secmodel_securelevel.c revision 1.8.8.1
1 1.8.8.1 christos /* $NetBSD: secmodel_securelevel.c,v 1.8.8.1 2008/03/29 20:47:03 christos Exp $ */ 2 1.1 elad /*- 3 1.1 elad * Copyright (c) 2006 Elad Efrat <elad (at) NetBSD.org> 4 1.1 elad * All rights reserved. 5 1.1 elad * 6 1.1 elad * Redistribution and use in source and binary forms, with or without 7 1.1 elad * modification, are permitted provided that the following conditions 8 1.1 elad * are met: 9 1.1 elad * 1. Redistributions of source code must retain the above copyright 10 1.1 elad * notice, this list of conditions and the following disclaimer. 11 1.1 elad * 2. Redistributions in binary form must reproduce the above copyright 12 1.1 elad * notice, this list of conditions and the following disclaimer in the 13 1.1 elad * documentation and/or other materials provided with the distribution. 14 1.1 elad * 3. The name of the author may not be used to endorse or promote products 15 1.1 elad * derived from this software without specific prior written permission. 16 1.1 elad * 17 1.1 elad * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 18 1.1 elad * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 19 1.1 elad * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 20 1.1 elad * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 21 1.1 elad * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 22 1.1 elad * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 23 1.1 elad * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 1.1 elad * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 1.1 elad * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26 1.1 elad * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 1.1 elad */ 28 1.1 elad 29 1.1 elad /* 30 1.1 elad * This file contains kauth(9) listeners needed to implement the traditional 31 1.1 elad * NetBSD securelevel. 32 1.1 elad * 33 1.1 elad * The securelevel is a system-global indication on what operations are 34 1.1 elad * allowed or not. It affects all users, including root. 35 1.1 elad */ 36 1.1 elad 37 1.1 elad #include <sys/cdefs.h> 38 1.8.8.1 christos __KERNEL_RCSID(0, "$NetBSD: secmodel_securelevel.c,v 1.8.8.1 2008/03/29 20:47:03 christos Exp $"); 39 1.1 elad 40 1.1 elad #ifdef _KERNEL_OPT 41 1.1 elad #include "opt_insecure.h" 42 1.1 elad #endif /* _KERNEL_OPT */ 43 1.1 elad 44 1.1 elad #include <sys/types.h> 45 1.1 elad #include <sys/param.h> 46 1.1 elad #include <sys/kauth.h> 47 1.1 elad 48 1.1 elad #include <sys/conf.h> 49 1.1 elad #include <sys/mount.h> 50 1.1 elad #include <sys/sysctl.h> 51 1.1 elad #include <sys/vnode.h> 52 1.1 elad 53 1.1 elad #include <miscfs/specfs/specdev.h> 54 1.1 elad 55 1.1 elad #include <secmodel/securelevel/securelevel.h> 56 1.1 elad 57 1.1 elad static int securelevel; 58 1.1 elad 59 1.1 elad static kauth_listener_t l_system, l_process, l_network, l_machdep, l_device; 60 1.1 elad 61 1.1 elad /* 62 1.1 elad * sysctl helper routine for securelevel. ensures that the value 63 1.1 elad * only rises unless the caller has pid 1 (assumed to be init). 64 1.1 elad */ 65 1.1 elad int 66 1.1 elad secmodel_securelevel_sysctl(SYSCTLFN_ARGS) 67 1.1 elad { 68 1.1 elad int newsecurelevel, error; 69 1.1 elad struct sysctlnode node; 70 1.1 elad 71 1.1 elad newsecurelevel = securelevel; 72 1.1 elad node = *rnode; 73 1.1 elad node.sysctl_data = &newsecurelevel; 74 1.1 elad error = sysctl_lookup(SYSCTLFN_CALL(&node)); 75 1.1 elad if (error || newp == NULL) 76 1.1 elad return (error); 77 1.1 elad 78 1.1 elad if (newsecurelevel < securelevel && l && l->l_proc->p_pid != 1) 79 1.1 elad return (EPERM); 80 1.1 elad 81 1.1 elad securelevel = newsecurelevel; 82 1.1 elad 83 1.1 elad return (error); 84 1.1 elad } 85 1.1 elad 86 1.1 elad void 87 1.1 elad secmodel_securelevel_init(void) 88 1.1 elad { 89 1.1 elad #ifdef INSECURE 90 1.1 elad securelevel = -1; 91 1.1 elad #else 92 1.1 elad securelevel = 0; 93 1.1 elad #endif /* INSECURE */ 94 1.1 elad } 95 1.1 elad 96 1.1 elad SYSCTL_SETUP(sysctl_security_securelevel_setup, 97 1.1 elad "sysctl security securelevel setup") 98 1.1 elad { 99 1.1 elad /* 100 1.1 elad * For compatibility, we create a kern.securelevel variable. 101 1.1 elad */ 102 1.1 elad sysctl_createv(clog, 0, NULL, NULL, 103 1.1 elad CTLFLAG_PERMANENT, 104 1.1 elad CTLTYPE_NODE, "kern", NULL, 105 1.1 elad NULL, 0, NULL, 0, 106 1.1 elad CTL_KERN, CTL_EOL); 107 1.1 elad 108 1.1 elad sysctl_createv(clog, 0, NULL, NULL, 109 1.1 elad CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 110 1.1 elad CTLTYPE_INT, "securelevel", 111 1.1 elad SYSCTL_DESCR("System security level"), 112 1.1 elad secmodel_securelevel_sysctl, 0, NULL, 0, 113 1.1 elad CTL_KERN, KERN_SECURELVL, CTL_EOL); 114 1.1 elad } 115 1.1 elad 116 1.1 elad void 117 1.1 elad secmodel_securelevel_start(void) 118 1.1 elad { 119 1.1 elad l_system = kauth_listen_scope(KAUTH_SCOPE_SYSTEM, 120 1.1 elad secmodel_securelevel_system_cb, NULL); 121 1.1 elad l_process = kauth_listen_scope(KAUTH_SCOPE_PROCESS, 122 1.1 elad secmodel_securelevel_process_cb, NULL); 123 1.1 elad l_network = kauth_listen_scope(KAUTH_SCOPE_NETWORK, 124 1.1 elad secmodel_securelevel_network_cb, NULL); 125 1.1 elad l_machdep = kauth_listen_scope(KAUTH_SCOPE_MACHDEP, 126 1.1 elad secmodel_securelevel_machdep_cb, NULL); 127 1.1 elad l_device = kauth_listen_scope(KAUTH_SCOPE_DEVICE, 128 1.1 elad secmodel_securelevel_device_cb, NULL); 129 1.1 elad } 130 1.1 elad 131 1.1 elad #if defined(_LKM) 132 1.1 elad void 133 1.1 elad secmodel_securelevel_stop(void) 134 1.1 elad { 135 1.1 elad kauth_unlisten_scope(l_system); 136 1.1 elad kauth_unlisten_scope(l_process); 137 1.1 elad kauth_unlisten_scope(l_network); 138 1.1 elad kauth_unlisten_scope(l_machdep); 139 1.1 elad kauth_unlisten_scope(l_device); 140 1.1 elad } 141 1.1 elad #endif /* _LKM */ 142 1.1 elad 143 1.1 elad /* 144 1.1 elad * kauth(9) listener 145 1.1 elad * 146 1.1 elad * Security model: Traditional NetBSD 147 1.1 elad * Scope: System 148 1.1 elad * Responsibility: Securelevel 149 1.1 elad */ 150 1.1 elad int 151 1.1 elad secmodel_securelevel_system_cb(kauth_cred_t cred, 152 1.1 elad kauth_action_t action, void *cookie, void *arg0, void *arg1, 153 1.1 elad void *arg2, void *arg3) 154 1.1 elad { 155 1.1 elad int result; 156 1.1 elad enum kauth_system_req req; 157 1.1 elad 158 1.2 elad result = KAUTH_RESULT_DEFER; 159 1.1 elad req = (enum kauth_system_req)arg0; 160 1.1 elad 161 1.1 elad switch (action) { 162 1.1 elad case KAUTH_SYSTEM_CHSYSFLAGS: 163 1.2 elad if (securelevel > 0) 164 1.2 elad result = KAUTH_RESULT_DENY; 165 1.1 elad break; 166 1.1 elad 167 1.1 elad case KAUTH_SYSTEM_TIME: 168 1.1 elad switch (req) { 169 1.1 elad case KAUTH_REQ_SYSTEM_TIME_RTCOFFSET: 170 1.2 elad if (securelevel > 0) 171 1.2 elad result = KAUTH_RESULT_DENY; 172 1.1 elad break; 173 1.1 elad 174 1.3 elad case KAUTH_REQ_SYSTEM_TIME_SYSTEM: { 175 1.3 elad struct timespec *ts = arg1; 176 1.8.8.1 christos struct timespec *delta = arg2; 177 1.3 elad 178 1.3 elad /* 179 1.8.8.1 christos * Don't allow the time to be set forward so far it 180 1.8.8.1 christos * will wrap and become negative, thus allowing an 181 1.8.8.1 christos * attacker to bypass the next check below. The 182 1.8.8.1 christos * cutoff is 1 year before rollover occurs, so even 183 1.8.8.1 christos * if the attacker uses adjtime(2) to move the time 184 1.8.8.1 christos * past the cutoff, it will take a very long time 185 1.3 elad * to get to the wrap point. 186 1.3 elad */ 187 1.3 elad if (securelevel > 1 && 188 1.8.8.1 christos ((ts->tv_sec > LLONG_MAX - 365*24*60*60) || 189 1.8.8.1 christos (delta->tv_sec < 0 || delta->tv_nsec < 0))) 190 1.3 elad result = KAUTH_RESULT_DENY; 191 1.3 elad break; 192 1.3 elad } 193 1.3 elad 194 1.1 elad default: 195 1.1 elad break; 196 1.1 elad } 197 1.1 elad break; 198 1.1 elad 199 1.1 elad case KAUTH_SYSTEM_LKM: 200 1.7 ad case KAUTH_SYSTEM_MODULE: 201 1.2 elad if (securelevel > 0) 202 1.2 elad result = KAUTH_RESULT_DENY; 203 1.1 elad break; 204 1.1 elad 205 1.1 elad case KAUTH_SYSTEM_MOUNT: 206 1.1 elad switch (req) { 207 1.1 elad case KAUTH_REQ_SYSTEM_MOUNT_NEW: 208 1.1 elad if (securelevel > 1) 209 1.2 elad result = KAUTH_RESULT_DENY; 210 1.1 elad 211 1.1 elad break; 212 1.1 elad 213 1.1 elad case KAUTH_REQ_SYSTEM_MOUNT_UPDATE: 214 1.1 elad if (securelevel > 1) { 215 1.1 elad struct mount *mp = arg1; 216 1.1 elad u_long flags = (u_long)arg2; 217 1.1 elad 218 1.1 elad /* Can only degrade from read/write to read-only. */ 219 1.1 elad if (flags != (mp->mnt_flag | MNT_RDONLY | MNT_RELOAD | 220 1.1 elad MNT_FORCE | MNT_UPDATE)) 221 1.2 elad result = KAUTH_RESULT_DENY; 222 1.1 elad } 223 1.1 elad 224 1.1 elad break; 225 1.1 elad 226 1.1 elad default: 227 1.1 elad break; 228 1.1 elad } 229 1.1 elad 230 1.1 elad break; 231 1.1 elad 232 1.1 elad case KAUTH_SYSTEM_SYSCTL: 233 1.1 elad switch (req) { 234 1.1 elad case KAUTH_REQ_SYSTEM_SYSCTL_ADD: 235 1.1 elad case KAUTH_REQ_SYSTEM_SYSCTL_DELETE: 236 1.1 elad case KAUTH_REQ_SYSTEM_SYSCTL_DESC: 237 1.2 elad if (securelevel > 0) 238 1.2 elad result = KAUTH_RESULT_DENY; 239 1.1 elad break; 240 1.1 elad 241 1.1 elad default: 242 1.1 elad break; 243 1.1 elad } 244 1.1 elad break; 245 1.1 elad 246 1.1 elad case KAUTH_SYSTEM_SETIDCORE: 247 1.2 elad if (securelevel > 0) 248 1.2 elad result = KAUTH_RESULT_DENY; 249 1.1 elad break; 250 1.1 elad 251 1.1 elad case KAUTH_SYSTEM_DEBUG: 252 1.1 elad switch (req) { 253 1.1 elad case KAUTH_REQ_SYSTEM_DEBUG_IPKDB: 254 1.2 elad if (securelevel > 0) 255 1.2 elad result = KAUTH_RESULT_DENY; 256 1.1 elad break; 257 1.1 elad 258 1.1 elad default: 259 1.1 elad break; 260 1.1 elad } 261 1.1 elad break; 262 1.1 elad } 263 1.1 elad 264 1.1 elad return (result); 265 1.1 elad } 266 1.1 elad 267 1.1 elad /* 268 1.1 elad * kauth(9) listener 269 1.1 elad * 270 1.1 elad * Security model: Traditional NetBSD 271 1.1 elad * Scope: Process 272 1.1 elad * Responsibility: Securelevel 273 1.1 elad */ 274 1.1 elad int 275 1.1 elad secmodel_securelevel_process_cb(kauth_cred_t cred, 276 1.1 elad kauth_action_t action, void *cookie, void *arg0, 277 1.1 elad void *arg1, void *arg2, void *arg3) 278 1.1 elad { 279 1.1 elad struct proc *p; 280 1.1 elad int result; 281 1.1 elad 282 1.2 elad result = KAUTH_RESULT_DEFER; 283 1.1 elad p = arg0; 284 1.1 elad 285 1.1 elad switch (action) { 286 1.8 elad case KAUTH_PROCESS_PROCFS: { 287 1.1 elad enum kauth_process_req req; 288 1.1 elad 289 1.1 elad req = (enum kauth_process_req)arg2; 290 1.1 elad switch (req) { 291 1.8 elad case KAUTH_REQ_PROCESS_PROCFS_READ: 292 1.1 elad break; 293 1.1 elad 294 1.8 elad case KAUTH_REQ_PROCESS_PROCFS_RW: 295 1.8 elad case KAUTH_REQ_PROCESS_PROCFS_WRITE: 296 1.1 elad if ((p == initproc) && (securelevel > -1)) 297 1.1 elad result = KAUTH_RESULT_DENY; 298 1.1 elad 299 1.1 elad break; 300 1.2 elad 301 1.1 elad default: 302 1.1 elad break; 303 1.1 elad } 304 1.1 elad 305 1.1 elad break; 306 1.1 elad } 307 1.1 elad 308 1.8 elad case KAUTH_PROCESS_PTRACE: 309 1.2 elad if ((p == initproc) && (securelevel >= 0)) 310 1.1 elad result = KAUTH_RESULT_DENY; 311 1.1 elad 312 1.1 elad break; 313 1.1 elad 314 1.1 elad case KAUTH_PROCESS_CORENAME: 315 1.2 elad if (securelevel > 1) 316 1.2 elad result = KAUTH_RESULT_DENY; 317 1.1 elad break; 318 1.1 elad } 319 1.1 elad 320 1.1 elad return (result); 321 1.1 elad } 322 1.1 elad 323 1.1 elad /* 324 1.1 elad * kauth(9) listener 325 1.1 elad * 326 1.1 elad * Security model: Traditional NetBSD 327 1.1 elad * Scope: Network 328 1.1 elad * Responsibility: Securelevel 329 1.1 elad */ 330 1.1 elad int 331 1.1 elad secmodel_securelevel_network_cb(kauth_cred_t cred, 332 1.1 elad kauth_action_t action, void *cookie, void *arg0, 333 1.1 elad void *arg1, void *arg2, void *arg3) 334 1.1 elad { 335 1.1 elad int result; 336 1.1 elad enum kauth_network_req req; 337 1.1 elad 338 1.2 elad result = KAUTH_RESULT_DEFER; 339 1.1 elad req = (enum kauth_network_req)arg0; 340 1.1 elad 341 1.1 elad switch (action) { 342 1.1 elad case KAUTH_NETWORK_FIREWALL: 343 1.1 elad switch (req) { 344 1.1 elad case KAUTH_REQ_NETWORK_FIREWALL_FW: 345 1.1 elad case KAUTH_REQ_NETWORK_FIREWALL_NAT: 346 1.2 elad if (securelevel > 1) 347 1.2 elad result = KAUTH_RESULT_DENY; 348 1.1 elad break; 349 1.1 elad 350 1.1 elad default: 351 1.1 elad break; 352 1.1 elad } 353 1.1 elad break; 354 1.1 elad 355 1.1 elad case KAUTH_NETWORK_FORWSRCRT: 356 1.2 elad if (securelevel > 0) 357 1.2 elad result = KAUTH_RESULT_DENY; 358 1.1 elad break; 359 1.1 elad } 360 1.1 elad 361 1.1 elad return (result); 362 1.1 elad } 363 1.1 elad 364 1.1 elad /* 365 1.1 elad * kauth(9) listener 366 1.1 elad * 367 1.1 elad * Security model: Traditional NetBSD 368 1.1 elad * Scope: Machdep 369 1.1 elad * Responsibility: Securelevel 370 1.1 elad */ 371 1.1 elad int 372 1.1 elad secmodel_securelevel_machdep_cb(kauth_cred_t cred, 373 1.1 elad kauth_action_t action, void *cookie, void *arg0, 374 1.1 elad void *arg1, void *arg2, void *arg3) 375 1.1 elad { 376 1.1 elad int result; 377 1.1 elad 378 1.2 elad result = KAUTH_RESULT_DEFER; 379 1.1 elad 380 1.1 elad switch (action) { 381 1.1 elad case KAUTH_MACHDEP_IOPERM_SET: 382 1.1 elad case KAUTH_MACHDEP_IOPL: 383 1.2 elad if (securelevel > 0) 384 1.2 elad result = KAUTH_RESULT_DENY; 385 1.1 elad break; 386 1.1 elad 387 1.1 elad case KAUTH_MACHDEP_UNMANAGEDMEM: 388 1.2 elad if (securelevel > 0) 389 1.2 elad result = KAUTH_RESULT_DENY; 390 1.1 elad break; 391 1.1 elad } 392 1.1 elad 393 1.1 elad return (result); 394 1.1 elad } 395 1.1 elad 396 1.1 elad /* 397 1.1 elad * kauth(9) listener 398 1.1 elad * 399 1.1 elad * Security model: Traditional NetBSD 400 1.1 elad * Scope: Device 401 1.1 elad * Responsibility: Securelevel 402 1.1 elad */ 403 1.1 elad int 404 1.1 elad secmodel_securelevel_device_cb(kauth_cred_t cred, 405 1.1 elad kauth_action_t action, void *cookie, void *arg0, 406 1.1 elad void *arg1, void *arg2, void *arg3) 407 1.1 elad { 408 1.1 elad int result; 409 1.1 elad 410 1.2 elad result = KAUTH_RESULT_DEFER; 411 1.1 elad 412 1.1 elad switch (action) { 413 1.1 elad case KAUTH_DEVICE_RAWIO_SPEC: { 414 1.1 elad struct vnode *vp, *bvp; 415 1.1 elad enum kauth_device_req req; 416 1.1 elad dev_t dev; 417 1.1 elad int d_type; 418 1.1 elad 419 1.1 elad req = (enum kauth_device_req)arg0; 420 1.1 elad vp = arg1; 421 1.1 elad 422 1.1 elad KASSERT(vp != NULL); 423 1.1 elad 424 1.6 ad dev = vp->v_rdev; 425 1.1 elad d_type = D_OTHER; 426 1.1 elad bvp = NULL; 427 1.1 elad 428 1.1 elad /* Handle /dev/mem and /dev/kmem. */ 429 1.1 elad if ((vp->v_type == VCHR) && iskmemdev(dev)) { 430 1.1 elad switch (req) { 431 1.1 elad case KAUTH_REQ_DEVICE_RAWIO_SPEC_READ: 432 1.1 elad break; 433 1.1 elad 434 1.1 elad case KAUTH_REQ_DEVICE_RAWIO_SPEC_WRITE: 435 1.1 elad case KAUTH_REQ_DEVICE_RAWIO_SPEC_RW: 436 1.2 elad if (securelevel > 0) 437 1.2 elad result = KAUTH_RESULT_DENY; 438 1.1 elad break; 439 1.1 elad } 440 1.1 elad 441 1.1 elad break; 442 1.1 elad } 443 1.1 elad 444 1.1 elad switch (req) { 445 1.1 elad case KAUTH_REQ_DEVICE_RAWIO_SPEC_READ: 446 1.1 elad break; 447 1.1 elad 448 1.1 elad case KAUTH_REQ_DEVICE_RAWIO_SPEC_WRITE: 449 1.1 elad case KAUTH_REQ_DEVICE_RAWIO_SPEC_RW: 450 1.1 elad switch (vp->v_type) { 451 1.1 elad case VCHR: { 452 1.1 elad const struct cdevsw *cdev; 453 1.1 elad 454 1.1 elad cdev = cdevsw_lookup(dev); 455 1.1 elad if (cdev != NULL) { 456 1.1 elad dev_t blkdev; 457 1.1 elad 458 1.1 elad blkdev = devsw_chr2blk(dev); 459 1.1 elad if (blkdev != NODEV) { 460 1.1 elad vfinddev(blkdev, VBLK, &bvp); 461 1.1 elad if (bvp != NULL) 462 1.1 elad d_type = (cdev->d_flag 463 1.1 elad & D_TYPEMASK); 464 1.1 elad } 465 1.1 elad } 466 1.1 elad 467 1.1 elad break; 468 1.1 elad } 469 1.1 elad case VBLK: { 470 1.1 elad const struct bdevsw *bdev; 471 1.1 elad 472 1.1 elad bdev = bdevsw_lookup(dev); 473 1.1 elad if (bdev != NULL) 474 1.1 elad d_type = (bdev->d_flag & D_TYPEMASK); 475 1.1 elad 476 1.1 elad bvp = vp; 477 1.1 elad 478 1.1 elad break; 479 1.1 elad } 480 1.2 elad 481 1.1 elad default: 482 1.1 elad break; 483 1.1 elad } 484 1.1 elad 485 1.2 elad if (d_type != D_DISK) 486 1.1 elad break; 487 1.1 elad 488 1.1 elad /* 489 1.1 elad * XXX: This is bogus. We should be failing the request 490 1.1 elad * XXX: not only if this specific slice is mounted, but 491 1.1 elad * XXX: if it's on a disk with any other mounted slice. 492 1.1 elad */ 493 1.1 elad if (vfs_mountedon(bvp) && (securelevel > 0)) 494 1.1 elad break; 495 1.1 elad 496 1.2 elad if (securelevel > 1) 497 1.2 elad result = KAUTH_RESULT_DENY; 498 1.1 elad 499 1.1 elad break; 500 1.1 elad } 501 1.1 elad 502 1.1 elad break; 503 1.1 elad } 504 1.1 elad 505 1.2 elad case KAUTH_DEVICE_RAWIO_PASSTHRU: 506 1.1 elad if (securelevel > 0) { 507 1.1 elad u_long bits; 508 1.1 elad 509 1.1 elad bits = (u_long)arg0; 510 1.1 elad 511 1.1 elad KASSERT(bits != 0); 512 1.1 elad KASSERT((bits & ~KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_ALL) == 0); 513 1.1 elad 514 1.1 elad if (bits & ~KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_READCONF) 515 1.1 elad result = KAUTH_RESULT_DENY; 516 1.1 elad } 517 1.1 elad 518 1.1 elad break; 519 1.1 elad } 520 1.1 elad 521 1.1 elad return (result); 522 1.1 elad } 523
Indexes created Fri Sep 26 08:10:20 GMT 2025