Magisk/native/jni/magiskpolicy/rules.cpp

#include <utils.hpp>
#include <magiskpolicy.hpp>

#include "sepolicy.hpp"

using namespace std;

void sepolicy::magisk_rules() {
    // Temp suppress warnings
    auto bak = log_cb.w;
    log_cb.w = nop_log;

    // This indicates API 26+
    bool new_rules = exists("untrusted_app_25");

    // Prevent anything to change sepolicy except ourselves
    deny(ALL, "kernel", "security", "load_policy");

    type(SEPOL_PROC_DOMAIN, "domain");
    permissive(SEPOL_PROC_DOMAIN);  /* Just in case something is missing */
    typeattribute(SEPOL_PROC_DOMAIN, "mlstrustedsubject");
    typeattribute(SEPOL_PROC_DOMAIN, "netdomain");
    typeattribute(SEPOL_PROC_DOMAIN, "bluetoothdomain");
    type(SEPOL_FILE_TYPE, "file_type");
    typeattribute(SEPOL_FILE_TYPE, "mlstrustedobject");

    // Make our root domain unconstrained
    allow(SEPOL_PROC_DOMAIN, ALL, ALL, ALL);
    // Allow us to do any ioctl
    if (db->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL) {
        allowxperm(SEPOL_PROC_DOMAIN, ALL, "blk_file", ALL);
        allowxperm(SEPOL_PROC_DOMAIN, ALL, "fifo_file", ALL);
        allowxperm(SEPOL_PROC_DOMAIN, ALL, "chr_file", ALL);
    }

    // Create unconstrained file type
    allow(ALL, SEPOL_FILE_TYPE, "file", ALL);
    allow(ALL, SEPOL_FILE_TYPE, "dir", ALL);
    allow(ALL, SEPOL_FILE_TYPE, "fifo_file", ALL);
    allow(ALL, SEPOL_FILE_TYPE, "chr_file", ALL);
    allow(ALL, SEPOL_FILE_TYPE, "lnk_file", ALL);
    allow(ALL, SEPOL_FILE_TYPE, "sock_file", ALL);

    if (new_rules) {
        // Make client type literally untrusted_app
        type(SEPOL_CLIENT_DOMAIN, "domain");
        typeattribute(SEPOL_CLIENT_DOMAIN, "coredomain");
        typeattribute(SEPOL_CLIENT_DOMAIN, "appdomain");
        typeattribute(SEPOL_CLIENT_DOMAIN, "untrusted_app_all");
        typeattribute(SEPOL_CLIENT_DOMAIN, "netdomain");
        typeattribute(SEPOL_CLIENT_DOMAIN, "bluetoothdomain");

        type(SEPOL_EXEC_TYPE, "file_type");
        typeattribute(SEPOL_EXEC_TYPE, "exec_type");

        // Basic su client needs
        allow(SEPOL_CLIENT_DOMAIN, SEPOL_EXEC_TYPE, "file", ALL);
        allow(SEPOL_CLIENT_DOMAIN, SEPOL_CLIENT_DOMAIN, ALL, ALL);

        const char *pts[]{"devpts", "untrusted_app_devpts", "untrusted_app_25_devpts"};
        for (auto type : pts) {
            allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "getattr");
            allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "read");
            allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "write");
            allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "ioctl");
        }

        // Allow these processes to access MagiskSU
        vector<const char *> clients{ "init", "shell", "update_engine", "appdomain" };
        for (auto type : clients) {
            if (!exists(type))
                continue;
            // exec magisk
            allow(type, SEPOL_EXEC_TYPE, "file", "read");
            allow(type, SEPOL_EXEC_TYPE, "file", "open");
            allow(type, SEPOL_EXEC_TYPE, "file", "getattr");
            allow(type, SEPOL_EXEC_TYPE, "file", "execute");
            allow(SEPOL_CLIENT_DOMAIN, type, "process", "sigchld");

            // Auto transit to client domain
            allow(type, SEPOL_CLIENT_DOMAIN, "process", "transition");
            dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "siginh");
            dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "rlimitinh");
            dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "noatsecure");

            // Kill client process
            allow(type, SEPOL_CLIENT_DOMAIN, "process", "signal");
        }

        // type transition require actual types, not attributes
        const char *app_types[]{
            "system_app", "priv_app", "platform_app", "untrusted_app", "untrusted_app_25",
            "untrusted_app_27", "untrusted_app_29", "untrusted_app_30"};
        clients.pop_back();
        clients.insert(clients.end(), app_types, app_types + std::size(app_types));
        for (auto type : clients) {
            // Auto transit to client domain
            type_transition(type, SEPOL_EXEC_TYPE, "process", SEPOL_CLIENT_DOMAIN);
        }

        // Allow system_server to manage magisk_client
        allow("system_server", SEPOL_CLIENT_DOMAIN, "process", "getpgid");
        allow("system_server", SEPOL_CLIENT_DOMAIN, "process", "sigkill");

        // Don't allow pesky processes to monitor audit deny logs when poking magisk daemon socket
        dontaudit(ALL, SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);

        // Only allow client processes and zygote to connect to magisk daemon socket
        allow(SEPOL_CLIENT_DOMAIN, SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);
        allow("zygote", SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);
    } else {
        // Fallback to poking holes in sandbox as Android 4.3 to 7.1 set PR_SET_NO_NEW_PRIVS

        // Allow these processes to access MagiskSU
        const char *clients[] { "init", "shell", "appdomain", "zygote" };
        for (auto type : clients) {
            if (!exists(type))
                continue;
            allow(type, SEPOL_PROC_DOMAIN, "unix_stream_socket", "connectto");
            allow(type, SEPOL_PROC_DOMAIN, "unix_stream_socket", "getopt");
        }
    }

    // Let everyone access tmpfs files (for SAR sbin overlay)
    allow(ALL, "tmpfs", "file", ALL);

    // Allow magiskinit daemon to handle mock selinuxfs
    allow("kernel", "tmpfs", "fifo_file", "write");

    // For relabelling files
    allow("rootfs", "labeledfs", "filesystem", "associate");
    allow(SEPOL_FILE_TYPE, "pipefs", "filesystem", "associate");
    allow(SEPOL_FILE_TYPE, "devpts", "filesystem", "associate");

    // Let init transit to SEPOL_PROC_DOMAIN
    allow("kernel", "kernel", "process", "setcurrent");
    allow("kernel", SEPOL_PROC_DOMAIN, "process", "dyntransition");

    // Let init run stuffs
    allow("kernel", SEPOL_PROC_DOMAIN, "fd", "use");
    allow("init", SEPOL_PROC_DOMAIN, "process", ALL);
    allow("init", "tmpfs", "file", "getattr");
    allow("init", "tmpfs", "file", "execute");

    // suRights
    allow("servicemanager", SEPOL_PROC_DOMAIN, "dir", "search");
    allow("servicemanager", SEPOL_PROC_DOMAIN, "dir", "read");
    allow("servicemanager", SEPOL_PROC_DOMAIN, "file", "open");
    allow("servicemanager", SEPOL_PROC_DOMAIN, "file", "read");
    allow("servicemanager", SEPOL_PROC_DOMAIN, "process", "getattr");
    allow(ALL, SEPOL_PROC_DOMAIN, "process", "sigchld");

    // allowLog
    allow("logd", SEPOL_PROC_DOMAIN, "dir", "search");
    allow("logd", SEPOL_PROC_DOMAIN, "file", "read");
    allow("logd", SEPOL_PROC_DOMAIN, "file", "open");
    allow("logd", SEPOL_PROC_DOMAIN, "file", "getattr");

    // dumpsys
    allow(ALL, SEPOL_PROC_DOMAIN, "fd", "use");
    allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "write");
    allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "read");
    allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "open");
    allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "getattr");

    // bootctl
    allow("hwservicemanager", SEPOL_PROC_DOMAIN, "dir", "search");
    allow("hwservicemanager", SEPOL_PROC_DOMAIN, "file", "read");
    allow("hwservicemanager", SEPOL_PROC_DOMAIN, "file", "open");
    allow("hwservicemanager", SEPOL_PROC_DOMAIN, "process", "getattr");

    // For mounting loop devices, mirrors, tmpfs
    allow("kernel", ALL, "file", "read");
    allow("kernel", ALL, "file", "write");

    // Allow all binder transactions
    allow(ALL, SEPOL_PROC_DOMAIN, "binder", ALL);

    // For changing file context
    allow("rootfs", "tmpfs", "filesystem", "associate");

    // Zygisk rules
    allow("zygote", "zygote", "capability", "sys_resource");  // prctl PR_SET_MM
    allow("zygote", "zygote", "process", "execmem");
    allow("zygote", "fs_type", "filesystem", "unmount");
    allow("system_server", "system_server", "process", "execmem");

    // Shut llkd up
    dontaudit("llkd", SEPOL_PROC_DOMAIN, "process", "ptrace");
    dontaudit("llkd", SEPOL_CLIENT_DOMAIN, "process", "ptrace");

    // Allow update_engine/addon.d-v2 to run permissive on all ROMs
    permissive("update_engine");

#if 0
    // Remove all dontaudit in debug mode
    impl->strip_dontaudit();
#endif

    log_cb.w = bak;
}
Move logging.hpp 2020-06-17 08:17:28 +00:00			`#include <utils.hpp>`
Small native code reorganization 2020-03-09 08:50:30 +00:00			`#include <magiskpolicy.hpp>`
Clean/refactor includes 2019-02-10 08:57:51 +00:00
Rewrite sepolicy.c in C++ 2020-05-23 07:18:25 +00:00			`#include "sepolicy.hpp"`
Add built-in rules 2016-09-12 22:19:07 +00:00
Fix some issues with selinux rules 2020-09-04 07:03:24 +00:00			`using namespace std;`

Modernize magiskpolicy 2020-05-21 13:48:02 +00:00			`void sepolicy::magisk_rules() {`
Convert indentation to spaces The tab war is lost 2020-12-31 06:11:24 +00:00			`// Temp suppress warnings`
			`auto bak = log_cb.w;`
			`log_cb.w = nop_log;`

			`// This indicates API 26+`
			`bool new_rules = exists("untrusted_app_25");`

			`// Prevent anything to change sepolicy except ourselves`
			`deny(ALL, "kernel", "security", "load_policy");`

			`type(SEPOL_PROC_DOMAIN, "domain");`
			`permissive(SEPOL_PROC_DOMAIN); /* Just in case something is missing */`
			`typeattribute(SEPOL_PROC_DOMAIN, "mlstrustedsubject");`
			`typeattribute(SEPOL_PROC_DOMAIN, "netdomain");`
			`typeattribute(SEPOL_PROC_DOMAIN, "bluetoothdomain");`
			`type(SEPOL_FILE_TYPE, "file_type");`
			`typeattribute(SEPOL_FILE_TYPE, "mlstrustedobject");`

			`// Make our root domain unconstrained`
			`allow(SEPOL_PROC_DOMAIN, ALL, ALL, ALL);`
			`// Allow us to do any ioctl`
			`if (db->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL) {`
			`allowxperm(SEPOL_PROC_DOMAIN, ALL, "blk_file", ALL);`
			`allowxperm(SEPOL_PROC_DOMAIN, ALL, "fifo_file", ALL);`
Update spolicy rules 2021-10-29 10:12:48 +00:00			`allowxperm(SEPOL_PROC_DOMAIN, ALL, "chr_file", ALL);`
Convert indentation to spaces The tab war is lost 2020-12-31 06:11:24 +00:00			`}`

			`// Create unconstrained file type`
			`allow(ALL, SEPOL_FILE_TYPE, "file", ALL);`
			`allow(ALL, SEPOL_FILE_TYPE, "dir", ALL);`
			`allow(ALL, SEPOL_FILE_TYPE, "fifo_file", ALL);`
			`allow(ALL, SEPOL_FILE_TYPE, "chr_file", ALL);`
Add rule: `allow * magisk_file lnk_file { * }` 2021-10-25 15:40:25 +00:00			`allow(ALL, SEPOL_FILE_TYPE, "lnk_file", ALL);`
Update rules again 2021-10-29 10:37:14 +00:00			`allow(ALL, SEPOL_FILE_TYPE, "sock_file", ALL);`
Convert indentation to spaces The tab war is lost 2020-12-31 06:11:24 +00:00
			`if (new_rules) {`
			`// Make client type literally untrusted_app`
			`type(SEPOL_CLIENT_DOMAIN, "domain");`
			`typeattribute(SEPOL_CLIENT_DOMAIN, "coredomain");`
			`typeattribute(SEPOL_CLIENT_DOMAIN, "appdomain");`
			`typeattribute(SEPOL_CLIENT_DOMAIN, "untrusted_app_all");`
			`typeattribute(SEPOL_CLIENT_DOMAIN, "netdomain");`
			`typeattribute(SEPOL_CLIENT_DOMAIN, "bluetoothdomain");`

			`type(SEPOL_EXEC_TYPE, "file_type");`
			`typeattribute(SEPOL_EXEC_TYPE, "exec_type");`

			`// Basic su client needs`
			`allow(SEPOL_CLIENT_DOMAIN, SEPOL_EXEC_TYPE, "file", ALL);`
			`allow(SEPOL_CLIENT_DOMAIN, SEPOL_CLIENT_DOMAIN, ALL, ALL);`

Fix terminal on android 8 No need to handle untrusted_app_all_devpts on modern devices, but devpts policy is different for older devices. 2021-09-24 15:56:36 +00:00			`const char *pts[]{"devpts", "untrusted_app_devpts", "untrusted_app_25_devpts"};`
			`for (auto type : pts) {`
			`allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "getattr");`
			`allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "read");`
			`allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "write");`
			`allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "ioctl");`
			`}`

Convert indentation to spaces The tab war is lost 2020-12-31 06:11:24 +00:00			`// Allow these processes to access MagiskSU`
			`vector<const char *> clients{ "init", "shell", "update_engine", "appdomain" };`
			`for (auto type : clients) {`
			`if (!exists(type))`
			`continue;`
			`// exec magisk`
			`allow(type, SEPOL_EXEC_TYPE, "file", "read");`
			`allow(type, SEPOL_EXEC_TYPE, "file", "open");`
			`allow(type, SEPOL_EXEC_TYPE, "file", "getattr");`
			`allow(type, SEPOL_EXEC_TYPE, "file", "execute");`
			`allow(SEPOL_CLIENT_DOMAIN, type, "process", "sigchld");`

			`// Auto transit to client domain`
			`allow(type, SEPOL_CLIENT_DOMAIN, "process", "transition");`
			`dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "siginh");`
			`dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "rlimitinh");`
			`dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "noatsecure");`

			`// Kill client process`
			`allow(type, SEPOL_CLIENT_DOMAIN, "process", "signal");`
			`}`

			`// type transition require actual types, not attributes`
Add new targetSdk domain https://android-review.googlesource.com/c/platform/system/sepolicy/+/1752122 2021-07-22 08:20:36 +00:00			`const char *app_types[]{`
			`"system_app", "priv_app", "platform_app", "untrusted_app", "untrusted_app_25",`
			`"untrusted_app_27", "untrusted_app_29", "untrusted_app_30"};`
Convert indentation to spaces The tab war is lost 2020-12-31 06:11:24 +00:00			`clients.pop_back();`
			`clients.insert(clients.end(), app_types, app_types + std::size(app_types));`
			`for (auto type : clients) {`
			`// Auto transit to client domain`
			`type_transition(type, SEPOL_EXEC_TYPE, "process", SEPOL_CLIENT_DOMAIN);`
			`}`

			`// Allow system_server to manage magisk_client`
			`allow("system_server", SEPOL_CLIENT_DOMAIN, "process", "getpgid");`
			`allow("system_server", SEPOL_CLIENT_DOMAIN, "process", "sigkill");`

			`// Don't allow pesky processes to monitor audit deny logs when poking magisk daemon socket`
			`dontaudit(ALL, SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);`

Implement MagiskHide through code injection 2021-01-12 11:28:00 +00:00			`// Only allow client processes and zygote to connect to magisk daemon socket`
Convert indentation to spaces The tab war is lost 2020-12-31 06:11:24 +00:00			`allow(SEPOL_CLIENT_DOMAIN, SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);`
Implement MagiskHide through code injection 2021-01-12 11:28:00 +00:00			`allow("zygote", SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);`
Convert indentation to spaces The tab war is lost 2020-12-31 06:11:24 +00:00			`} else {`
			`// Fallback to poking holes in sandbox as Android 4.3 to 7.1 set PR_SET_NO_NEW_PRIVS`

			`// Allow these processes to access MagiskSU`
Implement MagiskHide through code injection 2021-01-12 11:28:00 +00:00			`const char *clients[] { "init", "shell", "appdomain", "zygote" };`
Convert indentation to spaces The tab war is lost 2020-12-31 06:11:24 +00:00			`for (auto type : clients) {`
			`if (!exists(type))`
			`continue;`
			`allow(type, SEPOL_PROC_DOMAIN, "unix_stream_socket", "connectto");`
			`allow(type, SEPOL_PROC_DOMAIN, "unix_stream_socket", "getopt");`
			`}`
			`}`

			`// Let everyone access tmpfs files (for SAR sbin overlay)`
			`allow(ALL, "tmpfs", "file", ALL);`

Introduce new sepolicy injection mechanism In the current implementation, Magisk will either have to recreate all early mount implementation (for legacy SAR and rootfs devices) or delegate early mount to first stage init (for 2SI devices) to access required partitions for loading sepolicy. It then has to recreate the split sepolicy loading implementation in-house, apply patches, then dump the compiled + patched policies into monolithic format somewhere. Finally, it patches the original init to force it to load the sepolicy file we just created. With the increasing complexity involved in early mount and split sepolicy (there is even APEX module involved in the future!), it is about time to rethink Magisk's sepolicy strategy as rebuilding init's functionality is not scalable and easy to maintain. In this commit, instead of building sepolicy ourselves, we mock selinuxfs with FIFO files connected to a pre-init daemon, waiting for the actual init process to directly write the sepolicy file into MagiskInit. We then patch the file and load it into the kernel. Some FIFO tricks has to be used to hijack the original init process's control flow and prevent race conditions, details are directly in the comments in code. At the moment, only system-as-root (read-only root) support is added. Support for legacy rootfs devices will come with a follow up commit. 2022-03-16 07:31:53 +00:00			`// Allow magiskinit daemon to handle mock selinuxfs`
			`allow("kernel", "tmpfs", "fifo_file", "write");`

Convert indentation to spaces The tab war is lost 2020-12-31 06:11:24 +00:00			`// For relabelling files`
			`allow("rootfs", "labeledfs", "filesystem", "associate");`
			`allow(SEPOL_FILE_TYPE, "pipefs", "filesystem", "associate");`
			`allow(SEPOL_FILE_TYPE, "devpts", "filesystem", "associate");`

			`// Let init transit to SEPOL_PROC_DOMAIN`
			`allow("kernel", "kernel", "process", "setcurrent");`
			`allow("kernel", SEPOL_PROC_DOMAIN, "process", "dyntransition");`

			`// Let init run stuffs`
			`allow("kernel", SEPOL_PROC_DOMAIN, "fd", "use");`
			`allow("init", SEPOL_PROC_DOMAIN, "process", ALL);`
			`allow("init", "tmpfs", "file", "getattr");`
			`allow("init", "tmpfs", "file", "execute");`

			`// suRights`
			`allow("servicemanager", SEPOL_PROC_DOMAIN, "dir", "search");`
			`allow("servicemanager", SEPOL_PROC_DOMAIN, "dir", "read");`
			`allow("servicemanager", SEPOL_PROC_DOMAIN, "file", "open");`
			`allow("servicemanager", SEPOL_PROC_DOMAIN, "file", "read");`
			`allow("servicemanager", SEPOL_PROC_DOMAIN, "process", "getattr");`
			`allow(ALL, SEPOL_PROC_DOMAIN, "process", "sigchld");`

			`// allowLog`
			`allow("logd", SEPOL_PROC_DOMAIN, "dir", "search");`
			`allow("logd", SEPOL_PROC_DOMAIN, "file", "read");`
			`allow("logd", SEPOL_PROC_DOMAIN, "file", "open");`
			`allow("logd", SEPOL_PROC_DOMAIN, "file", "getattr");`

			`// dumpsys`
			`allow(ALL, SEPOL_PROC_DOMAIN, "fd", "use");`
			`allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "write");`
			`allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "read");`
			`allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "open");`
			`allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "getattr");`

			`// bootctl`
			`allow("hwservicemanager", SEPOL_PROC_DOMAIN, "dir", "search");`
			`allow("hwservicemanager", SEPOL_PROC_DOMAIN, "file", "read");`
			`allow("hwservicemanager", SEPOL_PROC_DOMAIN, "file", "open");`
			`allow("hwservicemanager", SEPOL_PROC_DOMAIN, "process", "getattr");`

			`// For mounting loop devices, mirrors, tmpfs`
			`allow("kernel", ALL, "file", "read");`
			`allow("kernel", ALL, "file", "write");`

			`// Allow all binder transactions`
			`allow(ALL, SEPOL_PROC_DOMAIN, "binder", ALL);`

			`// For changing file context`
			`allow("rootfs", "tmpfs", "filesystem", "associate");`

Update spolicy rules 2021-10-29 10:12:48 +00:00			`// Zygisk rules`
			`allow("zygote", "zygote", "capability", "sys_resource"); // prctl PR_SET_MM`
Add execmem to allow hook 2021-09-18 16:38:33 +00:00			`allow("zygote", "zygote", "process", "execmem");`
Update spolicy rules 2021-10-29 10:12:48 +00:00			`allow("zygote", "fs_type", "filesystem", "unmount");`
Add execmem to allow hook 2021-09-18 16:38:33 +00:00			`allow("system_server", "system_server", "process", "execmem");`

Update spolicy rules 2021-10-29 10:12:48 +00:00			`// Shut llkd up`
			`dontaudit("llkd", SEPOL_PROC_DOMAIN, "process", "ptrace");`
			`dontaudit("llkd", SEPOL_CLIENT_DOMAIN, "process", "ptrace");`

Convert indentation to spaces The tab war is lost 2020-12-31 06:11:24 +00:00			`// Allow update_engine/addon.d-v2 to run permissive on all ROMs`
			`permissive("update_engine");`
Remove all dontaudit in magisk rules 2018-11-29 11:28:37 +00:00
Fix compile errors 2019-11-23 22:18:55 +00:00			`#if 0`
Convert indentation to spaces The tab war is lost 2020-12-31 06:11:24 +00:00			`// Remove all dontaudit in debug mode`
			`impl->strip_dontaudit();`
Update sepolicy rules 2019-04-30 00:26:51 +00:00			`#endif`
Temporarily suppress warnings when applying Magisk rules 2018-11-29 11:31:05 +00:00
Convert indentation to spaces The tab war is lost 2020-12-31 06:11:24 +00:00			`log_cb.w = bak;`
Integrate with unified daemon 2017-04-15 18:29:42 +00:00			`}`