Merge pull request #47019 from jessfraz/allowPrivilegeEscalation

Automatic merge from submit-queue (batch tested with PRs 49651, 49707, 49662, 47019, 49747)

Add support for `no_new_privs` via AllowPrivilegeEscalation

**What this PR does / why we need it**:
Implements kubernetes/community#639
Fixes #38417

Adds `AllowPrivilegeEscalation` and `DefaultAllowPrivilegeEscalation` to `PodSecurityPolicy`.
Adds `AllowPrivilegeEscalation` to container `SecurityContext`.

Adds the proposed behavior to `kuberuntime`, `dockershim`, and `rkt`. Adds a bunch of unit tests to verify the desired default behavior and the behavior when `DefaultAllowPrivilegeEscalation` is explicitly set.

Tests pass locally with docker and rkt runtimes. There are also a few integration tests with a `setuid` binary for sanity.

**Release note**:

```release-note
Adds AllowPrivilegeEscalation to control whether a process can gain more privileges than it's parent process
```
Kubernetes Submit Queue 2017-07-31 16:56:58 -07:00 committed by GitHub
commit 72c6251508
57 changed files with 2661 additions and 1449 deletions


@ -57500,6 +57500,10 @@
"io.k8s.api.core.v1.SecurityContext": {
"description": "SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence.",
"properties": {
"allowPrivilegeEscalation": {
"description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than it's parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN",
"type": "boolean"
},
"capabilities": {
"description": "The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime.",
"$ref": "#/definitions/io.k8s.api.core.v1.Capabilities"
@ -58938,6 +58942,10 @@
"fsGroup"
],
"properties": {
"allowPrivilegeEscalation": {
"description": "AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation.",
"type": "boolean"
},
"allowedCapabilities": {
"description": "AllowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author's discretion. You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.",
"type": "array",
@ -58952,6 +58960,10 @@
"type": "string"
}
},
"defaultAllowPrivilegeEscalation": {
"description": "DefaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than it's parent process.",
"type": "boolean"
},
"fsGroup": {
"description": "FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.",
"$ref": "#/definitions/io.k8s.api.extensions.v1beta1.FSGroupStrategyOptions"


@ -5340,6 +5340,10 @@
"readOnlyRootFilesystem": {
"type": "boolean",
"description": "Whether this container has a read-only root filesystem. Default is false."
},
"allowPrivilegeEscalation": {
"type": "boolean",
"description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than it's parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN"
}
}
},


@ -6556,6 +6556,10 @@
"readOnlyRootFilesystem": {
"type": "boolean",
"description": "Whether this container has a read-only root filesystem. Default is false."
},
"allowPrivilegeEscalation": {
"type": "boolean",
"description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than it's parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN"
}
}
},


@ -3087,6 +3087,10 @@
"readOnlyRootFilesystem": {
"type": "boolean",
"description": "Whether this container has a read-only root filesystem. Default is false."
},
"allowPrivilegeEscalation": {
"type": "boolean",
"description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than it's parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN"
}
}
},


@ -4168,6 +4168,10 @@
"readOnlyRootFilesystem": {
"type": "boolean",
"description": "Whether this container has a read-only root filesystem. Default is false."
},
"allowPrivilegeEscalation": {
"type": "boolean",
"description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than it's parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN"
}
}
},


@ -8197,6 +8197,10 @@
"readOnlyRootFilesystem": {
"type": "boolean",
"description": "Whether this container has a read-only root filesystem. Default is false."
},
"allowPrivilegeEscalation": {
"type": "boolean",
"description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than it's parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN"
}
}
},
@ -9418,6 +9422,14 @@
"readOnlyRootFilesystem": {
"type": "boolean",
"description": "ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the PSP should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to."
},
"defaultAllowPrivilegeEscalation": {
"type": "boolean",
"description": "DefaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than it's parent process."
},
"allowPrivilegeEscalation": {
"type": "boolean",
"description": "AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation."
}
}
},


@ -20643,6 +20643,10 @@
"readOnlyRootFilesystem": {
"type": "boolean",
"description": "Whether this container has a read-only root filesystem. Default is false."
},
"allowPrivilegeEscalation": {
"type": "boolean",
"description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than it's parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN"
}
}
},


@ -6023,6 +6023,13 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">allowPrivilegeEscalation</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">AllowPrivilegeEscalation controls whether a process can gain more privileges than it&#8217;s parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
</tr>
</tbody>
</table>


@ -6219,6 +6219,13 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">allowPrivilegeEscalation</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">AllowPrivilegeEscalation controls whether a process can gain more privileges than it&#8217;s parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
</tr>
</tbody>
</table>


@ -5001,6 +5001,13 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">allowPrivilegeEscalation</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">AllowPrivilegeEscalation controls whether a process can gain more privileges than it&#8217;s parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
</tr>
</tbody>
</table>


@ -4939,6 +4939,13 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">allowPrivilegeEscalation</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">AllowPrivilegeEscalation controls whether a process can gain more privileges than it&#8217;s parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
</tr>
</tbody>
</table>


@ -6969,6 +6969,13 @@ Both these may change in the future. Incoming requests are matched against the h
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">allowPrivilegeEscalation</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">AllowPrivilegeEscalation controls whether a process can gain more privileges than it&#8217;s parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
</tr>
</tbody>
</table>
@ -7594,6 +7601,20 @@ Both these may change in the future. Incoming requests are matched against the h
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">defaultAllowPrivilegeEscalation</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">DefaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than it&#8217;s parent process.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">allowPrivilegeEscalation</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
</tr>
</tbody>
</table>


@ -8366,6 +8366,13 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">allowPrivilegeEscalation</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">AllowPrivilegeEscalation controls whether a process can gain more privileges than it&#8217;s parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
</tr>
</tbody>
</table>


@ -11676,6 +11676,10 @@
"io.k8s.api.core.v1.SecurityContext": {
"description": "SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence.",
"properties": {
"allowPrivilegeEscalation": {
"description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than it's parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN",
"type": "boolean"
},
"capabilities": {
"description": "The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime.",
"$ref": "#/definitions/io.k8s.api.core.v1.Capabilities"


@ -6556,6 +6556,10 @@
"readOnlyRootFilesystem": {
"type": "boolean",
"description": "Whether this container has a read-only root filesystem. Default is false."
},
"allowPrivilegeEscalation": {
"type": "boolean",
"description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than it's parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN"
}
}
},


@ -6452,6 +6452,13 @@ Both these may change in the future. Incoming requests are matched against the h
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">allowPrivilegeEscalation</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">AllowPrivilegeEscalation controls whether a process can gain more privileges than it&#8217;s parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
</tr>
</tbody>
</table>


@ -4030,6 +4030,11 @@ type SecurityContext struct {
// files to, ensuring the persistent data can only be written to mounts.
// +optional
ReadOnlyRootFilesystem *bool
// AllowPrivilegeEscalation controls whether a process can gain more
// privileges than it's parent process. This bool directly controls if
// the no_new_privs flag will be set on the container process.
// +optional
AllowPrivilegeEscalation *bool
}
// SELinuxOptions are the labels to be applied to the container.
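Review bot: The comment added for `AllowPrivilegeEscalation` does not say what a nil pointer means, and it leaves out the override that the published field description elsewhere in this change states (always true when the container is run as Privileged or has CAP_SYS_ADMIN). Someone reading only this struct could assume that setting the field to false always results in no_new_privs being set. I would append `// AllowPrivilegeEscalation is always true when the container is run as Privileged or has CAP_SYS_ADMIN.` together with a line stating the behaviour when the field is nil, and change "it's parent" to "its parent". The struct begins above this hunk.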


@ -675,6 +675,30 @@ func Convert_v1_Secret_To_api_Secret(in *v1.Secret, out *api.Secret, s conversio
return nil
}
func Convert_api_SecurityContext_To_v1_SecurityContext(in *api.SecurityContext, out *v1.SecurityContext, s conversion.Scope) error {
if in.Capabilities != nil {
out.Capabilities = new(v1.Capabilities)
if err := Convert_api_Capabilities_To_v1_Capabilities(in.Capabilities, out.Capabilities, s); err != nil {
return err
}
} else {
out.Capabilities = nil
}
out.Privileged = in.Privileged
if in.SELinuxOptions != nil {
out.SELinuxOptions = new(v1.SELinuxOptions)
if err := Convert_api_SELinuxOptions_To_v1_SELinuxOptions(in.SELinuxOptions, out.SELinuxOptions, s); err != nil {
return err
}
} else {
out.SELinuxOptions = nil
}
out.RunAsUser = in.RunAsUser
out.RunAsNonRoot = in.RunAsNonRoot
out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
out.AllowPrivilegeEscalation = in.AllowPrivilegeEscalation
return nil
}
func Convert_api_PodSecurityContext_To_v1_PodSecurityContext(in *api.PodSecurityContext, out *v1.PodSecurityContext, s conversion.Scope) error {
out.SupplementalGroups = in.SupplementalGroups
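Review bot: The hand-written `Convert_api_SecurityContext_To_v1_SecurityContext` copies each field by name, so a field added to `SecurityContext` later would be lost on internal-to-v1 conversion without any error unless this function is edited as well, which is an easy omission to make on a struct that carries security settings. As far as this page shows, the body does nothing that the generated `autoConvert_api_SecurityContext_To_v1_SecurityContext` does not also do, so I would reduce it to `return autoConvert_api_SecurityContext_To_v1_SecurityContext(in, out, s)` or add a doc comment stating why the manual copy is required. The manual function also appears to be what moves the generated Container and PodSpec conversions from the `unsafe.Pointer` cast to per-element loops, which is worth confirming as intended. The function after it continues outside the hunk.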


@ -888,7 +888,15 @@ func autoConvert_v1_Container_To_api_Container(in *v1.Container, out *api.Contai
out.TerminationMessagePath = in.TerminationMessagePath
out.TerminationMessagePolicy = api.TerminationMessagePolicy(in.TerminationMessagePolicy)
out.ImagePullPolicy = api.PullPolicy(in.ImagePullPolicy)
out.SecurityContext = (*api.SecurityContext)(unsafe.Pointer(in.SecurityContext))
if in.SecurityContext != nil {
in, out := &in.SecurityContext, &out.SecurityContext
*out = new(api.SecurityContext)
if err := Convert_v1_SecurityContext_To_api_SecurityContext(*in, *out, s); err != nil {
return err
}
} else {
out.SecurityContext = nil
}
out.Stdin = in.Stdin
out.StdinOnce = in.StdinOnce
out.TTY = in.TTY
@ -919,7 +927,15 @@ func autoConvert_api_Container_To_v1_Container(in *api.Container, out *v1.Contai
out.TerminationMessagePath = in.TerminationMessagePath
out.TerminationMessagePolicy = v1.TerminationMessagePolicy(in.TerminationMessagePolicy)
out.ImagePullPolicy = v1.PullPolicy(in.ImagePullPolicy)
out.SecurityContext = (*v1.SecurityContext)(unsafe.Pointer(in.SecurityContext))
if in.SecurityContext != nil {
in, out := &in.SecurityContext, &out.SecurityContext
*out = new(v1.SecurityContext)
if err := Convert_api_SecurityContext_To_v1_SecurityContext(*in, *out, s); err != nil {
return err
}
} else {
out.SecurityContext = nil
}
out.Stdin = in.Stdin
out.StdinOnce = in.StdinOnce
out.TTY = in.TTY
@ -3502,8 +3518,28 @@ func autoConvert_v1_PodSpec_To_api_PodSpec(in *v1.PodSpec, out *api.PodSpec, s c
} else {
out.Volumes = nil
}
out.InitContainers = *(*[]api.Container)(unsafe.Pointer(&in.InitContainers))
out.Containers = *(*[]api.Container)(unsafe.Pointer(&in.Containers))
if in.InitContainers != nil {
in, out := &in.InitContainers, &out.InitContainers
*out = make([]api.Container, len(*in))
for i := range *in {
if err := Convert_v1_Container_To_api_Container(&(*in)[i], &(*out)[i], s); err != nil {
return err
}
}
} else {
out.InitContainers = nil
}
if in.Containers != nil {
in, out := &in.Containers, &out.Containers
*out = make([]api.Container, len(*in))
for i := range *in {
if err := Convert_v1_Container_To_api_Container(&(*in)[i], &(*out)[i], s); err != nil {
return err
}
}
} else {
out.Containers = nil
}
out.RestartPolicy = api.RestartPolicy(in.RestartPolicy)
out.TerminationGracePeriodSeconds = (*int64)(unsafe.Pointer(in.TerminationGracePeriodSeconds))
out.ActiveDeadlineSeconds = (*int64)(unsafe.Pointer(in.ActiveDeadlineSeconds))
@ -3549,11 +3585,27 @@ func autoConvert_api_PodSpec_To_v1_PodSpec(in *api.PodSpec, out *v1.PodSpec, s c
} else {
out.Volumes = nil
}
out.InitContainers = *(*[]v1.Container)(unsafe.Pointer(&in.InitContainers))
if in.Containers == nil {
out.Containers = make([]v1.Container, 0)
if in.InitContainers != nil {
in, out := &in.InitContainers, &out.InitContainers
*out = make([]v1.Container, len(*in))
for i := range *in {
if err := Convert_api_Container_To_v1_Container(&(*in)[i], &(*out)[i], s); err != nil {
return err
}
}
} else {
out.Containers = *(*[]v1.Container)(unsafe.Pointer(&in.Containers))
out.InitContainers = nil
}
if in.Containers != nil {
in, out := &in.Containers, &out.Containers
*out = make([]v1.Container, len(*in))
for i := range *in {
if err := Convert_api_Container_To_v1_Container(&(*in)[i], &(*out)[i], s); err != nil {
return err
}
}
} else {
out.Containers = make([]v1.Container, 0)
}
out.RestartPolicy = v1.RestartPolicy(in.RestartPolicy)
out.TerminationGracePeriodSeconds = (*int64)(unsafe.Pointer(in.TerminationGracePeriodSeconds))
@ -4533,6 +4585,7 @@ func autoConvert_v1_SecurityContext_To_api_SecurityContext(in *v1.SecurityContex
out.RunAsUser = (*int64)(unsafe.Pointer(in.RunAsUser))
out.RunAsNonRoot = (*bool)(unsafe.Pointer(in.RunAsNonRoot))
out.ReadOnlyRootFilesystem = (*bool)(unsafe.Pointer(in.ReadOnlyRootFilesystem))
out.AllowPrivilegeEscalation = (*bool)(unsafe.Pointer(in.AllowPrivilegeEscalation))
return nil
}
@ -4548,14 +4601,10 @@ func autoConvert_api_SecurityContext_To_v1_SecurityContext(in *api.SecurityConte
out.RunAsUser = (*int64)(unsafe.Pointer(in.RunAsUser))
out.RunAsNonRoot = (*bool)(unsafe.Pointer(in.RunAsNonRoot))
out.ReadOnlyRootFilesystem = (*bool)(unsafe.Pointer(in.ReadOnlyRootFilesystem))
out.AllowPrivilegeEscalation = (*bool)(unsafe.Pointer(in.AllowPrivilegeEscalation))
return nil
}
// Convert_api_SecurityContext_To_v1_SecurityContext is an autogenerated conversion function.
func Convert_api_SecurityContext_To_v1_SecurityContext(in *api.SecurityContext, out *v1.SecurityContext, s conversion.Scope) error {
return autoConvert_api_SecurityContext_To_v1_SecurityContext(in, out, s)
}
func autoConvert_v1_SerializedReference_To_api_SerializedReference(in *v1.SerializedReference, out *api.SerializedReference, s conversion.Scope) error {
if err := Convert_v1_ObjectReference_To_api_ObjectReference(&in.Reference, &out.Reference, s); err != nil {
return err


@ -5260,6 +5260,15 @@ func (in *SecurityContext) DeepCopyInto(out *SecurityContext) {
**out = **in
}
}
if in.AllowPrivilegeEscalation != nil {
in, out := &in.AllowPrivilegeEscalation, &out.AllowPrivilegeEscalation
if *in == nil {
*out = nil
} else {
*out = new(bool)
**out = **in
}
}
return
}


@ -922,6 +922,14 @@ type PodSecurityPolicySpec struct {
// will not be forced to.
// +optional
ReadOnlyRootFilesystem bool
// DefaultAllowPrivilegeEscalation controls the default setting for whether a
// process can gain more privileges than its parent process.
// +optional
DefaultAllowPrivilegeEscalation *bool
// AllowPrivilegeEscalation determines if a pod can request to allow
// privilege escalation.
// +optional
AllowPrivilegeEscalation bool
}
// HostPortRange defines a range of host ports that will be enabled by a policy
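Review bot: `AllowPrivilegeEscalation` is a plain `bool` marked `+optional`, so a policy that omits it cannot be told apart from one that sets it to false, and that includes every PodSecurityPolicy stored before the field existed. False is the restrictive value, but it is worth confirming that pods admitted under existing policies are not rejected after an upgrade; the admission logic is not in this hunk. At minimum the comment should state the omitted-value behaviour, for example `// Defaults to false when omitted.`, and say how the field constrains `DefaultAllowPrivilegeEscalation`. The struct begins above this hunk.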


@ -59,6 +59,7 @@ func addConversionFuncs(scheme *runtime.Scheme) error {
Convert_networking_NetworkPolicyPort_To_v1beta1_NetworkPolicyPort,
Convert_v1beta1_NetworkPolicySpec_To_networking_NetworkPolicySpec,
Convert_networking_NetworkPolicySpec_To_v1beta1_NetworkPolicySpec,
Convert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec,
)
if err != nil {
return err
@ -429,3 +430,7 @@ func Convert_networking_NetworkPolicyList_To_v1beta1_NetworkPolicyList(in *netwo
}
return nil
}
func Convert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(in *extensions.PodSecurityPolicySpec, out *extensionsv1beta1.PodSecurityPolicySpec, s conversion.Scope) error {
return autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(in, out, s)
}
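Review bot: `Convert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec` is registered as a custom conversion but only forwards to the generated `autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec`, and it carries no comment saying why a hand-written wrapper is needed. A one-line doc comment giving the reason would stop a later cleanup from deleting it by mistake. If there is no reason, dropping the wrapper and its line in `addConversionFuncs` should let the generator emit the function again.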


@ -1221,6 +1221,8 @@ func autoConvert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySp
return err
}
out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
out.DefaultAllowPrivilegeEscalation = (*bool)(unsafe.Pointer(in.DefaultAllowPrivilegeEscalation))
out.AllowPrivilegeEscalation = in.AllowPrivilegeEscalation
return nil
}
@ -1262,14 +1264,11 @@ func autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySp
return err
}
out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
out.DefaultAllowPrivilegeEscalation = (*bool)(unsafe.Pointer(in.DefaultAllowPrivilegeEscalation))
out.AllowPrivilegeEscalation = in.AllowPrivilegeEscalation
return nil
}
// Convert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec is an autogenerated conversion function.
func Convert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(in *extensions.PodSecurityPolicySpec, out *v1beta1.PodSecurityPolicySpec, s conversion.Scope) error {
return autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(in, out, s)
}
func autoConvert_v1beta1_ReplicaSet_To_extensions_ReplicaSet(in *v1beta1.ReplicaSet, out *extensions.ReplicaSet, s conversion.Scope) error {
out.ObjectMeta = in.ObjectMeta
if err := Convert_v1beta1_ReplicaSetSpec_To_extensions_ReplicaSetSpec(&in.Spec, &out.Spec, s); err != nil {


@ -661,6 +661,7 @@ func ValidatePodSecurityPolicySpec(spec *extensions.PodSecurityPolicySpec, fldPa
allErrs = append(allErrs, validatePodSecurityPolicyVolumes(fldPath, spec.Volumes)...)
allErrs = append(allErrs, validatePSPCapsAgainstDrops(spec.RequiredDropCapabilities, spec.DefaultAddCapabilities, field.NewPath("defaultAddCapabilities"))...)
allErrs = append(allErrs, validatePSPCapsAgainstDrops(spec.RequiredDropCapabilities, spec.AllowedCapabilities, field.NewPath("allowedCapabilities"))...)
allErrs = append(allErrs, validatePSPDefaultAllowPrivilegeEscalation(fldPath.Child("defaultAllowPrivilegeEscalation"), spec.DefaultAllowPrivilegeEscalation, spec.AllowPrivilegeEscalation)...)
return allErrs
}
@ -786,6 +787,16 @@ func validatePodSecurityPolicyVolumes(fldPath *field.Path, volumes []extensions.
return allErrs
}
// validatePSPDefaultAllowPrivilegeEscalation validates the DefaultAllowPrivilegeEscalation field against the AllowPrivilegeEscalation field of a PodSecurityPolicy.
func validatePSPDefaultAllowPrivilegeEscalation(fldPath *field.Path, defaultAllowPrivilegeEscalation *bool, allowPrivilegeEscalation bool) field.ErrorList {
allErrs := field.ErrorList{}
if defaultAllowPrivilegeEscalation != nil && *defaultAllowPrivilegeEscalation && !allowPrivilegeEscalation {
allErrs = append(allErrs, field.Invalid(fldPath, defaultAllowPrivilegeEscalation, "Cannot set DefaultAllowPrivilegeEscalation to true without also setting AllowPrivilegeEscalation to true"))
}
return allErrs
}
const sysctlPatternSegmentFmt string = "([a-z0-9][-_a-z0-9]*)?[a-z0-9*]"
const SysctlPatternFmt string = "(" + apivalidation.SysctlSegmentFmt + "\\.)*" + sysctlPatternSegmentFmt
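Review bot: The error text in `validatePSPDefaultAllowPrivilegeEscalation` names the Go fields and starts with a capital, while the path it is attached to uses the serialized name `defaultAllowPrivilegeEscalation` and the neighbouring messages are lower-case (`must be a valid seccomp profile`). A policy author only sees the JSON names, so I would write `"cannot be true unless allowPrivilegeEscalation is also true"` and update the matching `errorDetail` in the test. The doc comment could also give the reason for the rule: a policy must not default containers into a setting that the same policy does not allow.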


@ -2494,6 +2494,10 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
seccomp.AllowedProfilesAnnotationKey: "docker/default,not-good",
}
invalidDefaultAllowPrivilegeEscalation := validPSP()
pe := true
invalidDefaultAllowPrivilegeEscalation.Spec.DefaultAllowPrivilegeEscalation = &pe
type testCase struct {
psp *extensions.PodSecurityPolicy
errorType field.ErrorType
@ -2600,6 +2604,11 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
errorType: field.ErrorTypeInvalid,
errorDetail: "must be a valid seccomp profile",
},
"invalid defaultAllowPrivilegeEscalation": {
psp: invalidDefaultAllowPrivilegeEscalation,
errorType: field.ErrorTypeInvalid,
errorDetail: "Cannot set DefaultAllowPrivilegeEscalation to true without also setting AllowPrivilegeEscalation to true",
},
}
for k, v := range errorCases {
@ -2674,6 +2683,11 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
seccomp.AllowedProfilesAnnotationKey: "docker/default,unconfined,localhost/foo",
}
validDefaultAllowPrivilegeEscalation := validPSP()
pe = true
validDefaultAllowPrivilegeEscalation.Spec.DefaultAllowPrivilegeEscalation = &pe
validDefaultAllowPrivilegeEscalation.Spec.AllowPrivilegeEscalation = true
successCases := map[string]struct {
psp *extensions.PodSecurityPolicy
}{
@ -2701,6 +2715,9 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
"valid seccomp annotations": {
psp: validSeccomp,
},
"valid defaultAllowPrivilegeEscalation as true": {
psp: validDefaultAllowPrivilegeEscalation,
},
}
for k, v := range successCases {
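Review bot: The new cases cover only `DefaultAllowPrivilegeEscalation` true with `AllowPrivilegeEscalation` false (error) and true with true (success); an explicit default of false, with the allow field set either way, is not exercised, so a regression that rejects the restrictive setting would go unnoticed. Both fixtures also take `&pe`, the same variable, which makes the second `pe = true` a no-op and ties the two policies to a single bool; separate locals such as `peTrue := true` and `peFalse := false` avoid that. The test function starts and ends outside these hunks.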


@ -1316,6 +1316,15 @@ func (in *PodSecurityPolicySpec) DeepCopyInto(out *PodSecurityPolicySpec) {
in.RunAsUser.DeepCopyInto(&out.RunAsUser)
in.SupplementalGroups.DeepCopyInto(&out.SupplementalGroups)
in.FSGroup.DeepCopyInto(&out.FSGroup)
if in.DefaultAllowPrivilegeEscalation != nil {
in, out := &in.DefaultAllowPrivilegeEscalation, &out.DefaultAllowPrivilegeEscalation
if *in == nil {
*out = nil
} else {
*out = new(bool)
**out = **in
}
}
return
}


@ -1349,6 +1349,9 @@ type LinuxContainerSecurityContext struct {
// * localhost/<full-path-to-profile>: the profile installed on the node.
// <full-path-to-profile> is the full path of the profile.
SeccompProfilePath string `protobuf:"bytes,10,opt,name=seccomp_profile_path,json=seccompProfilePath,proto3" json:"seccomp_profile_path,omitempty"`
// no_new_privs defines if the flag for no_new_privs should be set on the
// container.
NoNewPrivs bool `protobuf:"varint,11,opt,name=no_new_privs,json=noNewPrivs,proto3" json:"no_new_privs,omitempty"`
}
func (m *LinuxContainerSecurityContext) Reset() { *m = LinuxContainerSecurityContext{} }
@ -1427,6 +1430,13 @@ func (m *LinuxContainerSecurityContext) GetSeccompProfilePath() string {
return ""
}
func (m *LinuxContainerSecurityContext) GetNoNewPrivs() bool {
if m != nil {
return m.NoNewPrivs
}
return false
}
// LinuxContainerConfig contains platform-specific configuration for
// Linux-based containers.
type LinuxContainerConfig struct {
@ -5740,6 +5750,16 @@ func (m *LinuxContainerSecurityContext) MarshalTo(dAtA []byte) (int, error) {
i = encodeVarintApi(dAtA, i, uint64(len(m.SeccompProfilePath)))
i += copy(dAtA[i:], m.SeccompProfilePath)
}
if m.NoNewPrivs {
dAtA[i] = 0x58
i++
if m.NoNewPrivs {
dAtA[i] = 1
} else {
dAtA[i] = 0
}
i++
}
return i, nil
}
@ -8702,6 +8722,9 @@ func (m *LinuxContainerSecurityContext) Size() (n int) {
if l > 0 {
n += 1 + l + sovApi(uint64(l))
}
if m.NoNewPrivs {
n += 2
}
return n
}
@ -10161,6 +10184,7 @@ func (this *LinuxContainerSecurityContext) String() string {
`SupplementalGroups:` + fmt.Sprintf("%v", this.SupplementalGroups) + `,`,
`ApparmorProfile:` + fmt.Sprintf("%v", this.ApparmorProfile) + `,`,
`SeccompProfilePath:` + fmt.Sprintf("%v", this.SeccompProfilePath) + `,`,
`NoNewPrivs:` + fmt.Sprintf("%v", this.NoNewPrivs) + `,`,
`}`,
}, "")
return s
@ -16013,6 +16037,26 @@ func (m *LinuxContainerSecurityContext) Unmarshal(dAtA []byte) error {
}
m.SeccompProfilePath = string(dAtA[iNdEx:postIndex])
iNdEx = postIndex
case 11:
if wireType != 0 {
return fmt.Errorf("proto: wrong wireType = %d for field NoNewPrivs", wireType)
}
var v int
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowApi
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
v |= (int(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
m.NoNewPrivs = bool(v != 0)
default:
iNdEx = preIndex
skippy, err := skipApi(dAtA[iNdEx:])
@ -24029,260 +24073,262 @@ var (
func init() { proto.RegisterFile("api.proto", fileDescriptorApi) }
var fileDescriptorApi = []byte{
// 4080 bytes of a gzipped FileDescriptorProto
// 4103 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x3b, 0x4d, 0x6f, 0x1c, 0x47,
0x76, 0x9c, 0x19, 0x7e, 0xcc, 0xbc, 0xe1, 0x0c, 0x87, 0x25, 0x8a, 0x1c, 0x8d, 0x24, 0x9a, 0x6e,
0x59, 0xb6, 0xa4, 0x5d, 0xc9, 0x32, 0xbd, 0xb6, 0x63, 0xf9, 0x4b, 0x63, 0x92, 0x32, 0x68, 0x49,
0x24, 0xb7, 0x47, 0xf4, 0xee, 0x66, 0x03, 0x74, 0x9a, 0xd3, 0xc5, 0x61, 0xdb, 0x33, 0x5d, 0xbd,
0xdd, 0xd5, 0xb2, 0x98, 0x53, 0x72, 0x09, 0x72, 0x74, 0x80, 0x5c, 0x72, 0xcb, 0x21, 0xc0, 0x22,
0x97, 0x1c, 0x72, 0xca, 0x2f, 0x08, 0x16, 0x08, 0x02, 0xe4, 0x14, 0x24, 0xb7, 0x5d, 0xe5, 0x90,
0x43, 0x80, 0xfc, 0x86, 0xa0, 0xbe, 0xba, 0xab, 0xbf, 0x46, 0xa4, 0x6c, 0xec, 0xea, 0xd6, 0xf5,
0xea, 0xbd, 0x57, 0xaf, 0xea, 0xbd, 0x7a, 0xf5, 0xde, 0xab, 0x6a, 0x68, 0xd8, 0xbe, 0x7b, 0xc7,
0x0f, 0x08, 0x25, 0x68, 0x21, 0x88, 0x3c, 0xea, 0x4e, 0x70, 0xef, 0xf6, 0xc8, 0xa5, 0x27, 0xd1,
0xd1, 0x9d, 0x21, 0x99, 0xbc, 0x3d, 0x22, 0x23, 0xf2, 0x36, 0xef, 0x3f, 0x8a, 0x8e, 0x79, 0x8b,
0x37, 0xf8, 0x97, 0xa0, 0x33, 0x6e, 0x41, 0xfb, 0x2b, 0x1c, 0x84, 0x2e, 0xf1, 0x4c, 0xfc, 0xab,
0x08, 0x87, 0x14, 0x75, 0x61, 0xe1, 0xa9, 0x80, 0x74, 0x2b, 0x1b, 0x95, 0x1b, 0x0d, 0x53, 0x35,
0x8d, 0x5f, 0x57, 0x60, 0x29, 0x46, 0x0e, 0x7d, 0xe2, 0x85, 0xb8, 0x1c, 0x1b, 0xbd, 0x0e, 0x8b,
0x52, 0x26, 0xcb, 0xb3, 0x27, 0xb8, 0x5b, 0xe5, 0xdd, 0x4d, 0x09, 0xdb, 0xb3, 0x27, 0x18, 0xbd,
0x05, 0x4b, 0x0a, 0x45, 0x31, 0xa9, 0x71, 0xac, 0xb6, 0x04, 0xcb, 0xd1, 0xd0, 0x1d, 0xb8, 0xa0,
0x10, 0x6d, 0xdf, 0x8d, 0x91, 0x67, 0x39, 0xf2, 0xb2, 0xec, 0xea, 0xfb, 0xae, 0xc4, 0x37, 0x7e,
0x09, 0x8d, 0xed, 0xbd, 0xc1, 0x16, 0xf1, 0x8e, 0xdd, 0x11, 0x13, 0x31, 0xc4, 0x01, 0xa3, 0xe9,
0x56, 0x36, 0x6a, 0x4c, 0x44, 0xd9, 0x44, 0x3d, 0xa8, 0x87, 0xd8, 0x0e, 0x86, 0x27, 0x38, 0xec,
0x56, 0x79, 0x57, 0xdc, 0x66, 0x54, 0xc4, 0xa7, 0x2e, 0xf1, 0xc2, 0x6e, 0x4d, 0x50, 0xc9, 0xa6,
0xf1, 0xb7, 0x15, 0x68, 0x1e, 0x90, 0x80, 0x3e, 0xb6, 0x7d, 0xdf, 0xf5, 0x46, 0xe8, 0x36, 0xd4,
0xf9, 0x5a, 0x0e, 0xc9, 0x98, 0xaf, 0x41, 0x7b, 0x73, 0xf9, 0x8e, 0x14, 0xe9, 0xce, 0x81, 0xec,
0x30, 0x63, 0x14, 0x74, 0x1d, 0xda, 0x43, 0xe2, 0x51, 0xdb, 0xf5, 0x70, 0x60, 0xf9, 0x24, 0xa0,
0x7c, 0x65, 0xe6, 0xcc, 0x56, 0x0c, 0x65, 0xcc, 0xd1, 0x65, 0x68, 0x9c, 0x90, 0x90, 0x0a, 0x8c,
0x1a, 0xc7, 0xa8, 0x33, 0x00, 0xef, 0x5c, 0x83, 0x05, 0xde, 0xe9, 0xfa, 0x72, 0x0d, 0xe6, 0x59,
0x73, 0xd7, 0x37, 0xbe, 0xab, 0xc0, 0xdc, 0x63, 0x12, 0x79, 0x34, 0x33, 0x8c, 0x4d, 0x4f, 0xa4,
0x7e, 0xb4, 0x61, 0x6c, 0x7a, 0x92, 0x0c, 0xc3, 0x30, 0x84, 0x8a, 0xc4, 0x30, 0xac, 0xb3, 0x07,
0xf5, 0x00, 0xdb, 0x0e, 0xf1, 0xc6, 0xa7, 0x5c, 0x84, 0xba, 0x19, 0xb7, 0x99, 0xee, 0x42, 0x3c,
0x76, 0xbd, 0xe8, 0x99, 0x15, 0xe0, 0xb1, 0x7d, 0x84, 0xc7, 0x5c, 0x94, 0xba, 0xd9, 0x96, 0x60,
0x53, 0x40, 0x8d, 0xaf, 0x61, 0x89, 0x29, 0x3b, 0xf4, 0xed, 0x21, 0xde, 0xe7, 0x4b, 0xc8, 0x4c,
0x83, 0x0f, 0xea, 0x61, 0xfa, 0x2d, 0x09, 0xbe, 0xe1, 0x92, 0xd5, 0xcd, 0x26, 0x83, 0xed, 0x09,
0x10, 0xba, 0x04, 0x75, 0x21, 0x97, 0xeb, 0x70, 0xb1, 0xea, 0x26, 0x9f, 0xf1, 0x81, 0xeb, 0xc4,
0x5d, 0xae, 0x3f, 0x94, 0x52, 0x2d, 0x88, 0xd9, 0x0f, 0x0d, 0x03, 0x60, 0xd7, 0xa3, 0xef, 0xff,
0xe4, 0x2b, 0x7b, 0x1c, 0x61, 0xb4, 0x02, 0x73, 0x4f, 0xd9, 0x07, 0xe7, 0x5f, 0x33, 0x45, 0xc3,
0xf8, 0xcb, 0x1a, 0x5c, 0x7e, 0xc4, 0x04, 0x1c, 0xd8, 0x9e, 0x73, 0x44, 0x9e, 0x0d, 0xf0, 0x30,
0x0a, 0x5c, 0x7a, 0xba, 0x45, 0x3c, 0x8a, 0x9f, 0x51, 0xb4, 0x03, 0xcb, 0x9e, 0x92, 0xd7, 0x52,
0x26, 0xc0, 0x38, 0x34, 0x37, 0xbb, 0xb1, 0x5e, 0x33, 0x33, 0x32, 0x3b, 0x5e, 0x1a, 0x10, 0xa2,
0xcf, 0x92, 0xf5, 0x51, 0x4c, 0xaa, 0x9c, 0xc9, 0x6a, 0xcc, 0x64, 0xb0, 0xc3, 0xe5, 0x90, 0x2c,
0xd4, 0xba, 0x29, 0x06, 0xef, 0x02, 0xdb, 0x2b, 0x96, 0x1d, 0x5a, 0x51, 0x88, 0x03, 0x3e, 0xd3,
0xe6, 0xe6, 0x85, 0x98, 0x38, 0x99, 0xa7, 0xd9, 0x08, 0x22, 0xaf, 0x1f, 0x1e, 0x86, 0x38, 0xe0,
0x3b, 0x4a, 0x6a, 0xc8, 0x0a, 0x08, 0xa1, 0xc7, 0xa1, 0xd2, 0x8a, 0x02, 0x9b, 0x1c, 0x8a, 0xde,
0x86, 0x0b, 0x61, 0xe4, 0xfb, 0x63, 0x3c, 0xc1, 0x1e, 0xb5, 0xc7, 0xd6, 0x28, 0x20, 0x91, 0x1f,
0x76, 0xe7, 0x36, 0x6a, 0x37, 0x6a, 0x26, 0xd2, 0xbb, 0xbe, 0xe0, 0x3d, 0x68, 0x1d, 0xc0, 0x0f,
0xdc, 0xa7, 0xee, 0x18, 0x8f, 0xb0, 0xd3, 0x9d, 0xe7, 0x4c, 0x35, 0x08, 0xba, 0x0b, 0x2b, 0x21,
0x1e, 0x0e, 0xc9, 0xc4, 0xb7, 0xfc, 0x80, 0x1c, 0xbb, 0x63, 0x2c, 0x6c, 0x6a, 0x81, 0xdb, 0x14,
0x92, 0x7d, 0x07, 0xa2, 0x8b, 0x59, 0x97, 0xf1, 0x5d, 0x15, 0x2e, 0xf2, 0x05, 0x38, 0x20, 0x8e,
0xd4, 0x85, 0xdc, 0xb1, 0xd7, 0xa0, 0x35, 0xe4, 0x02, 0x59, 0xbe, 0x1d, 0x60, 0x8f, 0x4a, 0xd3,
0x5d, 0x14, 0xc0, 0x03, 0x0e, 0x43, 0xfb, 0xd0, 0x09, 0xa5, 0xea, 0xac, 0xa1, 0xd0, 0x9d, 0x5c,
0xe1, 0x37, 0xe2, 0x45, 0x9a, 0xa2, 0x67, 0x73, 0x29, 0xcc, 0x29, 0x7e, 0x21, 0x3c, 0x0d, 0x87,
0x74, 0x2c, 0x76, 0x7c, 0x73, 0xf3, 0x47, 0x69, 0x3e, 0x59, 0x31, 0xef, 0x0c, 0x04, 0xf6, 0x8e,
0x47, 0x83, 0x53, 0x53, 0xd1, 0xf6, 0xee, 0xc1, 0xa2, 0xde, 0x81, 0x3a, 0x50, 0xfb, 0x06, 0x9f,
0xca, 0x29, 0xb0, 0xcf, 0xc4, 0x2e, 0xc5, 0x7e, 0x13, 0x8d, 0x7b, 0xd5, 0x3f, 0xaa, 0x18, 0x01,
0xa0, 0x64, 0x94, 0xc7, 0x98, 0xda, 0x8e, 0x4d, 0x6d, 0x84, 0x60, 0x96, 0x7b, 0x50, 0xc1, 0x82,
0x7f, 0x33, 0xae, 0x91, 0xdc, 0x1a, 0x0d, 0x93, 0x7d, 0xa2, 0x2b, 0xd0, 0x88, 0x8d, 0x50, 0xba,
0xd1, 0x04, 0xc0, 0xdc, 0x99, 0x4d, 0x29, 0x9e, 0xf8, 0x94, 0x1b, 0x44, 0xcb, 0x54, 0x4d, 0xe3,
0x9f, 0x67, 0xa1, 0x93, 0xd3, 0xc0, 0x07, 0x50, 0x9f, 0xc8, 0xe1, 0xa5, 0xed, 0x5f, 0x4e, 0x7c,
0x5a, 0x4e, 0x42, 0x33, 0x46, 0x66, 0x2e, 0x83, 0x6d, 0x46, 0xcd, 0xe3, 0xc7, 0x6d, 0xa6, 0xd6,
0x31, 0x19, 0x59, 0x8e, 0x1b, 0xe0, 0x21, 0x25, 0xc1, 0xa9, 0x94, 0x72, 0x71, 0x4c, 0x46, 0xdb,
0x0a, 0x86, 0xde, 0x01, 0x70, 0xbc, 0x90, 0x69, 0xf4, 0xd8, 0x1d, 0x71, 0x59, 0x9b, 0x9b, 0x28,
0x1e, 0x3b, 0xf6, 0xea, 0x66, 0xc3, 0xf1, 0x42, 0x29, 0xec, 0x87, 0xd0, 0x62, 0x5e, 0xd2, 0x9a,
0x08, 0x87, 0x2c, 0xac, 0xb8, 0xb9, 0xb9, 0xa2, 0x49, 0x1c, 0x7b, 0x6b, 0x73, 0xd1, 0x4f, 0x1a,
0x21, 0xfa, 0x04, 0xe6, 0xb9, 0x97, 0x0a, 0xbb, 0xf3, 0x9c, 0xe6, 0x7a, 0xc1, 0x2c, 0xa5, 0xb6,
0x1f, 0x71, 0x3c, 0xa1, 0x6c, 0x49, 0x84, 0x1e, 0x41, 0xd3, 0xf6, 0x3c, 0x42, 0x6d, 0xb1, 0xc1,
0x17, 0x38, 0x8f, 0x5b, 0xe5, 0x3c, 0xfa, 0x09, 0xb2, 0x60, 0xa4, 0x93, 0xa3, 0x9f, 0xc0, 0x1c,
0xf7, 0x00, 0xdd, 0x3a, 0x9f, 0xf5, 0xfa, 0x74, 0xf3, 0x33, 0x05, 0x72, 0xef, 0x43, 0x68, 0x6a,
0xa2, 0x9d, 0xc7, 0xdc, 0x7a, 0x9f, 0x42, 0x27, 0x2b, 0xd1, 0xb9, 0xcc, 0x75, 0x17, 0x56, 0xcc,
0xc8, 0x4b, 0x04, 0x53, 0x21, 0xc4, 0x3b, 0x30, 0x2f, 0xf5, 0x27, 0x6c, 0xe7, 0x52, 0xe9, 0x8a,
0x98, 0x12, 0xd1, 0xf8, 0x04, 0x2e, 0x66, 0x58, 0xc9, 0x00, 0xe3, 0x0d, 0x68, 0xfb, 0xc4, 0xb1,
0x42, 0x01, 0xb6, 0x5c, 0x47, 0x39, 0x03, 0x3f, 0xc6, 0xdd, 0x75, 0x18, 0xf9, 0x80, 0x12, 0x3f,
0x2f, 0xca, 0xd9, 0xc8, 0xbb, 0xb0, 0x9a, 0x25, 0x17, 0xc3, 0x1b, 0x9f, 0xc1, 0x9a, 0x89, 0x27,
0xe4, 0x29, 0x7e, 0x59, 0xd6, 0x3d, 0xe8, 0xe6, 0x19, 0x24, 0xcc, 0x13, 0xe8, 0x80, 0xda, 0x34,
0x0a, 0xcf, 0xc7, 0xfc, 0xa6, 0xce, 0x40, 0x1e, 0x9d, 0x82, 0x0f, 0x6a, 0x43, 0xd5, 0xf5, 0x25,
0x51, 0xd5, 0xf5, 0x8d, 0xcf, 0xa0, 0x11, 0x1f, 0x5a, 0x68, 0x33, 0x09, 0x6e, 0xaa, 0x2f, 0x38,
0xd9, 0xe2, 0xb0, 0xe7, 0x61, 0xce, 0x5b, 0xcb, 0x91, 0x36, 0x01, 0x62, 0x3f, 0xa3, 0x4e, 0x4a,
0x94, 0xe7, 0x67, 0x6a, 0x58, 0xc6, 0xdf, 0xa7, 0x9c, 0x8e, 0x26, 0xb2, 0x13, 0x8b, 0xec, 0xa4,
0x9c, 0x50, 0xf5, 0x3c, 0x4e, 0xe8, 0x0e, 0xcc, 0x85, 0xd4, 0xa6, 0xc2, 0x0d, 0xb6, 0xb5, 0xc9,
0xa5, 0x87, 0xc4, 0xa6, 0x40, 0x43, 0x57, 0x01, 0x86, 0x01, 0xb6, 0x29, 0x76, 0x2c, 0x5b, 0xf8,
0xc7, 0x9a, 0xd9, 0x90, 0x90, 0x3e, 0x45, 0xf7, 0x60, 0x41, 0x45, 0x2a, 0x73, 0x5c, 0x8c, 0x8d,
0x02, 0x86, 0xa9, 0xd5, 0x37, 0x15, 0x41, 0xb2, 0xa7, 0xe7, 0xa7, 0xef, 0x69, 0x49, 0x27, 0x90,
0x35, 0xb7, 0xb4, 0x50, 0xea, 0x96, 0x04, 0xc5, 0x59, 0xdc, 0x52, 0xbd, 0xd4, 0x2d, 0x49, 0x1e,
0x53, 0xdd, 0xd2, 0x1f, 0xd2, 0xc1, 0x3c, 0x86, 0x6e, 0x7e, 0x83, 0x48, 0xc7, 0xf0, 0x0e, 0xcc,
0x87, 0x1c, 0x32, 0xc5, 0xc9, 0x48, 0x12, 0x89, 0x68, 0x3c, 0x80, 0x95, 0x8c, 0x05, 0x88, 0x40,
0x31, 0xb6, 0x97, 0xca, 0x99, 0xec, 0xc5, 0xf8, 0xbf, 0x8a, 0x6e, 0xbd, 0x0f, 0xdc, 0x31, 0xc5,
0x41, 0xce, 0x7a, 0xdf, 0x55, 0x4c, 0x85, 0xe9, 0x5e, 0x2d, 0x63, 0x2a, 0x62, 0x38, 0x69, 0x89,
0x03, 0x68, 0x73, 0x1d, 0x5a, 0x21, 0x1e, 0xf3, 0x03, 0x51, 0x86, 0x22, 0x3f, 0x2e, 0xa0, 0x16,
0xe3, 0x0a, 0x03, 0x18, 0x48, 0x74, 0xa1, 0xbe, 0xd6, 0x58, 0x87, 0xf5, 0xee, 0x03, 0xca, 0x23,
0x9d, 0x4b, 0x0f, 0x5f, 0xb2, 0xbd, 0xcf, 0x72, 0x8f, 0x02, 0x4f, 0x7f, 0xcc, 0xc5, 0x98, 0xa2,
0x04, 0x21, 0xa7, 0x29, 0x11, 0x8d, 0xbf, 0xab, 0x01, 0x24, 0x9d, 0xaf, 0xec, 0xa6, 0xff, 0x20,
0xde, 0x82, 0x22, 0x9a, 0x78, 0xad, 0x80, 0x5f, 0xe1, 0xe6, 0x7b, 0x90, 0xde, 0x7c, 0x22, 0xae,
0x78, 0xa3, 0x88, 0xfa, 0x95, 0xdd, 0x76, 0x5b, 0xb0, 0x9a, 0x55, 0xb7, 0xdc, 0x74, 0x37, 0x61,
0xce, 0xa5, 0x78, 0x22, 0x32, 0x69, 0x3d, 0x1d, 0xd1, 0x70, 0x05, 0x86, 0xf1, 0x3a, 0x34, 0x76,
0x27, 0xf6, 0x08, 0x0f, 0x7c, 0x3c, 0x64, 0x63, 0xb9, 0xac, 0x21, 0xc7, 0x17, 0x0d, 0x63, 0x13,
0xea, 0x0f, 0xf1, 0xa9, 0xd8, 0x83, 0x67, 0x94, 0xcf, 0xf8, 0xd7, 0x0a, 0xac, 0x71, 0xdf, 0xb9,
0xa5, 0xf2, 0x58, 0x13, 0x87, 0x24, 0x0a, 0x86, 0x38, 0xe4, 0x2a, 0xf5, 0x23, 0xcb, 0xc7, 0x81,
0x4b, 0x1c, 0x99, 0xf5, 0x35, 0x86, 0x7e, 0x74, 0xc0, 0x01, 0x2c, 0xd7, 0x65, 0xdd, 0xbf, 0x8a,
0x88, 0xb4, 0xad, 0x9a, 0x59, 0x1f, 0xfa, 0xd1, 0x4f, 0x59, 0x5b, 0xd1, 0x86, 0x27, 0x76, 0x80,
0x43, 0x6e, 0x43, 0x82, 0x76, 0xc0, 0x01, 0xe8, 0x1d, 0xb8, 0x38, 0xc1, 0x13, 0x12, 0x9c, 0x5a,
0x63, 0x77, 0xe2, 0x52, 0xcb, 0xf5, 0xac, 0xa3, 0x53, 0x8a, 0x43, 0x69, 0x38, 0x48, 0x74, 0x3e,
0x62, 0x7d, 0xbb, 0xde, 0xe7, 0xac, 0x07, 0x19, 0xd0, 0x22, 0x64, 0x62, 0x85, 0x43, 0x12, 0x60,
0xcb, 0x76, 0xbe, 0xe6, 0x87, 0x47, 0xcd, 0x6c, 0x12, 0x32, 0x19, 0x30, 0x58, 0xdf, 0xf9, 0xda,
0xb0, 0xa1, 0x95, 0xca, 0x02, 0x59, 0xac, 0xcf, 0xd3, 0x3d, 0x19, 0xeb, 0xb3, 0x6f, 0x06, 0x0b,
0xc8, 0x58, 0xad, 0x03, 0xff, 0x66, 0x30, 0x7a, 0xea, 0xab, 0x40, 0x9f, 0x7f, 0xb3, 0x05, 0x1b,
0xe3, 0xa7, 0x32, 0x11, 0x6f, 0x98, 0xa2, 0x61, 0x38, 0x00, 0x5b, 0xb6, 0x6f, 0x1f, 0xb9, 0x63,
0x97, 0x9e, 0xa2, 0x9b, 0xd0, 0xb1, 0x1d, 0xc7, 0x1a, 0x2a, 0x88, 0x8b, 0x55, 0x55, 0x64, 0xc9,
0x76, 0x9c, 0x2d, 0x0d, 0x8c, 0x7e, 0x04, 0xcb, 0x4e, 0x40, 0xfc, 0x34, 0xae, 0x28, 0x93, 0x74,
0x58, 0x87, 0x8e, 0x6c, 0xfc, 0xcd, 0x2c, 0x5c, 0x4d, 0xab, 0x25, 0x9b, 0x57, 0x7f, 0x00, 0x8b,
0x99, 0x51, 0xd3, 0x09, 0x6d, 0x22, 0xa4, 0x99, 0x42, 0xcc, 0x64, 0x9e, 0xd5, 0x5c, 0xe6, 0x59,
0x98, 0xb0, 0xd7, 0x7e, 0x88, 0x84, 0x7d, 0xf6, 0xfb, 0x24, 0xec, 0x73, 0x67, 0x4a, 0xd8, 0xdf,
0xe4, 0x25, 0x30, 0x45, 0xc4, 0xd3, 0xa6, 0x79, 0x51, 0xa7, 0x89, 0x71, 0x3c, 0x55, 0x2a, 0xcb,
0x24, 0xf6, 0x0b, 0xe7, 0x49, 0xec, 0xeb, 0xa5, 0x89, 0x3d, 0xb3, 0x08, 0xdf, 0xb7, 0x83, 0x09,
0x09, 0x54, 0xe6, 0xde, 0x6d, 0x70, 0x11, 0x96, 0x14, 0x5c, 0x66, 0xed, 0xa5, 0x39, 0x3e, 0x94,
0xe6, 0xf8, 0xff, 0x50, 0x81, 0x95, 0xb4, 0x59, 0xc8, 0x9c, 0xed, 0x53, 0x68, 0x04, 0x6a, 0xdf,
0x4a, 0x53, 0xd8, 0x48, 0xc7, 0x46, 0xf9, 0xfd, 0x6d, 0x26, 0x24, 0xe8, 0xa7, 0xa5, 0xd9, 0xff,
0x9b, 0x25, 0x6c, 0x5e, 0x94, 0xff, 0x1b, 0x7d, 0x58, 0x8e, 0x91, 0xa7, 0xe6, 0xde, 0x5a, 0x2e,
0x5d, 0x4d, 0xe7, 0xd2, 0x1e, 0xcc, 0x6f, 0xe3, 0xa7, 0xee, 0x10, 0xff, 0x20, 0xe5, 0xb7, 0x0d,
0x68, 0xfa, 0x38, 0x98, 0xb8, 0x61, 0x18, 0x9b, 0x74, 0xc3, 0xd4, 0x41, 0xc6, 0x7f, 0xcd, 0xc1,
0x52, 0x76, 0x65, 0xdf, 0xcf, 0xa5, 0xee, 0xbd, 0x64, 0x8f, 0x65, 0xe7, 0xa7, 0x9d, 0x9f, 0x37,
0x94, 0x8b, 0xae, 0x66, 0x22, 0xf8, 0xd8, 0x8b, 0x4b, 0xb7, 0xcd, 0xe6, 0x3f, 0x24, 0x93, 0x89,
0xed, 0x39, 0xaa, 0x34, 0x2a, 0x9b, 0x6c, 0xb5, 0xec, 0x60, 0xc4, 0x36, 0x0e, 0x03, 0xf3, 0x6f,
0xf4, 0x1a, 0x34, 0x59, 0x24, 0xec, 0x7a, 0x3c, 0xf3, 0xe7, 0xdb, 0xa2, 0x61, 0x82, 0x04, 0x6d,
0xbb, 0x01, 0xba, 0x0e, 0xb3, 0xd8, 0x7b, 0xaa, 0x4e, 0xca, 0xa4, 0x76, 0xaa, 0x8e, 0x06, 0x93,
0x77, 0xa3, 0x37, 0x61, 0x7e, 0x42, 0x22, 0x8f, 0xaa, 0x98, 0xb8, 0x1d, 0x23, 0xf2, 0x82, 0xa7,
0x29, 0x7b, 0xd1, 0x4d, 0x58, 0x70, 0xb8, 0x0e, 0x54, 0xe0, 0xbb, 0x94, 0x54, 0x0f, 0x38, 0xdc,
0x54, 0xfd, 0xe8, 0xe3, 0xf8, 0x8c, 0x6f, 0x64, 0x4e, 0xe9, 0xcc, 0xa2, 0x16, 0x1e, 0xf4, 0x0f,
0xd3, 0x07, 0x3d, 0x70, 0x16, 0x37, 0x4b, 0x59, 0x4c, 0xcf, 0xfd, 0x2f, 0x41, 0x7d, 0x4c, 0x46,
0xc2, 0x0e, 0x9a, 0xa2, 0x90, 0x3e, 0x26, 0x23, 0x6e, 0x06, 0x2b, 0x2c, 0xb0, 0x71, 0x5c, 0xaf,
0xbb, 0xc8, 0x37, 0xbc, 0x68, 0xb0, 0xf3, 0x8a, 0x7f, 0x58, 0xc4, 0x1b, 0xe2, 0x6e, 0x8b, 0x77,
0x35, 0x38, 0x64, 0xdf, 0x1b, 0xf2, 0xe3, 0x94, 0xd2, 0xd3, 0x6e, 0x9b, 0xc3, 0xd9, 0x27, 0x8b,
0x47, 0x45, 0x26, 0xb2, 0x94, 0x89, 0x47, 0x8b, 0xf6, 0xe7, 0x2b, 0x50, 0x5c, 0xf8, 0xa7, 0x0a,
0xac, 0x6e, 0xf1, 0x70, 0x4c, 0xf3, 0x04, 0xe7, 0x48, 0x8e, 0xd1, 0xdd, 0xb8, 0x0a, 0x91, 0xcd,
0x71, 0xb3, 0x93, 0x95, 0x78, 0xe8, 0x3e, 0xb4, 0x15, 0x4f, 0x49, 0x59, 0x7b, 0x51, 0xfd, 0xa2,
0x15, 0xea, 0x4d, 0xe3, 0x63, 0x58, 0xcb, 0xc9, 0x2c, 0x43, 0xa7, 0xd7, 0x61, 0x31, 0xf1, 0x08,
0xb1, 0xc8, 0xcd, 0x18, 0xb6, 0xeb, 0x18, 0xf7, 0xe0, 0xe2, 0x80, 0xda, 0x01, 0xcd, 0x4d, 0xf8,
0x0c, 0xb4, 0xbc, 0x84, 0x91, 0xa6, 0x95, 0x55, 0x86, 0x01, 0xac, 0x0c, 0x28, 0xf1, 0x5f, 0x82,
0x29, 0xdb, 0xe9, 0x6c, 0xda, 0x24, 0xa2, 0x32, 0x5e, 0x52, 0x4d, 0x63, 0x4d, 0x14, 0x5c, 0xf2,
0xa3, 0x7d, 0x04, 0xab, 0xa2, 0xde, 0xf1, 0x32, 0x93, 0xb8, 0xa4, 0xaa, 0x2d, 0x79, 0xbe, 0xdb,
0x70, 0x21, 0x71, 0xe5, 0x49, 0xea, 0x76, 0x3b, 0x9d, 0xba, 0xad, 0xe5, 0x75, 0x9c, 0xca, 0xdc,
0xfe, 0xba, 0xaa, 0x39, 0xcc, 0x92, 0xc4, 0x6d, 0x33, 0x9d, 0xb8, 0x5d, 0x29, 0x61, 0x99, 0xca,
0xdb, 0xf2, 0x16, 0x59, 0x2b, 0xb0, 0x48, 0x33, 0x97, 0xdd, 0xcd, 0x66, 0x0a, 0xcd, 0x19, 0xd9,
0x7e, 0x2f, 0xc9, 0xdd, 0xae, 0x48, 0xee, 0xe2, 0xa1, 0xe3, 0x1a, 0xd4, 0xdd, 0x4c, 0x72, 0xd7,
0x2d, 0x13, 0x33, 0xce, 0xed, 0xfe, 0x6a, 0x16, 0x1a, 0x71, 0x5f, 0x6e, 0x61, 0xf3, 0x8b, 0x54,
0x2d, 0x58, 0x24, 0xfd, 0xfc, 0xaa, 0xbd, 0xcc, 0xf9, 0x35, 0xfb, 0xa2, 0xf3, 0xeb, 0x32, 0x34,
0xf8, 0x87, 0x15, 0xe0, 0x63, 0x79, 0x1e, 0xd5, 0x39, 0xc0, 0xc4, 0xc7, 0x89, 0x41, 0xcd, 0x9f,
0xc5, 0xa0, 0x32, 0x59, 0xe4, 0x42, 0x36, 0x8b, 0x7c, 0x3f, 0x3e, 0x61, 0xc4, 0x59, 0xb4, 0x9e,
0x67, 0x57, 0x78, 0xb6, 0xec, 0xa4, 0xcf, 0x16, 0x71, 0x3c, 0x5d, 0x2b, 0x20, 0x7e, 0x65, 0x73,
0xc8, 0x47, 0x22, 0x87, 0xd4, 0xad, 0x4a, 0x3a, 0xc2, 0x4d, 0x80, 0x78, 0xcf, 0xab, 0x44, 0x12,
0xe5, 0xa7, 0x66, 0x6a, 0x58, 0xcc, 0xab, 0xa4, 0xd6, 0x3f, 0x29, 0x94, 0x9e, 0xc1, 0xab, 0xfc,
0x8b, 0x1e, 0x25, 0x95, 0xd4, 0x1a, 0xdf, 0xcf, 0x95, 0x1d, 0xce, 0x66, 0x75, 0xb7, 0xd3, 0x55,
0x87, 0xf3, 0x99, 0x4b, 0xae, 0xe8, 0xc0, 0x0f, 0x75, 0x3b, 0x90, 0xdd, 0x22, 0x5f, 0x6c, 0x48,
0x48, 0x9f, 0xb2, 0x50, 0xea, 0xd8, 0xf5, 0xdc, 0xf0, 0x44, 0xf4, 0xcf, 0xf3, 0x7e, 0x50, 0xa0,
0x3e, 0xbf, 0x34, 0xc6, 0xcf, 0x5c, 0x6a, 0x0d, 0x89, 0x83, 0xb9, 0x31, 0xce, 0x99, 0x75, 0x06,
0xd8, 0x22, 0x0e, 0x4e, 0x36, 0x48, 0xfd, 0x5c, 0x1b, 0xa4, 0x91, 0xd9, 0x20, 0xab, 0x30, 0x1f,
0x60, 0x3b, 0x24, 0x9e, 0x0c, 0xfb, 0x65, 0x8b, 0x9d, 0x15, 0x13, 0x1c, 0x86, 0x6c, 0x00, 0x19,
0xc0, 0xc8, 0xa6, 0x16, 0x66, 0x2d, 0x96, 0x85, 0x59, 0x53, 0x8a, 0x99, 0x99, 0x30, 0xab, 0x55,
0x16, 0x66, 0x9d, 0xa5, 0x96, 0xa9, 0x05, 0x91, 0xed, 0xa9, 0x41, 0xa4, 0x1e, 0x8e, 0x2d, 0xa5,
0xc2, 0xb1, 0x3f, 0xe4, 0x9e, 0x7a, 0x08, 0x6b, 0xb9, 0x5d, 0x20, 0x37, 0xd5, 0xdd, 0x4c, 0x35,
0xb4, 0x5b, 0xb6, 0x40, 0x71, 0x31, 0xf4, 0x4f, 0x61, 0x69, 0xe7, 0x19, 0x1e, 0x0e, 0x4e, 0xbd,
0xe1, 0x39, 0x22, 0x82, 0x0e, 0xd4, 0x86, 0x13, 0x47, 0x96, 0x01, 0xd8, 0xa7, 0x1e, 0x23, 0xd4,
0xd2, 0x31, 0x82, 0x05, 0x9d, 0x64, 0x04, 0x29, 0xe7, 0x2a, 0x93, 0xd3, 0x61, 0xc8, 0x8c, 0xf9,
0xa2, 0x29, 0x5b, 0x12, 0x8e, 0x83, 0x80, 0xcf, 0x5a, 0xc0, 0x71, 0x10, 0xa4, 0x2d, 0xba, 0x96,
0xb6, 0x68, 0xe3, 0x6b, 0x68, 0xb2, 0x01, 0xbe, 0x97, 0xf8, 0x32, 0x50, 0xae, 0x25, 0x81, 0x72,
0x1c, 0x6f, 0xcf, 0x6a, 0xf1, 0xb6, 0xb1, 0x01, 0x8b, 0x62, 0x2c, 0x39, 0x91, 0x0e, 0xd4, 0xa2,
0x60, 0xac, 0xf4, 0x16, 0x05, 0x63, 0xe3, 0x8f, 0xa1, 0xd5, 0xa7, 0xd4, 0x1e, 0x9e, 0x9c, 0x43,
0x9e, 0x78, 0xac, 0xaa, 0x1e, 0xdb, 0xe7, 0x64, 0x32, 0x0c, 0x68, 0x2b, 0xde, 0xa5, 0xe3, 0xef,
0x01, 0x3a, 0x20, 0x01, 0x7d, 0x40, 0x82, 0x6f, 0xed, 0xc0, 0x39, 0x5f, 0xac, 0x8c, 0x60, 0x56,
0x3e, 0x45, 0xa9, 0xdd, 0x98, 0x33, 0xf9, 0xb7, 0xf1, 0x16, 0x5c, 0x48, 0xf1, 0x2b, 0x1d, 0xf8,
0x03, 0x68, 0x72, 0x17, 0x22, 0xe3, 0xa9, 0x1b, 0x7a, 0xad, 0x6f, 0x9a, 0x9f, 0x61, 0x19, 0x37,
0x3b, 0x23, 0x38, 0x3c, 0x76, 0xe8, 0x3f, 0xce, 0x44, 0x1d, 0x2b, 0x69, 0xfa, 0x4c, 0xc4, 0xf1,
0x8f, 0x15, 0x98, 0xe3, 0xf0, 0x9c, 0x47, 0xbf, 0x0c, 0x8d, 0x00, 0xfb, 0xc4, 0xa2, 0xf6, 0x28,
0x7e, 0xdd, 0xc3, 0x00, 0x4f, 0xec, 0x51, 0xc8, 0x1f, 0x27, 0xb1, 0x4e, 0xc7, 0x1d, 0xe1, 0x90,
0xaa, 0x27, 0x3e, 0x4d, 0x06, 0xdb, 0x16, 0x20, 0xb6, 0x24, 0xa1, 0xfb, 0x67, 0x22, 0x9c, 0x98,
0x35, 0xf9, 0x37, 0xba, 0x2e, 0x6e, 0xdd, 0xa7, 0x94, 0x76, 0xf8, 0x55, 0x7c, 0x0f, 0xea, 0x99,
0x6a, 0x4e, 0xdc, 0x36, 0x3e, 0x06, 0xa4, 0xcf, 0x59, 0x2e, 0xea, 0x9b, 0x30, 0xcf, 0x97, 0x44,
0x9d, 0x87, 0xed, 0xf4, 0xa4, 0x4d, 0xd9, 0x6b, 0x7c, 0x0a, 0x48, 0xac, 0x62, 0xea, 0x0c, 0x3c,
0xfb, 0x8a, 0x7f, 0x04, 0x17, 0x52, 0xf4, 0xf1, 0x25, 0x6b, 0x8a, 0x41, 0x76, 0x74, 0x49, 0xfc,
0x6f, 0x15, 0x80, 0x7e, 0x44, 0x4f, 0x64, 0xa1, 0x41, 0x9f, 0x65, 0x25, 0x3d, 0x4b, 0xd6, 0xe7,
0xdb, 0x61, 0xf8, 0x2d, 0x09, 0x54, 0x90, 0x17, 0xb7, 0x79, 0x91, 0x20, 0xa2, 0x27, 0xaa, 0x74,
0xc9, 0xbe, 0xd1, 0x75, 0x68, 0x8b, 0x47, 0x59, 0x96, 0xed, 0x38, 0x01, 0x0e, 0x43, 0x59, 0xc3,
0x6c, 0x09, 0x68, 0x5f, 0x00, 0x19, 0x9a, 0xeb, 0x60, 0x8f, 0xba, 0xf4, 0xd4, 0xa2, 0xe4, 0x1b,
0xec, 0xc9, 0xf0, 0xad, 0xa5, 0xa0, 0x4f, 0x18, 0x90, 0xa1, 0x05, 0x78, 0xe4, 0x86, 0x34, 0x50,
0x68, 0xaa, 0xa6, 0x26, 0xa1, 0x1c, 0xcd, 0xf8, 0x75, 0x05, 0x3a, 0x07, 0xd1, 0x78, 0x2c, 0x26,
0x79, 0xde, 0xb5, 0x44, 0x6f, 0xc9, 0x79, 0x54, 0x33, 0xd6, 0x90, 0x2c, 0x91, 0x9c, 0xdc, 0xf7,
0x4f, 0x2b, 0xef, 0xc2, 0xb2, 0x26, 0xa8, 0x54, 0x5a, 0xea, 0x94, 0xae, 0xa4, 0x4f, 0x69, 0x66,
0x28, 0x22, 0x93, 0x7a, 0xb9, 0xc9, 0x19, 0x17, 0xe1, 0x42, 0x8a, 0x5e, 0x66, 0x61, 0xb7, 0xa0,
0x25, 0x2f, 0x3a, 0xa5, 0x11, 0x5c, 0x82, 0x3a, 0x73, 0x2f, 0x43, 0xd7, 0x51, 0x35, 0xeb, 0x05,
0x9f, 0x38, 0x5b, 0xae, 0x13, 0x18, 0x7b, 0xd0, 0x32, 0x05, 0x7b, 0x89, 0xfb, 0x09, 0xb4, 0xe5,
0xb5, 0xa8, 0x95, 0x7a, 0x1e, 0x90, 0x14, 0x58, 0x53, 0xbc, 0xcd, 0x96, 0xa7, 0x37, 0x8d, 0x5f,
0x42, 0xef, 0xd0, 0x77, 0x58, 0x30, 0xa5, 0x73, 0x55, 0x53, 0xfb, 0x04, 0xd4, 0xa3, 0xc1, 0x32,
0xe6, 0x69, 0xb2, 0x56, 0xa0, 0x37, 0x8d, 0xab, 0x70, 0xb9, 0x90, 0xb9, 0x9c, 0xb7, 0x0f, 0x9d,
0xa4, 0xc3, 0x71, 0x55, 0xa9, 0x9e, 0x97, 0xe0, 0x2b, 0x5a, 0x09, 0x7e, 0x35, 0x3e, 0x86, 0x85,
0x43, 0x97, 0x2d, 0x2d, 0x68, 0xaa, 0x95, 0x05, 0x4d, 0xb3, 0xa9, 0xa0, 0xc9, 0xf8, 0x32, 0x5e,
0x3d, 0x19, 0xb1, 0x7e, 0xc8, 0xc3, 0x66, 0x31, 0xb6, 0x72, 0x13, 0x97, 0x0a, 0x26, 0x27, 0x30,
0x4c, 0x0d, 0xd9, 0x58, 0x82, 0x56, 0xca, 0x61, 0x18, 0xf7, 0xa1, 0x9d, 0xf1, 0x00, 0x77, 0x32,
0xf1, 0x43, 0x6e, 0xd9, 0x32, 0xd1, 0xc3, 0x8a, 0x74, 0x44, 0x0f, 0xc2, 0x5d, 0xef, 0x98, 0x28,
0xbe, 0xd7, 0xa0, 0x79, 0x58, 0xf6, 0x00, 0x6f, 0x56, 0xdd, 0xe0, 0xbc, 0x05, 0xcb, 0x03, 0x4a,
0x02, 0x7b, 0x84, 0x77, 0xf9, 0xae, 0x3d, 0x76, 0xc5, 0x1d, 0x47, 0x14, 0xc5, 0xfe, 0x9b, 0x7f,
0x1b, 0xff, 0x51, 0x81, 0xa5, 0x07, 0xee, 0x18, 0x87, 0xa7, 0x21, 0xc5, 0x93, 0x43, 0x1e, 0x4b,
0x5e, 0x81, 0x06, 0x93, 0x26, 0xa4, 0xf6, 0xc4, 0x57, 0x37, 0x3c, 0x31, 0x80, 0xad, 0x51, 0x28,
0x58, 0xab, 0xec, 0x52, 0x8f, 0xe3, 0x73, 0xa3, 0xb2, 0xd8, 0x5a, 0x82, 0xd0, 0xbb, 0x00, 0x51,
0x88, 0x1d, 0x79, 0xab, 0x53, 0xcb, 0x1c, 0x3d, 0x87, 0x7a, 0xf5, 0x9e, 0xe1, 0x89, 0x2b, 0x9e,
0xf7, 0xa0, 0xe9, 0x7a, 0xc4, 0xc1, 0xbc, 0x7a, 0xef, 0xc8, 0xcc, 0xb3, 0x98, 0x0a, 0x04, 0xe2,
0x61, 0x88, 0x1d, 0xe3, 0x4f, 0xa4, 0x17, 0x56, 0x8b, 0x27, 0x75, 0xb0, 0x03, 0xcb, 0x62, 0x43,
0x1f, 0xc7, 0x93, 0x56, 0x8a, 0x4e, 0xc2, 0xb9, 0xcc, 0x82, 0x98, 0x1d, 0x57, 0x9e, 0x8a, 0x8a,
0xc2, 0xb8, 0x07, 0x17, 0x53, 0x31, 0xdf, 0x79, 0x52, 0xa5, 0x2f, 0x32, 0x79, 0x56, 0x62, 0x20,
0x32, 0xd1, 0x51, 0xf6, 0x51, 0x92, 0xe8, 0x84, 0x22, 0xd1, 0x09, 0x0d, 0x13, 0x2e, 0xa5, 0xd2,
0xbf, 0x94, 0x20, 0xef, 0x65, 0x8e, 0xf8, 0xab, 0x25, 0xcc, 0x32, 0x67, 0xfd, 0xff, 0x54, 0x60,
0xa5, 0x08, 0xe1, 0x25, 0x0b, 0x0d, 0x3f, 0x2b, 0xb9, 0x6b, 0xbf, 0x3b, 0x55, 0x9a, 0xdf, 0x4b,
0x49, 0xe6, 0x21, 0xf4, 0x8a, 0x56, 0x2f, 0xaf, 0x8a, 0xda, 0x19, 0x54, 0xf1, 0xbf, 0x55, 0xad,
0x74, 0xd6, 0xa7, 0x34, 0x70, 0x8f, 0x22, 0x66, 0xbc, 0x3f, 0x54, 0x0a, 0x7c, 0x3f, 0x4e, 0xef,
0xc4, 0xfa, 0xdd, 0xc8, 0x53, 0x25, 0xa3, 0x16, 0xa6, 0x78, 0xfb, 0xe9, 0x14, 0x4f, 0x14, 0xc5,
0x6e, 0x4f, 0x65, 0xf3, 0xca, 0xd6, 0x3d, 0x9e, 0x57, 0xa0, 0x9d, 0xd6, 0x03, 0xfa, 0x18, 0xc0,
0x8e, 0x25, 0x97, 0x26, 0x7f, 0x65, 0xda, 0xec, 0x4c, 0x0d, 0x1f, 0x5d, 0x83, 0xda, 0xd0, 0x8f,
0xa4, 0x46, 0x92, 0xdb, 0x91, 0x2d, 0x3f, 0x12, 0x0e, 0x80, 0xf5, 0xb2, 0xa0, 0x59, 0xdc, 0x40,
0xe7, 0x3c, 0xd7, 0x63, 0x0e, 0x16, 0xa8, 0x12, 0x07, 0x7d, 0x06, 0xed, 0x6f, 0x03, 0x97, 0xda,
0x47, 0x63, 0x6c, 0x8d, 0xed, 0x53, 0x1c, 0x48, 0xcf, 0x55, 0xee, 0x65, 0x5a, 0x0a, 0xff, 0x11,
0x43, 0x37, 0x22, 0xa8, 0xab, 0xf1, 0x5f, 0xe0, 0x91, 0x1f, 0xc2, 0x5a, 0xc4, 0xd0, 0x2c, 0x7e,
0x0b, 0xee, 0xd9, 0x1e, 0xb1, 0x42, 0xcc, 0x8e, 0x26, 0xf5, 0xf2, 0xac, 0xd8, 0x5b, 0xae, 0x70,
0xa2, 0x2d, 0x12, 0xe0, 0x3d, 0xdb, 0x23, 0x03, 0x41, 0x61, 0x4c, 0xa0, 0xa9, 0x4d, 0xe7, 0x05,
0x23, 0xdf, 0x87, 0x65, 0x75, 0xef, 0x14, 0x62, 0x2a, 0xfd, 0xfa, 0xb4, 0x31, 0x97, 0x24, 0xfa,
0x00, 0x53, 0xee, 0xdd, 0x6f, 0x5d, 0x81, 0xba, 0x7a, 0xbf, 0x8f, 0x16, 0xa0, 0xf6, 0x64, 0xeb,
0xa0, 0x33, 0xc3, 0x3e, 0x0e, 0xb7, 0x0f, 0x3a, 0x95, 0x5b, 0xf7, 0x60, 0x29, 0xf3, 0xb2, 0x04,
0x2d, 0x43, 0x6b, 0xd0, 0xdf, 0xdb, 0xfe, 0x7c, 0xff, 0xe7, 0x96, 0xb9, 0xd3, 0xdf, 0xfe, 0x45,
0x67, 0x06, 0xad, 0x40, 0x47, 0x81, 0xf6, 0xf6, 0x9f, 0x08, 0x68, 0xe5, 0xd6, 0x37, 0x19, 0x1b,
0xc1, 0xe8, 0x22, 0x2c, 0x6f, 0xed, 0xef, 0x3d, 0xe9, 0xef, 0xee, 0xed, 0x98, 0xd6, 0x96, 0xb9,
0xd3, 0x7f, 0xb2, 0xb3, 0xdd, 0x99, 0x49, 0x83, 0xcd, 0xc3, 0xbd, 0xbd, 0xdd, 0xbd, 0x2f, 0x3a,
0x15, 0xc6, 0x35, 0x01, 0xef, 0xfc, 0x7c, 0x97, 0x21, 0x57, 0xd3, 0xc8, 0x87, 0x7b, 0x0f, 0xf7,
0xf6, 0x7f, 0xb6, 0xd7, 0xa9, 0x6d, 0xfe, 0x76, 0x11, 0xda, 0xea, 0x10, 0xc7, 0x01, 0xbf, 0x9d,
0xfc, 0x14, 0x16, 0xd4, 0xaf, 0x15, 0x89, 0xf7, 0x48, 0xff, 0x07, 0xd2, 0xeb, 0xe6, 0x3b, 0x64,
0x30, 0x34, 0x83, 0x0e, 0x78, 0x70, 0xa2, 0xbd, 0xe2, 0xb9, 0xaa, 0x87, 0x0b, 0xb9, 0x67, 0x42,
0xbd, 0xf5, 0xb2, 0xee, 0x98, 0xe3, 0x80, 0x45, 0x24, 0xfa, 0x0b, 0x4c, 0xb4, 0xae, 0x9f, 0xdb,
0xf9, 0x97, 0x9d, 0xbd, 0xd7, 0x4a, 0xfb, 0x63, 0xa6, 0xbf, 0x80, 0x4e, 0xf6, 0xed, 0x25, 0x4a,
0x6e, 0x99, 0x4b, 0xde, 0x75, 0xf6, 0x5e, 0x9f, 0x82, 0xa1, 0xb3, 0xce, 0xbd, 0x5f, 0xdc, 0x28,
0x7f, 0x81, 0x96, 0x63, 0x5d, 0xf6, 0xac, 0x4d, 0x2c, 0x45, 0xfa, 0xf5, 0x0d, 0xd2, 0x5f, 0x0d,
0x16, 0xbc, 0xc2, 0xd2, 0x96, 0xa2, 0xf8, 0xd9, 0x8e, 0x31, 0x83, 0xbe, 0x82, 0xa5, 0xcc, 0xc5,
0x14, 0x4a, 0xa8, 0x8a, 0xaf, 0xd9, 0x7a, 0x1b, 0xe5, 0x08, 0x69, 0xbd, 0xe9, 0xd7, 0x4e, 0x29,
0xbd, 0x15, 0xdc, 0x65, 0xa5, 0xf4, 0x56, 0x78, 0x5f, 0xc5, 0xcd, 0x2b, 0x75, 0xb9, 0xa4, 0x99,
0x57, 0xd1, 0x4d, 0x56, 0x6f, 0xbd, 0xac, 0x5b, 0x9f, 0x7e, 0xe6, 0x62, 0x49, 0x9b, 0x7e, 0xf1,
0x7d, 0x55, 0x6f, 0xa3, 0x1c, 0x21, 0xab, 0xab, 0xa4, 0xca, 0x9d, 0xd1, 0x55, 0xee, 0x52, 0x25,
0xa3, 0xab, 0x7c, 0x79, 0x5c, 0xea, 0x2a, 0x53, 0xae, 0x7e, 0xad, 0xb4, 0x9c, 0x97, 0xd7, 0x55,
0x71, 0x85, 0xd0, 0x98, 0x41, 0x7d, 0xa8, 0xab, 0x7a, 0x1c, 0x4a, 0x76, 0x77, 0xa6, 0x08, 0xd8,
0xbb, 0x54, 0xd0, 0x13, 0xb3, 0x78, 0x0f, 0x66, 0x19, 0x14, 0xad, 0xa4, 0x90, 0x14, 0xe9, 0xc5,
0x0c, 0x34, 0x26, 0xfb, 0x08, 0xe6, 0x45, 0xf9, 0x0a, 0x25, 0x79, 0x45, 0xaa, 0x56, 0xd6, 0x5b,
0xcb, 0xc1, 0x63, 0xe2, 0x2f, 0xc5, 0xef, 0x56, 0xb2, 0x0e, 0x85, 0x2e, 0xa7, 0x9e, 0xf5, 0xa7,
0xab, 0x5d, 0xbd, 0x2b, 0xc5, 0x9d, 0xba, 0xbe, 0x32, 0x87, 0xf3, 0x7a, 0x59, 0xf4, 0x94, 0xd3,
0x57, 0x71, 0x34, 0x66, 0xcc, 0x20, 0x4b, 0x94, 0x74, 0x32, 0x8c, 0x8d, 0x62, 0x45, 0xa7, 0x98,
0x5f, 0x9b, 0x8a, 0x13, 0x0f, 0x70, 0x04, 0x17, 0x0a, 0x92, 0x53, 0x94, 0x50, 0x97, 0xe7, 0xc5,
0xbd, 0x37, 0xa6, 0x23, 0xe9, 0x2a, 0x92, 0xb6, 0xb6, 0xaa, 0x6f, 0x50, 0xcd, 0xc4, 0xd6, 0x72,
0x70, 0x45, 0xbc, 0xf9, 0x17, 0x35, 0x58, 0x14, 0x25, 0x04, 0x79, 0xc0, 0x7c, 0x01, 0x90, 0x54,
0xb9, 0x50, 0x2f, 0x35, 0xcd, 0x54, 0xb9, 0xaf, 0x77, 0xb9, 0xb0, 0x4f, 0x57, 0xbe, 0x56, 0xb0,
0xd2, 0x94, 0x9f, 0x2f, 0x83, 0x69, 0xca, 0x2f, 0xa8, 0x71, 0x19, 0x33, 0x68, 0x1b, 0x1a, 0x71,
0x15, 0x05, 0x69, 0xc5, 0x97, 0x4c, 0x09, 0xa8, 0xd7, 0x2b, 0xea, 0xd2, 0x25, 0xd2, 0x2a, 0x23,
0x9a, 0x44, 0xf9, 0x7a, 0x8b, 0x26, 0x51, 0x51, 0x31, 0x25, 0x99, 0x9d, 0x48, 0x04, 0xb3, 0xb3,
0x4b, 0xe5, 0xd6, 0xd9, 0xd9, 0xa5, 0x73, 0x47, 0x63, 0xe6, 0xf3, 0x2b, 0xbf, 0xf9, 0xdd, 0x7a,
0xe5, 0x3f, 0x7f, 0xb7, 0x3e, 0xf3, 0xe7, 0xcf, 0xd7, 0x2b, 0xbf, 0x79, 0xbe, 0x5e, 0xf9, 0xf7,
0xe7, 0xeb, 0x95, 0xdf, 0x3e, 0x5f, 0xaf, 0x7c, 0xf7, 0xdf, 0xeb, 0x33, 0x47, 0xf3, 0xfc, 0xff,
0xc3, 0x77, 0xff, 0x3f, 0x00, 0x00, 0xff, 0xff, 0x05, 0xad, 0x49, 0x79, 0x33, 0x3a, 0x00, 0x00,
0x59, 0xb6, 0xa4, 0x5d, 0xc9, 0x32, 0xbd, 0xb6, 0x63, 0xf9, 0x4b, 0x34, 0x49, 0x19, 0xb4, 0xa4,
0x11, 0xb7, 0x47, 0xf4, 0xee, 0x66, 0x03, 0x74, 0x9a, 0xd3, 0xc5, 0x61, 0x5b, 0x33, 0x5d, 0xbd,
0xdd, 0xd5, 0x92, 0x98, 0x53, 0x72, 0x09, 0x72, 0x74, 0x8e, 0xb9, 0xe5, 0x10, 0x60, 0x91, 0x4b,
0x0e, 0x39, 0x04, 0xf9, 0x05, 0xc1, 0x02, 0x41, 0x80, 0x9c, 0x82, 0xe4, 0xb6, 0xab, 0x1c, 0x72,
0x08, 0x90, 0xdf, 0x10, 0xd4, 0x57, 0x77, 0xf5, 0xd7, 0x88, 0x94, 0x8d, 0x5d, 0xdd, 0xba, 0x5e,
0xbd, 0xf7, 0xea, 0x55, 0xbd, 0x57, 0xaf, 0xde, 0x7b, 0x55, 0x0d, 0x0d, 0xdb, 0x77, 0x6f, 0xf9,
0x01, 0xa1, 0x04, 0x2d, 0x04, 0x91, 0x47, 0xdd, 0x09, 0xee, 0xdd, 0x1c, 0xb9, 0xf4, 0x38, 0x3a,
0xbc, 0x35, 0x24, 0x93, 0x77, 0x47, 0x64, 0x44, 0xde, 0xe5, 0xfd, 0x87, 0xd1, 0x11, 0x6f, 0xf1,
0x06, 0xff, 0x12, 0x74, 0xc6, 0x0d, 0x68, 0x7f, 0x83, 0x83, 0xd0, 0x25, 0x9e, 0x89, 0x7f, 0x15,
0xe1, 0x90, 0xa2, 0x2e, 0x2c, 0x3c, 0x15, 0x90, 0x6e, 0x65, 0xa3, 0x72, 0xad, 0x61, 0xaa, 0xa6,
0xf1, 0xeb, 0x0a, 0x2c, 0xc5, 0xc8, 0xa1, 0x4f, 0xbc, 0x10, 0x97, 0x63, 0xa3, 0x37, 0x61, 0x51,
0xca, 0x64, 0x79, 0xf6, 0x04, 0x77, 0xab, 0xbc, 0xbb, 0x29, 0x61, 0x7d, 0x7b, 0x82, 0xd1, 0x3b,
0xb0, 0xa4, 0x50, 0x14, 0x93, 0x1a, 0xc7, 0x6a, 0x4b, 0xb0, 0x1c, 0x0d, 0xdd, 0x82, 0x73, 0x0a,
0xd1, 0xf6, 0xdd, 0x18, 0x79, 0x96, 0x23, 0x2f, 0xcb, 0xae, 0x2d, 0xdf, 0x95, 0xf8, 0xc6, 0x2f,
0xa1, 0xb1, 0xd3, 0x1f, 0x6c, 0x13, 0xef, 0xc8, 0x1d, 0x31, 0x11, 0x43, 0x1c, 0x30, 0x9a, 0x6e,
0x65, 0xa3, 0xc6, 0x44, 0x94, 0x4d, 0xd4, 0x83, 0x7a, 0x88, 0xed, 0x60, 0x78, 0x8c, 0xc3, 0x6e,
0x95, 0x77, 0xc5, 0x6d, 0x46, 0x45, 0x7c, 0xea, 0x12, 0x2f, 0xec, 0xd6, 0x04, 0x95, 0x6c, 0x1a,
0x7f, 0x53, 0x81, 0xe6, 0x3e, 0x09, 0xe8, 0x43, 0xdb, 0xf7, 0x5d, 0x6f, 0x84, 0x6e, 0x42, 0x9d,
0xaf, 0xe5, 0x90, 0x8c, 0xf9, 0x1a, 0xb4, 0x37, 0x97, 0x6f, 0x49, 0x91, 0x6e, 0xed, 0xcb, 0x0e,
0x33, 0x46, 0x41, 0x57, 0xa1, 0x3d, 0x24, 0x1e, 0xb5, 0x5d, 0x0f, 0x07, 0x96, 0x4f, 0x02, 0xca,
0x57, 0x66, 0xce, 0x6c, 0xc5, 0x50, 0xc6, 0x1c, 0x5d, 0x84, 0xc6, 0x31, 0x09, 0xa9, 0xc0, 0xa8,
0x71, 0x8c, 0x3a, 0x03, 0xf0, 0xce, 0x35, 0x58, 0xe0, 0x9d, 0xae, 0x2f, 0xd7, 0x60, 0x9e, 0x35,
0xf7, 0x7c, 0xe3, 0xbb, 0x0a, 0xcc, 0x3d, 0x24, 0x91, 0x47, 0x33, 0xc3, 0xd8, 0xf4, 0x58, 0xea,
0x47, 0x1b, 0xc6, 0xa6, 0xc7, 0xc9, 0x30, 0x0c, 0x43, 0xa8, 0x48, 0x0c, 0xc3, 0x3a, 0x7b, 0x50,
0x0f, 0xb0, 0xed, 0x10, 0x6f, 0x7c, 0xc2, 0x45, 0xa8, 0x9b, 0x71, 0x9b, 0xe9, 0x2e, 0xc4, 0x63,
0xd7, 0x8b, 0x9e, 0x5b, 0x01, 0x1e, 0xdb, 0x87, 0x78, 0xcc, 0x45, 0xa9, 0x9b, 0x6d, 0x09, 0x36,
0x05, 0xd4, 0xf8, 0x16, 0x96, 0x98, 0xb2, 0x43, 0xdf, 0x1e, 0xe2, 0x47, 0x7c, 0x09, 0x99, 0x69,
0xf0, 0x41, 0x3d, 0x4c, 0x9f, 0x91, 0xe0, 0x09, 0x97, 0xac, 0x6e, 0x36, 0x19, 0xac, 0x2f, 0x40,
0xe8, 0x02, 0xd4, 0x85, 0x5c, 0xae, 0xc3, 0xc5, 0xaa, 0x9b, 0x7c, 0xc6, 0xfb, 0xae, 0x13, 0x77,
0xb9, 0xfe, 0x50, 0x4a, 0xb5, 0x20, 0x66, 0x3f, 0x34, 0x0c, 0x80, 0x3d, 0x8f, 0x7e, 0xf8, 0x93,
0x6f, 0xec, 0x71, 0x84, 0xd1, 0x0a, 0xcc, 0x3d, 0x65, 0x1f, 0x9c, 0x7f, 0xcd, 0x14, 0x0d, 0xe3,
0x2f, 0x6b, 0x70, 0xf1, 0x01, 0x13, 0x70, 0x60, 0x7b, 0xce, 0x21, 0x79, 0x3e, 0xc0, 0xc3, 0x28,
0x70, 0xe9, 0xc9, 0x36, 0xf1, 0x28, 0x7e, 0x4e, 0xd1, 0x2e, 0x2c, 0x7b, 0x4a, 0x5e, 0x4b, 0x99,
0x00, 0xe3, 0xd0, 0xdc, 0xec, 0xc6, 0x7a, 0xcd, 0xcc, 0xc8, 0xec, 0x78, 0x69, 0x40, 0x88, 0xbe,
0x48, 0xd6, 0x47, 0x31, 0xa9, 0x72, 0x26, 0xab, 0x31, 0x93, 0xc1, 0x2e, 0x97, 0x43, 0xb2, 0x50,
0xeb, 0xa6, 0x18, 0xbc, 0x0f, 0x6c, 0xaf, 0x58, 0x76, 0x68, 0x45, 0x21, 0x0e, 0xf8, 0x4c, 0x9b,
0x9b, 0xe7, 0x62, 0xe2, 0x64, 0x9e, 0x66, 0x23, 0x88, 0xbc, 0xad, 0xf0, 0x20, 0xc4, 0x01, 0xdf,
0x51, 0x52, 0x43, 0x56, 0x40, 0x08, 0x3d, 0x0a, 0x95, 0x56, 0x14, 0xd8, 0xe4, 0x50, 0xf4, 0x2e,
0x9c, 0x0b, 0x23, 0xdf, 0x1f, 0xe3, 0x09, 0xf6, 0xa8, 0x3d, 0xb6, 0x46, 0x01, 0x89, 0xfc, 0xb0,
0x3b, 0xb7, 0x51, 0xbb, 0x56, 0x33, 0x91, 0xde, 0xf5, 0x15, 0xef, 0x41, 0xeb, 0x00, 0x7e, 0xe0,
0x3e, 0x75, 0xc7, 0x78, 0x84, 0x9d, 0xee, 0x3c, 0x67, 0xaa, 0x41, 0xd0, 0x6d, 0x58, 0x09, 0xf1,
0x70, 0x48, 0x26, 0xbe, 0xe5, 0x07, 0xe4, 0xc8, 0x1d, 0x63, 0x61, 0x53, 0x0b, 0xdc, 0xa6, 0x90,
0xec, 0xdb, 0x17, 0x5d, 0xcc, 0xba, 0x8c, 0xef, 0xaa, 0x70, 0x9e, 0x2f, 0xc0, 0x3e, 0x71, 0xa4,
0x2e, 0xe4, 0x8e, 0xbd, 0x02, 0xad, 0x21, 0x17, 0xc8, 0xf2, 0xed, 0x00, 0x7b, 0x54, 0x9a, 0xee,
0xa2, 0x00, 0xee, 0x73, 0x18, 0x7a, 0x04, 0x9d, 0x50, 0xaa, 0xce, 0x1a, 0x0a, 0xdd, 0xc9, 0x15,
0x7e, 0x2b, 0x5e, 0xa4, 0x29, 0x7a, 0x36, 0x97, 0xc2, 0x9c, 0xe2, 0x17, 0xc2, 0x93, 0x70, 0x48,
0xc7, 0x62, 0xc7, 0x37, 0x37, 0x7f, 0x94, 0xe6, 0x93, 0x15, 0xf3, 0xd6, 0x40, 0x60, 0xef, 0x7a,
0x34, 0x38, 0x31, 0x15, 0x6d, 0xef, 0x0e, 0x2c, 0xea, 0x1d, 0xa8, 0x03, 0xb5, 0x27, 0xf8, 0x44,
0x4e, 0x81, 0x7d, 0x26, 0x76, 0x29, 0xf6, 0x9b, 0x68, 0xdc, 0xa9, 0xfe, 0x51, 0xc5, 0x08, 0x00,
0x25, 0xa3, 0x3c, 0xc4, 0xd4, 0x76, 0x6c, 0x6a, 0x23, 0x04, 0xb3, 0xdc, 0x83, 0x0a, 0x16, 0xfc,
0x9b, 0x71, 0x8d, 0xe4, 0xd6, 0x68, 0x98, 0xec, 0x13, 0x5d, 0x82, 0x46, 0x6c, 0x84, 0xd2, 0x8d,
0x26, 0x00, 0xe6, 0xce, 0x6c, 0x4a, 0xf1, 0xc4, 0xa7, 0xdc, 0x20, 0x5a, 0xa6, 0x6a, 0x1a, 0xff,
0x3c, 0x0b, 0x9d, 0x9c, 0x06, 0x3e, 0x82, 0xfa, 0x44, 0x0e, 0x2f, 0x6d, 0xff, 0x62, 0xe2, 0xd3,
0x72, 0x12, 0x9a, 0x31, 0x32, 0x73, 0x19, 0x6c, 0x33, 0x6a, 0x1e, 0x3f, 0x6e, 0x33, 0xb5, 0x8e,
0xc9, 0xc8, 0x72, 0xdc, 0x00, 0x0f, 0x29, 0x09, 0x4e, 0xa4, 0x94, 0x8b, 0x63, 0x32, 0xda, 0x51,
0x30, 0xf4, 0x1e, 0x80, 0xe3, 0x85, 0x4c, 0xa3, 0x47, 0xee, 0x88, 0xcb, 0xda, 0xdc, 0x44, 0xf1,
0xd8, 0xb1, 0x57, 0x37, 0x1b, 0x8e, 0x17, 0x4a, 0x61, 0x3f, 0x86, 0x16, 0xf3, 0x92, 0xd6, 0x44,
0x38, 0x64, 0x61, 0xc5, 0xcd, 0xcd, 0x15, 0x4d, 0xe2, 0xd8, 0x5b, 0x9b, 0x8b, 0x7e, 0xd2, 0x08,
0xd1, 0x67, 0x30, 0xcf, 0xbd, 0x54, 0xd8, 0x9d, 0xe7, 0x34, 0x57, 0x0b, 0x66, 0x29, 0xb5, 0xfd,
0x80, 0xe3, 0x09, 0x65, 0x4b, 0x22, 0xf4, 0x00, 0x9a, 0xb6, 0xe7, 0x11, 0x6a, 0x8b, 0x0d, 0xbe,
0xc0, 0x79, 0xdc, 0x28, 0xe7, 0xb1, 0x95, 0x20, 0x0b, 0x46, 0x3a, 0x39, 0xfa, 0x09, 0xcc, 0x71,
0x0f, 0xd0, 0xad, 0xf3, 0x59, 0xaf, 0x4f, 0x37, 0x3f, 0x53, 0x20, 0xf7, 0x3e, 0x86, 0xa6, 0x26,
0xda, 0x59, 0xcc, 0xad, 0xf7, 0x39, 0x74, 0xb2, 0x12, 0x9d, 0xc9, 0x5c, 0xf7, 0x60, 0xc5, 0x8c,
0xbc, 0x44, 0x30, 0x15, 0x42, 0xbc, 0x07, 0xf3, 0x52, 0x7f, 0xc2, 0x76, 0x2e, 0x94, 0xae, 0x88,
0x29, 0x11, 0x8d, 0xcf, 0xe0, 0x7c, 0x86, 0x95, 0x0c, 0x30, 0xde, 0x82, 0xb6, 0x4f, 0x1c, 0x2b,
0x14, 0x60, 0xcb, 0x75, 0x94, 0x33, 0xf0, 0x63, 0xdc, 0x3d, 0x87, 0x91, 0x0f, 0x28, 0xf1, 0xf3,
0xa2, 0x9c, 0x8e, 0xbc, 0x0b, 0xab, 0x59, 0x72, 0x31, 0xbc, 0xf1, 0x05, 0xac, 0x99, 0x78, 0x42,
0x9e, 0xe2, 0x57, 0x65, 0xdd, 0x83, 0x6e, 0x9e, 0x41, 0xc2, 0x3c, 0x81, 0x0e, 0xa8, 0x4d, 0xa3,
0xf0, 0x6c, 0xcc, 0xaf, 0xeb, 0x0c, 0xe4, 0xd1, 0x29, 0xf8, 0xa0, 0x36, 0x54, 0x5d, 0x5f, 0x12,
0x55, 0x5d, 0xdf, 0xf8, 0x02, 0x1a, 0xf1, 0xa1, 0x85, 0x36, 0x93, 0xe0, 0xa6, 0xfa, 0x92, 0x93,
0x2d, 0x0e, 0x7b, 0xee, 0xe7, 0xbc, 0xb5, 0x1c, 0x69, 0x13, 0x20, 0xf6, 0x33, 0xea, 0xa4, 0x44,
0x79, 0x7e, 0xa6, 0x86, 0x65, 0xfc, 0x5d, 0xca, 0xe9, 0x68, 0x22, 0x3b, 0xb1, 0xc8, 0x4e, 0xca,
0x09, 0x55, 0xcf, 0xe2, 0x84, 0x6e, 0xc1, 0x5c, 0x48, 0x6d, 0x2a, 0xdc, 0x60, 0x5b, 0x9b, 0x5c,
0x7a, 0x48, 0x6c, 0x0a, 0x34, 0x74, 0x19, 0x60, 0x18, 0x60, 0x9b, 0x62, 0xc7, 0xb2, 0x85, 0x7f,
0xac, 0x99, 0x0d, 0x09, 0xd9, 0xa2, 0xe8, 0x0e, 0x2c, 0xa8, 0x48, 0x65, 0x8e, 0x8b, 0xb1, 0x51,
0xc0, 0x30, 0xb5, 0xfa, 0xa6, 0x22, 0x48, 0xf6, 0xf4, 0xfc, 0xf4, 0x3d, 0x2d, 0xe9, 0x04, 0xb2,
0xe6, 0x96, 0x16, 0x4a, 0xdd, 0x92, 0xa0, 0x38, 0x8d, 0x5b, 0xaa, 0x97, 0xba, 0x25, 0xc9, 0x63,
0xaa, 0x5b, 0xfa, 0x43, 0x3a, 0x98, 0x87, 0xd0, 0xcd, 0x6f, 0x10, 0xe9, 0x18, 0xde, 0x83, 0xf9,
0x90, 0x43, 0xa6, 0x38, 0x19, 0x49, 0x22, 0x11, 0x8d, 0x7b, 0xb0, 0x92, 0xb1, 0x00, 0x11, 0x28,
0xc6, 0xf6, 0x52, 0x39, 0x95, 0xbd, 0x18, 0xff, 0x57, 0xd1, 0xad, 0xf7, 0x9e, 0x3b, 0xa6, 0x38,
0xc8, 0x59, 0xef, 0xfb, 0x8a, 0xa9, 0x30, 0xdd, 0xcb, 0x65, 0x4c, 0x45, 0x0c, 0x27, 0x2d, 0x71,
0x00, 0x6d, 0xae, 0x43, 0x2b, 0xc4, 0x63, 0x7e, 0x20, 0xca, 0x50, 0xe4, 0xc7, 0x05, 0xd4, 0x62,
0x5c, 0x61, 0x00, 0x03, 0x89, 0x2e, 0xd4, 0xd7, 0x1a, 0xeb, 0xb0, 0xde, 0x5d, 0x40, 0x79, 0xa4,
0x33, 0xe9, 0xe1, 0x6b, 0xb6, 0xf7, 0x59, 0xee, 0x51, 0xe0, 0xe9, 0x8f, 0xb8, 0x18, 0x53, 0x94,
0x20, 0xe4, 0x34, 0x25, 0xa2, 0xf1, 0xb7, 0x35, 0x80, 0xa4, 0xf3, 0xb5, 0xdd, 0xf4, 0x1f, 0xc5,
0x5b, 0x50, 0x44, 0x13, 0x6f, 0x14, 0xf0, 0x2b, 0xdc, 0x7c, 0xf7, 0xd2, 0x9b, 0x4f, 0xc4, 0x15,
0x6f, 0x15, 0x51, 0xbf, 0xb6, 0xdb, 0x6e, 0x1b, 0x56, 0xb3, 0xea, 0x96, 0x9b, 0xee, 0x3a, 0xcc,
0xb9, 0x14, 0x4f, 0x44, 0x26, 0xad, 0xa7, 0x23, 0x1a, 0xae, 0xc0, 0x30, 0xde, 0x84, 0xc6, 0xde,
0xc4, 0x1e, 0xe1, 0x81, 0x8f, 0x87, 0x6c, 0x2c, 0x97, 0x35, 0xe4, 0xf8, 0xa2, 0x61, 0x6c, 0x42,
0xfd, 0x3e, 0x3e, 0x11, 0x7b, 0xf0, 0x94, 0xf2, 0x19, 0xff, 0x5a, 0x81, 0x35, 0xee, 0x3b, 0xb7,
0x55, 0x1e, 0x6b, 0xe2, 0x90, 0x44, 0xc1, 0x10, 0x87, 0x5c, 0xa5, 0x7e, 0x64, 0xf9, 0x38, 0x70,
0x89, 0x23, 0xb3, 0xbe, 0xc6, 0xd0, 0x8f, 0xf6, 0x39, 0x80, 0xe5, 0xba, 0xac, 0xfb, 0x57, 0x11,
0x91, 0xb6, 0x55, 0x33, 0xeb, 0x43, 0x3f, 0xfa, 0x29, 0x6b, 0x2b, 0xda, 0xf0, 0xd8, 0x0e, 0x70,
0xc8, 0x6d, 0x48, 0xd0, 0x0e, 0x38, 0x00, 0xbd, 0x07, 0xe7, 0x27, 0x78, 0x42, 0x82, 0x13, 0x6b,
0xec, 0x4e, 0x5c, 0x6a, 0xb9, 0x9e, 0x75, 0x78, 0x42, 0x71, 0x28, 0x0d, 0x07, 0x89, 0xce, 0x07,
0xac, 0x6f, 0xcf, 0xfb, 0x92, 0xf5, 0x20, 0x03, 0x5a, 0x84, 0x4c, 0xac, 0x70, 0x48, 0x02, 0x6c,
0xd9, 0xce, 0xb7, 0xfc, 0xf0, 0xa8, 0x99, 0x4d, 0x42, 0x26, 0x03, 0x06, 0xdb, 0x72, 0xbe, 0x35,
0x6c, 0x68, 0xa5, 0xb2, 0x40, 0x16, 0xeb, 0xf3, 0x74, 0x4f, 0xc6, 0xfa, 0xec, 0x9b, 0xc1, 0x02,
0x32, 0x56, 0xeb, 0xc0, 0xbf, 0x19, 0x8c, 0x9e, 0xf8, 0x2a, 0xd0, 0xe7, 0xdf, 0x6c, 0xc1, 0xc6,
0xf8, 0xa9, 0x4c, 0xc4, 0x1b, 0xa6, 0x68, 0x18, 0x0e, 0xc0, 0xb6, 0xed, 0xdb, 0x87, 0xee, 0xd8,
0xa5, 0x27, 0xe8, 0x3a, 0x74, 0x6c, 0xc7, 0xb1, 0x86, 0x0a, 0xe2, 0x62, 0x55, 0x15, 0x59, 0xb2,
0x1d, 0x67, 0x5b, 0x03, 0xa3, 0x1f, 0xc1, 0xb2, 0x13, 0x10, 0x3f, 0x8d, 0x2b, 0xca, 0x24, 0x1d,
0xd6, 0xa1, 0x23, 0x1b, 0xff, 0x34, 0x0b, 0x97, 0xd3, 0x6a, 0xc9, 0xe6, 0xd5, 0x1f, 0xc1, 0x62,
0x66, 0xd4, 0x74, 0x42, 0x9b, 0x08, 0x69, 0xa6, 0x10, 0x33, 0x99, 0x67, 0x35, 0x97, 0x79, 0x16,
0x26, 0xec, 0xb5, 0x1f, 0x22, 0x61, 0x9f, 0xfd, 0x3e, 0x09, 0xfb, 0xdc, 0xa9, 0x12, 0xf6, 0xb7,
0x79, 0x09, 0x4c, 0x11, 0xf1, 0xb4, 0x69, 0x5e, 0xd4, 0x69, 0x62, 0x1c, 0x4f, 0x95, 0xca, 0x32,
0x89, 0xfd, 0xc2, 0x59, 0x12, 0xfb, 0x7a, 0x69, 0x62, 0xcf, 0x2c, 0xc2, 0xf7, 0xed, 0x60, 0x42,
0x02, 0x95, 0xb9, 0x77, 0x1b, 0x5c, 0x84, 0x25, 0x05, 0x97, 0x59, 0x7b, 0x69, 0x8e, 0x0f, 0x65,
0x39, 0x3e, 0xda, 0x80, 0x45, 0x8f, 0x58, 0x1e, 0x7e, 0x66, 0x31, 0x85, 0x85, 0xdd, 0xa6, 0xd0,
0x9e, 0x47, 0xfa, 0xf8, 0xd9, 0x3e, 0x83, 0x18, 0x7f, 0x5f, 0x81, 0x95, 0xb4, 0xe1, 0xc8, 0xac,
0xee, 0x73, 0x68, 0x04, 0x6a, 0x67, 0x4b, 0x63, 0xd9, 0x48, 0x47, 0x4f, 0x79, 0x0f, 0x60, 0x26,
0x24, 0xe8, 0xa7, 0xa5, 0xf5, 0x81, 0xb7, 0x4b, 0xd8, 0xbc, 0xac, 0x42, 0x60, 0x6c, 0xc1, 0x72,
0x8c, 0x3c, 0x35, 0x3b, 0xd7, 0xb2, 0xed, 0x6a, 0x3a, 0xdb, 0xf6, 0x60, 0x7e, 0x07, 0x3f, 0x75,
0x87, 0xf8, 0x07, 0x29, 0xd0, 0x6d, 0x40, 0xd3, 0xc7, 0xc1, 0xc4, 0x0d, 0xc3, 0xd8, 0xe8, 0x1b,
0xa6, 0x0e, 0x32, 0xfe, 0x6b, 0x0e, 0x96, 0xb2, 0x2b, 0xfb, 0x61, 0x2e, 0xb9, 0xef, 0x25, 0xbb,
0x30, 0x3b, 0x3f, 0xed, 0x84, 0xbd, 0xa6, 0x9c, 0x78, 0x35, 0x13, 0xe3, 0xc7, 0x7e, 0x5e, 0x3a,
0x76, 0x36, 0xff, 0x21, 0x99, 0x4c, 0x6c, 0xcf, 0x51, 0xc5, 0x53, 0xd9, 0x64, 0xab, 0x65, 0x07,
0x23, 0xb6, 0xb5, 0x18, 0x98, 0x7f, 0xa3, 0x37, 0xa0, 0xc9, 0x62, 0x65, 0xd7, 0xe3, 0xb5, 0x01,
0xbe, 0x71, 0x1a, 0x26, 0x48, 0xd0, 0x8e, 0x1b, 0xa0, 0xab, 0x30, 0x8b, 0xbd, 0xa7, 0xea, 0x2c,
0x4d, 0xaa, 0xab, 0xea, 0xf0, 0x30, 0x79, 0x37, 0x7a, 0x1b, 0xe6, 0x27, 0x24, 0xf2, 0xa8, 0x8a,
0x9a, 0xdb, 0x31, 0x22, 0x2f, 0x89, 0x9a, 0xb2, 0x17, 0x5d, 0x87, 0x05, 0x87, 0xeb, 0x40, 0x85,
0xc6, 0x4b, 0x49, 0x7d, 0x81, 0xc3, 0x4d, 0xd5, 0x8f, 0x3e, 0x8d, 0xa3, 0x80, 0x46, 0xe6, 0x1c,
0xcf, 0x2c, 0x6a, 0x61, 0x28, 0x70, 0x3f, 0x1d, 0x0a, 0x00, 0x67, 0x71, 0xbd, 0x94, 0xc5, 0xf4,
0xea, 0xc0, 0x05, 0xa8, 0x8f, 0xc9, 0x48, 0xd8, 0x41, 0x53, 0x94, 0xda, 0xc7, 0x64, 0xc4, 0xcd,
0x60, 0x85, 0x85, 0x3e, 0x8e, 0xeb, 0x75, 0x17, 0xf9, 0xf6, 0x12, 0x0d, 0x76, 0xa2, 0xf1, 0x0f,
0x8b, 0x78, 0x43, 0xdc, 0x6d, 0xf1, 0xae, 0x06, 0x87, 0x3c, 0xf2, 0x86, 0xfc, 0xc0, 0xa5, 0xf4,
0xa4, 0xdb, 0xe6, 0x70, 0xf6, 0xc9, 0x22, 0x56, 0x91, 0xab, 0x2c, 0x65, 0x22, 0xd6, 0xa2, 0xfd,
0xf9, 0x1a, 0x94, 0x1f, 0xfe, 0xb1, 0x02, 0xab, 0xdb, 0x3c, 0x60, 0xd3, 0x3c, 0xc1, 0x19, 0xd2,
0x67, 0x74, 0x3b, 0xae, 0x53, 0x64, 0xb3, 0xe0, 0xec, 0x64, 0x25, 0x1e, 0xba, 0x0b, 0x6d, 0xc5,
0x53, 0x52, 0xd6, 0x5e, 0x56, 0xe1, 0x68, 0x85, 0x7a, 0xd3, 0xf8, 0x14, 0xd6, 0x72, 0x32, 0xcb,
0xe0, 0xea, 0x4d, 0x58, 0x4c, 0x3c, 0x42, 0x2c, 0x72, 0x33, 0x86, 0xed, 0x39, 0xc6, 0x1d, 0x38,
0x3f, 0xa0, 0x76, 0x40, 0x73, 0x13, 0x3e, 0x05, 0x2d, 0x2f, 0x72, 0xa4, 0x69, 0x65, 0x1d, 0x62,
0x00, 0x2b, 0x03, 0x4a, 0xfc, 0x57, 0x60, 0xca, 0x76, 0x3a, 0x9b, 0x36, 0x89, 0xa8, 0x8c, 0xa8,
0x54, 0xd3, 0x58, 0x13, 0x25, 0x99, 0xfc, 0x68, 0x9f, 0xc0, 0xaa, 0xa8, 0x88, 0xbc, 0xca, 0x24,
0x2e, 0xa8, 0x7a, 0x4c, 0x9e, 0xef, 0x0e, 0x9c, 0x4b, 0x5c, 0x79, 0x92, 0xdc, 0xdd, 0x4c, 0x27,
0x77, 0x6b, 0x79, 0x1d, 0xa7, 0x72, 0xbb, 0xbf, 0xae, 0x6a, 0x0e, 0xb3, 0x24, 0xb5, 0xdb, 0x4c,
0xa7, 0x76, 0x97, 0x4a, 0x58, 0xa6, 0x32, 0xbb, 0xbc, 0x45, 0xd6, 0x0a, 0x2c, 0xd2, 0xcc, 0xe5,
0x7f, 0xb3, 0x99, 0x52, 0x74, 0x46, 0xb6, 0xdf, 0x4b, 0xfa, 0xb7, 0x27, 0xd2, 0xbf, 0x78, 0xe8,
0xb8, 0x4a, 0x75, 0x3b, 0x93, 0xfe, 0x75, 0xcb, 0xc4, 0x8c, 0xb3, 0xbf, 0xbf, 0x9a, 0x85, 0x46,
0xdc, 0x97, 0x5b, 0xd8, 0xfc, 0x22, 0x55, 0x0b, 0x16, 0x49, 0x3f, 0xbf, 0x6a, 0xaf, 0x72, 0x7e,
0xcd, 0xbe, 0xec, 0xfc, 0xba, 0x08, 0x0d, 0xfe, 0x61, 0x05, 0xf8, 0x48, 0x9e, 0x47, 0x75, 0x0e,
0x30, 0xf1, 0x51, 0x62, 0x50, 0xf3, 0xa7, 0x31, 0xa8, 0x4c, 0x9e, 0xb9, 0x90, 0xcd, 0x33, 0x3f,
0x8c, 0x4f, 0x18, 0x71, 0x16, 0xad, 0xe7, 0xd9, 0x15, 0x9e, 0x2d, 0xbb, 0xe9, 0xb3, 0x45, 0x1c,
0x4f, 0x57, 0x0a, 0x88, 0x5f, 0xdb, 0x2c, 0xf3, 0x81, 0xc8, 0x32, 0x75, 0xab, 0x92, 0x8e, 0x70,
0x13, 0x20, 0xde, 0xf3, 0x2a, 0xd5, 0x44, 0xf9, 0xa9, 0x99, 0x1a, 0x16, 0xf3, 0x2a, 0xa9, 0xf5,
0x4f, 0x4a, 0xa9, 0xa7, 0xf0, 0x2a, 0xff, 0xa2, 0x47, 0x49, 0x25, 0xd5, 0xc8, 0x0f, 0x73, 0x85,
0x89, 0xd3, 0x59, 0xdd, 0xcd, 0x74, 0x5d, 0xe2, 0x6c, 0xe6, 0x92, 0x2b, 0x4b, 0xf0, 0x43, 0xdd,
0x0e, 0x64, 0xb7, 0xc8, 0x28, 0x1b, 0x12, 0xb2, 0x45, 0x59, 0x28, 0x75, 0xe4, 0x7a, 0x6e, 0x78,
0x2c, 0xfa, 0xe7, 0x79, 0x3f, 0x28, 0xd0, 0x16, 0xbf, 0x56, 0xc6, 0xcf, 0x5d, 0x6a, 0x0d, 0x89,
0x83, 0xb9, 0x31, 0xce, 0x99, 0x75, 0x06, 0xd8, 0x26, 0x0e, 0x4e, 0x36, 0x48, 0xfd, 0x4c, 0x1b,
0xa4, 0x91, 0xd9, 0x20, 0xab, 0x30, 0x1f, 0x60, 0x3b, 0x24, 0x9e, 0x4c, 0x0c, 0x64, 0x8b, 0x9d,
0x15, 0x13, 0x1c, 0x86, 0x6c, 0x00, 0x19, 0xc0, 0xc8, 0xa6, 0x16, 0x66, 0x2d, 0x96, 0x85, 0x59,
0x53, 0xca, 0x9d, 0x99, 0x30, 0xab, 0x55, 0x16, 0x66, 0x9d, 0xa6, 0xda, 0xa9, 0x05, 0x91, 0xed,
0xa9, 0x41, 0xa4, 0x1e, 0x8e, 0x2d, 0xa5, 0xc2, 0xb1, 0x3f, 0xe4, 0x9e, 0xba, 0x0f, 0x6b, 0xb9,
0x5d, 0x20, 0x37, 0xd5, 0xed, 0x4c, 0xbd, 0xb4, 0x5b, 0xb6, 0x40, 0x71, 0xb9, 0xf4, 0x4f, 0x61,
0x69, 0xf7, 0x39, 0x1e, 0x0e, 0x4e, 0xbc, 0xe1, 0x19, 0x22, 0x82, 0x0e, 0xd4, 0x86, 0x13, 0x47,
0x16, 0x0a, 0xd8, 0xa7, 0x1e, 0x23, 0xd4, 0xd2, 0x31, 0x82, 0x05, 0x9d, 0x64, 0x04, 0x29, 0xe7,
0x2a, 0x93, 0xd3, 0x61, 0xc8, 0x8c, 0xf9, 0xa2, 0x29, 0x5b, 0x12, 0x8e, 0x83, 0x80, 0xcf, 0x5a,
0xc0, 0x71, 0x10, 0xa4, 0x2d, 0xba, 0x96, 0xb6, 0x68, 0xe3, 0x5b, 0x68, 0xb2, 0x01, 0xbe, 0x97,
0xf8, 0x32, 0x50, 0xae, 0x25, 0x81, 0x72, 0x1c, 0x6f, 0xcf, 0x6a, 0xf1, 0xb6, 0xb1, 0x01, 0x8b,
0x62, 0x2c, 0x39, 0x91, 0x0e, 0xd4, 0xa2, 0x60, 0xac, 0xf4, 0x16, 0x05, 0x63, 0xe3, 0x8f, 0xa1,
0xb5, 0x45, 0xa9, 0x3d, 0x3c, 0x3e, 0x83, 0x3c, 0xf1, 0x58, 0x55, 0x3d, 0xb6, 0xcf, 0xc9, 0x64,
0x18, 0xd0, 0x56, 0xbc, 0x4b, 0xc7, 0xef, 0x03, 0xda, 0x27, 0x01, 0xbd, 0x47, 0x82, 0x67, 0x76,
0xe0, 0x9c, 0x2d, 0x56, 0x46, 0x30, 0x2b, 0x1f, 0xab, 0xd4, 0xae, 0xcd, 0x99, 0xfc, 0xdb, 0x78,
0x07, 0xce, 0xa5, 0xf8, 0x95, 0x0e, 0xfc, 0x11, 0x34, 0xb9, 0x0b, 0x91, 0xf1, 0xd4, 0x35, 0xbd,
0x1a, 0x38, 0xcd, 0xcf, 0xb0, 0x8c, 0x9b, 0x9d, 0x11, 0x1c, 0x1e, 0x3b, 0xf4, 0x1f, 0x67, 0xa2,
0x8e, 0x95, 0x34, 0x7d, 0x26, 0xe2, 0xf8, 0x87, 0x0a, 0xcc, 0x71, 0x78, 0xce, 0xa3, 0x5f, 0x84,
0x46, 0x80, 0x7d, 0x62, 0x51, 0x7b, 0x14, 0xbf, 0xff, 0x61, 0x80, 0xc7, 0xf6, 0x28, 0xe4, 0xcf,
0x97, 0x58, 0xa7, 0xe3, 0x8e, 0x70, 0x48, 0xd5, 0x23, 0xa0, 0x26, 0x83, 0xed, 0x08, 0x10, 0x5b,
0x92, 0xd0, 0xfd, 0x33, 0x11, 0x4e, 0xcc, 0x9a, 0xfc, 0x1b, 0x5d, 0x15, 0xf7, 0xf2, 0x53, 0x8a,
0x3f, 0xfc, 0xb2, 0xbe, 0x07, 0xf5, 0x4c, 0xbd, 0x27, 0x6e, 0x1b, 0x9f, 0x02, 0xd2, 0xe7, 0x2c,
0x17, 0xf5, 0x6d, 0x98, 0xe7, 0x4b, 0xa2, 0xce, 0xc3, 0x76, 0x7a, 0xd2, 0xa6, 0xec, 0x35, 0x3e,
0x07, 0x24, 0x56, 0x31, 0x75, 0x06, 0x9e, 0x7e, 0xc5, 0x3f, 0x81, 0x73, 0x29, 0xfa, 0xf8, 0x1a,
0x36, 0xc5, 0x20, 0x3b, 0xba, 0x24, 0xfe, 0xb7, 0x0a, 0xc0, 0x56, 0x44, 0x8f, 0x65, 0xa1, 0x41,
0x9f, 0x65, 0x25, 0x3d, 0x4b, 0xd6, 0xe7, 0xdb, 0x61, 0xf8, 0x8c, 0x04, 0x2a, 0xc8, 0x8b, 0xdb,
0xbc, 0x48, 0x10, 0xd1, 0x63, 0x55, 0xdc, 0x64, 0xdf, 0xe8, 0x2a, 0xb4, 0xc5, 0xb3, 0x2d, 0xcb,
0x76, 0x9c, 0x00, 0x87, 0xa1, 0xac, 0x72, 0xb6, 0x04, 0x74, 0x4b, 0x00, 0x19, 0x9a, 0xeb, 0x60,
0x8f, 0xba, 0xf4, 0xc4, 0xa2, 0xe4, 0x09, 0xf6, 0x64, 0xf8, 0xd6, 0x52, 0xd0, 0xc7, 0x0c, 0xc8,
0xd0, 0x02, 0x3c, 0x72, 0x43, 0x1a, 0x28, 0x34, 0x55, 0x75, 0x93, 0x50, 0x8e, 0x66, 0xfc, 0xba,
0x02, 0x9d, 0xfd, 0x68, 0x3c, 0x16, 0x93, 0x3c, 0xeb, 0x5a, 0xa2, 0x77, 0xe4, 0x3c, 0xaa, 0x19,
0x6b, 0x48, 0x96, 0x48, 0x4e, 0xee, 0xfb, 0xa7, 0x95, 0xb7, 0x61, 0x59, 0x13, 0x54, 0x2a, 0x2d,
0x75, 0x4a, 0x57, 0xd2, 0xa7, 0x34, 0x33, 0x14, 0x91, 0x49, 0xbd, 0xda, 0xe4, 0x8c, 0xf3, 0x70,
0x2e, 0x45, 0x2f, 0xb3, 0xb0, 0x1b, 0xd0, 0x92, 0x57, 0xa1, 0xd2, 0x08, 0x2e, 0x40, 0x9d, 0xb9,
0x97, 0xa1, 0xeb, 0xa8, 0xaa, 0xf6, 0x82, 0x4f, 0x9c, 0x6d, 0xd7, 0x09, 0x8c, 0x3e, 0xb4, 0x4c,
0xc1, 0x5e, 0xe2, 0x7e, 0x06, 0x6d, 0x79, 0x71, 0x6a, 0xa5, 0x1e, 0x10, 0x24, 0x25, 0xd8, 0x14,
0x6f, 0xb3, 0xe5, 0xe9, 0x4d, 0xe3, 0x97, 0xd0, 0x3b, 0xf0, 0x1d, 0x16, 0x4c, 0xe9, 0x5c, 0xd5,
0xd4, 0x3e, 0x03, 0xf5, 0xac, 0xb0, 0x8c, 0x79, 0x9a, 0xac, 0x15, 0xe8, 0x4d, 0xe3, 0x32, 0x5c,
0x2c, 0x64, 0x2e, 0xe7, 0xed, 0x43, 0x27, 0xe9, 0x70, 0x5c, 0x55, 0xcc, 0xe7, 0x45, 0xfa, 0x8a,
0x56, 0xa4, 0x5f, 0x8d, 0x8f, 0x61, 0xe1, 0xd0, 0x65, 0x4b, 0x0b, 0x9a, 0x6a, 0x65, 0x41, 0xd3,
0x6c, 0x2a, 0x68, 0x32, 0xbe, 0x8e, 0x57, 0x4f, 0x46, 0xac, 0x1f, 0xf3, 0xb0, 0x59, 0x8c, 0xad,
0xdc, 0xc4, 0x85, 0x82, 0xc9, 0x09, 0x0c, 0x53, 0x43, 0x36, 0x96, 0xa0, 0x95, 0x72, 0x18, 0xc6,
0x5d, 0x68, 0x67, 0x3c, 0xc0, 0xad, 0x4c, 0xfc, 0x90, 0x5b, 0xb6, 0x4c, 0xf4, 0xb0, 0x22, 0x1d,
0xd1, 0xbd, 0x70, 0xcf, 0x3b, 0x22, 0x8a, 0xef, 0x15, 0x68, 0x1e, 0x94, 0x3d, 0xd1, 0x9b, 0x55,
0x77, 0x3c, 0xef, 0xc0, 0xf2, 0x80, 0x92, 0xc0, 0x1e, 0xe1, 0x3d, 0xbe, 0x6b, 0x8f, 0x5c, 0x71,
0x0b, 0x12, 0x45, 0xb1, 0xff, 0xe6, 0xdf, 0xc6, 0x7f, 0x54, 0x60, 0xe9, 0x9e, 0x3b, 0xc6, 0xe1,
0x49, 0x48, 0xf1, 0xe4, 0x80, 0xc7, 0x92, 0x97, 0xa0, 0xc1, 0xa4, 0x09, 0xa9, 0x3d, 0xf1, 0xd5,
0x1d, 0x50, 0x0c, 0x60, 0x6b, 0x14, 0x0a, 0xd6, 0x2a, 0xbb, 0xd4, 0xe3, 0xf8, 0xdc, 0xa8, 0x2c,
0xb6, 0x96, 0x20, 0xf4, 0x3e, 0x40, 0x14, 0x62, 0x47, 0xde, 0xfb, 0xd4, 0x32, 0x47, 0xcf, 0x81,
0x5e, 0xdf, 0x67, 0x78, 0xe2, 0x12, 0xe8, 0x03, 0x68, 0xba, 0x1e, 0x71, 0x30, 0xaf, 0xef, 0x3b,
0x32, 0xf3, 0x2c, 0xa6, 0x02, 0x81, 0x78, 0x10, 0x62, 0xc7, 0xf8, 0x13, 0xe9, 0x85, 0xd5, 0xe2,
0x49, 0x1d, 0xec, 0xc2, 0xb2, 0xd8, 0xd0, 0x47, 0xf1, 0xa4, 0x95, 0xa2, 0x93, 0x70, 0x2e, 0xb3,
0x20, 0x66, 0xc7, 0x95, 0xa7, 0xa2, 0xa2, 0x30, 0xee, 0xc0, 0xf9, 0x54, 0xcc, 0x77, 0x96, 0x54,
0xe9, 0xab, 0x4c, 0x9e, 0x95, 0x18, 0x88, 0x4c, 0x74, 0x94, 0x7d, 0x94, 0x24, 0x3a, 0xa1, 0x48,
0x74, 0x42, 0xc3, 0x84, 0x0b, 0xa9, 0xf4, 0x2f, 0x25, 0xc8, 0x07, 0x99, 0x23, 0xfe, 0x72, 0x09,
0xb3, 0xcc, 0x59, 0xff, 0x3f, 0x15, 0x58, 0x29, 0x42, 0x78, 0xc5, 0x42, 0xc3, 0xcf, 0x4a, 0x6e,
0xe3, 0x6f, 0x4f, 0x95, 0xe6, 0xf7, 0x52, 0x92, 0xb9, 0x0f, 0xbd, 0xa2, 0xd5, 0xcb, 0xab, 0xa2,
0x76, 0x0a, 0x55, 0xfc, 0x6f, 0x55, 0x2b, 0x9d, 0x6d, 0x51, 0x1a, 0xb8, 0x87, 0x11, 0x33, 0xde,
0x1f, 0x2a, 0x05, 0xbe, 0x1b, 0xa7, 0x77, 0x62, 0xfd, 0xae, 0xe5, 0xa9, 0x92, 0x51, 0x0b, 0x53,
0xbc, 0x47, 0xe9, 0x14, 0x4f, 0x14, 0xc5, 0x6e, 0x4e, 0x65, 0xf3, 0xda, 0xd6, 0x3d, 0x5e, 0x54,
0xa0, 0x9d, 0xd6, 0x03, 0xfa, 0x14, 0xc0, 0x8e, 0x25, 0x97, 0x26, 0x7f, 0x69, 0xda, 0xec, 0x4c,
0x0d, 0x1f, 0x5d, 0x81, 0xda, 0xd0, 0x8f, 0xa4, 0x46, 0x92, 0xdb, 0x91, 0x6d, 0x3f, 0x12, 0x0e,
0x80, 0xf5, 0xb2, 0xa0, 0x59, 0xdc, 0x51, 0xe7, 0x3c, 0xd7, 0x43, 0x0e, 0x16, 0xa8, 0x12, 0x07,
0x7d, 0x01, 0xed, 0x67, 0x81, 0x4b, 0xed, 0xc3, 0x31, 0xb6, 0xc6, 0xf6, 0x09, 0x0e, 0xa4, 0xe7,
0x2a, 0xf7, 0x32, 0x2d, 0x85, 0xff, 0x80, 0xa1, 0x1b, 0x11, 0xd4, 0xd5, 0xf8, 0x2f, 0xf1, 0xc8,
0xf7, 0x61, 0x2d, 0x62, 0x68, 0x16, 0xbf, 0x27, 0xf7, 0x6c, 0x8f, 0x58, 0x21, 0x66, 0x47, 0x93,
0x7a, 0x9b, 0x56, 0xec, 0x2d, 0x57, 0x38, 0xd1, 0x36, 0x09, 0x70, 0xdf, 0xf6, 0xc8, 0x40, 0x50,
0x18, 0x13, 0x68, 0x6a, 0xd3, 0x79, 0xc9, 0xc8, 0x77, 0x61, 0x59, 0xdd, 0x3b, 0x85, 0x98, 0x4a,
0xbf, 0x3e, 0x6d, 0xcc, 0x25, 0x89, 0x3e, 0xc0, 0x94, 0x7b, 0xf7, 0x1b, 0x97, 0xa0, 0xae, 0x5e,
0xf8, 0xa3, 0x05, 0xa8, 0x3d, 0xde, 0xde, 0xef, 0xcc, 0xb0, 0x8f, 0x83, 0x9d, 0xfd, 0x4e, 0xe5,
0xc6, 0x1d, 0x58, 0xca, 0xbc, 0x3d, 0x41, 0xcb, 0xd0, 0x1a, 0x6c, 0xf5, 0x77, 0xbe, 0x7c, 0xf4,
0x73, 0xcb, 0xdc, 0xdd, 0xda, 0xf9, 0x45, 0x67, 0x06, 0xad, 0x40, 0x47, 0x81, 0xfa, 0x8f, 0x1e,
0x0b, 0x68, 0xe5, 0xc6, 0x93, 0x8c, 0x8d, 0x60, 0x74, 0x1e, 0x96, 0xb7, 0x1f, 0xf5, 0x1f, 0x6f,
0xed, 0xf5, 0x77, 0x4d, 0x6b, 0xdb, 0xdc, 0xdd, 0x7a, 0xbc, 0xbb, 0xd3, 0x99, 0x49, 0x83, 0xcd,
0x83, 0x7e, 0x7f, 0xaf, 0xff, 0x55, 0xa7, 0xc2, 0xb8, 0x26, 0xe0, 0xdd, 0x9f, 0xef, 0x31, 0xe4,
0x6a, 0x1a, 0xf9, 0xa0, 0x7f, 0xbf, 0xff, 0xe8, 0x67, 0xfd, 0x4e, 0x6d, 0xf3, 0xb7, 0x8b, 0xd0,
0x56, 0x87, 0x38, 0x0e, 0xf8, 0xed, 0xe4, 0xe7, 0xb0, 0xa0, 0x7e, 0xbe, 0x48, 0xbc, 0x47, 0xfa,
0x4f, 0x91, 0x5e, 0x37, 0xdf, 0x21, 0x83, 0xa1, 0x19, 0xb4, 0xcf, 0x83, 0x13, 0xed, 0x9d, 0xcf,
0x65, 0x3d, 0x5c, 0xc8, 0x3d, 0x24, 0xea, 0xad, 0x97, 0x75, 0xc7, 0x1c, 0x07, 0x2c, 0x22, 0xd1,
0xdf, 0x68, 0xa2, 0x75, 0xfd, 0xdc, 0xce, 0xbf, 0xfd, 0xec, 0xbd, 0x51, 0xda, 0x1f, 0x33, 0xfd,
0x05, 0x74, 0xb2, 0xaf, 0x33, 0x51, 0x72, 0xcb, 0x5c, 0xf2, 0xf2, 0xb3, 0xf7, 0xe6, 0x14, 0x0c,
0x9d, 0x75, 0xee, 0x85, 0xe3, 0x46, 0xf9, 0x1b, 0xb5, 0x1c, 0xeb, 0xb2, 0x87, 0x6f, 0x62, 0x29,
0xd2, 0xef, 0x73, 0x90, 0xfe, 0xae, 0xb0, 0xe0, 0x9d, 0x96, 0xb6, 0x14, 0xc5, 0x0f, 0x7b, 0x8c,
0x19, 0xf4, 0x0d, 0x2c, 0x65, 0x2e, 0xa6, 0x50, 0x42, 0x55, 0x7c, 0xcd, 0xd6, 0xdb, 0x28, 0x47,
0x48, 0xeb, 0x4d, 0xbf, 0x76, 0x4a, 0xe9, 0xad, 0xe0, 0x2e, 0x2b, 0xa5, 0xb7, 0xc2, 0xfb, 0x2a,
0x6e, 0x5e, 0xa9, 0xcb, 0x25, 0xcd, 0xbc, 0x8a, 0x6e, 0xb2, 0x7a, 0xeb, 0x65, 0xdd, 0xfa, 0xf4,
0x33, 0x17, 0x4b, 0xda, 0xf4, 0x8b, 0xef, 0xab, 0x7a, 0x1b, 0xe5, 0x08, 0x59, 0x5d, 0x25, 0x55,
0xee, 0x8c, 0xae, 0x72, 0x97, 0x2a, 0x19, 0x5d, 0xe5, 0xcb, 0xe3, 0x52, 0x57, 0x99, 0x72, 0xf5,
0x1b, 0xa5, 0xe5, 0xbc, 0xbc, 0xae, 0x8a, 0x2b, 0x84, 0xc6, 0x0c, 0xda, 0x82, 0xba, 0xaa, 0xc7,
0xa1, 0x64, 0x77, 0x67, 0x8a, 0x80, 0xbd, 0x0b, 0x05, 0x3d, 0x31, 0x8b, 0x0f, 0x60, 0x96, 0x41,
0xd1, 0x4a, 0x0a, 0x49, 0x91, 0x9e, 0xcf, 0x40, 0x63, 0xb2, 0x4f, 0x60, 0x5e, 0x94, 0xaf, 0x50,
0x92, 0x57, 0xa4, 0x6a, 0x65, 0xbd, 0xb5, 0x1c, 0x3c, 0x26, 0xfe, 0x5a, 0xfc, 0x90, 0x25, 0xeb,
0x50, 0xe8, 0x62, 0xea, 0xe1, 0x7f, 0xba, 0xda, 0xd5, 0xbb, 0x54, 0xdc, 0xa9, 0xeb, 0x2b, 0x73,
0x38, 0xaf, 0x97, 0x45, 0x4f, 0x39, 0x7d, 0x15, 0x47, 0x63, 0xc6, 0x0c, 0xb2, 0x44, 0x49, 0x27,
0xc3, 0xd8, 0x28, 0x56, 0x74, 0x8a, 0xf9, 0x95, 0xa9, 0x38, 0xf1, 0x00, 0x87, 0x70, 0xae, 0x20,
0x39, 0x45, 0x09, 0x75, 0x79, 0x5e, 0xdc, 0x7b, 0x6b, 0x3a, 0x92, 0xae, 0x22, 0x69, 0x6b, 0xab,
0xfa, 0x06, 0xd5, 0x4c, 0x6c, 0x2d, 0x07, 0x57, 0xc4, 0x9b, 0x7f, 0x51, 0x83, 0x45, 0x51, 0x42,
0x90, 0x07, 0xcc, 0x57, 0x00, 0x49, 0x95, 0x0b, 0xf5, 0x52, 0xd3, 0x4c, 0x95, 0xfb, 0x7a, 0x17,
0x0b, 0xfb, 0x74, 0xe5, 0x6b, 0x05, 0x2b, 0x4d, 0xf9, 0xf9, 0x32, 0x98, 0xa6, 0xfc, 0x82, 0x1a,
0x97, 0x31, 0x83, 0x76, 0xa0, 0x11, 0x57, 0x51, 0x90, 0x56, 0x7c, 0xc9, 0x94, 0x80, 0x7a, 0xbd,
0xa2, 0x2e, 0x5d, 0x22, 0xad, 0x32, 0xa2, 0x49, 0x94, 0xaf, 0xb7, 0x68, 0x12, 0x15, 0x15, 0x53,
0x92, 0xd9, 0x89, 0x44, 0x30, 0x3b, 0xbb, 0x54, 0x6e, 0x9d, 0x9d, 0x5d, 0x3a, 0x77, 0x34, 0x66,
0xbe, 0xbc, 0xf4, 0x9b, 0xdf, 0xad, 0x57, 0xfe, 0xf3, 0x77, 0xeb, 0x33, 0x7f, 0xfe, 0x62, 0xbd,
0xf2, 0x9b, 0x17, 0xeb, 0x95, 0x7f, 0x7f, 0xb1, 0x5e, 0xf9, 0xed, 0x8b, 0xf5, 0xca, 0x77, 0xff,
0xbd, 0x3e, 0x73, 0x38, 0xcf, 0xff, 0x50, 0x7c, 0xff, 0xff, 0x03, 0x00, 0x00, 0xff, 0xff, 0xbd,
0x17, 0xb2, 0x8b, 0x55, 0x3a, 0x00, 0x00,
}


@ -514,6 +514,9 @@ message LinuxContainerSecurityContext {
// * localhost/<full-path-to-profile>: the profile installed on the node.
// <full-path-to-profile> is the full path of the profile.
string seccomp_profile_path = 10;
// no_new_privs defines if the flag for no_new_privs should be set on the
// container.
bool no_new_privs = 11;
}
// LinuxContainerConfig contains platform-specific configuration for
@ -982,7 +985,7 @@ message FilesystemUsage {
// The underlying storage of the filesystem.
StorageIdentifier storage_id = 2;
// UsedBytes represents the bytes used for images on the filesystem.
// This may differ from the total bytes used on the filesystem and may not
// This may differ from the total bytes used on the filesystem and may not
// equal CapacityBytes - AvailableBytes.
UInt64Value used_bytes = 3;
// InodesUsed represents the inodes used by the images.


@ -113,6 +113,10 @@ func modifyHostConfig(sc *runtimeapi.LinuxContainerSecurityContext, hostConfig *
}
hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, apparmorSecurityOpts...)
if sc.NoNewPrivs {
hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, "no-new-privileges")
}
return nil
}


@ -798,6 +798,7 @@ func NewMainKubelet(kubeCfg *componentconfig.KubeletConfiguration, kubeDeps *Dep
klet.appArmorValidator = apparmor.NewValidator(kubeCfg.ContainerRuntime)
klet.softAdmitHandlers.AddPodAdmitHandler(lifecycle.NewAppArmorAdmitHandler(klet.appArmorValidator))
klet.softAdmitHandlers.AddPodAdmitHandler(lifecycle.NewNoNewPrivsAdmitHandler(klet.containerRuntime))
if utilfeature.DefaultFeatureGate.Enabled(features.Accelerators) {
if kubeCfg.ContainerRuntime == kubetypes.DockerContainerRuntime {
if klet.gpuManager, err = nvidia.NewNvidiaGPUManager(klet, kubeDeps.DockerClient); err != nil {


@ -66,6 +66,8 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Po
synthesized.SupplementalGroups = append(synthesized.SupplementalGroups, groups...)
}
synthesized.NoNewPrivs = securitycontext.AddNoNewPrivileges(effectiveSc)
return synthesized
}


@ -165,3 +165,74 @@ func (a *appArmorAdmitHandler) Admit(attrs *PodAdmitAttributes) PodAdmitResult {
Message: fmt.Sprintf("Cannot enforce AppArmor: %v", err),
}
}
func NewNoNewPrivsAdmitHandler(runtime kubecontainer.Runtime) PodAdmitHandler {
return &noNewPrivsAdmitHandler{
Runtime: runtime,
}
}
type noNewPrivsAdmitHandler struct {
kubecontainer.Runtime
}
func (a *noNewPrivsAdmitHandler) Admit(attrs *PodAdmitAttributes) PodAdmitResult {
// If the pod is already running or terminated, no need to recheck NoNewPrivs.
if attrs.Pod.Status.Phase != v1.PodPending {
return PodAdmitResult{Admit: true}
}
// If the containers in a pod do not require no-new-privs, admit it.
if !noNewPrivsRequired(attrs.Pod) {
return PodAdmitResult{Admit: true}
}
// Make sure it is either docker or rkt runtimes.
if a.Runtime.Type() != kubetypes.DockerContainerRuntime && a.Runtime.Type() != kubetypes.RktContainerRuntime {
return PodAdmitResult{
Admit: false,
Reason: "NoNewPrivs",
Message: fmt.Sprintf("Cannot enforce NoNewPrivs: %s runtime not supported", a.Runtime.Type()),
}
}
if a.Runtime.Type() != kubetypes.DockerContainerRuntime {
// Make sure docker api version is valid.
rversion, err := a.Runtime.APIVersion()
if err != nil {
return PodAdmitResult{
Admit: false,
Reason: "NoNewPrivs",
Message: fmt.Sprintf("Cannot enforce NoNewPrivs: %v", err),
}
}
v, err := rversion.Compare("1.23")
if err != nil {
return PodAdmitResult{
Admit: false,
Reason: "NoNewPrivs",
Message: fmt.Sprintf("Cannot enforce NoNewPrivs: %v", err),
}
}
// If the version is less than 1.23 it will return -1 above.
if v == -1 {
return PodAdmitResult{
Admit: false,
Reason: "NoNewPrivs",
Message: fmt.Sprintf("Cannot enforce NoNewPrivs: docker runtime API version %q must be greater than or equal to 1.23", rversion.String()),
}
}
}
return PodAdmitResult{Admit: true}
}
func noNewPrivsRequired(pod *v1.Pod) bool {
// Iterate over pod containers and check if we added no-new-privs.
for _, c := range pod.Spec.Containers {
if c.SecurityContext != nil && c.SecurityContext.AllowPrivilegeEscalation != nil && !*c.SecurityContext.AllowPrivilegeEscalation {
return true
}
}
return false
}
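Review bot: The guard `if a.Runtime.Type() != kubetypes.DockerContainerRuntime {` in `noNewPrivsAdmitHandler.Admit` looks inverted: after the preceding check only docker and rkt reach it, so the Docker API version comparison runs for rkt and is skipped for docker. A pod that sets `allowPrivilegeEscalation: false` would then be admitted on a Docker daemon whose API is older than 1.23, where the option presumably cannot be enforced, and it would run without the restriction it asked for. The condition should read `if a.Runtime.Type() == kubetypes.DockerContainerRuntime {`. Separately, `noNewPrivsRequired` walks only `pod.Spec.Containers`; if init containers can carry the same field, they should be included in the check.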


@ -439,6 +439,14 @@ func setIsolators(app *appctypes.App, c *v1.Container, ctx *v1.SecurityContext)
}
}
if ok := securitycontext.AddNoNewPrivileges(ctx); ok {
isolator, err := newNoNewPrivilegesIsolator(true)
if err != nil {
return err
}
isolators = append(isolators, *isolator)
}
mergeIsolators(app, isolators)
return nil
}
@ -2621,3 +2629,16 @@ func convertKubePortMappings(portMappings []kubecontainer.PortMapping) ([]appcty
return containerPorts, hostPorts
}
func newNoNewPrivilegesIsolator(v bool) (*appctypes.Isolator, error) {
b := fmt.Sprintf(`{"name": "%s", "value": %t}`, appctypes.LinuxNoNewPrivilegesName, v)
i := &appctypes.Isolator{
Name: appctypes.LinuxNoNewPrivilegesName,
}
if err := i.UnmarshalJSON([]byte(b)); err != nil {
return nil, err
}
return i, nil
}

View File

@ -23,6 +23,7 @@ import (
"os"
"path/filepath"
"sort"
"strings"
"testing"
"time"
@ -48,7 +49,6 @@ import (
"k8s.io/kubernetes/pkg/kubelet/types"
"k8s.io/utils/exec"
fakeexec "k8s.io/utils/exec/testing"
"strings"
)
func mustMarshalPodManifest(man *appcschema.PodManifest) []byte {
@ -938,6 +938,7 @@ func baseImageManifest(t *testing.T) *appcschema.ImageManifest {
func baseAppWithRootUserGroup(t *testing.T) *appctypes.App {
app := baseApp(t)
app.User, app.Group = "0", "0"
app.Isolators = append(app.Isolators)
return app
}
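Review bot: `app.Isolators = append(app.Isolators)` in `baseAppWithRootUserGroup` appends nothing, so the assignment is a no-op and `go vet` would likely flag it. Either drop the line or append the isolator the fixture was meant to carry. The visible hunks of this file add no assertion for the new no-new-privileges isolator, so the `setIsolators` path introduced by this commit appears untested here.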


@ -183,6 +183,17 @@ func (s *simpleProvider) CreateContainerSecurityContext(pod *api.Pod, container
sc.ReadOnlyRootFilesystem = &readOnlyRootFS
}
// if the PSP sets DefaultAllowPrivilegeEscalation and the container security context
// allowPrivilegeEscalation is not set, then default to that set by the PSP.
if s.psp.Spec.DefaultAllowPrivilegeEscalation != nil && sc.AllowPrivilegeEscalation == nil {
sc.AllowPrivilegeEscalation = s.psp.Spec.DefaultAllowPrivilegeEscalation
}
// if the PSP sets psp.AllowPrivilegeEscalation to false set that as the default
if !s.psp.Spec.AllowPrivilegeEscalation && sc.AllowPrivilegeEscalation == nil {
sc.AllowPrivilegeEscalation = &s.psp.Spec.AllowPrivilegeEscalation
}
return sc, annotations, nil
}
@ -301,6 +312,15 @@ func (s *simpleProvider) ValidateContainerSecurityContext(pod *api.Pod, containe
}
}
if !s.psp.Spec.AllowPrivilegeEscalation && sc.AllowPrivilegeEscalation == nil {
allErrs = append(allErrs, field.Invalid(fldPath.Child("allowPrivilegeEscalation"), sc.AllowPrivilegeEscalation, "Allowing privilege escalation for containers is not allowed"))
}
if !s.psp.Spec.AllowPrivilegeEscalation && sc.AllowPrivilegeEscalation != nil && *sc.AllowPrivilegeEscalation {
allErrs = append(allErrs, field.Invalid(fldPath.Child("allowPrivilegeEscalation"), *sc.AllowPrivilegeEscalation, "Allowing privilege escalation for containers is not allowed"))
}
return allErrs
}
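Review bot: In `CreateContainerSecurityContext` the defaulting stores pointers into the policy object, `sc.AllowPrivilegeEscalation = &s.psp.Spec.AllowPrivilegeEscalation` (and `= s.psp.Spec.DefaultAllowPrivilegeEscalation` just above), so the container's security context and the PodSecurityPolicy held by the provider share one bool. Any later write through the container's field would change the policy for every pod validated afterwards; whether such a write happens is not visible, since the function starts outside the hunk. Copying the value avoids the aliasing: `allow := s.psp.Spec.AllowPrivilegeEscalation; sc.AllowPrivilegeEscalation = &allow`. In `ValidateContainerSecurityContext` the two new checks emit the same message and could be a single `if !s.psp.Spec.AllowPrivilegeEscalation && (sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation)`.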


@ -920,6 +920,7 @@ func defaultPSP() *extensions.PodSecurityPolicy {
SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{
Rule: extensions.SupplementalGroupsStrategyRunAsAny,
},
AllowPrivilegeEscalation: true,
},
}
}
@ -1033,3 +1034,111 @@ func TestValidateAllowedVolumes(t *testing.T) {
}
}
}
// TestValidateAllowPrivilegeEscalation will test that when the podSecurityPolicy
// AllowPrivilegeEscalation is false we cannot set a container's securityContext
// to allowPrivilegeEscalation, but when it is true we can.
func TestValidateAllowPrivilegeEscalation(t *testing.T) {
pod := defaultPod()
pe := true
pod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation = &pe
// create a PSP that does not allow privilege escalation
psp := defaultPSP()
psp.Spec.AllowPrivilegeEscalation = false
provider, err := NewSimpleProvider(psp, "namespace", NewSimpleStrategyFactory())
if err != nil {
t.Errorf("error creating provider: %v", err.Error())
}
// expect a denial for this PSP and test the error message to ensure it's related to allowPrivilegeEscalation
errs := provider.ValidateContainerSecurityContext(pod, &pod.Spec.Containers[0], field.NewPath(""))
if len(errs) != 1 {
t.Errorf("expected exactly 1 error but got %v", errs)
} else {
if !strings.Contains(errs.ToAggregate().Error(), "Allowing privilege escalation for containers is not allowed") {
t.Errorf("did not find the expected error, received: %v", errs)
}
}
// now add allowPrivilegeEscalation to the podSecurityPolicy
psp.Spec.AllowPrivilegeEscalation = true
errs = provider.ValidateContainerSecurityContext(pod, &pod.Spec.Containers[0], field.NewPath(""))
if len(errs) != 0 {
t.Errorf("directly allowing privilege escalation expected no errors but got %v", errs)
}
}
// TestValidateDefaultAllowPrivilegeEscalation will test that when the podSecurityPolicy
// DefaultAllowPrivilegeEscalation is false we cannot set a container's
// securityContext to allowPrivilegeEscalation but when it is true we can.
func TestValidateDefaultAllowPrivilegeEscalation(t *testing.T) {
pod := defaultPod()
pe := true
pod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation = &pe
// create a PSP that does not allow privilege escalation
psp := defaultPSP()
dpe := false
psp.Spec.DefaultAllowPrivilegeEscalation = &dpe
psp.Spec.AllowPrivilegeEscalation = false
provider, err := NewSimpleProvider(psp, "namespace", NewSimpleStrategyFactory())
if err != nil {
t.Errorf("error creating provider: %v", err.Error())
}
// expect a denial for this PSP and test the error message to ensure it's related to allowPrivilegeEscalation
errs := provider.ValidateContainerSecurityContext(pod, &pod.Spec.Containers[0], field.NewPath(""))
if len(errs) != 1 {
t.Errorf("expected exactly 1 error but got %v", errs)
} else {
if !strings.Contains(errs.ToAggregate().Error(), "Allowing privilege escalation for containers is not allowed") {
t.Errorf("did not find the expected error, received: %v", errs)
}
}
// now add DefaultAllowPrivilegeEscalation to the podSecurityPolicy
dpe = true
psp.Spec.DefaultAllowPrivilegeEscalation = &dpe
psp.Spec.AllowPrivilegeEscalation = false
// expect a denial for this PSP because we did not allowPrivilege Escalation via the PodSecurityPolicy
// and test the error message to ensure it's related to allowPrivilegeEscalation
errs = provider.ValidateContainerSecurityContext(pod, &pod.Spec.Containers[0], field.NewPath(""))
if len(errs) != 1 {
t.Errorf("expected exactly 1 error but got %v", errs)
} else {
if !strings.Contains(errs.ToAggregate().Error(), "Allowing privilege escalation for containers is not allowed") {
t.Errorf("did not find the expected error, received: %v", errs)
}
}
// Now set AllowPrivilegeEscalation
psp.Spec.AllowPrivilegeEscalation = true
errs = provider.ValidateContainerSecurityContext(pod, &pod.Spec.Containers[0], field.NewPath(""))
if len(errs) != 0 {
t.Errorf("directly allowing privilege escalation expected no errors but got %v", errs)
}
// Now set the psp spec to false and reset AllowPrivilegeEscalation
psp.Spec.AllowPrivilegeEscalation = false
pod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation = nil
errs = provider.ValidateContainerSecurityContext(pod, &pod.Spec.Containers[0], field.NewPath(""))
if len(errs) != 1 {
t.Errorf("expected exactly 1 error but got %v", errs)
} else {
if !strings.Contains(errs.ToAggregate().Error(), "Allowing privilege escalation for containers is not allowed") {
t.Errorf("did not find the expected error, received: %v", errs)
}
}
// Now unset both AllowPrivilegeEscalation
psp.Spec.AllowPrivilegeEscalation = true
pod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation = nil
errs = provider.ValidateContainerSecurityContext(pod, &pod.Spec.Containers[0], field.NewPath(""))
if len(errs) != 0 {
t.Errorf("resetting allowing privilege escalation expected no errors but got %v", errs)
}
}
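Review bot: Both new tests report a failed `NewSimpleProvider` with `t.Errorf` and then still call `provider.ValidateContainerSecurityContext`, which would panic on a nil provider instead of failing cleanly; `t.Fatalf("error creating provider: %v", err)` is the safer form. The tests also flip `psp.Spec.AllowPrivilegeEscalation` after the provider is built, so they depend on the provider keeping the same `psp` pointer, and a one-line comment saying so would help the next reader. The header comment of `TestValidateDefaultAllowPrivilegeEscalation` says the default field gates the request, while the assertions show that `AllowPrivilegeEscalation` decides the outcome; the comment should be reworded to match.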

View File

@ -133,6 +133,11 @@ func DetermineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container) *v1
*effectiveSc.ReadOnlyRootFilesystem = *containerSc.ReadOnlyRootFilesystem
}
if containerSc.AllowPrivilegeEscalation != nil {
effectiveSc.AllowPrivilegeEscalation = new(bool)
*effectiveSc.AllowPrivilegeEscalation = *containerSc.AllowPrivilegeEscalation
}
return effectiveSc
}
@ -205,6 +210,11 @@ func InternalDetermineEffectiveSecurityContext(pod *api.Pod, container *api.Cont
*effectiveSc.ReadOnlyRootFilesystem = *containerSc.ReadOnlyRootFilesystem
}
if containerSc.AllowPrivilegeEscalation != nil {
effectiveSc.AllowPrivilegeEscalation = new(bool)
*effectiveSc.AllowPrivilegeEscalation = *containerSc.AllowPrivilegeEscalation
}
return effectiveSc
}
@ -231,3 +241,38 @@ func internalSecurityContextFromPodSecurityContext(pod *api.Pod) *api.SecurityCo
return synthesized
}
// AddNoNewPrivileges returns if we should add the no_new_privs option. This will return true if:
// 1) the container is not privileged
// 2) CAP_SYS_ADMIN is not being added
// 3) if podSecurityPolicy.DefaultAllowPrivilegeEscalation is:
// - nil, then return false
// - true, then return false
// - false, then return true
func AddNoNewPrivileges(sc *v1.SecurityContext) bool {
if sc == nil {
return false
}
// handle the case where the container is privileged
if sc.Privileged != nil && *sc.Privileged {
return false
}
// handle the case where we are adding CAP_SYS_ADMIN
if sc.Capabilities != nil {
for _, cap := range sc.Capabilities.Add {
if string(cap) == "CAP_SYS_ADMIN" {
return false
}
}
}
// handle the case where the user did not set the default and did not explicitly set allowPrivilegeEscalation
if sc.AllowPrivilegeEscalation == nil {
return false
}
// handle the case where defaultAllowPrivilegeEscalation is false or the user explicitly set allowPrivilegeEscalation to true/false
return !*sc.AllowPrivilegeEscalation
}
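Review bot: `AddNoNewPrivileges` matches the added capability with `string(cap) == "CAP_SYS_ADMIN"`, which misses the same capability written without the prefix. If manifests give it as `SYS_ADMIN` (worth confirming against the API conventions), the exemption promised in the doc comment never applies and the result disagrees with the field's documented behaviour. Comparing a normalised name, e.g. `strings.TrimPrefix(strings.ToUpper(string(cap)), "CAP_") == "SYS_ADMIN"`, covers both spellings; it needs `strings` in the import block, which is outside this hunk. The doc comment also names `podSecurityPolicy.DefaultAllowPrivilegeEscalation`, but the code reads only `sc.AllowPrivilegeEscalation`, so item 3 should describe that field instead.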

View File

@ -176,3 +176,100 @@ func TestHasRootRunAsUser(t *testing.T) {
}
}
}
func TestAddNoNewPrivileges(t *testing.T) {
var nonRoot int64 = 1000
var root int64 = 0
pfalse := false
ptrue := true
tests := map[string]struct {
sc v1.SecurityContext
expect bool
}{
"allowPrivilegeEscalation nil security context nil": {},
"allowPrivilegeEscalation nil capAddSysadmin": {
sc: v1.SecurityContext{
Capabilities: &v1.Capabilities{
Add: []v1.Capability{"CAP_SYS_ADMIN"},
},
},
},
"allowPrivilegeEscalation nil privileged": {
sc: v1.SecurityContext{
Privileged: &ptrue,
},
},
"allowPrivilegeEscalation nil nonRoot": {
sc: v1.SecurityContext{
RunAsUser: &nonRoot,
},
},
"allowPrivilegeEscalation nil root": {
sc: v1.SecurityContext{
RunAsUser: &root,
},
},
"allowPrivilegeEscalation false capAddSysadmin": {
sc: v1.SecurityContext{
Capabilities: &v1.Capabilities{
Add: []v1.Capability{"CAP_SYS_ADMIN"},
},
AllowPrivilegeEscalation: &pfalse,
},
},
"allowPrivilegeEscalation false privileged": {
sc: v1.SecurityContext{
Privileged: &ptrue,
AllowPrivilegeEscalation: &pfalse,
},
},
"allowPrivilegeEscalation false nonRoot": {
sc: v1.SecurityContext{
RunAsUser: &nonRoot,
AllowPrivilegeEscalation: &pfalse,
},
expect: true,
},
"allowPrivilegeEscalation false root": {
sc: v1.SecurityContext{
RunAsUser: &root,
AllowPrivilegeEscalation: &pfalse,
},
expect: true,
},
"allowPrivilegeEscalation true capAddSysadmin": {
sc: v1.SecurityContext{
Capabilities: &v1.Capabilities{
Add: []v1.Capability{"CAP_SYS_ADMIN"},
},
AllowPrivilegeEscalation: &ptrue,
},
},
"allowPrivilegeEscalation true privileged": {
sc: v1.SecurityContext{
Privileged: &ptrue,
AllowPrivilegeEscalation: &ptrue,
},
},
"allowPrivilegeEscalation true nonRoot": {
sc: v1.SecurityContext{
RunAsUser: &nonRoot,
AllowPrivilegeEscalation: &ptrue,
},
},
"allowPrivilegeEscalation true root": {
sc: v1.SecurityContext{
RunAsUser: &root,
AllowPrivilegeEscalation: &ptrue,
},
},
}
for k, v := range tests {
actual := AddNoNewPrivileges(&v.sc)
if actual != v.expect {
t.Errorf("%s failed, expected %t but received %t", k, v.expect, actual)
}
}
}
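Review bot: Every capability case in TestAddNoNewPrivileges spells the value as `"CAP_SYS_ADMIN"`, the exact string AddNoNewPrivileges compares against, so the table cannot catch a mismatch with the form users write. Kubernetes manifests normally list capabilities without the `CAP_` prefix; if the unprefixed value is what reaches this helper (not visible on this page, worth confirming), a container adding `SYS_ADMIN` with `allowPrivilegeEscalation: false` would not get the exemption the API doc describes. I would add a case such as `"allowPrivilegeEscalation false capAddSysadmin unprefixed": {sc: v1.SecurityContext{Capabilities: &v1.Capabilities{Add: []v1.Capability{"SYS_ADMIN"}}, AllowPrivilegeEscalation: &pfalse}},` and decide explicitly which result is intended. The case named "security context nil" is `{}`, and the loop always passes `&v.sc`, so the `sc == nil` guard is never exercised; `if AddNoNewPrivileges(nil) { t.Error("expected false for nil security context") }` after the loop would cover it.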



@ -3540,6 +3540,15 @@ message SecurityContext {
// Default is false.
// +optional
optional bool readOnlyRootFilesystem = 6;
// AllowPrivilegeEscalation controls whether a process can gain more
// privileges than it's parent process. This bool directly controls if
// the no_new_privs flag will be set on the container process.
// AllowPrivilegeEscalation is true always when the container is:
// 1) run as Privileged
// 2) has CAP_SYS_ADMIN
// +optional
optional bool allowPrivilegeEscalation = 7;
}
// SerializedReference is a reference to serialized object.


@ -67986,7 +67986,7 @@ func (x *SecurityContext) CodecEncodeSelf(e *codec1978.Encoder) {
} else {
yysep2 := !z.EncBinary()
yy2arr2 := z.EncBasicHandle().StructToArray
var yyq2 [6]bool
var yyq2 [7]bool
_, _, _ = yysep2, yyq2, yy2arr2
const yyr2 bool = false
yyq2[0] = x.Capabilities != nil
@ -67995,9 +67995,10 @@ func (x *SecurityContext) CodecEncodeSelf(e *codec1978.Encoder) {
yyq2[3] = x.RunAsUser != nil
yyq2[4] = x.RunAsNonRoot != nil
yyq2[5] = x.ReadOnlyRootFilesystem != nil
yyq2[6] = x.AllowPrivilegeEscalation != nil
var yynn2 int
if yyr2 || yy2arr2 {
r.EncodeArrayStart(6)
r.EncodeArrayStart(7)
} else {
yynn2 = 0
for _, b := range yyq2 {
@ -68194,6 +68195,41 @@ func (x *SecurityContext) CodecEncodeSelf(e *codec1978.Encoder) {
}
}
}
if yyr2 || yy2arr2 {
z.EncSendContainerState(codecSelfer_containerArrayElem1234)
if yyq2[6] {
if x.AllowPrivilegeEscalation == nil {
r.EncodeNil()
} else {
yy30 := *x.AllowPrivilegeEscalation
yym31 := z.EncBinary()
_ = yym31
if false {
} else {
r.EncodeBool(bool(yy30))
}
}
} else {
r.EncodeNil()
}
} else {
if yyq2[6] {
z.EncSendContainerState(codecSelfer_containerMapKey1234)
r.EncodeString(codecSelferC_UTF81234, string("allowPrivilegeEscalation"))
z.EncSendContainerState(codecSelfer_containerMapValue1234)
if x.AllowPrivilegeEscalation == nil {
r.EncodeNil()
} else {
yy32 := *x.AllowPrivilegeEscalation
yym33 := z.EncBinary()
_ = yym33
if false {
} else {
r.EncodeBool(bool(yy32))
}
}
}
}
if yyr2 || yy2arr2 {
z.EncSendContainerState(codecSelfer_containerArrayEnd1234)
} else {
@ -68341,6 +68377,22 @@ func (x *SecurityContext) codecDecodeSelfFromMap(l int, d *codec1978.Decoder) {
*((*bool)(x.ReadOnlyRootFilesystem)) = r.DecodeBool()
}
}
case "allowPrivilegeEscalation":
if r.TryDecodeAsNil() {
if x.AllowPrivilegeEscalation != nil {
x.AllowPrivilegeEscalation = nil
}
} else {
if x.AllowPrivilegeEscalation == nil {
x.AllowPrivilegeEscalation = new(bool)
}
yym15 := z.DecBinary()
_ = yym15
if false {
} else {
*((*bool)(x.AllowPrivilegeEscalation)) = r.DecodeBool()
}
}
default:
z.DecStructFieldNotFound(-1, yys3)
} // end switch yys3
@ -68352,16 +68404,16 @@ func (x *SecurityContext) codecDecodeSelfFromArray(l int, d *codec1978.Decoder)
var h codecSelfer1234
z, r := codec1978.GenHelperDecoder(d)
_, _, _ = h, z, r
var yyj14 int
var yyb14 bool
var yyhl14 bool = l >= 0
yyj14++
if yyhl14 {
yyb14 = yyj14 > l
var yyj16 int
var yyb16 bool
var yyhl16 bool = l >= 0
yyj16++
if yyhl16 {
yyb16 = yyj16 > l
} else {
yyb14 = r.CheckBreak()
yyb16 = r.CheckBreak()
}
if yyb14 {
if yyb16 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@ -68376,13 +68428,13 @@ func (x *SecurityContext) codecDecodeSelfFromArray(l int, d *codec1978.Decoder)
}
x.Capabilities.CodecDecodeSelf(d)
}
yyj14++
if yyhl14 {
yyb14 = yyj14 > l
yyj16++
if yyhl16 {
yyb16 = yyj16 > l
} else {
yyb14 = r.CheckBreak()
yyb16 = r.CheckBreak()
}
if yyb14 {
if yyb16 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@ -68395,20 +68447,20 @@ func (x *SecurityContext) codecDecodeSelfFromArray(l int, d *codec1978.Decoder)
if x.Privileged == nil {
x.Privileged = new(bool)
}
yym17 := z.DecBinary()
_ = yym17
yym19 := z.DecBinary()
_ = yym19
if false {
} else {
*((*bool)(x.Privileged)) = r.DecodeBool()
}
}
yyj14++
if yyhl14 {
yyb14 = yyj14 > l
yyj16++
if yyhl16 {
yyb16 = yyj16 > l
} else {
yyb14 = r.CheckBreak()
yyb16 = r.CheckBreak()
}
if yyb14 {
if yyb16 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@ -68423,13 +68475,13 @@ func (x *SecurityContext) codecDecodeSelfFromArray(l int, d *codec1978.Decoder)
}
x.SELinuxOptions.CodecDecodeSelf(d)
}
yyj14++
if yyhl14 {
yyb14 = yyj14 > l
yyj16++
if yyhl16 {
yyb16 = yyj16 > l
} else {
yyb14 = r.CheckBreak()
yyb16 = r.CheckBreak()
}
if yyb14 {
if yyb16 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@ -68442,20 +68494,20 @@ func (x *SecurityContext) codecDecodeSelfFromArray(l int, d *codec1978.Decoder)
if x.RunAsUser == nil {
x.RunAsUser = new(int64)
}
yym20 := z.DecBinary()
_ = yym20
yym22 := z.DecBinary()
_ = yym22
if false {
} else {
*((*int64)(x.RunAsUser)) = int64(r.DecodeInt(64))
}
}
yyj14++
if yyhl14 {
yyb14 = yyj14 > l
yyj16++
if yyhl16 {
yyb16 = yyj16 > l
} else {
yyb14 = r.CheckBreak()
yyb16 = r.CheckBreak()
}
if yyb14 {
if yyb16 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@ -68468,20 +68520,20 @@ func (x *SecurityContext) codecDecodeSelfFromArray(l int, d *codec1978.Decoder)
if x.RunAsNonRoot == nil {
x.RunAsNonRoot = new(bool)
}
yym22 := z.DecBinary()
_ = yym22
yym24 := z.DecBinary()
_ = yym24
if false {
} else {
*((*bool)(x.RunAsNonRoot)) = r.DecodeBool()
}
}
yyj14++
if yyhl14 {
yyb14 = yyj14 > l
yyj16++
if yyhl16 {
yyb16 = yyj16 > l
} else {
yyb14 = r.CheckBreak()
yyb16 = r.CheckBreak()
}
if yyb14 {
if yyb16 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@ -68494,25 +68546,51 @@ func (x *SecurityContext) codecDecodeSelfFromArray(l int, d *codec1978.Decoder)
if x.ReadOnlyRootFilesystem == nil {
x.ReadOnlyRootFilesystem = new(bool)
}
yym24 := z.DecBinary()
_ = yym24
yym26 := z.DecBinary()
_ = yym26
if false {
} else {
*((*bool)(x.ReadOnlyRootFilesystem)) = r.DecodeBool()
}
}
for {
yyj14++
if yyhl14 {
yyb14 = yyj14 > l
} else {
yyb14 = r.CheckBreak()
yyj16++
if yyhl16 {
yyb16 = yyj16 > l
} else {
yyb16 = r.CheckBreak()
}
if yyb16 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
z.DecSendContainerState(codecSelfer_containerArrayElem1234)
if r.TryDecodeAsNil() {
if x.AllowPrivilegeEscalation != nil {
x.AllowPrivilegeEscalation = nil
}
if yyb14 {
} else {
if x.AllowPrivilegeEscalation == nil {
x.AllowPrivilegeEscalation = new(bool)
}
yym28 := z.DecBinary()
_ = yym28
if false {
} else {
*((*bool)(x.AllowPrivilegeEscalation)) = r.DecodeBool()
}
}
for {
yyj16++
if yyhl16 {
yyb16 = yyj16 > l
} else {
yyb16 = r.CheckBreak()
}
if yyb16 {
break
}
z.DecSendContainerState(codecSelfer_containerArrayElem1234)
z.DecStructFieldNotFound(yyj14-1, "")
z.DecStructFieldNotFound(yyj16-1, "")
}
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
}


@ -4613,6 +4613,14 @@ type SecurityContext struct {
// Default is false.
// +optional
ReadOnlyRootFilesystem *bool `json:"readOnlyRootFilesystem,omitempty" protobuf:"varint,6,opt,name=readOnlyRootFilesystem"`
// AllowPrivilegeEscalation controls whether a process can gain more
// privileges than it's parent process. This bool directly controls if
// the no_new_privs flag will be set on the container process.
// AllowPrivilegeEscalation is true always when the container is:
// 1) run as Privileged
// 2) has CAP_SYS_ADMIN
// +optional
AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty" protobuf:"varint,7,opt,name=allowPrivilegeEscalation"`
}
// SELinuxOptions are the labels to be applied to the container
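Review bot: The new doc comment on AllowPrivilegeEscalation does not say what an unset (nil) value means, and for an `+optional` pointer field that is the case most manifests will hit. In this commit's AddNoNewPrivileges helper a nil value returns false, so no_new_privs is not set and the restriction is opt-in unless something else fills the field in (the helper's own comment mentions a policy default). I would state that in the field comment, e.g. `// When unset, no_new_privs is not set on the container process.` The comment should also read `its parent process` rather than `it's`; the same text is copied into the generated proto and swagger descriptions, so it is cheapest to fix here and regenerate. The struct body starts outside this hunk.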


@ -1763,13 +1763,14 @@ func (SecretVolumeSource) SwaggerDoc() map[string]string {
}
var map_SecurityContext = map[string]string{
"": "SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence.",
"capabilities": "The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime.",
"privileged": "Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false.",
"seLinuxOptions": "The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
"runAsUser": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
"runAsNonRoot": "Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
"readOnlyRootFilesystem": "Whether this container has a read-only root filesystem. Default is false.",
"": "SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence.",
"capabilities": "The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime.",
"privileged": "Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false.",
"seLinuxOptions": "The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
"runAsUser": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
"runAsNonRoot": "Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
"readOnlyRootFilesystem": "Whether this container has a read-only root filesystem. Default is false.",
"allowPrivilegeEscalation": "AllowPrivilegeEscalation controls whether a process can gain more privileges than it's parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN",
}
func (SecurityContext) SwaggerDoc() map[string]string {


@ -5262,6 +5262,15 @@ func (in *SecurityContext) DeepCopyInto(out *SecurityContext) {
**out = **in
}
}
if in.AllowPrivilegeEscalation != nil {
in, out := &in.AllowPrivilegeEscalation, &out.AllowPrivilegeEscalation
if *in == nil {
*out = nil
} else {
*out = new(bool)
**out = **in
}
}
return
}


@ -2005,6 +2005,26 @@ func (m *PodSecurityPolicySpec) MarshalTo(dAtA []byte) (int, error) {
dAtA[i] = 0
}
i++
if m.DefaultAllowPrivilegeEscalation != nil {
dAtA[i] = 0x78
i++
if *m.DefaultAllowPrivilegeEscalation {
dAtA[i] = 1
} else {
dAtA[i] = 0
}
i++
}
dAtA[i] = 0x80
i++
dAtA[i] = 0x1
i++
if m.AllowPrivilegeEscalation {
dAtA[i] = 1
} else {
dAtA[i] = 0
}
i++
return i, nil
}
@ -3267,6 +3287,10 @@ func (m *PodSecurityPolicySpec) Size() (n int) {
l = m.FSGroup.Size()
n += 1 + l + sovGenerated(uint64(l))
n += 2
if m.DefaultAllowPrivilegeEscalation != nil {
n += 2
}
n += 3
return n
}
@ -4001,6 +4025,8 @@ func (this *PodSecurityPolicySpec) String() string {
`SupplementalGroups:` + strings.Replace(strings.Replace(this.SupplementalGroups.String(), "SupplementalGroupsStrategyOptions", "SupplementalGroupsStrategyOptions", 1), `&`, ``, 1) + `,`,
`FSGroup:` + strings.Replace(strings.Replace(this.FSGroup.String(), "FSGroupStrategyOptions", "FSGroupStrategyOptions", 1), `&`, ``, 1) + `,`,
`ReadOnlyRootFilesystem:` + fmt.Sprintf("%v", this.ReadOnlyRootFilesystem) + `,`,
`DefaultAllowPrivilegeEscalation:` + valueToStringGenerated(this.DefaultAllowPrivilegeEscalation) + `,`,
`AllowPrivilegeEscalation:` + fmt.Sprintf("%v", this.AllowPrivilegeEscalation) + `,`,
`}`,
}, "")
return s
@ -9440,6 +9466,47 @@ func (m *PodSecurityPolicySpec) Unmarshal(dAtA []byte) error {
}
}
m.ReadOnlyRootFilesystem = bool(v != 0)
case 15:
if wireType != 0 {
return fmt.Errorf("proto: wrong wireType = %d for field DefaultAllowPrivilegeEscalation", wireType)
}
var v int
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
v |= (int(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
b := bool(v != 0)
m.DefaultAllowPrivilegeEscalation = &b
case 16:
if wireType != 0 {
return fmt.Errorf("proto: wrong wireType = %d for field AllowPrivilegeEscalation", wireType)
}
var v int
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
v |= (int(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
m.AllowPrivilegeEscalation = bool(v != 0)
default:
iNdEx = preIndex
skippy, err := skipGenerated(dAtA[iNdEx:])
@ -11892,217 +11959,220 @@ func init() {
}
var fileDescriptorGenerated = []byte{
// 3383 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x5b, 0x4d, 0x6c, 0x1b, 0xc7,
0xf5, 0xf7, 0x8a, 0xa2, 0x44, 0x3e, 0x59, 0x92, 0x35, 0x72, 0x64, 0x46, 0x8e, 0x25, 0x67, 0x03,
0xf8, 0x6f, 0xe7, 0x6f, 0x93, 0xb1, 0x13, 0x27, 0x6e, 0x8c, 0xa6, 0x15, 0xa5, 0xd8, 0x56, 0x2a,
0xc9, 0xf4, 0x90, 0x52, 0x5a, 0xa3, 0x6e, 0xb3, 0x22, 0x47, 0xd4, 0x5a, 0xcb, 0xdd, 0xcd, 0xee,
0xac, 0x62, 0x5e, 0x8a, 0x9e, 0x02, 0x14, 0x68, 0xd1, 0xf6, 0x90, 0x22, 0xbd, 0x35, 0x97, 0x9e,
0x5a, 0x34, 0xb7, 0xf6, 0x10, 0x14, 0x28, 0xd0, 0x02, 0x46, 0x91, 0x16, 0x39, 0xb5, 0xe9, 0x45,
0x68, 0x94, 0x63, 0xcf, 0x05, 0x0a, 0x1f, 0x8a, 0x62, 0x66, 0x67, 0xbf, 0x77, 0x45, 0x52, 0xb1,
0x85, 0xa2, 0x37, 0x71, 0xde, 0x7b, 0xbf, 0xf7, 0x31, 0x33, 0x6f, 0xde, 0xcc, 0x5b, 0xc1, 0x8d,
0x9d, 0x6b, 0x76, 0x59, 0x35, 0x2a, 0x3b, 0xce, 0x26, 0xb1, 0x74, 0x42, 0x89, 0x5d, 0xd9, 0x25,
0x7a, 0xcb, 0xb0, 0x2a, 0x82, 0xa0, 0x98, 0x6a, 0x85, 0x3c, 0xa0, 0x44, 0xb7, 0x55, 0x43, 0xb7,
0x2b, 0xbb, 0x97, 0x37, 0x09, 0x55, 0x2e, 0x57, 0xda, 0x44, 0x27, 0x96, 0x42, 0x49, 0xab, 0x6c,
0x5a, 0x06, 0x35, 0xd0, 0x19, 0x97, 0xbd, 0xac, 0x98, 0x6a, 0x39, 0x60, 0x2f, 0x0b, 0xf6, 0xd9,
0x4b, 0x6d, 0x95, 0x6e, 0x3b, 0x9b, 0xe5, 0xa6, 0xd1, 0xa9, 0xb4, 0x8d, 0xb6, 0x51, 0xe1, 0x52,
0x9b, 0xce, 0x16, 0xff, 0xc5, 0x7f, 0xf0, 0xbf, 0x5c, 0xb4, 0x59, 0x39, 0xa4, 0xbc, 0x69, 0x58,
0xa4, 0xb2, 0x9b, 0xd0, 0x38, 0x7b, 0x21, 0xc4, 0x63, 0x1a, 0x9a, 0xda, 0xec, 0x66, 0x19, 0x37,
0xfb, 0x52, 0xc0, 0xda, 0x51, 0x9a, 0xdb, 0xaa, 0x4e, 0xac, 0x6e, 0xc5, 0xdc, 0x69, 0x73, 0x59,
0x8b, 0xd8, 0x86, 0x63, 0x35, 0xc9, 0x40, 0x52, 0x76, 0xa5, 0x43, 0xa8, 0x92, 0x66, 0x56, 0x25,
0x4b, 0xca, 0x72, 0x74, 0xaa, 0x76, 0x92, 0x6a, 0x5e, 0xee, 0x25, 0x60, 0x37, 0xb7, 0x49, 0x47,
0x49, 0xc8, 0xbd, 0x98, 0x25, 0xe7, 0x50, 0x55, 0xab, 0xa8, 0x3a, 0xb5, 0xa9, 0x15, 0x17, 0x92,
0xcb, 0x00, 0x0b, 0xb5, 0xe5, 0x0d, 0x62, 0xb1, 0xe9, 0x41, 0x67, 0x61, 0x58, 0x57, 0x3a, 0xa4,
0x24, 0x9d, 0x95, 0xce, 0x17, 0xab, 0xc7, 0x1f, 0xee, 0xcd, 0x1f, 0xdb, 0xdf, 0x9b, 0x1f, 0x5e,
0x53, 0x3a, 0x04, 0x73, 0x8a, 0xfc, 0x53, 0x09, 0x9e, 0x5e, 0x74, 0x6c, 0x6a, 0x74, 0x56, 0x09,
0xb5, 0xd4, 0xe6, 0xa2, 0x63, 0x59, 0x44, 0xa7, 0x75, 0xaa, 0x50, 0xc7, 0xee, 0x2d, 0x8f, 0xee,
0x42, 0x7e, 0x57, 0xd1, 0x1c, 0x52, 0x1a, 0x3a, 0x2b, 0x9d, 0x1f, 0xbb, 0x52, 0x2e, 0x07, 0xcb,
0xc4, 0x37, 0xba, 0x6c, 0xee, 0xb4, 0xf9, 0xba, 0xf1, 0x66, 0xa2, 0x7c, 0xc7, 0x51, 0x74, 0xaa,
0xd2, 0x6e, 0xf5, 0xa4, 0x80, 0x3c, 0x2e, 0xf4, 0x6e, 0x30, 0x2c, 0xec, 0x42, 0xca, 0xdf, 0x81,
0x33, 0x99, 0xa6, 0xad, 0xa8, 0x36, 0x45, 0xf7, 0x20, 0xaf, 0x52, 0xd2, 0xb1, 0x4b, 0xd2, 0xd9,
0xdc, 0xf9, 0xb1, 0x2b, 0xd7, 0xca, 0x07, 0xae, 0xd1, 0x72, 0x26, 0x58, 0x75, 0x5c, 0x98, 0x91,
0x5f, 0x66, 0x70, 0xd8, 0x45, 0x95, 0x7f, 0x2c, 0x01, 0x0a, 0xcb, 0x34, 0x14, 0xab, 0x4d, 0x68,
0x1f, 0x41, 0xf9, 0xc6, 0x17, 0x0b, 0xca, 0xb4, 0x80, 0x1c, 0x73, 0x15, 0x46, 0x62, 0x62, 0xc2,
0x4c, 0xd2, 0x24, 0x1e, 0x8c, 0x8d, 0x68, 0x30, 0x2e, 0x0f, 0x10, 0x0c, 0x17, 0x25, 0x23, 0x0a,
0xef, 0x0d, 0x41, 0x71, 0x49, 0x21, 0x1d, 0x43, 0xaf, 0x13, 0x8a, 0xde, 0x82, 0x02, 0xdb, 0x18,
0x2d, 0x85, 0x2a, 0x3c, 0x00, 0x63, 0x57, 0x5e, 0x38, 0xc8, 0x3b, 0xbb, 0xcc, 0xb8, 0xcb, 0xbb,
0x97, 0xcb, 0xb7, 0x37, 0xef, 0x93, 0x26, 0x5d, 0x25, 0x54, 0xa9, 0x22, 0xa1, 0x07, 0x82, 0x31,
0xec, 0xa3, 0xa2, 0x35, 0x18, 0xb6, 0x4d, 0xd2, 0x14, 0xb1, 0xbb, 0xd8, 0xc3, 0x0d, 0xdf, 0xb2,
0xba, 0x49, 0x9a, 0xc1, 0x64, 0xb0, 0x5f, 0x98, 0xe3, 0xa0, 0x0d, 0x18, 0xb1, 0xf9, 0x2c, 0x97,
0x72, 0x89, 0xd9, 0x38, 0x18, 0xd1, 0x5d, 0x1b, 0x13, 0x02, 0x73, 0xc4, 0xfd, 0x8d, 0x05, 0x9a,
0xfc, 0x91, 0x04, 0xe3, 0x3e, 0x2f, 0x9f, 0x81, 0x6f, 0x26, 0x62, 0x53, 0xee, 0x2f, 0x36, 0x4c,
0x9a, 0x47, 0xe6, 0x84, 0xd0, 0x55, 0xf0, 0x46, 0x42, 0x71, 0x59, 0xf5, 0xe6, 0x77, 0x88, 0xcf,
0xef, 0xf9, 0x7e, 0xdd, 0xc8, 0x98, 0xd6, 0x9f, 0x0c, 0x87, 0xcc, 0x67, 0xe1, 0x42, 0xf7, 0xa0,
0x60, 0x13, 0x8d, 0x34, 0xa9, 0x61, 0x09, 0xf3, 0x5f, 0xec, 0xd3, 0x7c, 0x65, 0x93, 0x68, 0x75,
0x21, 0x5a, 0x3d, 0xce, 0xec, 0xf7, 0x7e, 0x61, 0x1f, 0x12, 0xdd, 0x81, 0x02, 0x25, 0x1d, 0x53,
0x53, 0xa8, 0xb7, 0x2f, 0x9e, 0x0b, 0xbb, 0xc0, 0x4e, 0x01, 0x06, 0x56, 0x33, 0x5a, 0x0d, 0xc1,
0xc6, 0xa7, 0xd4, 0x0f, 0x89, 0x37, 0x8a, 0x7d, 0x18, 0xb4, 0x0b, 0x13, 0x8e, 0xd9, 0x62, 0x9c,
0x94, 0xe5, 0xc0, 0x76, 0x57, 0x4c, 0xf1, 0xcb, 0xfd, 0xc6, 0x66, 0x3d, 0x22, 0x5d, 0x9d, 0x11,
0xba, 0x26, 0xa2, 0xe3, 0x38, 0xa6, 0x05, 0x2d, 0xc0, 0x64, 0x47, 0xd5, 0x31, 0x51, 0x5a, 0xdd,
0x3a, 0x69, 0x1a, 0x7a, 0xcb, 0x2e, 0x0d, 0x9f, 0x95, 0xce, 0xe7, 0xab, 0xa7, 0x04, 0xc0, 0xe4,
0x6a, 0x94, 0x8c, 0xe3, 0xfc, 0xe8, 0x0d, 0x40, 0x9e, 0x1b, 0x37, 0xdd, 0x14, 0xae, 0x1a, 0x7a,
0x29, 0x7f, 0x56, 0x3a, 0x9f, 0xab, 0xce, 0x0a, 0x14, 0xd4, 0x48, 0x70, 0xe0, 0x14, 0x29, 0xb4,
0x02, 0x27, 0x2d, 0xb2, 0xab, 0x32, 0x1f, 0x6f, 0xa9, 0x36, 0x35, 0xac, 0xee, 0x8a, 0xda, 0x51,
0x69, 0x69, 0x84, 0xdb, 0x54, 0xda, 0xdf, 0x9b, 0x3f, 0x89, 0x53, 0xe8, 0x38, 0x55, 0x4a, 0xfe,
0x30, 0x0f, 0x93, 0xb1, 0x3d, 0x80, 0x36, 0x60, 0xa6, 0xe9, 0x26, 0xcc, 0x35, 0xa7, 0xb3, 0x49,
0xac, 0x7a, 0x73, 0x9b, 0xb4, 0x1c, 0x8d, 0xb4, 0xf8, 0x42, 0xc9, 0x57, 0xe7, 0x84, 0xc5, 0x33,
0x8b, 0xa9, 0x5c, 0x38, 0x43, 0x9a, 0x45, 0x41, 0xe7, 0x43, 0xab, 0xaa, 0x6d, 0xfb, 0x98, 0x43,
0x1c, 0xd3, 0x8f, 0xc2, 0x5a, 0x82, 0x03, 0xa7, 0x48, 0x31, 0x1b, 0x5b, 0xc4, 0x56, 0x2d, 0xd2,
0x8a, 0xdb, 0x98, 0x8b, 0xda, 0xb8, 0x94, 0xca, 0x85, 0x33, 0xa4, 0xd1, 0x55, 0x18, 0x73, 0xb5,
0xf1, 0xf9, 0x13, 0x13, 0xed, 0xa7, 0xe8, 0xb5, 0x80, 0x84, 0xc3, 0x7c, 0xcc, 0x35, 0x63, 0xd3,
0x26, 0xd6, 0x2e, 0x69, 0x65, 0x4f, 0xf0, 0xed, 0x04, 0x07, 0x4e, 0x91, 0x62, 0xae, 0xb9, 0x2b,
0x30, 0xe1, 0xda, 0x48, 0xd4, 0xb5, 0xf5, 0x54, 0x2e, 0x9c, 0x21, 0xcd, 0xd6, 0xb1, 0x6b, 0xf2,
0xc2, 0xae, 0xa2, 0x6a, 0xca, 0xa6, 0x46, 0x4a, 0xa3, 0xd1, 0x75, 0xbc, 0x16, 0x25, 0xe3, 0x38,
0x3f, 0xba, 0x09, 0x53, 0xee, 0xd0, 0xba, 0xae, 0xf8, 0x20, 0x05, 0x0e, 0xf2, 0xb4, 0x00, 0x99,
0x5a, 0x8b, 0x33, 0xe0, 0xa4, 0x0c, 0x7a, 0x15, 0x26, 0x9a, 0x86, 0xa6, 0xf1, 0xf5, 0xb8, 0x68,
0x38, 0x3a, 0x2d, 0x15, 0x79, 0xac, 0x10, 0xdb, 0x8f, 0x8b, 0x11, 0x0a, 0x8e, 0x71, 0xca, 0x7f,
0x94, 0xe0, 0x54, 0xc6, 0x9e, 0x46, 0x5f, 0x81, 0x61, 0xda, 0x35, 0xbd, 0xd3, 0xfa, 0xff, 0xbd,
0x03, 0xa2, 0xd1, 0x35, 0xc9, 0xa3, 0xbd, 0xf9, 0xd3, 0x19, 0x62, 0x8c, 0x8c, 0xb9, 0x20, 0xd2,
0x61, 0xdc, 0x62, 0xea, 0xf4, 0xb6, 0xcb, 0x22, 0x92, 0xd7, 0xd5, 0x1e, 0x39, 0x06, 0x87, 0x65,
0x82, 0x64, 0x3c, 0xb5, 0xbf, 0x37, 0x3f, 0x1e, 0xa1, 0xe1, 0x28, 0xbc, 0xfc, 0xfe, 0x10, 0xc0,
0x12, 0x31, 0x35, 0xa3, 0xdb, 0x21, 0xfa, 0x51, 0x1c, 0xb8, 0xb7, 0x23, 0x07, 0xee, 0xa5, 0x5e,
0xb9, 0xd3, 0x37, 0x2d, 0xf3, 0xc4, 0x7d, 0x33, 0x76, 0xe2, 0x56, 0xfa, 0x87, 0x3c, 0xf8, 0xc8,
0xfd, 0x6b, 0x0e, 0xa6, 0x03, 0xe6, 0x45, 0x43, 0x6f, 0xa9, 0x7c, 0x7f, 0x5c, 0x8f, 0xcc, 0xf1,
0xff, 0xc5, 0xe6, 0xf8, 0x54, 0x8a, 0x48, 0x68, 0x7e, 0x57, 0x7c, 0x6b, 0x87, 0xb8, 0xf8, 0x4b,
0x51, 0xe5, 0x8f, 0xf6, 0xe6, 0x53, 0x2e, 0x2b, 0x65, 0x1f, 0x29, 0x6a, 0x22, 0x3a, 0x07, 0x23,
0x16, 0x51, 0x6c, 0x43, 0xe7, 0x89, 0xa2, 0x18, 0xb8, 0x82, 0xf9, 0x28, 0x16, 0x54, 0x74, 0x01,
0x46, 0x3b, 0xc4, 0xb6, 0x95, 0x36, 0xe1, 0x39, 0xa1, 0x58, 0x9d, 0x14, 0x8c, 0xa3, 0xab, 0xee,
0x30, 0xf6, 0xe8, 0xe8, 0x3e, 0x4c, 0x68, 0x8a, 0x2d, 0x16, 0x68, 0x43, 0xed, 0x10, 0xbe, 0xeb,
0xc7, 0xae, 0x3c, 0xdf, 0xdf, 0x3a, 0x60, 0x12, 0xc1, 0xc9, 0xb6, 0x12, 0x41, 0xc2, 0x31, 0x64,
0xb4, 0x0b, 0x88, 0x8d, 0x34, 0x2c, 0x45, 0xb7, 0xdd, 0x40, 0x31, 0x7d, 0xa3, 0x03, 0xeb, 0xf3,
0x33, 0xdc, 0x4a, 0x02, 0x0d, 0xa7, 0x68, 0x90, 0x7f, 0x2b, 0xc1, 0x44, 0x30, 0x4d, 0x47, 0x50,
0x4d, 0xad, 0x45, 0xab, 0xa9, 0x0b, 0x7d, 0x2f, 0xd1, 0x8c, 0x72, 0xea, 0x5f, 0x43, 0x80, 0x02,
0x26, 0xb6, 0xc1, 0x37, 0x95, 0xe6, 0x4e, 0x1f, 0x77, 0x85, 0xf7, 0x24, 0x40, 0x22, 0x3d, 0x2f,
0xe8, 0xba, 0x41, 0x79, 0xc6, 0xf7, 0xcc, 0x5a, 0xee, 0xdb, 0x2c, 0x4f, 0x63, 0x79, 0x3d, 0x81,
0xf5, 0xba, 0x4e, 0xad, 0x6e, 0x30, 0x23, 0x49, 0x06, 0x9c, 0x62, 0x00, 0x52, 0x00, 0x2c, 0x81,
0xd9, 0x30, 0xc4, 0x46, 0xbe, 0xd4, 0x47, 0xce, 0x63, 0x02, 0x8b, 0x86, 0xbe, 0xa5, 0xb6, 0x83,
0xb4, 0x83, 0x7d, 0x20, 0x1c, 0x02, 0x9d, 0x7d, 0x1d, 0x4e, 0x65, 0x58, 0x8b, 0x4e, 0x40, 0x6e,
0x87, 0x74, 0xdd, 0xb0, 0x61, 0xf6, 0x27, 0x3a, 0x19, 0xbe, 0x53, 0x15, 0xc5, 0x75, 0xe8, 0xd5,
0xa1, 0x6b, 0x92, 0xfc, 0x51, 0x3e, 0xbc, 0x76, 0x78, 0x29, 0x7b, 0x1e, 0x0a, 0x16, 0x31, 0x35,
0xb5, 0xa9, 0xd8, 0xa2, 0x42, 0xe1, 0x55, 0x29, 0x16, 0x63, 0xd8, 0xa7, 0x46, 0x8a, 0xde, 0xa1,
0x27, 0x5b, 0xf4, 0xe6, 0x1e, 0x4f, 0xd1, 0xfb, 0x6d, 0x28, 0xd8, 0x5e, 0xb9, 0x3b, 0xcc, 0x21,
0x2f, 0x0f, 0x90, 0x5f, 0x45, 0xa5, 0xeb, 0x2b, 0xf0, 0x6b, 0x5c, 0x1f, 0x34, 0xad, 0xba, 0xcd,
0x0f, 0x58, 0xdd, 0x3e, 0xd6, 0x8a, 0x94, 0xe5, 0x54, 0x53, 0x71, 0x6c, 0xd2, 0xe2, 0x89, 0xa8,
0x10, 0xe4, 0xd4, 0x1a, 0x1f, 0xc5, 0x82, 0x8a, 0xee, 0x45, 0x96, 0x6c, 0xe1, 0x30, 0x4b, 0x76,
0x22, 0x7b, 0xb9, 0xa2, 0x75, 0x38, 0x65, 0x5a, 0x46, 0xdb, 0x22, 0xb6, 0xbd, 0x44, 0x94, 0x96,
0xa6, 0xea, 0xc4, 0x8b, 0x4f, 0x91, 0xfb, 0x75, 0x7a, 0x7f, 0x6f, 0xfe, 0x54, 0x2d, 0x9d, 0x05,
0x67, 0xc9, 0xca, 0x0f, 0x87, 0xe1, 0x44, 0xfc, 0x04, 0xcc, 0xa8, 0x1e, 0xa5, 0x43, 0x55, 0x8f,
0x17, 0x43, 0x9b, 0xc1, 0x2d, 0xad, 0xfd, 0xd9, 0x4f, 0xd9, 0x10, 0x0b, 0x30, 0x29, 0xb2, 0x81,
0x47, 0x14, 0xf5, 0xb3, 0x3f, 0xfb, 0xeb, 0x51, 0x32, 0x8e, 0xf3, 0xb3, 0x9a, 0x30, 0x28, 0xf5,
0x3c, 0x90, 0xe1, 0x68, 0x4d, 0xb8, 0x10, 0x67, 0xc0, 0x49, 0x19, 0xb4, 0x0a, 0xd3, 0x8e, 0x9e,
0x84, 0x72, 0x57, 0xe3, 0x69, 0x01, 0x35, 0xbd, 0x9e, 0x64, 0xc1, 0x69, 0x72, 0x68, 0x0b, 0xa0,
0xe9, 0x1d, 0xdb, 0x76, 0x69, 0x84, 0x67, 0xd8, 0x2b, 0x7d, 0xef, 0x1d, 0xff, 0xc4, 0x0f, 0xf2,
0x9a, 0x3f, 0x64, 0xe3, 0x10, 0x32, 0xba, 0x0e, 0xe3, 0x16, 0xbf, 0x10, 0x78, 0x06, 0xbb, 0x45,
0xf5, 0x53, 0x42, 0x6c, 0x1c, 0x87, 0x89, 0x38, 0xca, 0x9b, 0x52, 0x07, 0x17, 0xfa, 0xae, 0x83,
0x7f, 0x27, 0x85, 0x0f, 0x21, 0xbf, 0x04, 0x7e, 0x35, 0x52, 0x1e, 0x9d, 0x8b, 0x95, 0x47, 0x33,
0x49, 0x89, 0x50, 0x75, 0x64, 0xa4, 0x57, 0xbf, 0x2f, 0x0f, 0x54, 0xfd, 0x06, 0x87, 0x67, 0xef,
0xf2, 0xf7, 0x03, 0x09, 0x66, 0x6e, 0xd4, 0x6f, 0x5a, 0x86, 0x63, 0x7a, 0xe6, 0xdc, 0x36, 0xdd,
0xb8, 0xbe, 0x02, 0xc3, 0x96, 0xa3, 0x79, 0x7e, 0x3c, 0xe7, 0xf9, 0x81, 0x1d, 0x8d, 0xf9, 0x31,
0x1d, 0x93, 0x72, 0x9d, 0x60, 0x02, 0x68, 0x0d, 0x46, 0x2c, 0x45, 0x6f, 0x13, 0xef, 0x58, 0x3d,
0xd7, 0xc3, 0xfa, 0xe5, 0x25, 0xcc, 0xd8, 0x43, 0xc5, 0x1b, 0x97, 0xc6, 0x02, 0x45, 0xfe, 0x81,
0x04, 0x93, 0xb7, 0x1a, 0x8d, 0xda, 0xb2, 0xce, 0x77, 0x74, 0x4d, 0xa1, 0xdb, 0xec, 0xa4, 0x37,
0x15, 0xba, 0x1d, 0x3f, 0xe9, 0x19, 0x0d, 0x73, 0x0a, 0xfa, 0x3a, 0x8c, 0xb2, 0x4c, 0x42, 0xf4,
0x56, 0x9f, 0xa5, 0xb6, 0x80, 0xaf, 0xba, 0x42, 0x41, 0x85, 0x28, 0x06, 0xb0, 0x07, 0x27, 0xef,
0xc0, 0xc9, 0x90, 0x39, 0x2c, 0x1e, 0xfc, 0xcd, 0x10, 0xd5, 0x21, 0xcf, 0x34, 0x7b, 0x4f, 0x82,
0xbd, 0x5e, 0xbe, 0x62, 0x2e, 0x05, 0x95, 0x0e, 0xfb, 0x65, 0x63, 0x17, 0x4b, 0x5e, 0x85, 0xf1,
0x5b, 0x86, 0x4d, 0x6b, 0x86, 0x45, 0x79, 0x58, 0xd0, 0x19, 0xc8, 0x75, 0x54, 0x5d, 0x9c, 0xb3,
0x63, 0x42, 0x26, 0xc7, 0xce, 0x08, 0x36, 0xce, 0xc9, 0xca, 0x03, 0x91, 0x79, 0x02, 0xb2, 0xf2,
0x00, 0xb3, 0x71, 0xf9, 0x26, 0x8c, 0x8a, 0x70, 0x87, 0x81, 0x72, 0x07, 0x03, 0xe5, 0x52, 0x80,
0x7e, 0x38, 0x04, 0xa3, 0xc2, 0xfa, 0x23, 0xb8, 0x34, 0xad, 0x44, 0x2e, 0x4d, 0xcf, 0xf7, 0x37,
0x93, 0x99, 0x37, 0xa6, 0x46, 0xec, 0xc6, 0x74, 0xb1, 0x4f, 0xbc, 0x83, 0xaf, 0x4b, 0x1f, 0x4a,
0x30, 0x11, 0x5d, 0x43, 0xe8, 0x2a, 0x8c, 0xb1, 0xf3, 0x41, 0x6d, 0x92, 0xb5, 0xa0, 0x2c, 0xf5,
0x1f, 0x33, 0xea, 0x01, 0x09, 0x87, 0xf9, 0x50, 0xdb, 0x17, 0x63, 0xd3, 0x2e, 0x9c, 0xce, 0x0e,
0xa9, 0x43, 0x55, 0xad, 0xec, 0x36, 0x28, 0xca, 0xcb, 0x3a, 0xbd, 0x6d, 0xd5, 0xa9, 0xa5, 0xea,
0xed, 0x84, 0x22, 0xbe, 0x86, 0xc2, 0xc8, 0xf2, 0x6f, 0x24, 0x18, 0x13, 0x26, 0x1f, 0xc1, 0x25,
0xe0, 0x6b, 0xd1, 0x4b, 0xc0, 0xb9, 0x3e, 0xf7, 0x63, 0xfa, 0x0d, 0xe0, 0xe7, 0x81, 0xe9, 0x6c,
0x07, 0xb2, 0x84, 0xb0, 0x6d, 0xd8, 0x34, 0x9e, 0x10, 0xd8, 0xde, 0xc1, 0x9c, 0x82, 0x1c, 0x38,
0xa1, 0xc6, 0xb6, 0xac, 0x08, 0x6d, 0xa5, 0x3f, 0x4b, 0x7c, 0xb1, 0x6a, 0x49, 0xc0, 0x9f, 0x88,
0x53, 0x70, 0x42, 0x85, 0x4c, 0x20, 0xc1, 0x85, 0xee, 0xc0, 0xf0, 0x36, 0xa5, 0x66, 0xca, 0xbb,
0x6f, 0x8f, 0x44, 0x11, 0x98, 0x50, 0xe0, 0xde, 0x35, 0x1a, 0x35, 0xcc, 0xa1, 0xe4, 0x7f, 0x07,
0xf1, 0xa8, 0xbb, 0x6b, 0xdc, 0x4f, 0x7f, 0xd2, 0x61, 0xd2, 0xdf, 0x58, 0x5a, 0xea, 0x43, 0xb7,
0x20, 0x47, 0xb5, 0x7e, 0x6f, 0x71, 0x02, 0xb1, 0xb1, 0x52, 0x0f, 0xf2, 0x47, 0x63, 0xa5, 0x8e,
0x19, 0x04, 0xba, 0x0d, 0x79, 0x76, 0x58, 0xb0, 0x2d, 0x98, 0xeb, 0x7f, 0x4b, 0x33, 0xff, 0x83,
0x05, 0xc1, 0x7e, 0xd9, 0xd8, 0xc5, 0x91, 0xdf, 0x86, 0xf1, 0xc8, 0x3e, 0x45, 0x6f, 0xc1, 0x71,
0xcd, 0x50, 0x5a, 0x55, 0x45, 0x53, 0xf4, 0x26, 0xf1, 0x1e, 0xd9, 0xcf, 0xa5, 0x5d, 0x08, 0x56,
0x42, 0x7c, 0x62, 0x97, 0xfb, 0xad, 0xb2, 0x30, 0x0d, 0x47, 0x10, 0x65, 0x05, 0x20, 0xf0, 0x11,
0xcd, 0x43, 0x9e, 0xad, 0x33, 0x37, 0xfd, 0x17, 0xab, 0x45, 0x66, 0x21, 0x5b, 0x7e, 0x36, 0x76,
0xc7, 0xd1, 0x15, 0x00, 0x9b, 0x34, 0x2d, 0x42, 0x79, 0x32, 0x70, 0x9f, 0x3f, 0xfc, 0xb4, 0x57,
0xf7, 0x29, 0x38, 0xc4, 0x25, 0xff, 0x41, 0x82, 0xf1, 0x35, 0x42, 0xdf, 0x31, 0xac, 0x9d, 0x1a,
0x6f, 0xca, 0x1e, 0x41, 0xb2, 0xc5, 0x91, 0x64, 0xfb, 0x42, 0x8f, 0x99, 0x89, 0x58, 0x97, 0x95,
0x72, 0x99, 0x1f, 0xa5, 0x08, 0x67, 0x78, 0xef, 0xae, 0x43, 0xde, 0x34, 0x2c, 0xea, 0x1d, 0x9c,
0x03, 0x69, 0x64, 0x79, 0x2c, 0x74, 0x74, 0x32, 0x18, 0xec, 0xa2, 0x31, 0x3f, 0xb6, 0x2c, 0xa3,
0x23, 0x56, 0xeb, 0x60, 0xa8, 0x84, 0x58, 0x81, 0x1f, 0x37, 0x2c, 0xa3, 0x83, 0x39, 0x96, 0xfc,
0x7b, 0x09, 0xa6, 0x22, 0x9c, 0x47, 0x90, 0x37, 0xef, 0x44, 0xf3, 0xe6, 0xc5, 0x41, 0x1c, 0xc9,
0xc8, 0x9e, 0xff, 0x8c, 0xbb, 0xc1, 0x1c, 0x46, 0x5b, 0x30, 0x66, 0x1a, 0xad, 0xfa, 0x63, 0xe8,
0x4a, 0x4d, 0xb2, 0x63, 0xa7, 0x16, 0x60, 0xe1, 0x30, 0x30, 0x7a, 0x00, 0x53, 0xba, 0xd2, 0x21,
0xb6, 0xa9, 0x34, 0x49, 0xfd, 0x31, 0x3c, 0x07, 0x3c, 0xc5, 0x9f, 0xbd, 0xe3, 0x88, 0x38, 0xa9,
0x44, 0xfe, 0x45, 0xc2, 0x6f, 0xc3, 0xa2, 0xe8, 0x26, 0x14, 0x78, 0x3b, 0xbf, 0x69, 0x68, 0xde,
0xc3, 0x35, 0x9b, 0x8a, 0x9a, 0x18, 0x7b, 0xb4, 0x37, 0x7f, 0x3a, 0xe5, 0x4d, 0xd2, 0x23, 0x63,
0x5f, 0x18, 0xad, 0xc1, 0xb0, 0xf9, 0x45, 0x4e, 0x6c, 0x9e, 0xd4, 0xf9, 0x31, 0xcd, 0x71, 0xe4,
0xcf, 0xe3, 0xe6, 0xf2, 0xd4, 0x7e, 0xff, 0xb1, 0x4d, 0x93, 0x5f, 0x21, 0x64, 0x4e, 0xd5, 0x26,
0x8c, 0x8a, 0x13, 0x4d, 0xac, 0xbe, 0x57, 0x06, 0x59, 0x7d, 0xe1, 0xac, 0xed, 0xd7, 0xd3, 0xde,
0xa0, 0x07, 0x2c, 0xff, 0x49, 0x82, 0x29, 0x6e, 0x40, 0xd3, 0xb1, 0x54, 0xda, 0x3d, 0xb2, 0x3c,
0xb7, 0x11, 0xc9, 0x73, 0x2f, 0xf5, 0x70, 0x2c, 0x61, 0x61, 0x66, 0xae, 0xfb, 0x58, 0x82, 0xa7,
0x12, 0xdc, 0x47, 0x90, 0x27, 0xd6, 0xa3, 0x79, 0xe2, 0x85, 0x41, 0x1d, 0xca, 0xc8, 0x15, 0x7f,
0x2b, 0xa6, 0xb8, 0xc3, 0x17, 0xe2, 0x15, 0x00, 0xd3, 0x52, 0x77, 0x55, 0x8d, 0xb4, 0x45, 0x6f,
0xb2, 0x10, 0x84, 0xbc, 0xe6, 0x53, 0x70, 0x88, 0x0b, 0xd9, 0x30, 0xd3, 0x22, 0x5b, 0x8a, 0xa3,
0xd1, 0x85, 0x56, 0x6b, 0x51, 0x31, 0x95, 0x4d, 0x55, 0x53, 0xa9, 0x2a, 0x2e, 0x8b, 0xc5, 0xea,
0x75, 0xb7, 0x67, 0x98, 0xc6, 0xf1, 0x68, 0x6f, 0xfe, 0x4c, 0x5a, 0x6f, 0xc0, 0x63, 0xe9, 0xe2,
0x0c, 0x68, 0xd4, 0x85, 0x92, 0x45, 0xde, 0x76, 0x54, 0x8b, 0xb4, 0x96, 0x2c, 0xc3, 0x8c, 0xa8,
0xcd, 0x71, 0xb5, 0x5f, 0xde, 0xdf, 0x9b, 0x2f, 0xe1, 0x0c, 0x9e, 0xde, 0x8a, 0x33, 0xe1, 0xd1,
0x7d, 0x98, 0x56, 0x34, 0xcd, 0x78, 0x87, 0x44, 0x9d, 0x1d, 0xe6, 0x5a, 0xaf, 0xed, 0xef, 0xcd,
0x4f, 0x2f, 0x24, 0xc9, 0xbd, 0x15, 0xa6, 0x81, 0xa2, 0x0a, 0x8c, 0xee, 0x1a, 0x9a, 0xd3, 0x21,
0x76, 0x29, 0xcf, 0xf1, 0x59, 0x62, 0x1c, 0xdd, 0x70, 0x87, 0x1e, 0xed, 0xcd, 0x8f, 0xdc, 0xa8,
0xf3, 0x6b, 0xba, 0xc7, 0xc5, 0xee, 0x27, 0xac, 0x34, 0x11, 0x7b, 0x96, 0xbf, 0x17, 0x16, 0x82,
0xa4, 0x70, 0x2b, 0x20, 0xe1, 0x30, 0x1f, 0xba, 0x07, 0xc5, 0x6d, 0x71, 0x27, 0xb5, 0x4b, 0xa3,
0x7d, 0x1d, 0x4a, 0x91, 0x3b, 0x6c, 0x75, 0x4a, 0xa8, 0x28, 0x7a, 0xc3, 0x36, 0x0e, 0x10, 0xd1,
0x05, 0x18, 0xe5, 0x3f, 0x96, 0x97, 0xf8, 0x63, 0x4c, 0x21, 0x48, 0x1d, 0xb7, 0xdc, 0x61, 0xec,
0xd1, 0x3d, 0xd6, 0xe5, 0xda, 0x22, 0x7f, 0x14, 0x8c, 0xb1, 0x2e, 0xd7, 0x16, 0xb1, 0x47, 0x47,
0x6f, 0xc1, 0xa8, 0x4d, 0x56, 0x54, 0xdd, 0x79, 0x50, 0x82, 0xbe, 0x5a, 0x8a, 0xf5, 0xd7, 0x39,
0x77, 0xec, 0x59, 0x24, 0xd0, 0x20, 0xe8, 0xd8, 0x83, 0x45, 0xdb, 0x50, 0xb4, 0x1c, 0x7d, 0xc1,
0x5e, 0xb7, 0x89, 0x55, 0x1a, 0xe3, 0x3a, 0x7a, 0x65, 0x4b, 0xec, 0xf1, 0xc7, 0xb5, 0xf8, 0x11,
0xf2, 0x39, 0x70, 0x00, 0x8e, 0xbe, 0x2f, 0x01, 0xb2, 0x1d, 0xd3, 0xd4, 0x48, 0x87, 0xe8, 0x54,
0xd1, 0xf8, 0x4b, 0x8c, 0x5d, 0x3a, 0xce, 0x75, 0x7e, 0xb5, 0x97, 0x5f, 0x09, 0xc1, 0xb8, 0x72,
0xff, 0xc9, 0x33, 0xc9, 0x8a, 0x53, 0xf4, 0xb2, 0xd0, 0x6e, 0xd9, 0xfc, 0xef, 0xd2, 0x78, 0x5f,
0xa1, 0x4d, 0x7f, 0x71, 0x0a, 0x42, 0x2b, 0xe8, 0xd8, 0x83, 0x45, 0x1b, 0x30, 0x63, 0x11, 0xa5,
0x75, 0x5b, 0xd7, 0xba, 0xd8, 0x30, 0xe8, 0x0d, 0x55, 0x23, 0x76, 0xd7, 0xa6, 0xa4, 0x53, 0x9a,
0xe0, 0xd3, 0xee, 0xb7, 0xe4, 0x71, 0x2a, 0x17, 0xce, 0x90, 0xe6, 0xdd, 0x5f, 0xf1, 0x16, 0x78,
0x34, 0x9f, 0x5b, 0x0d, 0xd6, 0xfd, 0x0d, 0x4c, 0x7b, 0x6c, 0xdd, 0xdf, 0x10, 0xe4, 0xc1, 0xcf,
0x19, 0xff, 0x18, 0x82, 0xe9, 0x80, 0xb9, 0xef, 0xee, 0x6f, 0x8a, 0xc8, 0x13, 0xeb, 0xfe, 0xa6,
0xb7, 0x4f, 0x73, 0x4f, 0xba, 0x7d, 0xfa, 0x04, 0xba, 0xce, 0xbc, 0x23, 0x1b, 0x84, 0xee, 0xbf,
0xaf, 0x23, 0x1b, 0xd8, 0x96, 0x51, 0x25, 0xfc, 0x6a, 0x28, 0xec, 0xc0, 0xff, 0x7c, 0x5b, 0xf0,
0x8b, 0x7f, 0x93, 0x26, 0x7f, 0x9c, 0x83, 0x13, 0xf1, 0xdd, 0x18, 0xe9, 0x1e, 0x49, 0x3d, 0xbb,
0x47, 0x35, 0x38, 0xb9, 0xe5, 0x68, 0x5a, 0x97, 0x87, 0x21, 0xd4, 0x42, 0x72, 0x5f, 0x7f, 0x9f,
0x11, 0x92, 0x27, 0x6f, 0xa4, 0xf0, 0xe0, 0x54, 0xc9, 0x8c, 0x4e, 0x58, 0xee, 0x50, 0x9d, 0xb0,
0x44, 0x63, 0x66, 0x78, 0x80, 0xc6, 0x4c, 0x6a, 0x57, 0x2b, 0x7f, 0x88, 0xae, 0xd6, 0x61, 0xda,
0x50, 0x29, 0x49, 0xac, 0x57, 0x1b, 0x4a, 0x7e, 0x06, 0x66, 0x85, 0x18, 0xe5, 0x1d, 0x22, 0x9d,
0x5a, 0x86, 0xa6, 0x11, 0x6b, 0xc9, 0xe9, 0x74, 0xba, 0xf2, 0x6b, 0x30, 0x11, 0xed, 0x7d, 0xba,
0x33, 0xed, 0xb6, 0x5f, 0xc5, 0x1b, 0x7c, 0x68, 0xa6, 0xdd, 0x71, 0xec, 0x73, 0xc8, 0xef, 0x4a,
0x30, 0x93, 0xfe, 0x8d, 0x13, 0xd2, 0x60, 0xa2, 0xa3, 0x3c, 0x08, 0x7f, 0x10, 0x26, 0x1d, 0xf2,
0xfa, 0xc9, 0x9b, 0x5e, 0xab, 0x11, 0x2c, 0x1c, 0xc3, 0x66, 0x57, 0xd2, 0x53, 0x19, 0xed, 0xa6,
0xa3, 0xb5, 0x04, 0xdd, 0x85, 0x42, 0x47, 0x79, 0x50, 0x77, 0xac, 0x36, 0x39, 0xf4, 0x85, 0x9b,
0x67, 0x8c, 0x55, 0x81, 0x82, 0x7d, 0x3c, 0xf9, 0x03, 0x09, 0x4a, 0x59, 0xb5, 0x19, 0xba, 0x1a,
0x69, 0x8c, 0x3d, 0x1b, 0x6b, 0x8c, 0x4d, 0x25, 0xe4, 0x9e, 0x50, 0x5b, 0xec, 0x97, 0x12, 0xcc,
0xa4, 0xd7, 0xa8, 0xe8, 0xc5, 0x88, 0x85, 0xf3, 0x31, 0x0b, 0x27, 0x63, 0x52, 0xc2, 0xbe, 0x6f,
0xc1, 0x84, 0xa8, 0x64, 0x05, 0x8c, 0x88, 0xaa, 0x9c, 0x96, 0x2b, 0x05, 0x84, 0x57, 0xb9, 0xf1,
0xf9, 0x8a, 0x8e, 0xe1, 0x18, 0x9a, 0xfc, 0xbd, 0x21, 0xc8, 0xd7, 0x9b, 0x8a, 0x46, 0x8e, 0xa0,
0xcc, 0x7a, 0x23, 0x52, 0x66, 0xf5, 0xfa, 0x78, 0x9b, 0x5b, 0x95, 0x59, 0x61, 0xe1, 0x58, 0x85,
0xf5, 0x7c, 0x5f, 0x68, 0x07, 0x17, 0x57, 0x5f, 0x82, 0xa2, 0xaf, 0x74, 0xb0, 0x9c, 0x2f, 0xff,
0x6c, 0x08, 0xc6, 0x42, 0x2a, 0x06, 0x3c, 0x31, 0xb6, 0x22, 0x27, 0x6d, 0x3f, 0xff, 0xc6, 0x11,
0xd2, 0x55, 0xf6, 0xce, 0x56, 0xf7, 0x1b, 0xa7, 0xe0, 0xab, 0x96, 0xe4, 0x91, 0xfb, 0x1a, 0x4c,
0x50, 0xfe, 0x6f, 0x0e, 0xfe, 0x33, 0x55, 0x8e, 0xaf, 0x45, 0xff, 0xcb, 0xb8, 0x46, 0x84, 0x8a,
0x63, 0xdc, 0xb3, 0xd7, 0x61, 0x3c, 0xa2, 0x6c, 0xa0, 0x4f, 0x94, 0x7e, 0x2d, 0xc1, 0xb3, 0x3d,
0x6f, 0x39, 0xa8, 0x1a, 0xd9, 0x24, 0xe5, 0xd8, 0x26, 0x99, 0xcb, 0x06, 0x78, 0x82, 0xad, 0xee,
0x77, 0x87, 0x00, 0x35, 0xb6, 0x55, 0xab, 0x55, 0x53, 0x2c, 0xda, 0xc5, 0xe2, 0x7f, 0x55, 0x8e,
0x60, 0xc3, 0x5c, 0x85, 0xb1, 0x16, 0xb1, 0x9b, 0x96, 0xca, 0x83, 0x23, 0xaa, 0x73, 0xff, 0x25,
0x60, 0x29, 0x20, 0xe1, 0x30, 0x1f, 0x7a, 0x13, 0x0a, 0xbb, 0xee, 0x3f, 0x3f, 0x79, 0x8d, 0x9c,
0x5e, 0x85, 0x64, 0xf0, 0xef, 0x52, 0xc1, 0xfa, 0x11, 0x03, 0x36, 0xf6, 0xc1, 0xe4, 0xf7, 0x25,
0x98, 0x49, 0x06, 0x62, 0x89, 0x99, 0xfa, 0xe4, 0x83, 0xf1, 0x0c, 0x0c, 0x73, 0x74, 0x16, 0x85,
0xe3, 0xee, 0xa3, 0x2c, 0xd3, 0x8c, 0xf9, 0xa8, 0xfc, 0x17, 0x09, 0x66, 0xd3, 0x4d, 0x3b, 0x82,
0xb2, 0xfd, 0x6e, 0xb4, 0x6c, 0xef, 0x75, 0xd1, 0x4e, 0xb7, 0x33, 0xa3, 0x84, 0xff, 0x73, 0x6a,
0xcc, 0x8f, 0xc0, 0xa9, 0x8d, 0xa8, 0x53, 0x97, 0x07, 0x76, 0x2a, 0xdd, 0xa1, 0xea, 0xa5, 0x87,
0x9f, 0xcd, 0x1d, 0xfb, 0xe4, 0xb3, 0xb9, 0x63, 0x9f, 0x7e, 0x36, 0x77, 0xec, 0xbb, 0xfb, 0x73,
0xd2, 0xc3, 0xfd, 0x39, 0xe9, 0x93, 0xfd, 0x39, 0xe9, 0xd3, 0xfd, 0x39, 0xe9, 0xef, 0xfb, 0x73,
0xd2, 0x8f, 0x3e, 0x9f, 0x3b, 0x76, 0x77, 0x54, 0xe0, 0xfe, 0x27, 0x00, 0x00, 0xff, 0xff, 0x27,
0x77, 0x47, 0x4b, 0xbc, 0x39, 0x00, 0x00,
// 3431 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x5b, 0x4f, 0x6c, 0x1b, 0xc7,
0xd5, 0xf7, 0x8a, 0xa2, 0x44, 0x3d, 0x59, 0x92, 0x35, 0x72, 0x64, 0x46, 0x8e, 0x45, 0x67, 0x03,
0xf8, 0xb3, 0xf3, 0xd9, 0x64, 0xec, 0xc4, 0x89, 0xbf, 0x18, 0x5f, 0xbe, 0x4f, 0x94, 0xfc, 0x47,
0xa9, 0x24, 0xd3, 0x43, 0x4a, 0x69, 0x8d, 0xb8, 0xcd, 0x8a, 0x1c, 0x51, 0x6b, 0x2d, 0x77, 0x37,
0xbb, 0xb3, 0x8a, 0x79, 0x29, 0x7a, 0x0a, 0x50, 0xa0, 0x45, 0xdb, 0x43, 0x8a, 0xf4, 0xd6, 0x5c,
0x7a, 0x6a, 0xd1, 0xdc, 0xda, 0x43, 0x50, 0xa0, 0x40, 0x0b, 0x18, 0x45, 0x5a, 0xe4, 0xd4, 0xe6,
0x24, 0x34, 0xca, 0xb1, 0xe7, 0x02, 0x85, 0x0f, 0x45, 0x31, 0xb3, 0xb3, 0xff, 0x77, 0x45, 0x52,
0xb1, 0x85, 0xa2, 0x37, 0x71, 0xde, 0x7b, 0xbf, 0xf7, 0x67, 0x66, 0xde, 0xbc, 0x99, 0xb7, 0x82,
0x9b, 0x3b, 0xd7, 0xec, 0xb2, 0x6a, 0x54, 0x76, 0x9c, 0x4d, 0x62, 0xe9, 0x84, 0x12, 0xbb, 0xb2,
0x4b, 0xf4, 0x96, 0x61, 0x55, 0x04, 0x41, 0x31, 0xd5, 0x0a, 0x79, 0x48, 0x89, 0x6e, 0xab, 0x86,
0x6e, 0x57, 0x76, 0x2f, 0x6f, 0x12, 0xaa, 0x5c, 0xae, 0xb4, 0x89, 0x4e, 0x2c, 0x85, 0x92, 0x56,
0xd9, 0xb4, 0x0c, 0x6a, 0xa0, 0x33, 0x2e, 0x7b, 0x59, 0x31, 0xd5, 0x72, 0xc0, 0x5e, 0x16, 0xec,
0x73, 0x97, 0xda, 0x2a, 0xdd, 0x76, 0x36, 0xcb, 0x4d, 0xa3, 0x53, 0x69, 0x1b, 0x6d, 0xa3, 0xc2,
0xa5, 0x36, 0x9d, 0x2d, 0xfe, 0x8b, 0xff, 0xe0, 0x7f, 0xb9, 0x68, 0x73, 0x72, 0x48, 0x79, 0xd3,
0xb0, 0x48, 0x65, 0x37, 0xa1, 0x71, 0xee, 0x42, 0x88, 0xc7, 0x34, 0x34, 0xb5, 0xd9, 0xcd, 0x32,
0x6e, 0xee, 0x95, 0x80, 0xb5, 0xa3, 0x34, 0xb7, 0x55, 0x9d, 0x58, 0xdd, 0x8a, 0xb9, 0xd3, 0xe6,
0xb2, 0x16, 0xb1, 0x0d, 0xc7, 0x6a, 0x92, 0x81, 0xa4, 0xec, 0x4a, 0x87, 0x50, 0x25, 0xcd, 0xac,
0x4a, 0x96, 0x94, 0xe5, 0xe8, 0x54, 0xed, 0x24, 0xd5, 0xbc, 0xda, 0x4b, 0xc0, 0x6e, 0x6e, 0x93,
0x8e, 0x92, 0x90, 0x7b, 0x39, 0x4b, 0xce, 0xa1, 0xaa, 0x56, 0x51, 0x75, 0x6a, 0x53, 0x2b, 0x2e,
0x24, 0x97, 0x01, 0x16, 0x6a, 0xcb, 0x1b, 0xc4, 0x62, 0xd3, 0x83, 0xce, 0xc2, 0xb0, 0xae, 0x74,
0x48, 0x51, 0x3a, 0x2b, 0x9d, 0x1f, 0xab, 0x1e, 0x7f, 0xb4, 0x57, 0x3a, 0xb6, 0xbf, 0x57, 0x1a,
0x5e, 0x53, 0x3a, 0x04, 0x73, 0x8a, 0xfc, 0x13, 0x09, 0x9e, 0x5d, 0x74, 0x6c, 0x6a, 0x74, 0x56,
0x09, 0xb5, 0xd4, 0xe6, 0xa2, 0x63, 0x59, 0x44, 0xa7, 0x75, 0xaa, 0x50, 0xc7, 0xee, 0x2d, 0x8f,
0xee, 0x41, 0x7e, 0x57, 0xd1, 0x1c, 0x52, 0x1c, 0x3a, 0x2b, 0x9d, 0x1f, 0xbf, 0x52, 0x2e, 0x07,
0xcb, 0xc4, 0x37, 0xba, 0x6c, 0xee, 0xb4, 0xf9, 0xba, 0xf1, 0x66, 0xa2, 0x7c, 0xd7, 0x51, 0x74,
0xaa, 0xd2, 0x6e, 0xf5, 0xa4, 0x80, 0x3c, 0x2e, 0xf4, 0x6e, 0x30, 0x2c, 0xec, 0x42, 0xca, 0xdf,
0x86, 0x33, 0x99, 0xa6, 0xad, 0xa8, 0x36, 0x45, 0xf7, 0x21, 0xaf, 0x52, 0xd2, 0xb1, 0x8b, 0xd2,
0xd9, 0xdc, 0xf9, 0xf1, 0x2b, 0xd7, 0xca, 0x07, 0xae, 0xd1, 0x72, 0x26, 0x58, 0x75, 0x42, 0x98,
0x91, 0x5f, 0x66, 0x70, 0xd8, 0x45, 0x95, 0x7f, 0x24, 0x01, 0x0a, 0xcb, 0x34, 0x14, 0xab, 0x4d,
0x68, 0x1f, 0x41, 0xf9, 0xc6, 0x57, 0x0b, 0xca, 0x8c, 0x80, 0x1c, 0x77, 0x15, 0x46, 0x62, 0x62,
0xc2, 0x6c, 0xd2, 0x24, 0x1e, 0x8c, 0x8d, 0x68, 0x30, 0x2e, 0x0f, 0x10, 0x0c, 0x17, 0x25, 0x23,
0x0a, 0x1f, 0x0c, 0xc1, 0xd8, 0x92, 0x42, 0x3a, 0x86, 0x5e, 0x27, 0x14, 0xbd, 0x03, 0x05, 0xb6,
0x31, 0x5a, 0x0a, 0x55, 0x78, 0x00, 0xc6, 0xaf, 0xbc, 0x74, 0x90, 0x77, 0x76, 0x99, 0x71, 0x97,
0x77, 0x2f, 0x97, 0xef, 0x6c, 0x3e, 0x20, 0x4d, 0xba, 0x4a, 0xa8, 0x52, 0x45, 0x42, 0x0f, 0x04,
0x63, 0xd8, 0x47, 0x45, 0x6b, 0x30, 0x6c, 0x9b, 0xa4, 0x29, 0x62, 0x77, 0xb1, 0x87, 0x1b, 0xbe,
0x65, 0x75, 0x93, 0x34, 0x83, 0xc9, 0x60, 0xbf, 0x30, 0xc7, 0x41, 0x1b, 0x30, 0x62, 0xf3, 0x59,
0x2e, 0xe6, 0x12, 0xb3, 0x71, 0x30, 0xa2, 0xbb, 0x36, 0x26, 0x05, 0xe6, 0x88, 0xfb, 0x1b, 0x0b,
0x34, 0xf9, 0x13, 0x09, 0x26, 0x7c, 0x5e, 0x3e, 0x03, 0x6f, 0x27, 0x62, 0x53, 0xee, 0x2f, 0x36,
0x4c, 0x9a, 0x47, 0xe6, 0x84, 0xd0, 0x55, 0xf0, 0x46, 0x42, 0x71, 0x59, 0xf5, 0xe6, 0x77, 0x88,
0xcf, 0xef, 0xf9, 0x7e, 0xdd, 0xc8, 0x98, 0xd6, 0x1f, 0x0f, 0x87, 0xcc, 0x67, 0xe1, 0x42, 0xf7,
0xa1, 0x60, 0x13, 0x8d, 0x34, 0xa9, 0x61, 0x09, 0xf3, 0x5f, 0xee, 0xd3, 0x7c, 0x65, 0x93, 0x68,
0x75, 0x21, 0x5a, 0x3d, 0xce, 0xec, 0xf7, 0x7e, 0x61, 0x1f, 0x12, 0xdd, 0x85, 0x02, 0x25, 0x1d,
0x53, 0x53, 0xa8, 0xb7, 0x2f, 0x5e, 0x08, 0xbb, 0xc0, 0x4e, 0x01, 0x06, 0x56, 0x33, 0x5a, 0x0d,
0xc1, 0xc6, 0xa7, 0xd4, 0x0f, 0x89, 0x37, 0x8a, 0x7d, 0x18, 0xb4, 0x0b, 0x93, 0x8e, 0xd9, 0x62,
0x9c, 0x94, 0xe5, 0xc0, 0x76, 0x57, 0x4c, 0xf1, 0xab, 0xfd, 0xc6, 0x66, 0x3d, 0x22, 0x5d, 0x9d,
0x15, 0xba, 0x26, 0xa3, 0xe3, 0x38, 0xa6, 0x05, 0x2d, 0xc0, 0x54, 0x47, 0xd5, 0x31, 0x51, 0x5a,
0xdd, 0x3a, 0x69, 0x1a, 0x7a, 0xcb, 0x2e, 0x0e, 0x9f, 0x95, 0xce, 0xe7, 0xab, 0xa7, 0x04, 0xc0,
0xd4, 0x6a, 0x94, 0x8c, 0xe3, 0xfc, 0xe8, 0x4d, 0x40, 0x9e, 0x1b, 0xb7, 0xdc, 0x14, 0xae, 0x1a,
0x7a, 0x31, 0x7f, 0x56, 0x3a, 0x9f, 0xab, 0xce, 0x09, 0x14, 0xd4, 0x48, 0x70, 0xe0, 0x14, 0x29,
0xb4, 0x02, 0x27, 0x2d, 0xb2, 0xab, 0x32, 0x1f, 0x6f, 0xab, 0x36, 0x35, 0xac, 0xee, 0x8a, 0xda,
0x51, 0x69, 0x71, 0x84, 0xdb, 0x54, 0xdc, 0xdf, 0x2b, 0x9d, 0xc4, 0x29, 0x74, 0x9c, 0x2a, 0x25,
0x7f, 0x9c, 0x87, 0xa9, 0xd8, 0x1e, 0x40, 0x1b, 0x30, 0xdb, 0x74, 0x13, 0xe6, 0x9a, 0xd3, 0xd9,
0x24, 0x56, 0xbd, 0xb9, 0x4d, 0x5a, 0x8e, 0x46, 0x5a, 0x7c, 0xa1, 0xe4, 0xab, 0xf3, 0xc2, 0xe2,
0xd9, 0xc5, 0x54, 0x2e, 0x9c, 0x21, 0xcd, 0xa2, 0xa0, 0xf3, 0xa1, 0x55, 0xd5, 0xb6, 0x7d, 0xcc,
0x21, 0x8e, 0xe9, 0x47, 0x61, 0x2d, 0xc1, 0x81, 0x53, 0xa4, 0x98, 0x8d, 0x2d, 0x62, 0xab, 0x16,
0x69, 0xc5, 0x6d, 0xcc, 0x45, 0x6d, 0x5c, 0x4a, 0xe5, 0xc2, 0x19, 0xd2, 0xe8, 0x2a, 0x8c, 0xbb,
0xda, 0xf8, 0xfc, 0x89, 0x89, 0xf6, 0x53, 0xf4, 0x5a, 0x40, 0xc2, 0x61, 0x3e, 0xe6, 0x9a, 0xb1,
0x69, 0x13, 0x6b, 0x97, 0xb4, 0xb2, 0x27, 0xf8, 0x4e, 0x82, 0x03, 0xa7, 0x48, 0x31, 0xd7, 0xdc,
0x15, 0x98, 0x70, 0x6d, 0x24, 0xea, 0xda, 0x7a, 0x2a, 0x17, 0xce, 0x90, 0x66, 0xeb, 0xd8, 0x35,
0x79, 0x61, 0x57, 0x51, 0x35, 0x65, 0x53, 0x23, 0xc5, 0xd1, 0xe8, 0x3a, 0x5e, 0x8b, 0x92, 0x71,
0x9c, 0x1f, 0xdd, 0x82, 0x69, 0x77, 0x68, 0x5d, 0x57, 0x7c, 0x90, 0x02, 0x07, 0x79, 0x56, 0x80,
0x4c, 0xaf, 0xc5, 0x19, 0x70, 0x52, 0x06, 0xbd, 0x0e, 0x93, 0x4d, 0x43, 0xd3, 0xf8, 0x7a, 0x5c,
0x34, 0x1c, 0x9d, 0x16, 0xc7, 0x78, 0xac, 0x10, 0xdb, 0x8f, 0x8b, 0x11, 0x0a, 0x8e, 0x71, 0xca,
0x7f, 0x90, 0xe0, 0x54, 0xc6, 0x9e, 0x46, 0xff, 0x07, 0xc3, 0xb4, 0x6b, 0x7a, 0xa7, 0xf5, 0x7f,
0x7b, 0x07, 0x44, 0xa3, 0x6b, 0x92, 0xc7, 0x7b, 0xa5, 0xd3, 0x19, 0x62, 0x8c, 0x8c, 0xb9, 0x20,
0xd2, 0x61, 0xc2, 0x62, 0xea, 0xf4, 0xb6, 0xcb, 0x22, 0x92, 0xd7, 0xd5, 0x1e, 0x39, 0x06, 0x87,
0x65, 0x82, 0x64, 0x3c, 0xbd, 0xbf, 0x57, 0x9a, 0x88, 0xd0, 0x70, 0x14, 0x5e, 0xfe, 0x70, 0x08,
0x60, 0x89, 0x98, 0x9a, 0xd1, 0xed, 0x10, 0xfd, 0x28, 0x0e, 0xdc, 0x3b, 0x91, 0x03, 0xf7, 0x52,
0xaf, 0xdc, 0xe9, 0x9b, 0x96, 0x79, 0xe2, 0xbe, 0x15, 0x3b, 0x71, 0x2b, 0xfd, 0x43, 0x1e, 0x7c,
0xe4, 0xfe, 0x25, 0x07, 0x33, 0x01, 0xf3, 0xa2, 0xa1, 0xb7, 0x54, 0xbe, 0x3f, 0xae, 0x47, 0xe6,
0xf8, 0xbf, 0x62, 0x73, 0x7c, 0x2a, 0x45, 0x24, 0x34, 0xbf, 0x2b, 0xbe, 0xb5, 0x43, 0x5c, 0xfc,
0x95, 0xa8, 0xf2, 0xc7, 0x7b, 0xa5, 0x94, 0xcb, 0x4a, 0xd9, 0x47, 0x8a, 0x9a, 0x88, 0xce, 0xc1,
0x88, 0x45, 0x14, 0xdb, 0xd0, 0x79, 0xa2, 0x18, 0x0b, 0x5c, 0xc1, 0x7c, 0x14, 0x0b, 0x2a, 0xba,
0x00, 0xa3, 0x1d, 0x62, 0xdb, 0x4a, 0x9b, 0xf0, 0x9c, 0x30, 0x56, 0x9d, 0x12, 0x8c, 0xa3, 0xab,
0xee, 0x30, 0xf6, 0xe8, 0xe8, 0x01, 0x4c, 0x6a, 0x8a, 0x2d, 0x16, 0x68, 0x43, 0xed, 0x10, 0xbe,
0xeb, 0xc7, 0xaf, 0xbc, 0xd8, 0xdf, 0x3a, 0x60, 0x12, 0xc1, 0xc9, 0xb6, 0x12, 0x41, 0xc2, 0x31,
0x64, 0xb4, 0x0b, 0x88, 0x8d, 0x34, 0x2c, 0x45, 0xb7, 0xdd, 0x40, 0x31, 0x7d, 0xa3, 0x03, 0xeb,
0xf3, 0x33, 0xdc, 0x4a, 0x02, 0x0d, 0xa7, 0x68, 0x90, 0x7f, 0x23, 0xc1, 0x64, 0x30, 0x4d, 0x47,
0x50, 0x4d, 0xad, 0x45, 0xab, 0xa9, 0x0b, 0x7d, 0x2f, 0xd1, 0x8c, 0x72, 0xea, 0x1f, 0x43, 0x80,
0x02, 0x26, 0xb6, 0xc1, 0x37, 0x95, 0xe6, 0x4e, 0x1f, 0x77, 0x85, 0x0f, 0x24, 0x40, 0x22, 0x3d,
0x2f, 0xe8, 0xba, 0x41, 0x79, 0xc6, 0xf7, 0xcc, 0x5a, 0xee, 0xdb, 0x2c, 0x4f, 0x63, 0x79, 0x3d,
0x81, 0x75, 0x43, 0xa7, 0x56, 0x37, 0x98, 0x91, 0x24, 0x03, 0x4e, 0x31, 0x00, 0x29, 0x00, 0x96,
0xc0, 0x6c, 0x18, 0x62, 0x23, 0x5f, 0xea, 0x23, 0xe7, 0x31, 0x81, 0x45, 0x43, 0xdf, 0x52, 0xdb,
0x41, 0xda, 0xc1, 0x3e, 0x10, 0x0e, 0x81, 0xce, 0xdd, 0x80, 0x53, 0x19, 0xd6, 0xa2, 0x13, 0x90,
0xdb, 0x21, 0x5d, 0x37, 0x6c, 0x98, 0xfd, 0x89, 0x4e, 0x86, 0xef, 0x54, 0x63, 0xe2, 0x3a, 0xf4,
0xfa, 0xd0, 0x35, 0x49, 0xfe, 0x24, 0x1f, 0x5e, 0x3b, 0xbc, 0x94, 0x3d, 0x0f, 0x05, 0x8b, 0x98,
0x9a, 0xda, 0x54, 0x6c, 0x51, 0xa1, 0xf0, 0xaa, 0x14, 0x8b, 0x31, 0xec, 0x53, 0x23, 0x45, 0xef,
0xd0, 0xd3, 0x2d, 0x7a, 0x73, 0x4f, 0xa6, 0xe8, 0xfd, 0x16, 0x14, 0x6c, 0xaf, 0xdc, 0x1d, 0xe6,
0x90, 0x97, 0x07, 0xc8, 0xaf, 0xa2, 0xd2, 0xf5, 0x15, 0xf8, 0x35, 0xae, 0x0f, 0x9a, 0x56, 0xdd,
0xe6, 0x07, 0xac, 0x6e, 0x9f, 0x68, 0x45, 0xca, 0x72, 0xaa, 0xa9, 0x38, 0x36, 0x69, 0xf1, 0x44,
0x54, 0x08, 0x72, 0x6a, 0x8d, 0x8f, 0x62, 0x41, 0x45, 0xf7, 0x23, 0x4b, 0xb6, 0x70, 0x98, 0x25,
0x3b, 0x99, 0xbd, 0x5c, 0xd1, 0x3a, 0x9c, 0x32, 0x2d, 0xa3, 0x6d, 0x11, 0xdb, 0x5e, 0x22, 0x4a,
0x4b, 0x53, 0x75, 0xe2, 0xc5, 0x67, 0x8c, 0xfb, 0x75, 0x7a, 0x7f, 0xaf, 0x74, 0xaa, 0x96, 0xce,
0x82, 0xb3, 0x64, 0xe5, 0x47, 0xc3, 0x70, 0x22, 0x7e, 0x02, 0x66, 0x54, 0x8f, 0xd2, 0xa1, 0xaa,
0xc7, 0x8b, 0xa1, 0xcd, 0xe0, 0x96, 0xd6, 0xfe, 0xec, 0xa7, 0x6c, 0x88, 0x05, 0x98, 0x12, 0xd9,
0xc0, 0x23, 0x8a, 0xfa, 0xd9, 0x9f, 0xfd, 0xf5, 0x28, 0x19, 0xc7, 0xf9, 0x59, 0x4d, 0x18, 0x94,
0x7a, 0x1e, 0xc8, 0x70, 0xb4, 0x26, 0x5c, 0x88, 0x33, 0xe0, 0xa4, 0x0c, 0x5a, 0x85, 0x19, 0x47,
0x4f, 0x42, 0xb9, 0xab, 0xf1, 0xb4, 0x80, 0x9a, 0x59, 0x4f, 0xb2, 0xe0, 0x34, 0x39, 0xb4, 0x05,
0xd0, 0xf4, 0x8e, 0x6d, 0xbb, 0x38, 0xc2, 0x33, 0xec, 0x95, 0xbe, 0xf7, 0x8e, 0x7f, 0xe2, 0x07,
0x79, 0xcd, 0x1f, 0xb2, 0x71, 0x08, 0x19, 0x5d, 0x87, 0x09, 0x8b, 0x5f, 0x08, 0x3c, 0x83, 0xdd,
0xa2, 0xfa, 0x19, 0x21, 0x36, 0x81, 0xc3, 0x44, 0x1c, 0xe5, 0x4d, 0xa9, 0x83, 0x0b, 0x7d, 0xd7,
0xc1, 0xbf, 0x95, 0xc2, 0x87, 0x90, 0x5f, 0x02, 0xbf, 0x1e, 0x29, 0x8f, 0xce, 0xc5, 0xca, 0xa3,
0xd9, 0xa4, 0x44, 0xa8, 0x3a, 0x32, 0xd2, 0xab, 0xdf, 0x57, 0x07, 0xaa, 0x7e, 0x83, 0xc3, 0xb3,
0x77, 0xf9, 0xfb, 0x91, 0x04, 0xb3, 0x37, 0xeb, 0xb7, 0x2c, 0xc3, 0x31, 0x3d, 0x73, 0xee, 0x98,
0x6e, 0x5c, 0x5f, 0x83, 0x61, 0xcb, 0xd1, 0x3c, 0x3f, 0x5e, 0xf0, 0xfc, 0xc0, 0x8e, 0xc6, 0xfc,
0x98, 0x89, 0x49, 0xb9, 0x4e, 0x30, 0x01, 0xb4, 0x06, 0x23, 0x96, 0xa2, 0xb7, 0x89, 0x77, 0xac,
0x9e, 0xeb, 0x61, 0xfd, 0xf2, 0x12, 0x66, 0xec, 0xa1, 0xe2, 0x8d, 0x4b, 0x63, 0x81, 0x22, 0x7f,
0x5f, 0x82, 0xa9, 0xdb, 0x8d, 0x46, 0x6d, 0x59, 0xe7, 0x3b, 0xba, 0xa6, 0xd0, 0x6d, 0x76, 0xd2,
0x9b, 0x0a, 0xdd, 0x8e, 0x9f, 0xf4, 0x8c, 0x86, 0x39, 0x05, 0x7d, 0x1d, 0x46, 0x59, 0x26, 0x21,
0x7a, 0xab, 0xcf, 0x52, 0x5b, 0xc0, 0x57, 0x5d, 0xa1, 0xa0, 0x42, 0x14, 0x03, 0xd8, 0x83, 0x93,
0x77, 0xe0, 0x64, 0xc8, 0x1c, 0x16, 0x0f, 0xfe, 0x66, 0x88, 0xea, 0x90, 0x67, 0x9a, 0xbd, 0x27,
0xc1, 0x5e, 0x2f, 0x5f, 0x31, 0x97, 0x82, 0x4a, 0x87, 0xfd, 0xb2, 0xb1, 0x8b, 0x25, 0xaf, 0xc2,
0xc4, 0x6d, 0xc3, 0xa6, 0x35, 0xc3, 0xa2, 0x3c, 0x2c, 0xe8, 0x0c, 0xe4, 0x3a, 0xaa, 0x2e, 0xce,
0xd9, 0x71, 0x21, 0x93, 0x63, 0x67, 0x04, 0x1b, 0xe7, 0x64, 0xe5, 0xa1, 0xc8, 0x3c, 0x01, 0x59,
0x79, 0x88, 0xd9, 0xb8, 0x7c, 0x0b, 0x46, 0x45, 0xb8, 0xc3, 0x40, 0xb9, 0x83, 0x81, 0x72, 0x29,
0x40, 0x3f, 0x18, 0x82, 0x51, 0x61, 0xfd, 0x11, 0x5c, 0x9a, 0x56, 0x22, 0x97, 0xa6, 0x17, 0xfb,
0x9b, 0xc9, 0xcc, 0x1b, 0x53, 0x23, 0x76, 0x63, 0xba, 0xd8, 0x27, 0xde, 0xc1, 0xd7, 0xa5, 0x8f,
0x25, 0x98, 0x8c, 0xae, 0x21, 0x74, 0x15, 0xc6, 0xd9, 0xf9, 0xa0, 0x36, 0xc9, 0x5a, 0x50, 0x96,
0xfa, 0x8f, 0x19, 0xf5, 0x80, 0x84, 0xc3, 0x7c, 0xa8, 0xed, 0x8b, 0xb1, 0x69, 0x17, 0x4e, 0x67,
0x87, 0xd4, 0xa1, 0xaa, 0x56, 0x76, 0x1b, 0x14, 0xe5, 0x65, 0x9d, 0xde, 0xb1, 0xea, 0xd4, 0x52,
0xf5, 0x76, 0x42, 0x11, 0x5f, 0x43, 0x61, 0x64, 0xf9, 0xd7, 0x12, 0x8c, 0x0b, 0x93, 0x8f, 0xe0,
0x12, 0xf0, 0xb5, 0xe8, 0x25, 0xe0, 0x5c, 0x9f, 0xfb, 0x31, 0xfd, 0x06, 0xf0, 0xb3, 0xc0, 0x74,
0xb6, 0x03, 0x59, 0x42, 0xd8, 0x36, 0x6c, 0x1a, 0x4f, 0x08, 0x6c, 0xef, 0x60, 0x4e, 0x41, 0x0e,
0x9c, 0x50, 0x63, 0x5b, 0x56, 0x84, 0xb6, 0xd2, 0x9f, 0x25, 0xbe, 0x58, 0xb5, 0x28, 0xe0, 0x4f,
0xc4, 0x29, 0x38, 0xa1, 0x42, 0x26, 0x90, 0xe0, 0x42, 0x77, 0x61, 0x78, 0x9b, 0x52, 0x33, 0xe5,
0xdd, 0xb7, 0x47, 0xa2, 0x08, 0x4c, 0x28, 0x70, 0xef, 0x1a, 0x8d, 0x1a, 0xe6, 0x50, 0xf2, 0x3f,
0x83, 0x78, 0xd4, 0xdd, 0x35, 0xee, 0xa7, 0x3f, 0xe9, 0x30, 0xe9, 0x6f, 0x3c, 0x2d, 0xf5, 0xa1,
0xdb, 0x90, 0xa3, 0x5a, 0xbf, 0xb7, 0x38, 0x81, 0xd8, 0x58, 0xa9, 0x07, 0xf9, 0xa3, 0xb1, 0x52,
0xc7, 0x0c, 0x02, 0xdd, 0x81, 0x3c, 0x3b, 0x2c, 0xd8, 0x16, 0xcc, 0xf5, 0xbf, 0xa5, 0x99, 0xff,
0xc1, 0x82, 0x60, 0xbf, 0x6c, 0xec, 0xe2, 0xc8, 0xef, 0xc2, 0x44, 0x64, 0x9f, 0xa2, 0x77, 0xe0,
0xb8, 0x66, 0x28, 0xad, 0xaa, 0xa2, 0x29, 0x7a, 0x93, 0x78, 0x8f, 0xec, 0xe7, 0xd2, 0x2e, 0x04,
0x2b, 0x21, 0x3e, 0xb1, 0xcb, 0xfd, 0x56, 0x59, 0x98, 0x86, 0x23, 0x88, 0xb2, 0x02, 0x10, 0xf8,
0x88, 0x4a, 0x90, 0x67, 0xeb, 0xcc, 0x4d, 0xff, 0x63, 0xd5, 0x31, 0x66, 0x21, 0x5b, 0x7e, 0x36,
0x76, 0xc7, 0xd1, 0x15, 0x00, 0x9b, 0x34, 0x2d, 0x42, 0x79, 0x32, 0x70, 0x9f, 0x3f, 0xfc, 0xb4,
0x57, 0xf7, 0x29, 0x38, 0xc4, 0x25, 0xff, 0x5e, 0x82, 0x89, 0x35, 0x42, 0xdf, 0x33, 0xac, 0x9d,
0x1a, 0x6f, 0xca, 0x1e, 0x41, 0xb2, 0xc5, 0x91, 0x64, 0xfb, 0x52, 0x8f, 0x99, 0x89, 0x58, 0x97,
0x95, 0x72, 0x99, 0x1f, 0xc5, 0x08, 0x67, 0x78, 0xef, 0xae, 0x43, 0xde, 0x34, 0x2c, 0xea, 0x1d,
0x9c, 0x03, 0x69, 0x64, 0x79, 0x2c, 0x74, 0x74, 0x32, 0x18, 0xec, 0xa2, 0x31, 0x3f, 0xb6, 0x2c,
0xa3, 0x23, 0x56, 0xeb, 0x60, 0xa8, 0x84, 0x58, 0x81, 0x1f, 0x37, 0x2d, 0xa3, 0x83, 0x39, 0x96,
0xfc, 0x3b, 0x09, 0xa6, 0x23, 0x9c, 0x47, 0x90, 0x37, 0xef, 0x46, 0xf3, 0xe6, 0xc5, 0x41, 0x1c,
0xc9, 0xc8, 0x9e, 0x7f, 0x8f, 0xbb, 0xc1, 0x1c, 0x46, 0x5b, 0x30, 0x6e, 0x1a, 0xad, 0xfa, 0x13,
0xe8, 0x4a, 0x4d, 0xb1, 0x63, 0xa7, 0x16, 0x60, 0xe1, 0x30, 0x30, 0x7a, 0x08, 0xd3, 0xba, 0xd2,
0x21, 0xb6, 0xa9, 0x34, 0x49, 0xfd, 0x09, 0x3c, 0x07, 0x3c, 0xc3, 0x9f, 0xbd, 0xe3, 0x88, 0x38,
0xa9, 0x44, 0xfe, 0x79, 0xc2, 0x6f, 0xc3, 0xa2, 0xe8, 0x16, 0x14, 0x78, 0x3b, 0xbf, 0x69, 0x68,
0xde, 0xc3, 0x35, 0x9b, 0x8a, 0x9a, 0x18, 0x7b, 0xbc, 0x57, 0x3a, 0x9d, 0xf2, 0x26, 0xe9, 0x91,
0xb1, 0x2f, 0x8c, 0xd6, 0x60, 0xd8, 0xfc, 0x2a, 0x27, 0x36, 0x4f, 0xea, 0xfc, 0x98, 0xe6, 0x38,
0xf2, 0x97, 0x71, 0x73, 0x79, 0x6a, 0x7f, 0xf0, 0xc4, 0xa6, 0xc9, 0xaf, 0x10, 0x32, 0xa7, 0x6a,
0x13, 0x46, 0xc5, 0x89, 0x26, 0x56, 0xdf, 0x6b, 0x83, 0xac, 0xbe, 0x70, 0xd6, 0xf6, 0xeb, 0x69,
0x6f, 0xd0, 0x03, 0x96, 0xff, 0x28, 0xc1, 0x34, 0x37, 0xa0, 0xe9, 0x58, 0x2a, 0xed, 0x1e, 0x59,
0x9e, 0xdb, 0x88, 0xe4, 0xb9, 0x57, 0x7a, 0x38, 0x96, 0xb0, 0x30, 0x33, 0xd7, 0x7d, 0x2a, 0xc1,
0x33, 0x09, 0xee, 0x23, 0xc8, 0x13, 0xeb, 0xd1, 0x3c, 0xf1, 0xd2, 0xa0, 0x0e, 0x65, 0x55, 0x5a,
0xe3, 0x29, 0xee, 0xf0, 0x85, 0x78, 0x05, 0xc0, 0xb4, 0xd4, 0x5d, 0x55, 0x23, 0x6d, 0xd1, 0x9b,
0x2c, 0x04, 0x21, 0xaf, 0xf9, 0x14, 0x1c, 0xe2, 0x42, 0x36, 0xcc, 0xb6, 0xc8, 0x96, 0xe2, 0x68,
0x74, 0xa1, 0xd5, 0x5a, 0x54, 0x4c, 0x65, 0x53, 0xd5, 0x54, 0xaa, 0x8a, 0xcb, 0xe2, 0x58, 0xf5,
0xba, 0xdb, 0x33, 0x4c, 0xe3, 0x78, 0xbc, 0x57, 0x3a, 0x93, 0xd6, 0x1b, 0xf0, 0x58, 0xba, 0x38,
0x03, 0x1a, 0x75, 0xa1, 0x68, 0x91, 0x77, 0x1d, 0xd5, 0x22, 0xad, 0x25, 0xcb, 0x30, 0x23, 0x6a,
0x73, 0x5c, 0xed, 0xff, 0xee, 0xef, 0x95, 0x8a, 0x38, 0x83, 0xa7, 0xb7, 0xe2, 0x4c, 0x78, 0xf4,
0x00, 0x66, 0x14, 0x4d, 0x33, 0xde, 0x23, 0x51, 0x67, 0x87, 0xb9, 0xd6, 0x6b, 0xfb, 0x7b, 0xa5,
0x99, 0x85, 0x24, 0xb9, 0xb7, 0xc2, 0x34, 0x50, 0x54, 0x81, 0xd1, 0x5d, 0x43, 0x73, 0x3a, 0xc4,
0x2e, 0xe6, 0x39, 0x3e, 0x4b, 0x8c, 0xa3, 0x1b, 0xee, 0xd0, 0xe3, 0xbd, 0xd2, 0xc8, 0xcd, 0x3a,
0xbf, 0xa6, 0x7b, 0x5c, 0xec, 0x7e, 0xc2, 0x4a, 0x13, 0xb1, 0x67, 0xf9, 0x7b, 0x61, 0x21, 0x48,
0x0a, 0xb7, 0x03, 0x12, 0x0e, 0xf3, 0xa1, 0xfb, 0x30, 0xb6, 0x2d, 0xee, 0xa4, 0x76, 0x71, 0xb4,
0xaf, 0x43, 0x29, 0x72, 0x87, 0xad, 0x4e, 0x0b, 0x15, 0x63, 0xde, 0xb0, 0x8d, 0x03, 0x44, 0x74,
0x01, 0x46, 0xf9, 0x8f, 0xe5, 0x25, 0xfe, 0x18, 0x53, 0x08, 0x52, 0xc7, 0x6d, 0x77, 0x18, 0x7b,
0x74, 0x8f, 0x75, 0xb9, 0xb6, 0xc8, 0x1f, 0x05, 0x63, 0xac, 0xcb, 0xb5, 0x45, 0xec, 0xd1, 0xd1,
0x3b, 0x30, 0x6a, 0x93, 0x15, 0x55, 0x77, 0x1e, 0x16, 0xa1, 0xaf, 0x96, 0x62, 0xfd, 0x06, 0xe7,
0x8e, 0x3d, 0x8b, 0x04, 0x1a, 0x04, 0x1d, 0x7b, 0xb0, 0x68, 0x1b, 0xc6, 0x2c, 0x47, 0x5f, 0xb0,
0xd7, 0x6d, 0x62, 0x15, 0xc7, 0xb9, 0x8e, 0x5e, 0xd9, 0x12, 0x7b, 0xfc, 0x71, 0x2d, 0x7e, 0x84,
0x7c, 0x0e, 0x1c, 0x80, 0xa3, 0xef, 0x49, 0x80, 0x6c, 0xc7, 0x34, 0x35, 0xd2, 0x21, 0x3a, 0x55,
0x34, 0xfe, 0x12, 0x63, 0x17, 0x8f, 0x73, 0x9d, 0xff, 0xdf, 0xcb, 0xaf, 0x84, 0x60, 0x5c, 0xb9,
0xff, 0xe4, 0x99, 0x64, 0xc5, 0x29, 0x7a, 0x59, 0x68, 0xb7, 0x6c, 0xfe, 0x77, 0x71, 0xa2, 0xaf,
0xd0, 0xa6, 0xbf, 0x38, 0x05, 0xa1, 0x15, 0x74, 0xec, 0xc1, 0xa2, 0x0d, 0x98, 0xb5, 0x88, 0xd2,
0xba, 0xa3, 0x6b, 0x5d, 0x6c, 0x18, 0xf4, 0xa6, 0xaa, 0x11, 0xbb, 0x6b, 0x53, 0xd2, 0x29, 0x4e,
0xf2, 0x69, 0xf7, 0x5b, 0xf2, 0x38, 0x95, 0x0b, 0x67, 0x48, 0xa3, 0x0e, 0x94, 0xbc, 0x94, 0xc1,
0xf6, 0x93, 0x9f, 0xb3, 0x6e, 0xd8, 0x4d, 0x45, 0x73, 0x5f, 0x81, 0xa7, 0xb8, 0x82, 0x17, 0xf6,
0xf7, 0x4a, 0xa5, 0xa5, 0x83, 0x59, 0x71, 0x2f, 0x2c, 0xf4, 0x36, 0x14, 0x95, 0x2c, 0x3d, 0x27,
0xb8, 0x9e, 0xb3, 0xc2, 0x91, 0x62, 0xa6, 0x92, 0x4c, 0x04, 0xde, 0xca, 0x16, 0x0f, 0x9b, 0x47,
0xf3, 0xed, 0xd8, 0x60, 0xad, 0xec, 0xc0, 0xb4, 0x27, 0xd6, 0xca, 0x0e, 0x41, 0x1e, 0xfc, 0x36,
0xf3, 0xb7, 0x21, 0x98, 0x09, 0x98, 0xfb, 0x6e, 0x65, 0xa7, 0x88, 0x3c, 0xb5, 0x56, 0x76, 0x7a,
0x2f, 0x38, 0xf7, 0xb4, 0x7b, 0xc1, 0x4f, 0xa1, 0x85, 0xce, 0xdb, 0xcb, 0x41, 0xe8, 0xfe, 0xfd,
0xda, 0xcb, 0x81, 0x6d, 0x19, 0x25, 0xcf, 0x2f, 0x87, 0xc2, 0x0e, 0xfc, 0xc7, 0xf7, 0x38, 0xbf,
0xfa, 0x07, 0x76, 0xf2, 0xa7, 0x39, 0x38, 0x11, 0xdf, 0x8d, 0x91, 0x56, 0x98, 0xd4, 0xb3, 0x15,
0x56, 0x83, 0x93, 0x5b, 0x8e, 0xa6, 0x75, 0x79, 0x18, 0x42, 0xfd, 0x30, 0xf7, 0x29, 0xfb, 0x39,
0x21, 0x79, 0xf2, 0x66, 0x0a, 0x0f, 0x4e, 0x95, 0xcc, 0x68, 0xeb, 0xe5, 0x0e, 0xd5, 0xd6, 0x4b,
0x74, 0x99, 0x86, 0x07, 0xe8, 0x32, 0xa5, 0xb6, 0xe8, 0xf2, 0x87, 0x68, 0xd1, 0x1d, 0xa6, 0xa7,
0x96, 0x92, 0xc4, 0x7a, 0xf5, 0xd4, 0xe4, 0xe7, 0x60, 0x4e, 0x88, 0x51, 0xde, 0xee, 0xd2, 0xa9,
0x65, 0x68, 0x1a, 0xb1, 0x96, 0x9c, 0x4e, 0xa7, 0x2b, 0xbf, 0x01, 0x93, 0xd1, 0x46, 0xae, 0x3b,
0xd3, 0x6e, 0x2f, 0x59, 0x34, 0x14, 0x42, 0x33, 0xed, 0x8e, 0x63, 0x9f, 0x43, 0x7e, 0x5f, 0x82,
0xd9, 0xf4, 0x0f, 0xb6, 0x90, 0x06, 0x93, 0x1d, 0xe5, 0x61, 0xf8, 0xeb, 0x36, 0xe9, 0x90, 0x77,
0x69, 0xde, 0xc1, 0x5b, 0x8d, 0x60, 0xe1, 0x18, 0x36, 0xbb, 0x5f, 0x9f, 0xca, 0xe8, 0x9d, 0x1d,
0xad, 0x25, 0xe8, 0x1e, 0x14, 0x3a, 0xca, 0xc3, 0xba, 0x63, 0xb5, 0xc9, 0xa1, 0x5f, 0x0f, 0x78,
0xc6, 0x58, 0x15, 0x28, 0xd8, 0xc7, 0x93, 0x3f, 0x92, 0xa0, 0x98, 0x55, 0x68, 0xa2, 0xab, 0x91,
0x2e, 0xdf, 0xf3, 0xb1, 0x2e, 0xdf, 0x74, 0x42, 0xee, 0x29, 0xf5, 0xf8, 0x7e, 0x21, 0xc1, 0x6c,
0x7a, 0xc1, 0x8d, 0x5e, 0x8e, 0x58, 0x58, 0x8a, 0x59, 0x38, 0x15, 0x93, 0x12, 0xf6, 0x7d, 0x13,
0x26, 0x45, 0x59, 0x2e, 0x60, 0x44, 0x54, 0xe5, 0xb4, 0x5c, 0x29, 0x20, 0xbc, 0x32, 0x94, 0xcf,
0x57, 0x74, 0x0c, 0xc7, 0xd0, 0xe4, 0xef, 0x0e, 0x41, 0xbe, 0xde, 0x54, 0x34, 0x72, 0x04, 0x65,
0xd6, 0x9b, 0x91, 0x32, 0xab, 0xd7, 0x97, 0xe8, 0xdc, 0xaa, 0xcc, 0x0a, 0x0b, 0xc7, 0x2a, 0xac,
0x17, 0xfb, 0x42, 0x3b, 0xb8, 0xb8, 0xfa, 0x1f, 0x18, 0xf3, 0x95, 0x0e, 0x96, 0xf3, 0xe5, 0x9f,
0x0e, 0xc1, 0x78, 0x48, 0xc5, 0x80, 0x27, 0xc6, 0x56, 0xe4, 0xa4, 0xed, 0xe7, 0x7f, 0x52, 0x42,
0xba, 0xca, 0xde, 0xd9, 0xea, 0x7e, 0xb0, 0x15, 0x7c, 0xa2, 0x93, 0x3c, 0x72, 0xdf, 0x80, 0x49,
0xca, 0xff, 0x67, 0xc3, 0x7f, 0x73, 0xcb, 0xf1, 0xb5, 0xe8, 0x7f, 0xe6, 0xd7, 0x88, 0x50, 0x71,
0x8c, 0x7b, 0xee, 0x3a, 0x4c, 0x44, 0x94, 0x0d, 0xf4, 0xbd, 0xd5, 0xaf, 0x24, 0x78, 0xbe, 0xe7,
0x95, 0x0d, 0x55, 0x23, 0x9b, 0xa4, 0x1c, 0xdb, 0x24, 0xf3, 0xd9, 0x00, 0x4f, 0xb1, 0x6f, 0xff,
0xfe, 0x10, 0xa0, 0xc6, 0xb6, 0x6a, 0xb5, 0x6a, 0x8a, 0x45, 0xbb, 0x58, 0xfc, 0xe3, 0xcd, 0x11,
0x6c, 0x98, 0xab, 0x30, 0xde, 0x22, 0x76, 0xd3, 0x52, 0x79, 0x70, 0x44, 0x75, 0xee, 0x3f, 0x6b,
0x2c, 0x05, 0x24, 0x1c, 0xe6, 0x43, 0x6f, 0x41, 0x61, 0xd7, 0xfd, 0x4f, 0x2e, 0xaf, 0x2b, 0xd5,
0xab, 0x90, 0x0c, 0xfe, 0xf7, 0x2b, 0x58, 0x3f, 0x62, 0xc0, 0xc6, 0x3e, 0x98, 0xfc, 0xa1, 0x04,
0xb3, 0xc9, 0x40, 0x2c, 0x31, 0x53, 0x9f, 0x7e, 0x30, 0x9e, 0x83, 0x61, 0x8e, 0xce, 0xa2, 0x70,
0xdc, 0x7d, 0x61, 0x66, 0x9a, 0x31, 0x1f, 0x95, 0xff, 0x2c, 0xc1, 0x5c, 0xba, 0x69, 0x47, 0x50,
0xb6, 0xdf, 0x8b, 0x96, 0xed, 0xbd, 0x5e, 0x0d, 0xd2, 0xed, 0xcc, 0x28, 0xe1, 0xff, 0x94, 0x1a,
0xf3, 0x23, 0x70, 0x6a, 0x23, 0xea, 0xd4, 0xe5, 0x81, 0x9d, 0x4a, 0x77, 0xa8, 0x7a, 0xe9, 0xd1,
0x17, 0xf3, 0xc7, 0x3e, 0xfb, 0x62, 0xfe, 0xd8, 0xe7, 0x5f, 0xcc, 0x1f, 0xfb, 0xce, 0xfe, 0xbc,
0xf4, 0x68, 0x7f, 0x5e, 0xfa, 0x6c, 0x7f, 0x5e, 0xfa, 0x7c, 0x7f, 0x5e, 0xfa, 0xeb, 0xfe, 0xbc,
0xf4, 0xc3, 0x2f, 0xe7, 0x8f, 0xdd, 0x1b, 0x15, 0xb8, 0xff, 0x0a, 0x00, 0x00, 0xff, 0xff, 0xc0,
0x14, 0x27, 0xd4, 0x89, 0x3a, 0x00, 0x00,
}


@ -723,6 +723,16 @@ message PodSecurityPolicySpec {
// will not be forced to.
// +optional
optional bool readOnlyRootFilesystem = 14;
// DefaultAllowPrivilegeEscalation controls the default setting for whether a
// process can gain more privileges than it's parent process.
// +optional
optional bool defaultAllowPrivilegeEscalation = 15;
// AllowPrivilegeEscalation determines if a pod can request to allow
// privilege escalation.
// +optional
optional bool allowPrivilegeEscalation = 16;
}
// ReplicaSet represents the configuration of a ReplicaSet.
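Review bot: The comments on the two new fields leave out what an unset value means, and for `allowPrivilegeEscalation = 16` that is the security-relevant part: the Go side treats it as a plain bool (it is emitted only when `!= false` and decodes nil to false), so a policy stored before this change reads back the same as one that explicitly sets false. If false is enforced as "deny" (the admission code is not in this section), existing policies would start rejecting pods that rely on setuid binaries after an upgrade, so I would state it in the comment, e.g. `// AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation. Unset is treated as false.` The comment on `defaultAllowPrivilegeEscalation = 15` should likewise say what applies when it is unset and whether a true default is rejected when `allowPrivilegeEscalation` is false. The wording "it's parent process" should read "its parent process". The message starts outside this hunk, and if this .proto is generated from the Go type comments, the wording should be fixed there.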


@ -14751,7 +14751,7 @@ func (x *PodSecurityPolicySpec) CodecEncodeSelf(e *codec1978.Encoder) {
} else {
yysep2 := !z.EncBinary()
yy2arr2 := z.EncBasicHandle().StructToArray
var yyq2 [14]bool
var yyq2 [16]bool
_, _, _ = yysep2, yyq2, yy2arr2
const yyr2 bool = false
yyq2[0] = x.Privileged != false
@ -14764,9 +14764,11 @@ func (x *PodSecurityPolicySpec) CodecEncodeSelf(e *codec1978.Encoder) {
yyq2[7] = x.HostPID != false
yyq2[8] = x.HostIPC != false
yyq2[13] = x.ReadOnlyRootFilesystem != false
yyq2[14] = x.DefaultAllowPrivilegeEscalation != nil
yyq2[15] = x.AllowPrivilegeEscalation != false
var yynn2 int
if yyr2 || yy2arr2 {
r.EncodeArrayStart(14)
r.EncodeArrayStart(16)
} else {
yynn2 = 4
for _, b := range yyq2 {
@ -15111,6 +15113,66 @@ func (x *PodSecurityPolicySpec) CodecEncodeSelf(e *codec1978.Encoder) {
}
}
}
if yyr2 || yy2arr2 {
z.EncSendContainerState(codecSelfer_containerArrayElem1234)
if yyq2[14] {
if x.DefaultAllowPrivilegeEscalation == nil {
r.EncodeNil()
} else {
yy54 := *x.DefaultAllowPrivilegeEscalation
yym55 := z.EncBinary()
_ = yym55
if false {
} else {
r.EncodeBool(bool(yy54))
}
}
} else {
r.EncodeNil()
}
} else {
if yyq2[14] {
z.EncSendContainerState(codecSelfer_containerMapKey1234)
r.EncodeString(codecSelferC_UTF81234, string("defaultAllowPrivilegeEscalation"))
z.EncSendContainerState(codecSelfer_containerMapValue1234)
if x.DefaultAllowPrivilegeEscalation == nil {
r.EncodeNil()
} else {
yy56 := *x.DefaultAllowPrivilegeEscalation
yym57 := z.EncBinary()
_ = yym57
if false {
} else {
r.EncodeBool(bool(yy56))
}
}
}
}
if yyr2 || yy2arr2 {
z.EncSendContainerState(codecSelfer_containerArrayElem1234)
if yyq2[15] {
yym59 := z.EncBinary()
_ = yym59
if false {
} else {
r.EncodeBool(bool(x.AllowPrivilegeEscalation))
}
} else {
r.EncodeBool(false)
}
} else {
if yyq2[15] {
z.EncSendContainerState(codecSelfer_containerMapKey1234)
r.EncodeString(codecSelferC_UTF81234, string("allowPrivilegeEscalation"))
z.EncSendContainerState(codecSelfer_containerMapValue1234)
yym60 := z.EncBinary()
_ = yym60
if false {
} else {
r.EncodeBool(bool(x.AllowPrivilegeEscalation))
}
}
}
if yyr2 || yy2arr2 {
z.EncSendContainerState(codecSelfer_containerArrayEnd1234)
} else {
@ -15320,6 +15382,34 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromMap(l int, d *codec1978.Decod
*((*bool)(yyv26)) = r.DecodeBool()
}
}
case "defaultAllowPrivilegeEscalation":
if r.TryDecodeAsNil() {
if x.DefaultAllowPrivilegeEscalation != nil {
x.DefaultAllowPrivilegeEscalation = nil
}
} else {
if x.DefaultAllowPrivilegeEscalation == nil {
x.DefaultAllowPrivilegeEscalation = new(bool)
}
yym29 := z.DecBinary()
_ = yym29
if false {
} else {
*((*bool)(x.DefaultAllowPrivilegeEscalation)) = r.DecodeBool()
}
}
case "allowPrivilegeEscalation":
if r.TryDecodeAsNil() {
x.AllowPrivilegeEscalation = false
} else {
yyv30 := &x.AllowPrivilegeEscalation
yym31 := z.DecBinary()
_ = yym31
if false {
} else {
*((*bool)(yyv30)) = r.DecodeBool()
}
}
default:
z.DecStructFieldNotFound(-1, yys3)
} // end switch yys3
@ -15331,16 +15421,16 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
var h codecSelfer1234
z, r := codec1978.GenHelperDecoder(d)
_, _, _ = h, z, r
var yyj28 int
var yyb28 bool
var yyhl28 bool = l >= 0
yyj28++
if yyhl28 {
yyb28 = yyj28 > l
var yyj32 int
var yyb32 bool
var yyhl32 bool = l >= 0
yyj32++
if yyhl32 {
yyb32 = yyj32 > l
} else {
yyb28 = r.CheckBreak()
yyb32 = r.CheckBreak()
}
if yyb28 {
if yyb32 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@ -15348,21 +15438,21 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if r.TryDecodeAsNil() {
x.Privileged = false
} else {
yyv29 := &x.Privileged
yym30 := z.DecBinary()
_ = yym30
yyv33 := &x.Privileged
yym34 := z.DecBinary()
_ = yym34
if false {
} else {
*((*bool)(yyv29)) = r.DecodeBool()
*((*bool)(yyv33)) = r.DecodeBool()
}
}
yyj28++
if yyhl28 {
yyb28 = yyj28 > l
yyj32++
if yyhl32 {
yyb32 = yyj32 > l
} else {
yyb28 = r.CheckBreak()
yyb32 = r.CheckBreak()
}
if yyb28 {
if yyb32 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@ -15370,51 +15460,7 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if r.TryDecodeAsNil() {
x.DefaultAddCapabilities = nil
} else {
yyv31 := &x.DefaultAddCapabilities
yym32 := z.DecBinary()
_ = yym32
if false {
} else {
h.decSlicev1_Capability((*[]pkg4_v1.Capability)(yyv31), d)
}
}
yyj28++
if yyhl28 {
yyb28 = yyj28 > l
} else {
yyb28 = r.CheckBreak()
}
if yyb28 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
z.DecSendContainerState(codecSelfer_containerArrayElem1234)
if r.TryDecodeAsNil() {
x.RequiredDropCapabilities = nil
} else {
yyv33 := &x.RequiredDropCapabilities
yym34 := z.DecBinary()
_ = yym34
if false {
} else {
h.decSlicev1_Capability((*[]pkg4_v1.Capability)(yyv33), d)
}
}
yyj28++
if yyhl28 {
yyb28 = yyj28 > l
} else {
yyb28 = r.CheckBreak()
}
if yyb28 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
z.DecSendContainerState(codecSelfer_containerArrayElem1234)
if r.TryDecodeAsNil() {
x.AllowedCapabilities = nil
} else {
yyv35 := &x.AllowedCapabilities
yyv35 := &x.DefaultAddCapabilities
yym36 := z.DecBinary()
_ = yym36
if false {
@ -15422,13 +15468,57 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
h.decSlicev1_Capability((*[]pkg4_v1.Capability)(yyv35), d)
}
}
yyj28++
if yyhl28 {
yyb28 = yyj28 > l
yyj32++
if yyhl32 {
yyb32 = yyj32 > l
} else {
yyb28 = r.CheckBreak()
yyb32 = r.CheckBreak()
}
if yyb28 {
if yyb32 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
z.DecSendContainerState(codecSelfer_containerArrayElem1234)
if r.TryDecodeAsNil() {
x.RequiredDropCapabilities = nil
} else {
yyv37 := &x.RequiredDropCapabilities
yym38 := z.DecBinary()
_ = yym38
if false {
} else {
h.decSlicev1_Capability((*[]pkg4_v1.Capability)(yyv37), d)
}
}
yyj32++
if yyhl32 {
yyb32 = yyj32 > l
} else {
yyb32 = r.CheckBreak()
}
if yyb32 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
z.DecSendContainerState(codecSelfer_containerArrayElem1234)
if r.TryDecodeAsNil() {
x.AllowedCapabilities = nil
} else {
yyv39 := &x.AllowedCapabilities
yym40 := z.DecBinary()
_ = yym40
if false {
} else {
h.decSlicev1_Capability((*[]pkg4_v1.Capability)(yyv39), d)
}
}
yyj32++
if yyhl32 {
yyb32 = yyj32 > l
} else {
yyb32 = r.CheckBreak()
}
if yyb32 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@ -15436,21 +15526,21 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if r.TryDecodeAsNil() {
x.Volumes = nil
} else {
yyv37 := &x.Volumes
yym38 := z.DecBinary()
_ = yym38
yyv41 := &x.Volumes
yym42 := z.DecBinary()
_ = yym42
if false {
} else {
h.decSliceFSType((*[]FSType)(yyv37), d)
h.decSliceFSType((*[]FSType)(yyv41), d)
}
}
yyj28++
if yyhl28 {
yyb28 = yyj28 > l
yyj32++
if yyhl32 {
yyb32 = yyj32 > l
} else {
yyb28 = r.CheckBreak()
yyb32 = r.CheckBreak()
}
if yyb28 {
if yyb32 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@ -15458,51 +15548,7 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if r.TryDecodeAsNil() {
x.HostNetwork = false
} else {
yyv39 := &x.HostNetwork
yym40 := z.DecBinary()
_ = yym40
if false {
} else {
*((*bool)(yyv39)) = r.DecodeBool()
}
}
yyj28++
if yyhl28 {
yyb28 = yyj28 > l
} else {
yyb28 = r.CheckBreak()
}
if yyb28 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
z.DecSendContainerState(codecSelfer_containerArrayElem1234)
if r.TryDecodeAsNil() {
x.HostPorts = nil
} else {
yyv41 := &x.HostPorts
yym42 := z.DecBinary()
_ = yym42
if false {
} else {
h.decSliceHostPortRange((*[]HostPortRange)(yyv41), d)
}
}
yyj28++
if yyhl28 {
yyb28 = yyj28 > l
} else {
yyb28 = r.CheckBreak()
}
if yyb28 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
z.DecSendContainerState(codecSelfer_containerArrayElem1234)
if r.TryDecodeAsNil() {
x.HostPID = false
} else {
yyv43 := &x.HostPID
yyv43 := &x.HostNetwork
yym44 := z.DecBinary()
_ = yym44
if false {
@ -15510,13 +15556,57 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
*((*bool)(yyv43)) = r.DecodeBool()
}
}
yyj28++
if yyhl28 {
yyb28 = yyj28 > l
yyj32++
if yyhl32 {
yyb32 = yyj32 > l
} else {
yyb28 = r.CheckBreak()
yyb32 = r.CheckBreak()
}
if yyb28 {
if yyb32 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
z.DecSendContainerState(codecSelfer_containerArrayElem1234)
if r.TryDecodeAsNil() {
x.HostPorts = nil
} else {
yyv45 := &x.HostPorts
yym46 := z.DecBinary()
_ = yym46
if false {
} else {
h.decSliceHostPortRange((*[]HostPortRange)(yyv45), d)
}
}
yyj32++
if yyhl32 {
yyb32 = yyj32 > l
} else {
yyb32 = r.CheckBreak()
}
if yyb32 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
z.DecSendContainerState(codecSelfer_containerArrayElem1234)
if r.TryDecodeAsNil() {
x.HostPID = false
} else {
yyv47 := &x.HostPID
yym48 := z.DecBinary()
_ = yym48
if false {
} else {
*((*bool)(yyv47)) = r.DecodeBool()
}
}
yyj32++
if yyhl32 {
yyb32 = yyj32 > l
} else {
yyb32 = r.CheckBreak()
}
if yyb32 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@ -15524,21 +15614,21 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if r.TryDecodeAsNil() {
x.HostIPC = false
} else {
yyv45 := &x.HostIPC
yym46 := z.DecBinary()
_ = yym46
yyv49 := &x.HostIPC
yym50 := z.DecBinary()
_ = yym50
if false {
} else {
*((*bool)(yyv45)) = r.DecodeBool()
*((*bool)(yyv49)) = r.DecodeBool()
}
}
yyj28++
if yyhl28 {
yyb28 = yyj28 > l
yyj32++
if yyhl32 {
yyb32 = yyj32 > l
} else {
yyb28 = r.CheckBreak()
yyb32 = r.CheckBreak()
}
if yyb28 {
if yyb32 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@ -15546,16 +15636,16 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if r.TryDecodeAsNil() {
x.SELinux = SELinuxStrategyOptions{}
} else {
yyv47 := &x.SELinux
yyv47.CodecDecodeSelf(d)
yyv51 := &x.SELinux
yyv51.CodecDecodeSelf(d)
}
yyj28++
if yyhl28 {
yyb28 = yyj28 > l
yyj32++
if yyhl32 {
yyb32 = yyj32 > l
} else {
yyb28 = r.CheckBreak()
yyb32 = r.CheckBreak()
}
if yyb28 {
if yyb32 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@ -15563,16 +15653,16 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if r.TryDecodeAsNil() {
x.RunAsUser = RunAsUserStrategyOptions{}
} else {
yyv48 := &x.RunAsUser
yyv48.CodecDecodeSelf(d)
yyv52 := &x.RunAsUser
yyv52.CodecDecodeSelf(d)
}
yyj28++
if yyhl28 {
yyb28 = yyj28 > l
yyj32++
if yyhl32 {
yyb32 = yyj32 > l
} else {
yyb28 = r.CheckBreak()
yyb32 = r.CheckBreak()
}
if yyb28 {
if yyb32 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@ -15580,16 +15670,16 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if r.TryDecodeAsNil() {
x.SupplementalGroups = SupplementalGroupsStrategyOptions{}
} else {
yyv49 := &x.SupplementalGroups
yyv49.CodecDecodeSelf(d)
yyv53 := &x.SupplementalGroups
yyv53.CodecDecodeSelf(d)
}
yyj28++
if yyhl28 {
yyb28 = yyj28 > l
yyj32++
if yyhl32 {
yyb32 = yyj32 > l
} else {
yyb28 = r.CheckBreak()
yyb32 = r.CheckBreak()
}
if yyb28 {
if yyb32 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@ -15597,16 +15687,16 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if r.TryDecodeAsNil() {
x.FSGroup = FSGroupStrategyOptions{}
} else {
yyv50 := &x.FSGroup
yyv50.CodecDecodeSelf(d)
yyv54 := &x.FSGroup
yyv54.CodecDecodeSelf(d)
}
yyj28++
if yyhl28 {
yyb28 = yyj28 > l
yyj32++
if yyhl32 {
yyb32 = yyj32 > l
} else {
yyb28 = r.CheckBreak()
yyb32 = r.CheckBreak()
}
if yyb28 {
if yyb32 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@ -15614,26 +15704,74 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if r.TryDecodeAsNil() {
x.ReadOnlyRootFilesystem = false
} else {
yyv51 := &x.ReadOnlyRootFilesystem
yym52 := z.DecBinary()
_ = yym52
yyv55 := &x.ReadOnlyRootFilesystem
yym56 := z.DecBinary()
_ = yym56
if false {
} else {
*((*bool)(yyv51)) = r.DecodeBool()
*((*bool)(yyv55)) = r.DecodeBool()
}
}
yyj32++
if yyhl32 {
yyb32 = yyj32 > l
} else {
yyb32 = r.CheckBreak()
}
if yyb32 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
z.DecSendContainerState(codecSelfer_containerArrayElem1234)
if r.TryDecodeAsNil() {
if x.DefaultAllowPrivilegeEscalation != nil {
x.DefaultAllowPrivilegeEscalation = nil
}
} else {
if x.DefaultAllowPrivilegeEscalation == nil {
x.DefaultAllowPrivilegeEscalation = new(bool)
}
yym58 := z.DecBinary()
_ = yym58
if false {
} else {
*((*bool)(x.DefaultAllowPrivilegeEscalation)) = r.DecodeBool()
}
}
yyj32++
if yyhl32 {
yyb32 = yyj32 > l
} else {
yyb32 = r.CheckBreak()
}
if yyb32 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
z.DecSendContainerState(codecSelfer_containerArrayElem1234)
if r.TryDecodeAsNil() {
x.AllowPrivilegeEscalation = false
} else {
yyv59 := &x.AllowPrivilegeEscalation
yym60 := z.DecBinary()
_ = yym60
if false {
} else {
*((*bool)(yyv59)) = r.DecodeBool()
}
}
for {
yyj28++
if yyhl28 {
yyb28 = yyj28 > l
yyj32++
if yyhl32 {
yyb32 = yyj32 > l
} else {
yyb28 = r.CheckBreak()
yyb32 = r.CheckBreak()
}
if yyb28 {
if yyb32 {
break
}
z.DecSendContainerState(codecSelfer_containerArrayElem1234)
z.DecStructFieldNotFound(yyj28-1, "")
z.DecStructFieldNotFound(yyj32-1, "")
}
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
}
@ -21422,7 +21560,7 @@ func (x codecSelfer1234) decSlicePodSecurityPolicy(v *[]PodSecurityPolicy, d *co
yyrg1 := len(yyv1) > 0
yyv21 := yyv1
yyrl1, yyrt1 = z.DecInferLen(yyl1, z.DecBasicHandle().MaxInitLen, 560)
yyrl1, yyrt1 = z.DecInferLen(yyl1, z.DecBasicHandle().MaxInitLen, 576)
if yyrt1 {
if yyrl1 <= cap(yyv1) {
yyv1 = yyv1[:yyrl1]


@ -954,6 +954,14 @@ type PodSecurityPolicySpec struct {
// will not be forced to.
// +optional
ReadOnlyRootFilesystem bool `json:"readOnlyRootFilesystem,omitempty" protobuf:"varint,14,opt,name=readOnlyRootFilesystem"`
// DefaultAllowPrivilegeEscalation controls the default setting for whether a
// process can gain more privileges than it's parent process.
// +optional
DefaultAllowPrivilegeEscalation *bool `json:"defaultAllowPrivilegeEscalation,omitempty" protobuf:"varint,15,opt,name=defaultAllowPrivilegeEscalation"`
// AllowPrivilegeEscalation determines if a pod can request to allow
// privilege escalation.
// +optional
AllowPrivilegeEscalation bool `json:"allowPrivilegeEscalation,omitempty" protobuf:"varint,16,opt,name=allowPrivilegeEscalation"`
}
// FS Type gives strong typing to different file systems that are used by volumes.
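Review bot: `AllowPrivilegeEscalation` is a plain `bool` with `omitempty`, so a policy that never set the field cannot be told apart from one that set it to false. Policies stored before this field existed will decode it as false, which presumably changes what they admit after an upgrade; if that is not intended, a `*bool` like `DefaultAllowPrivilegeEscalation` keeps "unset" distinct. The comments also leave open what happens when `DefaultAllowPrivilegeEscalation` is true while `AllowPrivilegeEscalation` is false; if validation rejects that combination (validation is not in this hunk), say so on the field, e.g. `// Must not be true when AllowPrivilegeEscalation is false.` In the added comment, "it's parent process" should read "its parent process". The struct begins outside the hunk.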


@ -410,21 +410,23 @@ func (PodSecurityPolicyList) SwaggerDoc() map[string]string {
}
var map_PodSecurityPolicySpec = map[string]string{
"": "Pod Security Policy Spec defines the policy enforced.",
"privileged": "privileged determines if a pod can request to be run as privileged.",
"defaultAddCapabilities": "DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capabiility in both DefaultAddCapabilities and RequiredDropCapabilities.",
"requiredDropCapabilities": "RequiredDropCapabilities are the capabilities that will be dropped from the container. These are required to be dropped and cannot be added.",
"allowedCapabilities": "AllowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author's discretion. You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.",
"volumes": "volumes is a white list of allowed volume plugins. Empty indicates that all plugins may be used.",
"hostNetwork": "hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.",
"hostPorts": "hostPorts determines which host port ranges are allowed to be exposed.",
"hostPID": "hostPID determines if the policy allows the use of HostPID in the pod spec.",
"hostIPC": "hostIPC determines if the policy allows the use of HostIPC in the pod spec.",
"seLinux": "seLinux is the strategy that will dictate the allowable labels that may be set.",
"runAsUser": "runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.",
"supplementalGroups": "SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.",
"fsGroup": "FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.",
"readOnlyRootFilesystem": "ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the PSP should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.",
"": "Pod Security Policy Spec defines the policy enforced.",
"privileged": "privileged determines if a pod can request to be run as privileged.",
"defaultAddCapabilities": "DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capabiility in both DefaultAddCapabilities and RequiredDropCapabilities.",
"requiredDropCapabilities": "RequiredDropCapabilities are the capabilities that will be dropped from the container. These are required to be dropped and cannot be added.",
"allowedCapabilities": "AllowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author's discretion. You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.",
"volumes": "volumes is a white list of allowed volume plugins. Empty indicates that all plugins may be used.",
"hostNetwork": "hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.",
"hostPorts": "hostPorts determines which host port ranges are allowed to be exposed.",
"hostPID": "hostPID determines if the policy allows the use of HostPID in the pod spec.",
"hostIPC": "hostIPC determines if the policy allows the use of HostIPC in the pod spec.",
"seLinux": "seLinux is the strategy that will dictate the allowable labels that may be set.",
"runAsUser": "runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.",
"supplementalGroups": "SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.",
"fsGroup": "FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.",
"readOnlyRootFilesystem": "ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the PSP should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.",
"defaultAllowPrivilegeEscalation": "DefaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than it's parent process.",
"allowPrivilegeEscalation": "AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation.",
}
func (PodSecurityPolicySpec) SwaggerDoc() map[string]string {


@ -1321,6 +1321,15 @@ func (in *PodSecurityPolicySpec) DeepCopyInto(out *PodSecurityPolicySpec) {
in.RunAsUser.DeepCopyInto(&out.RunAsUser)
in.SupplementalGroups.DeepCopyInto(&out.SupplementalGroups)
in.FSGroup.DeepCopyInto(&out.FSGroup)
if in.DefaultAllowPrivilegeEscalation != nil {
in, out := &in.DefaultAllowPrivilegeEscalation, &out.DefaultAllowPrivilegeEscalation
if *in == nil {
*out = nil
} else {
*out = new(bool)
**out = **in
}
}
return
}


@ -118,6 +118,7 @@ go_test(
"//test/e2e_node/services:go_default_library",
"//test/e2e_node/system:go_default_library",
"//test/utils:go_default_library",
"//vendor/github.com/blang/semver:go_default_library",
"//vendor/github.com/coreos/go-systemd/util:go_default_library",
"//vendor/github.com/davecgh/go-spew/spew:go_default_library",
"//vendor/github.com/golang/glog:go_default_library",


@ -53,6 +53,7 @@ var NodeImageWhiteList = sets.NewString(
"gcr.io/google_containers/nginx-slim:0.7",
"gcr.io/google_containers/serve_hostname:v1.4",
"gcr.io/google_containers/netexec:1.7",
"gcr.io/google_containers/nonewprivs:1.2",
framework.GetPauseImageNameForHostArch(),
)


@ -28,6 +28,7 @@ import (
"k8s.io/apimachinery/pkg/util/uuid"
"k8s.io/kubernetes/test/e2e/framework"
"github.com/blang/semver"
. "github.com/onsi/ginkgo"
)
@ -375,4 +376,87 @@ var _ = framework.KubeDescribe("Security Context", func() {
}
})
})
Context("when creating containers with AllowPrivilegeEscalation", func() {
BeforeEach(func() {
if framework.TestContext.ContainerRuntime == "docker" {
// parse the docker version
out, err := exec.Command("docker", "-v").CombinedOutput()
if err != nil {
framework.Failf("checking docker version failed output %s: %v", string(out), err)
}
parts := strings.Split(string(out), ",")
parts = strings.Split(parts[0], " ")
dversion := parts[len(parts)-1]
version, err := semver.New(dversion)
if err != nil {
framework.Failf("parsing docker version %q failed: %v", dversion, err)
}
if version.LT(semver.Version{Major: 1, Minor: 11}) {
// make sure its >= 1.11 thats when "no-new-privileges" was added
framework.Skipf("Skipping no_new_privs tests, docker version is < 1.11 it is %s", version.String())
}
}
})
makeAllowPrivilegeEscalationPod := func(podName string, allowPrivilegeEscalation *bool, uid int64) *v1.Pod {
return &v1.Pod{
ObjectMeta: metav1.ObjectMeta{
Name: podName,
},
Spec: v1.PodSpec{
RestartPolicy: v1.RestartPolicyNever,
Containers: []v1.Container{
{
Image: "gcr.io/google_containers/nonewprivs:1.2",
Name: podName,
SecurityContext: &v1.SecurityContext{
AllowPrivilegeEscalation: allowPrivilegeEscalation,
RunAsUser: &uid,
},
},
},
},
}
}
createAndMatchOutput := func(podName, output string, allowPrivilegeEscalation *bool, uid int64) error {
podClient.Create(makeAllowPrivilegeEscalationPod(podName,
allowPrivilegeEscalation,
uid,
))
podClient.WaitForSuccess(podName, framework.PodStartTimeout)
if err := podClient.MatchContainerOutput(podName, podName, output); err != nil {
return err
}
return nil
}
It("should allow privilege escalation when not explicitly set and uid != 0", func() {
podName := "alpine-nnp-nil-" + string(uuid.NewUUID())
if err := createAndMatchOutput(podName, "Effective uid: 0", nil, 1000); err != nil {
framework.Failf("Match output for pod %q failed: %v", podName, err)
}
})
It("should not allow privilege escalation when false", func() {
podName := "alpine-nnp-false-" + string(uuid.NewUUID())
apeFalse := false
if err := createAndMatchOutput(podName, "Effective uid: 1000", &apeFalse, 1000); err != nil {
framework.Failf("Match output for pod %q failed: %v", podName, err)
}
})
It("should allow privilege escalation when true", func() {
podName := "alpine-nnp-true-" + string(uuid.NewUUID())
apeTrue := true
if err := createAndMatchOutput(podName, "Effective uid: 0", &apeTrue, 1000); err != nil {
framework.Failf("Match output for pod %q failed: %v", podName, err)
}
})
})
})
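Review bot: In the `BeforeEach`, `semver.New(dversion)` does strict semantic-version parsing, and as far as I know blang/semver rejects numeric parts with leading zeros, so a Docker release numbered like `17.06.0-ce` (constructed example) would end in `framework.Failf` instead of running the tests. The version is also taken from the text of `docker -v` by splitting on `,` and spaces, which breaks if the banner format changes; I would parse only the major and minor integers and call `framework.Skipf` or log when the string cannot be parsed, rather than failing the suite. The new code uses `exec` and `strings` while the import hunk adds only `semver`, so check that both are already imported. The three cases all run as uid 1000 without extra capabilities; the documented rule that the setting is always true for privileged containers or those with CAP_SYS_ADMIN has no case here. The enclosing `KubeDescribe` starts outside the hunk.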

1
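--- a/test/images/nonewprivs/.gitignore
+++ b/test/images/nonewprivs/.gitignore
@@ -0,0 +1 @@
+nnp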


@ -0,0 +1,20 @@
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
FROM alpine:latest
COPY nnp /usr/local/bin/nnp
RUN chmod +s /usr/local/bin/nnp
CMD ["nnp"]
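Review bot: `FROM alpine:latest` leaves the base of a published test image unpinned, so rebuilding the same tag can produce different contents; pin a release tag or digest, e.g. `FROM alpine:<pinned-version>`. `RUN chmod +s` sets both the setuid and setgid bits, while the test only reads the effective uid, so `RUN chmod u+s /usr/local/bin/nnp` is enough. A comment stating that the setuid-root binary is deliberate would help anyone scanning the image: `# nnp is intentionally setuid root; it prints the effective uid so the e2e test can tell whether no_new_privs is in effect.`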


@ -0,0 +1,33 @@
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
.PHONY: all image push clean
TAG = 1.2
PREFIX = gcr.io/google_containers
all: push
nnp: nnp.c
gcc -static -o $@ $@.c
image: nnp
docker build --pull -t $(PREFIX)/nonewprivs:$(TAG) .
push: image
gcloud docker -- push $(PREFIX)/nonewprivs:$(TAG)
clean:
rm -f nnp
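Review bot: The default target is `all: push`, so a bare `make` builds the image and pushes it to `$(PREFIX)`; `all: image` with `push` left as an explicit target avoids publishing by accident. The `nnp` rule compiles with whatever gcc and libc the build host has, so the setuid binary shipped in the image depends on the machine that ran `make`; building it inside a pinned build container would make the image reproducible.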


@ -0,0 +1,22 @@
// Copyright 2017 The Kubernetes Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
int main(int argc, char *argv[]){
printf("Effective uid: %d\n", geteuid());
return 0;
}
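Review bot: Nothing in the file says what the program is for; a header comment such as `/* Prints the effective uid. Installed setuid root in the test image, so it reports 0 unless no_new_privs blocks the setuid transition. */` would make the e2e expectations readable from the source. `geteuid()` returns `uid_t`, which is unsigned on Linux, so `printf("Effective uid: %u\n", (unsigned)geteuid());` matches the type; the output for the uids the tests use is unchanged. `argc` and `argv` are unused, so `int main(void)` would do.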