Commit Graph

310 Commits

Author SHA1 Message Date
Alex Richardson
fa32350347 close_range: add audit support
This fixes the closefrom test in sys/audit.

Includes cherry-picks of the following commits from openbsm:

4dfc628aaf
99ff6fe32a
da48a0399e

Reviewed By:	kevans
Differential Revision: https://reviews.freebsd.org/D28388
2021-02-23 17:47:07 +00:00
Mateusz Guzik
08a5615cfe audit: rework AUDIT_SYSCLOSE
This in particular avoids spurious lookups on close.
2020-12-17 18:52:04 +00:00
Mateusz Guzik
e5ecee7440 security: clean up empty lines in .c and .h files 2020-09-01 21:26:00 +00:00
Mateusz Guzik
feabaaf995 cache: drop the always curthread argument from reverse lookup routines
Note VOP_VPTOCNP keeps getting it as temporary compatibility for zfs.

Tested by:	pho
2020-08-24 08:57:02 +00:00
Mateusz Guzik
51ea7bea91 vfs: add VOP_STAT
The current scheme of calling VOP_GETATTR adds avoidable overhead.

An example with tmpfs doing fstat (ops/s):
before: 7488958
after:  7913833

Reviewed by:	kib (previous version)
Differential Revision:	https://reviews.freebsd.org/D25910
2020-08-07 23:06:40 +00:00
Mateusz Guzik
8e5679aa10 audit: provide AUDITING_TD for !AUDIT case 2020-07-04 06:21:20 +00:00
Christian S.J. Peron
757a564248 Add BSM record conversion for a number of syscalls:
- thr_kill(2) and thr_exit(2) generally (no argument auditing here.
- A set of syscalls for the process descriptor family, specifically:
  pdfork(2), pdgetpid(2) and pdkill(2)

  For these syscalls, audit the file descriptor. In the case of pdfork(2)
  a pointer to an integer (file descriptor) is passed in as an argument.
  We audit the post initialized file descriptor (not the random garbage
  that would have been passed in). We will also audit the child process
  which was created from the fork operation (similar to what is done for
  the fork(2) syscall).

  pdkill(2) we audit the signal value and fd, and finally pdgetpid(2)
  just the file descriptor:

- Following is a sample of the produced audit trails:

  header,111,11,pdfork(2),0,Sat May 16 03:07:50 2020, + 394 msec
  argument,0,0x39d,child PID
  argument,2,0x2,flags
  argument,1,0x8,fd
  subject,root,root,0,root,0,924,0,0,0.0.0.0
  return,success,925

  header,79,11,pdgetpid(2),0,Sat May 16 03:07:50 2020, + 394 msec
  argument,1,0x8,fd
  subject,root,root,0,root,0,924,0,0,0.0.0.0
  return,success,0
  trailer,79

  header,135,11,pdkill(2),0,Sat May 16 03:07:50 2020, + 395 msec
  argument,1,0x8,fd
  argument,2,0xf,signal
  process_ex,root,root,0,root,0,925,0,0,0.0.0.0
  subject,root,root,0,root,0,924,0,0,0.0.0.0
  return,success,0
  trailer,135

MFC after:      1 week
2020-05-16 03:45:15 +00:00
Kyle Evans
cc62118e65 audit_canon_path_vp: don't panic if cdir == NULL
cdir may have simply failed to resolve (e.g. fget_cap failure in namei
leading to NULL dp passed to AUDIT_ARG_UPATH*_VP); restore the pre-rS358191
behavior of setting cpath[0] = '\0' and bailing out instead of panicking.

This was found by inadvertently running the libc/c063 tests with auditing
enabled, resulting in a panic.

Reviewed by:	mjg (committed version actually his)
Differential Revision:	https://reviews.freebsd.org/D24445
2020-04-17 02:09:31 +00:00
Christian S.J. Peron
b1c170686c Make sure we convert internal audit records for thr_new
into BSM records.

MFC after:	2 weeks
2020-03-30 18:15:36 +00:00
Christian S.J. Peron
3580f3cfec In r358471, we interrupted the case block that would eventually lead
to the path related tokens not being processed. Restore this behavior and
and move AUE_JAIL_SET in this block, as it may conditionally contain a
path token.

Discovered by:	kevans
PR:	244537
Reviewed by:	kevans
Differential Revision:	https://reviews.freebsd.org/D23929
2020-03-03 01:46:35 +00:00
Mateusz Guzik
8d03b99b9d fd: move vnodes out of filedesc into a dedicated structure
The new structure is copy-on-write. With the assumption that path lookups are
significantly more frequent than chdirs and chrooting this is a win.

This provides stable root and jail root vnodes without the need to reference
them on lookup, which in turn means less work on globally shared structures.
Note this also happens to fix a bug where jail vnode was never referenced,
meaning subsequent access on lookup could run into use-after-free.

Reviewed by:	kib
Differential Revision:	https://reviews.freebsd.org/D23884
2020-03-01 21:53:46 +00:00
Christian S.J. Peron
1018b2ff00 Currently kernel audit events for jail_set(2), jail_get(2), jail_attach(2),
jail_remove(2) and finally setloginclass(2) are not being converted and
committed into userspace. Add the cases for these syscalls and make sure
they are being converted properly.

Reviewed by:	bz, kevans
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D23882
2020-02-29 19:17:24 +00:00
Pawel Biernacki
7029da5c36 Mark more nodes as CTLFLAG_MPSAFE or CTLFLAG_NEEDGIANT (17 of many)
r357614 added CTLFLAG_NEEDGIANT to make it easier to find nodes that are
still not MPSAFE (or already are but aren’t properly marked).
Use it in preparation for a general review of all nodes.

This is non-functional change that adds annotations to SYSCTL_NODE and
SYSCTL_PROC nodes using one of the soon-to-be-required flags.

Mark all obvious cases as MPSAFE.  All entries that haven't been marked
as MPSAFE before are by default marked as NEEDGIANT

Approved by:	kib (mentor, blanket)
Commented by:	kib, gallatin, melifaro
Differential Revision:	https://reviews.freebsd.org/D23718
2020-02-26 14:26:36 +00:00
Mateusz Guzik
7de6c5ebbd audit: provide audit_canon_path variant which accepts vnodes 2020-02-21 01:40:49 +00:00
Mateusz Guzik
9e826d32e8 audit: simplify path resolving logic 2020-02-21 01:40:20 +00:00
Mateusz Guzik
a1197bde68 audit: rely on use count instead of hold count in audit_canon_path 2020-02-21 01:39:51 +00:00
Mateusz Guzik
0573d0a9b8 vfs: add realpathat syscall
realpath(3) is used a lot e.g., by clang and is a major source of getcwd
and fstatat calls. This can be done more efficiently in the kernel.

This works by performing a regular lookup while saving the name and found
parent directory. If the terminal vnode is a directory we can resolve it using
usual means. Otherwise we can use the name saved by lookup and resolve the
parent.

See the review for sample syscall counts.

Reviewed by:	kib
Differential Revision:	https://reviews.freebsd.org/D23574
2020-02-20 16:58:19 +00:00
Mateusz Guzik
2f7292437d Merge audit and systrace checks
This further shortens the syscall routine by not having to re-check after
the system call.
2020-02-14 13:09:41 +00:00
Mateusz Guzik
0e84a878c0 Annotate branches in the syscall path
This in particular significantly shortens amd64_syscall, which otherwise
keeps jumping forward over 2KB of code in total.

Note some of these branches should be either eliminated altogether or
coalesced.
2020-02-14 13:08:46 +00:00
Mateusz Guzik
b249ce48ea vfs: drop the mostly unused flags argument from VOP_UNLOCK
Filesystems which want to use it in limited capacity can employ the
VOP_UNLOCK_FLAGS macro.

Reviewed by:	kib (previous version)
Differential Revision:	https://reviews.freebsd.org/D21427
2020-01-03 22:29:58 +00:00
David Bright
2d5603fe65 Jail and capability mode for shm_rename; add audit support for shm_rename
Co-mingling two things here:

  * Addressing some feedback from Konstantin and Kyle re: jail,
    capability mode, and a few other things
  * Adding audit support as promised.

The audit support change includes a partial refresh of OpenBSM from
upstream, where the change to add shm_rename has already been
accepted. Matthew doesn't plan to work on refreshing anything else to
support audit for those new event types.

Submitted by:	Matthew Bryan <matthew.bryan@isilon.com>
Reviewed by:	kib
Relnotes:	Yes
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D22083
2019-11-18 13:31:16 +00:00
Conrad Meyer
e2e050c8ef Extract eventfilter declarations to sys/_eventfilter.h
This allows replacing "sys/eventfilter.h" includes with "sys/_eventfilter.h"
in other header files (e.g., sys/{bus,conf,cpu}.h) and reduces header
pollution substantially.

EVENTHANDLER_DECLARE and EVENTHANDLER_LIST_DECLAREs were moved out of .c
files into appropriate headers (e.g., sys/proc.h, powernv/opal.h).

As a side effect of reduced header pollution, many .c files and headers no
longer contain needed definitions.  The remainder of the patch addresses
adding appropriate includes to fix those files.

LOCK_DEBUG and LOCK_FILE_LINE_ARG are moved to sys/_lock.h, as required by
sys/mutex.h since r326106 (but silently protected by header pollution prior
to this change).

No functional change (intended).  Of course, any out of tree modules that
relied on header pollution for sys/eventhandler.h, sys/lock.h, or
sys/mutex.h inclusion need to be fixed.  __FreeBSD_version has been bumped.
2019-05-20 00:38:23 +00:00
Kirk McKusick
88640c0e8b Create new EINTEGRITY error with message "Integrity check failed".
An integrity check such as a check-hash or a cross-correlation failed.
The integrity error falls between EINVAL that identifies errors in
parameters to a system call and EIO that identifies errors with the
underlying storage media. EINTEGRITY is typically raised by intermediate
kernel layers such as a filesystem or an in-kernel GEOM subsystem when
they detect inconsistencies. Uses include allowing the mount(8) command
to return a different exit value to automate the running of fsck(8)
during a system boot.

These changes make no use of the new error, they just add it. Later
commits will be made for the use of the new error number and it will
be added to additional manual pages as appropriate.

Reviewed by:    gnn, dim, brueffer, imp
Discussed with: kib, cem, emaste, ed, jilles
Differential Revision: https://reviews.freebsd.org/D18765
2019-01-17 06:35:45 +00:00
Mateusz Guzik
cc426dd319 Remove unused argument to priv_check_cred.
Patch mostly generated with cocinnelle:

@@
expression E1,E2;
@@

- priv_check_cred(E1,E2,0)
+ priv_check_cred(E1,E2)

Sponsored by:	The FreeBSD Foundation
2018-12-11 19:32:16 +00:00
Mateusz Guzik
e8451da5e8 audi: replace open-coded TDP_AUDITREC checks with the macro
Sponsored by:	The FreeBSD Foundation
2018-12-11 17:14:12 +00:00
Mateusz Guzik
c0282e1e07 audit: predict AUDITING_TD as false
By default it is compiled in and disabled.

Sponsored by:	The FreeBSD Foundation
2018-11-29 09:19:48 +00:00
Mateusz Guzik
159dcc30a5 audit: change audit_syscalls_enabled type to bool
So that it fits better in __read_frequently.

Sponsored by:	The FreeBSD Foundation
2018-11-29 08:37:33 +00:00
Brooks Davis
12e69f96a2 Add const to input-only char * arguments.
These arguments are mostly paths handled by NAMEI*() macros which already
take const char * arguments.

This change improves the match between syscalls.master and the public
declerations of system calls.

Reviewed by:	kib (prior version)
Obtained from:	CheriBSD
Sponsored by:	DARPA, AFRL
Differential Revision:	https://reviews.freebsd.org/D17812
2018-11-02 20:50:22 +00:00
Robert Watson
2ddefb6d5d Rework the logic around quick checks for auditing that take place at
system-call entry and whenever audit arguments or return values are
captured:

1. Expose a single global, audit_syscalls_enabled, which controls
   whether the audit framework is entered, rather than exposing
   components of the policy -- e.g., if the trail is enabled,
   suspended, etc.

2. Introduce a new function audit_syscalls_enabled_update(), which is
   called to update audit_syscalls_enabled whenever an aspect of the
   policy changes, so that the value can be updated.

3. Remove a check of trail enablement/suspension from audit_new() --
   at the point where this function has been entered, we believe that
   system-call auditing is already in force, or we wouldn't get here,
   so simply proceed to more expensive policy checks.

4. Use an audit-provided global, audit_dtrace_enabled, rather than a
   dtaudit-provided global, to provide policy indicating whether
   dtaudit would like system calls to be audited.

5. Do some minor cosmetic renaming to clarify what various variables
   are for.

These changes collectively arrange it so that traditional audit
(trail, pipes) or the DTrace audit provider can enable system-call
probes without the other configured.  Otherwise, dtaudit cannot
capture system-call data without auditd(8) started.

Reviewed by:		gnn
Sponsored by:		DARPA, AFRL
Approved by:		re (gjb)
Differential Revision:	https://reviews.freebsd.org/D17348
2018-10-02 15:58:17 +00:00
Robert Watson
deea362c80 The kernel DTrace audit provider (dtaudit) relies on auditd(8) to load
/etc/security/audit_event to provide a list of audit event-number <->
name mappings.  However, this occurs too late for anonymous tracing.
With this change, adding 'audit_event_load="YES"' to /boot/loader.conf
will cause the boot loader to preload the file, and then the kernel
audit code will parse it to register an initial set of audit event-number
<-> name mappings.  Those mappings can later be updated by auditd(8) if
the configuration file changes.

Reviewed by:	gnn, asomers, markj, allanjude
Discussed with:	jhb
Approved by:	re (kib)
MFC after:	1 week
Sponsored by:	DARPA, AFRL
Differential Revision:	https://reviews.freebsd.org/D16589
2018-09-03 14:26:43 +00:00
Andriy Gapon
dc8240f0da fix incorrect operator in the AUDITPIPE_SET_QLIMIT bounds check
PR:		229983
Submitted by:	Aniket Pandey <aniketp@iitk.ac.in>
Reported by:	Aniket Pandey <aniketp@iitk.ac.in>
MFC after:	1 week
2018-07-23 16:56:49 +00:00
Alan Somers
12395dc9f6 Fix audit of chflagsat, lgetfh, and setfib
These syscalls were always supposed to have been auditted, but due to
oversights never were.

PR:		228374
Reported by:	aniketp
Reviewed by:	aniketp
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D16388
2018-07-22 14:11:52 +00:00
Alan Somers
f7c188aeeb auditon(2): fix A_SETPOLICY with 64-bit values
A_SETPOLICY is supposed to work with either 64 or 32-bit values, but due to a
typo the 64-bit version has never worked correctly.

Submitted by:	aniketp
Reviewed by:	asomers, cem
MFC after:	2 weeks
Sponsored by:	Google, Inc. (GSoC 2018)
Differential Revision:	https://reviews.freebsd.org/D16222
2018-07-15 21:10:19 +00:00
Alan Somers
ebc0d5599d audit(4): fix the definition of ARG_TERMID_ADDR
Due to a copy/paste error in r168688, ARG_TERMID_ADDR has the same
definition as ARG_SADDRUNIX.  Fix it.

The header change, while publicly visible, is guarded by #ifdef KERNEL, and
I can't find any kmod ports that use it.  So I'm not bumping
__FreeBSD_version.

PR:		228820
Submitted by:	aniketp
Sponsored by:	Google, Inc. (GSoC 2018)
Differential Revision:	https://reviews.freebsd.org/D15702
2018-06-13 14:55:31 +00:00
Alan Somers
1c97d64332 #include <bsm/audit.h> in security/audit/audit_ioctl.h
security/audit/audit_ioctl.h uses a type from bsm/audit.h, so needs to
include it.  And it needs to know the type's size, so it can't just
forward-declare.

PR:		228470
Submitted by:	aniketp
MFC after:	2 weeks
Sponsored by:	Google, Inc. (GSoC 2018)
Differential Revision:	https://reviews.freebsd.org/D15561
2018-05-30 21:50:23 +00:00
Alan Somers
cb3d7cd839 Fix "Bad tailq" panic when auditing auditon(A_SETCLASS, ...)
Due to an oversight in r195280, auditon(A_SETCLASS, ...) would cause a tailq
element to get added to the tailq twice, resulting in a circular tailq. This
panics when INVARIANTS are on.

MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D15381
2018-05-28 20:47:39 +00:00
Alan Somers
b521cf275c audit(4): fix a typo in a comment
no functional change
2018-03-17 17:56:08 +00:00
Pedro F. Giffuni
51369649b0 sys: further adoption of SPDX licensing ID tags.
Mainly focus on files that use BSD 3-Clause license.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.

Special thanks to Wind River for providing access to "The Duke of
Highlander" tool: an older (2014) run over FreeBSD tree was useful as a
starting point.
2017-11-20 19:43:44 +00:00
Mateusz Guzik
574adb65c8 Sprinkle __read_frequently on few obvious places.
Note that some of annotated variables should probably change their types
to something smaller, preferably bit-sized.
2017-09-06 20:33:33 +00:00
Konstantin Belousov
6992112349 Commit the 64-bit inode project.
Extend the ino_t, dev_t, nlink_t types to 64-bit ints.  Modify
struct dirent layout to add d_off, increase the size of d_fileno
to 64-bits, increase the size of d_namlen to 16-bits, and change
the required alignment.  Increase struct statfs f_mntfromname[] and
f_mntonname[] array length MNAMELEN to 1024.

ABI breakage is mitigated by providing compatibility using versioned
symbols, ingenious use of the existing padding in structures, and
by employing other tricks.  Unfortunately, not everything can be
fixed, especially outside the base system.  For instance, third-party
APIs which pass struct stat around are broken in backward and
forward incompatible ways.

Kinfo sysctl MIBs ABI is changed in backward-compatible way, but
there is no general mechanism to handle other sysctl MIBS which
return structures where the layout has changed. It was considered
that the breakage is either in the management interfaces, where we
usually allow ABI slip, or is not important.

Struct xvnode changed layout, no compat shims are provided.

For struct xtty, dev_t tty device member was reduced to uint32_t.
It was decided that keeping ABI compat in this case is more useful
than reporting 64-bit dev_t, for the sake of pstat.

Update note: strictly follow the instructions in UPDATING.  Build
and install the new kernel with COMPAT_FREEBSD11 option enabled,
then reboot, and only then install new world.

Credits: The 64-bit inode project, also known as ino64, started life
many years ago as a project by Gleb Kurtsou (gleb).  Kirk McKusick
(mckusick) then picked up and updated the patch, and acted as a
flag-waver.  Feedback, suggestions, and discussions were carried
by Ed Maste (emaste), John Baldwin (jhb), Jilles Tjoelker (jilles),
and Rick Macklem (rmacklem).  Kris Moore (kris) performed an initial
ports investigation followed by an exp-run by Antoine Brodin (antoine).
Essential and all-embracing testing was done by Peter Holm (pho).
The heavy lifting of coordinating all these efforts and bringing the
project to completion were done by Konstantin Belousov (kib).

Sponsored by:	The FreeBSD Foundation (emaste, kib)
Differential revision:	https://reviews.freebsd.org/D10439
2017-05-23 09:29:05 +00:00
Robert Watson
709557d903 Break audit_bsm_klib.c into two files: one (audit_bsm_klib.c)
retaining various utility functions used during BSM generation,
and a second (audit_bsm_db.c) that contains the various in-kernel
databases supporting various audit activities (the class and
event-name tables).

(No functional change is intended.)

Obtained from:	TrustedBSD Project
MFC after:	3 weeks
Sponsored by:	DARPA, AFRL
2017-04-03 10:15:58 +00:00
Robert Watson
475e1fc01f Correct macro names and signatures for !AUDIT versions of canonical
path auditing.

Obtained from:	TrustedBSD Project
MFC after:	3 weeks
Sponsored by:	DARPA, AFRL
2017-03-31 14:13:13 +00:00
Robert Watson
15bcf785ba Audit arguments to POSIX message queues, semaphores, and shared memory.
This requires minor changes to the audit framework to allow capturing
paths that are not filesystem paths (i.e., will not be canonicalised
relative to the process current working directory and/or filesystem
root).

Obtained from:	TrustedBSD Project
MFC after:	3 weeks
Sponsored by:	DARPA, AFRL
2017-03-31 13:43:00 +00:00
Robert Watson
1c2da02938 Audit arguments to System V IPC system calls implementing sempahores,
message queues, and shared memory.

Obtained from:	TrustedBSD Project
MFC after:	3 weeks
Sponsored by:	DARPA, AFRL
2017-03-30 22:26:15 +00:00
Robert Watson
b65ec5e523 Various BSM generation improvements when auditing AUE_ACCEPT,
AUE_PROCCTL, AUE_SENDFILE, AUE_ACL_*, and AUE_POSIX_FALLOCATE.
Audit AUE_SHMUNLINK path in the path token rather than as a
text string, and AUE_SHMOPEN flags as an integer token rather
than a System V IPC address token.

Obtained from:	TrustedBSD Project
MFC after:	3 weeks
Sponsored by:	DARPA, AFRL
2017-03-30 21:39:03 +00:00
Robert Watson
7cad64f796 Don't ifdef KDTRACE_HOOKS struct, variable, and function prototype
definitions for the DTrace audit provider, so that the dtaudit module
can compile in the absence of kernel DTrace support.  This doesn't
really make run-time sense (since the binary dependencies for the
module won't be present), but it allows the dtaudit module to compile
successfully regardless of the kernel configuration.

MFC after:	3 weeks
Sponsored by:	DARPA, AFRL
Reported by:	kib
2017-03-30 12:35:56 +00:00
Robert Watson
b783025921 When handling msgsys(2), semsys(2), and shmsys(2) multiplex system calls,
map the 'which' argument into a suitable audit event identifier for the
specific operation requested.

Obtained from:	TrustedBSD Project
MFC after:	3 weeks
Sponsored by:	DARPA, AFRL
2017-03-29 23:31:35 +00:00
Robert Watson
1811d6bf7f Add an experimental DTrace audit provider, which allows users of DTrace to
instrument security event auditing rather than relying on conventional BSM
trail files or audit pipes:

- Add a set of per-event 'commit' probes, which provide access to
  particular auditable events at the time of commit in system-call return.
  These probes gain access to audit data via the in-kernel audit_record
  data structure, providing convenient access to system-call arguments and
  return values in a single probe.

- Add a set of per-event 'bsm' probes, which provide access to particular
  auditable events at the time of BSM record generation in the audit
  worker thread. These probes have access to the in-kernel audit_record
  data structure and BSM representation as would be written to a trail
  file or audit pipe -- i.e., asynchronously in the audit worker thread.

DTrace probe arguments consist of the name of the audit event (to support
future mechanisms of instrumenting multiple events via a single probe --
e.g., using classes), a pointer to the in-kernel audit record, and an
optional pointer to the BSM data and its length. For human convenience,
upper-case audit event names (AUE_...) are converted to lower case in
DTrace.

DTrace scripts can now cause additional audit-based data to be collected
on system calls, and inspect internal and BSM representations of the data.
They do not affect data captured in the audit trail or audit pipes
configured in the system. auditd(8) must be configured and running in
order to provide a database of event information, as well as other audit
configuration parameters (e.g., to capture command-line arguments or
environmental variables) for the provider to operate.

Reviewed by:	gnn, jonathan, markj
Sponsored by:	DARPA, AFRL
MFC after:	3 weeks
Differential Revision:	https://reviews.freebsd.org/D10149
2017-03-29 19:58:00 +00:00
Robert Watson
759c8caa5a Introduce an audit event identifier -> audit event name mapping
database in the kernel audit implementation, similar the exist
class mapping database.  This will be used by the DTrace audit
provider to map audit event identifiers originating in the
system-call table back into strings for the purposes of setting
probe names.  The database is initialised and maintained by
auditd(8), which reads values in from the audit_events
configuration file, and then manages them using the A_GETEVENT
and A_SETEVENT auditon(2) operations.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, AFRL
MFC after:	3 weeks
2017-03-27 10:38:53 +00:00
Robert Watson
d422682f67 Extend comment describing path canonicalisation in audit.
Sponsored by:	DARPA, AFRL
Obtained from:	TrustedBSD Project
MFC after:	3 days
2017-03-27 08:29:17 +00:00