MINI Sh3ll

Path : /var/lib/snapd/apparmor/profiles/

Current File : //var/lib/snapd/apparmor/profiles/snap-confine.snapd.23771

# Author: Jamie Strandboge <[email protected]>
#include <tunables/global>
#include if exists "/etc/apparmor.d/tunables/home.d/"

@{SNAP_MOUNT_DIR_LIST}="{,/var/lib/snapd}/snap"

/snap/snapd/23771/usr/lib/snapd/snap-confine (attach_disconnected) {
    # Include any additional files that snapd chose to generate.
    # - for $HOME on remote file system.
    # - for $HOME on encrypted media
    #
    # Those are discussed on https://forum.snapcraft.io/t/snapd-vs-upstream-kernel-vs-apparmor
    # and https://forum.snapcraft.io/t/snaps-and-nfs-home/
    #include "/var/lib/snapd/apparmor/snap-confine.internal"

    # We run privileged, so be fanatical about what we include and don't use
    # any abstractions
    /etc/ld.so.cache r,
    /etc/ld.so.preload r,

    # Do not assume that the interpreter is always named like
    # ld-linux-x86_64.so, as on some architectures there can be a version after
    # the .so suffix, eg. ld-linux-aarch64.so.1
    /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld{-*,64}.so* mrix,
    # libc, you are funny
    /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]*}.so* mr,
    /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]*}.so* mr,
    /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]*}.so* mr,
    /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}librt{,-[0-9]*}.so* mr,
    /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr,
    /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]*}.so* mr,
    /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libresolv{,-[0-9]*}.so* mr,
    /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr,
    /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre{,2}{,-[0-9]*}.so* mr,
    /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libmount.so* mr,
    /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libblkid.so* mr,
    /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libuuid.so* mr,
    # normal libs in order
    /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr,
    /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr,
    /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libdl{,-[0-9]*}.so* mr,
    /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so* mr,
    /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so* mr,
    /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so* mr,
    /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libudev.so* mr,
    /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libseccomp.so* mr,
    /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcap.so* mr,

    /snap/snapd/23771/usr/lib/snapd/snap-confine mr,

    # This rule is needed when executing from a "base: core" devmode snap on 
    # UC18 and newer where the /snap/snapd/23771/usr/lib/snapd/snap-confine inside the 
    # "base: core" mount namespace always comes from the snapd snap, and thus
    # we will execute snap-confine via this path, and thus need to be able to
    # read this path when executing. It's also necessary on classic where both
    # the snapd and the core snap are installed at the same time.
    # TODO: remove this rule when we stop supporting executing other snaps from
    # inside devmode snaps, ideally even in the short term we would only include
    # this rule on core only, and specifically uc18 and newer where we need it
    /usr/lib/snapd/snap-confine mr,

    /dev/null rw,
    /dev/full rw,
    /dev/zero rw,
    /dev/random r,
    /dev/urandom r,
    /dev/pts/[0-9]* rw,
    /dev/tty rw,

    # SNAP_MOUNT_DIR probe logic
    /proc/1/root/snap r,

    # cgroup: devices
    capability sys_admin,
    capability dac_read_search,
    capability dac_override,
    /sys/fs/cgroup/ r,
    /sys/fs/cgroup/devices/ r,
    /sys/fs/cgroup/devices/snap.*/ rw,
    /sys/fs/cgroup/devices/snap.*/cgroup.procs w,
    /sys/fs/cgroup/devices/snap.*/devices.{allow,deny} w,

    # cgroup: freezer
    # Allow creating per-snap cgroup freezers and adding snap command (task)
    # invocations to the freezer. This allows for reliably enumerating all
    # running processes for the snap. In addition, allow enumerating processes
    # in the cgroup to determine if it is occupied.
    /sys/fs/cgroup/freezer/ r,
    /sys/fs/cgroup/freezer/snap.*/ w,
    /sys/fs/cgroup/freezer/snap.*/cgroup.procs rw,
    /sys/fs/cgroup/ r,
    /sys/fs/cgroup/** r,

    # cgroup: reading own cgroup
    @{PROC}/@{pid}/cgroup r,

    # cgroup: manage bpf map for device cgroup
    /sys/fs/bpf/ r,
    /sys/fs/bpf/snap/ rw,
    /sys/fs/bpf/snap/* rw,
    # s-c may need to raise the memlock limit
    capability sys_resource,

    # querying udev
    /etc/udev/udev.conf r,
    /sys/**/uevent r,
    /run/udev/** rw,
    /{,usr/}bin/tr ixr,
    /usr/lib/locale/** r,
    /usr/lib/@{multiarch}/gconv/gconv-modules r,
    /usr/lib/@{multiarch}/gconv/gconv-modules.cache r,

    # priv dropping
    capability setuid,
    capability setgid,

    # changing profile
    @{PROC}/[0-9]*/attr/{,apparmor/}exec w,
    # Reading current profile
    @{PROC}/[0-9]*/attr/{,apparmor/}current r,
    # Reading available filesystems
    @{PROC}/filesystems r,

    # To find where apparmor is mounted
    @{PROC}/[0-9]*/mounts r,
    # To find if apparmor is enabled
    /sys/module/apparmor/parameters/enabled r,

    # For detecting if we're in a container
    /run/systemd/container r,

    # Don't allow changing profile to unconfined or profiles that start with
    # '/'. Use 'unsafe' to support snap-exec on armhf and its reliance on
    # the environment for determining the capabilities of the architecture.
    # 'unsafe' is ok here because the kernel will have already cleared the
    # environment as part of launching snap-confine with CAP_SYS_ADMIN. This
    # does leave directories as configured by ld.so.preload as well as
    # LD_PRELOAD to be set to a library which is in a directory configured by
    # ld.so.conf, but access to those locations is mediated by this profile
    # (which requires rules for specific locations).
    # TODO: use GenerateAAREExclusionPatterns for this, though the first
    # rule and the fact that the generative aspect is not an absolute filepath
    # complicate using that function directly
    change_profile unsafe /** -> [^u/]**,
    change_profile unsafe /** -> u[^n]**,
    change_profile unsafe /** -> un[^c]**,
    change_profile unsafe /** -> unc[^o]**,
    change_profile unsafe /** -> unco[^n]**,
    change_profile unsafe /** -> uncon[^f]**,
    change_profile unsafe /** -> unconf[^i]**,
    change_profile unsafe /** -> unconfi[^n]**,
    change_profile unsafe /** -> unconfin[^e]**,
    change_profile unsafe /** -> unconfine[^d]**,
    change_profile unsafe /** -> unconfined?**,

    # allow changing to a few not caught above
    change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},

    # LP: #1446794 - when this bug is fixed, change the above to:
    # deny change_profile unsafe /** -> {unconfined,/**},
    # change_profile unsafe /** -> **,

    # reading seccomp filters.
    # Note 1: We still need to consider .bin extension because of global.bin file.
    # Note 2: This rule is not needed because of rule '/var/lib/** rw', however we keep it because at
    # some point we want to investigate if we can narrow the scope of the aforementioned rule.
    /{tmp/snap.rootfs_*/,}var/lib/snapd/seccomp/bpf/*.bin{,2} r,

    # adding a missing bpf mount
    mount fstype=bpf options=(rw) bpf -> /sys/fs/bpf/,

    # For mounting base dir by dir (write dirs and mount on them)
    /tmp/snap.rootfs_** rw,
    mount options=(remount ro) -> /tmp/snap.rootfs_*/,
    mount options=(rw rbind) @{SNAP_MOUNT_DIR_LIST}/*/*/**/ -> /tmp/snap.rootfs_**/,
    # For mounting individual files
    mount options=(rw bind) @{SNAP_MOUNT_DIR_LIST}/*/*/** -> /tmp/snap.rootfs_*/**,
    mount options=(rw rslave) -> /tmp/snap.rootfs_**/,
    # Allow mounting dirs from /
    mount options=(rw rbind) /*/ -> /tmp/snap.rootfs_**/,

    # LP: #1668659 and parallel instances of classic snaps
    mount options=(rw rbind) /snap/ -> /snap/,
    mount options=(rw rshared) -> /snap/,
    mount options=(rw rbind) /var/lib/snapd/snap/ -> /var/lib/snapd/snap/,
    mount options=(rw rshared) -> /var/lib/snapd/snap/,

    # boostrapping the mount namespace
    /tmp/snap.rootfs_*/ rw,
    mount fstype=tmpfs none -> /tmp/snap.rootfs_*/,
    mount options=(rw rshared) -> /,
    mount options=(rw bind) /tmp/snap.rootfs_*/ -> /tmp/snap.rootfs_*/,
    mount options=(rw unbindable) -> /tmp/snap.rootfs_*/,
    # the next line is for classic system
    mount options=(rw rbind) @{SNAP_MOUNT_DIR_LIST}/*/*/ -> /tmp/snap.rootfs_*/,
    # the next line is for core system
    mount options=(rw rbind) / -> /tmp/snap.rootfs_*/,
    # all of the constructed rootfs is a rslave
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/,
    # bidirectional mounts (for both classic and core)
    # NOTE: this doesn't capture the MERGED_USR configuration option so that
    # when a distro with merged /usr and / that uses apparmor shows up it
    # should be handled here.
    /{,run/}media/ w,
    mount options=(rw rbind) /{,run/}media/ -> /tmp/snap.rootfs_*/{,run/}media/,
    /run/netns/ w,
    mount options=(rw rbind) /run/netns/ -> /tmp/snap.rootfs_*/run/netns/,
    # unidirectional mounts (only for classic system)
    mount options=(rw rbind) /dev/ -> /tmp/snap.rootfs_*/dev/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/dev/,

    mount options=(rw rbind) /etc/ -> /tmp/snap.rootfs_*/etc/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/etc/,

    mount options=(rw rbind) /home/ -> /tmp/snap.rootfs_*/home/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/home/,

    mount options=(rw rbind) /root/ -> /tmp/snap.rootfs_*/root/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/root/,

    mount options=(rw rbind) /proc/ -> /tmp/snap.rootfs_*/proc/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/proc/,

    mount options=(rw rbind) /sys/ -> /tmp/snap.rootfs_*/sys/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/sys/,

    mount options=(rw rbind) /tmp/ -> /tmp/snap.rootfs_*/tmp/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/tmp/,

    mount options=(rw rbind) /var/lib/dhcp/ -> /tmp/snap.rootfs_*/var/lib/dhcp/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/dhcp/,

    mount options=(rw rbind) /var/lib/snapd/ -> /tmp/snap.rootfs_*/var/lib/snapd/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/snapd/,

    mount options=(rw rbind) /var/snap/ -> /tmp/snap.rootfs_*/var/snap/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/snap/,

    mount options=(rw rbind) /var/tmp/ -> /tmp/snap.rootfs_*/var/tmp/,
    # /var/volatile is the default volatile location on Yocto/Poky, typically used with read-only rootfs setups
    mount options=(rw rbind) /var/volatile/tmp/ -> /tmp/snap.rootfs_*/var/tmp/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/tmp/,

    mount options=(rw rbind) /run/ -> /tmp/snap.rootfs_*/run/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/run/,

    mount options=(rw rbind) /var/lib/extrausers/ -> /tmp/snap.rootfs_*/var/lib/extrausers/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/extrausers/,

    mount options=(rw rbind) {,/usr}/lib{,32,64,x32}/modules/ -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,

    mount options=(rw rbind) {,/usr}/lib{,32,64,x32}/firmware/ -> /tmp/snap.rootfs_*{,/usr}/lib/firmware/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*{,/usr}/lib/firmware/,

    mount options=(rw rbind) /var/log/ -> /tmp/snap.rootfs_*/var/log/,
    # /var/volatile is the default volatile location on Yocto/Poky, typically used with read-only rootfs setups
    mount options=(rw rbind) /var/volatile/log/ -> /tmp/snap.rootfs_*/var/log/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/log/,

    mount options=(rw rbind) /usr/src/ -> /tmp/snap.rootfs_*/usr/src/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/usr/src/,

    mount options=(rw rbind) /mnt/ -> /tmp/snap.rootfs_*/mnt/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/mnt/,

    # allow making host snap-exec available inside base snaps
    mount options=(rw bind) /usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/,
    mount options=(rw slave) -> /tmp/snap.rootfs_*/usr/lib/snapd/,

    # allow making re-execed host snap-exec available inside base snaps
    mount options=(ro bind) @{SNAP_MOUNT_DIR_LIST}/core/*/usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/,
    # allow making snapd snap tools available inside base snaps
    mount options=(ro bind) @{SNAP_MOUNT_DIR_LIST}/snapd/*/usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/,

    mount options=(rw bind) /usr/bin/snapctl -> /tmp/snap.rootfs_*/usr/bin/snapctl,
    mount options=(rw slave) -> /tmp/snap.rootfs_*/usr/bin/snapctl,

    # /etc/alternatives (classic and normal mode)
    mount options=(rw bind) @{SNAP_MOUNT_DIR_LIST}/*/*/etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/,
    mount options=(rw bind) @{SNAP_MOUNT_DIR_LIST}/*/*/etc/ssl/ -> /tmp/snap.rootfs_*/etc/ssl/,
    mount options=(rw bind) @{SNAP_MOUNT_DIR_LIST}/*/*/etc/nsswitch.conf -> /tmp/snap.rootfs_*/etc/nsswitch.conf,
    mount options=(rw bind) @{SNAP_MOUNT_DIR_LIST}/*/*/etc/apparmor/ -> /tmp/snap.rootfs_*/etc/apparmor/,
    mount options=(rw bind) @{SNAP_MOUNT_DIR_LIST}/*/*/etc/apparmor.d/ -> /tmp/snap.rootfs_*/etc/apparmor.d/,

    # /etc/alternatives (core/legacy mode)
    mount options=(rw bind) /etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/,

    # making all those directories slave shared.
    mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/alternatives/,
    mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/ssl/,
    mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/nsswitch.conf,
    mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/apparmor/,
    mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/apparmor.d/,

    # the /snap directory
    mount options=(rw rbind) @{SNAP_MOUNT_DIR_LIST}/ -> /tmp/snap.rootfs_*/snap/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/snap/,
    # pivot_root preparation and execution
    mount options=(rw bind) /tmp/snap.rootfs_*/var/lib/snapd/hostfs/ -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/,
    mount options=(rw private) -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/,

    # pivot_root mediation in AppArmor is not complete. See LP: #1791711.
    # However, we can mediate the new_root and put_old to be what we expect,
    # and then deny directory creation within old_root to prevent trivial
    # pivoting into an allowlisted path.
    pivot_root oldroot=/tmp/snap.rootfs_*/var/lib/snapd/hostfs/ /tmp/snap.rootfs_*/,
    # Explicitly deny creating the old_root directory in case it is
    # inadvertently added somewhere else. While this doesn't resolve
    # LP: #1791711, it provides some hardening.
    # For dir on dir mounts, we do need write permissions in /var though
    audit deny /tmp/snap.rootfs_*/{var/lib/,var/lib/snapd/,var/lib/snapd/hostfs/} w,

    # cleanup
    umount /var/lib/snapd/hostfs/tmp/snap.rootfs_*/,
    umount /var/lib/snapd/hostfs/sys/,
    umount /var/lib/snapd/hostfs/dev/,
    umount /var/lib/snapd/hostfs/proc/,
    mount options=(rw rslave) -> /var/lib/snapd/hostfs/,

    # Hide /writable from view of snaps.
    mount options=(rprivate) -> /{,var/lib/snapd/hostfs/}writable/,
    umount /{,var/lib/snapd/hostfs/}writable/,

    # set up user mount namespace
    mount options=(rslave) -> /,

    # set up mount namespace for parallel instances of classic snaps
    mount options=(rw rbind) @{SNAP_MOUNT_DIR_LIST}/{,*/} -> @{SNAP_MOUNT_DIR_LIST}/{,*/},
    mount options=(rslave) -> @{SNAP_MOUNT_DIR_LIST}/,
    mount options=(rslave) -> /var/snap/,
    mount options=(rw rbind) /var/snap/{,*/} -> /var/snap/{,*/},
    mount options=(rw rshared) -> /var/snap/,

    # Allow reading the os-release file (possibly a symlink to /usr/lib).
    /{etc/,usr/lib/}os-release r,

    # Allow creating /var/lib/snapd/hostfs, if missing
    /var/lib/snapd/hostfs/ rw,

    # set up snap-specific private /tmp dir
    capability chown,
    /tmp/ rw,
    /tmp/snap-private-tmp/ rw,
    /tmp/snap-private-tmp/snap.*/ rw,
    /tmp/snap-private-tmp/snap.*/tmp/ rw,
    mount options=(rw private) ->  /tmp/,
    mount options=(rw bind) /tmp/snap-private-tmp/snap.*/tmp/ -> /tmp/,
    mount fstype=devpts options=(rw) devpts -> /dev/pts/,
    mount options=(rw bind) /dev/pts/ptmx -> /dev/ptmx,     # for bind mounting
    mount options=(rw bind) /dev/pts/ptmx -> /dev/pts/ptmx, # for bind mounting under LXD
    # Workaround for LP: #1584456 on older kernels that mistakenly think
    # /dev/pts/ptmx needs a trailing '/'
    mount options=(rw bind) /dev/pts/ptmx/ -> /dev/ptmx/,
    mount options=(rw bind) /dev/pts/ptmx/ -> /dev/pts/ptmx/,

    # for running snaps on classic
    /snap/ r,
    /snap/** r,
    @{SNAP_MOUNT_DIR_LIST}/ r,
    @{SNAP_MOUNT_DIR_LIST}/** r,

    # NOTE: at this stage the /snap directory is stable as we have called
    # pivot_root already.

    # nvidia handling, glob needs /usr/** and the launcher must be
    # able to bind mount the nvidia dir
    /sys/module/nvidia/version r,
    /sys/**/drivers/nvidia{,_*}/* r,
    /sys/**/nvidia*/uevent r,
    /sys/module/nvidia{,_*}/* r,
    /dev/nvidia[0-9]* r,
    /dev/nvidiactl r,
    /dev/nvidia-uvm r,
    /usr/** r,
    mount options=(rw bind) /usr/lib{,32}/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl{,32}/,
    mount options=(rw bind) /usr/lib{,32}/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl{,32}/,
    /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/{,*} w,
    mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/,
    mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/,

    # Vulkan support
    /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/{,*} w,
    mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/,
    mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/,

    # GLVND EGL vendor
    /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/{,*} w,
    mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/,
    mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/,

    # create gl dirs as needed
    /tmp/snap.rootfs_*/ r,
    /tmp/snap.rootfs_*/var/ r,
    /tmp/snap.rootfs_*/var/lib/ r,
    /tmp/snap.rootfs_*/var/lib/snapd/ r,
    /tmp/snap.rootfs_*/var/lib/snapd/lib/ r,
    /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/ r,
    /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/** rw,
    /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/ r,
    /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/** rw,
    /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/ r,
    /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/** rw,

    # for chroot on steroids, we use pivot_root as a better chroot that makes
    # apparmor rules behave the same on classic and outside of classic.

    # for creating the user data directories: ~/snap, ~/snap/<name> and
    # ~/snap/<name>/<version>
    / r,
    @{HOMEDIRS}/ r,
    # These should both have 'owner' match but due to LP: #1466234, we can't
    # yet
    @{HOME}/ r,
    @{HOME}/snap/{,*/,*/*/} rw,

    # experimental
    @{HOME}/.snap/                rw,
    @{HOME}/.snap/data/{,*/,*/*/} rw,
    @{HOME}/Snap/{,*/,*/*/}       rw,

    # Special case for *classic* snaps that are used by users with existing dirs
    # in /var/lib/. Like jenkins, postgresql, mysql, puppet, ...
    # (see https://forum.snapcraft.io/t/9717)
    # TODO: this can be removed once we support home-dirs outside of /home
    #       better
    /var/ r,
    /var/lib/ r,
    # These should both have 'owner' match but due to LP: #1466234, we can't
    # yet
    /var/lib/*/ r,
    /var/lib/*/snap/{,*/,*/*/} rw,

    # for creating the user shared memory directories
    /{dev,run}/{,shm/} r,
    # This should both have 'owner' match but due to LP: #1466234, we can't yet
    /{dev,run}/shm/{,*/,*/*/} rw,

    # for creating the user XDG_RUNTIME_DIR: /run/user, /run/user/UID and
    # /run/user/UID/<name>
    /run/user/{,[0-9]*/,[0-9]*/*/} rw,

    # Workaround https://launchpad.net/bugs/359338 until upstream handles
    # stacked filesystems generally.
    # encrypted ~/.Private and old-style encrypted $HOME
    @{HOME}/.Private/ r,
    @{HOME}/.Private/** mrwlk,
    # new-style encrypted $HOME
    @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
    @{HOMEDIRS}/.ecryptfs/*/.Private/** mrwlk,

    # Allow snap-confine to move to the void, creating it if necessary.
    /var/lib/snapd/void/ rw,

    # Allow snap-confine to read snap contexts
    /var/lib/snapd/context/snap.* r,

    # Allow snap-confine to unmount stale mount namespaces.
    umount /run/snapd/ns/*.mnt,
    /run/snapd/ns/snap.*.fstab w,
    # Allow snap-confine to read and write mount namespace information files.
    /run/snapd/ns/snap.*.info rw,
    # Required to correctly unmount bound mount namespace.
    # See LP: #1735459 for details.
    umount /,

    # support for locking
    /run/snapd/lock/ rw,
    /run/snapd/lock/*.lock rwk,

    # support for the mount namespace sharing
    capability sys_ptrace,
    # allow snap-confine to read /proc/1/ns/mnt
    ptrace read peer=unconfined,
    # https://forum.snapcraft.io/t/custom-kernel-error-on-readlinkat-in-mount-namespace/6097/21
    ptrace trace peer=unconfined,

    mount options=(rw rbind) /run/snapd/ns/ -> /run/snapd/ns/,
    mount options=(private) -> /run/snapd/ns/,
    / rw,
    /run/ rw,
    /run/snapd/ rw,
    /run/snapd/ns/ rw,
    /run/snapd/ns/*.lock rwk,
    /run/snapd/ns/*.mnt rw,
    ptrace (read, readby, tracedby) peer=/snap/snapd/23771/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,
    @{PROC}/*/mountinfo r,
    capability sys_chroot,
    capability sys_admin,
    signal (send, receive) set=(abrt) peer=/snap/snapd/23771/usr/lib/snapd/snap-confine,
    signal (send) set=(int) peer=/snap/snapd/23771/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,
    signal (send, receive) set=(int, alrm, exists) peer=/snap/snapd/23771/usr/lib/snapd/snap-confine,
    signal (receive) set=(exists) peer=/snap/snapd/23771/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,

    # workaround for linux 4.13/upstream, see
    # https://forum.snapcraft.io/t/snapd-2-27-6-2-in-debian-sid-blocked-on-apparmor-in-kernel-4-13-0-1/2813/3
    ptrace (trace, tracedby) peer=/snap/snapd/23771/usr/lib/snapd/snap-confine,

    # Allow reading snap cookies.
    /var/lib/snapd/cookie/snap.* r,

    # For aa_change_hat() to go into ^mount-namespace-capture-helper
    @{PROC}/[0-9]*/attr/{,apparmor/}current w,

    # As a special exception allow snap-confine to write to anything in /var/lib.
    # This code should be changed to allow delegation so that snap-confine can
    # inherit any file descriptor and pass it to the invoked application but
    # this is not possible in apparmor yet.
    # See https://bugs.launchpad.net/snapd/+bug/1815869
    /var/lib/** rw,

    ^mount-namespace-capture-helper (attach_disconnected) {
        # We run privileged, so be fanatical about what we include and don't use
        # any abstractions
        /etc/ld.so.cache r,
        /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld{-*,64}.so* mrix,
        # libc, you are funny
        /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]*}.so* mr,
        /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]*}.so* mr,
        /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]*}.so* mr,
        /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}librt{,-[0-9]*}.so* mr,
        /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr,
        /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]*}.so* mr,
        /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libresolv{,-[0-9]*}.so* mr,
        /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr,
        /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre.so* mr,
        /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libmount.so* mr,
        /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libblkid.so* mr,
        /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libuuid.so* mr,
        # normal libs in order
        /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr,
        /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr,
        /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libdl{,-[0-9]*}.so* mr,
        /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so* mr,
        /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so* mr,
        /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so* mr,
        /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libudev.so* mr,
        /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libseccomp.so* mr,
        /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcap.so* mr,

        /snap/snapd/23771/usr/lib/snapd/snap-confine mr,

        /dev/null rw,
        /dev/full rw,
        /dev/zero rw,
        /dev/random r,
        /dev/urandom r,

        capability sys_ptrace,
        capability sys_admin,
        # This allows us to read and bind mount the namespace file
        / r,
        @{PROC}/ r,
        @{PROC}/*/ r,
        @{PROC}/*/ns/ r,
        @{PROC}/*/ns/mnt r,
        /run/ r,
        /run/snapd/ r,
        /run/snapd/ns/ r,
        /run/snapd/ns/*.mnt rw,
        # NOTE: the source name is / even though we map /proc/123/ns/mnt
        mount options=(rw bind) / -> /run/snapd/ns/*.mnt,
        # This is the SIGALRM that we send and receive if a timeout expires
        signal (send, receive) set=(alrm) peer=/snap/snapd/23771/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,
        # Those two rules are exactly the same but we don't know if the parent process is still alive
        # and hence has the appropriate label or is already dead and hence has no label.
        signal (send) set=(exists) peer=/snap/snapd/23771/usr/lib/snapd/snap-confine,
        signal (send) set=(exists) peer=unconfined,
        # This is so that we can abort
        signal (send, receive) set=(abrt) peer=/snap/snapd/23771/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,
        #  This is the signal we get if snap-confine dies (we subscribe to it with prctl)
        signal (receive) set=(int) peer=/snap/snapd/23771/usr/lib/snapd/snap-confine,
        # This allows snap-confine to be killed from the outside.
        signal (receive) peer=unconfined,
        # This allows snap-confine to wait for us
        ptrace (read, trace, tracedby) peer=/snap/snapd/23771/usr/lib/snapd/snap-confine,
    }

    # Allow snap-confine to be killed
    signal (receive) peer=unconfined,

    # Allow switching to snap-update-ns with a per-snap profile.
    change_profile -> snap-update-ns.*,

    # Allow executing snap-update-ns when...

    # ...snap-confine is, conceptually, re-executing and uses snap-update-ns
    # from the distribution package. This is also the location used when using
    # the core/base snap on all-snap systems. The variants here represent
    # various locations of libexecdir across distributions.
    /usr/lib{,exec,64}/snapd/snap-update-ns r,

    # ...snap-confine is not, conceptually, re-executing and uses
    # snap-update-ns from the distribution package but we are already inside
    # the constructed mount namespace so we must traverse "hostfs". The
    # variants here represent various locations of libexecdir across
    # distributions.
    /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns r,

    # ..snap-confine is, conceptually, re-executing and uses snap-update-ns
    # from the core or snapd snaps. Note that the location of the actual snap
    # varies from distribution to distribution. The variants here represent
    # different locations of snap mount directory across distributions.
    /{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-update-ns r,

    # ...snap-confine is, conceptually, re-executing and uses snap-update-ns
    # from the core snap or snapd snap, but we are already inside the
    # constructed mount namespace. Here the apparmor kernel module
    # re-constructs the path to snap-update-ns using the "hostfs" mount entry
    # rather than the more "natural" /snap mount entry but we have no control
    # over that.  This is reported as (LP: #1716339). The variants here
    # represent different locations of snap mount directory across
    # distributions.
    /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-update-ns r,

    # Allow executing snap-discard-ns, just like the set for snap-update-ns
    # above but with the key difference that snap-discard-ns does not
    # have a dedicated profile so we need to inherit snap-confine's profile.

    /usr/lib{,exec,64}/snapd/snap-discard-ns rix,
    /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-discard-ns rix,
    /{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-discard-ns rix,
    /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-discard-ns rix,

    # Allow mounting /var/lib/jenkins from the host into the snap.
    mount options=(rw rbind) /var/lib/jenkins/ -> /tmp/snap.rootfs_*/var/lib/jenkins/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/jenkins/,

    # Suppress noisy file_inherit denials (LP: #1850552) until LP: #1849753 is
    # fixed.
    deny /dev/shm/.org.chromium.Chromium.* rw,

    # While snap-confine itself doesn't require unix rules and therefore all
    # unix rules are implicitly denied, adding an explicit deny for unix to
    # silence noisy denials breaks nested lxd. Until the cause is determined,
    # do not use an explicit deny for unix. (LP: #1855355)
    #deny unix,

    # Explicitly deny these accesses which show up on Arch to silence the
    # denials for this unneeded access.
    deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_files-[0-9]*.so* mr,
    deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_mymachines.[0-9]*.so* mr,
    deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_systemd.[0-9]*.so* mr,
    deny /etc/nsswitch.conf r,
    deny /etc/passwd r,
}

OHA YOOOO ��JFIF�� ( %!1!%)+...383-7(-.+ ---+--------------------+-----7------+-7-----+---++��"��M!1AQaq�"2��Rr��#3Bb�s��CSc��$4��D��TdE��'1!AQ"2q�a��?�Z�L�[��=D�6]�T mѰx$�6��@ۣ`�Itl �"��(6�Dst�2:��Fk��x��4��K�h}�l�?r��@��!�Q��Y��?��-�=��O��(6��<A�x%B��<A�x%B��<(6�@��.��*%��$e�m��T�wi��~H�]F�Ѱx"�`�Ul��ꃁ��RPl�6�UIA�x(��#�B��zy%�<�L��mvN �ԭ6�Y$Qk�S��䮰�K6ף�x�+�T��L4��>�C=j��p�|J�ǥ��b=��Y�6g9��F1��Y�vݩ�`��塏��>� ��ݨ,��A�o�=W*��"��>�� \�"݄(꧈�y��9�m��d�aAD�u&�T��D �@$BITU�"��D�D!BH�� UTu� �^c�?�[ND�K�`�\F'�jf��<�G�G��B�q]��!tl�6�]\4mѰx"��<�6��B�֊�o4.�Ah�8QM,�y��%cLh��y�c��!�8Tb��h�!p�q�t��EIA�x'Pl �KTN h6�J�P7�6Ԩ�6恰&�� R��)m�`8�nC�J��E��%H� D�"T �n��W�s+��x��+g�?t��@��;�>�o��0��|Ћ0��|"�J�%EBBBB!X��|��X��̟s��Ӭ��H獎ŏm׷�0��2q��s�'q]��7�%��hp8EAYy�Ӗc��9%�A� _g�ٙ��}ӯ�Ul�Ƽl Ѓ�a�ۮ9�i�*��R"�*��:��j�zE+�H ��kB�2�e��~��Zd# ��0Vr�T�ev��Y��-8]o��x�~)�9��}W:RF֟��P�A��G+hH�P6��:��Ԁ��I�O{Y�F��$U"H�#2��*J��L��L�B�*��T`��(�-:�R�H Z��"�B�Ihh��B�B��urP�%� ��9��7v",�!�A�b�X�V6F�� ^K�+��f��qm^��'�9�K� ��o��!��P�%B��E��}Xo�U��(BXJ󥯢t��u�&�}Xj+%�7+�c� �\��t�9t p*)��L�Z��T��KTC�NGT�PH pQ�� ɚ^qB ��8!�*�� P��"T iHS��n��W�s+��x��,mtG��@��D~��} tY��Y��4��!!@!@!@!@�a�^h��R��*��|!��Us;��n:��#��4-h�chW꼝��%�+Z�kA��E%��4M$��@y�q˓��ʽ��$U��eH�-;�a�ކ�&��*IB��Z�w��;c��|�3JZ@��-��w�k��Q�Ϊ �g�d��I��G��8�N�G��(R)�2�_�]3;]z7]�2�w�r��I�Iĭ=15��b~2�{cuO�'෎V�nyI)��1s�� i�lT*�ݠ��H��p��^j�C�Q�B*(��(m�Wb ��Z�)P*D$EGimZU�ViZ��┵\�P�L��IW��Eh��[榚V�R8+l��zV<�B�M�j�V�pw�%�*�UKYǒ}�J�% ��(��HM��NQ�S�toԝ�ܪZd�ল��,UP�J�=�Z m�T��-]��y��*k+��:�%J��V��X�i�o6�D38�h�=� �'G�$�@��X��H�P�~��X��e�Ã��4��WS��x�3��q�˓V�S��k'�K�w�N�w�eb��,��bcw�1�� ȃ�%��͖��Bd�J��*V�Y��.;Kh��*��1 X��-��OJ��$sCU��H�Zj��N��e�m�zT�"T��%��8�(Q�4 雐��d8��j�$NH�'$@�� a�< ᴖ��K��W��5}��{��-��w�}�,Y��䴣�,��S�|�R��BT D!�R ^��I *I4m%Gk�2&�y�m$�k;�7m��sW��:�q��!汖s��]�i�;(��ƣ�7_�Ve�o\㛜K�y��T/.yܝ�2!�AB(BD��ꦽ� �EX�w2��\��^{Nɥ�=��lB�V��y ��t||�K$�v��Ȃ>*D��Q��z$�y��F�MqD��(��鍵M2 �G� ;[r*4�T�Rd�oV#�t+��P�A-��v�*�>��PhU ��-QJ��Y�mE;k�"�F�?%��R��&��G�ӳhx;�i��h��5��+�Cr��8��B�:�+BI�Ϯ�LOٳ��=�~��,��b�t�C�6p\��x ��«�!{�ҽhh��7<� ĊW��<�CNw�ai�@��ںf��j#^�Ny��\^rRU9�1u`�RC% T)SCM��VtR��U溢�f��i�|��Y/SpWF�V ��*�A�5)%T9��'B��O"�TTTQZTm�Dv] ��U��R��5�/B^�.�/��"rE�8B)�"�P�D!Km�<W��y��|�[�m��,Y\A�]��7��f��ѻ,H�Zj[��eh� (N+P�U"N�*��ء6L� 뛐��"T D!BBT�"�#��I~%�͑�W ��Q��w��] ��.��.��<��O��Zl�,��S�|��%F��9"H�Cj�66��4Wy��NTR��iY��'��|��c<�fژ��E��\>.�|hH�Yem��&��"h!!*lehjӼ �s�HQ�b�� pi�Η|h�'�Rh��SP3 ۽�$0��PX?�w�-;5��4h�{� ��/U�v ��ְ\2o��e��@(��+�u��Ē��B^��&�M]�B� �"��D��@!@!@!,�lΖF��W=��^��da�cehi��_��#d��[ 9_=�]�Ù^�$!�-p8�u�(B�/� ��A�!��\�F4q��3��:�[�>�w�ك�[��]��<��[�3�'��M+�yMH�R D�P��(�P��AJ�b Qq�F�bq�ߪ:J�$j��8�-5��z@�#��K� ڕ�NԺKړ�^y߉�Ԭ.�tv��n9��w��n�|s�Z��;q"{��9�! �BJ��BMe��=�`��֍�&�Ba�{��v��@�> ��lp�6��uRh�"�i�,ɯ�79o�*�� V�&�[\v��:�bq k�|��\͒��1��]q��C�xi")��*0w��{��0�c��߸ɢj�X�MQ��Y�R%B�D�P��!�$@$J��J��K��r^�V~�� p�KWg��.��m 뛶��L�Z Bã� U; �H7�V�A��+�B��r R7!�%\��!�!�!�� a��W��+��Z�cw��]�C�D��}˽��]��g��>KM��?�� G�4HI&��i=,�Ge��*��o��ׯr�c�RZ��$��fӿ.:��q'\j�M\㼕j�g�߃rh�� S\��g��d%UkY��?Nn>�Y$ &�,�[/I�ZC��>�a��S�K��p �� Ƭ�QY�X��h!M�m�h�8]p��y%�C/gt��ڭX�� c�iW\�;'�i��atd��ā�7(6L`��]�=��hP��.�ss��X�9�X��ji�;��t��\��V��0f�87�U�?k��ww3W�|��=L@� ��OG��bv�Z��uj��AD�BEjubӨ&��F�Wgb�G��:�uT1��ni��y|�X�Etu��n�k�D��q57��g�A�n ��X]&��+��sD%�0�p��<��Vtm��Z��9�^�Y*�(�{�/��j��sn}uz��_n��MErjΎ��[#N-5�5�a\��cu]m��M�WN�b�_ p�t�q�~'��H�- y�@7%Oj�h�y/B��d�k�-{o�,-5��i�4toWx꘳�_�(E�Ǉ�í�m;�]t��V�^23I�{�h�g�43-zJ�ֽ��g�Z"'!N��:�N��Qku�8�3�n^��s,�6(� �nv��.�),��eƷK�\K��IPO�A��e�K��ڌ6��yW�)֋��Z}�m{쾙��x��{hyn+/EY�l�W!-�$�U.��I�� /M�;��Pݎx�"~+��Ή1�&ѯ��=��#�ыv�$�[�"�R��To�v~)�U�˨x0^q��S��^�d��ʠ�W� ��5�B��dy"��&�õ��c��g�+��9��ugh�ޖG��7�� 곗Hz;f�L��`8��{"��؛f�1��&�)J[�I��!n��v��b�Ik{��ŋ��qo�s\��}ɛ\*KO<=h�L�2�U��Z��v��[O��8�@7$t��4S2r�ʬm��)18op�?��]1%�<��&71�k�.�s$.?-��s�ïZ� C�DjFC�w֠r+�@U4U��xY2��N�w�S�\S+�� P�0D��R�>*D�3�֎m�Fu��v^k��,�9�-�V��M�k��Rw֏�Z�[Y�=��q:Aů%�>��O�0�pmӅC�^뇍6��+E��N�f>29^L��=e�gi�-0��e�W5��U�E�x�і��(ZKH�F(�Y�mrA;Gf\�H�z�G��iw� �^�r�y��-.��9��2|�%��ÌR��J��x��ab��KD�꾏!�k��D�s4o��F/9�2��fv��?y��z;WLC�T�*��l�"�b[�qi��A��Vf�җ�W'fA��¢�#h?%.�҆�lߊ�_��w� 6�uA�*V�;M�y�*�OY��1MZ6��g1�PsWiv�e��%B��@�B"�@$�TQF�т@p�q֫9��+��F��bF�VljWx�B�%��L��ۗ$��˒r�� d�p:KZ��+��Z�c{��r��D�ކ}˿h}��"be�I !��-[��n�{ft�J`�ь7f#�\c�{rڱ��T0уQ~��Q��h��9��;��Ֆr�Ts�Y�dt��L�ٳx�R�i�<�B�g�=��^caؤs�EI��SAEɤ6�\��b�pn_�Z�U�u�� c\}Z�a��y��B�PZ��'�Ya��Ʈ��N��I�C��,Vp��+A^Y,��,h*��[P�!�|��I-,nn��&�x��u)�T�o��%��]8-x�m�dh́�sz]�/�#�}�{� �uq*͚��1=��g27�4�l�;��Rn�v�G�zܑ`�Z9��j��ᲈ�X̜�]�$��OYɊT��2� %BAJ�� :�uԮU�j_� z'�48d�T'��F�g�rI�Ƹ��+ :��p� '$涨�䳶J5�k�48Tk�[;c��K=��zՕXʛuS��"��Q�8l �m��ˋ��k+��ᴇ��$V _�%$g��k��]��GZ�t�^ʹ�쮣��k��m�2V:9׊8c෎v%�8O�&}��]�\�G4?��3F ,�6I9�k��^��m��TЕm � J�P� ��}�� Y��2��}�&��{��|(Y�o��J��v�qܶ��EAA��BG�o<�Y1�K+��۽��^�dŹ��-�v��P��It��sh�VŦ��ޫ.H�4+�9m�ώ�Q �H��%D�@�!@�%@AFkK��B�&hCm��8'&7.A9y�P�$J�B�P�*BJp< �t��͑�W��E- ��#�h�8��{K�s��Zgu��m=IU�v��;!�cϴ��J�"r\ 0 p��+�8T��e]ĵy�rߧ\'�4s\�ep��<�ޑ}ƶ!��9�V�Mk]R;1��4L��'2j��B��F@c��f��e=�k�t�n�?X��2W��j��&��Ꜩ�n�WԮ�5� ��G��|h�m�(ݹ��@Z��VY$?�6�qy$�'��l�z��Õ��I��pK_ny�Tlq��<��.#��)��&��0�)#;s�`k��xn5ʞ�4�-�Y��'�kFe��k%��=�{c9��u�L�Ut��,�`g��iS)Z��Z@��l8B��P1�y��Z�ѩ�\�㏲Vk��&K,��I4��iX!��U,��7l��`t��E�I��ʺN�P�(��k!�}֒�\q��-m'%؝CBh��aTn[�%Z}�C��0P>bs$�)�4��x��9E�&�^EQf��!�mt�z��8��ձhR�Rw�ͨ��{>g��(��c�C��p��޺S��n�l��$lgn�ۂ��I�{݉$�XnM��-{��Z��E-��n��*Si/`s?%��8��6�<�� \7A��WZR#��Ǔi�˹ V2*��B�� T�=3n�&юA�� %��_O�->��G�EgJ�C��a?��tl@��6��m��Q��p�s(^��*�� Tfi :�b��Ed��׀�|c��8^a��F�[J�~7*@n�3��2��j��mik^��NyF�J�g��6��*@��Pg�珢�C�g��*=5��R��g�=U_��;G�~)&��M��\<�F,�]�&��<\o�L�]��g �� r޿��$kk��i(�!�ݥE�V�E�;ͨ��헮��5��TiTM�z��+N��Ī��J�e{ݺ6 �n$�q<�Y�!�1�yAs��.�@��U�%+�έ��u\]J�`�Mdփ��C��;3��:&�^��7NK ��øS��]��'�7v�M;�ä\BD�1�P:�J#i��u��e��mZ��<��X?eew'8�� =��փ��.��Ԯe�c�e�O)�KZ9 rW,��a#[��U[�03\ޚ�\QU�3��L<⵶Zv�dP2��4d5��\f��f�b��н�~��x��e�I��J��e�M2��d��oݴ��\|2M��6U�.��RYt|��O~�Q��pV��։c��C��E:�9��q@��N�D�;� �y�;M�Z�3��BԷڒ� ��Sm>�t��q�O@��=��s�6��H��EAi��e��;��ղ�p�<1T�&��79�ǽ�1#�5��'xµ��eODB��Z^;@7o5��"��xZ+�!S6�<�&�5��z��xa�.��73k�6��Yc@@� ��D� �� f��438D75�/?��.�%�� ?�7�L�)�u��ٙ�S�]��s+��?��r.�G��e��sBBB!Y�4]��)G��g OҴʡi�͐�6QԼ�' �2wT�~��p嬙�z�q��ˆ8a�-��f^ˆҀ��L��E4�GX^�5�(�R�a��>��F�v"! �5�~>�]�,�~*2��n�M��>�i�A �B1U��<�R&��ϊz2�*FV�ѵ��Fm��Z5��~�r�T-�=� �1�7��pP��N�otg��dǟGo޶D�l�U��T��hp8��ε��n#ӊ�[y98��(�N!![p5 P�D! �� $8��r�#r�/;� �ȪD rTԨ�J��f�y��i.w�#�n ��k��V��#�b7]��|�^l61�w�ܼO�\�=�:`��s:=3��H��zJ3ʾJ*�Ղ�f��V�8�c0�pV[�u�!5��*ZRJFw�|�(�Ù��{��5$�8p �d$�A�J��rI��4��Gm��V�2��#2��YN ��C��zy��+e-��q��H�]<�9�W{��%&��g��2��[��sq �U��f�Ӎ�<.��@�e=�$h�y��r�� vޢ��1��{.�%E�I�6��L,��s��F�e`�Z�w5��?� ��uzR��0U��?́o�i#��t��)�u[#�{M�9�q��劘�?�OdqOџv8��q>�}�c��Y�:E��U��tj/�i��#�7�yQl��4��vUg�~;�h�� @'�\�09�9��S�Z�Ӕ�K]��KE�8�l{�?V��ܪ��{ւ�ٱ�ԕ��zd�U�tD��~�*.j��[Du0=��w'�kR�q��z5x:Dߘ��k��WYh�Y�OUg ��t�w*�>u��du�L'P��O%��iuմ��=�JpvnZcm�^��OٱC%܌�`��Ee�L�u��غ�^�owȭ�<2��W��v��[�KK_P*�_i�ͮ\A�Fl��h ŭ��K��r�E��;FB�qSUs�'�W�'v�ߴp?tës��`�bm;b��H�bN��q�A��u��ki�Ԕ4A�J��"Ƌ��36C[�sLM�k��⺖��/��z�(J+{��+�|��8Q��\��͎��g��ޫ#-s\�F@�d��CR��4;��Y,⍾[4m�1��m�>��4�9B�� .�%�WTm�w��Z։n��+�vD! :�ZO��7��t�.�\��u0x��K>Et61�g$�B�!@!@!T ��%�̭/��]Ȁy+)IF>��Ů��;�+Y�p��xzqY�3��!r|�L��͛��O�ތ�G�{��snV/9��v{Cd˲�~JE�*T�Q��[�G��z?{� �T��pg�H�;��ϊzBHP�m�6��`�>�n>��V�G�qEh��S� ��h�rZ߭�ю+$g�� xU:3�4��M{�f��^'�ܰ�}�7�y$�u�V��R�s@z�Z05��4d�i�&�Эe-��6�5��]�v�a# %dU']\|��vv��~��TuN`u ��I�gn'��C\#�|j�>�t��"�3�� $��̈́��1��K�yƤ��;�'⦉�A ��4�B1*�J��ft{I}fɓ�� n��n!>ۦ!��\�n�i��& �s��+>]%yŐ]��G�8f(�m,v6�{s=� `�8:�`�G�;�à��6��`��?S(V�"6觼}��WW�lQ�p��J�l�ST]��0V��LX?��j�,��ԝc}��O�;C�)�v��,toe/�Ԩ�D��hhFí]K&��H륎l�b�+'�.��Hޛl�>j�c�woI��`+�Jݶ�D��z'S�÷/�r�_�[A�i��7v��w/��@ ~��T�pɼ�^�)�z34��$D ��R=�l�[�j�a��FGT&�ŧ6��V��H�S�ttY]%o�3��y O�Y�4ⴹ��D��F��94�zx��]{ܾ+7��*;P�nX�E I7t�XW��4�KD��i��epS��B72U{)B3cZ`nc;��բ��F�<�72Bמ��\k��F��?��$-�F�� Z,�fHۯhsM*�4��FY��@цbP�\�ÎW:s@JE�.��b��N�D�$d��w�]49oi��Z|Ŏu��+}�WC�6b| Ǵ�P[��ps��Q��`��=�G6�c� �R]N&�&�Fƣ��u�� i�Yњ[��n��eu�~,�=�k�4d��Bז��;��Q�˴Ѱ1��()�yT}4�5�pd&�i5��n�ZvN��eÔ�br�~^�6��v�m��:��Q=�8��O��Pw8��汴gL,Ґ�(�]{K��<�G��+,o��3^�暃]��j �E �i#;�Դ v�iz3ƃ� Ap&X.Iڤч~�vNBAMy�uf[��u@�v��3�5��$�V��5��9��i?�72:ր7U��S~�"y$��Rv�C�+�5�NЋh�� mt�+�4��*$Ұ!�1��z��:*��3�l�sX�1��h�J�g��`{NTj#h#Q��yL�y�ڜ1,}d��h�qh�p�Eq��g,�f��(��]'�E]��S?y��O��G˽G� ��?�͓�$�Ew�4{��I�i=��o#�Ը�(��Ru��[�L�ܾ݉��e��_�g��?�\oY��U�}'��A� ��DU�e��M�o��/.S��o�aVsd��H��a�2v8��V琽셤� .q�"m/P�$��u/i��V�;��:��2��W��.�{uÖ��>��ô1��'2w�i L2�W(�}d�9��H�A�= �!�) �d�\D��ԥ�f��j F�AA�p 䴖u�G��XHd��L��xb7�Ly5�X��׳�G��a��4��t9=KjIµ+��c�x7�Q��ߊ�!T*��:ߣ��nb)�h+E��̓�k�k��+MU�X� ��=�Л�Է&��ݽ��;��]��Xwj:��b��C�Z�i�>9��sRf��h��y�NF��%Mn\��*TԵD*Tڥ@�SP��SR�Ir< ാ��=��|��$��\&��ʟ� ��].=��ĴsX��U�6��*�]q�T��s�]¾�%��> Ș��غ�C)[�x$��WL�(,P�6�m�� mķ�5��MJ`QU��3A��k�W�6 ��p8��5�G��ߑ�8�8�㹠rZ�hmnM��\�/��R�D�45�Z(� 70�B��Ktu�/=uƨ�:n;�y[�)�4��Hʂ6�[yƙō?�4��P��;��Ini��l�CJ��_I��j�,m��A�)N ;o�?�o�+�ש��BQ]t�i�h�RQKu!��j.�HIu�D�W�'�EٴT�il�}YV�>�{[��uV?Gض��.>�Ol�/�+�݌@�;��Kr#��yͮN��R��b�4��f�+�N��q��๮��'Z�hid/-m�/��y+)��4��,�X��p0dC^��A��jk�h�|.��6݆�lu2?T��р�55�MJ�3lWL]U��C�g��o�W��~��˯P�@H��H�۲�(rjD��OE��E��˻L�9r��J�q��hΝ?�b�)9�%2��׍k�(��p��D��l��8�m 3�J�U��b��鵝��C+��p��;��Ŧ��L�J�6��VF��_�U�z��ϴ��I�U��"��.�@f�I��f��8�R.��i��6�X�V��Ү�Yg�u&GK,.oU#X�H܉qp7{�h��@)�$��j��`�I��5�lQ��⊪�y f� �CҤJ��!%�\��o�:#�V�DkpVI=��h9�n��˾�gcm20��u�p�kȯSj��姫�z�N�և�K�lg}�a�ⴴ��8_#�Ɨ8�h�y�EzGz�#d�Z]V{��o1�6�2;nG�4� ��[�Ⴐ��$�W1�� cƾEJ��'��S��[��Z�(i=��j�skq��1�mOF�,��h�ܕ��0��1�P�v�a��6�N��ӆI��Ln�1�1��滑�x�l�x7�v��y��X��-�)��W�]�uN�P� � ��y�(U� a��m h&k��(��gk� �1��M(]��7�v��xi�K,a,y"��j��<6V��Wm�'�c[]N ��@ܹ'U1��R��@�SR�T$�J�� &G�\5�}�� Z�w�O�yfy��7�\O�\�n��=��(�.��v�OK��:��2Q�q�� x�.ӦhC��=IU�ƙ��h��' �)��R��E�g��cuG!�i�}X� [K*��+�m+��F-=a�H難��5��p�U\��fd��#��Nh!fݪT׶�*" adL��edr8��߼�d��PKt�{\^�{.i��P��$l)�[�Ǎi�j�Y��8 5>��e�p'�D,8G��C��Ň�5ql��+u � ��Tv7�`;FK�� c��Tƫ�zQ�>�3�;��1�V��N>R�Ň�G'/�?�ƚZ�ˍI$�IQT�NB�2>m�6�o�K��rU�!��Ev�BiT�"�BH� � \ڧ!w2�VSKVt�D��k��p$�L��F�<QoG��׍�9�Ts^��̞&L��Esx5��4�E�0��VX�u~6�t<��sṷ~�t��O��xR��Ů�\��Qk��'<��jpx��Go��R\�S.��Ë�ӯ#�: ��~�0'��t��ׁtsK��hd��4��=��^��{Z��i�EAS<|j㗔Q�E�� b4��<��-KL�_��J6юÛoj�\�b�2m�9��Y��G�_��m�/�B��lo�H�aR93�o �=��Y#|�IBZ�h�c�5�a��sՈek��F �*N��$`sH ��2 �U7��?w+��:�!�t\�p�CP]x��c(�A)��Sj��qm> ��0:�c\�=��|��V��1�Q��j:�1 9c*�tx:�i�hAe p"��i��k�T�no�;�)Ri�w��WF�upJ��@�SR�pB@��6�j�R�Bˑ�W�WHv��o�v�8�uO��G`W3W.7��}:q�i=*�GĀ�,�7%(6��I�ݓ��xM�`8)��$��$�WfY,��64��4h��^;(u$��^rf�ơ�3䎉�u�V_xg��9��N�р��ʐ59Q��4V[�4��M��X�L� 4纥5J� ��k�r4vdh��O*U�"�!��3C$�"��+G㌟6�G ��Yt�Վ��2sN��ɉq�@#.�暁#?)��j5)[°�S1I��#��p�C�KKi#��'ǵ�^��/��LK[�7� �s�9�;ҭ�J��x�J)^�U�{'��EI��T4T�}�k�+ �~#��{j=�ﭑ��t��\�A�/g�;��k��O��V��훧-Ή�k0|�� s��y.|G��W8��<έ�-��BKc�e�;��[_�+%g'��o��i�*V�@�#�TM��Ց�9��6��w ��ed��Rl�N��M�)J��G�V�L�k?UQPK�#��(�/F᳓!d��dpȜ(��n��E��t� qX�"��Y#��t�}�`��v��FY�=҂)`4|��]��xS.ȥr��ZFI�t�>�ƍMh��%{x0��͗� P�B�� JS$U*B ��@!@!@!@QB!6�� -ςVM/F�µ��A�� 4�,�Yt�}k��X��6^�P�{��ӆV�&��u�F�v�Qmtg��g0��-.0�ݺ��jk��{�'j��H�W=�{��8ԯ.vd�$�Ҭkݺ%-ls��|�Яn�A��dx9�g�x�Y��Ln$��)Z�sV4�cO�Y�F<~G��b��~�?��m%��w�џvH�)��bgH��,��f�%��B^�}��O�o�)��ү��e�}۟Խ��.�c�$p��H�׆��u��5�x K#��.��P��i�vG0y4+��~�?�<1߳�O�~��-k�^�!|lq��q�HJZ�AT/S�Np�UgDXoG��E>;Q�y;_=�Xsy��C!��a�v�u��'9��k8v9�#��n��4 qћ��q x�nz��|��b�,�i�� x�we��R�EB!@$)Rn��z�x�F�-�pBF�8%E BD� �J��J��9%�<��.�Uͅ��Y)Y�$��j��b�7=�;qB��y�o �u�sV�^��qǷZF�t@�}nA�D�� !�k��6�C!Ƅސ��c��$/b� ֆ�ZA�P�t�yS��!e��!�!�!�!U )a�s($��7�sc�+�+��W�6y��Z�s]�k�k��P��Nٺ�[��zZ��X�PZ?) ��;u�\_K#w�~8�N�+A»n��lQ�]��$��]�IIC��#�kN ^��C�<�i36��~�ͺ?�Y�չ$o�� Ů��^��@ � �ZG�S�a��m k�w�0�AA)�Ǔ,z�8�&�>��V0�Ƶw�ܵ��(7%U��-%��c�l�u�C{��&Yܻ^L�f��sZ֊�8�� 䬷[m��O�i�?x�\�L�g.{�+��1��\Ʀ�@ i�NB�s ��龝F�Yfi�� )��Cy\��\d��{��s�4��O*�N⤞�u�j.uMv⚄/��|ܮ�P�*��R � �!P$J��PMN@!*D�� !%�D"��}��:�f�R��E�z�х�}RFS+�w1�� x/7�O[v��^��J�).��`��Hm�ROz'1��0�\��S٧��Q��g?W��ub{i��]ą��Ykhu��c}��]|�*�'��ix�϶h|�*7��!|��X�<2��H�g��k��=��8��4k1[vC/N��{Z p�ؘ�Mݧk�-��4��9B�v��y9r�^ɡt�v��4��V�^S�+��z�:��\�.�w�1�}X�ö��j�3ӿ��t��O!�_��C��&]��o��4 ��+��ľ�&Jw�X> �KO"��`��V �n=�a\{k?�UT�8%_F>aP�"�R ��@��P �P�B (Q�)�Oc��ÁBi �� T!�R �F4�՟ q!��MN �w"|��Jr��j�7Wol��C��R��1��[�x�B$?_��c�*n��i�W��/(�ұ��ͻ#��q�H�� L��V��u��/�^8�Q��s�t��Zߎ�&��y5ɖ�eA�f�7B�Y'xP�CBq`��C0ƻT�{��G�,�M� �B �#%�=�_Z��l��6<;�W�^$һߣM'G>�Nl~�x��T�5�z*AN��Q�v~*D( d�ge��:³J��Pv&�\ ��j�F��4ێ��;A�9;楆F��ӟ-�{��-Mk@� ��*]�n��+ pp�MB�L��x�ɻ��Tdؾ��d��Fv�T��*;BBBD T!UҖ��3kG�L<胗^.q�r��^7��Wkh�3SX��U��v��7K�8��}h�̖��=K7G<�%��KJ��}^�T��/��d�c�f�*rBBBBB ��A�zF��HBT �zi�ʗZ"��ƽkxH�v�? �C��%y�Mz1�8�aoٻ�h~ONƹ;$�^#�u�6!5��^��O�W1�.�]7F�`H��bw��\�GԮ�ݛ�p��]"�x{.�o�� R5�S�i��څo��+��X;��Z2�M�*��FѬs^�l��9㓼�P��9��*E��cHQ�k�f�ٸs�Ժe��\/N��>n?%��t��3��ަ-��´TV��1ߕ��=��؎ �(��}z|�T! �BD��E�4�d�\��T�R%Z@�!�* p�@�P� ��f��HF�/ԦM�&��! P"��T�A�У�g?��5^�m� ��w#��ndδ>9�m��Ƹm��{z�o�;E�G��ݐ�g�>��`^Ch��^9�I�q>k��}%2��;Ee��q �i�� Y��8Uk� {g�=�2Q�pAM��Gխl|26X��y�8�TsUKT��z3�Yl��E�4�FV�]��A�~J�{��Od`9��}�q#kA��su��{.��Nװ�5��#"4\,Ӵ�qb9�=hZ� hv]�k�5��0�x�հ�+)2 R!C,�vNН��Ɂ��G��J�#� ��5�-f�=��{l�o`EA�*�2^��S�e� ��8!W6��4a��#��%Mn\��P�*)P�*D U��Ii`�I94�>M�Z��6�k$y�KCԳ��5gl��dv�s$��W�~3�B?t��xooL�WC�z�tm��>�;G�i�z��}��M,�}�a��S��5�Mq�:r�`!@!@!@!@!@!@!@��E�8q'!�=2��՝��Լ�=K��:�e�aX�A�489�c�j��^��EA0B��t}�I/��a��<�r�9-6j�:��+9�,"�� D��F{�=��t��P>�s=�?�Wn��1�;T�Ŵ��j3�8|v��E��OS�Z�� -i�p��׆֓Q�Nn?/qǃ��껅��m� ��.�9�p �dAȮ?��B��0��ג=�L�6X�G.��Uev��$v��U/N]�:�T�uB�8_O��g�B�*D�6L�`��Dȃ.k?*�*D-!P� � D�F D�(��P��b�:��KI��#��+l��TB �B繬cK��5�hĹ�4s)��~��.jt��p �P�MGjPb��;ݹL��Α�&�|Խj��Y/:�/7�`].��j+�y�^��"�[,��i�fY�s�ye��66��$V��;�W��蟭۠�f��d��R÷�;�X�.�:��7��p�+�ccs�m��(��fM�m��[,P0E��|&)#!�� W"3"��aӯ��~� ��hk�7�.f��*RK��ߢ�IK~Z��]- G�TDӫi9��o�Me�ء�9�Dz�$�8z��`@��k#�2��^�C��Ѥ:�F�ܤ�� u�E��C��_m H� ��v?�m��W��.��8C��w�q澴��$�T��Q��D�kFƁ�:E�g��u�GP��;��yu�at.+�(�0s�y�?��{*G:��*k�E@�Ȃ��47N�J��UƐ�/�i#ۈ9�{��W��~.��Y�](׀施�[MU��Xu��7� B�T!"BD T!!!�Al�2F:7�9��X�qS��V��m��$�2{.��89��,��#d�#��]��"tR �ÛN�4�!p�j7�l��G,&7bЇ��G G�'X�e��e��i9��x��#��D&�G`q�qR�|x+C��L��C�ѵ�7�#�1��:��F�fR�Ni��,�� TҔ��v)-�@�dto&�:��x��5�J�^^^?{�g.櫝R�M,��'b�r�c_?%�&��O]�H�D3R��5��OBT��P�(�R �f�P�D*�,d�>7�NrUB�'jICِ��63��&��J�QD�J�E�e릊��t��xҍ��ܫU�I},�G>��äu�Hb��#m��c7�$M&��Y;��دH�9饭��m��fN�/�5�`Z{ з��%�=� _[�u�{�{Ndv��kk�M6�p�'8H�ėd�%K��{F��>��9ͺ�lkh��n�N׹��.��h#G�� o��j�<ׇ &��0��R�3+�N�� 4��kE�5~��:��5��A8�k!�c�c��i4�4T8ePuQ3E}�~��GՏZ޺id��n!ΒS�2�٧|n��D�E#�}6^iY�O$��z�<�L��@VcQ�} t�i;`|U��H ��KC��Z��[\�7��^��87ch��4��V��mC��y��81��SPv?C�^8-��GLmc 4k]V��` kj��cm|�2="��Z&��ZZ��Mpk�ZV��Լ��7n]�6��]��ˡԢ��.��M ��4{��V9��Z]d�ɥ#'�P Ay��ю�M�2e{#�ѭ܅M7*q��MN�v��I�HsIii��FE\q��諒*�-� f4��5,�G�ZN׹� v��ql�#��G��=�|�t�q�U�$�¤�P��z7n�Ŗ)+RX��]� �5�;A�\ѕ��RBOݼ=��O��g�y�ˤ�f^�u8X-�fk�Zj�H�j��7��[uSr��]е��6,�M�ё�渐�iZjä�'d�\3�[�{��\��Б ��H��}㸡%��i��R��U��P R!��?O�Hu�[�Ok�C�=nŠ{O`�PO�+WN�YX�a�狍��5�+*|^��?Լ��n��I�v�vC�W�N�wh��u�6�^��H�� `+UP��B?�+�n!"TFu�:;�*�ԴCxo,�q��&�4��ne>��L릏��#}��g�$�W�d��O�ZkC��;�г��;�dZ�aݶ�J`��=�c0��=��if��oٵ��Ӭs�. �sIk�X�=�0~#X:��q�yG�� Sh�[��u� -5i�GQ�E��вZE�Dq�ym��ਨߗ��+0��d��h:�|��F^�Qg�Ϡc\�a�^k�+�tz��f��U��q+ج�6F۱��h�Ɔ��'�Ayv�o��=��U�Y鹅��U�5��4{\ñ�->}��##N��8x�sX�x�;��)�鯣�,��+g~�U�-9r!y��~�>�h$e]��4^�9�qˎ�:l��Lb*�஻s�f,��ZL{Z�-�D%BH�R!*PN�j�)� �,X��D�.m,Œz�褕�[��:6WW$m�P�*U� �Ϊա�DJ,�J�!@�ZU�1VV�J�Hn��=Vq�KUa�*��U��aP�*��iCf��O�M��8��XK٘��S�=��lK��P ��,�ס"U��p�r#"3 #�J�>� $��,��ٚ�h!TB :��[��P��! 8"�!�M�T ��@�H�i;A��R��}��|�PaO)|�?Q��;#Оj�A2��kO�T�2�Cv o*�5��=��Axr��N3Qab�v��ඊ�N��f��q��B��hWV��o��[p�B�U�`�F�YB��#��-4�p޳Ee٥c��ֶ�?j{QKќ��I�t��\e!�`��H�$��J��ؽ��q�.�|~_�˗�c�v�tf�k�b��iFKOgaܷ!��y�`��Nd� ��њe�Q��jy��' ��|��Ci�T�)�"��PF�U�=��;�pۭ��u A�*2T!!!! �+I��v� �=D�`%$TBH� �񦲵t��K^�#�r;]�w��Y�lk&�Ĝ�㋜w�S�T>8�E��FPIJ��M(�J�PR%B)r� p ��7�*D��;;8�_+}��?G�e�G��_�v(Ve~��}<��^��`� �0�賭?Gv��s�m<׬ ��˔�f��^'i腽�ٞ�?�1�ɦ�*�a�<$�H��9��{��T.��/�c�G�F4۫ܭ��K߳Ŏ��w�hV��b�X�J�:5�ɟ,��$]��߻|3x��y�+wG�p�%�V��څ�r�~\�Q��%��չYѥ HH�*�1MS��Z�HJ��P�6(�T))�@%H��!Q,L�h�q�P�U*˕U��<.��>#B�e ��:+�M��F��\��X�xK H¦SmK��֧,��[��,Rk�u��{.��5��@!@ �n?h�)Sm�x�(Zi�ܒ� VZB* Z��?/r?i��X0�"��t��y��F?N'��r\�.��c7UmN��a{ ��<�YF7 aZl'<�v�SO�w��ixރ^�v��޶}۽ҹ�Ci\J�^�:�h�g�5k,�>�X��/�ෂۅBBR�V��ɴV�� KLiN�]e#�@91�۷l�2�4�R�Ay�cuos�4.Y�|�"�\Mf��ku2��N<<�ޓ�?��H�ok#�&��@r ��(8��+N=ƴ4T묝�G%�ڨ}W��ݩ�NsH�Q5m��o|��ä́� ��ݑݚ�,V�L��5�9�c��tn��\#2{�5�~T\98e�;z8��>�N��r�b��as#K6qBJ��{��֣$#"�vYu^�YM��B�g��w��[�EB�@BHUEz�I��;@��H1�O�B��+Zi[C�?�w��`�B�{}��A�@7�P�@4��ɒ�r�d�D\Ƽ6[v�c�TV��s�*+te��Xk�r�f��hoXt��v{��{�q�Z|��)��-�y��鈕��)��q:SQ$��5��8c�x��E�l$�m/�J�"��Z�֙��1܆�oV�ު��N�J^+��z�:��gY٭n�Vz��_�ӄ�+��n��I,�[o��Y��5��\m�b��1/cĮ��1� sh�I�Գ��.�Թw�n�K��Wڻ��XGS�:�\cv�-��%gYtV�&�v �rc��Gy[��U�5��.�4pc��M��Fgvc h��G�FG�޹p۴u��۷kZ�V��Q�u��S��ҧ�i��[��)~�ޏ_��Z�~>2��N��S?[O��y�jk��8�lƮ|��#��T]lт'{�X��E�@{��c��dk:�M� ��|6Ԧb6QX��!�!*D��Ui�*�, R!eVXj�0�R�t�BsR�Q��FS��#=��}A]��Ϣٱ��w��%罽��QB� u�� -�x�(Zm}��ђ*��ڢ�9"Kȼ��q�q�-.<�W17q��j�2V��ǀ}��w�9��Nfh��ƃ̯?5�v�&ݭ��/�`g�<�Ȟ�qh�(�s��Q�M&~��q��.{ޱ;Gp�\J�N��z��G��}�:��Ē7��Ի+�i�(ro��6��(�RP`�4��:�h�f� ��Z䫎� �-�g��8��~ ��q�ʮYLq�9,��Ӏ�FPǍݧ?2v-;4 ��$�gz��gm5��V�c#Ŗ[�T�u=�YV�mq&�qZeb�08w��RX�t��mܝ�( iy��#0ѫ��֛M+��7X/�6��V�5�2�=�8�FIߏ%cGC��м��i�oX�M�aROy��vn.Y��ol��f��ra��c�Ifsy��p��pW肼�e�w^�p��PT�N[�XY.��i��&��8+V;[%e�� Yi��vEH�é�� S�0��+�Ll��i��M%�Xv:R+��^Y�@ޖ��!��Ni�/��4d��T$�@�M��ȣ�n�"��0斜��h�̔ޕ�i]u��%�7�� |�:��+xr��sϋ��0�#�ˢ��@��,;�1�cZoґ��Z�WmV[�1�rD潍��o4��M֍�Ecv��_�q��g�(h��#� �X��A1a]s�3�U�,f�M�1��ch{��\��s�vF e��u��Q�7o�W.|򚩏��6� �ݩoi�P��p{Mx�,��@�flvGL�5βFe��ը5ִ��(��Ȭ�˖V��?�"�w�c��d��#�|��GZ��9�vx��/�X�+ a%��^>AX�[�ȥ�[�ȫy��x0��D"7�q8��>��7��AsZ^{�n_-�ڇ�� ¸��'ZݾE'ZݾE\��j��a��= �kv�u��Wd�D��$0ct1{�ɣd id��..�h$�p��YQ�<��hq��f�N�uQ\f�9]E��B\��<��V�e�ȠJݾEzdy�=7�n�"��|�!h��ȣ�n�"�?Ih+5�Rx"�{�/��x�;L}��٤|S]Yb>=��W�u��Q}�|��n��΋�`�pVF�"��0��+Mtf�k��]��Ϊ̇��$+�4�с�$��y��HX�C��*�y�E�v+%H��R�$��Z�FBUWaP��~G��=�*�,BT�ZTX�෋5"�GjNs��R��A�'ih?��Ay��DB��X�ʏ?�!��Bm��z/�_ ��%��A�[��;��N��