165818 2016-12-13 12:48:41 -0800 [Mac][WK2] Tighten Keychain directory access 2016-12-14 10:29:07 -0800 1 1 1 Unclassified WebKit WebKit2 WebKit Nightly Build Mac All RESOLVED FIXED InRadar P2 Normal --- 1 bfulgham bfulgham aestes andersca bfulgham oldest_to_newest 1259510 0 bfulgham 2016-12-13 12:48:41 -0800 The existing Sandbox rules for the various WebKit processes are overly permissive. We should tighten them down to just the handful of operations we really need: We should limit our access to: file-read-data, file-read-metadata, and file-write-data. We should also deny access to newer keychains (with UUID-based names) since those are not meant to be used by user processes. 1259511 1 bfulgham 2016-12-13 12:49:21 -0800 <rdar://problem/16863857> 1259514 2 297036 bfulgham 2016-12-13 12:51:53 -0800 Created attachment 297036 Patch 1259528 3 297036 bburg 2016-12-13 13:58:45 -0800 Comment on attachment 297036 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=297036&action=review > Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:41 > +;;; UUID of the form: XXXXXXXX-XXXX-XXXX--XXXX-XXXXXXXXXXXX All of this profile text is going to get embedded in the binary. Should it? > Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:78 > +;;; That's 8X-4X-4X-4X-12X; where X = "[0-9A-F]", length(X) = 8 Ditto. > Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in:48 > +;;; That's 8X-4X-4X-4X-12X; where X = "[0-9A-F]", length(X) = 8 Ditto. 1259546 4 297036 bfulgham 2016-12-13 14:51:08 -0800 Comment on attachment 297036 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=297036&action=review >> Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:41 >> +;;; UUID of the form: XXXXXXXX-XXXX-XXXX--XXXX-XXXXXXXXXXXX > > All of this profile text is going to get embedded in the binary. Should it? That's okay -- I'll pull it out. >> Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:78 >> +;;; That's 8X-4X-4X-4X-12X; where X = "[0-9A-F]", length(X) = 8 > > Ditto. Ditto. >> Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in:48 >> +;;; That's 8X-4X-4X-4X-12X; where X = "[0-9A-F]", length(X) = 8 > > Ditto. Ditto. 1259548 5 bfulgham 2016-12-13 14:57:02 -0800 Committed r209779: <http://trac.webkit.org/changeset/209779> 1259747 6 bfulgham 2016-12-14 09:01:58 -0800 This change broke the Keygen element (e.g., http/tests/misc/submit-post-keygen.html). WebProcess needs the file-write-create permission for the Keychains directory. 1259756 7 bfulgham 2016-12-14 09:18:49 -0800 Committed r209806: <http://trac.webkit.org/changeset/209806> 1259809 8 bfulgham 2016-12-14 10:29:07 -0800 Please note, three changes are needed to integrate this sandbox change: Committed r209779: <http://trac.webkit.org/changeset/209779> Committed r209806: <http://trac.webkit.org/changeset/209806> Committed r209814: <http://trac.webkit.org/changeset/209814> 297036 2016-12-13 12:51:53 -0800 2016-12-13 13:57:30 -0800 Patch bug-165818-20161213125103.patch text/plain 11182 bfulgham SW5kZXg6IFNvdXJjZS9XZWJLaXQyL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi S2l0Mi9DaGFuZ2VMb2cJKHJldmlzaW9uIDIwOTc3MikKKysrIFNvdXJjZS9XZWJLaXQyL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE4IEBACisyMDE2LTEyLTEzICBCcmVudCBG dWxnaGFtICA8YmZ1bGdoYW1AYXBwbGUuY29tPgorCisgICAgICAgIFtNYWNdW1dLMl0gVGlnaHRl biBLZXljaGFpbiBkaXJlY3RvcnkgYWNjZXNzCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQu b3JnL3Nob3dfYnVnLmNnaT9pZD0xNjU4MTgKKyAgICAgICAgPHJkYXI6Ly9wcm9ibGVtLzE2ODYz ODU3PgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIExv Y2sgZG93biBLZXljaGFpbiBkaXJlY3RvcnkgYWNjZXNzIHRvIGp1c3QgdGhlIGZpbGUtcmVhZC1k YXRhLCBmaWxlLXJlYWQtbWV0YWRhdGEsIGFuZAorICAgICAgICBmaWxlLXdyaXRlLWRhdGEgb3Bl cmF0aW9ucyB3ZSBhY3R1YWxseSBuZWVkLgorCisgICAgICAgICogTmV0d29ya1Byb2Nlc3MvbWFj L2NvbS5hcHBsZS5XZWJLaXQuTmV0d29ya1Byb2Nlc3Muc2IuaW46CisgICAgICAgICogUGx1Z2lu UHJvY2Vzcy9tYWMvY29tLmFwcGxlLldlYktpdC5wbHVnaW4tY29tbW9uLnNiLmluOgorICAgICAg ICAqIFdlYlByb2Nlc3MvY29tLmFwcGxlLldlYlByb2Nlc3Muc2IuaW46CisKIDIwMTYtMTItMTMg IEpvc2VwaCBQZWNvcmFybyAgPHBlY29yYXJvQGFwcGxlLmNvbT4KIAogICAgICAgICBOU0FycmF5 IGxlYWtzIHNlZW4gaW4gU2FmYXJpLCBhbGxvY2F0ZWQgdW5kZXIgV0tJY29uRGF0YWJhc2VUcnlD b3B5Q0dJbWFnZUFycmF5Rm9yVVJMCkluZGV4OiBTb3VyY2UvV2ViS2l0Mi9OZXR3b3JrUHJvY2Vz cy9tYWMvY29tLmFwcGxlLldlYktpdC5OZXR3b3JrUHJvY2Vzcy5zYi5pbgo9PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0t LSBTb3VyY2UvV2ViS2l0Mi9OZXR3b3JrUHJvY2Vzcy9tYWMvY29tLmFwcGxlLldlYktpdC5OZXR3 b3JrUHJvY2Vzcy5zYi5pbgkocmV2aXNpb24gMjA5NzEyKQorKysgU291cmNlL1dlYktpdDIvTmV0 d29ya1Byb2Nlc3MvbWFjL2NvbS5hcHBsZS5XZWJLaXQuTmV0d29ya1Byb2Nlc3Muc2IuaW4JKHdv cmtpbmcgY29weSkKQEAgLTM3LDYgKzM3LDM4IEBACiAoZGVmaW5lIChob21lLWxpdGVyYWwgaG9t ZS1yZWxhdGl2ZS1saXRlcmFsKQogICAgIChsaXRlcmFsIChzdHJpbmctYXBwZW5kIChwYXJhbSAi SE9NRV9ESVIiKSBob21lLXJlbGF0aXZlLWxpdGVyYWwpKSkKIAorOzs7IDxyZGFyOi8vcHJvYmxl bS8xNTY3MzQ2Nj4KKzs7OyBVVUlEIG9mIHRoZSBmb3JtOiBYWFhYWFhYWC1YWFhYLVhYWFgtLVhY WFgtWFhYWFhYWFhYWFhYCis7OzsgVGhhdCdzIDhYLTRYLTRYLTRYLTEyWDsgd2hlcmUgWCA9ICJb MC05QS1GXSIsIGxlbmd0aChYKSA9IDgKKzs7OyBSZXR1cm4gYSByZWdleCBzdHJpbmcgd2hpY2gg bWF0Y2hlcyBjYXBpdGFsIGhleCBkaWdpdCBwYXR0ZXJucworOzs7IHBhdHRlcm4gZGVzY3JpcHRv ciBpcyBhbiBsaXN0IG9mIGludGVnZXJzIHdoZXJlIHRoZSBlbGVtZW50IHNwZWNpZmllcyB0aGUg cmVwZWF0Cis7OzsgY291bnQgb2YgdGhlIGhleCBkaWdpdDsgMCBtZWFucyBpbnNlcnQgYSBkYXNo Cis7OzsgWW91IGNhbiBwYXN0ZSB0aGVzZSBmdW5jdGlvbnMgaW50bzogaHR0cHM6Ly9yZXBsLml0 L2xhbmd1YWdlcy9TY2hlbWUKKyhkZWZpbmUgKEhFWC1wYXR0ZXJuLW1hdGNoLWdlbmVyYXRvciBw YXR0ZXJuLWRlc2NyaXB0b3IpCisgICAgKGxldHJlYyAoKHBhdHRlcm4tc3RyaW5nICIiKSkKKyAg ICAgICAgKGZvci1lYWNoICAobGFtYmRhIChyZXBlYXQtY291bnQpCisgICAgICAgICAgICAoaWYg KHplcm8/IHJlcGVhdC1jb3VudCkKKyAgICAgICAgICAgICAgICAoc2V0ISBwYXR0ZXJuLXN0cmlu ZyAoc3RyaW5nLWFwcGVuZCAgcGF0dGVybi1zdHJpbmcgIi0iKSkKKyAgICAgICAgICAgICAgICAo bGV0IGFwcGVuZGVyICgoY291bnQgcmVwZWF0LWNvdW50KSkKKyAgICAgICAgICAgICAgICAgICAg KGlmICg+IGNvdW50IDApCisgICAgICAgICAgICAgICAgICAgICAgICAoYmVnaW4KKyAgICAgICAg ICAgICAgICAgICAgICAgICAgICAoc2V0ISBwYXR0ZXJuLXN0cmluZyAoc3RyaW5nLWFwcGVuZCAg cGF0dGVybi1zdHJpbmcgIlswLTlBLUZdIikpCisgICAgICAgICAgICAgICAgICAgICAgICAgICAg KGFwcGVuZGVyICgtIGNvdW50IDEpKSkpKSkpCisgICAgICAgICAgICBwYXR0ZXJuLWRlc2NyaXB0 b3IpCisgICAgICAgIHBhdHRlcm4tc3RyaW5nKSkKKworOzsgcmV0dXJuIGEgcmVnZXggcGF0dGVy biBtYXRjaGluZyBzdHJpbmcgZm9yIDgtNC00LTQtMTIgVVVJRHM6CisoZGVmaW5lICh1dWlkLUhF WC1wYXR0ZXJuLW1hdGNoLXN0cmluZykKKyAgICAoSEVYLXBhdHRlcm4tbWF0Y2gtZ2VuZXJhdG9y ICcoOCAwIDQgMCA0IDAgNCAwIDEyKSkpCisKKzs7IGdsb2JhbCB0byBob2xkIHRoZSBjb21wdXRl ZCBVVUlEIG1hdGNoaW5nIHBhdHRlcm4uCisoZGVmaW5lICp1dWlkLXBhdHRlcm4qICIiKQorCiso ZGVmaW5lICh1dWlkLXJlZ2V4LXN0cmluZykKKyAgICAoaWYgKHplcm8/IChzdHJpbmctbGVuZ3Ro ICp1dWlkLXBhdHRlcm4qKSkKKyAgICAgICAgKHNldCEgKnV1aWQtcGF0dGVybiogKHV1aWQtSEVY LXBhdHRlcm4tbWF0Y2gtc3RyaW5nKSkpCisgICAgKnV1aWQtcGF0dGVybiopCisKIDs7IFJlYWQt b25seSBwcmVmZXJlbmNlcyBhbmQgZGF0YQogKGFsbG93IHVzZXItcHJlZmVyZW5jZS1yZWFkCiAg ICAgKHByZWZlcmVuY2UtZG9tYWluCkBAIC0xMTAsNyArMTQyLDE2IEBACiAgICAgICAgKGdsb2Jh bC1uYW1lICJjb20uYXBwbGUuU2VjdXJpdHlTZXJ2ZXIiKSkKIAogI2lmIF9fTUFDX09TX1hfVkVS U0lPTl9NSU5fUkVRVUlSRUQgPCAxMDEyNDAKLShhbGxvdyBmaWxlLXJlYWQqIGZpbGUtd3JpdGUq IChob21lLXN1YnBhdGggIi9MaWJyYXJ5L0tleWNoYWlucyIpKSA7OyBGSVhNRTogVGhpcyBzaG91 bGQgYmUgcmVtb3ZlZCB3aGVuIDxyZGFyOi8vcHJvYmxlbS8xMDQ3OTY4NT4gaXMgZml4ZWQuCis7 OyBGSVhNRTogVGhpcyBzaG91bGQgYmUgcmVtb3ZlZCB3aGVuIDxyZGFyOi8vcHJvYmxlbS8xMDQ3 OTY4NT4gaXMgZml4ZWQuCis7OyBSZXN0cmljdCBBcHBTYW5kYm94ZWQgcHJvY2Vzc2VzIGZyb20g Y3JlYXRpbmcgL0xpYnJhcnkvS2V5Y2hhaW5zLCBidXQgYWxsb3cgYWNjZXNzIHRvIHRoZSBjb250 ZW50cyBvZiAvTGlicmFyeS9LZXljaGFpbnM6CisoYWxsb3cgZmlsZS1yZWFkLWRhdGEgZmlsZS1y ZWFkLW1ldGFkYXRhIGZpbGUtd3JpdGUtZGF0YQorICAgIChzdWJwYXRoICIvTGlicmFyeS9LZXlj aGFpbnMiKQorICAgIChob21lLXN1YnBhdGggIi9MaWJyYXJ5L0tleWNoYWlucyIpKQorCis7OyBF eGNlcHQgZGVueSBhY2Nlc3MgdG8gbmV3LXN0eWxlIGlPUyBLZXljaGFpbiBmb2xkZXJzIHdoaWNo IGFyZSBVVUlEcy4KKyhkZW55IGZpbGUtcmVhZCogZmlsZS13cml0ZSoKKyAgICAocmVnZXggKHN0 cmluZy1hcHBlbmQgIi9MaWJyYXJ5L0tleWNoYWlucy8iICh1dWlkLXJlZ2V4LXN0cmluZykgIigv fCQpIikpCisgICAgKGhvbWUtcmVnZXggKHN0cmluZy1hcHBlbmQgIi9MaWJyYXJ5L0tleWNoYWlu cy8iICh1dWlkLXJlZ2V4LXN0cmluZykgIigvfCQpIikpKQogI2VuZGlmCiAKIChhbGxvdyBmaWxl LXJlYWQqIGZpbGUtd3JpdGUqIChzdWJwYXRoICIvcHJpdmF0ZS92YXIvZGIvbWRzL3N5c3RlbSIp KSA7OyBGSVhNRTogVGhpcyBzaG91bGQgYmUgcmVtb3ZlZCB3aGVuIDxyZGFyOi8vcHJvYmxlbS85 NTM4NDE0PiBpcyBmaXhlZC4KQEAgLTEyMyw5ICsxNjQsNiBAQAogICAgICAgICAiY29tLmFwcGxl LnNlY3VyaXR5LnJldm9jYXRpb24iKSkKIAogKGFsbG93IGZpbGUtcmVhZCoKLSNpZiBfX01BQ19P U19YX1ZFUlNJT05fTUlOX1JFUVVJUkVEIDwgMTAxMjQwCi0gICAgICAgKHN1YnBhdGggIi9MaWJy YXJ5L0tleWNoYWlucyIpCi0jZW5kaWYKICAgICAgICAoc3VicGF0aCAiL3ByaXZhdGUvdmFyL2Ri L21kcyIpCiAgICAgICAgKGxpdGVyYWwgIi9wcml2YXRlL3Zhci9kYi9EZXRhY2hlZFNpZ25hdHVy ZXMiKQogCkluZGV4OiBTb3VyY2UvV2ViS2l0Mi9QbHVnaW5Qcm9jZXNzL21hYy9jb20uYXBwbGUu V2ViS2l0LnBsdWdpbi1jb21tb24uc2IuaW4KPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNlL1dlYktpdDIv UGx1Z2luUHJvY2Vzcy9tYWMvY29tLmFwcGxlLldlYktpdC5wbHVnaW4tY29tbW9uLnNiLmluCShy ZXZpc2lvbiAyMDk3MTIpCisrKyBTb3VyY2UvV2ViS2l0Mi9QbHVnaW5Qcm9jZXNzL21hYy9jb20u YXBwbGUuV2ViS2l0LnBsdWdpbi1jb21tb24uc2IuaW4JKHdvcmtpbmcgY29weSkKQEAgLTczLDYg KzczLDM4IEBACiAgICAgICAgICAgICAgICAgICAgICAgIChob21lLWxpYnJhcnktcHJlZmVyZW5j ZXMtcmVnZXggKHN0cmluZy1hcHBlbmQgIyIvQnlIb3N0LyIgKHJlZ2V4LXF1b3RlIGRvbWFpbikg IyJcLi4qXC5wbGlzdCQiKSkpKSkKICAgICAgICAgICAgIGRvbWFpbnMpKQogCis7OzsgPHJkYXI6 Ly9wcm9ibGVtLzE1NjczNDY2PgorOzs7IFVVSUQgb2YgdGhlIGZvcm06IFhYWFhYWFhYLVhYWFgt WFhYWC0tWFhYWC1YWFhYWFhYWFhYWFgKKzs7OyBUaGF0J3MgOFgtNFgtNFgtNFgtMTJYOyB3aGVy ZSBYID0gIlswLTlBLUZdIiwgbGVuZ3RoKFgpID0gOAorOzs7IFJldHVybiBhIHJlZ2V4IHN0cmlu ZyB3aGljaCBtYXRjaGVzIGNhcGl0YWwgaGV4IGRpZ2l0IHBhdHRlcm5zCis7OzsgcGF0dGVybiBk ZXNjcmlwdG9yIGlzIGFuIGxpc3Qgb2YgaW50ZWdlcnMgd2hlcmUgdGhlIGVsZW1lbnQgc3BlY2lm aWVzIHRoZSByZXBlYXQKKzs7OyBjb3VudCBvZiB0aGUgaGV4IGRpZ2l0OyAwIG1lYW5zIGluc2Vy dCBhIGRhc2gKKzs7OyBZb3UgY2FuIHBhc3RlIHRoZXNlIGZ1bmN0aW9ucyBpbnRvOiBodHRwczov L3JlcGwuaXQvbGFuZ3VhZ2VzL1NjaGVtZQorKGRlZmluZSAoSEVYLXBhdHRlcm4tbWF0Y2gtZ2Vu ZXJhdG9yIHBhdHRlcm4tZGVzY3JpcHRvcikKKyAgICAobGV0cmVjICgocGF0dGVybi1zdHJpbmcg IiIpKQorICAgICAgICAoZm9yLWVhY2ggIChsYW1iZGEgKHJlcGVhdC1jb3VudCkKKyAgICAgICAg ICAgIChpZiAoemVybz8gcmVwZWF0LWNvdW50KQorICAgICAgICAgICAgICAgIChzZXQhIHBhdHRl cm4tc3RyaW5nIChzdHJpbmctYXBwZW5kICBwYXR0ZXJuLXN0cmluZyAiLSIpKQorICAgICAgICAg ICAgICAgIChsZXQgYXBwZW5kZXIgKChjb3VudCByZXBlYXQtY291bnQpKQorICAgICAgICAgICAg ICAgICAgICAoaWYgKD4gY291bnQgMCkKKyAgICAgICAgICAgICAgICAgICAgICAgIChiZWdpbgor ICAgICAgICAgICAgICAgICAgICAgICAgICAgIChzZXQhIHBhdHRlcm4tc3RyaW5nIChzdHJpbmct YXBwZW5kICBwYXR0ZXJuLXN0cmluZyAiWzAtOUEtRl0iKSkKKyAgICAgICAgICAgICAgICAgICAg ICAgICAgICAoYXBwZW5kZXIgKC0gY291bnQgMSkpKSkpKSkKKyAgICAgICAgICAgIHBhdHRlcm4t ZGVzY3JpcHRvcikKKyAgICBwYXR0ZXJuLXN0cmluZykpCisKKzs7IHJldHVybiBhIHJlZ2V4IHBh dHRlcm4gbWF0Y2hpbmcgc3RyaW5nIGZvciA4LTQtNC00LTEyIFVVSURzOgorKGRlZmluZSAodXVp ZC1IRVgtcGF0dGVybi1tYXRjaC1zdHJpbmcpCisgICAgKEhFWC1wYXR0ZXJuLW1hdGNoLWdlbmVy YXRvciAnKDggMCA0IDAgNCAwIDQgMCAxMikpKQorCis7OyBnbG9iYWwgdG8gaG9sZCB0aGUgY29t cHV0ZWQgVVVJRCBtYXRjaGluZyBwYXR0ZXJuLgorKGRlZmluZSAqdXVpZC1wYXR0ZXJuKiAiIikK KworKGRlZmluZSAodXVpZC1yZWdleC1zdHJpbmcpCisgICAgKGlmICh6ZXJvPyAoc3RyaW5nLWxl bmd0aCAqdXVpZC1wYXR0ZXJuKikpCisgICAgICAgIChzZXQhICp1dWlkLXBhdHRlcm4qICh1dWlk LUhFWC1wYXR0ZXJuLW1hdGNoLXN0cmluZykpKQorICAgICp1dWlkLXBhdHRlcm4qKQorCiA7OyBX ZWJLaXQyIHNhbmRib3ggbGF1bmNoZXIgbmVlZHMgdG8gZGVmaW5lIGFuIF9PU19WRVJTSU9OIHBh cmFtZXRlcgogOzsgVGhpcyBwYXJhbWV0ZXIgaXMgdGhlIG1ham9yIE9TIFZlcnNpb24gbnVtYmVy LgogKGlmIChub3QgKGRlZmluZWQ/ICdvcy12ZXJzaW9uKSkKQEAgLTE2MiwxNCArMTk0LDIzIEBA CiAKICAgICAoc3VicGF0aCAiL0xpYnJhcnkvQ29sb3JTeW5jIikKIAotICAgIChob21lLWxpdGVy YWwgIi9MaWJyYXJ5L1ByZWZlcmVuY2VzL2NvbS5hcHBsZS5sb29rdXAuc2hhcmVkLnBsaXN0IikK KyAgICAoaG9tZS1saXRlcmFsICIvTGlicmFyeS9QcmVmZXJlbmNlcy9jb20uYXBwbGUubG9va3Vw LnNoYXJlZC5wbGlzdCIpKQogCi0gICAgOzsgRklYTUU6IFRoaXMgc2hvdWxkIGJlIHJlbW92ZWQg d2hlbiA8cmRhcjovL3Byb2JsZW0vMTA0Nzk2ODU+IGlzIGZpeGVkLgotICAgIChzdWJwYXRoICIv TGlicmFyeS9LZXljaGFpbnMiKSkKKyNpZiBfX01BQ19PU19YX1ZFUlNJT05fTUlOX1JFUVVJUkVE IDwgMTAxMjQwCis7OyBGSVhNRTogVGhpcyBzaG91bGQgYmUgcmVtb3ZlZCB3aGVuIDxyZGFyOi8v cHJvYmxlbS8xMDQ3OTY4NT4gaXMgZml4ZWQuCis7OyBSZXN0cmljdCBBcHBTYW5kYm94ZWQgcHJv Y2Vzc2VzIGZyb20gY3JlYXRpbmcgL0xpYnJhcnkvS2V5Y2hhaW5zLCBidXQgYWxsb3cgYWNjZXNz IHRvIHRoZSBjb250ZW50cyBvZiAvTGlicmFyeS9LZXljaGFpbnM6CisoYWxsb3cgZmlsZS1yZWFk LWRhdGEgZmlsZS1yZWFkLW1ldGFkYXRhIGZpbGUtd3JpdGUtZGF0YQorICAgIChzdWJwYXRoICIv TGlicmFyeS9LZXljaGFpbnMiKQorICAgIChob21lLWxpYnJhcnktc3VicGF0aCAiL0tleWNoYWlu cyIpKQorCis7OyBFeGNlcHQgZGVueSBhY2Nlc3MgdG8gbmV3LXN0eWxlIGlPUyBLZXljaGFpbiBm b2xkZXJzIHdoaWNoIGFyZSBVVUlEcy4KKyhkZW55IGZpbGUtcmVhZCogZmlsZS13cml0ZSoKKyAg ICAocmVnZXggKHN0cmluZy1hcHBlbmQgIi9MaWJyYXJ5L0tleWNoYWlucy8iICh1dWlkLXJlZ2V4 LXN0cmluZykgIigvfCQpIikpCisgICAgKGhvbWUtbGlicmFyeS1yZWdleCAoc3RyaW5nLWFwcGVu ZCAiL0xpYnJhcnkvS2V5Y2hhaW5zLyIgKHV1aWQtcmVnZXgtc3RyaW5nKSAiKC98JCkiKSkpCisj ZW5kaWYKIAogOzsgU2VjdXJpdHkgZnJhbWV3b3JrCiAoYWxsb3cgbWFjaC1sb29rdXAgKGdsb2Jh bC1uYW1lICJjb20uYXBwbGUub2NzcGQiKSkKLShhbGxvdyBmaWxlLXJlYWQqIGZpbGUtd3JpdGUq IChob21lLWxpYnJhcnktc3VicGF0aCAiL0tleWNoYWlucyIpKQogKGFsbG93IGZpbGUtcmVhZCoK ICAgICAgICAoc3VicGF0aCAiL3ByaXZhdGUvdmFyL2RiL21kcyIpCiAgICAgICAgKGxpdGVyYWwg Ii9wcml2YXRlL3Zhci9kYi9EZXRhY2hlZFNpZ25hdHVyZXMiKSkKQEAgLTE3Nyw5ICsyMTgsNiBA QAogICAgICAgIChpcGMtcG9zaXgtbmFtZSAiY29tLmFwcGxlLkFwcGxlRGF0YWJhc2VDaGFuZ2Vk IikpCiAKIDs7IFJlYWQtd3JpdGUgcHJlZmVyZW5jZXMgYW5kIGRhdGEKLShhbGxvdyBmaWxlKgot ICAgIDs7IEZJWE1FOiBUaGlzIHNob3VsZCBiZSByZW1vdmVkIHdoZW4gPHJkYXI6Ly9wcm9ibGVt LzEwNDc5Njg1PiBpcyBmaXhlZC4KLSAgICAoaG9tZS1saWJyYXJ5LXN1YnBhdGggIi9LZXljaGFp bnMiKSkKIChhbGxvdyBzeXN0ZW0tZnNjdGwgKGZzY3RsLWNvbW1hbmQgKF9JTyAiaCIgNDcpKSkK IAogOzsgSU9LaXQgdXNlciBjbGllbnRzCkluZGV4OiBTb3VyY2UvV2ViS2l0Mi9XZWJQcm9jZXNz L2NvbS5hcHBsZS5XZWJQcm9jZXNzLnNiLmluCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFNvdXJjZS9XZWJLaXQy L1dlYlByb2Nlc3MvY29tLmFwcGxlLldlYlByb2Nlc3Muc2IuaW4JKHJldmlzaW9uIDIwOTcxMikK KysrIFNvdXJjZS9XZWJLaXQyL1dlYlByb2Nlc3MvY29tLmFwcGxlLldlYlByb2Nlc3Muc2IuaW4J KHdvcmtpbmcgY29weSkKQEAgLTQzLDYgKzQzLDM4IEBACiAgICAgICAgICAgICAoYWxsb3cgZmls ZS1yZWFkKiAoc3VicGF0aCBwYXRoKSkKICAgICAgICAgICAgIChhbGxvdyBmaWxlLWlzc3VlLWV4 dGVuc2lvbiAocmVxdWlyZS1hbGwgKGV4dGVuc2lvbi1jbGFzcyAiY29tLmFwcGxlLmFwcC1zYW5k Ym94LnJlYWQiKSAoc3VicGF0aCBwYXRoKSkpKSkpCiAKKzs7OyA8cmRhcjovL3Byb2JsZW0vMTU2 NzM0NjY+Cis7OzsgVVVJRCBvZiB0aGUgZm9ybTogWFhYWFhYWFgtWFhYWC1YWFhYLS1YWFhYLVhY WFhYWFhYWFhYWAorOzs7IFRoYXQncyA4WC00WC00WC00WC0xMlg7IHdoZXJlIFggPSAiWzAtOUEt Rl0iLCBsZW5ndGgoWCkgPSA4Cis7OzsgUmV0dXJuIGEgcmVnZXggc3RyaW5nIHdoaWNoIG1hdGNo ZXMgY2FwaXRhbCBoZXggZGlnaXQgcGF0dGVybnMKKzs7OyBwYXR0ZXJuIGRlc2NyaXB0b3IgaXMg YW4gbGlzdCBvZiBpbnRlZ2VycyB3aGVyZSB0aGUgZWxlbWVudCBzcGVjaWZpZXMgdGhlIHJlcGVh dAorOzs7IGNvdW50IG9mIHRoZSBoZXggZGlnaXQ7IDAgbWVhbnMgaW5zZXJ0IGEgZGFzaAorOzs7 IFlvdSBjYW4gcGFzdGUgdGhlc2UgZnVuY3Rpb25zIGludG86IGh0dHBzOi8vcmVwbC5pdC9sYW5n dWFnZXMvU2NoZW1lCisoZGVmaW5lIChIRVgtcGF0dGVybi1tYXRjaC1nZW5lcmF0b3IgcGF0dGVy bi1kZXNjcmlwdG9yKQorICAgIChsZXRyZWMgKChwYXR0ZXJuLXN0cmluZyAiIikpCisgICAgICAg IChmb3ItZWFjaCAgKGxhbWJkYSAocmVwZWF0LWNvdW50KQorICAgICAgICAgICAgKGlmICh6ZXJv PyByZXBlYXQtY291bnQpCisgICAgICAgICAgICAgICAgKHNldCEgcGF0dGVybi1zdHJpbmcgKHN0 cmluZy1hcHBlbmQgIHBhdHRlcm4tc3RyaW5nICItIikpCisgICAgICAgICAgICAgICAgKGxldCBh cHBlbmRlciAoKGNvdW50IHJlcGVhdC1jb3VudCkpCisgICAgICAgICAgICAgICAgICAgIChpZiAo PiBjb3VudCAwKQorICAgICAgICAgICAgICAgICAgICAgICAgKGJlZ2luCisgICAgICAgICAgICAg ICAgICAgICAgICAgICAgKHNldCEgcGF0dGVybi1zdHJpbmcgKHN0cmluZy1hcHBlbmQgIHBhdHRl cm4tc3RyaW5nICJbMC05QS1GXSIpKQorICAgICAgICAgICAgICAgICAgICAgICAgICAgIChhcHBl bmRlciAoLSBjb3VudCAxKSkpKSkpKQorICAgICAgICAgICAgcGF0dGVybi1kZXNjcmlwdG9yKQor ICAgIHBhdHRlcm4tc3RyaW5nKSkKKworOzsgcmV0dXJuIGEgcmVnZXggcGF0dGVybiBtYXRjaGlu ZyBzdHJpbmcgZm9yIDgtNC00LTQtMTIgVVVJRHM6CisoZGVmaW5lICh1dWlkLUhFWC1wYXR0ZXJu LW1hdGNoLXN0cmluZykKKyAgICAoSEVYLXBhdHRlcm4tbWF0Y2gtZ2VuZXJhdG9yICcoOCAwIDQg MCA0IDAgNCAwIDEyKSkpCisKKzs7IGdsb2JhbCB0byBob2xkIHRoZSBjb21wdXRlZCBVVUlEIG1h dGNoaW5nIHBhdHRlcm4uCisoZGVmaW5lICp1dWlkLXBhdHRlcm4qICIiKQorCisoZGVmaW5lICh1 dWlkLXJlZ2V4LXN0cmluZykKKyAgICAoaWYgKHplcm8/IChzdHJpbmctbGVuZ3RoICp1dWlkLXBh dHRlcm4qKSkKKyAgICAgICAgKHNldCEgKnV1aWQtcGF0dGVybiogKHV1aWQtSEVYLXBhdHRlcm4t bWF0Y2gtc3RyaW5nKSkpCisgICAgKnV1aWQtcGF0dGVybiopCisKIDs7IFJlYWQtb25seSBwcmVm ZXJlbmNlcyBhbmQgZGF0YQogKGFsbG93IGZpbGUtcmVhZCoKICAgICAgICA7OyBCYXNpYyBzeXN0 ZW0gcGF0aHMKQEAgLTIyMSwxNSArMjUzLDIxIEBACiAgICAgICAgKGdsb2JhbC1uYW1lICJjb20u YXBwbGUuU2VjdXJpdHlTZXJ2ZXIiKSkKIAogI2lmIF9fTUFDX09TX1hfVkVSU0lPTl9NSU5fUkVR VUlSRUQgPCAxMDEyNDAKLShhbGxvdyBmaWxlLXJlYWQqIGZpbGUtd3JpdGUqIChob21lLXN1YnBh dGggIi9MaWJyYXJ5L0tleWNoYWlucyIpKSA7OyBGSVhNRTogVGhpcyBzaG91bGQgYmUgcmVtb3Zl ZCB3aGVuIDxyZGFyOi8vcHJvYmxlbS8xMDQ3OTY4NT4gaXMgZml4ZWQuCis7OyBGSVhNRTogVGhp cyBzaG91bGQgYmUgcmVtb3ZlZCB3aGVuIDxyZGFyOi8vcHJvYmxlbS8xMDQ3OTY4NT4gaXMgZml4 ZWQuCis7OyBSZXN0cmljdCBBcHBTYW5kYm94ZWQgcHJvY2Vzc2VzIGZyb20gY3JlYXRpbmcgL0xp YnJhcnkvS2V5Y2hhaW5zLCBidXQgYWxsb3cgYWNjZXNzIHRvIHRoZSBjb250ZW50cyBvZiAvTGli cmFyeS9LZXljaGFpbnM6CisoYWxsb3cgZmlsZS1yZWFkLWRhdGEgZmlsZS1yZWFkLW1ldGFkYXRh IGZpbGUtd3JpdGUtZGF0YQorICAgIChzdWJwYXRoICIvTGlicmFyeS9LZXljaGFpbnMiKQorICAg IChob21lLXN1YnBhdGggIi9MaWJyYXJ5L0tleWNoYWlucyIpKQorCis7OyBFeGNlcHQgZGVueSBh Y2Nlc3MgdG8gbmV3LXN0eWxlIGlPUyBLZXljaGFpbiBmb2xkZXJzIHdoaWNoIGFyZSBVVUlEcy4K KyhkZW55IGZpbGUtcmVhZCogZmlsZS13cml0ZSoKKyAgICAocmVnZXggKHN0cmluZy1hcHBlbmQg Ii9MaWJyYXJ5L0tleWNoYWlucy8iICh1dWlkLXJlZ2V4LXN0cmluZykgIigvfCQpIikpCisgICAg KGhvbWUtcmVnZXggKHN0cmluZy1hcHBlbmQgIi9MaWJyYXJ5L0tleWNoYWlucy8iICh1dWlkLXJl Z2V4LXN0cmluZykgIigvfCQpIikpKQogI2VuZGlmCiAKIChhbGxvdyBmaWxlLXJlYWQqIGZpbGUt d3JpdGUqIChzdWJwYXRoICIvcHJpdmF0ZS92YXIvZGIvbWRzL3N5c3RlbSIpKSA7OyBGSVhNRTog VGhpcyBzaG91bGQgYmUgcmVtb3ZlZCB3aGVuIDxyZGFyOi8vcHJvYmxlbS85NTM4NDE0PiBpcyBm aXhlZC4KIAogKGFsbG93IGZpbGUtcmVhZCoKLSNpZiBfX01BQ19PU19YX1ZFUlNJT05fTUlOX1JF UVVJUkVEIDwgMTAxMjQwCi0gICAgICAgKHN1YnBhdGggIi9MaWJyYXJ5L0tleWNoYWlucyIpCi0j ZW5kaWYKICAgICAgICAoc3VicGF0aCAiL3ByaXZhdGUvdmFyL2RiL21kcyIpCiAgICAgICAgKGxp dGVyYWwgIi9wcml2YXRlL3Zhci9kYi9EZXRhY2hlZFNpZ25hdHVyZXMiKQogICAgICAgIDsgVGhl IGZvbGxvd2luZyBhcmUgbmVlZGVkIHVudGlsIDxyZGFyOi8vcHJvYmxlbS8xMTEzNDY4OD4gaXMg cmVzb2x2ZWQuCg==