGVudHJpZXMsIHRoZSBm b2xsb3dpbmcKPiBoYXBwZW5zIHdoZW4gYSBmaWxlIG9yIGRpcmVjdG9yeSBpcyBjcmVhdGVkIGlu c2lkZSB0aGF0IGRpcmVjdG9yeToKPiAuUlMgNAoKUmVtb3ZlIHByZWNlZGluZyBsaW5lLgoKPiAu SVAgMS4gNAo+IEEgZmlsZSBjcmVhdGVkIGluc2lkZSB0aGF0IGRpcmVjdG9yeSB3aWxsIGluaGVy aXQgYWxsIG9mIHRoZSBBQ0wgZW50cmllcyB0aGF0Cj4gaGF2ZSB0aGUKPiAuQiBmaWxlX2luaGVy aXQKPiBmbGFnIHNldCwgYW5kIGFsbCBpbmhlcml0YW5jZS1yZWxhdGVkIGZsYWdzIGluIHRoZSBp bmhlcml0ZWQgZW50cmllcyBmbGFnIHdpbGwKPiBiZSBjbGVhcmVkLgo+IAo+IEEgc3ViZGlyZWN0 b3J5IGNyZWF0ZWQgaW5zaWRlIHRoYXQgZGlyZWN0b3J5IHdpbGwgaW5oZXJpdCBhbGwgb2YgdGhl IEFDTAo+IGVudHJpZXMgdGhhdCBlaXRoZXIgaGF2ZSB0aGUKPiAuQiBkaXJfaW5oZXJpdAo+IGZs YWcgc2V0LCBvciB0aGUKPiAuQiBmaWxlX2luaGVyaXQKPiBmbGFnIHNldCBhbmQgdGhlCj4gLkIg bm9fcHJvcGFnYXRlCj4gZmxhZyBub3Qgc2V0LiAgRW50cmllcyB3aG9zZQo+IC5CIGRpcl9pbmhl cml0Cj4gZmxhZyBpcyBzZXQgd2lsbCBoYXZlIHRoZWlyCj4gLkIgaW5oZXJpdF9vbmx5Cj4gZmxh ZyBjbGVhcmVkLCBhbmQgZW50cmllcyB3aG9zZQo+IC5CIGRpcl9pbmhlcml0Cj4gZmxhZyBpcyBu b3Qgc2V0IHdpbGwgaGF2ZSB0aGVpcgo+IC5CIGluaGVyaXRfb25seQo+IGZsYWcgc2V0LiAgRmlu YWxseSwgZW50cmllcyB3aG9zZQo+IC5CIG5vX3Byb3BhZ2F0ZQo+IGZsYWcgaXMgc2V0IHdpbGwg aGF2ZSBhbGwgaW5oZXJpdGFuY2UtcmVsYXRlZCBmbGFncyBjbGVhcmVkLgo+IC5JUCAyLgo+IElm IHRoZSBwYXJlbnQgZGlyZWN0b3J5J3MgQUNMIGhhcyB0aGUKPiAuQiBhdXRvX2luaGVyaXQKPiBm bGFnIHNldCwgdGhlIGluaGVyaXRlZCBBQ0wgd2lsbCBoYXZlIGl0cwoKcy90aGUvdGhlbiB0aGUv CihGb3IgZWFzZSBvZiBwYXJzaW5nKQoKPiAuQiBhdXRvX2luaGVyaXQKPiBmbGFnIHNldCwgYW5k IGFsbCBlbnRyaWVzIHdpbGwgaGF2ZSB0aGVpcgo+IC5CIGluaGVyaXRlZAo+IGZsYWcgc2V0LiAg T3RoZXJ3aXNlLCB0aGUKPiAuQiBhdXRvX2luaGVyaXQKPiBhbmQKPiAuQiBpbmhlcml0ZWQKPiBm bGFncyBhcmUgY2xlYXJlZC4KPiAuSVAgMy4KPiBUaGUgdGhyZWUgZmlsZSBtYXNrcyBhcmUgY29t cHV0ZWQgZnJvbSB0aGUgaW5oZXJpdGVkIEFDTCBhcyBkZXNjcmliZWQgaW4KPiB0aGUgc2VjdGlv bgo+IC5JUiAiQ29tcHV0aW5nIHRoZSBtYXhpbXVtIGZpbGUgbWFza3MiIC4KPiAuSVAgNC4KPiBU aGUgdGhyZWUgc2V0cyBvZiBwZXJtaXNzaW9ucyBmb3IgdGhlIG93bmVyLCB0aGUgZ3JvdXAsIGFu 
ZCBmb3Igb3RoZXJzIGluCj4gdGhlIFxmSW1vZGVcZlIgcGFyYW1ldGVyIGFzIGdpdmVuIHRvCj4g LkJSIG9wZW4gKDIpLAo+IC5CUiBta2RpciAoMiksCj4gYW5kIHNpbWlsYXIgYXJlIGNvbnZlcnRl ZCBpbnRvIHNldHMgb2YgUmljaEFDTCBwZXJtaXNzaW9ucy4gVGhlIGNvcnJlc3BvbmRlbmNlCj4g YmV0d2VlbiBtYXNrIGZsYWdzIGFuZCBSaWNoQUNMIHBlcm1pc3Npb24gYml0cyBpcyBkZXNjcmli ZWQgaW4gdGhlIHNlY3Rpb24KPiAuSVIgIkNoYW5naW5nIHRoZSBmaWxlIG1vZGUgcGVybWlzc2lv biBiaXRzIiAuCj4gQW55IFJpY2hBQ0wgcGVybWlzc2lvbnMgbm90IGluY2x1ZGVkIGluIHRob3Nl IHNldHMgYXJlCj4gcmVtb3ZlZCBmcm9tIHRoZSBvd25lciwgZ3JvdXAsIGFuZCBvdGhlciBmaWxl IG1hc2tzLiBUaGUgZmlsZSBtb2RlIHBlcm1pc3Npb24KPiBiaXRzIGFyZSB0aGVuIGNvbXB1dGVk IGZyb20gdGhlIGZpbGUgbWFza3MgYXMgZGVzY3JpYmVkIGluIHRoZSBzZWN0aW9uCj4gLklSICJB c3NpZ25pbmcgYW4gQWNjZXNzIENvbnRyb2wgTGlzdCIgLgo+IFRoZSBwcm9jZXNzIHVtYXNrIChz ZWUKPiAuQlIgdW1hc2sgKDIpKQo+IGlzIGlnbm9yZWQuCj4gLklQIDUuCj4gVGhlCj4gLkIgbWFz a2VkCj4gQUNMIGZsYWcgaXMgc2V0LiBUaGUKPiAuQiB3cml0ZV90aHJvdWdoCj4gQUNMIGZsYWcg cmVtYWlucyBjbGVhcmVkLiBJbiBhZGRpdGlvbiwgaWYgdGhlCj4gLkIgYXV0b19pbmhlcml0Cj4g ZmxhZyBvZiB0aGUgaW5oZXJpdGVkIEFDTCBpcyBzZXQsIHRoZQo+IC5CIHByb3RlY3RlZAo+IGZs YWcgaXMgYWxzbyBzZXQgdG8gcHJldmVudCB0aGUgQXV0b21hdGljIEluaGVyaXRhbmNlIGFsZ29y aXRobSBmcm9tIG1vZGlmeWluZwo+IHRoZSBBQ0wuCj4gLlJFCgpSZW1vdmUgcHJlY2VkaW5nIGxp bmUuCgo+IC5QUAo+IFdoZW4gYSBkaXJlY3RvcnkgZG9lcyBub3QgaGF2ZSBpbmhlcml0YWJsZSBB Q0wgZW50cmllcywgZmlsZXMgYW5kIGRpcmVjdG9yaWVzCj4gY3JlYXRlZCBpbnNpZGUgdGhhdCBk aXJlY3Rvcnkgd2lsbCBub3QgYmUgYXNzaWduZWQgQWNjZXNzIENvbnRyb2wgTGlzdHMgYW5kIHRo ZQo+IGZpbGUgbW9kZSBwZXJtaXNzaW9uIGJpdHMgd2lsbCBiZSBzZXQgdG8gKFxmSW1vZGVcZlJc ICZcIH5cZkl1bWFza1xmUikgd2hlcmUKPiBcZkltb2RlXGZSIGlzIHRoZSBtb2RlIGFyZ3VtZW50 IG9mIHRoZSByZWxldmFudCBzeXN0ZW0gY2FsbCBhbmQgXGZJdW1hc2tcZlIgaXMKPiB0aGUgcHJv Y2VzcyB1bWFzayAoc2VlCj4gLkJSIHVtYXNrICgyKSkuCj4gCj4gLlNTIEF1dG9tYXRpYyBJbmhl cml0YW5jZQo+IEF1dG9tYXRpYyBJbmhlcml0YW5jZSBpcyBhIG1lY2hhbmlzbSB0aGF0IGFsbG93 cyBwZXJtaXNzaW9uIGNoYW5nZXMgdG8KPiBwcm9wYWdhdGUgZnJvbSBhIGRpcmVjdG9yeSB0byBm 
aWxlcyBhbmQgc3ViZGlyZWN0b3JpZXMgaW5zaWRlIHRoYXQgZGlyZWN0b3J5LAo+IHJlY3Vyc2l2 ZWx5LiAgUHJvcGFnYXRpb24gaXMgY2FycmllZCBvdXQgYnkgdGhlIHByb2Nlc3MgY2hhbmdpbmcg dGhlIGRpcmVjdG9yeQo+IHBlcm1pc3Npb25zICh1c3VhbGx5LAo+IC5CUiBzZXRyaWNoYWNsICgx KSk7Cj4gaXQgaGFwcGVucyB3aXRob3V0IHVzZXIgaW50ZXJ2ZW50aW9uIGFsYmVpdCBub3QgZW50 aXJlbHkgYXV0b21hdGljYWxseS4KPiAKPiBBIHNpZ25pZmljYW50IGxpbWl0YXRpb24gaXMgdGhh dCB0aGlzIG1lY2hhbmlzbSB3b3JrcyBvbmx5IGFzIGxvbmcgYXMgZmlsZXMKCnMvbGltaXRhdGlv bi9saW1pdGF0aW9uIG9mIHRoZSBBdXRvbWF0aWMgSW5oZXJpdGFuY2UgZmVhdHVyZS8KCj4gYXJl IGNyZWF0ZWQgd2l0aG91dCBleHBsaWNpdGx5IHNwZWNpZnlpbmcgdGhlIGZpbGUgcGVybWlzc2lv bnMgdG8gdXNlLiBUaGUKPiBzdGFuZGFyZCBzeXN0ZW0gY2FsbHMgZm9yIGNyZWF0aW5nIGZpbGVz IGFuZCBkaXJlY3Rvcmllcwo+IC5SQiAoIGNyZWF0ICgyKSwKPiAuQlIgb3BlbiAoMiksCj4gLkJS IG1rZGlyICgyKSwKPiAuQlIgbWtub2QgKDIpKQoKcy8pJC8sXG5hbmQgc28gb24pLwoKKEFuZCwg SSdkIGRyb3AgY3JlYXQoMikgZnJvbSB0aGF0IGxpc3Qgb2YgZXhhbXBsZXMuIEl0J3MgYW5jaWVu dCBhbmQKb2Jzb2xldGU7IG5vIG5lZWQgdG8gZW5jb3VyYWdlaXRzIHVzZS4pCgo+IGFsbCBoYXZl IG1hbmRhdG9yeSBtb2RlIHBhcmFtZXRlcnMgd2hpY2ggZGVmaW5lIHRoZSBtYXhpbXVtIGFsbG93 ZWQgcGVybWlzc2lvbnMKPiBvZiB0aGUgbmV3IGZpbGVzLiBUbyB0YWtlIGFjY291bnQgb2YgdGhp cyByZXN0cmljdGlvbiwgdGhlCj4gLkIgcHJvdGVjdGVkCj4gQUNMIGZsYWcgbXVzdCBiZSBzZXQg aWYgdGhlCj4gLkIgaW5oZXJpdGVkCj4gZmxhZyBpcyBzZXQuIFRoaXMgZWZmZWN0aXZlbHkgZGlz YWJsZXMgQXV0b21hdGljIEluaGVyaXRhbmNlIGZvciB0aGF0Cj4gcGFydGljdWxhciBmaWxlLgo+ IAo+IE5vdHdpdGhzdGFuZGluZyB0aGUgYWZvcmVtZW50aW9uZWQgbGltaXRhdGlvbiwgQXV0b21h dGljIEluaGVyaXRhbmNlIHN0aWxsCj4gcmVtYWlucyB1c2VmdWwgZm9yIG5ldHdvcmsgcHJvdG9j b2xzIGxpa2UgTkZTdjQgYW5kIFNNQiwgd2hpY2ggYm90aCBzdXBwb3J0Cj4gY3JlYXRpbmcgZmls ZXMgYW5kIGRpcmVjdG9yaWVzIHdpdGhvdXQgZGVmaW5pbmcgdGhlaXIgcGVybWlzc2lvbnMuIFRo ZXNlCj4gcHJvdG9jb2xzIGNhbiBpbXBsZW1lbnQgdGhvc2Ugb3BlcmF0aW9ucyBieSB1c2luZyB0 aGUgc3RhbmRhcmQgc3lzdGVtIGNhbGxzIGFuZAo+IGJ5IHRoZW4gdW5kb2luZyB0aGUgZWZmZWN0 IG9mIGFwcGx5aW5nIHRoZSBtb2RlIHBhcmFtZXRlcnMuCj4gCj4gV2hlbiB0aGUgQUNMIG9mIGEg 
ZGlyZWN0b3J5IGlzIGNoYW5nZWQsIHRoZSBmb2xsb3dpbmcgaGFwcGVucyBmb3IgZWFjaCBlbnRy eQo+IChcKGxxY2hpbGRcKHJxKSBpbnNpZGUgdGhhdCBkaXJlY3Rvcnk6Cj4gLklQIDEuIDQKPiBJ ZiB0aGUgZW50cnkgaXMgYSBzeW1ib2xpYyBsaW5rLCBza2lwIHRoZSBjaGlsZC4KPiAuSVAgMi4K PiBJZiB0aGUKPiAuQiBhdXRvX2luaGVyaXQKPiBmbGFnIG9mIHRoZSBlbnRyeSdzIEFDTCBpcyBu b3Qgc2V0IG9yIHRoZQo+IC5CIHByb3RlY3RlZAo+IGZsYWcgaXMgc2V0LCBza2lwIHRoZSBjaGls ZC4KPiAuSVAgMy4KPiBXaXRoIHRoZSBjaGlsZCdzIEFDTDoKPiAuUlMgNAo+IC5JUCBhKSA0Cj4g SWYgdGhlCj4gLkIgZGVmYXVsdGVkCj4gZmxhZyBpcyBzZXQsIHJlcGxhY2UgdGhlIEFDTCB3aXRo IGFuIGVtcHR5IEFDTAo+IHdpdGggdGhlCj4gLkIgYXV0b19pbmhlcml0Cj4gZmxhZyBzZXQuCj4g LklQIGIpCj4gRGVsZXRlIGFsbCBlbnRyaWVzIHdoaWNoIGhhdmUgdGhlCj4gLkIgaW5oZXJpdGVk Cj4gZmxhZyBzZXQuCj4gLklQIGMpCj4gQXBwZW5kIGFsbCBlbnRyaWVzIGluaGVyaXRlZCBmcm9t IHRoZSBwYXJlbnQgZGlyZWN0b3J5IGFjY29yZGluZyB0byBzdGVwIDEgb2YKPiB0aGUgYWxnb3Jp dGhtIGRlc2NyaWJlZCB1bmRlcgo+IC5JUiAiUGVybWlzc2lvbnMgYXQgZmlsZS1jcmVhdGlvbiB0 aW1lIi4KPiBTZXQgdGhlCj4gLkIgaW5oZXJpdGVkCj4gZmxhZyBvZiBlYWNoIG9mIHRoZXNlIGVu dHJpZXMuCj4gLklQIGQpCj4gUmVjb21wdXRlIHRoZSBmaWxlIG1hc2tzLgoKQXQgdGggZW5kIG9m IHRoZSBsYXN0IHNlY3Rpb24sIGFkZDoKCiAgICAgICAgYXMgZGVzY2liZWQgaW4gdGhlIHNlY3Rp b24gIi4uLi4iCgo+IC5SRQo+IC5JUCA0Lgo+IElmIHRoZSBjaGlsZCBpcyBhIGRpcmVjdG9yeSwg cmVjdXJzaXZlbHkgYXBwbHkgdGhpcyBhbGdvcml0aG0uCj4gCj4gLlNTIEFjY2VzcyBjaGVjayBh bGdvcml0aG0KPiAKPiBXaGVuIGEgcHJvY2VzcyByZXF1ZXN0cyBhIHBhcnRpY3VsYXIga2luZCBv ZiBhY2Nlc3MgKGV4cHJlc3NlZCBhcyBhIHNldCBvZgo+IFJpY2hBQ0wgcGVybWlzc2lvbnMpIHRv IGEgZmlsZSwgdGhlIGZvbGxvd2luZyBhbGdvcml0aG0gZGV0ZXJtaW5lcyB3aGV0aGVyIHRoZQo+ IGFjY2VzcyBpcyBncmFudGVkIG9yIGRlbmllZDoKPiAKPiAuSVAgMS4gNAo+IElmIHRoZQo+IC5C IG1hc2tlZAo+IEFDTCBmbGFnIGlzIHNldCwgdGhlbjoKPiAuUlMgNAo+IC5JUCBhKSA0Cj4gSWYg dGhlCj4gLkIgd3JpdGVfdGhyb3VnaAo+IEFDTCBmbGFnIGlzIHNldCwgdGhlbjoKPiAuUlMgNAo+ IC5JUCBcKGJ1IDIKPiBJZiB0aGUgcmVxdWVzdGluZyBwcm9jZXNzIGlzIHRoZSBmaWxlIG93bmVy LCB0aGVuIGFjY2VzcyBpcyBncmFudGVkIGlmIHRoZQo+IG93bmVyIG1hc2sgaW5jbHVkZXMgdGhl 
IHJlcXVlc3RlZCBwZXJtaXNzaW9ucywgYW5kIGlzIG90aGVyd2lzZSBkZW5pZWQuCj4gLklQIFwo YnUKPiBJZiB0aGUgcmVxdWVzdGluZyBwcm9jZXNzIGlzIG5vdCB0aGUgZmlsZSBvd25lciBhbmQg aXQgaXMgaW4gdGhlIG93bmluZyBncm91cCBvciBtYXRjaGVzIGFueSBBQ0wgZW50cmllcyBvdGhl ciB0aGFuCj4gLkJSIGV2ZXJ5b25lQCAsCj4gcHJvY2VlZCB0byBzdGVwIGIpLgo+IC5JUCBcKGJ1 Cj4gSWYgdGhlIHJlcXVlc3RpbmcgcHJvY2VzcyBpcyBub3QgdGhlIGZpbGUgb3duZXIsIGlzIG5v dCBpbiB0aGUgb3duaW5nIGdyb3VwLAo+IGFuZCBubyBBQ0wgZW50cmllcyBvdGhlciB0aGFuCj4g LkIgZXZlcnlvbmVACj4gbWF0Y2ggdGhlIHByb2Nlc3MsIHRoZW4gYWNjZXNzIGlzIGdyYW50ZWQg aWYgdGhlIG90aGVyIG1hc2sgaW5jbHVkZXMgdGhlCj4gcmVxdWVzdGVkIHBlcm1pc3Npb25zLCBh bmQgaXMgb3RoZXJ3aXNlIGRlbmllZC4KPiAuUkUKPiAuSVAgYikKPiBJZiBhbnkgb2YgdGhlIGZv bGxvd2luZyBpcyB0cnVlOgo+IC5SUyA0Cj4gLklQIFwoYnUgMgo+IHRoZSByZXF1ZXN0aW5nIHBy b2Nlc3MgaXMgdGhlIGZpbGUgb3duZXIgYW5kIHRoZSBvd25lciBtYXNrIGRvZXMgbm90IGluY2x1 ZGUgYWxsCj4gcmVxdWVzdGVkIHBlcm1pc3Npb25zLAo+IC5JUCBcKGJ1Cj4gdGhlIHJlcXVlc3Rp bmcgcHJvY2VzcyBpcyBub3QgdGhlIGZpbGUgb3duZXIgYW5kIGl0IGlzIGluIHRoZSBvd25pbmcg Z3JvdXAgb3IKPiBtYXRjaGVzIGFueSBBQ0wgZW50cmllcyBvdGhlciB0aGFuCj4gLkJSIGV2ZXJ5 b25lQCAsCj4gYW5kIHRoZSBncm91cCBtYXNrIGRvZXMgbm90IGluY2x1ZGUgYWxsIHJlcXVlc3Rl ZCBwZXJtaXNzaW9ucywKPiAuSVAgXChidQo+IHRoZSByZXF1ZXN0aW5nIHByb2Nlc3MgaXMgbm90 IHRoZSBmaWxlIG93bmVyLCBub3QgaW4gdGhlIG93bmluZyBncm91cCwgaXQKPiBtYXRjaGVzIG5v IEFDTCBlbnRyaWVzIG90aGVyIHRoYW4KPiAuQlIgZXZlcnlvbmVAICwKPiBhbmQgdGhlIG90aGVy IG1hc2sgZG9lcyBub3QgaW5jbHVkZSBhbGwgcmVxdWVzdGVkIHBlcm1pc3Npb25zLAo+IC5QUAo+ IHRoZW4gYWNjZXNzIGlzIGRlbmllZC4KPiAuUkUKPiAuUkUKPiAuSVAgMi4KPiBVcG9uIHJlYWNo aW5nIHRoaXMgcG9pbnQsIHRoZSBkZXRlcm1pbmF0aW9uIG9mIHdoZXRoZXIgb3Igbm90IGFjY2Vz cyBpcyBncmFudGVkCj4gaXMgbWFkZSBieSBzY2FubmluZyBhbGwgQUNMIGVudHJpZXMgdG8gc2Vl IGlmIG9uZSBvciBtb3JlIGFwcGxpY2FibGUgZW50cmllcwo+IHRvZ2V0aGVyIGdyYW50IGEgY3Vt dWxhdGl2ZSBzZXQgb2YgcGVybWlzc2lvbnMgdGhhdCBtYXRjaGVzIHRoZSByZXF1ZXN0ZWQKPiBw ZXJtaXNzaW9ucyBvciB0aGVyZSBpcyBhbiBhcHBsaWNhYmxlIGVudHJ5IHRoYXQgZXhwbGljaXRs 
eSBkZW5pZXMgb25lIG9yIG1vcmUKPiBvZiB0aGUgcmVxdWVzdGVkIHBlcm1pc3Npb25zLiAgVGhl IHNjYW4gb2YgYWxsIEFDTCBlbnRyaWVzIGJlZ2lucyBieSBmaXJzdAo+IGluaXRpYWxpemluZyB0 aGUgc2V0IG9mIHJlbWFpbmluZyBwZXJtaXNzaW9ucyAoaS5lLiwgdGhvc2UgdGhhdCBoYXZlIG5v dCB5ZXQKPiBiZWVuIHNhdGlzZmllZCBkdXJpbmcgdGhlIHNjYW4pIHRvIGJlIHRoZSBzZXQgb2Yg cmVxdWVzdGVkIHBlcm1pc3Npb25zLiBUaGVuCj4gdGhlIEFDTCBlbnRyaWVzIGFyZSBzY2FubmVk Cj4gLklSICJpbiBvcmRlciIgLAo+IGFuZCBmb3IgZWFjaCBlbnRyeToKPiAuUlMgNAo+IC5JUCBh KSA0Cj4gSWYgdGhlCj4gLkIgaW5oZXJpdF9vbmx5Cj4gb3IKPiAuQiB1bm1hcHBlZAo+IGZsYWdz IGFyZSBzZXQsIGNvbnRpbnVlIHdpdGggdGhlIG5leHQgQUNMIGVudHJ5Lgo+IC5JUCBiKQo+IElm IGFueSBvZiB0aGUgZm9sbG93aW5nIGlzIHRydWU6Cj4gLlJTIDQKPiAuSVAgXChidSAyCj4gdGhl IGVudHJ5J3MgaWRlbnRpZmllciBpcwo+IC5CIG93bmVyQAo+IGFuZCB0aGUgcmVxdWVzdGluZyBw cm9jZXNzIGlzIHRoZSBmaWxlIG93bmVyLAo+IC5JUCBcKGJ1Cj4gdGhlIGVudHJ5J3MgaWRlbnRp ZmllciBpcwo+IC5CIGdyb3VwQAo+IGFuZCB0aGUgcmVxdWVzdGluZyBwcm9jZXNzIGlzIGluIHRo ZSBvd25pbmcgZ3JvdXAsCj4gLklQIFwoYnUKPiB0aGUgZW50cnkncyBpZGVudGlmaWVyIGlzIGEg dXNlciBhbmQgdGhlIHJlcXVlc3RpbmcgcHJvY2VzcyBpcyBvd25lZCBieSB0aGF0Cj4gdXNlciwK PiAuSVAgXChidQo+IHRoZSBlbnRyeSdzIGlkZW50aWZpZXIgaXMgYSBncm91cCBhbmQgdGhlIHJl cXVlc3RpbmcgcHJvY2VzcyBpcyBhIG1lbWJlciBpbgo+IHRoYXQgZ3JvdXAsCj4gLklQIFwoYnUK PiB0aGUgZW50cnkncyBpZGVudGlmaWVyIGlzCj4gLkJSIGV2ZXJ5b25lQCAsCj4gLlBQCj4gdGhl biB0aGUgZW50cnkgbWF0Y2hlcyB0aGUgcHJvY2VzczsgcHJvY2VlZCB0byB0aGUgbmV4dCBzdGVw LiBPdGhlcndpc2UsCj4gY29udGludWUgd2l0aCB0aGUgbmV4dCBBQ0wgZW50cnkuCj4gLlJFCj4g LklQIGMpCj4gSWYgdGhlIGVudHJ5IGRlbmllcyBhbnkgb2YgdGhlIHJlbWFpbmluZyBwZXJtaXNz aW9ucywgYWNjZXNzIGlzIGRlbmllZC4KPiAuSVAgZCkKPiBJZiB0aGUgZW50cnkgYWxsb3dzIGFu eSBvZiB0aGUgcmVtYWluaW5nIHBlcm1pc3Npb25zLCB0aGVuOgo+IC5SUyA0Cj4gLklQIFwoYnUg Mgo+IElmIHRoZQo+IC5CIG1hc2tlZAo+IEFDTCBmbGFnIGlzIHNldCBhbmQgdGhlIGVudHJ5J3Mg aWRlbnRpZmllciBpcyBub3QKPiAuQiBvd25lckAKPiBvcgo+IC5CUiBldmVyeW9uZUAKPiBvciBp cyBhIHVzZXIgZW50cnkgbWF0Y2hpbmcgdGhlIGZpbGUgb3duZXIsIHJlbW92ZSBhbGwgcGVybWlz 
c2lvbnMgZnJvbSB0aGUKPiByZW1haW5pbmcgcGVybWlzc2lvbnMgd2hpY2ggYXJlIGJvdGggYWxs b3dlZCBieSB0aGUgZW50cnkgYW5kIGluY2x1ZGVkIGluIHRoZQo+IGdyb3VwIG1hc2ssCj4gLklQ IFwoYnUKPiBPdGhlcndpc2UsIHJlbW92ZSBhbGwgcGVybWlzc2lvbnMgZnJvbSB0aGUgcmVtYWlu aW5nIHBlcm1pc3Npb25zIHdoaWNoIGFyZQo+IGFsbG93ZWQgYnkgdGhlIGVudHJ5Lgo+IC5SRQo+ IC5SRQo+IC5JUCAzLgo+IElmIHRoZXJlIGFyZSBubyBtb3JlIHJlbWFpbmluZyBwZXJtaXNzaW9u cywgYWNjZXNzIGlzIGFsbG93ZWQuIE90aGVyd2lzZSwKPiBhY2Nlc3MgaXMgZGVuaWVkLgo+IC5Q UAo+IEluIHRoaXMgYWxnb3JpdGhtLCBhIHByb2Nlc3MgY2FuIGdhaW4gdGhlIHBlcm1pc3Npb25z IGl0IHJlcXVpcmVzIGJ5Cj4gYWNjdW11bGF0aW5nIHRoZW0gZnJvbSBtdWx0aXBsZSBSaWNoQUNM IGVudHJpZXMuICBUaGlzIGlzIGluIGNvbnRyYXN0IHdpdGgKPiBQT1NJWCBBQ0xzLCB3aGVyZSBh Y2Nlc3MgaXMgb25seSBncmFudGVkIGlmIGFuIEFDTCBlbnRyeSBleGlzdHMgdGhhdCBtYXRjaGVz Cj4gdGhlIHJlcXVlc3RpbmcgcHJvY2VzcyBhbmQgaW5jbHVkZXMgYWxsIHRoZSByZXF1ZXN0ZWQg cGVybWlzc2lvbnMuCj4gCj4gLlNTIENvbXB1dGluZyB0aGUgbWF4aW11bSBmaWxlIG1hc2tzCj4g V2hlbiBzZXR0aW5nIGFuIEFDTCBhbmQgbm8gZmlsZSBtYXNrcyBoYXZlIGJlZW4gZXhwbGljaXRs eSBzcGVjaWZpZWQgYW5kIHdoZW4KPiBpbmhlcml0aW5nIGFuIEFDTCBmcm9tIHRoZSBwYXJlbnQg ZGlyZWN0b3J5LCB0aGUgZm9sbG93aW5nIGFsZ29yaXRobSBpcyB1c2VkCgpzL2RpcmVjdG9yeS9k aXJlY3RvcnkgKGFzIGRlc2NyaWJlZCBpbiBzZWN0aW9uICIuLi4uIikvCgo+IGZvciBjb21wdXRp bmcgdGhlIGZpbGUgbWFza3M6Cj4gCj4gLklQIDEuIDQKPiBDbGVhciB0aGUgb3duZXIsIGdyb3Vw LCBhbmQgb3RoZXIgZmlsZSBtYXNrcy4gUmVtZW1iZXIgd2hpY2ggcGVybWlzc2lvbnMgaGF2ZQo+ IGFscmVhZHkgYmVlbiBwcm9jZXNzZWQgKGluaXRpYWxseSwgdGhlIGVtcHR5IHNldCkuCj4gLklQ IDIuCj4gRm9yIGVhY2ggQUNMIGVudHJ5Ogo+IC5SUyA0Cj4gLklQIFwoYnUgMgo+IElmIHRoZQo+ IC5CIGluaGVyaXRfb25seQo+IGZsYWcgaXMgc2V0LCBza2lwIHRoZSBlbnRyeS4KPiAuSVAgXChi dQo+IE90aGVyd2lzZSwgY29tcHV0ZSB3aGljaCBwZXJtaXNzaW9ucyB0aGUgZW50cnkgYWxsb3dz IG9yIGRlbmllcyB0aGF0IGhhdmUgbm90Cj4gYmVlbiBwcm9jZXNzZWQgeWV0ICh0aGUgcmVtYWlu aW5nIHBlcm1pc3Npb25zKS4KPiAuSVAgXChidQo+IElmIHRoZSBlbnRyeSBpcyBhbgo+IC5CIG93 bmVyQAo+IGVudHJ5LCBhZGQgdGhlIHJlbWFpbmluZyBwZXJtaXNzaW9ucyB0byB0aGUgb3duZXIg 
bWFzayBmb3IKPiAuQiBhbGxvdwo+IGVudHJpZXMsIGFuZCByZW1vdmUgdGhlIHJlbWFpbmluZyBw ZXJtaXNzaW9ucyBmcm9tIHRoZSBvd25lciBtYXNrIGZvcgo+IC5CIGRlbnkKPiBlbnRyaWVzLgo+ IC5JUCBcKGJ1Cj4gT3RoZXJ3aXNlLCBpZiB0aGUgZW50cnkgaXMgYW4KPiAuQiBldmVyeW9uZUAK PiBlbnRyeSwgcHJvY2VlZCBhcyB3aXRoCj4gLkIgb3duZXJACj4gZW50cmllcyBidXQgYWRkIG9y IHJlbW92ZSB0aGUgcmVtYWluaW5nIHBlcm1pc3Npb25zIGZyb20gdGhlIG93bmVyLCBncm91cCwg YW5kCj4gb3RoZXIgZmlsZSBtYXNrcy4KPiAuSVAgXChidQo+IE90aGVyd2lzZSwgcHJvY2VlZCBh cyB3aXRoCj4gLkIgb3duZXJACj4gZW50cmllcyBidXQgYWRkIG9yIHJlbW92ZSB0aGUgcmVtYWlu aW5nIHBlcm1pc3Npb25zIGZyb20gdGhlIG93bmVyIGFuZCBncm91cAo+IGZpbGUgbWFza3MuCj4g LklQIFwoYnUKPiBBZGQgdGhlIGVudHJ5J3MgcGVybWlzc2lvbnMgdG8gdGhlIHByb2Nlc3NlZCBw ZXJtaXNzaW9ucy4KPiAuUkUKPiAuUFAKPiBUaGUgcmVzdWx0aW5nIGZpbGUgbWFza3MgcmVwcmVz ZW50IHRoZSBBQ0wgYXMgY2xvc2VseSBhcyBwb3NzaWJsZS4gV2l0aCB0aGVzZQo+IGZpbGUgbWFz a3MsIHRoZSBlZmZlY3RpdmUgcGVybWlzc2lvbnMgdGhhdCB0aGUgQUNMIGdyYW50cyB3aWxsIGJl IHRoZSBzYW1lIHdoZW4KPiB0aGUKPiAuQiBtYXNrZWQKPiBmbGFnIGlzIHNldCBhcyB3aGVuIGl0 IGlzIG5vdCBzZXQuCj4gCj4gLlwiIC5TSCBCVUdTCj4gLlNIIEFVVEhPUgo+IFdyaXR0ZW4gYnkg QW5kcmVhcyBHcsO8bmJhY2hlciA8YWdydWVuYmFAcmVkaGF0LmNvbT4uCj4gCj4gUGxlYXNlIHNl bmQgeW91ciBidWcgcmVwb3J0cywgc3VnZ2VzdGVkIGZlYXR1cmVzIGFuZCBjb21tZW50cyB0byB0 aGUgYWJvdmUgYWRkcmVzcy4KPiAKPiAuU0ggQ09ORk9STUlORyBUTwo+IFJpY2ggQWNjZXNzIENv bnRyb2wgTGlzdHMgYXJlIExpbnV4LXNwZWNpZmljLgo+IC5TSCBTRUUgQUxTTwo+IC5CUiBjaG1v ZCAoMSksCj4gLkJSIGdldHJpY2hhY2wgKDEpLAo+IC5CUiBscyAoMSksCj4gLkJSIHNldHJpY2hh Y2wgKDEpCj4gLkJSIHN0YXQgKDIpLAo+IC5CUiB1bWFzayAoMiksCj4gLkJSIGFjbCAoNSkKPiAu XCIgbGlicmljaGFjbAoKU28sIGluIHRlcm1zIG9mIGFjdHVhbGx5IHRlc3RpbmcgdGhpcyBzdHVm ZiwgaXMgaXQganVzdCBhIG1hdHRlciBvZgphcHBseWluZyB5b3VyIHBhdGNoIHNlcmllcyB0byB0 aGUga2VybmVsLCBidWlsZGluZyB0aGUga2VybmVsLCBwdWxsaW5nCnRoZSBSaWNoQUNMIHVzZXIt c3BhY2UgdG9vbHMgZnJvbSBHaXQsIGFuZCBtb3VudCg4KWluZyBhIGZpbGVzeXN0ZW0gd2l0aAp0 aGUgcmlnaHQgb3B0aW9uPwoKQ2hlZXJzLAoKTWljaGFlbAoKCgoKLS0gCk1pY2hhZWwgS2Vycmlz 
awpMaW51eCBtYW4tcGFnZXMgbWFpbnRhaW5lcjsgaHR0cDovL3d3dy5rZXJuZWwub3JnL2RvYy9t YW4tcGFnZXMvCkxpbnV4L1VOSVggU3lzdGVtIFByb2dyYW1taW5nIFRyYWluaW5nOiBodHRwOi8v bWFuNy5vcmcvdHJhaW5pbmcvCgpfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fXwp4ZnMgbWFpbGluZyBsaXN0Cnhmc0Bvc3Muc2dpLmNvbQpodHRwOi8vb3NzLnNn aS5jb20vbWFpbG1hbi9saXN0aW5mby94ZnMK