From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from atuin.qyliss.net (localhost [IPv6:::1]) by atuin.qyliss.net (Postfix) with ESMTP id 74F262013A; Sat, 29 Nov 2025 20:10:48 +0000 (UTC) Received: by atuin.qyliss.net (Postfix, from userid 993) id 7BE8F20134; Sat, 29 Nov 2025 20:10:46 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on atuin.qyliss.net X-Spam-Level: X-Spam-Status: No, score=-0.1 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DMARC_PASS,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=4.0.1 Received: from mail-yw1-x1134.google.com (mail-yw1-x1134.google.com [IPv6:2607:f8b0:4864:20::1134]) by atuin.qyliss.net (Postfix) with ESMTPS id 5B4E920187 for ; Sat, 29 Nov 2025 20:10:45 +0000 (UTC) Received: by mail-yw1-x1134.google.com with SMTP id 00721157ae682-787ff3f462bso37617677b3.0 for ; Sat, 29 Nov 2025 12:10:44 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1764447042; x=1765051842; darn=spectrum-os.org; h=in-reply-to:autocrypt:from:content-language:references:cc:to :subject:user-agent:mime-version:date:message-id:from:to:cc:subject :date:message-id:reply-to; bh=BG8X/+ho22diKzvFTYT+3rAouOr9KPtliUPJa7PXvnk=; b=Gz7l3s+prN9KmUEcox8J9I+t5yQSKp/e26M6YhJ7KoxF4RoHt6y6M7xi5WF8ZU58W3 rCDThCWYoX0jh2c1niF1q9uhUukbgey4ehznt9sqJwxzqAYIqpeDCGzf+ufVsQ3fDoG1 gDHsrGpPJRfrw32RWXTYmBAP5QTtoXmmSvxYr+lC6CWproYy8Kz8xk1+u3ILKhHdvGhc cNwHMuGLb5V6vbroYRCT5tjuKsFYlhDvxgOiVkeyxY+fBPFvv05Zz8NGuU3xIJdVZfYI G4BQBgZgKH2VEMjGfwTG8QIzMckuP/Cqt9dwNBdjFZW5BXPVh4XzEgH3qaDF0kjc9Vho ZINA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1764447042; x=1765051842; h=in-reply-to:autocrypt:from:content-language:references:cc:to :subject:user-agent:mime-version:date:message-id:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=BG8X/+ho22diKzvFTYT+3rAouOr9KPtliUPJa7PXvnk=; b=H4U8sOUDSh1ml0ARkrksNssunsjVNhTEwWcpof6ceryboKVbf+SUl0mJb2NanOEbvL YbxwPd0p4ekw/hGiwt4j+DZQEhI39/dBBEPLMf2xPoZw1DOwHBE5vIoMIeXM+/pbHtGH XKn8vdAFO0oyt3Wu6lDEZqSa0AkbaGf2RN8KXcTdCZ6zShAUamRTBKnj+HChDw7TImLo GLFHQRwVHanuSrzG0hfBExnbzaY0SAoaSzI/DQT4eLdyP3W4p8g4k0Q/MQoVgLD/cfix pYnNbG8RD5l+zhgdObmH5phTkesgOEOB15uL1MfXgWxuKpgFzATnJv163UnLWXD00793 jOlg== X-Gm-Message-State: AOJu0YzFcJVzxn01miOFkS0qyWTWHqtz/B8iSzMB7KODGVGJCNPaTubj AniyUEVwHqwahA9qSsuQyC+J7EQ8mbIXxKhZF/TcPsEI3Y+vJczvpzQA X-Gm-Gg: ASbGncuW498B6zOPMRpQaXk6j+mihEhd1IH0cxnVKbRl6qcvP3N4GB7fkQYzmodXpr0 MotJMum4rezm2JbkOI8Ic+M0NMXuzHSNzOxwodp1msJLyDleuhdjpsymgPlQTdbaxKTlM9aaSru fczDDXtN9aIX9j7sbwWQZedSFAJ21VM4+vMTFw3E2kBOOwRnasLm7LQ+1fadLFjxUfddSi6AewZ S7WOTC1rA2MTXgtk/rpqk9asp1/15s4ezvfcW5BDGQjYv91sQO5ny4qy1oVvSuZlU87DvtH2Eme KnYa27VdaR1q4WJ0k00OhK8q+uAVLF64fJYqcozk4K8UuXsLTvHHGJkLM0ktKc8krmx7IbK4tKz bjFSRh8Z9TBQEbbu/ImCjMJIS6pHTncUWYRDktmE23uFl7eO1AJrnLnLQZyh8k4Ya9ax04Rb+8z GqXHtRR1l1GgGQxPPEZG9FJ57C/syiEwlQ4yuR230nKyz2yWyhkXxpWS5Xu7r2K7Uu7P65BEYYY Bo+MQdgtWSfMn2uGY9rB/6vniw= X-Google-Smtp-Source: AGHT+IFlyxndeNKt9mmFsV7YfIuEnCGeO15Recmta/Fj/XZRxJYO1e6aviGZKqy4R0O0XmvK4QiUog== X-Received: by 2002:a05:690e:4143:b0:63f:b87a:8370 with SMTP id 956f58d0204a3-64302592ab3mr20761822d50.7.1764447041295; Sat, 29 Nov 2025 12:10:41 -0800 (PST) Received: from [10.138.34.110] (h96-60-249-169.cncrtn.broadband.dynamic.tds.net. [96.60.249.169]) by smtp.gmail.com with ESMTPSA id 956f58d0204a3-6433c078297sm2843896d50.9.2025.11.29.12.10.40 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 29 Nov 2025 12:10:40 -0800 (PST) Message-ID: <03b28aa9-c2fe-49d1-8f76-83240d85ae20@gmail.com> Date: Sat, 29 Nov 2025 15:10:35 -0500 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH v3 1/3] tools/mount-flatpak: init To: Alyssa Ross References: <20251127202311.42422-2-hi@alyssa.is> <01179fd8-ca6a-43f8-b61d-447d507dd5a6@gmail.com> <874iqcekad.fsf@alyssa.is> Content-Language: en-US From: Demi Marie Obenour Autocrypt: addr=demiobenour@gmail.com; keydata= xsFNBFp+A0oBEADffj6anl9/BHhUSxGTICeVl2tob7hPDdhHNgPR4C8xlYt5q49yB+l2nipd aq+4Gk6FZfqC825TKl7eRpUjMriwle4r3R0ydSIGcy4M6eb0IcxmuPYfbWpr/si88QKgyGSV Z7GeNW1UnzTdhYHuFlk8dBSmB1fzhEYEk0RcJqg4AKoq6/3/UorR+FaSuVwT7rqzGrTlscnT DlPWgRzrQ3jssesI7sZLm82E3pJSgaUoCdCOlL7MMPCJwI8JpPlBedRpe9tfVyfu3euTPLPx wcV3L/cfWPGSL4PofBtB8NUU6QwYiQ9Hzx4xOyn67zW73/G0Q2vPPRst8LBDqlxLjbtx/WLR 6h3nBc3eyuZ+q62HS1pJ5EvUT1vjyJ1ySrqtUXWQ4XlZyoEFUfpJxJoN0A9HCxmHGVckzTRl 5FMWo8TCniHynNXsBtDQbabt7aNEOaAJdE7to0AH3T/Bvwzcp0ZJtBk0EM6YeMLtotUut7h2 Bkg1b//r6bTBswMBXVJ5H44Qf0+eKeUg7whSC9qpYOzzrm7+0r9F5u3qF8ZTx55TJc2g656C 9a1P1MYVysLvkLvS4H+crmxA/i08Tc1h+x9RRvqba4lSzZ6/Tmt60DPM5Sc4R0nSm9BBff0N m0bSNRS8InXdO1Aq3362QKX2NOwcL5YaStwODNyZUqF7izjK4QARAQABzTxEZW1pIE1hcmll IE9iZW5vdXIgKGxvdmVyIG9mIGNvZGluZykgPGRlbWlvYmVub3VyQGdtYWlsLmNvbT7CwXgE EwECACIFAlp+A0oCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJELKItV//nCLBhr8Q AK/xrb4wyi71xII2hkFBpT59ObLN+32FQT7R3lbZRjVFjc6yMUjOb1H/hJVxx+yo5gsSj5LS 9AwggioUSrcUKldfA/PKKai2mzTlUDxTcF3vKx6iMXKA6AqwAw4B57ZEJoMM6egm57TV19kz PMc879NV2nc6+elaKl+/kbVeD3qvBuEwsTe2Do3HAAdrfUG/j9erwIk6gha/Hp9yZlCnPTX+ VK+xifQqt8RtMqS5R/S8z0msJMI/ajNU03kFjOpqrYziv6OZLJ5cuKb3bZU5aoaRQRDzkFIR 6aqtFLTohTo20QywXwRa39uFaOT/0YMpNyel0kdOszFOykTEGI2u+kja35g9TkH90kkBTG+a EWttIht0Hy6YFmwjcAxisSakBuHnHuMSOiyRQLu43ej2+mDWgItLZ48Mu0C3IG1seeQDjEYP tqvyZ6bGkf2Vj+L6wLoLLIhRZxQOedqArIk/Sb2SzQYuxN44IDRt+3ZcDqsPppoKcxSyd1Ny 2tpvjYJXlfKmOYLhTWs8nwlAlSHX/c/jz/ywwf7eSvGknToo1Y0VpRtoxMaKW1nvH0OeCSVJ itfRP7YbiRVc2aNqWPCSgtqHAuVraBRbAFLKh9d2rKFB3BmynTUpc1BQLJP8+D5oNyb8Ts4x Xd3iV/uD8JLGJfYZIR7oGWFLP4uZ3tkneDfYzsFNBFp+A0oBEAC9ynZI9LU+uJkMeEJeJyQ/ 8VFkCJQPQZEsIGzOTlPnwvVna0AS86n2Z+rK7R/usYs5iJCZ55/JISWd8xD57ue0eB47bcJv VqGlObI2DEG8TwaW0O0duRhDgzMEL4t1KdRAepIESBEA/iPpI4gfUbVEIEQuqdqQyO4GAe+M kD0Hy5JH/0qgFmbaSegNTdQg5iqYjRZ3ttiswalql1/iSyv1WYeC1OAs+2BLOAT2NEggSiVO txEfgewsQtCWi8H1SoirakIfo45Hz0tk/Ad9ZWh2PvOGt97Ka85o4TLJxgJJqGEnqcFUZnJJ riwoaRIS8N2C8/nEM53jb1sH0gYddMU3QxY7dYNLIUrRKQeNkF30dK7V6JRH7pleRlf+wQcN fRAIUrNlatj9TxwivQrKnC9aIFFHEy/0mAgtrQShcMRmMgVlRoOA5B8RTulRLCmkafvwuhs6 dCxN0GNAORIVVFxjx9Vn7OqYPgwiofZ6SbEl0hgPyWBQvE85klFLZLoj7p+joDY1XNQztmfA rnJ9x+YV4igjWImINAZSlmEcYtd+xy3Li/8oeYDAqrsnrOjb+WvGhCykJk4urBog2LNtcyCj kTs7F+WeXGUo0NDhbd3Z6AyFfqeF7uJ3D5hlpX2nI9no/ugPrrTVoVZAgrrnNz0iZG2DVx46 x913pVKHl5mlYQARAQABwsFfBBgBAgAJBQJafgNKAhsMAAoJELKItV//nCLBwNIP/AiIHE8b oIqReFQyaMzxq6lE4YZCZNj65B/nkDOvodSiwfwjjVVE2V3iEzxMHbgyTCGA67+Bo/d5aQGj gn0TPtsGzelyQHipaUzEyrsceUGWYoKXYyVWKEfyh0cDfnd9diAm3VeNqchtcMpoehETH8fr RHnJdBcjf112PzQSdKC6kqU0Q196c4Vp5HDOQfNiDnTf7gZSj0BraHOByy9LEDCLhQiCmr+2 E0rW4tBtDAn2HkT9uf32ZGqJCn1O+2uVfFhGu6vPE5qkqrbSE8TG+03H8ecU2q50zgHWPdHM OBvy3EhzfAh2VmOSTcRK+tSUe/u3wdLRDPwv/DTzGI36Kgky9MsDC5gpIwNbOJP2G/q1wT1o Gkw4IXfWv2ufWiXqJ+k7HEi2N1sree7Dy9KBCqb+ca1vFhYPDJfhP75I/VnzHVssZ/rYZ9+5 1yDoUABoNdJNSGUYl+Yh9Pw9pE3Kt4EFzUlFZWbE4xKL/NPno+z4J9aWemLLszcYz/u3XnbO vUSQHSrmfOzX3cV4yfmjM5lewgSstoxGyTx2M8enslgdXhPthZlDnTnOT+C+OTsh8+m5tos8 HQjaPM01MKBiAqdPgksm1wu2DrrwUi6ChRVTUBcj6+/9IJ81H2P2gJk3Ls3AVIxIffLoY34E +MYSfkEjBz0E8CLOcAw7JIwAaeBT In-Reply-To: <874iqcekad.fsf@alyssa.is> Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="------------qvnbIcshH6khzxDcrZ9D9HuQ" Message-ID-Hash: UEUIJ7ZKX3DOKRK4IJN7HBBIS22BZXH7 X-Message-ID-Hash: UEUIJ7ZKX3DOKRK4IJN7HBBIS22BZXH7 X-MailFrom: demiobenour@gmail.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-devel.spectrum-os.org-0; header-match-devel.spectrum-os.org-1; header-match-devel.spectrum-os.org-2; header-match-devel.spectrum-os.org-3; header-match-devel.spectrum-os.org-4; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: devel@spectrum-os.org X-Mailman-Version: 3.3.9 Precedence: list List-Id: Patches and low-level development discussion Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --------------qvnbIcshH6khzxDcrZ9D9HuQ Content-Type: multipart/mixed; boundary="------------ayT4hoe5R3XMKYXytcXrR5me"; protected-headers="v1" From: Demi Marie Obenour To: Alyssa Ross Cc: devel@spectrum-os.org Message-ID: <03b28aa9-c2fe-49d1-8f76-83240d85ae20@gmail.com> Subject: Re: [PATCH v3 1/3] tools/mount-flatpak: init References: <20251127202311.42422-2-hi@alyssa.is> <01179fd8-ca6a-43f8-b61d-447d507dd5a6@gmail.com> <874iqcekad.fsf@alyssa.is> In-Reply-To: <874iqcekad.fsf@alyssa.is> Autocrypt-Gossip: addr=hi@alyssa.is; keydata= xsFNBFpSgoYBEAC4xkCYidG2JlRWulUkTWcx0pHFDf3oSbb6Q872Kb3iDChWgluNVz43hva1 3xfDo9foV0GoyfGl/ycSCkXX5hlQr7ir/5FN38E7H/yY6tH8+l68iDgIOcb1qY0OYaxyg+Lz WesfFQedrmwNTbF4L1BtWzrTR5PflDdhDo5VWSguHGJFSclchcr/6UmMb/gOUN+2ElBC2TE2 EKY099phZ6DJZ2aZCsclwKIdCpZzXlEmXPAeaH5om6xo90JYv5+sFji40R0Plqec3WC+jTxy lGca6IbPdOminuUF+GvsR86eVsgh/0XNK7/zus7gyc4PuMUA1rCoeHcWOBDPgmelgCQyJGXd /bXeKuUsGoge58uc7/YNvOh1vfpD3AaEMqAyXfmmUwBnIicml74+2eOpH3Oljfs01g+DhkOB MtpVSZSgaIDvP0WG6cbAxImoUasnmNxEDNskfVmI8bsajPW9bt4z5hiP5Q9G3vE0D5HcIFdM adOz81PpOwNiUXcjtYV1PWZQ56jbSTOf8EBvsB71WwB+XgVWcPzIlY8hAykiHIO87oV3o71U JTAn1Foj7mjSADnY0deleOmar/K5jrK3wvKKM1XlB7PXcGBdkorJC+cbxVsw0ADzMw0c7bVc wEE7OFvHjQiIK1lO+lb1cvGBBY3IZxjsjZdA/VsFHFdAeYlzNQARAQABzRpBbHlzc2EgUm9z cyA8aGlAYWx5c3NhLmlzPsLBlwQTAQgAQQIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAIZ ARYhBHVzVtd5u7iIdz5BXnNszfnvUb2XBQJpALHXBQkPJNZRAAoJEHNszfnvUb2X2jEP/AqQ aafKiC7ormevgoCH4QinAKJoXAqiwOIdRK55HOvyhGWjnlzqoK4JTUFVRMR4Vat/APlkjOUk LPXKk+DCn4loFyl7BCLvsk4Xwy7WmXyfSPqjdik8/cjTv/Q4AHTYTpnx7GMC5eTS7ULmUvcf mD/JRr7NM2273Z7dkL3gOeZdnXYOQaGAIIox91qCtmnQhn+V7s3uxvcRl8I2/Qnn3S2veV03 LXSugAXSTdKRa7LBrcSm9TtC/D3qY9kStHiaiB/eAJsOQ0l5yRfax5INorE2DQgBKjbiBcnQ mTX7Rl9LW+U0ibHmKOFG8Zs+zKlmItek49cmqoGOv66RAY6dGUOHoEQgP0EUDJ8xGwActToC lOGZrzcXfrfx0CYlgqYE1VEWgSmtbTW1DBXiZIPKUMLJGhgaIHSKEjYujHd+vGytAMGKQsVQ OwgOMHYWyzAIB/Y6hZGNK8y5fxr468zX876mDdXhYo4dKA7UEOeQOlAIGobTXDRFEC7B/UAj qYbP+qmnyUohCy/Pf04cF0ucpWW2Z00sBL83lauhyQHiLze5OznvOeEkEeXQ6DsJOY0dmrsi 0NJZ1QoyYewXOPmPBNc7IesY1MjrpAnHgeAt1rgEPwTkt4NrRASsPe5JowJcc7CpIdR8eOrG hrw+bEMyoyjk7fN6Hs6MK+hVihMNhUwMzjgEZyd/yxIKKwYBBAGXVQEFAQEHQCVxoiHOlsEo NDKGCbxg4nL3E1CV0MRQCU1hPowd77h3AwEIB8LBfAQYAQoAJgIbDBYhBHVzVtd5u7iIdz5B XnNszfnvUb2XBQJpALHQBQkCT9j5AAoJEHNszfnvUb2XhSMP/0gStw42LjpjVLh+0HKWafs3 T9NJxtefYRbyu4wkkO0dss2pkl9gekZnvgktD0SzIe8AiMszs1rUWMG8zPXVWdMi7tSNm/IR WPa0XZDIoDwJY4T342nCvHeDsfoJnGg8o0nreI2djwO8sc9aeSevm60MQ9AouFBpS6Qw7f/Z LalXH4aWCCtvAO1o95lQXEoH4Lg4qnS6GxYMYi1u3IzrYdUu0By/Ccc5+AOOICgbJnpOoYQI bVDbdjMkj18JxxmpN5amOkPdiDndpzWkWm+oNhGUITYp6EuP1esRb35MgOmFGouvt5UdKpEl Egs2y5h9oR+kiiu9DhrC0UFL2CQ/HdiukCAxADKX3RE9m+mprSbvw7CsYmXUTH6WzPpvxpGx wQq7m2O7uy85u0HyVYkiWQiAfwCbEr1vrFU7gscBW+FcrLIODauovA9eZgA4d+cHRXfzsdKW u/QuVHsABh78LLIq008GcqJChSe4KHrJ5PUjkLnyp/Sshrmuyoy+DwqYky0KK4NtkaWa2o0B TFp+Kk2VCxWA8i/azPvTMzXOWNwqogISp5SwljiEx0hkyf0HvSb3gHfuGbZ+eGfWB+qy2pTD x/YriV5EfqkP+4+1cqXjasrQxyZUW0ULRke0j92Cgt+J722PIcOAb8vdSGF4AXczO+KMtNn9 wGxvGU7TX5ou --------------ayT4hoe5R3XMKYXytcXrR5me Content-Type: multipart/mixed; boundary="------------winQQEalPuSCsZ0UUkGnFCpJ" --------------winQQEalPuSCsZ0UUkGnFCpJ Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On 11/29/25 14:00, Alyssa Ross wrote: > Demi Marie Obenour writes: >=20 >> On 11/27/25 15:23, Alyssa Ross wrote: >>> diff --git a/tools/mount-flatpak/src/main.rs b/tools/mount-flatpak/sr= c/main.rs >>> new file mode 100644 >>> index 0000000..fd2f74f >>> --- /dev/null >>> +++ b/tools/mount-flatpak/src/main.rs >>> @@ -0,0 +1,252 @@ >>> +// SPDX-FileCopyrightText: 2025 Alyssa Ross >>> +// SPDX-License-Identifier: EUPL-1.2+ >>> + >>> +mod keyfile; >>> +mod metadata; >>> + >>> +use std::borrow::Cow; >>> +use std::env::{ArgsOs, args_os}; >>> +use std::ffi::OsStr; >>> +use std::io; >>> +use std::os::unix::prelude::*; >>> +use std::path::{Path, PathBuf}; >>> +use std::process::exit; >>> + >>> +use pathrs::Root; >>> +use pathrs::flags::{OpenFlags, ResolverFlags}; >>> +use rustix::fs::{CWD, FileType, fstat}; >>> +use rustix::mount::{MoveMountFlags, OpenTreeFlags, move_mount, open_= tree}; >>> + >>> +use metadata::extract_runtime; >>> + >>> +fn ex_usage() -> ! { >>> + eprintln!("Usage: mount-flatpak installation app"); >>> + exit(1); >>> +} >> >> Stale usage message. >=20 > Will fix. >=20 >>> +fn run(mut args: ArgsOs) -> Result<(), String> { >>> + let Some(user_data_path) =3D args.next().map(PathBuf::from) else= { >>> + ex_usage(); >>> + }; >> >> This should be an absolute path, as the working directory isn't one >> that the user should be caring about. >=20 > I don't see any reason to restrict the user like that. The advantage is better error messages. A relative path will result in a confusing "does not exist" error at best. Definitely should not block committing this. >>> + let Some(installation_path) =3D args.next().map(PathBuf::from) e= lse { >>> + ex_usage(); >>> + }; >>> + let Some(app) =3D args.next() else { >>> + ex_usage(); >>> + }; >> >> I recommend checking that 'app' is not empty, '.' or '..' and does >> not contain '/'. >=20 > I think this is a sign we really need to be using the flatpak > installation as a root. We need to be protecting *systematically* > against escapes from the flatpak directory to elsewhere on the user dat= a > partition, because that's where all the interesting data is. I 100% agree with this. > This comment[1] gives me the impression that it we should be okay > opening a root for the user data partition, resolving the installation > path inside the user partition, and creating a new root from that, to b= e > used for everything within it. >=20 > (We don't need to go any more granular than that, because it never make= s > sense for individual subdirectories of the Flatpak repository to be > specifically writable by a VM, I think. So we assume that whatever > writes the Flatpak repository already has access to the whole > repository, and is not interested in tricking the host to do things to > it that it could have just directly done itself.) >=20 > [1]: https://github.com/cyphar/libpathrs/issues/26#issuecomment-5863826= 81 Fair. >>> + let target_installation_dir =3D open_tree( >>> + CWD, >>> + "flatpak", >>> + OpenTreeFlags::OPEN_TREE_CLONE >>> + | OpenTreeFlags::OPEN_TREE_CLOEXEC >>> + | OpenTreeFlags::AT_RECURSIVE, >> >> Missing AT_SYMLINK_NOFOLLOW unless it is is implied. >=20 > We rely on nothing malicious being able to mess with the target > directory while we're running, and we do not create flatpak as a > symlink. Still good practice anyway, but not a blocker. >>> + ) >>> + .map_err(|e| format!("opening target flatpak installation: {e}")= )?; >>> + let mut target_installation_dir =3D Root::from_fd(target_install= ation_dir); >>> + target_installation_dir.set_resolver_flags(ResolverFlags::NO_SYM= LINKS); >> >> Is NO_XDEV implied? It's not supported in the API but it would be >> useful to check. >=20 > It is not implied, but there's no way to set it either. That is a little bit annoying, but not a blocker. >>> + let mut full_app_path =3D installation_path.join("app"); >>> + full_app_path.push(&app); >>> + full_app_path.push("current"); >>> + let arch_and_branch =3D source_installation_dir >>> + .readlink(&full_app_path) >>> + .map_err(|e| format!("reading current app arch and branch: {= e}"))?; >> >> This is somewhat hard to understand. I recommend a big comment at >> the start of the file explaining the structure of the source directory= , which is: >> >> VM's directory/ >> Installation root/ >> app/ >> App ID/ >> current -> arch/branch >> arch/ >> branch/ >> active -> actual commit hash (64 bytes lowercase hex= ) >> commit hash >> metadata (contains runtime info) >> runtime/ >> Runtime ID/ >> arch/ >> branch/ >> active -> actual commit hash (64 bytes lowercase hex= ) >> commit hash >> >> As well as that of the target directory, which I'm not sure about. >=20 > I can do that. >=20 > (The target directory is just an installation with a single app and > single runtime installed.) Thank you! >>> + let mut components =3D arch_and_branch.components(); >>> + let arch =3D components.next().unwrap().as_os_str(); >>> + let branch =3D components.as_path().as_os_str(); >>> + if branch.is_empty() { >>> + return Err("can't infer branch from \"current\" link".to_str= ing()); >>> + } >>> + >>> + full_app_path.pop(); >>> + full_app_path.push(&arch_and_branch); >>> + full_app_path.push("active"); >>> + let commit =3D source_installation_dir >>> + .readlink(&full_app_path) >>> + .map_err(|e| format!("reading active app commit: {e}"))? >>> + .into_os_string(); >>> + >>> + full_app_path.pop(); >>> + full_app_path.push(&commit); >>> + let source_app_dir =3D source_installation_dir >>> + .resolve(&full_app_path) >>> + .map_err(|e| format!("opening source app directory: {e}"))?;= >>> + >>> + let metadata =3D source_installation_dir >>> + .resolve(full_app_path.join("metadata")) >>> + .map_err(|e| format!("resolving app metadata: {e}"))?; >>> + >>> + let metadata_stat =3D >>> + fstat(&metadata).map_err(|e| format!("checking app metadata = is a regular file: {e}"))?; >>> + let metadata_type =3D FileType::from_raw_mode(metadata_stat.st_m= ode); >>> + if !metadata_type.is_file() { >>> + let e =3D format!("type of app metadata is {metadata_type:?}= , not RegularFile"); >>> + return Err(e); >>> + } >>> + let metadata =3D metadata >>> + .reopen(OpenFlags::O_RDONLY) >>> + .map_err(|e| format!("opening app metadata: {e}"))?; >>> + >>> + let runtime =3D >>> + extract_runtime(metadata).map_err(|e| format!("reading runti= me from metadata: {e}"))?; >>> + >>> + let mut full_runtime_path =3D installation_path.join("runtime");= >>> + full_runtime_path.push(runtime); >>> + full_runtime_path.push("active"); >>> + let runtime_commit =3D source_installation_dir >>> + .readlink(&full_runtime_path) >>> + .map_err(|e| format!("reading active runtime commit: {e}"))?= >>> + .into_os_string(); >>> + >>> + full_runtime_path.pop(); >>> + full_runtime_path.push(&runtime_commit); >>> + let source_runtime_dir =3D source_installation_dir >>> + .resolve(&full_runtime_path) >>> + .map_err(|e| format!("opening source runtime directory: {e}"= ))?; >>> + >>> + let target_app_dir =3D target_installation_dir >>> + .mkdir_all(&full_app_path, &PermissionsExt::from_mode(0o700)= ) >>> + .map_err(|e| format!("creating target app directory: {e}"))?= ; >>> + let target_runtime_dir =3D target_installation_dir >>> + .mkdir_all(&full_runtime_path, &PermissionsExt::from_mode(0o= 700)) >>> + .map_err(|e| format!("creating target runtime directory: {e}= "))?; >>> + >>> + let source_app_tree =3D open_tree( >>> + &source_app_dir, >>> + "", >>> + OpenTreeFlags::AT_EMPTY_PATH >>> + | OpenTreeFlags::OPEN_TREE_CLONE >>> + | OpenTreeFlags::OPEN_TREE_CLOEXEC >>> + | OpenTreeFlags::AT_RECURSIVE, >>> + ) >>> + .map_err(|e| format!("cloning source app tree: {e}"))?; >>> + let source_runtime_tree =3D open_tree( >>> + &source_runtime_dir, >>> + "", >>> + OpenTreeFlags::AT_EMPTY_PATH >>> + | OpenTreeFlags::OPEN_TREE_CLONE >>> + | OpenTreeFlags::OPEN_TREE_CLOEXEC >>> + | OpenTreeFlags::AT_RECURSIVE, >>> + ) >>> + .map_err(|e| format!("cloning source runtime tree: {e}"))?; >>> + >>> + move_mount( >>> + source_app_tree, >>> + "", >>> + target_app_dir, >>> + "", >>> + MoveMountFlags::MOVE_MOUNT_F_EMPTY_PATH | MoveMountFlags::MO= VE_MOUNT_T_EMPTY_PATH, >>> + ) >>> + .map_err(|e| format!("mounting app directory: {e}"))?; >>> + move_mount( >>> + source_runtime_tree, >>> + "", >>> + target_runtime_dir, >>> + "", >>> + MoveMountFlags::MOVE_MOUNT_F_EMPTY_PATH | MoveMountFlags::MO= VE_MOUNT_T_EMPTY_PATH, >>> + ) >>> + .map_err(|e| format!("mounting runtime directory: {e}"))?; >>> + >>> + target_installation_dir >>> + .mkdir_all("repo/objects", &PermissionsExt::from_mode(0o700)= ) >>> + .map_err(|e| format!("creating repo/objects: {e}"))?; >>> + target_installation_dir >>> + .mkdir_all("repo/tmp/cache", &PermissionsExt::from_mode(0o70= 0)) >>> + .map_err(|e| format!("creating repo/tmp/cache: {e}"))?; >>> + let config_target =3D target_installation_dir >>> + .create_file( >>> + "repo/config", >>> + OpenFlags::O_WRONLY | OpenFlags::O_CLOEXEC, >>> + &PermissionsExt::from_mode(0o700), >>> + ) >>> + .map_err(|e| format!("creating repo/config: {e}"))?; >>> + let config_source_path =3D env!("MOUNT_FLATPAK_CONFIG_PATH"); >> >> This should always be an absolute path, and it might be good to assert= that. >=20 > str::contains is not const, so it's not possible to do this in the > obvious way, but it's also not critical to validate a compile-time > constant we know we're always setting correctly. Would consider a > patch. Ah, I forgot that this is a compile-time constant. >>> + let config_source =3D open_tree( >>> + CWD, >>> + config_source_path, >>> + OpenTreeFlags::OPEN_TREE_CLONE | OpenTreeFlags::OPEN_TREE_CL= OEXEC, >>> + ) >>> + .map_err(|e| format!("opening {config_source_path}: {e}"))?; >>> + move_mount( >>> + config_source, >>> + "", >>> + config_target, >>> + "", >>> + MoveMountFlags::MOVE_MOUNT_F_EMPTY_PATH | MoveMountFlags::MO= VE_MOUNT_T_EMPTY_PATH, >>> + ) >>> + .map_err(|e| format!("mounting config: {e}"))?; >>> + >>> + let mut attr =3D libc::mount_attr { >>> + attr_clr: libc::MOUNT_ATTR_NOSYMFOLLOW, >>> + attr_set: libc::MOUNT_ATTR_RDONLY | libc::MOUNT_ATTR_NODEV, >>> + propagation: 0, >>> + userns_fd: 0, >>> + }; >> >> Propagation should likely be set to MS_SLAVE. (Yeah, I know, >> terrible name.) attr_set should also include MOUNT_ATTR_NOEXEC as >> well as the host has no business executing anything there. >=20 > The host has no business executing anything at all from the whole user > data partition, so this is not the place to set that. There's no reaso= n > this mount _in particular_ needs the flag set that doesn't apply to the= > whole partition this mount's flags are inherited from. Good point, but I still think the propagation needs to be set to MS_SLAVE. Right now, mount flags are set manually by the user. >>> + let empty =3D b"\0"; >>> + // SAFETY: we pass a valid FD, and a valid mutable pointer with = the correct size. >>> + unsafe { >>> + let r =3D libc::syscall( >>> + libc::SYS_mount_setattr, >>> + target_installation_dir.as_fd(), >>> + empty.as_ptr() as *const libc::c_char, >>> + (libc::AT_EMPTY_PATH | libc::AT_RECURSIVE) as libc::c_ui= nt, >>> + &mut attr as *mut libc::mount_attr, >>> + size_of::() as libc::size_t, >>> + ); >> >> All of the non-pointer arguments need to be cast to libc::c_long or >> (equivalently and possibly better) core::ffi::c_long. >=20 > I wish this was better documented, but sounds right. Technically, the pointers should be cast too, but I'm more concerned about rustc assuming this means the data the pointers point to won't be accessed than about something that is guaranteed to work by the ABI. >>> diff --git a/tools/mount-flatpak/src/metadata.rs b/tools/mount-flatpa= k/src/metadata.rs >>> new file mode 100644 >>> index 0000000..dfc05b1 >>> --- /dev/null >>> +++ b/tools/mount-flatpak/src/metadata.rs >>> @@ -0,0 +1,19 @@ >>> +// SPDX-License-Identifier: EUPL-1.2+ >>> +// SPDX-FileCopyrightText: 2025 Alyssa Ross >>> + >>> +use std::fs::File; >>> +use std::io::read_to_string; >>> + >>> +use crate::keyfile::parse; >>> + >>> +pub fn extract_runtime(mut metadata: File) -> Result= { >>> + let metadata =3D read_to_string(&mut metadata).map_err(|e| e.to_= string())?; >> >> Missing limit on the size of the file to prevent unbounded memory allo= cation. >=20 > There are lots of ways to cause unbounded host memory allocation. > Modifying everything to limit size is not feasible. The only way to > prevent this is to run this stuff in a VM-scoped cgroup. It's easy to run the VM's services in a cgroup, but running commands like this in the cgroup is harder. Also, this command is much easier to make robust against problems like that. Should not block commit though. --=20 Sincerely, Demi Marie Obenour (she/her/hers) --------------winQQEalPuSCsZ0UUkGnFCpJ Content-Type: application/pgp-keys; name="OpenPGP_0xB288B55FFF9C22C1.asc" Content-Disposition: attachment; filename="OpenPGP_0xB288B55FFF9C22C1.asc" Content-Description: OpenPGP public key Content-Transfer-Encoding: quoted-printable -----BEGIN PGP PUBLIC KEY BLOCK----- xsFNBFp+A0oBEADffj6anl9/BHhUSxGTICeVl2tob7hPDdhHNgPR4C8xlYt5q49y B+l2nipdaq+4Gk6FZfqC825TKl7eRpUjMriwle4r3R0ydSIGcy4M6eb0IcxmuPYf bWpr/si88QKgyGSVZ7GeNW1UnzTdhYHuFlk8dBSmB1fzhEYEk0RcJqg4AKoq6/3/ UorR+FaSuVwT7rqzGrTlscnTDlPWgRzrQ3jssesI7sZLm82E3pJSgaUoCdCOlL7M MPCJwI8JpPlBedRpe9tfVyfu3euTPLPxwcV3L/cfWPGSL4PofBtB8NUU6QwYiQ9H zx4xOyn67zW73/G0Q2vPPRst8LBDqlxLjbtx/WLR6h3nBc3eyuZ+q62HS1pJ5EvU T1vjyJ1ySrqtUXWQ4XlZyoEFUfpJxJoN0A9HCxmHGVckzTRl5FMWo8TCniHynNXs BtDQbabt7aNEOaAJdE7to0AH3T/Bvwzcp0ZJtBk0EM6YeMLtotUut7h2Bkg1b//r 6bTBswMBXVJ5H44Qf0+eKeUg7whSC9qpYOzzrm7+0r9F5u3qF8ZTx55TJc2g656C 9a1P1MYVysLvkLvS4H+crmxA/i08Tc1h+x9RRvqba4lSzZ6/Tmt60DPM5Sc4R0nS m9BBff0Nm0bSNRS8InXdO1Aq3362QKX2NOwcL5YaStwODNyZUqF7izjK4QARAQAB zTxEZW1pIE9iZW5vdXIgKElUTCBFbWFpbCBLZXkpIDxhdGhlbmFAaW52aXNpYmxl dGhpbmdzbGFiLmNvbT7CwY4EEwEIADgWIQR2h02fEza6IlkHHHGyiLVf/5wiwQUC X6YJvQIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRCyiLVf/5wiwWRhD/0Y R+YYC5Kduv/2LBgQJIygMsFiRHbR4+tWXuTFqgrxxFSlMktZ6gQrQCWe38WnOXkB oY6n/5lSJdfnuGd2UagZ/9dkaGMUkqt+5WshLFly4BnP7pSsWReKgMP7etRTwn3S zk1OwFx2lzY1EnnconPLfPBc6rWG2moA6l0WX+3WNR1B1ndqpl2hPSjT2jUCBWDV rGOUSX7r5f1WgtBeNYnEXPBCUUM51pFGESmfHIXQrqFDA7nBNiIVFDJTmQzuEqIy Jl67pKNgooij5mKzRhFKHfjLRAH4mmWZlB9UjDStAfFBAoDFHwd1HL5VQCNQdqEc /9lZDApqWuCPadZN+pGouqLysesIYsNxUhJ7dtWOWHl0vs7/3qkWmWun/2uOJMQh ra2u8nA9g91FbOobWqjrDd6x3ZJoGQf4zLqjmn/P514gb697788e573WN/MpQ5XI Fl7aM2d6/GJiq6LC9T2gSUW4rbPBiqOCeiUx7Kd/sVm41p9TOA7fEG4bYddCfDsN xaQJH6VRK3NOuBUGeL+iQEVF5Xs6Yp+U+jwvv2M5Lel3EqAYo5xXTx4ls0xaxDCu fudcAh8CMMqx3fguSb7Mi31WlnZpk0fDuWQVNKyDP7lYpwc4nCCGNKCj622ZSocH AcQmX28L8pJdLYacv9pU3jPy4fHcQYvmTavTqowGnM08RGVtaSBNYXJpZSBPYmVu b3VyIChsb3ZlciBvZiBjb2RpbmcpIDxkZW1pb2Jlbm91ckBnbWFpbC5jb20+wsF4 BBMBAgAiBQJafgNKAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCyiLVf /5wiwYa/EACv8a2+MMou9cSCNoZBQaU+fTmyzft9hUE+0d5W2UY1RY3OsjFIzm9R /4SVccfsqOYLEo+S0vQMIIIqFEq3FCpXXwPzyimotps05VA8U3Bd7yseojFygOgK sAMOAee2RCaDDOnoJue01dfZMzzHPO/TVdp3OvnpWipfv5G1Xg96rwbhMLE3tg6N xwAHa31Bv4/Xq8CJOoIWvx6fcmZQpz01/lSvsYn0KrfEbTKkuUf0vM9JrCTCP2oz VNN5BYzqaq2M4r+jmSyeXLim922VOWqGkUEQ85BSEemqrRS06IU6NtEMsF8EWt/b hWjk/9GDKTcnpdJHTrMxTspExBiNrvpI2t+YPU5B/dJJAUxvmhFrbSIbdB8umBZs I3AMYrEmpAbh5x7jEjoskUC7uN3o9vpg1oCLS2ePDLtAtyBtbHnkA4xGD7ar8mem xpH9lY/i+sC6CyyIUWcUDnnagKyJP0m9ks0GLsTeOCA0bft2XA6rD6aaCnMUsndT ctrab42CV5XypjmC4U1rPJ8JQJUh1/3P48/8sMH+3krxpJ06KNWNFaUbaMTGiltZ 7x9DngklSYrX0T+2G4kVXNmjaljwkoLahwLla2gUWwBSyofXdqyhQdwZsp01KXNQ UCyT/Pg+aDcm/E7OMV3d4lf7g/CSxiX2GSEe6BlhSz+Lmd7ZJ3g32M1ARGVtaSBN YXJpZSBPYmVub3VyIChJVEwgRW1haWwgS2V5KSA8ZGVtaUBpbnZpc2libGV0aGlu Z3NsYWIuY29tPsLBjgQTAQgAOBYhBHaHTZ8TNroiWQcccbKItV//nCLBBQJgOEV+ AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJELKItV//nCLBKwoP/1WSnFdv SAD0g7fD0WlF+oi7ISFT7oqJnchFLOwVHK4Jg0e4hGn1ekWsF3Ha5tFLh4V/7UUu obYJpTfBAA2CckspYBqLtKGjFxcaqjjpO1I2W/jeNELVtSYuCOZICjdNGw2Hl9yH KRZiBkqc9u8lQcHDZKq4LIpVJj6ZQV/nxttDX90ax2No1nLLQXFbr5wb465LAPpU lXwunYDij7xJGye+VUASQh9datye6orZYuJvNo8Tr3mAQxxkfR46LzWgxFCPEAZJ 5P56Nc0IMHdJZj0Uc9+1jxERhOGppp5jlLgYGK7faGB/jTV6LaRQ4Ad+xiqokDWp mUOZsmA+bMbtPfYjDZBz5mlyHcIRKIFpE1l3Y8F7PhJuzzMUKkJi90CYakCV4x/a Zs4pzk5E96c2VQx01RIEJ7fzHF7lwFdtfTS4YsLtAbQFsKayqwkGcVv2B1AHeqdo TMX+cgDvjd1ZganGlWA8Sv9RkNSMchn1hMuTwERTyFTr2dKPnQdA1F480+jUap41 ClXgn227WkCIMrNhQGNyJsnwyzi5wS8rBVRQ3BOTMyvGM07j3axUOYaejEpg7wKi wTPZGLGH1sz5GljD/916v5+v2xLbOo5606j9dWf5/tAhbPuqrQgWv41wuKDi+dDD EKkODF7DHes8No+QcHTDyETMn1RYm7t0RKR4zsFNBFp+A0oBEAC9ynZI9LU+uJkM eEJeJyQ/8VFkCJQPQZEsIGzOTlPnwvVna0AS86n2Z+rK7R/usYs5iJCZ55/JISWd 8xD57ue0eB47bcJvVqGlObI2DEG8TwaW0O0duRhDgzMEL4t1KdRAepIESBEA/iPp I4gfUbVEIEQuqdqQyO4GAe+MkD0Hy5JH/0qgFmbaSegNTdQg5iqYjRZ3ttiswalq l1/iSyv1WYeC1OAs+2BLOAT2NEggSiVOtxEfgewsQtCWi8H1SoirakIfo45Hz0tk /Ad9ZWh2PvOGt97Ka85o4TLJxgJJqGEnqcFUZnJJriwoaRIS8N2C8/nEM53jb1sH 0gYddMU3QxY7dYNLIUrRKQeNkF30dK7V6JRH7pleRlf+wQcNfRAIUrNlatj9Txwi vQrKnC9aIFFHEy/0mAgtrQShcMRmMgVlRoOA5B8RTulRLCmkafvwuhs6dCxN0GNA ORIVVFxjx9Vn7OqYPgwiofZ6SbEl0hgPyWBQvE85klFLZLoj7p+joDY1XNQztmfA rnJ9x+YV4igjWImINAZSlmEcYtd+xy3Li/8oeYDAqrsnrOjb+WvGhCykJk4urBog 2LNtcyCjkTs7F+WeXGUo0NDhbd3Z6AyFfqeF7uJ3D5hlpX2nI9no/ugPrrTVoVZA grrnNz0iZG2DVx46x913pVKHl5mlYQARAQABwsFfBBgBAgAJBQJafgNKAhsMAAoJ ELKItV//nCLBwNIP/AiIHE8boIqReFQyaMzxq6lE4YZCZNj65B/nkDOvodSiwfwj jVVE2V3iEzxMHbgyTCGA67+Bo/d5aQGjgn0TPtsGzelyQHipaUzEyrsceUGWYoKX YyVWKEfyh0cDfnd9diAm3VeNqchtcMpoehETH8frRHnJdBcjf112PzQSdKC6kqU0 Q196c4Vp5HDOQfNiDnTf7gZSj0BraHOByy9LEDCLhQiCmr+2E0rW4tBtDAn2HkT9 uf32ZGqJCn1O+2uVfFhGu6vPE5qkqrbSE8TG+03H8ecU2q50zgHWPdHMOBvy3Ehz fAh2VmOSTcRK+tSUe/u3wdLRDPwv/DTzGI36Kgky9MsDC5gpIwNbOJP2G/q1wT1o Gkw4IXfWv2ufWiXqJ+k7HEi2N1sree7Dy9KBCqb+ca1vFhYPDJfhP75I/VnzHVss Z/rYZ9+51yDoUABoNdJNSGUYl+Yh9Pw9pE3Kt4EFzUlFZWbE4xKL/NPno+z4J9aW emLLszcYz/u3XnbOvUSQHSrmfOzX3cV4yfmjM5lewgSstoxGyTx2M8enslgdXhPt hZlDnTnOT+C+OTsh8+m5tos8HQjaPM01MKBiAqdPgksm1wu2DrrwUi6ChRVTUBcj 6+/9IJ81H2P2gJk3Ls3AVIxIffLoY34E+MYSfkEjBz0E8CLOcAw7JIwAaeBTzsFN BGbyLVgBEACqClxh50hmBepTSVlan6EBq3OAoxhrAhWZYEwN78k+ENhK68KhqC5R IsHzlL7QHW1gmfVBQZ63GnWiraM6wOJqFTL4ZWvRslga9u28FJ5XyK860mZLgYhK 9BzoUk4s+dat9jVUbq6LpQ1Ot5I9vrdzo2p1jtQ8h9WCIiFxSYy8s8pZ3hHh5T64 GIj1m/kY7lG3VIdUgoNiREGf/iOMjUFjwwE9ZoJ26j9p7p1U+TkKeF6wgswEB1T3 J8KCAtvmRtqJDq558IU5jhg5fgN+xHB8cgvUWulgK9FIF9oFxcuxtaf/juhHWKMO RtL0bHfNdXoBdpUDZE+mLBUAxF6KSsRrvx6AQyJs7VjgXJDtQVWvH0PUmTrEswgb 49nNU+dLLZQAZagxqnZ9Dp5l6GqaGZCHERJcLmdY/EmMzSf5YazJ6c0vO8rdW27M kn73qcWAplQn5mOXaqbfzWkAUPyUXppuRHfrjxTDz3GyJJVOeMmMrTxH4uCaGpOX Z8tN6829J1roGw4oKDRUQsaBAeEDqizXMPRc+6U9vI5FXzbAsb+8lKW65G7JWHym YPOGUt2hK4DdTA1PmVo0DxH00eWWeKxqvmGyX+Dhcg+5e191rPsMRGsDlH6KihI6 +3JIuc0y6ngdjcp6aalbuvPIGFrCRx3tnRtNc7He6cBWQoH9RPwluwARAQABwsOs BBgBCgAgFiEEdodNnxM2uiJZBxxxsoi1X/+cIsEFAmbyLVgCGwICQAkQsoi1X/+c IsHBdCAEGQEKAB0WIQSilC2pUlbVp66j3+yzNoc6synyUwUCZvItWAAKCRCzNoc6 synyU85gD/0T1QDtPhovkGwoqv4jUbEMMvpeYQf+oWgm/TjWPeLwdjl7AtY0G9Ml ZoyGniYkoHi37Gnn/ShLT3B5vtyI58ap2+SSa8SnGftdAKRLiWFWCiAEklm9FRk8 N3hwxhmSFF1KR/AIDS4g+HIsZn7YEMubBSgLlZZ9zHl4O4vwuXlREBEW97iL/FSt VownU2V39t7PtFvGZNk+DJH7eLO3jmNRYB0PL4JOyyda3NH/J92iwrFmjFWWmmWb /Xz8l9DIs+Z59pRCVTTwbBEZhcUc7rVMCcIYL+q1WxBG2e6lMn15OQJ5WfiE6E0I sGirAEDnXWx92JNGx5l+mMpdpsWhBZ5iGTtttZesibNkQfd48/eCgFi4cxJUC4PT UQwfD9AMgzwSTGJrkI5XGy+XqxwOjL8UA0iIrtTpMh49zw46uV6kwFQCgkf32jZM OLwLTNSzclbnA7GRd8tKwezQ/XqeK3dal2n+cOr+o+Eka7yGmGWNUqFbIe8cjj9T JeF3mgOCmZOwMI+wIcQYRSf+e5VTMO6TNWH5BI3vqeHSt7HkYuPlHT0pGum88d4a pWqhulH4rUhEMtirX1hYx8Q4HlUOQqLtxzmwOYWkhl1C+yPObAvUDNiHCLf9w28n uihgEkzHt9J4VKYulyJM9fe3ENcyU6rpXD7iANQqcr87ogKXFxknZ97uEACvSucc RbnnAgRqZ7GDzgoBerJ2zrmhLkeREZ08iz1zze1JgyW3HEwdr2UbyAuqvSADCSUU GN0vtQHsPzWl8onRc7lOPqPDF8OO+UfN9NAfA4wl3QyChD1GXl9rwKQOkbvdlYFV UFx9u86LNi4ssTmU8p9NtHIGpz1SYMVYNoYy9NU7EVqypGMguDCL7gJt6GUmA0sw p+YCroXiwL2BJ7RwRqTpgQuFL1gShkA17D5jK4mDPEetq1d8kz9rQYvAR/sTKBsR ImC3xSfn8zpWoNTTB6lnwyP5Ng1bu6esS7+SpYprFTe7ZqGZF6xhvBPf1Ldi9UAm U2xPN1/eeWxEa2kusidmFKPmN8lcT4miiAvwGxEnY7Oww9CgZlUB+LP4dl5VPjEt sFeAhrgxLdpVTjPRRwTd9VQF3/XYl83j5wySIQKIPXgT3sG3ngAhDhC8I8GpM36r 8WJJ3x2yVzyJUbBPO0GBhWE2xPNIfhxVoU4cGGhpFqz7dPKSTRDGq++MrFgKKGpI ZwT3CPTSSKc7ySndEXWkOYArDIdtyxdE1p5/c3aoz4utzUU7NDHQ+vVIwlnZSMiZ jek2IJP3SZ+COOIHCVxpUaZ4lnzWT4eDqABhMLpIzw6NmGfg+kLBJhouqz81WITr EtJuZYM5blWncBOJCoWMnBEcTEo/viU3GgcVRw=3D=3D =3Dx94R -----END PGP PUBLIC KEY BLOCK----- --------------winQQEalPuSCsZ0UUkGnFCpJ-- --------------ayT4hoe5R3XMKYXytcXrR5me-- --------------qvnbIcshH6khzxDcrZ9D9HuQ Content-Type: application/pgp-signature; name="OpenPGP_signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="OpenPGP_signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEopQtqVJW1aeuo9/sszaHOrMp8lMFAmkrUzwACgkQszaHOrMp 8lP1YQ/9Gr5YxG0Q1QmwvoDmqo5q5f6jtTycrc47yzyd7R/nOp65/nU1Rwsr3XmS xyKaZARvYGfoqrKEW1kXfI4VeclZSNGxW1xROrMu+U09lAZQul8dkS9X6XUaFucZ TMjHTMGeu6e4bAuNEs+8F0n8TsegIJd4qlwADRm//blyEBCWLl0Sh0oA+29c2bNk S3Ywa6xu+tgYVXsv98NJT050alLRQD85RE8RXwN4srR/yQ42oM5z4d8z0Agj6JaR qSZ1a4gvKI9QmN73e89f7gGIkRJZG8TjcMKEtmrGdzWvkYXFKdAVPjA2nYOw11jb 25LKR8pLt1/JZeMyTNd6J35OAFWD1hUz8cm+ACVUlibP19YheTa57xCc5gO1DZjZ akUMEd8Qo4wnec82mba4KjEyNwu/fWJK+IoffcwtseEdPGtCaQkjUgdaHl+KYOkA StUPOjKPNV3VujyFhLjefq7h6NuRJk5XEzuX4c8DzQa7fwjO58Zo4M8KgeUEmJnj 5zQdWmh/vpeExwE7AJxxy3tNCTBQFcEu9b3kCAiBDuiHmqijZIcwBCpGUr3/I6wx fC86sp6Q3GIwRGfeXcgLKeNIsvAbBgab9q7fEZ9XGIwwztwfyHFWHJfbuES65Ik8 eVJRpYeco9HGW39xnVTXo++vqR6rxRZ2ra/iWjBFEiyJXnU3RKE= =cYzR -----END PGP SIGNATURE----- --------------qvnbIcshH6khzxDcrZ9D9HuQ--