From mboxrd@z Thu Jan 1 00:00:00 1970
From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
Subject: Re: For review: user_namespace(7) man page
Date: Sat, 30 Aug 2014 16:53:11 -0500
Message-ID: <87d2bhfxvc.fsf@x220.int.ebiederm.org>
References: <53F5310A.5080503@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
In-Reply-To: <53F5310A.5080503-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> (Michael Kerrisk's message of "Wed, 20 Aug 2014 18:36:42 -0500")
Sender: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
Errors-To: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
To: "Michael Kerrisk (man-pages)"
Cc: "linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org" , richard.weinberger-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org, containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org, lkml , Andy Lutomirski
List-Id: containers.vger.kernel.org
IG9mIHJlY29yZHMgb2YgdGhlIGZvcm06XG4iKTsKPiAgICAgICAgICAgIGZwZSgiXG4iKTsKPiAg ICAgICAgICAgIGZwZSgiICAgIElELWluc2lkZS1ucyAgIElELW91dHNpZGUtbnMgICBsZW5cbiIp Owo+ICAgICAgICAgICAgZnBlKCJcbiIpOwo+ICAgICAgICAgICAgZnBlKCJBIG1hcCBzdHJpbmcg Y2FuIGNvbnRhaW4gbXVsdGlwbGUgcmVjb3Jkcywgc2VwYXJhdGVkIgo+ICAgICAgICAgICAgICAg ICIgYnkgY29tbWFzO1xuIik7Cj4gICAgICAgICAgICBmcGUoInRoZSBjb21tYXMgYXJlIHJlcGxh Y2VkIGJ5IG5ld2xpbmVzIGJlZm9yZSB3cml0aW5nIgo+ICAgICAgICAgICAgICAgICIgdG8gbWFw IGZpbGVzLlxuIik7Cj4KPiAgICAgICAgICAgIGV4aXQoRVhJVF9GQUlMVVJFKTsKPiAgICAgICAg fQo+Cj4gICAgICAgIC8qIFVwZGF0ZSB0aGUgbWFwcGluZyBmaWxlICdtYXBfZmlsZScsIHdpdGgg dGhlIHZhbHVlIHByb3ZpZGVkIGluCj4gICAgICAgICAgICdtYXBwaW5nJywgYSBzdHJpbmcgdGhh dCBkZWZpbmVzIGEgVUlEIG9yIEdJRCBtYXBwaW5nLiBBIFVJRCBvcgo+ICAgICAgICAgICBHSUQg bWFwcGluZyBjb25zaXN0cyBvZiBvbmUgb3IgbW9yZSBuZXdsaW5lLWRlbGltaXRlZCByZWNvcmRz Cj4gICAgICAgICAgIG9mIHRoZSBmb3JtOgo+Cj4gICAgICAgICAgICAgICBJRF9pbnNpZGUtbnMg ICAgSUQtb3V0c2lkZS1ucyAgIGxlbmd0aAo+Cj4gICAgICAgICAgIFJlcXVpcmluZyB0aGUgdXNl ciB0byBzdXBwbHkgYSBzdHJpbmcgdGhhdCBjb250YWlucyBuZXdsaW5lcyBpcwo+ICAgICAgICAg ICBvZiBjb3Vyc2UgaW5jb252ZW5pZW50IGZvciBjb21tYW5kLWxpbmUgdXNlLiBUaHVzLCB3ZSBw ZXJtaXQgdGhlCj4gICAgICAgICAgIHVzZSBvZiBjb21tYXMgdG8gZGVsaW1pdCByZWNvcmRzIGlu IHRoaXMgc3RyaW5nLCBhbmQgcmVwbGFjZSB0aGVtCj4gICAgICAgICAgIHdpdGggbmV3bGluZXMg YmVmb3JlIHdyaXRpbmcgdGhlIHN0cmluZyB0byB0aGUgZmlsZS4gKi8KPgo+ICAgICAgICBzdGF0 aWMgdm9pZAo+ICAgICAgICB1cGRhdGVfbWFwKGNoYXIgKm1hcHBpbmcsIGNoYXIgKm1hcF9maWxl KQo+ICAgICAgICB7Cj4gICAgICAgICAgICBpbnQgZmQsIGo7Cj4gICAgICAgICAgICBzaXplX3Qg bWFwX2xlbjsgICAgIC8qIExlbmd0aCBvZiAnbWFwcGluZycgKi8KPgo+ICAgICAgICAgICAgLyog UmVwbGFjZSBjb21tYXMgaW4gbWFwcGluZyBzdHJpbmcgd2l0aCBuZXdsaW5lcyAqLwo+Cj4gICAg ICAgICAgICBtYXBfbGVuID0gc3RybGVuKG1hcHBpbmcpOwo+ICAgICAgICAgICAgZm9yIChqID0g MDsgaiA8IG1hcF9sZW47IGorKykKPiAgICAgICAgICAgICAgICBpZiAobWFwcGluZ1tqXSA9PSAn LCcpCj4gICAgICAgICAgICAgICAgICAgIG1hcHBpbmdbal0gPSAnXG4nOwo+Cj4gICAgICAgICAg 
ICBmZCA9IG9wZW4obWFwX2ZpbGUsIE9fUkRXUik7Cj4gICAgICAgICAgICBpZiAoZmQgPT0gLTEp IHsKPiAgICAgICAgICAgICAgICBmcHJpbnRmKHN0ZGVyciwgIkVSUk9SOiBvcGVuICVzOiAlc1xu IiwgbWFwX2ZpbGUsCj4gICAgICAgICAgICAgICAgICAgICAgICBzdHJlcnJvcihlcnJubykpOwo+ ICAgICAgICAgICAgICAgIGV4aXQoRVhJVF9GQUlMVVJFKTsKPiAgICAgICAgICAgIH0KPgo+ICAg ICAgICAgICAgaWYgKHdyaXRlKGZkLCBtYXBwaW5nLCBtYXBfbGVuKSAhPSBtYXBfbGVuKSB7Cj4g ICAgICAgICAgICAgICAgZnByaW50ZihzdGRlcnIsICJFUlJPUjogd3JpdGUgJXM6ICVzXG4iLCBt YXBfZmlsZSwKPiAgICAgICAgICAgICAgICAgICAgICAgIHN0cmVycm9yKGVycm5vKSk7Cj4gICAg ICAgICAgICAgICAgZXhpdChFWElUX0ZBSUxVUkUpOwo+ICAgICAgICAgICAgfQo+Cj4gICAgICAg ICAgICBjbG9zZShmZCk7Cj4gICAgICAgIH0KPgo+ICAgICAgICBzdGF0aWMgaW50ICAgICAgICAg ICAgICAvKiBTdGFydCBmdW5jdGlvbiBmb3IgY2xvbmVkIGNoaWxkICovCj4gICAgICAgIGNoaWxk RnVuYyh2b2lkICphcmcpCj4gICAgICAgIHsKPiAgICAgICAgICAgIHN0cnVjdCBjaGlsZF9hcmdz ICphcmdzID0gKHN0cnVjdCBjaGlsZF9hcmdzICopIGFyZzsKPiAgICAgICAgICAgIGNoYXIgY2g7 Cj4KPiAgICAgICAgICAgIC8qIFdhaXQgdW50aWwgdGhlIHBhcmVudCBoYXMgdXBkYXRlZCB0aGUg VUlEIGFuZCBHSUQgbWFwcGluZ3MuCj4gICAgICAgICAgICAgICBTZWUgdGhlIGNvbW1lbnQgaW4g bWFpbigpLiBXZSB3YWl0IGZvciBlbmQgb2YgZmlsZSBvbiBhCj4gICAgICAgICAgICAgICBwaXBl IHRoYXQgd2lsbCBiZSBjbG9zZWQgYnkgdGhlIHBhcmVudCBwcm9jZXNzIG9uY2UgaXQgaGFzCj4g ICAgICAgICAgICAgICB1cGRhdGVkIHRoZSBtYXBwaW5ncy4gKi8KPgo+ICAgICAgICAgICAgY2xv c2UoYXJncy0+cGlwZV9mZFsxXSk7ICAgIC8qIENsb3NlIG91ciBkZXNjcmlwdG9yIGZvciB0aGUg d3JpdGUKPiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlbmQgb2Yg dGhlIHBpcGUgc28gdGhhdCB3ZSBzZWUgRU9GCj4gICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgd2hlbiBwYXJlbnQgY2xvc2VzIGl0cyBkZXNjcmlwdG9yICovCj4gICAg ICAgICAgICBpZiAocmVhZChhcmdzLT5waXBlX2ZkWzBdLCAmY2gsIDEpICE9IDApIHsKPiAgICAg ICAgICAgICAgICBmcHJpbnRmKHN0ZGVyciwKPiAgICAgICAgICAgICAgICAgICAgICAgICJGYWls dXJlIGluIGNoaWxkOiByZWFkIGZyb20gcGlwZSByZXR1cm5lZCAhPSAwXG4iKTsKPiAgICAgICAg ICAgICAgICBleGl0KEVYSVRfRkFJTFVSRSk7Cj4gICAgICAgICAgICB9Cj4KPiAgICAgICAgICAg 
IC8qIEV4ZWN1dGUgYSBzaGVsbCBjb21tYW5kICovCj4KPiAgICAgICAgICAgIHByaW50ZigiQWJv dXQgdG8gZXhlYyAlc1xuIiwgYXJncy0+YXJndlswXSk7Cj4gICAgICAgICAgICBleGVjdnAoYXJn cy0+YXJndlswXSwgYXJncy0+YXJndik7Cj4gICAgICAgICAgICBlcnJFeGl0KCJleGVjdnAiKTsK PiAgICAgICAgfQo+Cj4gICAgICAgICNkZWZpbmUgU1RBQ0tfU0laRSAoMTAyNCAqIDEwMjQpCj4K PiAgICAgICAgc3RhdGljIGNoYXIgY2hpbGRfc3RhY2tbU1RBQ0tfU0laRV07ICAgIC8qIFNwYWNl IGZvciBjaGlsZCdzIHN0YWNrICovCj4KPiAgICAgICAgaW50Cj4gICAgICAgIG1haW4oaW50IGFy Z2MsIGNoYXIgKmFyZ3ZbXSkKPiAgICAgICAgewo+ICAgICAgICAgICAgaW50IGZsYWdzLCBvcHQs IG1hcF96ZXJvOwo+ICAgICAgICAgICAgcGlkX3QgY2hpbGRfcGlkOwo+ICAgICAgICAgICAgc3Ry dWN0IGNoaWxkX2FyZ3MgYXJnczsKPiAgICAgICAgICAgIGNoYXIgKnVpZF9tYXAsICpnaWRfbWFw Owo+ICAgICAgICAgICAgY29uc3QgaW50IE1BUF9CVUZfU0laRSA9IDEwMDsKPiAgICAgICAgICAg IGNoYXIgbWFwX2J1ZltNQVBfQlVGX1NJWkVdOwo+ICAgICAgICAgICAgY2hhciBtYXBfcGF0aFtQ QVRIX01BWF07Cj4KPiAgICAgICAgICAgIC8qIFBhcnNlIGNvbW1hbmQtbGluZSBvcHRpb25zLiBU aGUgaW5pdGlhbCAnKycgY2hhcmFjdGVyIGluCj4gICAgICAgICAgICAgICB0aGUgZmluYWwgZ2V0 b3B0KCkgYXJndW1lbnQgcHJldmVudHMgR05VLXN0eWxlIHBlcm11dGF0aW9uCj4gICAgICAgICAg ICAgICBvZiBjb21tYW5kLWxpbmUgb3B0aW9ucy4gVGhhdCdzIHVzZWZ1bCwgc2luY2Ugc29tZXRp bWVzCj4gICAgICAgICAgICAgICB0aGUgJ2NvbW1hbmQnIHRvIGJlIGV4ZWN1dGVkIGJ5IHRoaXMg cHJvZ3JhbSBpdHNlbGYKPiAgICAgICAgICAgICAgIGhhcyBjb21tYW5kLWxpbmUgb3B0aW9ucy4g V2UgZG9uJ3Qgd2FudCBnZXRvcHQoKSB0byB0cmVhdAo+ICAgICAgICAgICAgICAgdGhvc2UgYXMg b3B0aW9ucyB0byB0aGlzIHByb2dyYW0uICovCj4KPiAgICAgICAgICAgIGZsYWdzID0gMDsKPiAg ICAgICAgICAgIHZlcmJvc2UgPSAwOwo+ICAgICAgICAgICAgZ2lkX21hcCA9IE5VTEw7Cj4gICAg ICAgICAgICB1aWRfbWFwID0gTlVMTDsKPiAgICAgICAgICAgIG1hcF96ZXJvID0gMDsKPiAgICAg ICAgICAgIHdoaWxlICgob3B0ID0gZ2V0b3B0KGFyZ2MsIGFyZ3YsICIraW1ucHVVTTpHOnp2Iikp ICE9IC0xKSB7Cj4gICAgICAgICAgICAgICAgc3dpdGNoIChvcHQpIHsKPiAgICAgICAgICAgICAg ICBjYXNlICdpJzogZmxhZ3MgfD0gQ0xPTkVfTkVXSVBDOyAgICAgICAgYnJlYWs7Cj4gICAgICAg ICAgICAgICAgY2FzZSAnbSc6IGZsYWdzIHw9IENMT05FX05FV05TOyAgICAgICAgIGJyZWFrOwo+ 
ICAgICAgICAgICAgICAgIGNhc2UgJ24nOiBmbGFncyB8PSBDTE9ORV9ORVdORVQ7ICAgICAgICBi cmVhazsKPiAgICAgICAgICAgICAgICBjYXNlICdwJzogZmxhZ3MgfD0gQ0xPTkVfTkVXUElEOyAg ICAgICAgYnJlYWs7Cj4gICAgICAgICAgICAgICAgY2FzZSAndSc6IGZsYWdzIHw9IENMT05FX05F V1VUUzsgICAgICAgIGJyZWFrOwo+ICAgICAgICAgICAgICAgIGNhc2UgJ3YnOiB2ZXJib3NlID0g MTsgICAgICAgICAgICAgICAgICBicmVhazsKPiAgICAgICAgICAgICAgICBjYXNlICd6JzogbWFw X3plcm8gPSAxOyAgICAgICAgICAgICAgICAgYnJlYWs7Cj4gICAgICAgICAgICAgICAgY2FzZSAn TSc6IHVpZF9tYXAgPSBvcHRhcmc7ICAgICAgICAgICAgIGJyZWFrOwo+ICAgICAgICAgICAgICAg IGNhc2UgJ0cnOiBnaWRfbWFwID0gb3B0YXJnOyAgICAgICAgICAgICBicmVhazsKPiAgICAgICAg ICAgICAgICBjYXNlICdVJzogZmxhZ3MgfD0gQ0xPTkVfTkVXVVNFUjsgICAgICAgYnJlYWs7Cj4g ICAgICAgICAgICAgICAgZGVmYXVsdDogIHVzYWdlKGFyZ3ZbMF0pOwo+ICAgICAgICAgICAgICAg IH0KPiAgICAgICAgICAgIH0KPgo+ICAgICAgICAgICAgLyogLU0gb3IgLUcgd2l0aG91dCAtVSBp cyBub25zZW5zaWNhbCAqLwo+Cj4gICAgICAgICAgICBpZiAoKCh1aWRfbWFwICE9IE5VTEwgfHwg Z2lkX21hcCAhPSBOVUxMIHx8IG1hcF96ZXJvKSAmJgo+ICAgICAgICAgICAgICAgICAgICAgICAg IShmbGFncyAmIENMT05FX05FV1VTRVIpKSB8fAo+ICAgICAgICAgICAgICAgICAgICAobWFwX3pl cm8gJiYgKHVpZF9tYXAgIT0gTlVMTCB8fCBnaWRfbWFwICE9IE5VTEwpKSkKPiAgICAgICAgICAg ICAgICB1c2FnZShhcmd2WzBdKTsKPgo+ICAgICAgICAgICAgYXJncy5hcmd2ID0gJmFyZ3Zbb3B0 aW5kXTsKPgo+ICAgICAgICAgICAgLyogV2UgdXNlIGEgcGlwZSB0byBzeW5jaHJvbml6ZSB0aGUg cGFyZW50IGFuZCBjaGlsZCwgaW4gb3JkZXIgdG8KPiAgICAgICAgICAgICAgIGVuc3VyZSB0aGF0 IHRoZSBwYXJlbnQgc2V0cyB0aGUgVUlEIGFuZCBHSUQgbWFwcyBiZWZvcmUgdGhlIGNoaWxkCj4g ICAgICAgICAgICAgICBjYWxscyBleGVjdmUoKS4gVGhpcyBlbnN1cmVzIHRoYXQgdGhlIGNoaWxk IG1haW50YWlucyBpdHMKPiAgICAgICAgICAgICAgIGNhcGFiaWxpdGllcyBkdXJpbmcgdGhlIGV4 ZWN2ZSgpIGluIHRoZSBjb21tb24gY2FzZSB3aGVyZSB3ZQo+ICAgICAgICAgICAgICAgd2FudCB0 byBtYXAgdGhlIGNoaWxkJ3MgZWZmZWN0aXZlIHVzZXIgSUQgdG8gMCBpbiB0aGUgbmV3IHVzZXIK PiAgICAgICAgICAgICAgIG5hbWVzcGFjZS4gV2l0aG91dCB0aGlzIHN5bmNocm9uaXphdGlvbiwg dGhlIGNoaWxkIHdvdWxkIGxvc2UKPiAgICAgICAgICAgICAgIGl0cyBjYXBhYmlsaXRpZXMgaWYg 
aXQgcGVyZm9ybWVkIGFuIGV4ZWN2ZSgpIHdpdGggbm9uemVybwo+ICAgICAgICAgICAgICAgdXNl ciBJRHMgKHNlZSB0aGUgY2FwYWJpbGl0aWVzKDcpIG1hbiBwYWdlIGZvciBkZXRhaWxzIG9mIHRo ZQo+ICAgICAgICAgICAgICAgdHJhbnNmb3JtYXRpb24gb2YgYSBwcm9jZXNzJ3MgY2FwYWJpbGl0 aWVzIGR1cmluZyBleGVjdmUoKSkuICovCj4KPiAgICAgICAgICAgIGlmIChwaXBlKGFyZ3MucGlw ZV9mZCkgPT0gLTEpCj4gICAgICAgICAgICAgICAgZXJyRXhpdCgicGlwZSIpOwo+Cj4gICAgICAg ICAgICAvKiBDcmVhdGUgdGhlIGNoaWxkIGluIG5ldyBuYW1lc3BhY2UocykgKi8KPgo+ICAgICAg ICAgICAgY2hpbGRfcGlkID0gY2xvbmUoY2hpbGRGdW5jLCBjaGlsZF9zdGFjayArIFNUQUNLX1NJ WkUsCj4gICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmbGFncyB8IFNJR0NITEQsICZhcmdz KTsKPiAgICAgICAgICAgIGlmIChjaGlsZF9waWQgPT0gLTEpCj4gICAgICAgICAgICAgICAgZXJy RXhpdCgiY2xvbmUiKTsKPgo+ICAgICAgICAgICAgLyogUGFyZW50IGZhbGxzIHRocm91Z2ggdG8g aGVyZSAqLwo+Cj4gICAgICAgICAgICBpZiAodmVyYm9zZSkKPiAgICAgICAgICAgICAgICBwcmlu dGYoIiVzOiBQSUQgb2YgY2hpbGQgY3JlYXRlZCBieSBjbG9uZSgpIGlzICVsZFxuIiwKPiAgICAg ICAgICAgICAgICAgICAgICAgIGFyZ3ZbMF0sIChsb25nKSBjaGlsZF9waWQpOwo+Cj4gICAgICAg ICAgICAvKiBVcGRhdGUgdGhlIFVJRCBhbmQgR0lEIG1hcHMgaW4gdGhlIGNoaWxkICovCj4KPiAg ICAgICAgICAgIGlmICh1aWRfbWFwICE9IE5VTEwgfHwgbWFwX3plcm8pIHsKPiAgICAgICAgICAg ICAgICBzbnByaW50ZihtYXBfcGF0aCwgUEFUSF9NQVgsICIvcHJvYy8lbGQvdWlkX21hcCIsCj4g ICAgICAgICAgICAgICAgICAgICAgICAobG9uZykgY2hpbGRfcGlkKTsKPiAgICAgICAgICAgICAg ICBpZiAobWFwX3plcm8pIHsKPiAgICAgICAgICAgICAgICAgICAgc25wcmludGYobWFwX2J1Ziwg TUFQX0JVRl9TSVpFLCAiMCAlbGQgMSIsIChsb25nKSBnZXR1aWQoKSk7Cj4gICAgICAgICAgICAg ICAgICAgIHVpZF9tYXAgPSBtYXBfYnVmOwo+ICAgICAgICAgICAgICAgIH0KPiAgICAgICAgICAg ICAgICB1cGRhdGVfbWFwKHVpZF9tYXAsIG1hcF9wYXRoKTsKPiAgICAgICAgICAgIH0KPiAgICAg ICAgICAgIGlmIChnaWRfbWFwICE9IE5VTEwgfHwgbWFwX3plcm8pIHsKPiAgICAgICAgICAgICAg ICBzbnByaW50ZihtYXBfcGF0aCwgUEFUSF9NQVgsICIvcHJvYy8lbGQvZ2lkX21hcCIsCj4gICAg ICAgICAgICAgICAgICAgICAgICAobG9uZykgY2hpbGRfcGlkKTsKPiAgICAgICAgICAgICAgICBp ZiAobWFwX3plcm8pIHsKPiAgICAgICAgICAgICAgICAgICAgc25wcmludGYobWFwX2J1ZiwgTUFQ 
"Michael Kerrisk (man-pages)" writes:

> Hello Eric et al.,
>
> For various reasons, my work on the namespaces man pages
> fell off the table a while back. Nevertheless, the pages have
> been close to completion for a while now, and I recently restarted,
> in an effort to finish them.
> As you also noted to me f2f, there have
> been recently been some small namespace changes that you may affect
> the content of the pages. Therefore, I'll take the opportunity to
> send the namespace-related pages out for further (final?) review.
>
> So, here, I start with the user_namespaces(7) page, which is shown
> in rendered form below, with source attached to this mail. I'll
> send various other pages in follow-on mails.
>
> Review comments/suggestions for improvements / bug fixes welcome.
>
> Cheers,
>
> Michael
>
> ==
>
> NAME
>        user_namespaces - overview of Linux user_namespaces
>
> DESCRIPTION
>        For an overview of namespaces, see namespaces(7).
>
>        User namespaces isolate security-related identifiers and
>        attributes, in particular, user IDs and group IDs (see creden‐
>        tials(7), the root directory, keys (see keyctl(2)), and capabili‐
>        ties (see capabilities(7)). A process's user and group IDs can
>        be different inside and outside a user namespace. In particular,
>        a process can have a normal unprivileged user ID outside a user
>        namespace while at the same time having a user ID of 0 inside the
>        namespace; in other words, the process has full privileges for
>        operations inside the user namespace, but is unprivileged for
>        operations outside the namespace.
>
>    Nested namespaces, namespace membership
>        User namespaces can be nested; that is, each user namespace—
>        except the initial ("root") namespace—has a parent user names‐
>        pace, and can have zero or more child user namespaces. The par‐
>        ent user namespace is the user namespace of the process that cre‐
>        ates the user namespace via a call to unshare(2) or clone(2) with
>        the CLONE_NEWUSER flag.
>
>        The kernel imposes (since version 3.11) a limit of 32 nested lev‐
>        els of user namespaces. Calls to unshare(2) or clone(2) that
>        would cause this limit to be exceeded fail with the error EUSERS.
>
>        Each process is a member of exactly one user namespace.
>        A process created via fork(2) or clone(2) without the CLONE_NEWUSER
>        flag is a member of the same user namespace as its parent.
>        A
          ^ single-threaded

Because of chroot and other things multi-threaded processes are not
allowed to join a user namespace. For the documentation just saying
single-threaded sounds like enough here.

>        process can join another user namespace with setns(2) if it has
>        the CAP_SYS_ADMIN in that namespace; upon doing so, it gains a
>        full set of capabilities in that namespace.
>
>        A call to clone(2) or unshare(2) with the CLONE_NEWUSER flag
>        makes the new child process (for clone(2)) or the caller (for
>        unshare(2)) a member of the new user namespace created by the
>        call.
>
>    Capabilities
>        The child process created by clone(2) with the CLONE_NEWUSER flag
>        starts out with a complete set of capabilities in the new user
>        namespace. Likewise, a process that creates a new user namespace
>        using unshare(2) or joins an existing user namespace using
>        setns(2) gains a full set of capabilities in that namespace. On
>        the other hand, that process has no capabilities in the parent
>        (in the case of clone(2)) or previous (in the case of unshare(2)
>        and setns(2)) user namespace, even if the new namespace is cre‐
>        ated or joined by the root user (i.e., a process with user ID 0
>        in the root namespace).
>
>        Note that a call to execve(2) will cause a process to lose any
>        capabilities that it has, unless it has a user ID of 0 within the
>        namespace. See the discussion of user and group ID mappings,
>        below.
>
>        A call to clone(2), unshare(2), or setns(2) using the
>        CLONE_NEWUSER flag sets the "securebits" flags (see capabili‐
>        ties(7)) to their default values (all flags disabled) in the
>        child (for clone(2)) or caller (for unshare(2), or setns(2)).
>        Note that because the caller no longer has capabilities in its
>        original user namespace after a call to setns(2), it is not pos‐
>        sible for a process to reset its "securebits" flags while retain‐
>        ing its user namespace membership by using a pair of setns(2)
>        calls to move to another user namespace and then return to its
>        original user namespace.
>
>        Having a capability inside a user namespace permits a process to
>        perform operations (that require privilege) only on resources
>        governed by that namespace. The rules for determining whether or
>        not a process has a capability in a particular user namespace are
>        as follows:
>
>        1. A process has a capability inside a user namespace if it is a
>           member of that namespace and it has the capability in its
>           effective capability set. A process can gain capabilities in
>           its effective capability set in various ways. For example, it
>           may execute a set-user-ID program or an executable with asso‐
>           ciated file capabilities. In addition, a process may gain
>           capabilities via the effect of clone(2), unshare(2), or
>           setns(2), as already described.
>
>        2. If a process has a capability in a user namespace, then it has
>           that capability in all child (and further removed descendant)
>           namespaces as well.
>
>        3. When a user namespace is created, the kernel records the
>           effective user ID of the creating process as being the "owner"
>           of the namespace. A process that resides in the parent of the
>           user namespace and whose effective user ID matches the owner
>           of the namespace has all capabilities in the namespace. By
>           virtue of the previous rule, this means that the process has
>           all capabilities in all further removed descendant user names‐
>           paces as well.
>
>    Interaction of user namespaces and other types of namespaces
>        Starting in Linux 3.8, unprivileged processes can create user
>        namespaces, and mount, PID, IPC, network, and UTS namespaces can
>        be created with just the CAP_SYS_ADMIN capability in the caller's
>        user namespace.
>
>        If CLONE_NEWUSER is specified along with other CLONE_NEW* flags
>        in a single clone(2) or unshare(2) call, the user namespace is
>        guaranteed to be created first, giving the child (clone(2)) or
>        caller (unshare(2)) privileges over the remaining namespaces cre‐
>        ated by the call. Thus, it is possible for an unprivileged call‐
>        er to specify this combination of flags.
>
>        When a new IPC, mount, network, PID, or UTS namespace is created
>        via clone(2) or unshare(2), the kernel records the user namespace
>        of the creating process against the new namespace. (This associ‐
>        ation can't be changed.) When a process in the new namespace
>        subsequently performs privileged operations that operate on
>        global resources isolated by the namespace, the permission checks
>        are performed according to the process's capabilities in the user
>        namespace that the kernel associated with the new namespace.

Restrictions on mount namespaces.

- A mount namespace has an owner user namespace. A mount namespace whose
  owner user namespace is different than the owner user namespace of its
  parent mount namespace is considered a less privileged mount
  namespace.

- When creating a less privileged mount namespace shared mounts are
  reduced to slave mounts. This ensures that mappings performed in less
  privileged mount namespaces will not propagate to more privileged
  mount namespaces.

- Mounts that come as a single unit from more privileged mount are
  locked together and may not be separated in a less privileged mount
  namespace.

- The mount flags readonly, nodev, nosuid, noexec, and the mount atime
  settings when propagated from a more privileged to a less privileged
  mount namespace become locked, and may not be changed in the less
  privileged mount namespace.

- (As of 3.18-rc1 (in today's Al Viro's vfs.git#for-next tree)) A file or
  directory that is a mountpoint in one namespace that is not a mount
  point in another namespace, may be renamed, unlinked, or rmdired in
  the mount namespace in which it is not a mount namespace if the
  ordinary permission checks pass.

  Previously attempting to rmdir, unlink or rename a file or directory
  that was a mount point in another mount namespace would result in
  -EBUSY. This behavior had technical problems of enforcement (nfs) and
  resulted in a nice denial of service attack against more privileged
  users. (Aka preventing individual files from being updated by bind
  mounting on top of them).

>    User and group ID mappings: uid_map and gid_map
>        When a user namespace is created, it starts out without a mapping
>        of user IDs (group IDs) to the parent user namespace. The
>        /proc/[pid]/uid_map and /proc/[pid]/gid_map files (available
>        since Linux 3.5) expose the mappings for user and group IDs
>        inside the user namespace for the process pid. These files can
>        be read to view the mappings in a user namespace and written to
>        (once) to define the mappings.
>
>        The description in the following paragraphs explains the details
>        for uid_map; gid_map is exactly the same, but each instance of
>        "user ID" is replaced by "group ID".
>
>        The uid_map file exposes the mapping of user IDs from the user
>        namespace of the process pid to the user namespace of the process
>        that opened uid_map (but see a qualification to this point
>        below). In other words, processes that are in different user
>        namespaces will potentially see different values when reading
>        from a particular uid_map file, depending on the user ID mappings
>        for the user namespaces of the reading processes.
>
>        Each line in the uid_map file specifies a 1-to-1 mapping of a
>        range of contiguous user IDs between two user namespaces. (When
>        a user namespace is first created, this file is empty.) The
>        specification in each line takes the form of three numbers delim‐
>        ited by white space. The first two numbers specify the starting
>        user ID in each of the two user namespaces. The third number
>        specifies the length of the mapped range. In detail, the fields
>        are interpreted as follows:
>
>        (1) The start of the range of user IDs in the user namespace of
>            the process pid.
>
>        (2) The start of the range of user IDs to which the user IDs
>            specified by field one map. How field two is interpreted
>            depends on whether the process that opened uid_map and the
>            process pid are in the same user namespace, as follows:
>
>            a) If the two processes are in different user namespaces:
>               field two is the start of a range of user IDs in the user
>               namespace of the process that opened uid_map.
>
>            b) If the two processes are in the same user namespace: field
>               two is the start of the range of user IDs in the parent
>               user namespace of the process pid. This case enables the
>               opener of uid_map (the common case here is opening
>               /proc/self/uid_map) to see the mapping of user IDs into
>               the user namespace of the process that created this user
>               namespace.
>
>        (3) The length of the range of user IDs that is mapped between
>            the two user namespaces.
>
>        System calls that return user IDs (group IDs)—for example,
>        getuid(2), getgid(2), and the credential fields in the structure
>        returned by stat(2)—return the user ID (group ID) mapped into the
>        caller's user namespace.
>
>        When a process accesses a file, its user and group IDs are mapped
>        into the initial user namespace for the purpose of permission
>        checking and assigning IDs when creating a file.
>        When a process
>        retrieves file user and group IDs via stat(2), the IDs are mapped
>        in the opposite direction, to produce values relative to the
>        process user and group ID mappings.
>
>        The initial user namespace has no parent namespace, but, for con‐
>        sistency, the kernel provides dummy user and group ID mapping
>        files for this namespace. Looking at the uid_map file (gid_map
>        is the same) from a shell in the initial namespace shows:
>
>            $ cat /proc/$$/uid_map
>            0 0 4294967295
>
>        This mapping tells us that the range starting at user ID 0 in
>        this namespace maps to a range starting at 0 in the (nonexistent)
>        parent namespace, and the length of the range is the largest
>        32-bit unsigned integer.

Which deliberately leaves 4294967295 32bit (-1) unmapped. (uid_t)-1 is
used in several interfaces (like setreuid) as a way to specify no uid;
leaving it unmapped and unusable guarantees that there will be no
confusion when using those kernel methods.

>    Defining user and group ID mappings: writing to uid_map and gid_map
>        After the creation of a new user namespace, the uid_map file of
>        one of the processes in the namespace may be written to once to
>        define the mapping of user IDs in the new user namespace. An
>        attempt to write more than once to a uid_map file in a user
>        namespace fails with the error EPERM. Similar rules apply for
>        gid_map files.
>
>        The lines written to uid_map (gid_map) must conform to the fol‐
>        lowing rules:
>
>        * The three fields must be valid numbers, and the last field
>          must be greater than 0.
>
>        * Lines are terminated by newline characters.
>
>        * There is an (arbitrary) limit on the number of lines in the
>          file. As at Linux 3.8, the limit is five lines. In addition,
>          the number of bytes written to the file must be less than the
>          system page size, and the write must be performed at the start
>          of the file (i.e., lseek(2) and pwrite(2) can't be used to
>          write to nonzero offsets in the file).
>
>        * The range of user IDs (group IDs) specified in each line can‐
>          not overlap with the ranges in any other lines. In the ini‐
>          tial implementation (Linux 3.8), this requirement was satis‐
>          fied by a simplistic implementation that imposed the further
>          requirement that the values in both field 1 and field 2 of
>          successive lines must be in ascending numerical order, which
>          prevented some otherwise valid maps from being created. Linux
>          3.9 and later fix this limitation, allowing any valid set of
>          nonoverlapping maps.
>
>        * At least one line must be written to the file.
>
>        Writes that violate the above rules fail with the error EINVAL.
>
>        In order for a process to write to the /proc/[pid]/uid_map
>        (/proc/[pid]/gid_map) file, all of the following requirements
>        must be met:
>
>        1. The writing process must have the CAP_SETUID (CAP_SETGID)
>           capability in the user namespace of the process pid.
>
>        2. The writing process must be in either the user namespace of
>           the process pid or inside the parent user namespace of the
>           process pid.
>
>        3. The mapped user IDs (group IDs) must in turn have a mapping in
>           the parent user namespace.
>
>        4. One of the following is true:
>
>           * The data written to uid_map (gid_map) consists of a single
>             line that maps the writing process's filesystem user ID
>             (group ID) in the parent user namespace to a user ID (group
>             ID) in the user namespace. The usual case here is that
>             this single line provides a mapping for user ID of the
>             process that created the namespace.
>
>           * The process has the CAP_SETUID (CAP_SETGID) capability in
>             the parent user namespace. Thus, a privileged process can
>             make mappings to arbitrary user IDs (group IDs) in the par‐
>             ent user namespace.
>
>        Writes that violate the above rules fail with the error EPERM.
>
>    Unmapped user and group IDs
>        There are various places where an unmapped user ID (group ID) may
>        be exposed to user space.
> For example, the first process in a
> new user namespace may call getuid() before a user ID mapping has
> been defined for the namespace. In most such cases, an unmapped
> user ID is converted to the overflow user ID (group ID); the
> default value for the overflow user ID (group ID) is 65534. See
> the descriptions of /proc/sys/kernel/overflowuid and
> /proc/sys/kernel/overflowgid in proc(5).
>
> The cases where unmapped IDs are mapped in this fashion include
> system calls that return user IDs (getuid(2), getgid(2), and
> similar), credentials passed over a UNIX domain socket, credentials
> returned by stat(2), waitid(2), and the System V IPC "ctl"
> IPC_STAT operations, credentials exposed by /proc/PID/status and
> the files in /proc/sysvipc/*, credentials returned via the si_uid
> field in the siginfo_t received with a signal (see sigaction(2)),
> credentials written to the process accounting file (see acct(5)),
> and credentials returned with POSIX message queue notifications
> (see mq_notify(3)).
>
> There is one notable case where unmapped user and group IDs are
> not converted to the corresponding overflow ID value. When
> viewing a uid_map or gid_map file in which there is no mapping for
> the second field, that field is displayed as 4294967295 (-1 as an
> unsigned integer).
>
> Set-user-ID and set-group-ID programs
> When a process inside a user namespace executes a set-user-ID
> (set-group-ID) program, the process's effective user (group) ID
> inside the namespace is changed to whatever value is mapped for
> the user (group) ID of the file. However, if either the user or
> the group ID of the file has no mapping inside the namespace, the
> set-user-ID (set-group-ID) bit is silently ignored: the new
> program is executed, but the process's effective user (group) ID is
> left unchanged.
> (This mirrors the semantics of executing a
> set-user-ID or set-group-ID program that resides on a filesystem that
> was mounted with the MS_NOSUID flag, as described in mount(2).)
>
> Miscellaneous
> When a process's user and group IDs are passed over a UNIX domain
> socket to a process in a different user namespace (see the
> description of SCM_CREDENTIALS in unix(7)), they are translated
> into the corresponding values as per the receiving process's user
> and group ID mappings.
>
> CONFORMING TO
> Namespaces are a Linux-specific feature.
>
> NOTES
> Over the years, there have been a lot of features that have been
> added to the Linux kernel that have been made available only to
> privileged users because of their potential to confuse
> set-user-ID-root applications. In general, it becomes safe to allow the
> root user in a user namespace to use those features because it is
> impossible, while in a user namespace, to gain more privilege
> than the root user of a user namespace has.
>
> Availability
> Use of user namespaces requires a kernel that is configured with
> the CONFIG_USER_NS option. User namespaces require support in a
> range of subsystems across the kernel. When an unsupported
> subsystem is configured into the kernel, it is not possible to
> configure user namespaces support.
>
> As at Linux 3.8, most relevant subsystems supported user
> namespaces, but a number of filesystems did not have the
> infrastructure needed to map user and group IDs between user namespaces.
> Linux 3.9 added the required infrastructure support for many of
> the remaining unsupported filesystems (Plan 9 (9P), Andrew File
> System (AFS), Ceph, CIFS, CODA, NFS, and OCFS2). Linux 3.11
> added support for the last of the unsupported major filesystems, XFS.
>
> EXAMPLE
> The program below is designed to allow experimenting with user
> namespaces, as well as other types of namespaces.
> It creates
> namespaces as specified by command-line options and then executes
> a command inside those namespaces. The comments and usage()
> function inside the program provide a full explanation of the
> program. The following shell session demonstrates its use.
>
> First, we look at the run-time environment:
>
>     $ uname -rs     # Need Linux 3.8 or later
>     Linux 3.8.0
>     $ id -u         # Running as unprivileged user
>     1000
>     $ id -g
>     1000
>
> Now start a new shell in new user (-U), mount (-m), and PID (-p)
> namespaces, with user ID (-M) and group ID (-G) 1000 mapped to 0
> inside the user namespace:
>
>     $ ./userns_child_exec -p -m -U -M '0 1000 1' -G '0 1000 1' bash
>
> The shell has PID 1, because it is the first process in the new
> PID namespace:
>
>     bash$ echo $$
>     1
>
> Inside the user namespace, the shell has user and group ID 0, and
> a full set of permitted and effective capabilities:
>
>     bash$ cat /proc/$$/status | egrep '^[UG]id'
>     Uid:    0    0    0    0
>     Gid:    0    0    0    0
>     bash$ cat /proc/$$/status | egrep '^Cap(Prm|Inh|Eff)'
>     CapInh: 0000000000000000
>     CapPrm: 0000001fffffffff
>     CapEff: 0000001fffffffff
>
> Mounting a new /proc filesystem and listing all of the processes
> visible in the new PID namespace shows that the shell can't see
> any processes outside the PID namespace:
>
>     bash$ mount -t proc proc /proc
>     bash$ ps ax
>       PID TTY      STAT   TIME COMMAND
>         1 pts/3    S      0:00 bash
>        22 pts/3    R+     0:00 ps ax
>
> Program source
>
> /* userns_child_exec.c
>
>    Licensed under GNU General Public License v2 or later
>
>    Create a child process that executes a shell command in new
>    namespace(s); allow UID and GID mappings to be specified when
>    creating a user namespace.
> */
> #define _GNU_SOURCE
> #include <sched.h>
> #include <unistd.h>
> #include <stdlib.h>
> #include <sys/wait.h>
> #include <signal.h>
> #include <fcntl.h>
> #include <stdio.h>
> #include <string.h>
> #include <limits.h>
> #include <errno.h>
>
> /* A simple error-handling function: print an error message based
>    on the value in 'errno' and terminate the calling process */
>
> #define errExit(msg)    do { perror(msg); exit(EXIT_FAILURE); \
>                         } while (0)
>
> struct child_args {
>     char **argv;        /* Command to be executed by child, with args */
>     int    pipe_fd[2];  /* Pipe used to synchronize parent and child */
> };
>
> static int verbose;
>
> static void
> usage(char *pname)
> {
>     fprintf(stderr, "Usage: %s [options] cmd [arg...]\n\n", pname);
>     fprintf(stderr, "Create a child process that executes a shell "
>             "command in a new user namespace,\n"
>             "and possibly also other new namespace(s).\n\n");
>     fprintf(stderr, "Options can be:\n\n");
> #define fpe(str) fprintf(stderr, "    %s", str);
>     fpe("-i          New IPC namespace\n");
>     fpe("-m          New mount namespace\n");
>     fpe("-n          New network namespace\n");
>     fpe("-p          New PID namespace\n");
>     fpe("-u          New UTS namespace\n");
>     fpe("-U          New user namespace\n");
>     fpe("-M uid_map  Specify UID map for user namespace\n");
>     fpe("-G gid_map  Specify GID map for user namespace\n");
>     fpe("-z          Map user's UID and GID to 0 in user namespace\n");
>     fpe("            (equivalent to: -M '0 <uid> 1' -G '0 <gid> 1')\n");
>     fpe("-v          Display verbose messages\n");
>     fpe("\n");
>     fpe("If -z, -M, or -G is specified, -U is required.\n");
>     fpe("It is not permitted to specify both -z and either -M or -G.\n");
>     fpe("\n");
>     fpe("Map strings for -M and -G consist of records of the form:\n");
>     fpe("\n");
>     fpe("    ID-inside-ns   ID-outside-ns   len\n");
>     fpe("\n");
>     fpe("A map string can contain multiple records, separated"
>         " by commas;\n");
>     fpe("the commas are replaced by newlines before writing"
>         " to map files.\n");
>
>     exit(EXIT_FAILURE);
> }
>
> /* Update the mapping file 'map_file', with the value provided in
>    'mapping', a string that defines a UID or GID mapping.
>    A UID or
>    GID mapping consists of one or more newline-delimited records
>    of the form:
>
>        ID_inside-ns    ID-outside-ns   length
>
>    Requiring the user to supply a string that contains newlines is
>    of course inconvenient for command-line use. Thus, we permit the
>    use of commas to delimit records in this string, and replace them
>    with newlines before writing the string to the file. */
>
> static void
> update_map(char *mapping, char *map_file)
> {
>     int fd, j;
>     size_t map_len;     /* Length of 'mapping' */
>
>     /* Replace commas in mapping string with newlines */
>
>     map_len = strlen(mapping);
>     for (j = 0; j < map_len; j++)
>         if (mapping[j] == ',')
>             mapping[j] = '\n';
>
>     fd = open(map_file, O_RDWR);
>     if (fd == -1) {
>         fprintf(stderr, "ERROR: open %s: %s\n", map_file,
>                 strerror(errno));
>         exit(EXIT_FAILURE);
>     }
>
>     if (write(fd, mapping, map_len) != map_len) {
>         fprintf(stderr, "ERROR: write %s: %s\n", map_file,
>                 strerror(errno));
>         exit(EXIT_FAILURE);
>     }
>
>     close(fd);
> }
>
> static int              /* Start function for cloned child */
> childFunc(void *arg)
> {
>     struct child_args *args = (struct child_args *) arg;
>     char ch;
>
>     /* Wait until the parent has updated the UID and GID mappings.
>        See the comment in main(). We wait for end of file on a
>        pipe that will be closed by the parent process once it has
>        updated the mappings.
>        */
>
>     close(args->pipe_fd[1]);    /* Close our descriptor for the write
>                                    end of the pipe so that we see EOF
>                                    when parent closes its descriptor */
>     if (read(args->pipe_fd[0], &ch, 1) != 0) {
>         fprintf(stderr,
>                 "Failure in child: read from pipe returned != 0\n");
>         exit(EXIT_FAILURE);
>     }
>
>     /* Execute a shell command */
>
>     printf("About to exec %s\n", args->argv[0]);
>     execvp(args->argv[0], args->argv);
>     errExit("execvp");
> }
>
> #define STACK_SIZE (1024 * 1024)
>
> static char child_stack[STACK_SIZE];    /* Space for child's stack */
>
> int
> main(int argc, char *argv[])
> {
>     int flags, opt, map_zero;
>     pid_t child_pid;
>     struct child_args args;
>     char *uid_map, *gid_map;
>     const int MAP_BUF_SIZE = 100;
>     char map_buf[MAP_BUF_SIZE];
>     char map_path[PATH_MAX];
>
>     /* Parse command-line options. The initial '+' character in
>        the final getopt() argument prevents GNU-style permutation
>        of command-line options. That's useful, since sometimes
>        the 'command' to be executed by this program itself
>        has command-line options. We don't want getopt() to treat
>        those as options to this program.
>        */
>
>     flags = 0;
>     verbose = 0;
>     gid_map = NULL;
>     uid_map = NULL;
>     map_zero = 0;
>     while ((opt = getopt(argc, argv, "+imnpuUM:G:zv")) != -1) {
>         switch (opt) {
>         case 'i': flags |= CLONE_NEWIPC;        break;
>         case 'm': flags |= CLONE_NEWNS;         break;
>         case 'n': flags |= CLONE_NEWNET;        break;
>         case 'p': flags |= CLONE_NEWPID;        break;
>         case 'u': flags |= CLONE_NEWUTS;        break;
>         case 'v': verbose = 1;                  break;
>         case 'z': map_zero = 1;                 break;
>         case 'M': uid_map = optarg;             break;
>         case 'G': gid_map = optarg;             break;
>         case 'U': flags |= CLONE_NEWUSER;       break;
>         default:  usage(argv[0]);
>         }
>     }
>
>     /* -M or -G without -U is nonsensical */
>
>     if (((uid_map != NULL || gid_map != NULL || map_zero) &&
>                 !(flags & CLONE_NEWUSER)) ||
>             (map_zero && (uid_map != NULL || gid_map != NULL)))
>         usage(argv[0]);
>
>     args.argv = &argv[optind];
>
>     /* We use a pipe to synchronize the parent and child, in order to
>        ensure that the parent sets the UID and GID maps before the child
>        calls execve(). This ensures that the child maintains its
>        capabilities during the execve() in the common case where we
>        want to map the child's effective user ID to 0 in the new user
>        namespace. Without this synchronization, the child would lose
>        its capabilities if it performed an execve() with nonzero
>        user IDs (see the capabilities(7) man page for details of the
>        transformation of a process's capabilities during execve()).
>        */
>
>     if (pipe(args.pipe_fd) == -1)
>         errExit("pipe");
>
>     /* Create the child in new namespace(s) */
>
>     child_pid = clone(childFunc, child_stack + STACK_SIZE,
>                       flags | SIGCHLD, &args);
>     if (child_pid == -1)
>         errExit("clone");
>
>     /* Parent falls through to here */
>
>     if (verbose)
>         printf("%s: PID of child created by clone() is %ld\n",
>                 argv[0], (long) child_pid);
>
>     /* Update the UID and GID maps in the child */
>
>     if (uid_map != NULL || map_zero) {
>         snprintf(map_path, PATH_MAX, "/proc/%ld/uid_map",
>                 (long) child_pid);
>         if (map_zero) {
>             snprintf(map_buf, MAP_BUF_SIZE, "0 %ld 1", (long) getuid());
>             uid_map = map_buf;
>         }
>         update_map(uid_map, map_path);
>     }
>     if (gid_map != NULL || map_zero) {
>         snprintf(map_path, PATH_MAX, "/proc/%ld/gid_map",
>                 (long) child_pid);
>         if (map_zero) {
>             snprintf(map_buf, MAP_BUF_SIZE, "0 %ld 1", (long) getgid());
>             gid_map = map_buf;
>         }
>         update_map(gid_map, map_path);
>     }
>
>     /* Close the write end of the pipe, to signal to the child that we
>        have updated the UID and GID maps */
>
>     close(args.pipe_fd[1]);
>
>     if (waitpid(child_pid, NULL, 0) == -1)      /* Wait for child */
>         errExit("waitpid");
>
>     if (verbose)
>         printf("%s: terminating\n", argv[0]);
>
>     exit(EXIT_SUCCESS);
> }
>
> SEE ALSO
> newgidmap(1), newuidmap(1), clone(2), setns(2), unshare(2),
> proc(5), subgid(5), subuid(5), credentials(7), capabilities(7),
> namespaces(7), pid_namespaces(7)
>
> The kernel source file
> Documentation/namespaces/resource-control.txt.

Eric
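
Added example, not part of the message above or of the man page under review: a user-space model in C of the uid_map line rules quoted in the draft and of the point that 4294967295 stays unmapped. The names parse_map, translate and NO_ID are this example's own, the overlap test on both fields is its reading of the rule, and it is a model of the listed rules rather than the kernel's parser.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_LINES 5            /* line limit the man page gives for Linux 3.8 */
#define NO_ID     4294967295u  /* (uid_t)-1: means "no ID", so never mapped */
struct extent { uint32_t in, out, len; };  /* "ID-inside-ns ID-outside-ns len" */

/* Parse a map string (final newline optional, as in the page's -M strings).
   Returns the number of lines, or -1 where the quoted rules give EINVAL. */
static int parse_map(const char *s, struct extent *e)
{
    unsigned long long in, out, len;
    int n = 0, used;
    for (; *s != '\0'; s += used + (s[used] == '\n'), n++) {
        if (n == MAX_LINES ||
            sscanf(s, "%llu %llu %llu%n", &in, &out, &len, &used) != 3 ||
            (s[used] != '\n' && s[used] != '\0') || len == 0 ||
            in >= NO_ID || out >= NO_ID ||       /* a range may not reach -1 */
            len > NO_ID - in || len > NO_ID - out)
            return -1;
        for (int i = 0; i < n; i++)              /* no overlap on either side */
            if ((in < (uint64_t)e[i].in + e[i].len && e[i].in < in + len) ||
                (out < (uint64_t)e[i].out + e[i].len && e[i].out < out + len))
                return -1;
        e[n] = (struct extent){ (uint32_t)in, (uint32_t)out, (uint32_t)len };
    }
    return n > 0 ? n : -1;                       /* at least one line */
}

/* Translate id through the map: down=1 is inside -> parent, down=0 the
   reverse (the stat(2) direction). Returns NO_ID if no line covers id. */
static uint32_t translate(const struct extent *e, int n, uint32_t id, int down)
{
    for (int i = 0; i < n; i++) {
        uint32_t from = down ? e[i].in : e[i].out, to = down ? e[i].out : e[i].in;
        if (id >= from && id - from < e[i].len)
            return to + (id - from);
    }
    return NO_ID;
}

int main(void)
{
    struct extent e[MAX_LINES];
    int n = parse_map("0 0 4294967295\n", e);    /* initial namespace's map */
    printf("lines=%d 4294967294->%u 4294967295->%u\n", n,
           (unsigned)translate(e, n, 4294967294u, 1), (unsigned)translate(e, n, NO_ID, 1));
    return 0;
}
```

A caller that needs the value user space would see for an unmapped ID substitutes the overflow ID (65534 by default, per the draft) wherever translate returns NO_ID.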