From 494a985be0cb109cfc16a3fb4849dfe3009d60b8 Mon Sep 17 00:00:00 2001 From: fedir Date: Fri, 23 May 2025 21:38:48 +0200 Subject: [PATCH] We all hope for this thesis. Hopefully, the final commit. --- accesscontrol.tex | 2 +- conclusion.tex | 2 +- evaluation.tex | 6 +++--- intro.tex | 4 ++-- main-en.pdf | Bin 1326930 -> 1326867 bytes motivation.tex | 14 +++++++------- 6 files changed, 14 insertions(+), 14 deletions(-) diff --git a/accesscontrol.tex b/accesscontrol.tex index bdff24f..99239b6 100644 --- a/accesscontrol.tex +++ b/accesscontrol.tex @@ -7,7 +7,7 @@ By default, UNIX-like operating systems only provide simplistic Discretionary Ac The policy used by traditional UNIX systems is based on the concepts of \textit{file owner}, \textit{group of a file}, and \textit{others}. For each file, the access rights for these three categories can be specified independently using a so-called access mode. The access mode is a bitmask which specifies whether the file owner, the group of the file, and others have read, write, or execute permissions. -Each process has it's own \textit{Effective User ID} (EUID), the user that the process is running on behalf of. When a process tries to access a file, the kernel checks the access mode of the file, and grants or denies access based on the following rules: +Each process has its own \textit{Effective User ID} (EUID), the user that the process is running on behalf of. When a process tries to access a file, the kernel checks the access mode of the file, and grants or denies access based on the following rules: \begin{itemize} \item If the process's effective user ID matches the file owner, the file owner's access mode is used. diff --git a/conclusion.tex b/conclusion.tex index dfa4c13..531a632 100644 --- a/conclusion.tex +++ b/conclusion.tex 
@@ -2,7 +2,7 @@ \addcontentsline{toc}{chapter}{Conclusion} % rucne pridanie do obsahu \markboth{Conclusion}{Conclusion} % vyriesenie hlaviciek -This thesis introduced the Interactively Controlled File System (ICFS), a novel approach to file system access control designed to address the inherent limitations of traditional discretionary access control (DAC) mechanisms in Linux environments. By placing access control decisions directly in the hands of users through real-time graphical prompts, ICFS bridges the gap between coarse-grained flexibility of DAC and the rigid complexity of mandatory access control (MAC) frameworks. The system’s design prioritises usability without compromising security, enabling users to grant or deny process-specific permissions dynamically while maintaining backward compatibility with existing software workflows via the FUSE framework. +This thesis introduced the Interactively Controlled File System (ICFS), a novel approach to filesystem access control designed to address the inherent limitations of traditional discretionary access control (DAC) mechanisms in Linux environments. By placing access control decisions directly in the hands of users through real-time graphical prompts, ICFS bridges the gap between coarse-grained flexibility of DAC and the rigid complexity of mandatory access control (MAC) frameworks. The system’s design prioritises usability without compromising security, enabling users to grant or deny process-specific permissions dynamically while maintaining backward compatibility with existing software workflows via the FUSE framework. The implementation of ICFS demonstrates that granular access control can be achieved through an interactive model. By allowing temporary permissions and scalable policy generalisation, the system minimises both user burden and the risk of overprivileged processes -- a critical weakness in traditional DAC models. 
Experimental evaluations confirmed ICFS’s effectiveness in restricting unauthorised access while maintaining functional compatibility with diverse applications, including text editors, browsers, and synchronisation tools. However, the system’s reliance on process-level identity checks revealed limitations in environments involving interpreted languages, containerised applications, and desktop portals. For instance, Flatpak sandboxes and the \verb|xdg-desktop-portal| daemon obscured process origins, undermining the granularity of access control. Similarly, shell scripting workflows faced usability challenges due to frequent permission prompts, highlighting tensions between security enforcement and practical usability. diff --git a/evaluation.tex b/evaluation.tex index a843921..7a1d7f8 100644 --- a/evaluation.tex +++ b/evaluation.tex 
@@ -55,7 +55,7 @@ Firefox interactions were limited to file downloads and uploads, which utilise s Hence, it inherited all the usability issues Nautilus had. This dependency also introduced security implications discussed in the following section.\footnote{Only the Flatpak version of Firefox was affected.} -Impact on shell script usability was significant. Since each shell command spawns a new process, users must grant permissions for every command individually.\footnote{Permanent permissions for core shell utilities are discouraged, as they expose the filesystem to unrestricted access via these tools.} A partial mitigation involved redirection operators (\verb|>|, \verb|>>|), which force the shell interpreter to handle file operations, allowing child processes to inherit permissions. However, this approach breaks compatibility with existing scripts. This limitation was anticipated, and potential solutions are discussed in \autoref{eval:future}. +Impact on shell scripting and command line tools' usability was significant. Since each shell command spawns a new process, users must grant permissions for every command individually.\footnote{Permanent permissions for core shell utilities are discouraged, as they expose the filesystem to unrestricted access via these tools.} A partial mitigation involved redirection operators (\verb|>|, \verb|>>|), which force the shell interpreter to handle file operations, allowing child processes to inherit permissions. However, this approach breaks compatibility with existing scripts. This limitation was anticipated, and potential solutions are discussed in \autoref{eval:future}. \section{Security} \label{eval:sec} 
@@ -64,13 +64,13 @@ The analysis of ICFS’s security profile reveals a significant reduction in sec But while ICFS represents a significant improvement over traditional access control systems in single-user environments, its design contains notable limitations. -ICFS theoretically allows users to control every filesystem access operation, but the system's security depends heavily on the user's ability to interpret and respond to access requests. Despite efforts to make the interface accessible, the system generates prompts that may confuse average users. For example, access attempts by Apostrophe were displayed as actions by \verb|/usr/bin/python3.12|. This occurs because Apostrophe is written in Python, an interpreted language: all Python programs execute under the Python interpreter, causing dialogues to display the interpreter path rather than the application name. This limitation stems from ICFS's permission system, which tracks processes at the executable level. Users must understand this behavior to avoid inadvertently granting interpreters permanent access to files, which would expose them to all scripts executed by the interpreter. +ICFS theoretically allows users to control every filesystem access operation, but the system's security depends heavily on the user's ability to interpret and respond to access requests. Despite efforts to make the interface accessible, the system generates prompts that may confuse average users. For example, access attempts by Apostrophe were displayed as actions by \verb|/usr/bin/python3.12|. This occurs because Apostrophe is written in Python, an interpreted language: all Python programs execute under the Python interpreter, causing dialogues to display the interpreter path rather than the application name. This limitation stems from ICFS's permission system, which tracks processes at the executable level. 
Users must understand this behaviour to avoid inadvertently granting interpreters permanent access to files, which would expose them to all scripts executed by the interpreter. Another challenge arises with Flatpak-packaged applications, which often obscure filesystem paths within their sandboxes. For instance, Syncthing's relocated executable path invalidated \verb|/proc/pid/exe|, the mechanism ICFS uses to resolve process identities via the \verb|readlink| system call. Current implementations rely on unvalidated paths returned by \verb|readlink|, leaving the system vulnerable to attacks where malicious processes mask their identity by manipulating sandboxed paths. A functional limitation arises with the \verb|xdg-desktop-portal| daemon, which centralises file-chooser interfaces across desktop environments to streamline user interactions. By design, this daemon handles file operations on behalf of requesting processes via D-Bus, acting as an intermediary that abstracts filesystem access. While this improves compatibility and user experience, it introduces a challenge for ICFS: the daemon obscures the identity of the originating process, making it difficult to enforce granular access control tied to specific applications. -For example, files created or accessed through \verb|xdg-desktop-portal| inherit permissions based on the daemon itself rather than the requesting application. This creates a trade-off between usability and precision in access control. To somewhat mitigate unintended access, the \verb|--no-perm-on-create| flag disables automatic permission grants during file creation.\footnote{That is, the file creation operation will still be completed, but the requested process will gain no permissions to access the file next time.} +For example, files created or accessed through \verb|xdg-desktop-portal| inherit permissions based on the daemon itself rather than the requesting application. 
This creates a trade-off between usability and precision in access control. To somewhat mitigate unintended access, the \verb|--no-grant-on-create| flag disables automatic permission grants during file creation.\footnote{That is, the file creation operation will still be completed, but the requested process will gain no permissions to access the file next time.} However, the daemon retains user-driven file selection via graphical interfaces, maintaining safety equivalent to ICFS's core model (as both depend on GUI interactions remaining inaccessible to untrusted processes). This highlights a broader design constraint: similar trade-offs may exist when integrating with existing or ecosystem-wide services that centralise filesystem access. diff --git a/intro.tex b/intro.tex index 3c58eb0..2a699b0 100644 --- a/intro.tex +++ b/intro.tex 
@@ -9,6 +9,6 @@ The problem arises when a process or application running under a user's account Over the years, various mandatory access control (MAC) mechanisms, such as SELinux (Security-Enhanced Linux) and AppArmor have been developed to address these limitations. These systems enforce access control policies at a more granular level, often based on labels or rules defined by system administrators. While these mechanisms are effective in certain scenarios, they are generally complex to configure and require significant expertise to maintain. As a result, they are rarely adopted in common user-oriented environments, where simplicity and ease of use are paramount. -In this thesis we introduce our approach to file system access control that empowers users to make real-time decisions about which processes or applications should have access to specific file system objects. By integrating an interactive decision-making layer into the file system, this solution aims to bridge the gap between the security benefits of MAC mechanisms and the simplicity required for widespread adoption. The proposed system delegates access control decisions to the user, enabling them to grant or deny access to individual processes or applications on a per-object basis. This approach not only enhances security but also maintains the flexibility and usability that are critical for user-oriented systems. +In this thesis we introduce our approach to filesystem access control that empowers users to make real-time decisions about which processes or applications should have access to specific filesystem objects. By integrating an interactive decision-making layer into the filesystem, this solution aims to bridge the gap between the security benefits of MAC mechanisms and the simplicity required for widespread adoption. The proposed system delegates access control decisions to the user, enabling them to grant or deny access to individual processes or applications on a per-object basis. 
This approach not only enhances security but also maintains the flexibility and usability that are critical for user-oriented systems. -The rest of this thesis is organised as follows: \Cref{access} and \cref{current} provide a review of existing access control mechanisms and their limitations. \Cref{icfs} outlines the design objectives, and the interactive component of the proposed file system layer. \Cref{impl} describes the implementation process, including the tools and techniques used to develop the system. Finally, in \cref{eval} we present experimental results, evaluate the performance, security benefits and limitations of the proposed solution, and discuss the potential for further development. +The rest of this thesis is organised as follows: \Cref{access} and \cref{current} provide a review of existing access control mechanisms and their limitations. \Cref{icfs} outlines the design objectives, and the interactive component of the proposed filesystem layer. \Cref{impl} describes the implementation process, including the tools and techniques used to develop the system. Finally, in \cref{eval} we present experimental results, evaluate the performance, security benefits and limitations of the proposed solution, and discuss the potential for further development. 
diff --git a/main-en.pdf b/main-en.pdf index 24a404527d9196eb4ce5b42bab0b6f332fc2ad58..c813ec0d46b6f14105e5d735791ace60a16f48c1 100644 GIT binary patch delta 23507
zoW)`qObY7Y)XL1V_!OxqWDI4sf9$qr2Rj4*bEb$-|MNgG&NXjyRBohWX`W)}IEgc^MB6L?XM= zC<4H2Kr4wn9OB4?tQa*B2T+{t;$Wwia`VwpQ2=p&wDcnpLcKciZ)&^8Sl?cEP_$Njc1^0O1q9Gp^Wixana2)sXe2xet#Dw8% z&mcl+n+jvT2N6=cR|yl00z`xmt3swa)5{RYauJ3Vo^z*m9xG*lNmy~GuxAj#f2WBr zAYwKj9kJ?DM9i!HN{Sr*_PNj;ih|>$7ChH?Z~g(Z!L28k5q1m{x5x^EV#;^}t`-sRK(#HFYeBwpAFm z=y4o>!$#{k7{R5W6_W?GqjeK*xZ1>(2z>ltOE_{uD z@``Iq|%_H4+K8h27y z#j#wTI%w-0v1;7+azm$I$&IAYpOw+$!1BcTxKf~51qGV=0!>_j-eX0+`Gmh>uV@0|oCx-RP=!4RX$@QzB@xekj=%D1F;AT~mbCyT#2CO9 zVSyUrDYR3=p_dd|g&C%${IQx%8z>U#tnbn6Ete|t>&>?0tVq(IsU!&bn53X)Y; zA39|x)j-9x*YeH$U8DgNAM-{}yMTtv8*V($a$s~tXv-i8R-olxVX#~V$Cr8e#a+*dD(%Dg%@C6ER>8Aid zGqa*_&SRRP{x>^_cWiq#LL#n^u5*>pzx2N|?^3P9)J1uug?|wgRp7dR91p(haAXP4 zX^h%(&fOxh<+{b3ayHr4c7iaCCQhUFBR3G?==%Ru>>_BPv0$Za`NE%m1v;q-u`bc0 zL@cTas)QAeoBllAs_-6yjt=x&ZN1)fhi_43P zC-vAnv-6|I0|}Jq61(W0S)k)~2!iGAaPb164Jm0^oGoNHL9;x6Z)Z3M_}qI^d=4J$9iaO(_--qfZa<%^zzSlmBd9@B4m;} ztSWc$`3sx7$5;OW6s;2wml1Xh6PJY;3Kjx1HJ4H12`GP!Sxa-=xDmeVSIljxstnEd zBZpLJwN~tu*G_D?Qd?dfpdm(LmX8U^k)=z1d%k{v^Dyn?q5&EW5a@1v{WTP<9#+BX zuNObxUc9=AlT{e{Wtv8-+wCgN{H%;uc^UXc6t8Zp)fX?jyu1C|s~adBDMo>xrwNu} zmFqWGf4_fy{qb@gN0}G-m+L%>yz9>&KfZo{E5c77-hIA(`{DhkKT$vTuHOG51OI&U zn@Dcoy#7r^m*{?Y|C5{g`R3;B^=sP2MW9 zu0wC=FGKI1T8(W*-f!g>nxmy=;f;N>pX$CFvDJShh`oArDrOQ5DA$K|vDv<S_0rg^Y3PDa@})qYfEIhY;VdK}dlaS?c5AL|W$ z`cZ!-wC0b?sPJ%fI!5r#0bu1MPQA7#n^5a%-*k2`_l@?ao_-V0Oq1b-{}^T9o;okm z-obI`J!7LUmqqAtfQ8=8Wf6J(AUgKhw7bTV&k%d{R+oRY^Ad1JtD&48$4*?7ewMmW z-oVMMbQ)k$e56zB9!;|r_a$NM$ESyHc*}oZ*-dav6z6uM$)?u;k)Khd6qBq^ zo2SO_L7c!~3wsZ<*e|2ZZR|g>-nIAca{mA}l0t3yL0T*y7FtKKOywQVO5t!c% z%OJs~=di>*&+^23OP4utmpRB35UJI7&5N{7z?QV-meCMFSwUbKdM#bu&|^f?MHdYn zB{|L*{SQ!BCrE>3Sf0i@BA~k0^5xV?u|k51 zLO2ws#>^!3gCdlfksm`l$V=}UXci-hm>LjYkA{-ylG(68RQg33pXcc?pOdfj2r=mw zI62mp9ViKfg``1<)qJYK-q(L`b1vlNw$qHm1}Ed(jDe~ir=h;z(?KV9Vmf+94gHR@ zpG>)F%(O$kJGP#>{7ZDlye9QNbw)DhW-!}HWMAStX;7}B->cp3Z7caVO1v-0oiF+1 zR?{z3Ci3`;M(!wz3^5qnIe!DPb(M5JkQxt?@nxJ4J<_o?+jznAd;Wi9TzKzlHsSu6 
zx}~?ZX4(%rwn5C=N^eSha%Ce>#&EtVooVg3yG#Q_I{g)9a2^4KO=WR}ApDWWu^KrP zB)?vf;954+Qc9D^H(fpQ$spz!i76<0I7la+`hBpu_U}QIibC6uDyv)N>%*kkf}rtK`#`qN&mk8| zijp3O!u9)?-Ap5+aVBYg>fl?e5D0GYph0^W+TM7(J`1rX`qkfM;-?5*zbD zNBK4Ka~c(d3G)u!_Z_Q^@`VT^sf*v{G;n!lFTaA~y?kl3XUn>1UjHEU#3-oFThMJ; zhyW!H3Z;MO7^-lXnll1AO9UZ^myQ7GgPkU!7W9SQiRYCMBDL0T-Ks*ta?Rs@bw7au~Lr1}H_`Nnjr$Z^x?v;)*aM}wG;imqczw9a5$RLIzo z6}i&q(%DQ)r>J_3*Iq-YN4Un~;j@r#?OD2pY}H52_ed>Z5t{H4XUaL*MJK4JPcX1N=Tgq0YW{xII5dQ2s|c zzoAzNeu*IKA6_ET_zdW2Nx1gMkV@|%N;ZGemj;A#{m}8_M(AC?dn-!c1}{muo}`An zt)zd4pdjI}??g&Sv{?F-u^(hJq1!6!FS8z?NEaL57f-DHHorU$K}g z(a`+1!5`UaIy1W3V7^D4H~W?*s(l9uvZH?>$IAW87Y~p<{(ogvqGi=pR}Fn#{iu>k zPAVyV0~_nMZj3&UjlH82S|KD3M9v~4#pd_oy%Y$dk>sAy++MiTyS#5E<+-lt;0LDSB4&X@i;%e6F)l1Yd37zXI-*E)Z# z5?HhP87%~jt#>)VTeUxa7|tI)mIhZGYi!Zz*2m%Ct9VGP^zW7Jq*S+hl? zr636OYSXMfUHn5H|I_0Kqdf3Ks_lR927?FS6IO#GmVTMxp%HqCpMd({#XSr4rTs0_ zYvGporqb-f(d@$0aUt|5bgW1bh!h@S>Jl4tOhW|e;ZZcD!XY`bLu#br;1OJXq;ehH zcP-M{gVCxY)VCtiLrvAZjBb_IR4TtediujHEF&B#O#Cv@yY$PxYp9f`!rN!E!>FdB zhy%5Zf+*7BJ-w5$@lm+`C|x}eG_?9a>i|ocH&_333N{846Rq?$f(m)M;ZIMT4?(DO zFA_Y7BkES9Aj#vjo{8-orbh?EmBU-4Q3e&qO40OR7^ksz{`>m&;=jJ`>2H@2b_^4T zAtMThAtMX7AtMY{O9C=Dmr>#gD1W_JOOqQl5WeSE_{O*jJM$i!TL`-(6xqP8QxrvV z(9X!VU>-)&Y~p`UzcgOET)9wi@klMH)z7b6j%T}BJp1v*_nQ|lZ?k-sB+GSCq_fR- zR+P(foz1Fsyj-Q(Y}3sCh*tAYo1b3Z!iHxX(|B1GIk2HEuiw1-Wpi^sUw>q28Kukl zqAJtq^@scWo4XAYAKw4`Ve|I=-NUyyucB9XKk&kDZ+>UW=FQFTLYl+${oOa==!e_e zx36zdiWjkn{_-|o&5~-FCLjcevk-X}SpwgJrAn8@e38V}I=WZAs_TIjIoCLbv+Lz* zEy~`SUbXFUzDgsIG|%(M^ndV8ljvRjwnxGIFi#@4XQKA_jU&~f(n%GiahfpckLnZe zQKR1v)-m;9hr@gUYzC)gxo>#Mbca@VnlE9J8@3*&pYcao&D0ts)Qxy0yHF-sE#snM zW$xz%hz6?Tmwv9AAcrC7FTO+v6-o4YZ)&_16wUH7Qr_$C;2qDv27mCakav4TMUeP3 zFA5OS45Q;!cXV)w7g?<*W6^qG(Io0LjZj(D@`0@aQtioDIR6+Iv0m=LwD~%ZTIIF# zsK9I?BA;p7!Nnj-ny(`jE@^PSivGfD^zo4`uWWPLR(tbg$jC>yE|G;^4t|WYycMQF z9i)>JSCO{J!W+D5Qh&_x7PJu_YqZz3XPUU)i<1q78tv*-Yicqb>KFXDV$Bo?IrPZ4 zNMUD#0u@>GNK!Ku;);0J+BxmOhiSQ@(8a}PzQl92B0Ir?@l0uSt9M}DIZF=|NEhJ5 
zyXt|(wL=@W*T#WFyiAG$)$fHXxWO*Z^biki_6E}+2lfXLSbqhfh%yIzJ|ST+jqDh_GaJr%VqFuL-J^J1+dN08JqH ziXx9*wSFJGJmO#n1I&#Q3`1&VWqFEt7zbK6VBX?LHIO1X1Xm5&OBBCXeHh86p_c*W zyo}FLgSb!U%zxF80e;S~+IiFuh$ndg%rV|@#EvK^0ubf&m%1IDd6G+U3H^%S-%Q^O z=$+3F6&Ie5qd(`MS|Wo%K-ZN@6lL7)GUq&x{5Vlo0YLx9DgVe5+q-%4tWS*JQG&|P;kPY zhQt}QN6u{x!zwO98M>pGO*4|KMY&p>rzZ=_vU6jndFdPkd7Yv-MX+2*Xs78j zw57FC;J7`pp^(J`J=3rh0S;n4u$^uKPXgd;)+H=lCxnGKiWw$>B7#V<0fJLoL>XlG z>u9{@?NIsgZrm_oF^p@l#u*#~jiEu?&NwG^0)J0g;iL^?ByF|2(WpePn{Th-hUvH3 zS_(06H{}Y(1{t|oe%0j*ap1pj`on;(%o6r8I$b=Cq?)iY$ppoaq^td$5f9~>k0}7XBXNjF=2~-h+Z(ch<1Wv^X3EUF#&aE9frgGY4X-K<_(+wIm zXBsVx4RvY8lZ%+(paq5YQaGlk#`B7Wj(^mnjF?YFv_G{inkk&-SOf(wcB7T0i-<%L zIfRbw!+FyYHV`7@5GVoMQ)qz|1GLPxI2moo?p!phhtOCHf*IY{C+V&vJrsWEgDB(O zICcGLs6g)j3W72|3j&z#tP0f=r&o{;sDJ^QRkhgoR@qs@i%iX~H|UF6xKY;)3xB4s zE%bU?7{Mb4ds2Ka@VU`0u7$u>)r8nt5j{)^&;04_NKF#eR!(z7Qh6}+G9M4p*ho=_ zrq#3%lX@z&Rw^&c1TBZGgsva`LzQY3eGzE+ue}5y2mR}xgOvvp0%Aq2c$SpUU5DhY z)Z$U*48GXO=ulay=u+eXor^Hz4u3B(;+9kWLoSo{K$qSh$(ZllQUT&}%8(=X*WA~s zzb3Q=gJJ_qF6rG!os-9wu4 zdL%w;VL%&89n_Jx!9xoEY4{?C>F)=i$|HfXbFsC68qE~Uc@;;4aQ5ujfq#!V{M&*% zU=KDY+6Bsp*+W}p=>1v&_%#6WiW(kxP=r(;TXl*r+=lUm8^V)2BtK>#xSLBUZk!q& z*bHU05i-kLL{2)_IdKUh42RJBU!o$#^#vrBkz+$9Jn-0YbWZ-%3Q=+qU?5c|p#~v_ z#{erzY*q}{`S3r8G+PpnQWeN2Xg&p9qr5r~vhcmxy!Z!EhclG75q1o9lL0fAQQ`?G zx338eCQf!mLmu+2qVK%OjA{yFK0^yA^+p{?s2Zo4`=7Y(b@Dn zku|~jkBjCiI8;QU^Nuv~R-=u49L^@ge{LH|H%@;DYa#``u!4B6eN1h5nO+Vj{V`%G zK?vU%u@(;FS}`)5OvV?(^V2TOQ2Fp8m29Tbv2R2WHt5bgC&Dn&eGv5?sqKvkCI0PO&M}5m7h{5e2^+ zn|$gs_5eS?!*R6Xs2MRDM;$FVmIC4G8XfKOEEUaZE#>llWJs))9NatPjs z5&_C#5<~Wy%>zb?y>K_QQ)L7N7#)96dqIUmTc{h=5gp*)s7xS;g*Ns}X4im|Z6CHO zwCk{yj5gl3q6KQzfd6N9&YSCNA?`++Vcl#FXvs;&7m*TJ#trUYDW$!Zg<+1)XQ6G{B12B zy{lZ`RXk=_-#kq!{KAqH_=T@`~8`PB?8J(i8}>7SA(_EJMI?rp4*gVzq-6S(`(X2al_*`27%E#fovnvNJ1k8 zIrlAlom^jyF0W?evpx&;sGZ8s8PGS74txm-ASQ2urjQ!>`PawstjE@cWPLB53_CAF z9NH%cdH6MnfA*FdV=V^mI*_yN5kQ4@-BCopz;ZiULU$#wJ)#D@?Iy2z#sMeiV;qR< 
z7@SQ<2Xb-kIBQ38xzBT=lZX%B^e7G6EI+V8BM?HCbd)$BVkliYAFqaWC4=R6!S6PqTHVl5>U*WfUfE~w{eD_!wr9jCT7XPr}=`umAkx{o(K3=ff{AZe+T?nTjIH^BjK!yGtTLrmL8r z^1p8nR|zcQAPJJPh~hE}vQ$KssDiq?`sXT=QpCb>td{Pms8YAd%fb_1yzfBSH^bHM z@aLcK^7sCM{ptm0@}=S;mQk6PK_=ozih|U?F~@n-yS)@S*e`zE?NgZnwRN;2w7S*x zWQLwt8l&3bIP(S56Vrc<8TH+;gVkfS>5X8IDpq;0Pm`#~*x&DTU+Zglu>w&O{N@5g zp7dxY-OyIGEiI;#rp0X4m)$-IO$%2<89wnnYiA_uT@qR($?$`kC)3WB7*48z;FhTf z4=2O4MxS?kkfHkqRC)4G+5wFKzZOxJRp{R+&Pvi5Oa?Qjae#k|McB+WYKp$Fx}HZ= zsX&#`E2aZo&ZtytYK1a$3;2{hzO9NOc7N@oM2dG z8b>KaIt3h6q-3&%TaY87vH+L}8HrpF>-+Ak>Isd>LkzMgve2G1x*bWj9?hAL(evbW zXCjgwaIGv~Gsl14e2QgSD{>O}J58$a)jpLV4PH)B+S%Vq9j#6S{TF{*zcK?NkqGuulxO^p+z9yvi) z5|XLB1ZHO@b5xwErEowkL#Ox9lKKsujF=;h%b^iq1sj8#0Tz6BI6FV;QB8w$AJ9I< zS-wt1NstIrVEa_e8ov z+z@fHOgMk3fW~0+u7Sww@jPny&y1Y(BF!UF6_*e@L9|^(EQ=5k?$?9IjRNO!h9@DG zwAj_Ibru6Vf#0+ZZP$3!mS~`c`{g>wjNhOW5-U%N@EwVFv1Ner(-W3BG$+2aL!IHx zB?o0*g3$Yv zoT+IUKv@wiw6h13}Dc!_Q^WO zz;1uI!`~!)|N7?k2UOD1{+spzoDiu6Y8hrNg&2|6t}ZG%{;v4?ThOA|=uD6&klVjj z`qxHdzivXtfns#7lsUmuVgpo-LAfp*lH3m2gcMgLfk)K{Y&xz7-#1%2#B%Zm-+zhp z*O z-xPZ85=ZR6z5?T;uDI}+fQM9pu>gOi>&e1J5C|?9@pFi7|pmE`( z)dsilp-7*-6^vh1f%7B`Q80f+%F79>-MedR4&m#eB6qQ~FHQo3Tdae4N zRRU+o;$npUAH{zo#b97xK;$#J;F-$7c1dTdshF38&uJbWaf#oQ05wp}%*wN11B5oD zjyTZlQ?||J|4DO2(T_aMSiKz4f{VHX;Zij`SSx|Eei~INXWZQTjzfK!@$RPrjD}H5 zu&n0gK##X}`y+h?zJCEcJBQ?lsY(sEsY(uGtpPKa@#+jIe_2U$+eQ|?>sRn*u*!e{ zG}hc~$4W9a2Tx4b9FiPbK#S}W76yx!e?M<)2&CbusX0jKz2E-6*9>>ZUAX(@=Hub! 
z_D&_cC<@9njdzEKU77`1sdjl821TrPhkEyi7sva*4*$5lgB7clDole&DL9B0efsso zm&51Z_r8iVe=iO8exAkN@1MVZ`{%xhy~9^L;wF@fuW$9^A`j9$+4(98@-*cmfBSUz zb?+xC_okES2Q%49H_a;!WgfKpeVlvGBQKdpGe~pl`CIkfJ}$gz=o=m|Pq@PjuiX7J zR7qpT*Ksnf99mUolvDci-lx@ivVHd+2D8+=pC@Ewf9FR)Z(72)2*NaHdVxw{Kgv8l z^4*BN)EiAT4|c+W4{| z5(!DJaV4{sd7TI72tl$BJ#~qEdi52Lh43g;}i?Qc;`=M(NS7i<*F#xoOyf7}CkwH?omaDbAmd03C~tp%48$T1ypi4S-G+&mMXC6 zg$A@LQ)!Yij$E?MEcY2-bFgG{F5j+O71*XhKb2N6WSO}?2p$_57; zf88Bt(C1HkKPwW94eJxQ4YqO|bSoE{7w}3nW$esdZH6uTVvEcQ?+fbg6;(}IL<2zw z&B`l!1~lco^iUYKJM!k*>ZU(}Bk>OMl=R9w~Af7VW`Md*Jr^#DG`EsV$SMqc28V{5^Mc~>ER ziwa9(@A+gawBOUFUaxAYH?y7C*DZ<9VZTjbfT3z?wO5~MBjdp1-+0!!^lN%>n%QPr)vo(Xuha5e~jR9 zmU&=oJV163XZf{SM;=`ysXIA=_q#ZZYmgrNO2)!y1mPGYjK(NZrUev9`njpOYhIiu z8ae0$adk@{JtuDR90fbZYOoa2a8#V7=AH|1*k;|t-|-gEB`!(EX%HrI(}%8i)*E_c z11GrDbVtKOda!H((0;aT@}YOvf9UC~AN{kK%{~P$KY|w$QCYM$a}*D{1{+}R$r1en z1sH1Hj}X4hk2CotGKdrQK2%0h5>*(Ya2Qyz12;!7FE%H_B`=0jN?1xtkyW-sJFF<7 zWQq6nwX5*7!pW%tM?+YWf zc!KpsM;XwZBv&?T>1c>!PgZkdI+-nwvoKKMlF&AAETb!nGP{xs4x!@2u8lfjD zRE6HBc^DQ~#W{-*p_L)+f6_BdfHq&b#dr==&G$N@2{th1Hc~+xUzsGh)jV{x8ie@c zyq_gOoc%AXCS?$Z>O!e0gj7aIoVya2lc4d2$x82OZV;4lAWq6fwR)OXVI5uN#Ha?E zEwEeJewG++bc{WTXTT zd226qAq3i_fsMeGN#MfF4(V|22!QE^`|He!{Uv^3fads>7e6x0I81_YamAPV=+|a^ zocgm5be#cQ!!4T-Ed>KvuwAW9OE^iD(M8mQi!0NKoRtDxmuFWnVF0y=i^dZ6eBR%? 
z%rWrf1%j6ix*GaXf7(JhcUU=3cIZ3j7qX0O1-^g{jc&m>4fp5oFVdC2nXAyhDCK9~ zM^ttg;^p>8B3PyOP$a``h);E6WP&;6_GO_b3*0UNw~(VAWJ11D8nJPO;WdKUpqru; zLfN1Fk25BzG>)iz0DJ1tE{`}J5zt={Z?Td`YXC`7@mfSuf9=q^`w`*PB-^g4T3kR# z0wh+3k@xSDMaFTQ%k4o)wlvWc6IROHe{8ULZ~6E!Y5OA9^_*^UF`XR6OfCD=wN(6sLPUY>?t@RctDc zFcd|TVjWFje+j7?R>)Eq80--cpC}z>)=H-$w!r##nMQVTUu{7tSv5D(#|o_Hrs;sG z%515@0Z52p67-hR9NP4_k;~%-K{4wBnFDj9sG!2@lZq$TKI%DdN0F*MP9@Js5)hO;Sb+i5fy60q&+F|66p z;R@G6y0k}4uSj@*=Wn^Mi+NDE5#mY3n%)bR+)k%am<8!#5We5_{uyk*?>jUkmfNNw z#bHnu3l;*orTWO%LXnO*XA~mlsc*q|D(-$)e+1*;Quhg(gG3!9rMlEm4KIQYmMpml z0}0XyM+L%OvCD%p4se(go~{0fS`fsUNS zVy9qbi+RTwDJN~oC*p94?0!91-Ycsd<=6&yFcrff>{7DB%^;5R2_J5G{1Qb72`${^ zfB%uY{6)OvC*@ z!!)EvwlZ`Ok>Fbyt{-f9fRqj2U%vgujTLBN6tUr!gJ~B|GTid^0*YqsUWP&`5~cwj zFu1l9N528u(k#e->8LeDM9y>)I9FjFqGS@4HQmg@{5}!aNI= z!3a2)6A`|!zXceI0NLATG&DsO@lnaBDvXp0nHmS$M*P!$dCo2p$=21%S= z_%BEuD(npEHmu8_8Y&=B1z9Ak4iY;7P*4C=4w67)2_DdP!Gn9f%Ym!0XG`xp&;nVz zra)XdqsLkn%uX)CA3QE^6yQsSsT>3_v9Y4LS)tx7QYFM+E7|Gf-|r(SIj*#O z4vA%oVo}s1ALV#=-o?9LKE(d{)BT4ZZ;ND?=7+K>limH}?sPh&Nwzzd$>Eq3yZdJM zd-Q4O>vnc#=x_eK|L2dlS-wk>!>K5LQd$x3_C<9_s*@<+UyQri=V=;E7wy8>^fzf4 zO?J51d8Fcq*bKbSDMP;!%Y$eBW){7v*^~ee(l|>n{+4R zKjI?(^6B;t&*YB-J4|B~4?OH4+32On=cb zJZ^bBS=AWQQux*M6i1D5wbd-KuObRw(wMz0y_Y1Qu>DNG`*)ImqUgy)rzH}qH?H%m zaiaYEmmKZDoq#Q;Xz}d!YB3!I9J8fN1v%`G8$cxpg-A|^|qIR}wyj)|V5?@VCq0P&j z(9w;P1GtJLjtFZaf3T)GYbP&qq-7SJ)##@g{(7Q~ePs|LMm$pw$~wJ&$8Q7YhVnz; zg4IA=p!Yl@+urdah1P1laf{JlLD~7+G^RWI8VKtKHbb_F@;)Y!}ZCcGNW3 zS5aN?jj5}nAps%h*EMQr#iLc7{z~2r_K84nERQG;-V4c{AKaF!k}fz6jIkT+hjvj4;6T7BKS_kc zkbTPQV7D;Q2+AqH%93!wM@+HWyHSq2HdHifdZ{8WvvAOZnbtM0z3K>FtvB@b!j+AN zo$}QaPj;7t4^o_-7)8o9BBi~fP#`{=HSH~E>5+pbBLKin5(rFxyWuh5vw~$U(r}Ih zMy{b>oh*JfN;D+%Ai4eR?z4yp0f4h+C$adzP9^1`C{FBImQ{f@2o_Zt83JUe99;8A zUI{8O?^6wTBv%;AP8p!vOTwZf@#v>us zRywXHCo=2JC~17-{9R8NXMFlJvDJVr8X=2@_L(F7CPtAO(JL||Q2Ns}jPeo+8nS?M24s9o#0-Y@Sa1^smW`CrZL6kHJ;|J7lS!yM z{+G=U-(8AgeRoMt2OLH$Ixo$6AKXl${mA}p-FT8DKOhIgx<(Nb3A+yu 
z4!wqMJlC%(k)NmLi=&f*bmqRHA|6=15}?swO<;S^MOlU`S@sS>3!^8Q^tpI0*^Tk4 zRij8}NpuI~z$zLIlv|2$f@bWZTT18z5JzQy9DVJ;`as>+ypM@T#rHQFzVFDA0AjG2 z?ztT%Su<~z8NLlsWwH8yvknbcjso(I=0r_uKQT8o;PgUCdL%|ZUt0W0Mlrf!W755+ zNLuX4ovYNU|AyXGkH`|;KMuBDdXY^&WptzE8JXdQPUzIG0)jAqzw!CE6dL?gC#58R zEd!@&U${DDpPWpXzM%vYeDS509-UThwnFao9@r8)wHK|LuvVVLEJB)r)n$#e6|_b& z`0)J}=)bflJ$;m>ldn%6CoTQhk(=~0d2=iPC^Xt=;+@R6%kXyl@!GvUmpnFZOZxX6U{Ss&UVxa?_$DDmTeR>5`i8E6!6q_sw8eDa8(lnEvIE}%7FTZ{9 z7UpT_!Xd%H8_9ah!zPW(o|RO|)mMu0>RXDJi0wG~Pm+j0a4cI&q^P=juv%vQW@4aB z@+Jv>;|qz_;h1D5kRkPxcG*WFz08K^#71i-^0%lXOh{n+p&iaf`^%Cq7>GM}X!NTj zHg0G`XTsHFm^^Xtrdh?$@yCgOw@M=i^Zs+o_lnIe&7c_{8<+)w42cg!>zPo}jvlPc#0LPoBTEA452a z{a@U@);yC|x$iO4s#tJBO{>3kSjH=QzHm>FZ-}fOK2C57IWZH{1kIc4(jRmV_^jA*l?0X z5(l;yNY?OyrbaenildNJWbdcnUk!(nXvq@Ik+Dh+#JsAztE;N(@$aVhrP5VSmG@OK zRnFYR$~as35GrdU*Hk(0suC&(oh_yEPV?GVKJkmLiYAYIC{;>^XI&Ldf6-J%dm(=a zl`+{=PV3588!CD*HquR$k&NReaT6Fj+RAv%8+tM!xsiv?M8@{XRVE8x3~F+Mu|$8x z!b&QY)n0C3*(Cbmvvo#p;MhygFkl1y7<#wSm63r-8#BEcJ|zpw*>WRupbMJ~LuC3X zFy#@9(~*%4VlY}dl$*e(qAO<|JQsgkIp@O2n8FQA`OJ;C@(JRg5k^6nQPXqr+yq?( zL#rgL7JgdG8(1+k^_{5UCCKNH;wWgDBmxN9$asMp%a2(G<`t|h5c6|%CgX(=xj{zA zQr^&@XnA8$8f*l9(P=-TX%&5O(peQ_rUiUQk#nFy(n-4aRkBe=N7rHi0SQLr_L;M3u-VTPr>D z#zGhz#17jC2Fs1k$aJyXC_G1u4_yVU0rAiZy%rBs!JDc?FK=>HvWSHTqqUP)7@0OG zDPY-Hh_|DF$r~+#3QjCJqKtolIive10;Vm5(uDE2iBBjNo4I508P$&%shO{qm~)ioqxxC1Y)==HX4!d^?$uAt;dK0M z`@VXqdBLJp7BkG=s9at#+IT@1kn1)1cZ>G)1mCoNyfpm~E~X!Xisc5eZqde$HWZ^! 
z=`N(sL5hKWLaN(>#O{AhxlXEd>})DP$LmH}Q?5*dV3i45zj>8>9!*3pmZ=clh%-Sdyr`MXj5ZM!&Z799inRsDVa zL;dKb=^lh-1oG0mtOzmqM`a3*)d%GyE+wr>v5-CNg!a6uziWSAv=u7+>ieU%T`^jt z?AIc|yWt}n<#BP|YF1j1kf98Y**mYaF}E<{?v4?MjXTW8`J`}kc-f-FuM&3@zVli} zmb9FNh}Y0Yq-adsiPn-MmE>-w9qfdq0JHXXC;UZMX1cO6bJ%BPUJ_D{yZf^( z+I7}>tx|t?@n?6Cz87;<9ObjbQQXJkD0+7r-=e+2#&;@hE-Y$qaa^rtiXSSD9m|*7 zHNNMpf^i?uN{aA3W_2kVm9+{4hC7MKpaR=>kdp z@WF#_g!*BZf7j3Je?R*{eqX&^txlHzsO!Uas@lby`r~JVlh!8IzpF{Rq>ur==w3Mc z^(R8u?aUiX$pT;!By9ur0M+Vhst^li7wIhi)|3AVmq z448jCuKPFjc(IyJW=(xEoz~A`J$X$9SkQec`3_V-RVx6UqpXei{t$3(A^b&VVVOng zAW9-t62#B(EEt|96L+6Ki=)|ibuxa}8P5RWN{Q|SOAV?+Bn>7bKx@njAo26rTF%EO zlg0RGrKW8?TOQl@aHQEBwK}$ z_IC%e{EZJaW?{it6<7Ry94dPS0hk zJ=r@243Ui=oKw*Fc#k-xYF5DM?A-{*?p&s}Sfyj$gVW~EX4alG3pJh}F52l~=QDrD zuiMjA{b#dS(rQ^7Q=crRe~u>~YABDV%kK4Xd0SvQ2MEUY4ge+_T9Q%hCGY>oEZDcf zT9}14%K8hRA*DER8m3|?yV-vQR66}tCIS2m2E`jnp%gA0yg;Ez`~7C|u35~R zS!XHt-he??O`3?!#=i$b$k!|*uH*;$*$eE7ya}WQxp5FH`lH1Vr-+dYc3vpnnn{gs} zE^^4KB+7YC(Xdd8+o$qejVJF~(zv5pd)6)fKTdI|>zppjF{@(hx9!=%sy$dXtAi8t z*({d_)5C-5{9rbnpT0jhY8MCNgXKvxnI26iLh@!YKHlH4}10zj1R)>haQ(i&)RV=Hg475Ky;n!|&$x6K?2+1O4q zKU^N1&S8ITK!ddqNX&mr=*~lu0)>%1=fdhy4f<*yGZRrk)f=+hFL)K!|a&BiIpRyVX zlu8j}#?zG7gDKZth(H+)cPYe6nS!tP^Mz|Cv$;{>tfYOBCZ&_8<_LT;0_FZRYJ^D}@g` zzsU^?Mox^g=X9g``^Raod)efX{|{Jk_fh_NU2^PJvQ7JmGbjH87itlC zhXFnhhXFnihXFnjhXFnkw*fvAoAN0!Gcq|dH!CnQConK4DGD!5Z)8MabY&nYL^?7s zGBq$YGBYtVGC4Chx5Y3NBnLw_Fg8UpH$g@*H#0LvI5I&-Lq;`5IWaOrLN_xtLO3`+ zAUrlOHbpWwK}In*Gc!gwGC@W|Mm0t`F)~9!H#0RtI5?LqI21X5TWDO@6^8ek(O5d8 zGdh|X$r{X0OZM3L*Svtq?*X zSgGEKe}XR;LLu*eLNic^L#+Z@1-A&=(28g&ZV9YIYe(zEZ3i7_DOwpf0cErbnp{mz z(Ynw&aJ5huS|6HTm4R-w2HHB@DyX3iqv>N18yd&U$C|E#y7|dI+zi8eGa0;BX7+z@#g$5o03l`dzHE=qF@WNWeZ^0XD7E0$e zptzlh^KQyL3(kS_;DUw5paw2l@otB#MJwKWMb;%Neo~aBU$kV!&-&$RBeX->I_;@8 zTTxiH;+MY+);9IGi0Pq-zfOWb#PX}XtQRP%3b*oqKnbGES&d)+CO_dV5Z0_T@Qw+i`bS;sdo$)b+D-IDN(T*}X>OQ&F+;`G## z^6mKMpC19QM*Q>JH7HZ3QIJx>yTN);i&MU`^gA?4K0EpB&S5@W1WnD^$Ro#b)-o!MGdwCg@<(XB}+cLrZq@W 
diff --git a/motivation.tex b/motivation.tex index 12442e2..d04d8e4 100644 --- a/motivation.tex +++ b/motivation.tex @@ -5,7 +5,7 @@ \section{MAC Mechanisms} -Many Linux OS ship with additional Mandatory Access Control (MAC) mechanisms (e.g.\ AppArmor, SELinux) that allow to restrict the usage of file system objects by specific programs. +Many Linux OS ship with additional Mandatory Access Control (MAC) mechanisms (e.g.\ AppArmor, SELinux) that allow to restrict the usage of filesystem objects by specific programs. Unfortunately, these mechanisms require a considerable amount of knowledge and effort for the user to manage them, which makes them infeasible for most single-user environments. 
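Review bot: the `+` line in this hunk changes only "file system" to "filesystem" while the rest of the sentence still reads "Many Linux OS ship ... that allow to restrict the usage of filesystem objects"; "Linux OS" needs a plural form ("Linux distributions" or "Linux systems") and "allow to restrict" is not idiomatic English. Since the line is being rewritten anyway, suggest "Many Linux distributions ship with additional Mandatory Access Control (MAC) mechanisms (e.g.\ AppArmor, SELinux) that allow restricting the use of filesystem objects by specific programs." The trailing context line is fine as it is.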
@@ -14,9 +14,9 @@ Unfortunately, these mechanisms require a considerable amount of knowledge and e \section{FGACFS} \label{current:FGACFS} -In Lovyagin et. al. 2020 \cite{FGACFS} authors propose and implement a so called FGACFS file system that extends traditional UNIX access control policies with far more sophisticated and granular system. This also includes the ability to restrict access on per-program basis. However, due to the sheer variety of options and configurable parameters, this approach still falls short when it comes to ease of use and user-friendliness. +In Lovyagin et. al. 2020 \cite{FGACFS} authors propose and implement a so called FGACFS filesystem that extends traditional UNIX access control policies with far more sophisticated and granular system. This also includes the ability to restrict access on per-program basis. However, due to the sheer variety of options and configurable parameters, this approach still falls short when it comes to ease of use and user-friendliness. -Additionally, FGACFS and MAC mechanisms described above share a significant drawback: they necessitate user intervention to secure files, even when those files are never accessed. For instance, if access to a file system object is denied (allowed) for all programs by default and only allowed (denied) for specific ones, granting (revoking) access for new programs requires users to modify access permissions proactively. +Additionally, FGACFS and MAC mechanisms described above share a significant drawback: they necessitate user intervention to secure files, even when those files are never accessed. For instance, if access to a filesystem object is denied (allowed) for all programs by default and only allowed (denied) for specific ones, granting (revoking) access for new programs requires users to modify access permissions proactively. While some solutions offer automatic inheritance or assignment of rules and access control policies, they still need extensive manual configuration. 
Even if inheriting all access permissions from a default value were practical, installing new programs would always necessitate updating rules to adhere to the principle of least privilege. 
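Review bot: the first `+` line still carries "Lovyagin et. al. 2020" (should be "et al.", no full stop after "et"), "a so called FGACFS filesystem" (hyphenate: "so-called"), and "with far more sophisticated and granular system" (missing article: "with a far more sophisticated and granular system"); fold those fixes into the same change. In the second `+` line, the "denied (allowed) ... allowed (denied) ... granting (revoking)" construction is hard to parse; consider stating the default-deny case plainly and adding that the default-allow case is symmetric.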
@@ -24,11 +24,11 @@ Another problem of these solutions, is that their policies are granted forever a \section{Containerisation} -Another solution to consider, is using containerised software distribution, like Flatpak \cite{FLATPAK}, Snapcraft \cite{SNAP} or AppImage \cite{APPIMAGE}. Those types of package distribution systems either use Linux feature called \emph{namespaces} or leverage MAC mechanisms to isolate software from the rest of the system. Aside from solving common dependency management problems, this approach also allows some capabilities of the distributed software to be restricted, like access to camera, hardware devices, but -- most importantly -- file system objects. +Another solution to consider, is using containerised software distribution, like Flatpak \cite{FLATPAK}, Snapcraft \cite{SNAP} or AppImage \cite{APPIMAGE}. Those types of package distribution systems either use Linux feature called \emph{namespaces} or leverage MAC mechanisms to isolate software from the rest of the system. Aside from solving common dependency management problems, this approach also allows some capabilities of the distributed software to be restricted, like access to camera, hardware devices, but -- most importantly -- filesystem objects. However, because the developer of the distributed software is responsible for defining the permissions that his own program needs, it often leads to programs having excessive privileges after installation\footnote{It is important to mention, that although this flaw remains unmitigated, the analysis made by Dunlap et al. 2022 \cite{DunlapMAC} shows that most package maintainers actively attempt to define least-privilege application policies.} without any notification of the user. 
-Additionally, it is a responsibility of the software developer to choose the distribution method, and despite containerised software getting more and more popular, there are still plenty of programs that can only be installed using traditional methods, that do not offer any mechanisms for restricting file system access. +Additionally, it is a responsibility of the software developer to choose the distribution method, and despite containerised software getting more and more popular, there are still plenty of programs that can only be installed using traditional methods, that do not offer any mechanisms for restricting filesystem access. Furthermore, some software is impractical to sandbox. For example, because of the Flatpak's design, CLI software has to be run with \verb|flatpak run| command and has to use often long and hard-to-remember package names, which may appear rather cumbersome for most users. 
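Review bot: the first `+` line has a stray comma in "Another solution to consider, is using" and a missing article in "use Linux feature called \emph{namespaces}" ("use the Linux feature called"); "access to camera" should read "access to the camera". In the unchanged context line below it, "the developer ... his own program" should be "their own program", and the footnote's "It is important to mention, that" should drop the comma. In the second `+` line, "traditional methods, that do not offer" is a restrictive clause and should lose the comma ("traditional methods that do not offer"), and the following context line's "because of the Flatpak's design" should drop "the".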
@@ -57,7 +57,7 @@ Unfortunately, Android access control system is specific to Android. Also, it in \section{Ranacco} -Finally, in McIntosh et al. 2021 \cite{MCINTOSH} authors propose and implement software called \emph{Ranacco}, which attempts to analyse various system environmental factors (e.g. latest mouse and keyboard activity) and file system operations to detect potentially malicious actions made by processes, in which case it delegates access control decision to the user. This approach avoids the shortcomings of other possible solutions, while remaining easy-to-use. Although this system is more advanced than the one we propose in this thesis, not only is it exclusive to Windows, but it also remains unavailable for the general public. +Finally, in McIntosh et al. 2021 \cite{MCINTOSH} authors propose and implement software called \emph{Ranacco}, which attempts to analyse various system environmental factors (e.g. latest mouse and keyboard activity) and filesystem operations to detect potentially malicious actions made by processes, in which case it delegates access control decision to the user. This approach avoids the shortcomings of other possible solutions, while remaining easy-to-use. Although this system is more advanced than the one we propose in this thesis, not only is it exclusive to Windows, but it also remains unavailable for the general public. \section{Requirements for the Solution} 
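Review bot: the `+` line reads "it delegates access control decision to the user" (missing article: "the access control decision") and "while remaining easy-to-use" (no hyphens in predicative use: "easy to use"). The hunk header context "Unfortunately, Android access control system is specific to Android" also lacks an article ("the Android access control system"); it is outside this hunk, but worth fixing in the source in the same pass.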
@@ -67,7 +67,7 @@ The key issues with existent solutions, that our the system proposed in this the \begin{itemize} \item Not all solutions assume processes to be malicious until proven (confirmed by the user to be) safe. Quite often access control permissions are either predefined, inferred or assumed. - \item Some solutions can only enforce access policies on software that is distributed in a special way. This leaves the file system just as unprotected against all other software. + \item Some solutions can only enforce access policies on software that is distributed in a special way. This leaves the filesystem just as unprotected against all other software. \item Most solutions require passive action from the user besides initial installation (e.g. you have to reconfigure policies all the time). This adds further inconvenience to using such systems.
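Review bot: the third bullet in the trailing context says "Most solutions require passive action from the user besides initial installation (e.g. you have to reconfigure policies all the time)", but the example describes active, repeated intervention, so "passive" contradicts it and should read "ongoing (active) intervention". The hunk header context "The key issues with existent solutions, that our the system proposed in this the" shows a garbled sentence in the source ("our the system", "existent" for "existing") that should be repaired there, and the first bullet's "Quite often access control permissions are ..." would read better with a comma after "Quite often". The `+` line itself is fine.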