764786 2016-04-08 14:54:00 +0000 [Security] Run extractor and miners in chroot jail or sandbox or with limited capabilities 2016-12-22 13:36:09 +0000 1 1 11 Core tracker Extractor 1.8.x Other All RESOLVED FIXED Normal major --- 1 gnome tracker-extractor alan.coopersmith carlosg elad gueux+gnome jbicha lantw44 mbiebl mcatanzaro pointedstick ssssam tingping tracker-extractor --- --- oldest_to_newest 2893991 0 gnome 2016-04-08 14:54:59 +0000 Tracker is operating on unknown data, some of it downloaded from the internet. This data can be modified to be malicious. With tracker scanning (reading, parsing) many files, any file just laying on the disk could be used to crack tracker. For web browsers, the trend is to do the parsing in unprivileged processes. I think tracker should do something similiar. Some possible tools to do that: seccomp(2) : filter a list of allowed syscalls. Miner subprocesses don't need network acces or similiar syscalls. They just need to read files and put data to the database. namespaces(7) : create a virtual filesystem on top of real filesystem. User data could be mounted read-only with this. capabilities(7), … This issue also affects miners provided by other packages, including but not limited to: gnome-online-miners tracker-miner-chatlog tracker-miner-media tracker-upnp I know of tracker-sandbox.py, but it looks like a script for developers testing tracker's features, not like a end user tool. It isn't shipped with Fedora. 2902708 1 carlosg 2016-05-05 13:30:16 +0000 Within the Tracker repo, only tracker-extract is potentially affected here, moving to that subcomponent. (In reply to Christian Stadelmann from comment #0) > Tracker is operating on unknown data, some of it downloaded from the > internet. This data can be modified to be malicious. With tracker scanning > (reading, parsing) many files, any file just laying on the disk could be > used to crack tracker. > > For web browsers, the trend is to do the parsing in unprivileged processes. > I think tracker should do something similiar. I think it is feasible to drop certain privileges there so malicious files that attempt to trigger bugs in 3rd party libraries can't do much with arbitrary code execution. I trusted at least the filesystem's would be done through xdg-app, although I guess this is tangential depending on the setup. I'll leave this though at an "accept patches" stage though, I think devising a model for xdg-app is the priority here. > > Some possible tools to do that: > seccomp(2) : filter a list of allowed syscalls. Miner subprocesses don't > need network acces or similiar syscalls. They just need to read files and > put data to the database. > namespaces(7) : create a virtual filesystem on top of real filesystem. User > data could be mounted read-only with this. > capabilities(7), … > > This issue also affects miners provided by other packages, including but not > limited to: I agree some level of paranoia is good, although I don't really think all those deal with the same levels of "untrusted data" :). However, that'd be better dealt with by filing bugs in the relevant places, I don't think this could be done generically in Tracker even if we wanted and tried hard. > gnome-online-miners Those only talk to very specific services set up through g-o-a, I'd trust something happens if connection to a counterfeit site is attempted (eg. SSL certificate errors). You might consider those sites exploitable and thus prone to provide malicious data at some point, but that's IMO a quite slim attack vector. > tracker-miner-chatlog This one only interacts with telepathy through dbus. It could make it really sure it only talks with org.freedesktop.Telepathy and org.freedesktop.Tracker1 interfaces, but I really see no way to have arbitrary code execution happening there... > tracker-miner-media This one is dead. > tracker-upnp Not much idea about this one myself... it probably could/should whitelist networks where it is ok to lookup upnp servers. Better dealt with filing a bug in the relevant place, although from looking at the git log, good luck getting a reply... > > I know of tracker-sandbox.py, but it looks like a script for developers > testing tracker's features, not like a end user tool. It isn't shipped with > Fedora. Right, it's basically a sandbox for testing purposes, so the whole testing setup runs without affecting the user databases. 2960852 2 gnome 2016-11-17 21:22:55 +0000 (In reply to Elad Alfassa from comment #0 in https://bugzilla.gnome.org/show_bug.cgi?id=774498) > Inspired by this tracker-related 0day, > https://scarybeastsecurity.blogspot.co.il/2016/11/0day-poc-risky-design- > decisions-in.html > > Can we sandbox tracker-extract using bubblewrap[1]? tracker-extract involves > parsing a lot of different file types, and since tracker is commonly > configured to index quite a lot by default, it's an "obvious" candidate for > sandboxing to reduce attack surface. > > > [1] https://github.com/projectatomic/bubblewrap +1. No need to design tracker in a way that it allows 0-day exploits. Parsing random untrusted data with insecure parsers (I'd count every parser written in C here) is irresponsible. 2960860 3 elad 2016-11-17 21:42:47 +0000 *** Bug 774498 has been marked as a duplicate of this bug. *** 2960864 4 elad 2016-11-17 21:55:52 +0000 bubblewrap is used by xdg-app and I think it makes the most sense to just use it instead of "re-inventing the wheel", and it's very simple to use. Since we're talking about the extractor, using the --file argument is probably a bad idea (since it preforms a copy), so I guess the correct way to implement this would be to use "--bind-ro" to give the extractor a read-only view of the directory where the file to extract is present. According to the manpage, tracker-extract already uses subprocesses to preform the actual extraction, so it's "just" a matter of changing the way the subprocess is launched to use bubblewrap as a sandbox. deciding which flags to pass to bubblewrap seems trivial enough (I'd guess all the ones that start with --unshare, for a start), the only "complicated" bit in there is probably deciding which seccomp options to use (ie. which syscalls should be allowed to be run by the extractor?), but I guess this can be done "later" since being isolated from the filesystem and the network is already more secure than what we have now. I would've tried to write a patch for this myself, but I'm not familiar enough with tracker's codebase (and a bit short on free time for such projects these days) so I guess this should be left for people who have more time & are more familiar with the codebase. (unless someone can teach me exactly how the extractor works and point me at the relevant place in the code that launches the subprocess) 2967108 5 341490 carlosg 2016-12-06 16:20:17 +0000 Created attachment 341490 libtracker-extract: Ditch ThreadAwareness module configuration toggle It's basically unused, just use a private thread per-module so they're easier to isolate. 2967109 6 341491 carlosg 2016-12-06 16:20:23 +0000 Created attachment 341491 libtracker-common: Implement sandboxing through libseccomp The threads calling the new tracker_seccomp_init() function, and all threads/processes spawned from these, will enter a restricted mode where only a few sensible syscalls are allowed, and more specifically, filesystem access is restricted. 2967110 7 341492 carlosg 2016-12-06 16:20:28 +0000 Created attachment 341492 tracker-extract: Sandbox extractor threads through seccomp Those deal with plugins and potentially malicious content, make it sure that any potential exploit is deprived of all tools that could make it harmful. 2967113 8 elad 2016-12-06 16:28:04 +0000 I see you've allowed the sandboxed stuff to use write(). This means if someone manages to exploit the extractor and gain arbitrary code execution, they can write to ~/.bashrc or similar to break out of the sandbox by the next time the user logs in. This is why I think using bubblewrap or anything similar that will allow further isolation of filesystem access (via readonly bind mounts, user namespaces, etc) might be a better approach. 2967169 9 carlosg 2016-12-06 20:06:22 +0000 (In reply to Elad Alfassa from comment #8) > I see you've allowed the sandboxed stuff to use write(). This means if > someone manages to exploit the extractor and gain arbitrary code execution, > they can write to ~/.bashrc or similar to break out of the sandbox by the > next time the user logs in. No, you can't. The seccomp rules also include making calls to open() fail with EACCESS if anything else than O_READONLY is set, this leaves the malicious code pretty much unable to create or modify anything in the filesystem. But there's nothing like actually trying! doing: diff --git a/src/tracker-extract/tracker-extract-text.c b/src/tracker-extract/tracker-extract-text.c index abcf403..b6d36ea 100644 --- a/src/tracker-extract/tracker-extract-text.c +++ b/src/tracker-extract/tracker-extract-text.c @@ -89,6 +89,16 @@ tracker_extract_get_metadata (TrackerExtractInfo *info) config = tracker_main_get_config (); + { + gint fd; + if ((fd = open ("/home/carlos/.bashrc", O_RDWR | O_APPEND, 0755)) < 0) { + g_print ("booh: %m\n"); + } else { + write (fd, "imaevil", 7); + close (fd); + } + } + content = get_file_content (tracker_extract_info_get_file (info), tracker_config_get_max_bytes (config)); Fills my output with: booh: Permission denied Booh indeed... And no, the non-sandboxed pieces don't open ~/.bashrc as RW for malicious code to exploit, the threads just inherit stdout/stderr themselves. I guess malicious code *might* reach for the dbus fd, but that will happen no matter how many processes you put in between, there will be always a socket to the outside. And anyways... that requires exploiting both the codec/library and tracker-extract, just to reach out to a socket that will shut you down if you behave funny, there's more direct ways to exploit your system. As much as it would seem write() is the root of all evil, it is needed for pretty legitimate stuff, like printing on stderr/stdout or basic IPC stuff (libraries apparently like to communicate between their threads). I can't disable access to write() without triggering *lots* of false alarms, nor does bubblewrap. > This is why I think using bubblewrap or anything > similar that will allow further isolation of filesystem access (via readonly > bind mounts, user namespaces, etc) might be a better approach. Bubblewrap goes at an entirely different level. If anything, the extraction/miner process should be confined together with the sandboxed app that is interested in the extracted data (and thus the same permissions/restrictions apply altogether). I however consider this part of an "improve flatpack integration" RFE to Tracker interfaces and APIs (also meant to be addressed on 1.12), not an intrinsic security concern. 2967760 10 carlosg 2016-12-08 13:55:28 +0000 Pushed with minor modifications that allowed me not to ditch gstreamer-based extraction entirely. Most namely sockets are allowed, but only with the AF_LOCAL/UNIX families. The chance to exploit this is present, but rather low, the exploit would need breaking through the tracker-extract sandbox by exploiting another local service. The GStreamer developers are already aware of the extra syscalls involved in gstreamer extraction, and it seems definitely unintended given GstDiscoverer should no decoding. So the situation can be made better, and the seccomp rules tightened. But as this patch is intended to be backported, and this is the status quo, this is the compromise taken. Attachment 341490 pushed as 697daeb - libtracker-extract: Ditch ThreadAwareness module configuration toggle Attachment 341491 pushed as 9a924b1 - libtracker-common: Implement sandboxing through libseccomp Attachment 341492 pushed as 5b4132c - tracker-extract: Sandbox extractor threads through seccomp 2967823 11 gnome 2016-12-08 16:07:01 +0000 Thank you! 2967952 12 mbiebl 2016-12-09 00:28:29 +0000 Just curious: Since we already ship systemd --user service files, why not use the sandboxing features provided by systemd, like https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallFilter= 2968004 13 lantw44 2016-12-09 09:47:46 +0000 Tracker fails to configure on FreeBSD now: checking for LIBSECCOMP... no configure: error: Libseccomp is mandatory for sandboxed metadata extraction 2968013 14 carlosg 2016-12-09 10:02:24 +0000 (In reply to Michael Biebl from comment #12) > Just curious: Since we already ship systemd --user service files, why not > use the sandboxing features provided by systemd, like > https://www.freedesktop.org/software/systemd/man/systemd.exec. > html#SystemCallFilter= I indeed considered that, but I didn't think that was the best option to eradicate the noise generated. I think saying "tracker is more secure" is bolder than "tracker is more secure if you use it under/together with..." (In reply to Ting-Wei Lan from comment #13) > Tracker fails to configure on FreeBSD now: > > checking for LIBSECCOMP... no > configure: error: Libseccomp is mandatory for sandboxed metadata extraction Right, thanks for the heads up. Only in master/1.11 I made this mandatory, I will loosen the restriction so this only applies to linux platforms. I will have to wait for patches though if something like this is doable in FreeBSD though... 2971379 15 alan.coopersmith 2016-12-22 06:21:43 +0000 (In reply to Ting-Wei Lan from comment #13) > Tracker fails to configure on FreeBSD now: > > checking for LIBSECCOMP... no > configure: error: Libseccomp is mandatory for sandboxed metadata extraction Same on Solaris. Thanks for agreeing to make this restriction only apply to Linux. 2971467 16 carlosg 2016-12-22 13:36:09 +0000 ... and sorry I let that slip, I just pushed commit bdf25c78ee making seccomp only mandatory on linux, and intend to do releases along the weekend. 341490 2016-12-06 16:20:00 +0000 2016-12-08 13:55:34 +0000 libtracker-extract: Ditch ThreadAwareness module configuration toggle libtracker-extract-Ditch-ThreadAwareness-module-co.patch text/plain 12459 carlosg RnJvbSA4NWQ4ZTU0MTU3MDFiMWRkZGU3YWZiNzNkNTMyNTdjZmQ4YzRhYzY0IE1vbiBTZXAgMTcg MDA6MDA6MDAgMjAwMQpGcm9tOiBDYXJsb3MgR2FybmFjaG8gPGNhcmxvc2dAZ25vbWUub3JnPgpE YXRlOiBUdWUsIDYgRGVjIDIwMTYgMTc6MDE6MDkgKzAxMDAKU3ViamVjdDogW1BBVENIXSBsaWJ0 cmFja2VyLWV4dHJhY3Q6IERpdGNoIFRocmVhZEF3YXJlbmVzcyBtb2R1bGUKIGNvbmZpZ3VyYXRp b24gdG9nZ2xlCgpJdCdzIGJhc2ljYWxseSB1bnVzZWQsIGp1c3QgdXNlIGEgcHJpdmF0ZSB0aHJl YWQgcGVyLW1vZHVsZSBzbyB0aGV5J3JlCmVhc2llciB0byBpc29sYXRlLgoKaHR0cHM6Ly9idWd6 aWxsYS5nbm9tZS5vcmcvc2hvd19idWcuY2dpP2lkPTc2NDc4NgotLS0KIHNyYy9saWJ0cmFja2Vy LWV4dHJhY3QvdHJhY2tlci1kYXRhLmggICAgICAgICAgIHwgIDMgKy0KIHNyYy9saWJ0cmFja2Vy LWV4dHJhY3QvdHJhY2tlci1tb2R1bGUtbWFuYWdlci5jIHwgMTkgKystLS0tCiBzcmMvbGlidHJh Y2tlci1leHRyYWN0L3RyYWNrZXItbW9kdWxlLW1hbmFnZXIuaCB8IDMzICstLS0tLS0tLQogc3Jj L3RyYWNrZXItZXh0cmFjdC90cmFja2VyLWV4dHJhY3QtdGV4dC5jICAgICAgfCAgOCAtLS0KIHNy Yy90cmFja2VyLWV4dHJhY3QvdHJhY2tlci1leHRyYWN0LmMgICAgICAgICAgIHwgODkgKysrKysr Ky0tLS0tLS0tLS0tLS0tLS0tLQogNSBmaWxlcyBjaGFuZ2VkLCAzMiBpbnNlcnRpb25zKCspLCAx MjAgZGVsZXRpb25zKC0pCgpkaWZmIC0tZ2l0IGEvc3JjL2xpYnRyYWNrZXItZXh0cmFjdC90cmFj a2VyLWRhdGEuaCBiL3NyYy9saWJ0cmFja2VyLWV4dHJhY3QvdHJhY2tlci1kYXRhLmgKaW5kZXgg MDViMDBkYi4uZDA2MDlkNCAxMDA2NDQKLS0tIGEvc3JjL2xpYnRyYWNrZXItZXh0cmFjdC90cmFj a2VyLWRhdGEuaAorKysgYi9zcmMvbGlidHJhY2tlci1leHRyYWN0L3RyYWNrZXItZGF0YS5oCkBA IC00NSw4ICs0NSw3IEBAIEdfQkVHSU5fREVDTFMKICAqIGFwcGxpY2F0aW9uLCBsb29rIGF0IHRo ZSBUcmFja2VyRGVjb3JhdG9yIGNsYXNzIGZyb20gbGlidHJhY2tlci1taW5lci4KICAqLwogCi1n Ym9vbGVhbiB0cmFja2VyX2V4dHJhY3RfbW9kdWxlX2luaXQgICAgIChUcmFja2VyTW9kdWxlVGhy ZWFkQXdhcmVuZXNzICAqdGhyZWFkX2F3YXJlbmVzc19yZXQsCi0gICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICBHRXJyb3IgICAgICAgICAgICAgICAgICAgICAgICoqZXJy b3IpOworZ2Jvb2xlYW4gdHJhY2tlcl9leHRyYWN0X21vZHVsZV9pbml0ICAgICAoR0Vycm9yICoq ZXJyb3IpOwogZ2Jvb2xlYW4gdHJhY2tlcl9leHRyYWN0X21vZHVsZV9zaHV0ZG93biAodm9pZCk7 CiAKIC8qKgpkaWZmIC0tZ2l0IGEvc3JjL2xpYnRyYWNrZXItZXh0cmFjdC90cmFja2VyLW1vZHVs ZS1tYW5hZ2VyLmMgYi9zcmMvbGlidHJhY2tlci1leHRyYWN0L3RyYWNrZXItbW9kdWxlLW1hbmFn ZXIuYwppbmRleCAxNzVjODNlLi4xNWYyOTY0IDEwMDY0NAotLS0gYS9zcmMvbGlidHJhY2tlci1l eHRyYWN0L3RyYWNrZXItbW9kdWxlLW1hbmFnZXIuYworKysgYi9zcmMvbGlidHJhY2tlci1leHRy YWN0L3RyYWNrZXItbW9kdWxlLW1hbmFnZXIuYwpAQCAtMzUsNyArMzUsNiBAQCB0eXBlZGVmIHN0 cnVjdCB7CiAKIHR5cGVkZWYgc3RydWN0IHsKIAlHTW9kdWxlICptb2R1bGU7Ci0JVHJhY2tlck1v ZHVsZVRocmVhZEF3YXJlbmVzcyB0aHJlYWRfYXdhcmVuZXNzOwogCVRyYWNrZXJFeHRyYWN0TWV0 YWRhdGFGdW5jIGV4dHJhY3RfZnVuYzsKIAlUcmFja2VyRXh0cmFjdEluaXRGdW5jIGluaXRfZnVu YzsKIAlUcmFja2VyRXh0cmFjdFNodXRkb3duRnVuYyBzaHV0ZG93bl9mdW5jOwpAQCAtNDUsOCAr NDQsNyBAQCB0eXBlZGVmIHN0cnVjdCB7CiBzdGF0aWMgZ2Jvb2xlYW4gZHVtbXlfZXh0cmFjdF9m dW5jIChUcmFja2VyRXh0cmFjdEluZm8gKmluZm8pOwogCiBzdGF0aWMgTW9kdWxlSW5mbyBkdW1t eV9tb2R1bGUgPSB7Ci0JTlVMTCwgVFJBQ0tFUl9NT0RVTEVfTUFJTl9USFJFQUQsCi0JZHVtbXlf ZXh0cmFjdF9mdW5jLCBOVUxMLCBOVUxMLCBUUlVFCisJTlVMTCwgZHVtbXlfZXh0cmFjdF9mdW5j LCBOVUxMLCBOVUxMLCBUUlVFCiB9OwogCiBzdGF0aWMgR0hhc2hUYWJsZSAqbW9kdWxlcyA9IE5V TEw7CkBAIC0zNzUsNyArMzczLDcgQEAgbG9hZF9tb2R1bGUgKFJ1bGVJbmZvICppbmZvLAogCQlp ZiAobW9kdWxlX2luZm8tPmluaXRfZnVuYykgewogCQkJR0Vycm9yICplcnJvciA9IE5VTEw7CiAK LQkJCWlmICghKG1vZHVsZV9pbmZvLT5pbml0X2Z1bmMpICgmbW9kdWxlX2luZm8tPnRocmVhZF9h d2FyZW5lc3MsICZlcnJvcikpIHsKKwkJCWlmICghKG1vZHVsZV9pbmZvLT5pbml0X2Z1bmMpICgm ZXJyb3IpKSB7CiAJCQkJZ19jcml0aWNhbCAoIkNvdWxkIG5vdCBpbml0aWFsaXplIG1vZHVsZSAl czogJXMiLAogCQkJCQkgICAgZ19tb2R1bGVfbmFtZSAobW9kdWxlX2luZm8tPm1vZHVsZSksCiAJ CQkJCSAgICAoZXJyb3IpID8gZXJyb3ItPm1lc3NhZ2UgOiAiTm8gZXJyb3IgZ2l2ZW4iKTsKQEAg LTM4Niw4ICszODQsNiBAQCBsb2FkX21vZHVsZSAoUnVsZUluZm8gKmluZm8sCiAKIAkJCQlyZXR1 cm4gTlVMTDsKIAkJCX0KLQkJfSBlbHNlIHsKLQkJCW1vZHVsZV9pbmZvLT50aHJlYWRfYXdhcmVu ZXNzID0gVFJBQ0tFUl9NT0RVTEVfTUFJTl9USFJFQUQ7CiAJCX0KIAogCQltb2R1bGVfaW5mby0+ aW5pdGlhbGl6ZWQgPSBUUlVFOwpAQCAtNTMwLDEyICs1MjYsMTAgQEAgdHJhY2tlcl9leHRyYWN0 X21vZHVsZV9tYW5hZ2VyX2dldF9taW1ldHlwZV9oYW5kbGVycyAoY29uc3QgZ2NoYXIgKm1pbWV0 eXBlKQogICogdHJhY2tlcl9taW1ldHlwZV9pbmZvX2dldF9tb2R1bGU6CiAgKiBAaW5mbzogYSAj VHJhY2tlck1pbWV0eXBlSW5mbwogICogQGV4dHJhY3RfZnVuYzogKG91dCk6IChhbGxvdy1ub25l KTogcmV0dXJuIHZhbHVlIGZvciB0aGUgZXh0cmFjdGlvbiBmdW5jdGlvbgotICogQHRocmVhZF9h d2FyZW5lc3M6IChvdXQpOiAoYWxsb3ctbm9uZSk6IHRocmVhZCBhd2FyZW5lc3Mgb2YgdGhlIGV4 dHJhY3RvciBtb2R1bGUKICAqCiAgKiBSZXR1cm5zIHRoZSAjR01vZHVsZSB0aGF0IEBpbmZvIGlz IGN1cnJlbnRseSBwb2ludGluZyB0bywgaWYgQGV4dHJhY3RfZnVuYyBpcwogICogbm90ICVOVUxM LCBpdCB3aWxsIGJlIGZpbGxlZCBpbiB3aXRoIHRoZSBwb2ludGVyIHRvIHRoZSBtZXRhZGF0YSBl eHRyYWN0aW9uCi0gKiBmdW5jdGlvbi4gSWYgQHRocmVhZF9hd2FyZW5lc3MgaXMgbm90ICVOVUxM LCBpdCB3aWxsIGJlIGZpbGxlZCBpbiB3aXRoIHRoZQotICogbW9kdWxlIHRocmVhZCBhd2FyZW5l c3MgZGVzY3JpcHRpb24uCisgKiBmdW5jdGlvbi4KICAqCiAgKiBSZXR1cm5zOiBUaGUgJUdNb2R1 bGUgY3VycmVudGx5IHBvaW50ZWQgdG8gYnkgQGluZm8uCiAgKgpAQCAtNTQzLDggKzUzNyw3IEBA IHRyYWNrZXJfZXh0cmFjdF9tb2R1bGVfbWFuYWdlcl9nZXRfbWltZXR5cGVfaGFuZGxlcnMgKGNv bnN0IGdjaGFyICptaW1ldHlwZSkKICAqKi8KIEdNb2R1bGUgKgogdHJhY2tlcl9taW1ldHlwZV9p bmZvX2dldF9tb2R1bGUgKFRyYWNrZXJNaW1ldHlwZUluZm8gICAgICAgICAgKmluZm8sCi0gICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVHJhY2tlckV4dHJhY3RNZXRhZGF0YUZ1bmMg ICAqZXh0cmFjdF9mdW5jLAotICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFRyYWNr ZXJNb2R1bGVUaHJlYWRBd2FyZW5lc3MgKnRocmVhZF9hd2FyZW5lc3MpCisgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgVHJhY2tlckV4dHJhY3RNZXRhZGF0YUZ1bmMgICAqZXh0cmFj dF9mdW5jKQogewogCWdfcmV0dXJuX3ZhbF9pZl9mYWlsIChpbmZvICE9IE5VTEwsIE5VTEwpOwog CkBAIC01NTYsMTAgKzU0OSw2IEBAIHRyYWNrZXJfbWltZXR5cGVfaW5mb19nZXRfbW9kdWxlIChU cmFja2VyTWltZXR5cGVJbmZvICAgICAgICAgICppbmZvLAogCQkqZXh0cmFjdF9mdW5jID0gaW5m by0+Y3VyX21vZHVsZV9pbmZvLT5leHRyYWN0X2Z1bmM7CiAJfQogCi0JaWYgKHRocmVhZF9hd2Fy ZW5lc3MpIHsKLQkJKnRocmVhZF9hd2FyZW5lc3MgPSBpbmZvLT5jdXJfbW9kdWxlX2luZm8tPnRo cmVhZF9hd2FyZW5lc3M7Ci0JfQotCiAJcmV0dXJuIGluZm8tPmN1cl9tb2R1bGVfaW5mby0+bW9k dWxlOwogfQogCmRpZmYgLS1naXQgYS9zcmMvbGlidHJhY2tlci1leHRyYWN0L3RyYWNrZXItbW9k dWxlLW1hbmFnZXIuaCBiL3NyYy9saWJ0cmFja2VyLWV4dHJhY3QvdHJhY2tlci1tb2R1bGUtbWFu YWdlci5oCmluZGV4IGYxMTYxOGEuLmU0OTcxMmIgMTAwNjQ0Ci0tLSBhL3NyYy9saWJ0cmFja2Vy LWV4dHJhY3QvdHJhY2tlci1tb2R1bGUtbWFuYWdlci5oCisrKyBiL3NyYy9saWJ0cmFja2VyLWV4 dHJhY3QvdHJhY2tlci1tb2R1bGUtbWFuYWdlci5oCkBAIC0zMiwzNyArMzIsOSBAQAogCiBHX0JF R0lOX0RFQ0xTCiAKLS8qKgotICogVHJhY2tlck1vZHVsZVRocmVhZEF3YXJlbmVzczoKLSAqIEBU UkFDS0VSX01PRFVMRV9OT05FOiBFeHRyYWN0aW9ucyBhcmUgY29tcGxldGVkIGluIHRoZSBtYWlu IGV2ZW50Ci0gKiBsb29wLgotICogQFRSQUNLRVJfTU9EVUxFX01BSU5fVEhSRUFEOiBFeHRyYWN0 aW9ucyB3aWxsIGJlIGRpc3BhdGNoZWQgaW4gdGhlCi0gKiBtYWluIHRocmVhZC4KLSAqIEBUUkFD S0VSX01PRFVMRV9TSU5HTEVfVEhSRUFEOiBFeHRyYWN0aW9ucyB3aWxsIGJlIGRpc3BhdGNoZWQg aW4gYQotICogc2VwYXJhdGUgdGhyZWFkIHdoaWNoIGlzIG5vdCB0aGUgbWFpbiB0aHJlYWQuIFRo aXMgbWVhbnMgYSBuZXcKLSAqIHRocmVhZCBpcyBjcmVhdGVkIGFuZCB1c2VkIGZvciBhbGwgZXh0 cmFjdGlvbnMgd2l0aCB0aGlzIHZhbHVlLgotICogQFRSQUNLRVJfTU9EVUxFX01VTFRJX1RIUkVB RDogQSB0aHJlYWQgcG9vbCBpcyB1c2VkIGZvciBhbGwKLSAqIGV4dHJhY3Rpb25zIG9mIHRoaXMg bW9kdWxlLiBUaGlzIHJlcXVpcmVzIHRoYXQgdGhlIG1vZHVsZSBpcyB0aHJlYWQKLSAqIGF3YXJl LgotICoKLSAqIEVudW1lcmF0ZXMgdGhlIGRpZmZlcmVudCB0eXBlcyBvZiB0aHJlYWQgYXdhcmVu ZXNzIHdoaWNoIGV4dHJhY3RvcgotICogbW9kdWxlcyBuZWVkIHRvIGJlIGF3YXJlIG9mLiBUaGlz IGlzIHVzZWZ1bCB0byBrbm93IGJlY2F1c2UgaXQKLSAqIGNoYW5nZXMgdGhlIHdheSB3ZSBxdWV1 ZSBhbmQgbm90aWZ5IGV4dHJhY3Rpb25zIHdpdGggbW9kdWxlcyBmb3IKLSAqIG1ldGFkYXRhIGZy b20gZmlsZXMuCi0gKgotICogU2luY2U6IDAuMTQKLSAqKi8KLXR5cGVkZWYgZW51bSB7Ci0JVFJB Q0tFUl9NT0RVTEVfTk9ORSwKLQlUUkFDS0VSX01PRFVMRV9NQUlOX1RIUkVBRCwKLQlUUkFDS0VS X01PRFVMRV9TSU5HTEVfVEhSRUFELAotCVRSQUNLRVJfTU9EVUxFX01VTFRJX1RIUkVBRAotfSBU cmFja2VyTW9kdWxlVGhyZWFkQXdhcmVuZXNzOwotCiB0eXBlZGVmIHN0cnVjdCBfVHJhY2tlck1p bWV0eXBlSW5mbyBUcmFja2VyTWltZXR5cGVJbmZvOwogCi10eXBlZGVmIGdib29sZWFuICgqIFRy YWNrZXJFeHRyYWN0SW5pdEZ1bmMpICAgICAoVHJhY2tlck1vZHVsZVRocmVhZEF3YXJlbmVzcyAg KnRocmVhZF9hd2FyZW5lc3NfcmV0LAotICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgIEdFcnJvciAgICAgICAgICAgICAgICAgICAgICAgKiplcnJvcik7Cit0 eXBlZGVmIGdib29sZWFuICgqIFRyYWNrZXJFeHRyYWN0SW5pdEZ1bmMpICAgICAoR0Vycm9yICoq ZXJyb3IpOwogdHlwZWRlZiB2b2lkICAgICAoKiBUcmFja2VyRXh0cmFjdFNodXRkb3duRnVuYykg KHZvaWQpOwogCiB0eXBlZGVmIGdib29sZWFuICgqIFRyYWNrZXJFeHRyYWN0TWV0YWRhdGFGdW5j KSAoVHJhY2tlckV4dHJhY3RJbmZvICppbmZvKTsKQEAgLTgxLDggKzUzLDcgQEAgVHJhY2tlck1p bWV0eXBlSW5mbyAqIHRyYWNrZXJfZXh0cmFjdF9tb2R1bGVfbWFuYWdlcl9nZXRfbWltZXR5cGVf aGFuZGxlcnMgIChjb24KIEdTdHJ2ICAgICAgICAgICAgICAgICB0cmFja2VyX2V4dHJhY3RfbW9k dWxlX21hbmFnZXJfZ2V0X2ZhbGxiYWNrX3JkZl90eXBlcyAoY29uc3QgZ2NoYXIgKm1pbWV0eXBl KTsKIAogR01vZHVsZSAqIHRyYWNrZXJfbWltZXR5cGVfaW5mb19nZXRfbW9kdWxlIChUcmFja2Vy TWltZXR5cGVJbmZvICAgICAgICAgICppbmZvLAotICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICBUcmFja2VyRXh0cmFjdE1ldGFkYXRhRnVuYyAgICpleHRyYWN0X2Z1 bmMsCi0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFRyYWNrZXJN b2R1bGVUaHJlYWRBd2FyZW5lc3MgKnRocmVhZF9hd2FyZW5lc3MpOworICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUcmFja2VyRXh0cmFjdE1ldGFkYXRhRnVuYyAg ICpleHRyYWN0X2Z1bmMpOwogZ2Jvb2xlYW4gIHRyYWNrZXJfbWltZXR5cGVfaW5mb19pdGVyX25l eHQgIChUcmFja2VyTWltZXR5cGVJbmZvICAgICAgICAgICppbmZvKTsKIHZvaWQgICAgICB0cmFj a2VyX21pbWV0eXBlX2luZm9fZnJlZSAgICAgICAoVHJhY2tlck1pbWV0eXBlSW5mbyAgICAgICAg ICAqaW5mbyk7CiAKZGlmZiAtLWdpdCBhL3NyYy90cmFja2VyLWV4dHJhY3QvdHJhY2tlci1leHRy YWN0LXRleHQuYyBiL3NyYy90cmFja2VyLWV4dHJhY3QvdHJhY2tlci1leHRyYWN0LXRleHQuYwpp bmRleCA4NTdkYWE0Li5hYmNmNDAzIDEwMDY0NAotLS0gYS9zcmMvdHJhY2tlci1leHRyYWN0L3Ry YWNrZXItZXh0cmFjdC10ZXh0LmMKKysrIGIvc3JjL3RyYWNrZXItZXh0cmFjdC90cmFja2VyLWV4 dHJhY3QtdGV4dC5jCkBAIC04MSwxNCArODEsNiBAQCBnZXRfZmlsZV9jb250ZW50IChHRmlsZSAq ZmlsZSwKIH0KIAogR19NT0RVTEVfRVhQT1JUIGdib29sZWFuCi10cmFja2VyX2V4dHJhY3RfbW9k dWxlX2luaXQgKFRyYWNrZXJNb2R1bGVUaHJlYWRBd2FyZW5lc3MgICp0aHJlYWRfYXdhcmVuZXNz X3JldCwKLSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgR0Vycm9yICAgICAgICAgICAgICAg ICAgICAgICAqKmVycm9yKQotewotCSp0aHJlYWRfYXdhcmVuZXNzX3JldCA9IFRSQUNLRVJfTU9E VUxFX01VTFRJX1RIUkVBRDsKLQlyZXR1cm4gVFJVRTsKLX0KLQotR19NT0RVTEVfRVhQT1JUIGdi b29sZWFuCiB0cmFja2VyX2V4dHJhY3RfZ2V0X21ldGFkYXRhIChUcmFja2VyRXh0cmFjdEluZm8g KmluZm8pCiB7CiAJVHJhY2tlclJlc291cmNlICptZXRhZGF0YTsKZGlmZiAtLWdpdCBhL3NyYy90 cmFja2VyLWV4dHJhY3QvdHJhY2tlci1leHRyYWN0LmMgYi9zcmMvdHJhY2tlci1leHRyYWN0L3Ry YWNrZXItZXh0cmFjdC5jCmluZGV4IDYwZGU0ZDguLmZlZTZjN2YgMTAwNjQ0Ci0tLSBhL3NyYy90 cmFja2VyLWV4dHJhY3QvdHJhY2tlci1leHRyYWN0LmMKKysrIGIvc3JjL3RyYWNrZXItZXh0cmFj dC90cmFja2VyLWV4dHJhY3QuYwpAQCAtNTIxLDcgKzUyMSw3IEBAIGdldF9tZXRhZGF0YSAoVHJh Y2tlckV4dHJhY3RUYXNrICp0YXNrKQogCXJldHVybiBGQUxTRTsKIH0KIAotc3RhdGljIHZvaWQK K3N0YXRpYyBncG9pbnRlcgogc2luZ2xlX3RocmVhZF9nZXRfbWV0YWRhdGEgKEdBc3luY1F1ZXVl ICpxdWV1ZSkKIHsKIAl3aGlsZSAoVFJVRSkgewpAQCAtNTM0LDYgKzUzNCw4IEBAIHNpbmdsZV90 aHJlYWRfZ2V0X21ldGFkYXRhIChHQXN5bmNRdWV1ZSAqcXVldWUpCiAjZW5kaWYgLyogVEhSRUFE X0VOQUJMRV9UUkFDRSAqLwogCQlnZXRfbWV0YWRhdGEgKHRhc2spOwogCX0KKworCXJldHVybiBO VUxMOwogfQogCiAvKiBUaGlzIGZ1bmN0aW9uIGlzIGV4ZWN1dGVkIGluIHRoZSBtYWluIHRocmVh ZCwgZGVjaWRlcyB0aGUKQEAgLTU0Myw5ICs1NDUsOSBAQCBzaW5nbGVfdGhyZWFkX2dldF9tZXRh ZGF0YSAoR0FzeW5jUXVldWUgKnF1ZXVlKQogc3RhdGljIGdib29sZWFuCiBkaXNwYXRjaF90YXNr X2NiIChUcmFja2VyRXh0cmFjdFRhc2sgKnRhc2spCiB7Ci0JVHJhY2tlck1vZHVsZVRocmVhZEF3 YXJlbmVzcyB0aHJlYWRfYXdhcmVuZXNzOwogCVRyYWNrZXJFeHRyYWN0UHJpdmF0ZSAqcHJpdjsK IAlHRXJyb3IgKmVycm9yID0gTlVMTDsKKwlHQXN5bmNRdWV1ZSAqYXN5bmNfcXVldWU7CiAJR01v ZHVsZSAqbW9kdWxlOwogCiAjaWZkZWYgVEhSRUFEX0VOQUJMRV9UUkFDRQpAQCAtNTk1LDcgKzU5 Nyw3IEBAIGRpc3BhdGNoX3Rhc2tfY2IgKFRyYWNrZXJFeHRyYWN0VGFzayAqdGFzaykKIAkJcmV0 dXJuIEZBTFNFOwogCX0KIAotCXRhc2stPmN1cl9tb2R1bGUgPSBtb2R1bGUgPSB0cmFja2VyX21p bWV0eXBlX2luZm9fZ2V0X21vZHVsZSAodGFzay0+bWltZXR5cGVfaGFuZGxlcnMsICZ0YXNrLT5j dXJfZnVuYywgJnRocmVhZF9hd2FyZW5lc3MpOworCXRhc2stPmN1cl9tb2R1bGUgPSBtb2R1bGUg PSB0cmFja2VyX21pbWV0eXBlX2luZm9fZ2V0X21vZHVsZSAodGFzay0+bWltZXR5cGVfaGFuZGxl cnMsICZ0YXNrLT5jdXJfZnVuYyk7CiAKIAlpZiAoIXRhc2stPmN1cl9mdW5jKSB7CiAJCWdfd2Fy bmluZyAoIkRpc2NhcmRpbmcgdGFzaywgbm8gbW9kdWxlIGFibGUgdG8gaGFuZGxlICclcyciLCB0 YXNrLT5maWxlKTsKQEAgLTYwNCw3MyArNjA2LDMzIEBAIGRpc3BhdGNoX3Rhc2tfY2IgKFRyYWNr ZXJFeHRyYWN0VGFzayAqdGFzaykKIAkJcmV0dXJuIEZBTFNFOwogCX0KIAotCXN3aXRjaCAodGhy ZWFkX2F3YXJlbmVzcykgewotCWNhc2UgVFJBQ0tFUl9NT0RVTEVfTk9ORToKLQkJLyogRXJyb3Ig b3V0ICovCi0JCWdfdGFza19yZXR1cm5fbmV3X2Vycm9yIChHX1RBU0sgKHRhc2stPnJlcyksCi0J CSAgICAgICAgICAgICAgICAgICAgICAgICB0cmFja2VyX2V4dHJhY3RfZXJyb3JfcXVhcmsgKCks Ci0JCSAgICAgICAgICAgICAgICAgICAgICAgICBUUkFDS0VSX0VYVFJBQ1RfRVJST1JfTk9fRVhU UkFDVE9SLAotCQkgICAgICAgICAgICAgICAgICAgICAgICAgIk1vZHVsZSAnJXMnIGluaXRpYWxp emF0aW9uIGZhaWxlZCIsCi0JCSAgICAgICAgICAgICAgICAgICAgICAgICBnX21vZHVsZV9uYW1l IChtb2R1bGUpKTsKLQkJZXh0cmFjdF90YXNrX2ZyZWUgKHRhc2spOwotCQlicmVhazsKLQljYXNl IFRSQUNLRVJfTU9EVUxFX01BSU5fVEhSRUFEOgotCQkvKiBEaXNwYXRjaCB0aGUgdGFzayByaWdo dCBhd2F5IGluIHRoaXMgdGhyZWFkICovCi0jaWZkZWYgVEhSRUFEX0VOQUJMRV9UUkFDRQotCQln X2RlYnVnICgiVGhyZWFkOiVwIChNYWluKSA8LS0gJyVzJzogRGlzcGF0Y2hpbmcgaW4gbWFpbiB0 aHJlYWQiLAotCQkgICAgICAgICBnX3RocmVhZF9zZWxmKCksIHRhc2stPmZpbGUpOwotI2VuZGlm IC8qIFRIUkVBRF9FTkFCTEVfVFJBQ0UgKi8KLQkJZ2V0X21ldGFkYXRhICh0YXNrKTsKLQkJYnJl YWs7Ci0JY2FzZSBUUkFDS0VSX01PRFVMRV9TSU5HTEVfVEhSRUFEOiB7Ci0JCUdBc3luY1F1ZXVl ICphc3luY19xdWV1ZTsKLQotCQlhc3luY19xdWV1ZSA9IGdfaGFzaF90YWJsZV9sb29rdXAgKHBy aXYtPnNpbmdsZV90aHJlYWRfZXh0cmFjdG9ycywgbW9kdWxlKTsKLQotCQlpZiAoIWFzeW5jX3F1 ZXVlKSB7Ci0JCQlHVGhyZWFkICp0aHJlYWQ7Ci0KLQkJCS8qIE5vIHRocmVhZCBjcmVhdGVkIHll dCBmb3IgdGhpcyBtb2R1bGUsIGNyZWF0ZSBpdAotCQkJICogdG9nZXRoZXIgd2l0aCB0aGUgYXN5 bmMgcXVldWUgdXNlZCB0byBwYXNzIGRhdGEgdG8gaXQKLQkJCSAqLwotCQkJYXN5bmNfcXVldWUg PSBnX2FzeW5jX3F1ZXVlX25ldyAoKTsKLQkJCXRocmVhZCA9IGdfdGhyZWFkX3RyeV9uZXcgKCJz aW5nbGUiLAotCQkJICAgICAgICAgICAgICAgICAgICAgICAgICAgKEdUaHJlYWRGdW5jKSBzaW5n bGVfdGhyZWFkX2dldF9tZXRhZGF0YSwKLQkJCSAgICAgICAgICAgICAgICAgICAgICAgICAgIGdf YXN5bmNfcXVldWVfcmVmIChhc3luY19xdWV1ZSksCi0JCQkgICAgICAgICAgICAgICAgICAgICAg ICAgICAmZXJyb3IpOwotCQkJaWYgKCF0aHJlYWQpIHsKLQkJCQlnX3Rhc2tfcmV0dXJuX2Vycm9y IChHX1RBU0sgKHRhc2stPnJlcyksIGVycm9yKTsKLQkJCQlleHRyYWN0X3Rhc2tfZnJlZSAodGFz ayk7Ci0JCQkJcmV0dXJuIEZBTFNFOwotCQkJfQorCWFzeW5jX3F1ZXVlID0gZ19oYXNoX3RhYmxl X2xvb2t1cCAocHJpdi0+c2luZ2xlX3RocmVhZF9leHRyYWN0b3JzLCBtb2R1bGUpOwogCi0JCQkv KiBXZSB3b24ndCBqb2luIHRoZSB0aHJlYWQsIHNvIGp1c3QgdW5yZWYgaXQgaGVyZSAqLwotCQkJ Z19vYmplY3RfdW5yZWYgKHRocmVhZCk7CisJaWYgKCFhc3luY19xdWV1ZSkgeworCQlHVGhyZWFk ICp0aHJlYWQ7CiAKLQkJCWdfaGFzaF90YWJsZV9pbnNlcnQgKHByaXYtPnNpbmdsZV90aHJlYWRf ZXh0cmFjdG9ycywgbW9kdWxlLCBhc3luY19xdWV1ZSk7Ci0JCX0KLQotCQlnX2FzeW5jX3F1ZXVl X3B1c2ggKGFzeW5jX3F1ZXVlLCB0YXNrKTsKLQkJYnJlYWs7Ci0JfQotCWNhc2UgVFJBQ0tFUl9N T0RVTEVfTVVMVElfVEhSRUFEOgotCQkvKiBQdXQgdGFzayBpbiB0aHJlYWQgcG9vbCAqLwotI2lm ZGVmIFRIUkVBRF9FTkFCTEVfVFJBQ0UKLQkJZ19kZWJ1ZyAoIlRocmVhZDolcCAoTWFpbikgLS0+ ICclcyc6IERpc3BhdGNoaW5nIGluIHRocmVhZCBwb29sIiwKLQkJICAgICAgICAgZ190aHJlYWRf c2VsZigpLCB0YXNrLT5maWxlKTsKLSNlbmRpZiAvKiBUSFJFQURfRU5BQkxFX1RSQUNFICovCi0J CWdfdGhyZWFkX3Bvb2xfcHVzaCAocHJpdi0+dGhyZWFkX3Bvb2wsIHRhc2ssICZlcnJvcik7Ci0K LQkJaWYgKGVycm9yKSB7CisJCS8qIE5vIHRocmVhZCBjcmVhdGVkIHlldCBmb3IgdGhpcyBtb2R1 bGUsIGNyZWF0ZSBpdAorCQkgKiB0b2dldGhlciB3aXRoIHRoZSBhc3luYyBxdWV1ZSB1c2VkIHRv IHBhc3MgZGF0YSB0byBpdAorCQkgKi8KKwkJYXN5bmNfcXVldWUgPSBnX2FzeW5jX3F1ZXVlX25l dyAoKTsKKwkJdGhyZWFkID0gZ190aHJlYWRfdHJ5X25ldyAoInNpbmdsZSIsCisJCSAgICAgICAg ICAgICAgICAgICAgICAgICAgIChHVGhyZWFkRnVuYykgc2luZ2xlX3RocmVhZF9nZXRfbWV0YWRh dGEsCisJCSAgICAgICAgICAgICAgICAgICAgICAgICAgIGdfYXN5bmNfcXVldWVfcmVmIChhc3lu Y19xdWV1ZSksCisJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICZlcnJvcik7CisJCWlmICgh dGhyZWFkKSB7CiAJCQlnX3Rhc2tfcmV0dXJuX2Vycm9yIChHX1RBU0sgKHRhc2stPnJlcyksIGVy cm9yKTsKIAkJCWV4dHJhY3RfdGFza19mcmVlICh0YXNrKTsKLQogCQkJcmV0dXJuIEZBTFNFOwog CQl9CiAKLQkJYnJlYWs7CisJCS8qIFdlIHdvbid0IGpvaW4gdGhlIHRocmVhZCwgc28ganVzdCB1 bnJlZiBpdCBoZXJlICovCisJCWdfdGhyZWFkX3VucmVmICh0aHJlYWQpOworCisJCWdfaGFzaF90 YWJsZV9pbnNlcnQgKHByaXYtPnNpbmdsZV90aHJlYWRfZXh0cmFjdG9ycywgbW9kdWxlLCBhc3lu Y19xdWV1ZSk7CiAJfQogCisJZ19hc3luY19xdWV1ZV9wdXNoIChhc3luY19xdWV1ZSwgdGFzayk7 CisKIAlyZXR1cm4gRkFMU0U7CiB9CiAKQEAgLTc2Nyw3ICs3MjksNyBAQCB0cmFja2VyX2V4dHJh Y3RfZ2V0X21ldGFkYXRhX2J5X2NtZGxpbmUgKFRyYWNrZXJFeHRyYWN0ICpvYmplY3QsCiAKIAl0 YXNrLT5taW1ldHlwZV9oYW5kbGVycyA9IHRyYWNrZXJfZXh0cmFjdF9tb2R1bGVfbWFuYWdlcl9n ZXRfbWltZXR5cGVfaGFuZGxlcnMgKHRhc2stPm1pbWV0eXBlKTsKIAlpZiAodGFzay0+bWltZXR5 cGVfaGFuZGxlcnMpIHsKLQkJdGFzay0+Y3VyX21vZHVsZSA9IHRyYWNrZXJfbWltZXR5cGVfaW5m b19nZXRfbW9kdWxlICh0YXNrLT5taW1ldHlwZV9oYW5kbGVycywgJnRhc2stPmN1cl9mdW5jLCBO VUxMKTsKKwkJdGFzay0+Y3VyX21vZHVsZSA9IHRyYWNrZXJfbWltZXR5cGVfaW5mb19nZXRfbW9k dWxlICh0YXNrLT5taW1ldHlwZV9oYW5kbGVycywgJnRhc2stPmN1cl9mdW5jKTsKIAl9CiAKIAl3 aGlsZSAodGFzay0+Y3VyX2Z1bmMpIHsKQEAgLTgxNyw4ICs3NzksNyBAQCB0cmFja2VyX2V4dHJh Y3RfZ2V0X21ldGFkYXRhX2J5X2NtZGxpbmUgKFRyYWNrZXJFeHRyYWN0ICpvYmplY3QsCiAJCQl9 CiAKIAkJCXRhc2stPmN1cl9tb2R1bGUgPSB0cmFja2VyX21pbWV0eXBlX2luZm9fZ2V0X21vZHVs ZSAodGFzay0+bWltZXR5cGVfaGFuZGxlcnMsCi0JCQkgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICZ0YXNrLT5jdXJfZnVuYywKLQkJCSAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTlVMTCk7CisJCQkg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICZ0YXNr LT5jdXJfZnVuYyk7CiAJCX0KIAl9CiAKLS0gCjIuOS4z committed 341491 2016-12-06 16:20:00 +0000 2016-12-08 13:55:38 +0000 libtracker-common: Implement sandboxing through libseccomp libtracker-common-Implement-sandboxing-through-lib.patch text/plain 8970 carlosg RnJvbSBhMWI0ZWViN2Y2ZDBjZmI4YWVhMzZlYWM0OGM2MzE4ZjkyY2U5OWZiIE1vbiBTZXAgMTcg MDA6MDA6MDAgMjAwMQpGcm9tOiBDYXJsb3MgR2FybmFjaG8gPGNhcmxvc2dAZ25vbWUub3JnPgpE YXRlOiBUdWUsIDYgRGVjIDIwMTYgMTc6MDM6MTcgKzAxMDAKU3ViamVjdDogW1BBVENIXSBsaWJ0 cmFja2VyLWNvbW1vbjogSW1wbGVtZW50IHNhbmRib3hpbmcgdGhyb3VnaCBsaWJzZWNjb21wCgpU aGUgdGhyZWFkcyBjYWxsaW5nIHRoZSBuZXcgdHJhY2tlcl9zZWNjb21wX2luaXQoKSBmdW5jdGlv biwgYW5kIGFsbAp0aHJlYWRzL3Byb2Nlc3NlcyBzcGF3bmVkIGZyb20gdGhlc2UsIHdpbGwgZW50 ZXIgYSByZXN0cmljdGVkIG1vZGUKd2hlcmUgb25seSBhIGZldyBzZW5zaWJsZSBzeXNjYWxscyBh cmUgYWxsb3dlZCwgYW5kIG1vcmUgc3BlY2lmaWNhbGx5LApmaWxlc3lzdGVtIGFjY2VzcyBpcyBy ZXN0cmljdGVkLgoKaHR0cHM6Ly9idWd6aWxsYS5nbm9tZS5vcmcvc2hvd19idWcuY2dpP2lkPTc2 NDc4NgotLS0KIGNvbmZpZ3VyZS5hYyAgICAgICAgICAgICAgICAgICAgICAgICAgICB8ICAyMCAr KysrCiBzcmMvbGlidHJhY2tlci1jb21tb24vTWFrZWZpbGUuYW0gICAgICAgfCAgIDIgKwogc3Jj L2xpYnRyYWNrZXItY29tbW9uL3RyYWNrZXItY29tbW9uLmggIHwgICAxICsKIHNyYy9saWJ0cmFj a2VyLWNvbW1vbi90cmFja2VyLXNlY2NvbXAuYyB8IDE2MCArKysrKysrKysrKysrKysrKysrKysr KysrKysrKysrKwogc3JjL2xpYnRyYWNrZXItY29tbW9uL3RyYWNrZXItc2VjY29tcC5oIHwgIDM1 ICsrKysrKysKIDUgZmlsZXMgY2hhbmdlZCwgMjE4IGluc2VydGlvbnMoKykKIGNyZWF0ZSBtb2Rl IDEwMDY0NCBzcmMvbGlidHJhY2tlci1jb21tb24vdHJhY2tlci1zZWNjb21wLmMKIGNyZWF0ZSBt b2RlIDEwMDY0NCBzcmMvbGlidHJhY2tlci1jb21tb24vdHJhY2tlci1zZWNjb21wLmgKCmRpZmYg LS1naXQgYS9jb25maWd1cmUuYWMgYi9jb25maWd1cmUuYWMKaW5kZXggZDE1YTZhZC4uZjFhOTll YiAxMDA2NDQKLS0tIGEvY29uZmlndXJlLmFjCisrKyBiL2NvbmZpZ3VyZS5hYwpAQCAtMjYwMSw2 ICsyNjAxLDIwIEBAIGZpCiAKIEFNX0NPTkRJVElPTkFMKEhBVkVfQVJUV09SSywgdGVzdCAieCRo YXZlX2FydHdvcmsiID0gInh5ZXMiKQogCisjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMKKyMgQ2hlY2sgZm9yIGxpYnNlY2Nv bXAKKyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj IyMjIyMjIyMjIyMjIworCitQS0dfQ0hFQ0tfTU9EVUxFUyhMSUJTRUNDT01QLAorICAgICAgICAg ICAgICAgICAgW2xpYnNlY2NvbXAgPj0gMi4wXSwKKyAgICAgICAgICAgICAgICAgIFtoYXZlX2xp YnNlY2NvbXA9eWVzXSwKKyAgICAgICAgICAgICAgICAgIFtoYXZlX2xpYnNlY2NvbXA9bm9dKQor CitpZiB0ZXN0ICIkaGF2ZV9saWJzZWNjb21wIiA9ICJ5ZXMiOyB0aGVuCisgICBMSUJUUkFDS0VS X0NPTU1PTl9MSUJTPSIkTElCVFJBQ0tFUl9DT01NT05fTElCUyAkTElCU0VDQ09NUF9MSUJTIgor ICAgTElCVFJBQ0tFUl9DT01NT05fQ0ZMQUdTPSIkTElCVFJBQ0tFUl9DT01NT05fQ0ZMQUdTICRM SUJTRUNDT01QX0NGTEFHUyIKKyAgIEFDX0RFRklORShIQVZFX0xJQlNFQ0NPTVAsIFtdLCBbRGVm aW5lIGlmIHdlIGhhdmUgbGlic2VjY29tcF0pCitmaQogCiAjIyMjIyMjIyMjIyMjIyMjIyMjIyMj IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMKICMgV3JpdGUgZ2Vu ZXJhdGVkIGZpbGVzCkBAIC0yODY5LDMgKzI4ODMsOSBAQCBXQVJOSU5HOgogCiAiCiBmaQorCitp ZiB0ZXN0ICIkaGF2ZV9saWJzZWNjb21wIiA9ICJubyI7IHRoZW4KK2VjaG8gIgorV0FSTklORzog bGlic2VjY29tcCB3YXMgbm90IGZvdW5kLCBidWlsZCB3aWxsIG5vdCBiZSBwcmV2ZW50ZWQsIGJ1 dCB0aGlzIGlzIGEgc2VjdXJpdHkgZmxhdy4KKyIKK2ZpCmRpZmYgLS1naXQgYS9zcmMvbGlidHJh Y2tlci1jb21tb24vTWFrZWZpbGUuYW0gYi9zcmMvbGlidHJhY2tlci1jb21tb24vTWFrZWZpbGUu YW0KaW5kZXggNjg0MjJlOS4uNGQyNTk2ZSAxMDA2NDQKLS0tIGEvc3JjL2xpYnRyYWNrZXItY29t bW9uL01ha2VmaWxlLmFtCisrKyBiL3NyYy9saWJ0cmFja2VyLWNvbW1vbi9NYWtlZmlsZS5hbQpA QCAtMjcsNiArMjcsNyBAQCBsaWJ0cmFja2VyX2NvbW1vbl9sYV9TT1VSQ0VTID0gXAogCXRyYWNr ZXItaW9wcmlvLmMgXAogCXRyYWNrZXItbG9nLmMgXAogCXRyYWNrZXItc2NoZWQuYyBcCisJdHJh Y2tlci1zZWNjb21wLmMgXAogCXRyYWNrZXItdHlwZS11dGlscy5jIFwKIAl0cmFja2VyLXV0aWxz LmMgXAogCXRyYWNrZXItbG9jYWxlLmMgXApAQCAtNDIsNiArNDMsNyBAQCBub2luc3RfSEVBREVS UyA9IFwKIAl0cmFja2VyLWRhdGUtdGltZS5oIFwKIAl0cmFja2VyLWZpbGUtdXRpbHMuaCBcCiAJ dHJhY2tlci1zY2hlZC5oIFwKKwl0cmFja2VyLXNlY2NvbXAuaCBcCiAJdHJhY2tlci10eXBlLXV0 aWxzLmggXAogCXRyYWNrZXItdXRpbHMuaCBcCiAJdHJhY2tlci1sb2NhbGUuaCBcCmRpZmYgLS1n aXQgYS9zcmMvbGlidHJhY2tlci1jb21tb24vdHJhY2tlci1jb21tb24uaCBiL3NyYy9saWJ0cmFj a2VyLWNvbW1vbi90cmFja2VyLWNvbW1vbi5oCmluZGV4IDFhZjczOTMuLjI0MzRiN2YgMTAwNjQ0 Ci0tLSBhL3NyYy9saWJ0cmFja2VyLWNvbW1vbi90cmFja2VyLWNvbW1vbi5oCisrKyBiL3NyYy9s aWJ0cmFja2VyLWNvbW1vbi90cmFja2VyLWNvbW1vbi5oCkBAIC0zNiw2ICszNiw3IEBACiAjaW5j bHVkZSAidHJhY2tlci1sb2cuaCIKICNpbmNsdWRlICJ0cmFja2VyLXBhcnNlci5oIgogI2luY2x1 ZGUgInRyYWNrZXItc2NoZWQuaCIKKyNpbmNsdWRlICJ0cmFja2VyLXNlY2NvbXAuaCIKICNpbmNs dWRlICJ0cmFja2VyLXR5cGUtdXRpbHMuaCIKICNpbmNsdWRlICJ0cmFja2VyLXV0aWxzLmgiCiAj aW5jbHVkZSAidHJhY2tlci1sb2NhbGUuaCIKZGlmZiAtLWdpdCBhL3NyYy9saWJ0cmFja2VyLWNv bW1vbi90cmFja2VyLXNlY2NvbXAuYyBiL3NyYy9saWJ0cmFja2VyLWNvbW1vbi90cmFja2VyLXNl Y2NvbXAuYwpuZXcgZmlsZSBtb2RlIDEwMDY0NAppbmRleCAwMDAwMDAwLi40YTljNGI5Ci0tLSAv ZGV2L251bGwKKysrIGIvc3JjL2xpYnRyYWNrZXItY29tbW9uL3RyYWNrZXItc2VjY29tcC5jCkBA IC0wLDAgKzEsMTYwIEBACisvKgorICogQ29weXJpZ2h0IChDKSAyMDE2LCBSZWQgSGF0IEluYy4K KyAqCisgKiBUaGlzIGxpYnJhcnkgaXMgZnJlZSBzb2Z0d2FyZTsgeW91IGNhbiByZWRpc3RyaWJ1 dGUgaXQgYW5kL29yCisgKiBtb2RpZnkgaXQgdW5kZXIgdGhlIHRlcm1zIG9mIHRoZSBHTlUgTGVz c2VyIEdlbmVyYWwgUHVibGljCisgKiBMaWNlbnNlIGFzIHB1Ymxpc2hlZCBieSB0aGUgRnJlZSBT b2Z0d2FyZSBGb3VuZGF0aW9uOyBlaXRoZXIKKyAqIHZlcnNpb24gMi4xIG9mIHRoZSBMaWNlbnNl LCBvciAoYXQgeW91ciBvcHRpb24pIGFueSBsYXRlciB2ZXJzaW9uLgorICoKKyAqIFRoaXMgbGli cmFyeSBpcyBkaXN0cmlidXRlZCBpbiB0aGUgaG9wZSB0aGF0IGl0IHdpbGwgYmUgdXNlZnVsLAor ICogYnV0IFdJVEhPVVQgQU5ZIFdBUlJBTlRZOyB3aXRob3V0IGV2ZW4gdGhlIGltcGxpZWQgd2Fy cmFudHkgb2YKKyAqIE1FUkNIQU5UQUJJTElUWSBvciBGSVRORVNTIEZPUiBBIFBBUlRJQ1VMQVIg UFVSUE9TRS4gIFNlZSB0aGUgR05VCisgKiBMZXNzZXIgR2VuZXJhbCBQdWJsaWMgTGljZW5zZSBm b3IgbW9yZSBkZXRhaWxzLgorICoKKyAqIFlvdSBzaG91bGQgaGF2ZSByZWNlaXZlZCBhIGNvcHkg b2YgdGhlIEdOVSBMZXNzZXIgR2VuZXJhbCBQdWJsaWMKKyAqIExpY2Vuc2UgYWxvbmcgd2l0aCB0 aGlzIGxpYnJhcnk7IGlmIG5vdCwgd3JpdGUgdG8gdGhlCisgKiBGcmVlIFNvZnR3YXJlIEZvdW5k YXRpb24sIEluYy4sIDUxIEZyYW5rbGluIFN0cmVldCwgRmlmdGggRmxvb3IsCisgKiBCb3N0b24s IE1BICAwMjExMC0xMzAxLCBVU0EuCisgKi8KKworI2luY2x1ZGUgImNvbmZpZy5oIgorCisjaW5j bHVkZSAidHJhY2tlci1zZWNjb21wLmgiCisKKyNpZmRlZiBIQVZFX0xJQlNFQ0NPTVAKKworI2lu Y2x1ZGUgPHN0ZGxpYi5oPgorI2luY2x1ZGUgPHN0ZGlvLmg+CisjaW5jbHVkZSA8c3RkZGVmLmg+ CisjaW5jbHVkZSA8c3RyaW5nLmg+CisjaW5jbHVkZSA8dW5pc3RkLmg+CisjaW5jbHVkZSA8ZXJy bm8uaD4KKworI2luY2x1ZGUgPHN5cy90eXBlcy5oPgorI2luY2x1ZGUgPHN5cy9wcmN0bC5oPgor I2luY2x1ZGUgPHN5cy9zeXNjYWxsLmg+CisjaW5jbHVkZSA8c3lzL3NvY2tldC5oPgorI2luY2x1 ZGUgPGZjbnRsLmg+CisKKyNpbmNsdWRlIDxzZWNjb21wLmg+CisKKyNkZWZpbmUgQUxMT1dfUlVM RShjYWxsKSBHX1NUTVRfU1RBUlQgeyBpZiAoc2VjY29tcF9ydWxlX2FkZCAoY3R4LCBTQ01QX0FD VF9BTExPVywgU0NNUF9TWVMoY2FsbCksIDApIDwgMCkgZ290byBvdXQ7IH0gR19TVE1UX0VORAor CitnYm9vbGVhbgordHJhY2tlcl9zZWNjb21wX2luaXQgKHZvaWQpCit7CisJc2NtcF9maWx0ZXJf Y3R4IGN0eDsKKworCWN0eCA9IHNlY2NvbXBfaW5pdCAoU0NNUF9BQ1RfVFJBUCk7CisJaWYgKGN0 eCA9PSBOVUxMKQorCQlyZXR1cm4gRkFMU0U7CisKKwkvKiBNZW1vcnkgbWFuYWdlbWVudCAqLwor CUFMTE9XX1JVTEUgKGJyayk7CisJQUxMT1dfUlVMRSAobW1hcCk7CisJQUxMT1dfUlVMRSAobXVu bWFwKTsKKwlBTExPV19SVUxFIChtcmVtYXApOworCUFMTE9XX1JVTEUgKG1wcm90ZWN0KTsKKwlB TExPV19SVUxFIChtYWR2aXNlKTsKKwkvKiBQcm9jZXNzIG1hbmFnZW1lbnQgKi8KKwlBTExPV19S VUxFIChleGl0X2dyb3VwKTsKKwlBTExPV19SVUxFIChnZXR1aWQpOworCUFMTE9XX1JVTEUgKGdl dGV1aWQpOworCUFMTE9XX1JVTEUgKGdldHBwaWQpOworCUFMTE9XX1JVTEUgKGdldHRpZCk7CisJ QUxMT1dfUlVMRSAoZXhpdCk7CisJLyogQmFzaWMgZmlsZXN5c3RlbSBhY2Nlc3MgKi8KKwlBTExP V19SVUxFIChmc3RhdCk7CisJQUxMT1dfUlVMRSAoc3RhdCk7CisJQUxMT1dfUlVMRSAoc3RhdGZz KTsKKwlBTExPV19SVUxFIChsc3RhdCk7CisJQUxMT1dfUlVMRSAoYWNjZXNzKTsKKwlBTExPV19S VUxFIChnZXRkZW50cyk7CisJQUxMT1dfUlVMRSAocmVhZGxpbmspOworCUFMTE9XX1JVTEUgKHJl YWRsaW5rYXQpOworCUFMTE9XX1JVTEUgKHV0aW1lKTsKKwlBTExPV19SVUxFIChmc3luYyk7CisJ LyogUHJvY2Vzc2VzIGFuZCB0aHJlYWRzICovCisJQUxMT1dfUlVMRSAoY2xvbmUpOworCUFMTE9X X1JVTEUgKGZ1dGV4KTsKKwlBTExPV19SVUxFIChzZXRfcm9idXN0X2xpc3QpOworCUFMTE9XX1JV TEUgKHJ0X3NpZ2FjdGlvbik7CisJQUxMT1dfUlVMRSAocnRfc2lncHJvY21hc2spOworCUFMTE9X X1JVTEUgKHNjaGVkX3lpZWxkKTsKKwlBTExPV19SVUxFIChzY2hlZF9nZXRhZmZpbml0eSk7CisJ QUxMT1dfUlVMRSAobmFub3NsZWVwKTsKKwkvKiBNYWluIGxvb3BzICovCisJQUxMT1dfUlVMRSAo cG9sbCk7CisJQUxMT1dfUlVMRSAocHBvbGwpOworCUFMTE9XX1JVTEUgKGZjbnRsKTsKKwlBTExP V19SVUxFIChldmVudGZkMik7CisJQUxMT1dfUlVMRSAocGlwZSk7CisJQUxMT1dfUlVMRSAocGlw ZTIpOworCS8qIFN5c3RlbSAqLworCUFMTE9XX1JVTEUgKHVuYW1lKTsKKwlBTExPV19SVUxFIChz eXNpbmZvKTsKKwlBTExPV19SVUxFIChwcmN0bCk7CisJQUxMT1dfUlVMRSAoZ2V0cmFuZG9tKTsK KwkvKiBGaWxlcyAqLworCUFMTE9XX1JVTEUgKGNsb3NlKTsKKwlBTExPV19SVUxFIChyZWFkKTsK KwlBTExPV19SVUxFIChwcmVhZDY0KTsKKwlBTExPV19SVUxFIChsc2Vlayk7CisJQUxMT1dfUlVM RSAoZmFkdmlzZTY0KTsKKwlBTExPV19SVUxFICh3cml0ZSk7CisJQUxMT1dfUlVMRSAod3JpdGV2 KTsKKworCS8qIFNwZWNpYWwgcmVxdWlyZW1lbnRzIGZvciBpb2N0bCwgYWxsb3dlZCBvbiBzdGRv dXQvc3RkZXJyICovCisJaWYgKHNlY2NvbXBfcnVsZV9hZGQgKGN0eCwgU0NNUF9BQ1RfQUxMT1cs IFNDTVBfU1lTKGlvY3RsKSwgMSwKKwkgICAgICAgICAgICAgICAgICAgICAgU0NNUF9DTVAoMCwg U0NNUF9DTVBfRVEsIDEpKSA8IDApCisJCWdvdG8gb3V0OworCWlmIChzZWNjb21wX3J1bGVfYWRk IChjdHgsIFNDTVBfQUNUX0FMTE9XLCBTQ01QX1NZUyhpb2N0bCksIDEsCisJICAgICAgICAgICAg ICAgICAgICAgIFNDTVBfQ01QKDAsIFNDTVBfQ01QX0VRLCAyKSkgPCAwKQorCQlnb3RvIG91dDsK KworCS8qIFNwZWNpYWwgcmVxdWlyZW1lbnRzIGZvciBvcGVuLCBhbGxvdyBPX1JET05MWSBjYWxs cywgYnV0IGZhaWwKKwkgKiBpZiB3cml0ZSBwZXJtaXNzaW9ucyBhcmUgcmVxdWVzdGVkLgorCSAq LworCWlmIChzZWNjb21wX3J1bGVfYWRkIChjdHgsIFNDTVBfQUNUX0FMTE9XLCBTQ01QX1NZUyhv cGVuKSwgMSwKKwkgICAgICAgICAgICAgICAgICAgICAgU0NNUF9DTVAoMSwgU0NNUF9DTVBfTUFT S0VEX0VRLCBPX1dST05MWSB8IE9fUkRXUiwgMCkpIDwgMCkKKwkJZ290byBvdXQ7CisJaWYgKHNl Y2NvbXBfcnVsZV9hZGQgKGN0eCwgU0NNUF9BQ1RfRVJSTk8gKEVBQ0NFUyksIFNDTVBfU1lTKG9w ZW4pLCAxLAorCSAgICAgICAgICAgICAgICAgICAgICBTQ01QX0NNUCgxLCBTQ01QX0NNUF9NQVNL RURfRVEsIE9fV1JPTkxZLCBPX1dST05MWSkpIDwgMCkKKwkJZ290byBvdXQ7CisJaWYgKHNlY2Nv bXBfcnVsZV9hZGQgKGN0eCwgU0NNUF9BQ1RfRVJSTk8gKEVBQ0NFUyksIFNDTVBfU1lTKG9wZW4p LCAxLAorCSAgICAgICAgICAgICAgICAgICAgICBTQ01QX0NNUCgxLCBTQ01QX0NNUF9NQVNLRURf RVEsIE9fUkRXUiwgT19SRFdSKSkgPCAwKQorCQlnb3RvIG91dDsKKworI2lmIDAKKwkvKiBUaGlz IGlzIGNyYXp5IHNoaXQsIGdzdHJlYW1lciBvYnZpb3VzbHkgdXNlcyBpdCAqLworCUFMTE9XX1JV TEUgKHNvY2tldCk7CisJQUxMT1dfUlVMRSAoY29ubmVjdCk7CisJQUxMT1dfUlVMRSAoc2VuZG1z Zyk7CisJQUxMT1dfUlVMRSAocmVjdm1zZyk7CisJQUxMT1dfUlVMRSAocmVjdmZyb20pOworCUFM TE9XX1JVTEUgKHNvY2tldHBhaXIpOworCUFMTE9XX1JVTEUgKGdldHBlZXJuYW1lKTsKKwlBTExP V19SVUxFIChzaHV0ZG93bik7CisjZW5kaWYKKworCWdfZGVidWcgKCJMb2FkaW5nIHNlY2NvbXAg cnVsZXMuIik7CisKKwlpZiAoc2VjY29tcF9sb2FkIChjdHgpID49IDApCisJCXJldHVybiBUUlVF OworCitvdXQ6CisJZ19jcml0aWNhbCAoIkZhaWxlZCB0byBsb2FkIHNlY2NvbXAgcnVsZXMuIik7 CisJc2VjY29tcF9yZWxlYXNlIChjdHgpOworCXJldHVybiBGQUxTRTsKK30KKworI2Vsc2UgLyog SEFWRV9MSUJTRUNDT01QICovCisKK2dib29sZWFuCit0cmFja2VyX3NlY2NvbXBfaW5pdCAodm9p ZCkKK3sKKwlnX3dhcm5pbmcgKCJObyBzZWNjb21wIHN1cHBvcnQgY29tcGlsZWQtaW4uIik7CisJ cmV0dXJuIFRSVUU7Cit9CisKKyNlbmRpZiAvKiBIQVZFX0xJQlNFQ0NPTVAgKi8KZGlmZiAtLWdp dCBhL3NyYy9saWJ0cmFja2VyLWNvbW1vbi90cmFja2VyLXNlY2NvbXAuaCBiL3NyYy9saWJ0cmFj a2VyLWNvbW1vbi90cmFja2VyLXNlY2NvbXAuaApuZXcgZmlsZSBtb2RlIDEwMDY0NAppbmRleCAw MDAwMDAwLi4wZTAzMzMwCi0tLSAvZGV2L251bGwKKysrIGIvc3JjL2xpYnRyYWNrZXItY29tbW9u L3RyYWNrZXItc2VjY29tcC5oCkBAIC0wLDAgKzEsMzUgQEAKKy8qCisgKiBDb3B5cmlnaHQgKEMp IDIwMTYsIFJlZCBIYXQgSW5jLgorICoKKyAqIFRoaXMgbGlicmFyeSBpcyBmcmVlIHNvZnR3YXJl OyB5b3UgY2FuIHJlZGlzdHJpYnV0ZSBpdCBhbmQvb3IKKyAqIG1vZGlmeSBpdCB1bmRlciB0aGUg dGVybXMgb2YgdGhlIEdOVSBMZXNzZXIgR2VuZXJhbCBQdWJsaWMKKyAqIExpY2Vuc2UgYXMgcHVi bGlzaGVkIGJ5IHRoZSBGcmVlIFNvZnR3YXJlIEZvdW5kYXRpb247IGVpdGhlcgorICogdmVyc2lv biAyLjEgb2YgdGhlIExpY2Vuc2UsIG9yIChhdCB5b3VyIG9wdGlvbikgYW55IGxhdGVyIHZlcnNp b24uCisgKgorICogVGhpcyBsaWJyYXJ5IGlzIGRpc3RyaWJ1dGVkIGluIHRoZSBob3BlIHRoYXQg aXQgd2lsbCBiZSB1c2VmdWwsCisgKiBidXQgV0lUSE9VVCBBTlkgV0FSUkFOVFk7IHdpdGhvdXQg ZXZlbiB0aGUgaW1wbGllZCB3YXJyYW50eSBvZgorICogTUVSQ0hBTlRBQklMSVRZIG9yIEZJVE5F U1MgRk9SIEEgUEFSVElDVUxBUiBQVVJQT1NFLiAgU2VlIHRoZSBHTlUKKyAqIExlc3NlciBHZW5l cmFsIFB1YmxpYyBMaWNlbnNlIGZvciBtb3JlIGRldGFpbHMuCisgKgorICogWW91IHNob3VsZCBo YXZlIHJlY2VpdmVkIGEgY29weSBvZiB0aGUgR05VIExlc3NlciBHZW5lcmFsIFB1YmxpYworICog TGljZW5zZSBhbG9uZyB3aXRoIHRoaXMgbGlicmFyeTsgaWYgbm90LCB3cml0ZSB0byB0aGUKKyAq IEZyZWUgU29mdHdhcmUgRm91bmRhdGlvbiwgSW5jLiwgNTEgRnJhbmtsaW4gU3RyZWV0LCBGaWZ0 aCBGbG9vciwKKyAqIEJvc3RvbiwgTUEgIDAyMTEwLTEzMDEsIFVTQS4KKyAqLworCisjaWZuZGVm IF9fVFJBQ0tFUl9TRUNDT01QX0hfXworI2RlZmluZSBfX1RSQUNLRVJfU0VDQ09NUF9IX18KKwor I2luY2x1ZGUgPGdsaWIuaD4KKworR19CRUdJTl9ERUNMUworCisjaWYgIWRlZmluZWQgKF9fTElC VFJBQ0tFUl9DT01NT05fSU5TSURFX18pICYmICFkZWZpbmVkIChUUkFDS0VSX0NPTVBJTEFUSU9O KQorI2Vycm9yICJvbmx5IDxsaWJ0cmFja2VyLWNvbW1vbi90cmFja2VyLWNvbW1vbi5oPiBtdXN0 IGJlIGluY2x1ZGVkIGRpcmVjdGx5LiIKKyNlbmRpZgorCitnYm9vbGVhbiB0cmFja2VyX3NlY2Nv bXBfaW5pdCAodm9pZCk7CisKK0dfRU5EX0RFQ0xTCisKKyNlbmRpZiAvKiBfX1RSQUNLRVJfU0VD Q09NUF9IX18gKi8KLS0gCjIuOS4z committed 341492 2016-12-06 16:20:00 +0000 2016-12-08 13:55:42 +0000 tracker-extract: Sandbox extractor threads through seccomp tracker-extract-Sandbox-extractor-threads-through-.patch text/plain 972 carlosg RnJvbSAwZThhYzI4MWI2NDkwYTk2ODUxMTNjOGQ2YTViNzUyNWQzMTNmY2FiIE1vbiBTZXAgMTcg MDA6MDA6MDAgMjAwMQpGcm9tOiBDYXJsb3MgR2FybmFjaG8gPGNhcmxvc2dAZ25vbWUub3JnPgpE YXRlOiBUdWUsIDYgRGVjIDIwMTYgMTc6MDg6MDkgKzAxMDAKU3ViamVjdDogW1BBVENIXSB0cmFj a2VyLWV4dHJhY3Q6IFNhbmRib3ggZXh0cmFjdG9yIHRocmVhZHMgdGhyb3VnaCBzZWNjb21wCgpU aG9zZSBkZWFsIHdpdGggcGx1Z2lucyBhbmQgcG90ZW50aWFsbHkgbWFsaWNpb3VzIGNvbnRlbnQs IG1ha2UgaXQKc3VyZSB0aGF0IGFueSBwb3RlbnRpYWwgZXhwbG9pdCBpcyBkZXByaXZlZCBvZiBh bGwgdG9vbHMgdGhhdCBjb3VsZAptYWtlIGl0IGhhcm1mdWwuCgpodHRwczovL2J1Z3ppbGxhLmdu b21lLm9yZy9zaG93X2J1Zy5jZ2k/aWQ9NzY0Nzg2Ci0tLQogc3JjL3RyYWNrZXItZXh0cmFjdC90 cmFja2VyLWV4dHJhY3QuYyB8IDMgKysrCiAxIGZpbGUgY2hhbmdlZCwgMyBpbnNlcnRpb25zKCsp CgpkaWZmIC0tZ2l0IGEvc3JjL3RyYWNrZXItZXh0cmFjdC90cmFja2VyLWV4dHJhY3QuYyBiL3Ny Yy90cmFja2VyLWV4dHJhY3QvdHJhY2tlci1leHRyYWN0LmMKaW5kZXggZmVlNmM3Zi4uYWQzMTQ4 ZCAxMDA2NDQKLS0tIGEvc3JjL3RyYWNrZXItZXh0cmFjdC90cmFja2VyLWV4dHJhY3QuYworKysg Yi9zcmMvdHJhY2tlci1leHRyYWN0L3RyYWNrZXItZXh0cmFjdC5jCkBAIC01MjQsNiArNTI0LDkg QEAgZ2V0X21ldGFkYXRhIChUcmFja2VyRXh0cmFjdFRhc2sgKnRhc2spCiBzdGF0aWMgZ3BvaW50 ZXIKIHNpbmdsZV90aHJlYWRfZ2V0X21ldGFkYXRhIChHQXN5bmNRdWV1ZSAqcXVldWUpCiB7CisJ aWYgKCF0cmFja2VyX3NlY2NvbXBfaW5pdCAoKSkKKwkJZ19hc3NlcnRfbm90X3JlYWNoZWQgKCk7 CisKIAl3aGlsZSAoVFJVRSkgewogCQlUcmFja2VyRXh0cmFjdFRhc2sgKnRhc2s7CiAKLS0gCjIu OS4z committed