Merge pull request #47019 from jessfraz/allowPrivilegeEscalation

Automatic merge from submit-queue (batch tested with PRs 49651, 49707, 49662, 47019, 49747)

Add support for `no_new_privs` via AllowPrivilegeEscalation

**What this PR does / why we need it**:
Implements kubernetes/community#639
Fixes #38417

Adds `AllowPrivilegeEscalation` and `DefaultAllowPrivilegeEscalation` to `PodSecurityPolicy`.
Adds `AllowPrivilegeEscalation` to container `SecurityContext`.

Adds the proposed behavior to `kuberuntime`, `dockershim`, and `rkt`. Adds a bunch of unit tests to ensure the desired default behavior and that when `DefaultAllowPrivilegeEscalation` is explicitly set.

Tests pass locally with docker and rkt runtimes. There are also a few integration tests with a `setuid` binary for sanity.

**Release note**:

```release-note
Adds AllowPrivilegeEscalation to control whether a process can gain more privileges than it's parent process
```

api/openapi-spec/swagger.json

@@ -57500,6 +57500,10 @@
    "io.k8s.api.core.v1.SecurityContext": {
     "description": "SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext.  When both are set, the values in SecurityContext take precedence.",
     "properties": {
+     "allowPrivilegeEscalation": {
+      "description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than it's parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN",
+      "type": "boolean"
+     },
      "capabilities": {
       "description": "The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime.",
       "$ref": "#/definitions/io.k8s.api.core.v1.Capabilities"
@@ -58938,6 +58942,10 @@
      "fsGroup"
     ],
     "properties": {
+     "allowPrivilegeEscalation": {
+      "description": "AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation.",
+      "type": "boolean"
+     },
      "allowedCapabilities": {
       "description": "AllowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author's discretion. You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.",
       "type": "array",
@@ -58952,6 +58960,10 @@
        "type": "string"
       }
      },
+     "defaultAllowPrivilegeEscalation": {
+      "description": "DefaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than it's parent process.",
+      "type": "boolean"
+     },
      "fsGroup": {
       "description": "FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.",
       "$ref": "#/definitions/io.k8s.api.extensions.v1beta1.FSGroupStrategyOptions"

api/swagger-spec/apps_v1beta1.json

@@ -5340,6 +5340,10 @@
      "readOnlyRootFilesystem": {
       "type": "boolean",
       "description": "Whether this container has a read-only root filesystem. Default is false."
+     },
+     "allowPrivilegeEscalation": {
+      "type": "boolean",
+      "description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than it's parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN"
      }
     }
    },

api/swagger-spec/apps_v1beta2.json

@@ -6556,6 +6556,10 @@
      "readOnlyRootFilesystem": {
       "type": "boolean",
       "description": "Whether this container has a read-only root filesystem. Default is false."
+     },
+     "allowPrivilegeEscalation": {
+      "type": "boolean",
+      "description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than it's parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN"
      }
     }
    },

api/swagger-spec/batch_v1.json

@@ -3087,6 +3087,10 @@
      "readOnlyRootFilesystem": {
       "type": "boolean",
       "description": "Whether this container has a read-only root filesystem. Default is false."
+     },
+     "allowPrivilegeEscalation": {
+      "type": "boolean",
+      "description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than it's parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN"
      }
     }
    },

api/swagger-spec/batch_v2alpha1.json

@@ -4168,6 +4168,10 @@
      "readOnlyRootFilesystem": {
       "type": "boolean",
       "description": "Whether this container has a read-only root filesystem. Default is false."
+     },
+     "allowPrivilegeEscalation": {
+      "type": "boolean",
+      "description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than it's parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN"
      }
     }
    },

api/swagger-spec/extensions_v1beta1.json

@@ -8197,6 +8197,10 @@
      "readOnlyRootFilesystem": {
       "type": "boolean",
       "description": "Whether this container has a read-only root filesystem. Default is false."
+     },
+     "allowPrivilegeEscalation": {
+      "type": "boolean",
+      "description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than it's parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN"
      }
     }
    },
@@ -9418,6 +9422,14 @@
      "readOnlyRootFilesystem": {
       "type": "boolean",
       "description": "ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file system.  If the container specifically requests to run with a non-read only root file system the PSP should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to."
+     },
+     "defaultAllowPrivilegeEscalation": {
+      "type": "boolean",
+      "description": "DefaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than it's parent process."
+     },
+     "allowPrivilegeEscalation": {
+      "type": "boolean",
+      "description": "AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation."
      }
     }
    },

api/swagger-spec/v1.json

@@ -20643,6 +20643,10 @@
      "readOnlyRootFilesystem": {
       "type": "boolean",
       "description": "Whether this container has a read-only root filesystem. Default is false."
+     },
+     "allowPrivilegeEscalation": {
+      "type": "boolean",
+      "description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than it's parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN"
      }
     }
    },

docs/api-reference/apps/v1beta1/definitions.html

@@ -6023,6 +6023,13 @@ Examples:<br>
 <td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
 </tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">allowPrivilegeEscalation</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">AllowPrivilegeEscalation controls whether a process can gain more privileges than it&#8217;s parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
+</tr>
 </tbody>
 </table>
 

docs/api-reference/apps/v1beta2/definitions.html

@@ -6219,6 +6219,13 @@ Examples:<br>
 <td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
 </tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">allowPrivilegeEscalation</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">AllowPrivilegeEscalation controls whether a process can gain more privileges than it&#8217;s parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
+</tr>
 </tbody>
 </table>
 

docs/api-reference/batch/v1/definitions.html

@@ -5001,6 +5001,13 @@ Examples:<br>
 <td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
 </tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">allowPrivilegeEscalation</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">AllowPrivilegeEscalation controls whether a process can gain more privileges than it&#8217;s parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
+</tr>
 </tbody>
 </table>
 

docs/api-reference/batch/v2alpha1/definitions.html

@@ -4939,6 +4939,13 @@ Examples:<br>
 <td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
 </tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">allowPrivilegeEscalation</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">AllowPrivilegeEscalation controls whether a process can gain more privileges than it&#8217;s parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
+</tr>
 </tbody>
 </table>
 

docs/api-reference/extensions/v1beta1/definitions.html

@@ -6969,6 +6969,13 @@ Both these may change in the future. Incoming requests are matched against the h
 <td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
 </tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">allowPrivilegeEscalation</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">AllowPrivilegeEscalation controls whether a process can gain more privileges than it&#8217;s parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
+</tr>
 </tbody>
 </table>
 
@@ -7594,6 +7601,20 @@ Both these may change in the future. Incoming requests are matched against the h
 <td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
 </tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">defaultAllowPrivilegeEscalation</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">DefaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than it&#8217;s parent process.</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">allowPrivilegeEscalation</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation.</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
+</tr>
 </tbody>
 </table>
 

docs/api-reference/v1/definitions.html

@@ -8366,6 +8366,13 @@ Examples:<br>
 <td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
 </tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">allowPrivilegeEscalation</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">AllowPrivilegeEscalation controls whether a process can gain more privileges than it&#8217;s parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
+</tr>
 </tbody>
 </table>
 

federation/apis/openapi-spec/swagger.json

@@ -11676,6 +11676,10 @@
    "io.k8s.api.core.v1.SecurityContext": {
     "description": "SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext.  When both are set, the values in SecurityContext take precedence.",
     "properties": {
+     "allowPrivilegeEscalation": {
+      "description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than it's parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN",
+      "type": "boolean"
+     },
      "capabilities": {
       "description": "The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime.",
       "$ref": "#/definitions/io.k8s.api.core.v1.Capabilities"

federation/apis/swagger-spec/extensions_v1beta1.json

@@ -6556,6 +6556,10 @@
      "readOnlyRootFilesystem": {
       "type": "boolean",
       "description": "Whether this container has a read-only root filesystem. Default is false."
+     },
+     "allowPrivilegeEscalation": {
+      "type": "boolean",
+      "description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than it's parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN"
      }
     }
    },

federation/docs/api-reference/extensions/v1beta1/definitions.html

@@ -6452,6 +6452,13 @@ Both these may change in the future. Incoming requests are matched against the h
 <td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
 </tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">allowPrivilegeEscalation</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">AllowPrivilegeEscalation controls whether a process can gain more privileges than it&#8217;s parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
+</tr>
 </tbody>
 </table>
 

pkg/api/types.go

@@ -4030,6 +4030,11 @@ type SecurityContext struct {
 	// files to, ensuring the persistent data can only be written to mounts.
 	// +optional
 	ReadOnlyRootFilesystem *bool
+	// AllowPrivilegeEscalation controls whether a process can gain more
+	// privileges than it's parent process. This bool directly controls if
+	// the no_new_privs flag will be set on the container process.
+	// +optional
+	AllowPrivilegeEscalation *bool
 }
 
 // SELinuxOptions are the labels to be applied to the container.

pkg/api/v1/conversion.go

@@ -675,6 +675,30 @@ func Convert_v1_Secret_To_api_Secret(in *v1.Secret, out *api.Secret, s conversio
 
 	return nil
 }
+func Convert_api_SecurityContext_To_v1_SecurityContext(in *api.SecurityContext, out *v1.SecurityContext, s conversion.Scope) error {
+	if in.Capabilities != nil {
+		out.Capabilities = new(v1.Capabilities)
+		if err := Convert_api_Capabilities_To_v1_Capabilities(in.Capabilities, out.Capabilities, s); err != nil {
+			return err
+		}
+	} else {
+		out.Capabilities = nil
+	}
+	out.Privileged = in.Privileged
+	if in.SELinuxOptions != nil {
+		out.SELinuxOptions = new(v1.SELinuxOptions)
+		if err := Convert_api_SELinuxOptions_To_v1_SELinuxOptions(in.SELinuxOptions, out.SELinuxOptions, s); err != nil {
+			return err
+		}
+	} else {
+		out.SELinuxOptions = nil
+	}
+	out.RunAsUser = in.RunAsUser
+	out.RunAsNonRoot = in.RunAsNonRoot
+	out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
+	out.AllowPrivilegeEscalation = in.AllowPrivilegeEscalation
+	return nil
+}
 
 func Convert_api_PodSecurityContext_To_v1_PodSecurityContext(in *api.PodSecurityContext, out *v1.PodSecurityContext, s conversion.Scope) error {
 	out.SupplementalGroups = in.SupplementalGroups

pkg/api/v1/zz_generated.conversion.go

@@ -888,7 +888,15 @@ func autoConvert_v1_Container_To_api_Container(in *v1.Container, out *api.Contai
 	out.TerminationMessagePath = in.TerminationMessagePath
 	out.TerminationMessagePolicy = api.TerminationMessagePolicy(in.TerminationMessagePolicy)
 	out.ImagePullPolicy = api.PullPolicy(in.ImagePullPolicy)
-	out.SecurityContext = (*api.SecurityContext)(unsafe.Pointer(in.SecurityContext))
+	if in.SecurityContext != nil {
+		in, out := &in.SecurityContext, &out.SecurityContext
+		*out = new(api.SecurityContext)
+		if err := Convert_v1_SecurityContext_To_api_SecurityContext(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.SecurityContext = nil
+	}
 	out.Stdin = in.Stdin
 	out.StdinOnce = in.StdinOnce
 	out.TTY = in.TTY
@@ -919,7 +927,15 @@ func autoConvert_api_Container_To_v1_Container(in *api.Container, out *v1.Contai
 	out.TerminationMessagePath = in.TerminationMessagePath
 	out.TerminationMessagePolicy = v1.TerminationMessagePolicy(in.TerminationMessagePolicy)
 	out.ImagePullPolicy = v1.PullPolicy(in.ImagePullPolicy)
-	out.SecurityContext = (*v1.SecurityContext)(unsafe.Pointer(in.SecurityContext))
+	if in.SecurityContext != nil {
+		in, out := &in.SecurityContext, &out.SecurityContext
+		*out = new(v1.SecurityContext)
+		if err := Convert_api_SecurityContext_To_v1_SecurityContext(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.SecurityContext = nil
+	}
 	out.Stdin = in.Stdin
 	out.StdinOnce = in.StdinOnce
 	out.TTY = in.TTY
@@ -3502,8 +3518,28 @@ func autoConvert_v1_PodSpec_To_api_PodSpec(in *v1.PodSpec, out *api.PodSpec, s c
 	} else {
 		out.Volumes = nil
 	}
-	out.InitContainers = *(*[]api.Container)(unsafe.Pointer(&in.InitContainers))
+	if in.InitContainers != nil {
-	out.Containers = *(*[]api.Container)(unsafe.Pointer(&in.Containers))
+		in, out := &in.InitContainers, &out.InitContainers
+		*out = make([]api.Container, len(*in))
+		for i := range *in {
+			if err := Convert_v1_Container_To_api_Container(&(*in)[i], &(*out)[i], s); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.InitContainers = nil
+	}
+	if in.Containers != nil {
+		in, out := &in.Containers, &out.Containers
+		*out = make([]api.Container, len(*in))
+		for i := range *in {
+			if err := Convert_v1_Container_To_api_Container(&(*in)[i], &(*out)[i], s); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Containers = nil
+	}
 	out.RestartPolicy = api.RestartPolicy(in.RestartPolicy)
 	out.TerminationGracePeriodSeconds = (*int64)(unsafe.Pointer(in.TerminationGracePeriodSeconds))
 	out.ActiveDeadlineSeconds = (*int64)(unsafe.Pointer(in.ActiveDeadlineSeconds))
@@ -3549,11 +3585,27 @@ func autoConvert_api_PodSpec_To_v1_PodSpec(in *api.PodSpec, out *v1.PodSpec, s c
 	} else {
 		out.Volumes = nil
 	}
-	out.InitContainers = *(*[]v1.Container)(unsafe.Pointer(&in.InitContainers))
+	if in.InitContainers != nil {
-	if in.Containers == nil {
+		in, out := &in.InitContainers, &out.InitContainers
-		out.Containers = make([]v1.Container, 0)
+		*out = make([]v1.Container, len(*in))
+		for i := range *in {
+			if err := Convert_api_Container_To_v1_Container(&(*in)[i], &(*out)[i], s); err != nil {
+				return err
+			}
+		}
 	} else {
-		out.Containers = *(*[]v1.Container)(unsafe.Pointer(&in.Containers))
+		out.InitContainers = nil
+	}
+	if in.Containers != nil {
+		in, out := &in.Containers, &out.Containers
+		*out = make([]v1.Container, len(*in))
+		for i := range *in {
+			if err := Convert_api_Container_To_v1_Container(&(*in)[i], &(*out)[i], s); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Containers = make([]v1.Container, 0)
 	}
 	out.RestartPolicy = v1.RestartPolicy(in.RestartPolicy)
 	out.TerminationGracePeriodSeconds = (*int64)(unsafe.Pointer(in.TerminationGracePeriodSeconds))
@@ -4533,6 +4585,7 @@ func autoConvert_v1_SecurityContext_To_api_SecurityContext(in *v1.SecurityContex
 	out.RunAsUser = (*int64)(unsafe.Pointer(in.RunAsUser))
 	out.RunAsNonRoot = (*bool)(unsafe.Pointer(in.RunAsNonRoot))
 	out.ReadOnlyRootFilesystem = (*bool)(unsafe.Pointer(in.ReadOnlyRootFilesystem))
+	out.AllowPrivilegeEscalation = (*bool)(unsafe.Pointer(in.AllowPrivilegeEscalation))
 	return nil
 }
 
@@ -4548,14 +4601,10 @@ func autoConvert_api_SecurityContext_To_v1_SecurityContext(in *api.SecurityConte
 	out.RunAsUser = (*int64)(unsafe.Pointer(in.RunAsUser))
 	out.RunAsNonRoot = (*bool)(unsafe.Pointer(in.RunAsNonRoot))
 	out.ReadOnlyRootFilesystem = (*bool)(unsafe.Pointer(in.ReadOnlyRootFilesystem))
+	out.AllowPrivilegeEscalation = (*bool)(unsafe.Pointer(in.AllowPrivilegeEscalation))
 	return nil
 }
 
-// Convert_api_SecurityContext_To_v1_SecurityContext is an autogenerated conversion function.
-func Convert_api_SecurityContext_To_v1_SecurityContext(in *api.SecurityContext, out *v1.SecurityContext, s conversion.Scope) error {
-	return autoConvert_api_SecurityContext_To_v1_SecurityContext(in, out, s)
-}
-
 func autoConvert_v1_SerializedReference_To_api_SerializedReference(in *v1.SerializedReference, out *api.SerializedReference, s conversion.Scope) error {
 	if err := Convert_v1_ObjectReference_To_api_ObjectReference(&in.Reference, &out.Reference, s); err != nil {
 		return err

pkg/api/zz_generated.deepcopy.go

@@ -5260,6 +5260,15 @@ func (in *SecurityContext) DeepCopyInto(out *SecurityContext) {
 			**out = **in
 		}
 	}
+	if in.AllowPrivilegeEscalation != nil {
+		in, out := &in.AllowPrivilegeEscalation, &out.AllowPrivilegeEscalation
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(bool)
+			**out = **in
+		}
+	}
 	return
 }
 

pkg/apis/extensions/types.go

@@ -922,6 +922,14 @@ type PodSecurityPolicySpec struct {
 	// will not be forced to.
 	// +optional
 	ReadOnlyRootFilesystem bool
+	// DefaultAllowPrivilegeEscalation controls the default setting for whether a
+	// process can gain more privileges than its parent process.
+	// +optional
+	DefaultAllowPrivilegeEscalation *bool
+	// AllowPrivilegeEscalation determines if a pod can request to allow
+	// privilege escalation.
+	// +optional
+	AllowPrivilegeEscalation bool
 }
 
 // HostPortRange defines a range of host ports that will be enabled by a policy

pkg/apis/extensions/v1beta1/conversion.go

@@ -59,6 +59,7 @@ func addConversionFuncs(scheme *runtime.Scheme) error {
 		Convert_networking_NetworkPolicyPort_To_v1beta1_NetworkPolicyPort,
 		Convert_v1beta1_NetworkPolicySpec_To_networking_NetworkPolicySpec,
 		Convert_networking_NetworkPolicySpec_To_v1beta1_NetworkPolicySpec,
+		Convert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec,
 	)
 	if err != nil {
 		return err
@@ -429,3 +430,7 @@ func Convert_networking_NetworkPolicyList_To_v1beta1_NetworkPolicyList(in *netwo
 	}
 	return nil
 }
+
+func Convert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(in *extensions.PodSecurityPolicySpec, out *extensionsv1beta1.PodSecurityPolicySpec, s conversion.Scope) error {
+	return autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(in, out, s)
+}

pkg/apis/extensions/v1beta1/zz_generated.conversion.go

@@ -1221,6 +1221,8 @@ func autoConvert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySp
 		return err
 	}
 	out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
+	out.DefaultAllowPrivilegeEscalation = (*bool)(unsafe.Pointer(in.DefaultAllowPrivilegeEscalation))
+	out.AllowPrivilegeEscalation = in.AllowPrivilegeEscalation
 	return nil
 }
 
@@ -1262,14 +1264,11 @@ func autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySp
 		return err
 	}
 	out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
+	out.DefaultAllowPrivilegeEscalation = (*bool)(unsafe.Pointer(in.DefaultAllowPrivilegeEscalation))
+	out.AllowPrivilegeEscalation = in.AllowPrivilegeEscalation
 	return nil
 }
 
-// Convert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec is an autogenerated conversion function.
-func Convert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(in *extensions.PodSecurityPolicySpec, out *v1beta1.PodSecurityPolicySpec, s conversion.Scope) error {
-	return autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(in, out, s)
-}
-
 func autoConvert_v1beta1_ReplicaSet_To_extensions_ReplicaSet(in *v1beta1.ReplicaSet, out *extensions.ReplicaSet, s conversion.Scope) error {
 	out.ObjectMeta = in.ObjectMeta
 	if err := Convert_v1beta1_ReplicaSetSpec_To_extensions_ReplicaSetSpec(&in.Spec, &out.Spec, s); err != nil {

pkg/apis/extensions/validation/validation.go

@@ -661,6 +661,7 @@ func ValidatePodSecurityPolicySpec(spec *extensions.PodSecurityPolicySpec, fldPa
 	allErrs = append(allErrs, validatePodSecurityPolicyVolumes(fldPath, spec.Volumes)...)
 	allErrs = append(allErrs, validatePSPCapsAgainstDrops(spec.RequiredDropCapabilities, spec.DefaultAddCapabilities, field.NewPath("defaultAddCapabilities"))...)
 	allErrs = append(allErrs, validatePSPCapsAgainstDrops(spec.RequiredDropCapabilities, spec.AllowedCapabilities, field.NewPath("allowedCapabilities"))...)
+	allErrs = append(allErrs, validatePSPDefaultAllowPrivilegeEscalation(fldPath.Child("defaultAllowPrivilegeEscalation"), spec.DefaultAllowPrivilegeEscalation, spec.AllowPrivilegeEscalation)...)
 
 	return allErrs
 }
@@ -786,6 +787,16 @@ func validatePodSecurityPolicyVolumes(fldPath *field.Path, volumes []extensions.
 	return allErrs
 }
 
+// validatePSPDefaultAllowPrivilegeEscalation validates the DefaultAllowPrivilegeEscalation field against the AllowPrivilegeEscalation field of a PodSecurityPolicy.
+func validatePSPDefaultAllowPrivilegeEscalation(fldPath *field.Path, defaultAllowPrivilegeEscalation *bool, allowPrivilegeEscalation bool) field.ErrorList {
+	allErrs := field.ErrorList{}
+	if defaultAllowPrivilegeEscalation != nil && *defaultAllowPrivilegeEscalation && !allowPrivilegeEscalation {
+		allErrs = append(allErrs, field.Invalid(fldPath, defaultAllowPrivilegeEscalation, "Cannot set DefaultAllowPrivilegeEscalation to true without also setting AllowPrivilegeEscalation to true"))
+	}
+
+	return allErrs
+}
+
 const sysctlPatternSegmentFmt string = "([a-z0-9][-_a-z0-9]*)?[a-z0-9*]"
 const SysctlPatternFmt string = "(" + apivalidation.SysctlSegmentFmt + "\\.)*" + sysctlPatternSegmentFmt
 

pkg/apis/extensions/validation/validation_test.go

@@ -2494,6 +2494,10 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
 		seccomp.AllowedProfilesAnnotationKey: "docker/default,not-good",
 	}
 
+	invalidDefaultAllowPrivilegeEscalation := validPSP()
+	pe := true
+	invalidDefaultAllowPrivilegeEscalation.Spec.DefaultAllowPrivilegeEscalation = &pe
+
 	type testCase struct {
 		psp         *extensions.PodSecurityPolicy
 		errorType   field.ErrorType
@@ -2600,6 +2604,11 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
 			errorType:   field.ErrorTypeInvalid,
 			errorDetail: "must be a valid seccomp profile",
 		},
+		"invalid defaultAllowPrivilegeEscalation": {
+			psp:         invalidDefaultAllowPrivilegeEscalation,
+			errorType:   field.ErrorTypeInvalid,
+			errorDetail: "Cannot set DefaultAllowPrivilegeEscalation to true without also setting AllowPrivilegeEscalation to true",
+		},
 	}
 
 	for k, v := range errorCases {
@@ -2674,6 +2683,11 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
 		seccomp.AllowedProfilesAnnotationKey: "docker/default,unconfined,localhost/foo",
 	}
 
+	validDefaultAllowPrivilegeEscalation := validPSP()
+	pe = true
+	validDefaultAllowPrivilegeEscalation.Spec.DefaultAllowPrivilegeEscalation = &pe
+	validDefaultAllowPrivilegeEscalation.Spec.AllowPrivilegeEscalation = true
+
 	successCases := map[string]struct {
 		psp *extensions.PodSecurityPolicy
 	}{
@@ -2701,6 +2715,9 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
 		"valid seccomp annotations": {
 			psp: validSeccomp,
 		},
+		"valid defaultAllowPrivilegeEscalation as true": {
+			psp: validDefaultAllowPrivilegeEscalation,
+		},
 	}
 
 	for k, v := range successCases {

pkg/apis/extensions/zz_generated.deepcopy.go

@@ -1316,6 +1316,15 @@ func (in *PodSecurityPolicySpec) DeepCopyInto(out *PodSecurityPolicySpec) {
 	in.RunAsUser.DeepCopyInto(&out.RunAsUser)
 	in.SupplementalGroups.DeepCopyInto(&out.SupplementalGroups)
 	in.FSGroup.DeepCopyInto(&out.FSGroup)
+	if in.DefaultAllowPrivilegeEscalation != nil {
+		in, out := &in.DefaultAllowPrivilegeEscalation, &out.DefaultAllowPrivilegeEscalation
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(bool)
+			**out = **in
+		}
+	}
 	return
 }
 

pkg/kubelet/apis/cri/v1alpha1/runtime/api.pb.go

@@ -1349,6 +1349,9 @@ type LinuxContainerSecurityContext struct {
 	// * localhost/<full-path-to-profile>: the profile installed on the node.
 	//   <full-path-to-profile> is the full path of the profile.
 	SeccompProfilePath string `protobuf:"bytes,10,opt,name=seccomp_profile_path,json=seccompProfilePath,proto3" json:"seccomp_profile_path,omitempty"`
+	// no_new_privs defines if the flag for no_new_privs should be set on the
+	// container.
+	NoNewPrivs bool `protobuf:"varint,11,opt,name=no_new_privs,json=noNewPrivs,proto3" json:"no_new_privs,omitempty"`
 }
 
 func (m *LinuxContainerSecurityContext) Reset()      { *m = LinuxContainerSecurityContext{} }
@@ -1427,6 +1430,13 @@ func (m *LinuxContainerSecurityContext) GetSeccompProfilePath() string {
 	return ""
 }
 
+func (m *LinuxContainerSecurityContext) GetNoNewPrivs() bool {
+	if m != nil {
+		return m.NoNewPrivs
+	}
+	return false
+}
+
 // LinuxContainerConfig contains platform-specific configuration for
 // Linux-based containers.
 type LinuxContainerConfig struct {
@@ -5740,6 +5750,16 @@ func (m *LinuxContainerSecurityContext) MarshalTo(dAtA []byte) (int, error) {
 		i = encodeVarintApi(dAtA, i, uint64(len(m.SeccompProfilePath)))
 		i += copy(dAtA[i:], m.SeccompProfilePath)
 	}
+	if m.NoNewPrivs {
+		dAtA[i] = 0x58
+		i++
+		if m.NoNewPrivs {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
 	return i, nil
 }
 
@@ -8702,6 +8722,9 @@ func (m *LinuxContainerSecurityContext) Size() (n int) {
 	if l > 0 {
 		n += 1 + l + sovApi(uint64(l))
 	}
+	if m.NoNewPrivs {
+		n += 2
+	}
 	return n
 }
 
@@ -10161,6 +10184,7 @@ func (this *LinuxContainerSecurityContext) String() string {
 		`SupplementalGroups:` + fmt.Sprintf("%v", this.SupplementalGroups) + `,`,
 		`ApparmorProfile:` + fmt.Sprintf("%v", this.ApparmorProfile) + `,`,
 		`SeccompProfilePath:` + fmt.Sprintf("%v", this.SeccompProfilePath) + `,`,
+		`NoNewPrivs:` + fmt.Sprintf("%v", this.NoNewPrivs) + `,`,
 		`}`,
 	}, "")
 	return s
@@ -16013,6 +16037,26 @@ func (m *LinuxContainerSecurityContext) Unmarshal(dAtA []byte) error {
 			}
 			m.SeccompProfilePath = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
+		case 11:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NoNewPrivs", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowApi
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.NoNewPrivs = bool(v != 0)
 		default:
 			iNdEx = preIndex
 			skippy, err := skipApi(dAtA[iNdEx:])
@@ -24029,260 +24073,262 @@ var (
 func init() { proto.RegisterFile("api.proto", fileDescriptorApi) }
 
 var fileDescriptorApi = []byte{
-	// 4080 bytes of a gzipped FileDescriptorProto
+	// 4103 bytes of a gzipped FileDescriptorProto
 	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x3b, 0x4d, 0x6f, 0x1c, 0x47,
 	0x76, 0x9c, 0x19, 0x7e, 0xcc, 0xbc, 0xe1, 0x0c, 0x87, 0x25, 0x8a, 0x1c, 0x8d, 0x24, 0x9a, 0x6e,
-	0x59, 0xb6, 0xa4, 0x5d, 0xc9, 0x32, 0xbd, 0xb6, 0x63, 0xf9, 0x4b, 0x63, 0x92, 0x32, 0x68, 0x49,
+	0x59, 0xb6, 0xa4, 0x5d, 0xc9, 0x32, 0xbd, 0xb6, 0x63, 0xf9, 0x4b, 0x34, 0x49, 0x19, 0xb4, 0xa4,
-	0x24, 0xb7, 0x47, 0xf4, 0xee, 0x66, 0x03, 0x74, 0x9a, 0xd3, 0xc5, 0x61, 0xdb, 0x33, 0x5d, 0xbd,
+	0x11, 0xb7, 0x47, 0xf4, 0xee, 0x66, 0x03, 0x74, 0x9a, 0xd3, 0xc5, 0x61, 0x5b, 0x33, 0x5d, 0xbd,
-	0xdd, 0xd5, 0xb2, 0x98, 0x53, 0x72, 0x09, 0x72, 0x74, 0x80, 0x5c, 0x72, 0xcb, 0x21, 0xc0, 0x22,
+	0xdd, 0xd5, 0x92, 0x98, 0x53, 0x72, 0x09, 0x72, 0x74, 0x8e, 0xb9, 0xe5, 0x10, 0x60, 0x91, 0x4b,
-	0x97, 0x1c, 0x72, 0xca, 0x2f, 0x08, 0x16, 0x08, 0x02, 0xe4, 0x14, 0x24, 0xb7, 0x5d, 0xe5, 0x90,
+	0x0e, 0x39, 0x04, 0xf9, 0x05, 0xc1, 0x02, 0x41, 0x80, 0x9c, 0x82, 0xe4, 0xb6, 0xab, 0x1c, 0x72,
-	0x43, 0x80, 0xfc, 0x86, 0xa0, 0xbe, 0xba, 0xab, 0xbf, 0x46, 0xa4, 0x6c, 0xec, 0xea, 0xd6, 0xf5,
+	0x08, 0x90, 0xdf, 0x10, 0xd4, 0x57, 0x77, 0xf5, 0xd7, 0x88, 0x94, 0x8d, 0x5d, 0xdd, 0xba, 0x5e,
-	0xea, 0xbd, 0x57, 0xaf, 0xea, 0xbd, 0x7a, 0xf5, 0xde, 0xab, 0x6a, 0x68, 0xd8, 0xbe, 0x7b, 0xc7,
+	0xbd, 0xf7, 0xea, 0x55, 0xbd, 0x57, 0xaf, 0xde, 0x7b, 0x55, 0x0d, 0x0d, 0xdb, 0x77, 0x6f, 0xf9,
-	0x0f, 0x08, 0x25, 0x68, 0x21, 0x88, 0x3c, 0xea, 0x4e, 0x70, 0xef, 0xf6, 0xc8, 0xa5, 0x27, 0xd1,
+	0x01, 0xa1, 0x04, 0x2d, 0x04, 0x91, 0x47, 0xdd, 0x09, 0xee, 0xdd, 0x1c, 0xb9, 0xf4, 0x38, 0x3a,
-	0xd1, 0x9d, 0x21, 0x99, 0xbc, 0x3d, 0x22, 0x23, 0xf2, 0x36, 0xef, 0x3f, 0x8a, 0x8e, 0x79, 0x8b,
+	0xbc, 0x35, 0x24, 0x93, 0x77, 0x47, 0x64, 0x44, 0xde, 0xe5, 0xfd, 0x87, 0xd1, 0x11, 0x6f, 0xf1,
-	0x37, 0xf8, 0x97, 0xa0, 0x33, 0x6e, 0x41, 0xfb, 0x2b, 0x1c, 0x84, 0x2e, 0xf1, 0x4c, 0xfc, 0xab,
+	0x06, 0xff, 0x12, 0x74, 0xc6, 0x0d, 0x68, 0x7f, 0x83, 0x83, 0xd0, 0x25, 0x9e, 0x89, 0x7f, 0x15,
-	0x08, 0x87, 0x14, 0x75, 0x61, 0xe1, 0xa9, 0x80, 0x74, 0x2b, 0x1b, 0x95, 0x1b, 0x0d, 0x53, 0x35,
+	0xe1, 0x90, 0xa2, 0x2e, 0x2c, 0x3c, 0x15, 0x90, 0x6e, 0x65, 0xa3, 0x72, 0xad, 0x61, 0xaa, 0xa6,
-	0x8d, 0x5f, 0x57, 0x60, 0x29, 0x46, 0x0e, 0x7d, 0xe2, 0x85, 0xb8, 0x1c, 0x1b, 0xbd, 0x0e, 0x8b,
+	0xf1, 0xeb, 0x0a, 0x2c, 0xc5, 0xc8, 0xa1, 0x4f, 0xbc, 0x10, 0x97, 0x63, 0xa3, 0x37, 0x61, 0x51,
-	0x52, 0x26, 0xcb, 0xb3, 0x27, 0xb8, 0x5b, 0xe5, 0xdd, 0x4d, 0x09, 0xdb, 0xb3, 0x27, 0x18, 0xbd,
+	0xca, 0x64, 0x79, 0xf6, 0x04, 0x77, 0xab, 0xbc, 0xbb, 0x29, 0x61, 0x7d, 0x7b, 0x82, 0xd1, 0x3b,
-	0x05, 0x4b, 0x0a, 0x45, 0x31, 0xa9, 0x71, 0xac, 0xb6, 0x04, 0xcb, 0xd1, 0xd0, 0x1d, 0xb8, 0xa0,
+	0xb0, 0xa4, 0x50, 0x14, 0x93, 0x1a, 0xc7, 0x6a, 0x4b, 0xb0, 0x1c, 0x0d, 0xdd, 0x82, 0x73, 0x0a,
-	0x10, 0x6d, 0xdf, 0x8d, 0x91, 0x67, 0x39, 0xf2, 0xb2, 0xec, 0xea, 0xfb, 0xae, 0xc4, 0x37, 0x7e,
+	0xd1, 0xf6, 0xdd, 0x18, 0x79, 0x96, 0x23, 0x2f, 0xcb, 0xae, 0x2d, 0xdf, 0x95, 0xf8, 0xc6, 0x2f,
-	0x09, 0x8d, 0xed, 0xbd, 0xc1, 0x16, 0xf1, 0x8e, 0xdd, 0x11, 0x13, 0x31, 0xc4, 0x01, 0xa3, 0xe9,
+	0xa1, 0xb1, 0xd3, 0x1f, 0x6c, 0x13, 0xef, 0xc8, 0x1d, 0x31, 0x11, 0x43, 0x1c, 0x30, 0x9a, 0x6e,
-	0x56, 0x36, 0x6a, 0x4c, 0x44, 0xd9, 0x44, 0x3d, 0xa8, 0x87, 0xd8, 0x0e, 0x86, 0x27, 0x38, 0xec,
+	0x65, 0xa3, 0xc6, 0x44, 0x94, 0x4d, 0xd4, 0x83, 0x7a, 0x88, 0xed, 0x60, 0x78, 0x8c, 0xc3, 0x6e,
-	0x56, 0x79, 0x57, 0xdc, 0x66, 0x54, 0xc4, 0xa7, 0x2e, 0xf1, 0xc2, 0x6e, 0x4d, 0x50, 0xc9, 0xa6,
+	0x95, 0x77, 0xc5, 0x6d, 0x46, 0x45, 0x7c, 0xea, 0x12, 0x2f, 0xec, 0xd6, 0x04, 0x95, 0x6c, 0x1a,
-	0xf1, 0xb7, 0x15, 0x68, 0x1e, 0x90, 0x80, 0x3e, 0xb6, 0x7d, 0xdf, 0xf5, 0x46, 0xe8, 0x36, 0xd4,
+	0x7f, 0x53, 0x81, 0xe6, 0x3e, 0x09, 0xe8, 0x43, 0xdb, 0xf7, 0x5d, 0x6f, 0x84, 0x6e, 0x42, 0x9d,
-	0xf9, 0x5a, 0x0e, 0xc9, 0x98, 0xaf, 0x41, 0x7b, 0x73, 0xf9, 0x8e, 0x14, 0xe9, 0xce, 0x81, 0xec,
+	0xaf, 0xe5, 0x90, 0x8c, 0xf9, 0x1a, 0xb4, 0x37, 0x97, 0x6f, 0x49, 0x91, 0x6e, 0xed, 0xcb, 0x0e,
-	0x30, 0x63, 0x14, 0x74, 0x1d, 0xda, 0x43, 0xe2, 0x51, 0xdb, 0xf5, 0x70, 0x60, 0xf9, 0x24, 0xa0,
+	0x33, 0x46, 0x41, 0x57, 0xa1, 0x3d, 0x24, 0x1e, 0xb5, 0x5d, 0x0f, 0x07, 0x96, 0x4f, 0x02, 0xca,
-	0x7c, 0x65, 0xe6, 0xcc, 0x56, 0x0c, 0x65, 0xcc, 0xd1, 0x65, 0x68, 0x9c, 0x90, 0x90, 0x0a, 0x8c,
+	0x57, 0x66, 0xce, 0x6c, 0xc5, 0x50, 0xc6, 0x1c, 0x5d, 0x84, 0xc6, 0x31, 0x09, 0xa9, 0xc0, 0xa8,
-	0x1a, 0xc7, 0xa8, 0x33, 0x00, 0xef, 0x5c, 0x83, 0x05, 0xde, 0xe9, 0xfa, 0x72, 0x0d, 0xe6, 0x59,
+	0x71, 0x8c, 0x3a, 0x03, 0xf0, 0xce, 0x35, 0x58, 0xe0, 0x9d, 0xae, 0x2f, 0xd7, 0x60, 0x9e, 0x35,
-	0x73, 0xd7, 0x37, 0xbe, 0xab, 0xc0, 0xdc, 0x63, 0x12, 0x79, 0x34, 0x33, 0x8c, 0x4d, 0x4f, 0xa4,
+	0xf7, 0x7c, 0xe3, 0xbb, 0x0a, 0xcc, 0x3d, 0x24, 0x91, 0x47, 0x33, 0xc3, 0xd8, 0xf4, 0x58, 0xea,
-	0x7e, 0xb4, 0x61, 0x6c, 0x7a, 0x92, 0x0c, 0xc3, 0x30, 0x84, 0x8a, 0xc4, 0x30, 0xac, 0xb3, 0x07,
+	0x47, 0x1b, 0xc6, 0xa6, 0xc7, 0xc9, 0x30, 0x0c, 0x43, 0xa8, 0x48, 0x0c, 0xc3, 0x3a, 0x7b, 0x50,
-	0xf5, 0x00, 0xdb, 0x0e, 0xf1, 0xc6, 0xa7, 0x5c, 0x84, 0xba, 0x19, 0xb7, 0x99, 0xee, 0x42, 0x3c,
+	0x0f, 0xb0, 0xed, 0x10, 0x6f, 0x7c, 0xc2, 0x45, 0xa8, 0x9b, 0x71, 0x9b, 0xe9, 0x2e, 0xc4, 0x63,
-	0x76, 0xbd, 0xe8, 0x99, 0x15, 0xe0, 0xb1, 0x7d, 0x84, 0xc7, 0x5c, 0x94, 0xba, 0xd9, 0x96, 0x60,
+	0xd7, 0x8b, 0x9e, 0x5b, 0x01, 0x1e, 0xdb, 0x87, 0x78, 0xcc, 0x45, 0xa9, 0x9b, 0x6d, 0x09, 0x36,
-	0x53, 0x40, 0x8d, 0xaf, 0x61, 0x89, 0x29, 0x3b, 0xf4, 0xed, 0x21, 0xde, 0xe7, 0x4b, 0xc8, 0x4c,
+	0x05, 0xd4, 0xf8, 0x16, 0x96, 0x98, 0xb2, 0x43, 0xdf, 0x1e, 0xe2, 0x47, 0x7c, 0x09, 0x99, 0x69,
-	0x83, 0x0f, 0xea, 0x61, 0xfa, 0x2d, 0x09, 0xbe, 0xe1, 0x92, 0xd5, 0xcd, 0x26, 0x83, 0xed, 0x09,
+	0xf0, 0x41, 0x3d, 0x4c, 0x9f, 0x91, 0xe0, 0x09, 0x97, 0xac, 0x6e, 0x36, 0x19, 0xac, 0x2f, 0x40,
-	0x10, 0xba, 0x04, 0x75, 0x21, 0x97, 0xeb, 0x70, 0xb1, 0xea, 0x26, 0x9f, 0xf1, 0x81, 0xeb, 0xc4,
+	0xe8, 0x02, 0xd4, 0x85, 0x5c, 0xae, 0xc3, 0xc5, 0xaa, 0x9b, 0x7c, 0xc6, 0xfb, 0xae, 0x13, 0x77,
-	0x5d, 0xae, 0x3f, 0x94, 0x52, 0x2d, 0x88, 0xd9, 0x0f, 0x0d, 0x03, 0x60, 0xd7, 0xa3, 0xef, 0xff,
+	0xb9, 0xfe, 0x50, 0x4a, 0xb5, 0x20, 0x66, 0x3f, 0x34, 0x0c, 0x80, 0x3d, 0x8f, 0x7e, 0xf8, 0x93,
-	0xe4, 0x2b, 0x7b, 0x1c, 0x61, 0xb4, 0x02, 0x73, 0x4f, 0xd9, 0x07, 0xe7, 0x5f, 0x33, 0x45, 0xc3,
+	0x6f, 0xec, 0x71, 0x84, 0xd1, 0x0a, 0xcc, 0x3d, 0x65, 0x1f, 0x9c, 0x7f, 0xcd, 0x14, 0x0d, 0xe3,
-	0xf8, 0xcb, 0x1a, 0x5c, 0x7e, 0xc4, 0x04, 0x1c, 0xd8, 0x9e, 0x73, 0x44, 0x9e, 0x0d, 0xf0, 0x30,
+	0x2f, 0x6b, 0x70, 0xf1, 0x01, 0x13, 0x70, 0x60, 0x7b, 0xce, 0x21, 0x79, 0x3e, 0xc0, 0xc3, 0x28,
-	0x0a, 0x5c, 0x7a, 0xba, 0x45, 0x3c, 0x8a, 0x9f, 0x51, 0xb4, 0x03, 0xcb, 0x9e, 0x92, 0xd7, 0x52,
+	0x70, 0xe9, 0xc9, 0x36, 0xf1, 0x28, 0x7e, 0x4e, 0xd1, 0x2e, 0x2c, 0x7b, 0x4a, 0x5e, 0x4b, 0x99,
-	0x26, 0xc0, 0x38, 0x34, 0x37, 0xbb, 0xb1, 0x5e, 0x33, 0x33, 0x32, 0x3b, 0x5e, 0x1a, 0x10, 0xa2,
+	0x00, 0xe3, 0xd0, 0xdc, 0xec, 0xc6, 0x7a, 0xcd, 0xcc, 0xc8, 0xec, 0x78, 0x69, 0x40, 0x88, 0xbe,
-	0xcf, 0x92, 0xf5, 0x51, 0x4c, 0xaa, 0x9c, 0xc9, 0x6a, 0xcc, 0x64, 0xb0, 0xc3, 0xe5, 0x90, 0x2c,
+	0x48, 0xd6, 0x47, 0x31, 0xa9, 0x72, 0x26, 0xab, 0x31, 0x93, 0xc1, 0x2e, 0x97, 0x43, 0xb2, 0x50,
-	0xd4, 0xba, 0x29, 0x06, 0xef, 0x02, 0xdb, 0x2b, 0x96, 0x1d, 0x5a, 0x51, 0x88, 0x03, 0x3e, 0xd3,
+	0xeb, 0xa6, 0x18, 0xbc, 0x0f, 0x6c, 0xaf, 0x58, 0x76, 0x68, 0x45, 0x21, 0x0e, 0xf8, 0x4c, 0x9b,
-	0xe6, 0xe6, 0x85, 0x98, 0x38, 0x99, 0xa7, 0xd9, 0x08, 0x22, 0xaf, 0x1f, 0x1e, 0x86, 0x38, 0xe0,
+	0x9b, 0xe7, 0x62, 0xe2, 0x64, 0x9e, 0x66, 0x23, 0x88, 0xbc, 0xad, 0xf0, 0x20, 0xc4, 0x01, 0xdf,
-	0x3b, 0x4a, 0x6a, 0xc8, 0x0a, 0x08, 0xa1, 0xc7, 0xa1, 0xd2, 0x8a, 0x02, 0x9b, 0x1c, 0x8a, 0xde,
+	0x51, 0x52, 0x43, 0x56, 0x40, 0x08, 0x3d, 0x0a, 0x95, 0x56, 0x14, 0xd8, 0xe4, 0x50, 0xf4, 0x2e,
-	0x86, 0x0b, 0x61, 0xe4, 0xfb, 0x63, 0x3c, 0xc1, 0x1e, 0xb5, 0xc7, 0xd6, 0x28, 0x20, 0x91, 0x1f,
+	0x9c, 0x0b, 0x23, 0xdf, 0x1f, 0xe3, 0x09, 0xf6, 0xa8, 0x3d, 0xb6, 0x46, 0x01, 0x89, 0xfc, 0xb0,
-	0x76, 0xe7, 0x36, 0x6a, 0x37, 0x6a, 0x26, 0xd2, 0xbb, 0xbe, 0xe0, 0x3d, 0x68, 0x1d, 0xc0, 0x0f,
+	0x3b, 0xb7, 0x51, 0xbb, 0x56, 0x33, 0x91, 0xde, 0xf5, 0x15, 0xef, 0x41, 0xeb, 0x00, 0x7e, 0xe0,
-	0xdc, 0xa7, 0xee, 0x18, 0x8f, 0xb0, 0xd3, 0x9d, 0xe7, 0x4c, 0x35, 0x08, 0xba, 0x0b, 0x2b, 0x21,
+	0x3e, 0x75, 0xc7, 0x78, 0x84, 0x9d, 0xee, 0x3c, 0x67, 0xaa, 0x41, 0xd0, 0x6d, 0x58, 0x09, 0xf1,
-	0x1e, 0x0e, 0xc9, 0xc4, 0xb7, 0xfc, 0x80, 0x1c, 0xbb, 0x63, 0x2c, 0x6c, 0x6a, 0x81, 0xdb, 0x14,
+	0x70, 0x48, 0x26, 0xbe, 0xe5, 0x07, 0xe4, 0xc8, 0x1d, 0x63, 0x61, 0x53, 0x0b, 0xdc, 0xa6, 0x90,
-	0x92, 0x7d, 0x07, 0xa2, 0x8b, 0x59, 0x97, 0xf1, 0x5d, 0x15, 0x2e, 0xf2, 0x05, 0x38, 0x20, 0x8e,
+	0xec, 0xdb, 0x17, 0x5d, 0xcc, 0xba, 0x8c, 0xef, 0xaa, 0x70, 0x9e, 0x2f, 0xc0, 0x3e, 0x71, 0xa4,
-	0xd4, 0x85, 0xdc, 0xb1, 0xd7, 0xa0, 0x35, 0xe4, 0x02, 0x59, 0xbe, 0x1d, 0x60, 0x8f, 0x4a, 0xd3,
+	0x2e, 0xe4, 0x8e, 0xbd, 0x02, 0xad, 0x21, 0x17, 0xc8, 0xf2, 0xed, 0x00, 0x7b, 0x54, 0x9a, 0xee,
-	0x5d, 0x14, 0xc0, 0x03, 0x0e, 0x43, 0xfb, 0xd0, 0x09, 0xa5, 0xea, 0xac, 0xa1, 0xd0, 0x9d, 0x5c,
+	0xa2, 0x00, 0xee, 0x73, 0x18, 0x7a, 0x04, 0x9d, 0x50, 0xaa, 0xce, 0x1a, 0x0a, 0xdd, 0xc9, 0x15,
-	0xe1, 0x37, 0xe2, 0x45, 0x9a, 0xa2, 0x67, 0x73, 0x29, 0xcc, 0x29, 0x7e, 0x21, 0x3c, 0x0d, 0x87,
+	0x7e, 0x2b, 0x5e, 0xa4, 0x29, 0x7a, 0x36, 0x97, 0xc2, 0x9c, 0xe2, 0x17, 0xc2, 0x93, 0x70, 0x48,
-	0x74, 0x2c, 0x76, 0x7c, 0x73, 0xf3, 0x47, 0x69, 0x3e, 0x59, 0x31, 0xef, 0x0c, 0x04, 0xf6, 0x8e,
+	0xc7, 0x62, 0xc7, 0x37, 0x37, 0x7f, 0x94, 0xe6, 0x93, 0x15, 0xf3, 0xd6, 0x40, 0x60, 0xef, 0x7a,
-	0x47, 0x83, 0x53, 0x53, 0xd1, 0xf6, 0xee, 0xc1, 0xa2, 0xde, 0x81, 0x3a, 0x50, 0xfb, 0x06, 0x9f,
+	0x34, 0x38, 0x31, 0x15, 0x6d, 0xef, 0x0e, 0x2c, 0xea, 0x1d, 0xa8, 0x03, 0xb5, 0x27, 0xf8, 0x44,
-	0xca, 0x29, 0xb0, 0xcf, 0xc4, 0x2e, 0xc5, 0x7e, 0x13, 0x8d, 0x7b, 0xd5, 0x3f, 0xaa, 0x18, 0x01,
+	0x4e, 0x81, 0x7d, 0x26, 0x76, 0x29, 0xf6, 0x9b, 0x68, 0xdc, 0xa9, 0xfe, 0x51, 0xc5, 0x08, 0x00,
-	0xa0, 0x64, 0x94, 0xc7, 0x98, 0xda, 0x8e, 0x4d, 0x6d, 0x84, 0x60, 0x96, 0x7b, 0x50, 0xc1, 0x82,
+	0x25, 0xa3, 0x3c, 0xc4, 0xd4, 0x76, 0x6c, 0x6a, 0x23, 0x04, 0xb3, 0xdc, 0x83, 0x0a, 0x16, 0xfc,
-	0x7f, 0x33, 0xae, 0x91, 0xdc, 0x1a, 0x0d, 0x93, 0x7d, 0xa2, 0x2b, 0xd0, 0x88, 0x8d, 0x50, 0xba,
+	0x9b, 0x71, 0x8d, 0xe4, 0xd6, 0x68, 0x98, 0xec, 0x13, 0x5d, 0x82, 0x46, 0x6c, 0x84, 0xd2, 0x8d,
-	0xd1, 0x04, 0xc0, 0xdc, 0x99, 0x4d, 0x29, 0x9e, 0xf8, 0x94, 0x1b, 0x44, 0xcb, 0x54, 0x4d, 0xe3,
+	0x26, 0x00, 0xe6, 0xce, 0x6c, 0x4a, 0xf1, 0xc4, 0xa7, 0xdc, 0x20, 0x5a, 0xa6, 0x6a, 0x1a, 0xff,
-	0x9f, 0x67, 0xa1, 0x93, 0xd3, 0xc0, 0x07, 0x50, 0x9f, 0xc8, 0xe1, 0xa5, 0xed, 0x5f, 0x4e, 0x7c,
+	0x3c, 0x0b, 0x9d, 0x9c, 0x06, 0x3e, 0x82, 0xfa, 0x44, 0x0e, 0x2f, 0x6d, 0xff, 0x62, 0xe2, 0xd3,
-	0x5a, 0x4e, 0x42, 0x33, 0x46, 0x66, 0x2e, 0x83, 0x6d, 0x46, 0xcd, 0xe3, 0xc7, 0x6d, 0xa6, 0xd6,
+	0x72, 0x12, 0x9a, 0x31, 0x32, 0x73, 0x19, 0x6c, 0x33, 0x6a, 0x1e, 0x3f, 0x6e, 0x33, 0xb5, 0x8e,
-	0x31, 0x19, 0x59, 0x8e, 0x1b, 0xe0, 0x21, 0x25, 0xc1, 0xa9, 0x94, 0x72, 0x71, 0x4c, 0x46, 0xdb,
+	0xc9, 0xc8, 0x72, 0xdc, 0x00, 0x0f, 0x29, 0x09, 0x4e, 0xa4, 0x94, 0x8b, 0x63, 0x32, 0xda, 0x51,
-	0x0a, 0x86, 0xde, 0x01, 0x70, 0xbc, 0x90, 0x69, 0xf4, 0xd8, 0x1d, 0x71, 0x59, 0x9b, 0x9b, 0x28,
+	0x30, 0xf4, 0x1e, 0x80, 0xe3, 0x85, 0x4c, 0xa3, 0x47, 0xee, 0x88, 0xcb, 0xda, 0xdc, 0x44, 0xf1,
-	0x1e, 0x3b, 0xf6, 0xea, 0x66, 0xc3, 0xf1, 0x42, 0x29, 0xec, 0x87, 0xd0, 0x62, 0x5e, 0xd2, 0x9a,
+	0xd8, 0xb1, 0x57, 0x37, 0x1b, 0x8e, 0x17, 0x4a, 0x61, 0x3f, 0x86, 0x16, 0xf3, 0x92, 0xd6, 0x44,
-	0x08, 0x87, 0x2c, 0xac, 0xb8, 0xb9, 0xb9, 0xa2, 0x49, 0x1c, 0x7b, 0x6b, 0x73, 0xd1, 0x4f, 0x1a,
+	0x38, 0x64, 0x61, 0xc5, 0xcd, 0xcd, 0x15, 0x4d, 0xe2, 0xd8, 0x5b, 0x9b, 0x8b, 0x7e, 0xd2, 0x08,
-	0x21, 0xfa, 0x04, 0xe6, 0xb9, 0x97, 0x0a, 0xbb, 0xf3, 0x9c, 0xe6, 0x7a, 0xc1, 0x2c, 0xa5, 0xb6,
+	0xd1, 0x67, 0x30, 0xcf, 0xbd, 0x54, 0xd8, 0x9d, 0xe7, 0x34, 0x57, 0x0b, 0x66, 0x29, 0xb5, 0xfd,
-	0x1f, 0x71, 0x3c, 0xa1, 0x6c, 0x49, 0x84, 0x1e, 0x41, 0xd3, 0xf6, 0x3c, 0x42, 0x6d, 0xb1, 0xc1,
+	0x80, 0xe3, 0x09, 0x65, 0x4b, 0x22, 0xf4, 0x00, 0x9a, 0xb6, 0xe7, 0x11, 0x6a, 0x8b, 0x0d, 0xbe,
-	0x17, 0x38, 0x8f, 0x5b, 0xe5, 0x3c, 0xfa, 0x09, 0xb2, 0x60, 0xa4, 0x93, 0xa3, 0x9f, 0xc0, 0x1c,
+	0xc0, 0x79, 0xdc, 0x28, 0xe7, 0xb1, 0x95, 0x20, 0x0b, 0x46, 0x3a, 0x39, 0xfa, 0x09, 0xcc, 0x71,
-	0xf7, 0x00, 0xdd, 0x3a, 0x9f, 0xf5, 0xfa, 0x74, 0xf3, 0x33, 0x05, 0x72, 0xef, 0x43, 0x68, 0x6a,
+	0x0f, 0xd0, 0xad, 0xf3, 0x59, 0xaf, 0x4f, 0x37, 0x3f, 0x53, 0x20, 0xf7, 0x3e, 0x86, 0xa6, 0x26,
-	0xa2, 0x9d, 0xc7, 0xdc, 0x7a, 0x9f, 0x42, 0x27, 0x2b, 0xd1, 0xb9, 0xcc, 0x75, 0x17, 0x56, 0xcc,
+	0xda, 0x59, 0xcc, 0xad, 0xf7, 0x39, 0x74, 0xb2, 0x12, 0x9d, 0xc9, 0x5c, 0xf7, 0x60, 0xc5, 0x8c,
-	0xc8, 0x4b, 0x04, 0x53, 0x21, 0xc4, 0x3b, 0x30, 0x2f, 0xf5, 0x27, 0x6c, 0xe7, 0x52, 0xe9, 0x8a,
+	0xbc, 0x44, 0x30, 0x15, 0x42, 0xbc, 0x07, 0xf3, 0x52, 0x7f, 0xc2, 0x76, 0x2e, 0x94, 0xae, 0x88,
-	0x98, 0x12, 0xd1, 0xf8, 0x04, 0x2e, 0x66, 0x58, 0xc9, 0x00, 0xe3, 0x0d, 0x68, 0xfb, 0xc4, 0xb1,
+	0x29, 0x11, 0x8d, 0xcf, 0xe0, 0x7c, 0x86, 0x95, 0x0c, 0x30, 0xde, 0x82, 0xb6, 0x4f, 0x1c, 0x2b,
-	0x42, 0x01, 0xb6, 0x5c, 0x47, 0x39, 0x03, 0x3f, 0xc6, 0xdd, 0x75, 0x18, 0xf9, 0x80, 0x12, 0x3f,
+	0x14, 0x60, 0xcb, 0x75, 0x94, 0x33, 0xf0, 0x63, 0xdc, 0x3d, 0x87, 0x91, 0x0f, 0x28, 0xf1, 0xf3,
-	0x2f, 0xca, 0xd9, 0xc8, 0xbb, 0xb0, 0x9a, 0x25, 0x17, 0xc3, 0x1b, 0x9f, 0xc1, 0x9a, 0x89, 0x27,
+	0xa2, 0x9c, 0x8e, 0xbc, 0x0b, 0xab, 0x59, 0x72, 0x31, 0xbc, 0xf1, 0x05, 0xac, 0x99, 0x78, 0x42,
-	0xe4, 0x29, 0x7e, 0x59, 0xd6, 0x3d, 0xe8, 0xe6, 0x19, 0x24, 0xcc, 0x13, 0xe8, 0x80, 0xda, 0x34,
+	0x9e, 0xe2, 0x57, 0x65, 0xdd, 0x83, 0x6e, 0x9e, 0x41, 0xc2, 0x3c, 0x81, 0x0e, 0xa8, 0x4d, 0xa3,
-	0x0a, 0xcf, 0xc7, 0xfc, 0xa6, 0xce, 0x40, 0x1e, 0x9d, 0x82, 0x0f, 0x6a, 0x43, 0xd5, 0xf5, 0x25,
+	0xf0, 0x6c, 0xcc, 0xaf, 0xeb, 0x0c, 0xe4, 0xd1, 0x29, 0xf8, 0xa0, 0x36, 0x54, 0x5d, 0x5f, 0x12,
-	0x51, 0xd5, 0xf5, 0x8d, 0xcf, 0xa0, 0x11, 0x1f, 0x5a, 0x68, 0x33, 0x09, 0x6e, 0xaa, 0x2f, 0x38,
+	0x55, 0x5d, 0xdf, 0xf8, 0x02, 0x1a, 0xf1, 0xa1, 0x85, 0x36, 0x93, 0xe0, 0xa6, 0xfa, 0x92, 0x93,
-	0xd9, 0xe2, 0xb0, 0xe7, 0x61, 0xce, 0x5b, 0xcb, 0x91, 0x36, 0x01, 0x62, 0x3f, 0xa3, 0x4e, 0x4a,
+	0x2d, 0x0e, 0x7b, 0xee, 0xe7, 0xbc, 0xb5, 0x1c, 0x69, 0x13, 0x20, 0xf6, 0x33, 0xea, 0xa4, 0x44,
-	0x94, 0xe7, 0x67, 0x6a, 0x58, 0xc6, 0xdf, 0xa7, 0x9c, 0x8e, 0x26, 0xb2, 0x13, 0x8b, 0xec, 0xa4,
+	0x79, 0x7e, 0xa6, 0x86, 0x65, 0xfc, 0x5d, 0xca, 0xe9, 0x68, 0x22, 0x3b, 0xb1, 0xc8, 0x4e, 0xca,
-	0x9c, 0x50, 0xf5, 0x3c, 0x4e, 0xe8, 0x0e, 0xcc, 0x85, 0xd4, 0xa6, 0xc2, 0x0d, 0xb6, 0xb5, 0xc9,
+	0x09, 0x55, 0xcf, 0xe2, 0x84, 0x6e, 0xc1, 0x5c, 0x48, 0x6d, 0x2a, 0xdc, 0x60, 0x5b, 0x9b, 0x5c,
-	0xa5, 0x87, 0xc4, 0xa6, 0x40, 0x43, 0x57, 0x01, 0x86, 0x01, 0xb6, 0x29, 0x76, 0x2c, 0x5b, 0xf8,
+	0x7a, 0x48, 0x6c, 0x0a, 0x34, 0x74, 0x19, 0x60, 0x18, 0x60, 0x9b, 0x62, 0xc7, 0xb2, 0x85, 0x7f,
-	0xc7, 0x9a, 0xd9, 0x90, 0x90, 0x3e, 0x45, 0xf7, 0x60, 0x41, 0x45, 0x2a, 0x73, 0x5c, 0x8c, 0x8d,
+	0xac, 0x99, 0x0d, 0x09, 0xd9, 0xa2, 0xe8, 0x0e, 0x2c, 0xa8, 0x48, 0x65, 0x8e, 0x8b, 0xb1, 0x51,
-	0x02, 0x86, 0xa9, 0xd5, 0x37, 0x15, 0x41, 0xb2, 0xa7, 0xe7, 0xa7, 0xef, 0x69, 0x49, 0x27, 0x90,
+	0xc0, 0x30, 0xb5, 0xfa, 0xa6, 0x22, 0x48, 0xf6, 0xf4, 0xfc, 0xf4, 0x3d, 0x2d, 0xe9, 0x04, 0xb2,
-	0x35, 0xb7, 0xb4, 0x50, 0xea, 0x96, 0x04, 0xc5, 0x59, 0xdc, 0x52, 0xbd, 0xd4, 0x2d, 0x49, 0x1e,
+	0xe6, 0x96, 0x16, 0x4a, 0xdd, 0x92, 0xa0, 0x38, 0x8d, 0x5b, 0xaa, 0x97, 0xba, 0x25, 0xc9, 0x63,
-	0x53, 0xdd, 0xd2, 0x1f, 0xd2, 0xc1, 0x3c, 0x86, 0x6e, 0x7e, 0x83, 0x48, 0xc7, 0xf0, 0x0e, 0xcc,
+	0xaa, 0x5b, 0xfa, 0x43, 0x3a, 0x98, 0x87, 0xd0, 0xcd, 0x6f, 0x10, 0xe9, 0x18, 0xde, 0x83, 0xf9,
-	0x87, 0x1c, 0x32, 0xc5, 0xc9, 0x48, 0x12, 0x89, 0x68, 0x3c, 0x80, 0x95, 0x8c, 0x05, 0x88, 0x40,
+	0x90, 0x43, 0xa6, 0x38, 0x19, 0x49, 0x22, 0x11, 0x8d, 0x7b, 0xb0, 0x92, 0xb1, 0x00, 0x11, 0x28,
-	0x31, 0xb6, 0x97, 0xca, 0x99, 0xec, 0xc5, 0xf8, 0xbf, 0x8a, 0x6e, 0xbd, 0x0f, 0xdc, 0x31, 0xc5,
+	0xc6, 0xf6, 0x52, 0x39, 0x95, 0xbd, 0x18, 0xff, 0x57, 0xd1, 0xad, 0xf7, 0x9e, 0x3b, 0xa6, 0x38,
-	0x41, 0xce, 0x7a, 0xdf, 0x55, 0x4c, 0x85, 0xe9, 0x5e, 0x2d, 0x63, 0x2a, 0x62, 0x38, 0x69, 0x89,
+	0xc8, 0x59, 0xef, 0xfb, 0x8a, 0xa9, 0x30, 0xdd, 0xcb, 0x65, 0x4c, 0x45, 0x0c, 0x27, 0x2d, 0x71,
-	0x03, 0x68, 0x73, 0x1d, 0x5a, 0x21, 0x1e, 0xf3, 0x03, 0x51, 0x86, 0x22, 0x3f, 0x2e, 0xa0, 0x16,
+	0x00, 0x6d, 0xae, 0x43, 0x2b, 0xc4, 0x63, 0x7e, 0x20, 0xca, 0x50, 0xe4, 0xc7, 0x05, 0xd4, 0x62,
-	0xe3, 0x0a, 0x03, 0x18, 0x48, 0x74, 0xa1, 0xbe, 0xd6, 0x58, 0x87, 0xf5, 0xee, 0x03, 0xca, 0x23,
+	0x5c, 0x61, 0x00, 0x03, 0x89, 0x2e, 0xd4, 0xd7, 0x1a, 0xeb, 0xb0, 0xde, 0x5d, 0x40, 0x79, 0xa4,
-	0x9d, 0x4b, 0x0f, 0x5f, 0xb2, 0xbd, 0xcf, 0x72, 0x8f, 0x02, 0x4f, 0x7f, 0xcc, 0xc5, 0x98, 0xa2,
+	0x33, 0xe9, 0xe1, 0x6b, 0xb6, 0xf7, 0x59, 0xee, 0x51, 0xe0, 0xe9, 0x8f, 0xb8, 0x18, 0x53, 0x94,
-	0x04, 0x21, 0xa7, 0x29, 0x11, 0x8d, 0xbf, 0xab, 0x01, 0x24, 0x9d, 0xaf, 0xec, 0xa6, 0xff, 0x20,
+	0x20, 0xe4, 0x34, 0x25, 0xa2, 0xf1, 0xb7, 0x35, 0x80, 0xa4, 0xf3, 0xb5, 0xdd, 0xf4, 0x1f, 0xc5,
-	0xde, 0x82, 0x22, 0x9a, 0x78, 0xad, 0x80, 0x5f, 0xe1, 0xe6, 0x7b, 0x90, 0xde, 0x7c, 0x22, 0xae,
+	0x5b, 0x50, 0x44, 0x13, 0x6f, 0x14, 0xf0, 0x2b, 0xdc, 0x7c, 0xf7, 0xd2, 0x9b, 0x4f, 0xc4, 0x15,
-	0x78, 0xa3, 0x88, 0xfa, 0x95, 0xdd, 0x76, 0x5b, 0xb0, 0x9a, 0x55, 0xb7, 0xdc, 0x74, 0x37, 0x61,
+	0x6f, 0x15, 0x51, 0xbf, 0xb6, 0xdb, 0x6e, 0x1b, 0x56, 0xb3, 0xea, 0x96, 0x9b, 0xee, 0x3a, 0xcc,
-	0xce, 0xa5, 0x78, 0x22, 0x32, 0x69, 0x3d, 0x1d, 0xd1, 0x70, 0x05, 0x86, 0xf1, 0x3a, 0x34, 0x76,
+	0xb9, 0x14, 0x4f, 0x44, 0x26, 0xad, 0xa7, 0x23, 0x1a, 0xae, 0xc0, 0x30, 0xde, 0x84, 0xc6, 0xde,
-	0x27, 0xf6, 0x08, 0x0f, 0x7c, 0x3c, 0x64, 0x63, 0xb9, 0xac, 0x21, 0xc7, 0x17, 0x0d, 0x63, 0x13,
+	0xc4, 0x1e, 0xe1, 0x81, 0x8f, 0x87, 0x6c, 0x2c, 0x97, 0x35, 0xe4, 0xf8, 0xa2, 0x61, 0x6c, 0x42,
-	0xea, 0x0f, 0xf1, 0xa9, 0xd8, 0x83, 0x67, 0x94, 0xcf, 0xf8, 0xd7, 0x0a, 0xac, 0x71, 0xdf, 0xb9,
+	0xfd, 0x3e, 0x3e, 0x11, 0x7b, 0xf0, 0x94, 0xf2, 0x19, 0xff, 0x5a, 0x81, 0x35, 0xee, 0x3b, 0xb7,
-	0xa5, 0xf2, 0x58, 0x13, 0x87, 0x24, 0x0a, 0x86, 0x38, 0xe4, 0x2a, 0xf5, 0x23, 0xcb, 0xc7, 0x81,
+	0x55, 0x1e, 0x6b, 0xe2, 0x90, 0x44, 0xc1, 0x10, 0x87, 0x5c, 0xa5, 0x7e, 0x64, 0xf9, 0x38, 0x70,
-	0x4b, 0x1c, 0x99, 0xf5, 0x35, 0x86, 0x7e, 0x74, 0xc0, 0x01, 0x2c, 0xd7, 0x65, 0xdd, 0xbf, 0x8a,
+	0x89, 0x23, 0xb3, 0xbe, 0xc6, 0xd0, 0x8f, 0xf6, 0x39, 0x80, 0xe5, 0xba, 0xac, 0xfb, 0x57, 0x11,
-	0x88, 0xb4, 0xad, 0x9a, 0x59, 0x1f, 0xfa, 0xd1, 0x4f, 0x59, 0x5b, 0xd1, 0x86, 0x27, 0x76, 0x80,
+	0x91, 0xb6, 0x55, 0x33, 0xeb, 0x43, 0x3f, 0xfa, 0x29, 0x6b, 0x2b, 0xda, 0xf0, 0xd8, 0x0e, 0x70,
-	0x43, 0x6e, 0x43, 0x82, 0x76, 0xc0, 0x01, 0xe8, 0x1d, 0xb8, 0x38, 0xc1, 0x13, 0x12, 0x9c, 0x5a,
+	0xc8, 0x6d, 0x48, 0xd0, 0x0e, 0x38, 0x00, 0xbd, 0x07, 0xe7, 0x27, 0x78, 0x42, 0x82, 0x13, 0x6b,
-	0x63, 0x77, 0xe2, 0x52, 0xcb, 0xf5, 0xac, 0xa3, 0x53, 0x8a, 0x43, 0x69, 0x38, 0x48, 0x74, 0x3e,
+	0xec, 0x4e, 0x5c, 0x6a, 0xb9, 0x9e, 0x75, 0x78, 0x42, 0x71, 0x28, 0x0d, 0x07, 0x89, 0xce, 0x07,
-	0x62, 0x7d, 0xbb, 0xde, 0xe7, 0xac, 0x07, 0x19, 0xd0, 0x22, 0x64, 0x62, 0x85, 0x43, 0x12, 0x60,
+	0xac, 0x6f, 0xcf, 0xfb, 0x92, 0xf5, 0x20, 0x03, 0x5a, 0x84, 0x4c, 0xac, 0x70, 0x48, 0x02, 0x6c,
-	0xcb, 0x76, 0xbe, 0xe6, 0x87, 0x47, 0xcd, 0x6c, 0x12, 0x32, 0x19, 0x30, 0x58, 0xdf, 0xf9, 0xda,
+	0xd9, 0xce, 0xb7, 0xfc, 0xf0, 0xa8, 0x99, 0x4d, 0x42, 0x26, 0x03, 0x06, 0xdb, 0x72, 0xbe, 0x35,
-	0xb0, 0xa1, 0x95, 0xca, 0x02, 0x59, 0xac, 0xcf, 0xd3, 0x3d, 0x19, 0xeb, 0xb3, 0x6f, 0x06, 0x0b,
+	0x6c, 0x68, 0xa5, 0xb2, 0x40, 0x16, 0xeb, 0xf3, 0x74, 0x4f, 0xc6, 0xfa, 0xec, 0x9b, 0xc1, 0x02,
-	0xc8, 0x58, 0xad, 0x03, 0xff, 0x66, 0x30, 0x7a, 0xea, 0xab, 0x40, 0x9f, 0x7f, 0xb3, 0x05, 0x1b,
+	0x32, 0x56, 0xeb, 0xc0, 0xbf, 0x19, 0x8c, 0x9e, 0xf8, 0x2a, 0xd0, 0xe7, 0xdf, 0x6c, 0xc1, 0xc6,
-	0xe3, 0xa7, 0x32, 0x11, 0x6f, 0x98, 0xa2, 0x61, 0x38, 0x00, 0x5b, 0xb6, 0x6f, 0x1f, 0xb9, 0x63,
+	0xf8, 0xa9, 0x4c, 0xc4, 0x1b, 0xa6, 0x68, 0x18, 0x0e, 0xc0, 0xb6, 0xed, 0xdb, 0x87, 0xee, 0xd8,
-	0x97, 0x9e, 0xa2, 0x9b, 0xd0, 0xb1, 0x1d, 0xc7, 0x1a, 0x2a, 0x88, 0x8b, 0x55, 0x55, 0x64, 0xc9,
+	0xa5, 0x27, 0xe8, 0x3a, 0x74, 0x6c, 0xc7, 0xb1, 0x86, 0x0a, 0xe2, 0x62, 0x55, 0x15, 0x59, 0xb2,
-	0x76, 0x9c, 0x2d, 0x0d, 0x8c, 0x7e, 0x04, 0xcb, 0x4e, 0x40, 0xfc, 0x34, 0xae, 0x28, 0x93, 0x74,
+	0x1d, 0x67, 0x5b, 0x03, 0xa3, 0x1f, 0xc1, 0xb2, 0x13, 0x10, 0x3f, 0x8d, 0x2b, 0xca, 0x24, 0x1d,
-	0x58, 0x87, 0x8e, 0x6c, 0xfc, 0xcd, 0x2c, 0x5c, 0x4d, 0xab, 0x25, 0x9b, 0x57, 0x7f, 0x00, 0x8b,
+	0xd6, 0xa1, 0x23, 0x1b, 0xff, 0x34, 0x0b, 0x97, 0xd3, 0x6a, 0xc9, 0xe6, 0xd5, 0x1f, 0xc1, 0x62,
-	0x99, 0x51, 0xd3, 0x09, 0x6d, 0x22, 0xa4, 0x99, 0x42, 0xcc, 0x64, 0x9e, 0xd5, 0x5c, 0xe6, 0x59,
+	0x66, 0xd4, 0x74, 0x42, 0x9b, 0x08, 0x69, 0xa6, 0x10, 0x33, 0x99, 0x67, 0x35, 0x97, 0x79, 0x16,
-	0x98, 0xb0, 0xd7, 0x7e, 0x88, 0x84, 0x7d, 0xf6, 0xfb, 0x24, 0xec, 0x73, 0x67, 0x4a, 0xd8, 0xdf,
+	0x26, 0xec, 0xb5, 0x1f, 0x22, 0x61, 0x9f, 0xfd, 0x3e, 0x09, 0xfb, 0xdc, 0xa9, 0x12, 0xf6, 0xb7,
-	0xe4, 0x25, 0x30, 0x45, 0xc4, 0xd3, 0xa6, 0x79, 0x51, 0xa7, 0x89, 0x71, 0x3c, 0x55, 0x2a, 0xcb,
+	0x79, 0x09, 0x4c, 0x11, 0xf1, 0xb4, 0x69, 0x5e, 0xd4, 0x69, 0x62, 0x1c, 0x4f, 0x95, 0xca, 0x32,
-	0x24, 0xf6, 0x0b, 0xe7, 0x49, 0xec, 0xeb, 0xa5, 0x89, 0x3d, 0xb3, 0x08, 0xdf, 0xb7, 0x83, 0x09,
+	0x89, 0xfd, 0xc2, 0x59, 0x12, 0xfb, 0x7a, 0x69, 0x62, 0xcf, 0x2c, 0xc2, 0xf7, 0xed, 0x60, 0x42,
-	0x09, 0x54, 0xe6, 0xde, 0x6d, 0x70, 0x11, 0x96, 0x14, 0x5c, 0x66, 0xed, 0xa5, 0x39, 0x3e, 0x94,
+	0x02, 0x95, 0xb9, 0x77, 0x1b, 0x5c, 0x84, 0x25, 0x05, 0x97, 0x59, 0x7b, 0x69, 0x8e, 0x0f, 0x65,
-	0xe6, 0xf8, 0xff, 0x50, 0x81, 0x95, 0xb4, 0x59, 0xc8, 0x9c, 0xed, 0x53, 0x68, 0x04, 0x6a, 0xdf,
+	0x39, 0x3e, 0xda, 0x80, 0x45, 0x8f, 0x58, 0x1e, 0x7e, 0x66, 0x31, 0x85, 0x85, 0xdd, 0xa6, 0xd0,
-	0x4a, 0x53, 0xd8, 0x48, 0xc7, 0x46, 0xf9, 0xfd, 0x6d, 0x26, 0x24, 0xe8, 0xa7, 0xa5, 0xd9, 0xff,
+	0x9e, 0x47, 0xfa, 0xf8, 0xd9, 0x3e, 0x83, 0x18, 0x7f, 0x5f, 0x81, 0x95, 0xb4, 0xe1, 0xc8, 0xac,
-	0x9b, 0x25, 0x6c, 0x5e, 0x94, 0xff, 0x1b, 0x7d, 0x58, 0x8e, 0x91, 0xa7, 0xe6, 0xde, 0x5a, 0x2e,
+	0xee, 0x73, 0x68, 0x04, 0x6a, 0x67, 0x4b, 0x63, 0xd9, 0x48, 0x47, 0x4f, 0x79, 0x0f, 0x60, 0x26,
-	0x5d, 0x4d, 0xe7, 0xd2, 0x1e, 0xcc, 0x6f, 0xe3, 0xa7, 0xee, 0x10, 0xff, 0x20, 0xe5, 0xb7, 0x0d,
+	0x24, 0xe8, 0xa7, 0xa5, 0xf5, 0x81, 0xb7, 0x4b, 0xd8, 0xbc, 0xac, 0x42, 0x60, 0x6c, 0xc1, 0x72,
-	0x68, 0xfa, 0x38, 0x98, 0xb8, 0x61, 0x18, 0x9b, 0x74, 0xc3, 0xd4, 0x41, 0xc6, 0x7f, 0xcd, 0xc1,
+	0x8c, 0x3c, 0x35, 0x3b, 0xd7, 0xb2, 0xed, 0x6a, 0x3a, 0xdb, 0xf6, 0x60, 0x7e, 0x07, 0x3f, 0x75,
-	0x52, 0x76, 0x65, 0xdf, 0xcf, 0xa5, 0xee, 0xbd, 0x64, 0x8f, 0x65, 0xe7, 0xa7, 0x9d, 0x9f, 0x37,
+	0x87, 0xf8, 0x07, 0x29, 0xd0, 0x6d, 0x40, 0xd3, 0xc7, 0xc1, 0xc4, 0x0d, 0xc3, 0xd8, 0xe8, 0x1b,
-	0x94, 0x8b, 0xae, 0x66, 0x22, 0xf8, 0xd8, 0x8b, 0x4b, 0xb7, 0xcd, 0xe6, 0x3f, 0x24, 0x93, 0x89,
+	0xa6, 0x0e, 0x32, 0xfe, 0x6b, 0x0e, 0x96, 0xb2, 0x2b, 0xfb, 0x61, 0x2e, 0xb9, 0xef, 0x25, 0xbb,
-	0xed, 0x39, 0xaa, 0x34, 0x2a, 0x9b, 0x6c, 0xb5, 0xec, 0x60, 0xc4, 0x36, 0x0e, 0x03, 0xf3, 0x6f,
+	0x30, 0x3b, 0x3f, 0xed, 0x84, 0xbd, 0xa6, 0x9c, 0x78, 0x35, 0x13, 0xe3, 0xc7, 0x7e, 0x5e, 0x3a,
-	0xf4, 0x1a, 0x34, 0x59, 0x24, 0xec, 0x7a, 0x3c, 0xf3, 0xe7, 0xdb, 0xa2, 0x61, 0x82, 0x04, 0x6d,
+	0x76, 0x36, 0xff, 0x21, 0x99, 0x4c, 0x6c, 0xcf, 0x51, 0xc5, 0x53, 0xd9, 0x64, 0xab, 0x65, 0x07,
-	0xbb, 0x01, 0xba, 0x0e, 0xb3, 0xd8, 0x7b, 0xaa, 0x4e, 0xca, 0xa4, 0x76, 0xaa, 0x8e, 0x06, 0x93,
+	0x23, 0xb6, 0xb5, 0x18, 0x98, 0x7f, 0xa3, 0x37, 0xa0, 0xc9, 0x62, 0x65, 0xd7, 0xe3, 0xb5, 0x01,
-	0x77, 0xa3, 0x37, 0x61, 0x7e, 0x42, 0x22, 0x8f, 0xaa, 0x98, 0xb8, 0x1d, 0x23, 0xf2, 0x82, 0xa7,
+	0xbe, 0x71, 0x1a, 0x26, 0x48, 0xd0, 0x8e, 0x1b, 0xa0, 0xab, 0x30, 0x8b, 0xbd, 0xa7, 0xea, 0x2c,
-	0x29, 0x7b, 0xd1, 0x4d, 0x58, 0x70, 0xb8, 0x0e, 0x54, 0xe0, 0xbb, 0x94, 0x54, 0x0f, 0x38, 0xdc,
+	0x4d, 0xaa, 0xab, 0xea, 0xf0, 0x30, 0x79, 0x37, 0x7a, 0x1b, 0xe6, 0x27, 0x24, 0xf2, 0xa8, 0x8a,
-	0x54, 0xfd, 0xe8, 0xe3, 0xf8, 0x8c, 0x6f, 0x64, 0x4e, 0xe9, 0xcc, 0xa2, 0x16, 0x1e, 0xf4, 0x0f,
+	0x9a, 0xdb, 0x31, 0x22, 0x2f, 0x89, 0x9a, 0xb2, 0x17, 0x5d, 0x87, 0x05, 0x87, 0xeb, 0x40, 0x85,
-	0xd3, 0x07, 0x3d, 0x70, 0x16, 0x37, 0x4b, 0x59, 0x4c, 0xcf, 0xfd, 0x2f, 0x41, 0x7d, 0x4c, 0x46,
+	0xc6, 0x4b, 0x49, 0x7d, 0x81, 0xc3, 0x4d, 0xd5, 0x8f, 0x3e, 0x8d, 0xa3, 0x80, 0x46, 0xe6, 0x1c,
-	0xc2, 0x0e, 0x9a, 0xa2, 0x90, 0x3e, 0x26, 0x23, 0x6e, 0x06, 0x2b, 0x2c, 0xb0, 0x71, 0x5c, 0xaf,
+	0xcf, 0x2c, 0x6a, 0x61, 0x28, 0x70, 0x3f, 0x1d, 0x0a, 0x00, 0x67, 0x71, 0xbd, 0x94, 0xc5, 0xf4,
-	0xbb, 0xc8, 0x37, 0xbc, 0x68, 0xb0, 0xf3, 0x8a, 0x7f, 0x58, 0xc4, 0x1b, 0xe2, 0x6e, 0x8b, 0x77,
+	0xea, 0xc0, 0x05, 0xa8, 0x8f, 0xc9, 0x48, 0xd8, 0x41, 0x53, 0x94, 0xda, 0xc7, 0x64, 0xc4, 0xcd,
-	0x35, 0x38, 0x64, 0xdf, 0x1b, 0xf2, 0xe3, 0x94, 0xd2, 0xd3, 0x6e, 0x9b, 0xc3, 0xd9, 0x27, 0x8b,
+	0x60, 0x85, 0x85, 0x3e, 0x8e, 0xeb, 0x75, 0x17, 0xf9, 0xf6, 0x12, 0x0d, 0x76, 0xa2, 0xf1, 0x0f,
-	0x47, 0x45, 0x26, 0xb2, 0x94, 0x89, 0x47, 0x8b, 0xf6, 0xe7, 0x2b, 0x50, 0x5c, 0xf8, 0xa7, 0x0a,
+	0x8b, 0x78, 0x43, 0xdc, 0x6d, 0xf1, 0xae, 0x06, 0x87, 0x3c, 0xf2, 0x86, 0xfc, 0xc0, 0xa5, 0xf4,
-	0xac, 0x6e, 0xf1, 0x70, 0x4c, 0xf3, 0x04, 0xe7, 0x48, 0x8e, 0xd1, 0xdd, 0xb8, 0x0a, 0x91, 0xcd,
+	0xa4, 0xdb, 0xe6, 0x70, 0xf6, 0xc9, 0x22, 0x56, 0x91, 0xab, 0x2c, 0x65, 0x22, 0xd6, 0xa2, 0xfd,
-	0x71, 0xb3, 0x93, 0x95, 0x78, 0xe8, 0x3e, 0xb4, 0x15, 0x4f, 0x49, 0x59, 0x7b, 0x51, 0xfd, 0xa2,
+	0xf9, 0x1a, 0x94, 0x1f, 0xfe, 0xb1, 0x02, 0xab, 0xdb, 0x3c, 0x60, 0xd3, 0x3c, 0xc1, 0x19, 0xd2,
-	0x15, 0xea, 0x4d, 0xe3, 0x63, 0x58, 0xcb, 0xc9, 0x2c, 0x43, 0xa7, 0xd7, 0x61, 0x31, 0xf1, 0x08,
+	0x67, 0x74, 0x3b, 0xae, 0x53, 0x64, 0xb3, 0xe0, 0xec, 0x64, 0x25, 0x1e, 0xba, 0x0b, 0x6d, 0xc5,
-	0xb1, 0xc8, 0xcd, 0x18, 0xb6, 0xeb, 0x18, 0xf7, 0xe0, 0xe2, 0x80, 0xda, 0x01, 0xcd, 0x4d, 0xf8,
+	0x53, 0x52, 0xd6, 0x5e, 0x56, 0xe1, 0x68, 0x85, 0x7a, 0xd3, 0xf8, 0x14, 0xd6, 0x72, 0x32, 0xcb,
-	0x0c, 0xb4, 0xbc, 0x84, 0x91, 0xa6, 0x95, 0x55, 0x86, 0x01, 0xac, 0x0c, 0x28, 0xf1, 0x5f, 0x82,
+	0xe0, 0xea, 0x4d, 0x58, 0x4c, 0x3c, 0x42, 0x2c, 0x72, 0x33, 0x86, 0xed, 0x39, 0xc6, 0x1d, 0x38,
-	0x29, 0xdb, 0xe9, 0x6c, 0xda, 0x24, 0xa2, 0x32, 0x5e, 0x52, 0x4d, 0x63, 0x4d, 0x14, 0x5c, 0xf2,
+	0x3f, 0xa0, 0x76, 0x40, 0x73, 0x13, 0x3e, 0x05, 0x2d, 0x2f, 0x72, 0xa4, 0x69, 0x65, 0x1d, 0x62,
-	0xa3, 0x7d, 0x04, 0xab, 0xa2, 0xde, 0xf1, 0x32, 0x93, 0xb8, 0xa4, 0xaa, 0x2d, 0x79, 0xbe, 0xdb,
+	0x00, 0x2b, 0x03, 0x4a, 0xfc, 0x57, 0x60, 0xca, 0x76, 0x3a, 0x9b, 0x36, 0x89, 0xa8, 0x8c, 0xa8,
-	0x70, 0x21, 0x71, 0xe5, 0x49, 0xea, 0x76, 0x3b, 0x9d, 0xba, 0xad, 0xe5, 0x75, 0x9c, 0xca, 0xdc,
+	0x54, 0xd3, 0x58, 0x13, 0x25, 0x99, 0xfc, 0x68, 0x9f, 0xc0, 0xaa, 0xa8, 0x88, 0xbc, 0xca, 0x24,
-	0xfe, 0xba, 0xaa, 0x39, 0xcc, 0x92, 0xc4, 0x6d, 0x33, 0x9d, 0xb8, 0x5d, 0x29, 0x61, 0x99, 0xca,
+	0x2e, 0xa8, 0x7a, 0x4c, 0x9e, 0xef, 0x0e, 0x9c, 0x4b, 0x5c, 0x79, 0x92, 0xdc, 0xdd, 0x4c, 0x27,
-	0xdb, 0xf2, 0x16, 0x59, 0x2b, 0xb0, 0x48, 0x33, 0x97, 0xdd, 0xcd, 0x66, 0x0a, 0xcd, 0x19, 0xd9,
+	0x77, 0x6b, 0x79, 0x1d, 0xa7, 0x72, 0xbb, 0xbf, 0xae, 0x6a, 0x0e, 0xb3, 0x24, 0xb5, 0xdb, 0x4c,
-	0x7e, 0x2f, 0xc9, 0xdd, 0xae, 0x48, 0xee, 0xe2, 0xa1, 0xe3, 0x1a, 0xd4, 0xdd, 0x4c, 0x72, 0xd7,
+	0xa7, 0x76, 0x97, 0x4a, 0x58, 0xa6, 0x32, 0xbb, 0xbc, 0x45, 0xd6, 0x0a, 0x2c, 0xd2, 0xcc, 0xe5,
-	0x2d, 0x13, 0x33, 0xce, 0xed, 0xfe, 0x6a, 0x16, 0x1a, 0x71, 0x5f, 0x6e, 0x61, 0xf3, 0x8b, 0x54,
+	0x7f, 0xb3, 0x99, 0x52, 0x74, 0x46, 0xb6, 0xdf, 0x4b, 0xfa, 0xb7, 0x27, 0xd2, 0xbf, 0x78, 0xe8,
-	0x2d, 0x58, 0x24, 0xfd, 0xfc, 0xaa, 0xbd, 0xcc, 0xf9, 0x35, 0xfb, 0xa2, 0xf3, 0xeb, 0x32, 0x34,
+	0xb8, 0x4a, 0x75, 0x3b, 0x93, 0xfe, 0x75, 0xcb, 0xc4, 0x8c, 0xb3, 0xbf, 0xbf, 0x9a, 0x85, 0x46,
-	0xf8, 0x87, 0x15, 0xe0, 0x63, 0x79, 0x1e, 0xd5, 0x39, 0xc0, 0xc4, 0xc7, 0x89, 0x41, 0xcd, 0x9f,
+	0xdc, 0x97, 0x5b, 0xd8, 0xfc, 0x22, 0x55, 0x0b, 0x16, 0x49, 0x3f, 0xbf, 0x6a, 0xaf, 0x72, 0x7e,
-	0xc5, 0xa0, 0x32, 0x59, 0xe4, 0x42, 0x36, 0x8b, 0x7c, 0x3f, 0x3e, 0x61, 0xc4, 0x59, 0xb4, 0x9e,
+	0xcd, 0xbe, 0xec, 0xfc, 0xba, 0x08, 0x0d, 0xfe, 0x61, 0x05, 0xf8, 0x48, 0x9e, 0x47, 0x75, 0x0e,
-	0x67, 0x57, 0x78, 0xb6, 0xec, 0xa4, 0xcf, 0x16, 0x71, 0x3c, 0x5d, 0x2b, 0x20, 0x7e, 0x65, 0x73,
+	0x30, 0xf1, 0x51, 0x62, 0x50, 0xf3, 0xa7, 0x31, 0xa8, 0x4c, 0x9e, 0xb9, 0x90, 0xcd, 0x33, 0x3f,
-	0xc8, 0x47, 0x22, 0x87, 0xd4, 0xad, 0x4a, 0x3a, 0xc2, 0x4d, 0x80, 0x78, 0xcf, 0xab, 0x44, 0x12,
+	0x8c, 0x4f, 0x18, 0x71, 0x16, 0xad, 0xe7, 0xd9, 0x15, 0x9e, 0x2d, 0xbb, 0xe9, 0xb3, 0x45, 0x1c,
-	0xe5, 0xa7, 0x66, 0x6a, 0x58, 0xcc, 0xab, 0xa4, 0xd6, 0x3f, 0x29, 0x94, 0x9e, 0xc1, 0xab, 0xfc,
+	0x4f, 0x57, 0x0a, 0x88, 0x5f, 0xdb, 0x2c, 0xf3, 0x81, 0xc8, 0x32, 0x75, 0xab, 0x92, 0x8e, 0x70,
-	0x8b, 0x1e, 0x25, 0x95, 0xd4, 0x1a, 0xdf, 0xcf, 0x95, 0x1d, 0xce, 0x66, 0x75, 0xb7, 0xd3, 0x55,
+	0x13, 0x20, 0xde, 0xf3, 0x2a, 0xd5, 0x44, 0xf9, 0xa9, 0x99, 0x1a, 0x16, 0xf3, 0x2a, 0xa9, 0xf5,
-	0x87, 0xf3, 0x99, 0x4b, 0xae, 0xe8, 0xc0, 0x0f, 0x75, 0x3b, 0x90, 0xdd, 0x22, 0x5f, 0x6c, 0x48,
+	0x4f, 0x4a, 0xa9, 0xa7, 0xf0, 0x2a, 0xff, 0xa2, 0x47, 0x49, 0x25, 0xd5, 0xc8, 0x0f, 0x73, 0x85,
-	0x48, 0x9f, 0xb2, 0x50, 0xea, 0xd8, 0xf5, 0xdc, 0xf0, 0x44, 0xf4, 0xcf, 0xf3, 0x7e, 0x50, 0xa0,
+	0x89, 0xd3, 0x59, 0xdd, 0xcd, 0x74, 0x5d, 0xe2, 0x6c, 0xe6, 0x92, 0x2b, 0x4b, 0xf0, 0x43, 0xdd,
-	0x3e, 0xbf, 0x34, 0xc6, 0xcf, 0x5c, 0x6a, 0x0d, 0x89, 0x83, 0xb9, 0x31, 0xce, 0x99, 0x75, 0x06,
+	0x0e, 0x64, 0xb7, 0xc8, 0x28, 0x1b, 0x12, 0xb2, 0x45, 0x59, 0x28, 0x75, 0xe4, 0x7a, 0x6e, 0x78,
-	0xd8, 0x22, 0x0e, 0x4e, 0x36, 0x48, 0xfd, 0x5c, 0x1b, 0xa4, 0x91, 0xd9, 0x20, 0xab, 0x30, 0x1f,
+	0x2c, 0xfa, 0xe7, 0x79, 0x3f, 0x28, 0xd0, 0x16, 0xbf, 0x56, 0xc6, 0xcf, 0x5d, 0x6a, 0x0d, 0x89,
-	0x60, 0x3b, 0x24, 0x9e, 0x0c, 0xfb, 0x65, 0x8b, 0x9d, 0x15, 0x13, 0x1c, 0x86, 0x6c, 0x00, 0x19,
+	0x83, 0xb9, 0x31, 0xce, 0x99, 0x75, 0x06, 0xd8, 0x26, 0x0e, 0x4e, 0x36, 0x48, 0xfd, 0x4c, 0x1b,
-	0xc0, 0xc8, 0xa6, 0x16, 0x66, 0x2d, 0x96, 0x85, 0x59, 0x53, 0x8a, 0x99, 0x99, 0x30, 0xab, 0x55,
+	0xa4, 0x91, 0xd9, 0x20, 0xab, 0x30, 0x1f, 0x60, 0x3b, 0x24, 0x9e, 0x4c, 0x0c, 0x64, 0x8b, 0x9d,
-	0x16, 0x66, 0x9d, 0xa5, 0x96, 0xa9, 0x05, 0x91, 0xed, 0xa9, 0x41, 0xa4, 0x1e, 0x8e, 0x2d, 0xa5,
+	0x15, 0x13, 0x1c, 0x86, 0x6c, 0x00, 0x19, 0xc0, 0xc8, 0xa6, 0x16, 0x66, 0x2d, 0x96, 0x85, 0x59,
-	0xc2, 0xb1, 0x3f, 0xe4, 0x9e, 0x7a, 0x08, 0x6b, 0xb9, 0x5d, 0x20, 0x37, 0xd5, 0xdd, 0x4c, 0x35,
+	0x53, 0xca, 0x9d, 0x99, 0x30, 0xab, 0x55, 0x16, 0x66, 0x9d, 0xa6, 0xda, 0xa9, 0x05, 0x91, 0xed,
-	0xb4, 0x5b, 0xb6, 0x40, 0x71, 0x31, 0xf4, 0x4f, 0x61, 0x69, 0xe7, 0x19, 0x1e, 0x0e, 0x4e, 0xbd,
+	0xa9, 0x41, 0xa4, 0x1e, 0x8e, 0x2d, 0xa5, 0xc2, 0xb1, 0x3f, 0xe4, 0x9e, 0xba, 0x0f, 0x6b, 0xb9,
-	0xe1, 0x39, 0x22, 0x82, 0x0e, 0xd4, 0x86, 0x13, 0x47, 0x96, 0x01, 0xd8, 0xa7, 0x1e, 0x23, 0xd4,
+	0x5d, 0x20, 0x37, 0xd5, 0xed, 0x4c, 0xbd, 0xb4, 0x5b, 0xb6, 0x40, 0x71, 0xb9, 0xf4, 0x4f, 0x61,
-	0xd2, 0x31, 0x82, 0x05, 0x9d, 0x64, 0x04, 0x29, 0xe7, 0x2a, 0x93, 0xd3, 0x61, 0xc8, 0x8c, 0xf9,
+	0x69, 0xf7, 0x39, 0x1e, 0x0e, 0x4e, 0xbc, 0xe1, 0x19, 0x22, 0x82, 0x0e, 0xd4, 0x86, 0x13, 0x47,
-	0xa2, 0x29, 0x5b, 0x12, 0x8e, 0x83, 0x80, 0xcf, 0x5a, 0xc0, 0x71, 0x10, 0xa4, 0x2d, 0xba, 0x96,
+	0x16, 0x0a, 0xd8, 0xa7, 0x1e, 0x23, 0xd4, 0xd2, 0x31, 0x82, 0x05, 0x9d, 0x64, 0x04, 0x29, 0xe7,
-	0xb6, 0x68, 0xe3, 0x6b, 0x68, 0xb2, 0x01, 0xbe, 0x97, 0xf8, 0x32, 0x50, 0xae, 0x25, 0x81, 0x72,
+	0x2a, 0x93, 0xd3, 0x61, 0xc8, 0x8c, 0xf9, 0xa2, 0x29, 0x5b, 0x12, 0x8e, 0x83, 0x80, 0xcf, 0x5a,
-	0x1c, 0x6f, 0xcf, 0x6a, 0xf1, 0xb6, 0xb1, 0x01, 0x8b, 0x62, 0x2c, 0x39, 0x91, 0x0e, 0xd4, 0xa2,
+	0xc0, 0x71, 0x10, 0xa4, 0x2d, 0xba, 0x96, 0xb6, 0x68, 0xe3, 0x5b, 0x68, 0xb2, 0x01, 0xbe, 0x97,
-	0x60, 0xac, 0xf4, 0x16, 0x05, 0x63, 0xe3, 0x8f, 0xa1, 0xd5, 0xa7, 0xd4, 0x1e, 0x9e, 0x9c, 0x43,
+	0xf8, 0x32, 0x50, 0xae, 0x25, 0x81, 0x72, 0x1c, 0x6f, 0xcf, 0x6a, 0xf1, 0xb6, 0xb1, 0x01, 0x8b,
-	0x9e, 0x78, 0xac, 0xaa, 0x1e, 0xdb, 0xe7, 0x64, 0x32, 0x0c, 0x68, 0x2b, 0xde, 0xa5, 0xe3, 0xef,
+	0x62, 0x2c, 0x39, 0x91, 0x0e, 0xd4, 0xa2, 0x60, 0xac, 0xf4, 0x16, 0x05, 0x63, 0xe3, 0x8f, 0xa1,
-	0x01, 0x3a, 0x20, 0x01, 0x7d, 0x40, 0x82, 0x6f, 0xed, 0xc0, 0x39, 0x5f, 0xac, 0x8c, 0x60, 0x56,
+	0xb5, 0x45, 0xa9, 0x3d, 0x3c, 0x3e, 0x83, 0x3c, 0xf1, 0x58, 0x55, 0x3d, 0xb6, 0xcf, 0xc9, 0x64,
-	0x3e, 0x45, 0xa9, 0xdd, 0x98, 0x33, 0xf9, 0xb7, 0xf1, 0x16, 0x5c, 0x48, 0xf1, 0x2b, 0x1d, 0xf8,
+	0x18, 0xd0, 0x56, 0xbc, 0x4b, 0xc7, 0xef, 0x03, 0xda, 0x27, 0x01, 0xbd, 0x47, 0x82, 0x67, 0x76,
-	0x03, 0x68, 0x72, 0x17, 0x22, 0xe3, 0xa9, 0x1b, 0x7a, 0xad, 0x6f, 0x9a, 0x9f, 0x61, 0x19, 0x37,
+	0xe0, 0x9c, 0x2d, 0x56, 0x46, 0x30, 0x2b, 0x1f, 0xab, 0xd4, 0xae, 0xcd, 0x99, 0xfc, 0xdb, 0x78,
-	0x3b, 0x23, 0x38, 0x3c, 0x76, 0xe8, 0x3f, 0xce, 0x44, 0x1d, 0x2b, 0x69, 0xfa, 0x4c, 0xc4, 0xf1,
+	0x07, 0xce, 0xa5, 0xf8, 0x95, 0x0e, 0xfc, 0x11, 0x34, 0xb9, 0x0b, 0x91, 0xf1, 0xd4, 0x35, 0xbd,
-	0x8f, 0x15, 0x98, 0xe3, 0xf0, 0x9c, 0x47, 0xbf, 0x0c, 0x8d, 0x00, 0xfb, 0xc4, 0xa2, 0xf6, 0x28,
+	0x1a, 0x38, 0xcd, 0xcf, 0xb0, 0x8c, 0x9b, 0x9d, 0x11, 0x1c, 0x1e, 0x3b, 0xf4, 0x1f, 0x67, 0xa2,
-	0x7e, 0xdd, 0xc3, 0x00, 0x4f, 0xec, 0x51, 0xc8, 0x1f, 0x27, 0xb1, 0x4e, 0xc7, 0x1d, 0xe1, 0x90,
+	0x8e, 0x95, 0x34, 0x7d, 0x26, 0xe2, 0xf8, 0x87, 0x0a, 0xcc, 0x71, 0x78, 0xce, 0xa3, 0x5f, 0x84,
-	0xaa, 0x27, 0x3e, 0x4d, 0x06, 0xdb, 0x16, 0x20, 0xb6, 0x24, 0xa1, 0xfb, 0x67, 0x22, 0x9c, 0x98,
+	0x46, 0x80, 0x7d, 0x62, 0x51, 0x7b, 0x14, 0xbf, 0xff, 0x61, 0x80, 0xc7, 0xf6, 0x28, 0xe4, 0xcf,
-	0x35, 0xf9, 0x37, 0xba, 0x2e, 0x6e, 0xdd, 0xa7, 0x94, 0x76, 0xf8, 0x55, 0x7c, 0x0f, 0xea, 0x99,
+	0x97, 0x58, 0xa7, 0xe3, 0x8e, 0x70, 0x48, 0xd5, 0x23, 0xa0, 0x26, 0x83, 0xed, 0x08, 0x10, 0x5b,
-	0x6a, 0x4e, 0xdc, 0x36, 0x3e, 0x06, 0xa4, 0xcf, 0x59, 0x2e, 0xea, 0x9b, 0x30, 0xcf, 0x97, 0x44,
+	0x92, 0xd0, 0xfd, 0x33, 0x11, 0x4e, 0xcc, 0x9a, 0xfc, 0x1b, 0x5d, 0x15, 0xf7, 0xf2, 0x53, 0x8a,
-	0x9d, 0x87, 0xed, 0xf4, 0xa4, 0x4d, 0xd9, 0x6b, 0x7c, 0x0a, 0x48, 0xac, 0x62, 0xea, 0x0c, 0x3c,
+	0x3f, 0xfc, 0xb2, 0xbe, 0x07, 0xf5, 0x4c, 0xbd, 0x27, 0x6e, 0x1b, 0x9f, 0x02, 0xd2, 0xe7, 0x2c,
-	0xfb, 0x8a, 0x7f, 0x04, 0x17, 0x52, 0xf4, 0xf1, 0x25, 0x6b, 0x8a, 0x41, 0x76, 0x74, 0x49, 0xfc,
+	0x17, 0xf5, 0x6d, 0x98, 0xe7, 0x4b, 0xa2, 0xce, 0xc3, 0x76, 0x7a, 0xd2, 0xa6, 0xec, 0x35, 0x3e,
-	0x6f, 0x15, 0x80, 0x7e, 0x44, 0x4f, 0x64, 0xa1, 0x41, 0x9f, 0x65, 0x25, 0x3d, 0x4b, 0xd6, 0xe7,
+	0x07, 0x24, 0x56, 0x31, 0x75, 0x06, 0x9e, 0x7e, 0xc5, 0x3f, 0x81, 0x73, 0x29, 0xfa, 0xf8, 0x1a,
-	0xdb, 0x61, 0xf8, 0x2d, 0x09, 0x54, 0x90, 0x17, 0xb7, 0x79, 0x91, 0x20, 0xa2, 0x27, 0xaa, 0x74,
+	0x36, 0xc5, 0x20, 0x3b, 0xba, 0x24, 0xfe, 0xb7, 0x0a, 0xc0, 0x56, 0x44, 0x8f, 0x65, 0xa1, 0x41,
-	0xc9, 0xbe, 0xd1, 0x75, 0x68, 0x8b, 0x47, 0x59, 0x96, 0xed, 0x38, 0x01, 0x0e, 0x43, 0x59, 0xc3,
+	0x9f, 0x65, 0x25, 0x3d, 0x4b, 0xd6, 0xe7, 0xdb, 0x61, 0xf8, 0x8c, 0x04, 0x2a, 0xc8, 0x8b, 0xdb,
-	0x6c, 0x09, 0x68, 0x5f, 0x00, 0x19, 0x9a, 0xeb, 0x60, 0x8f, 0xba, 0xf4, 0xd4, 0xa2, 0xe4, 0x1b,
+	0xbc, 0x48, 0x10, 0xd1, 0x63, 0x55, 0xdc, 0x64, 0xdf, 0xe8, 0x2a, 0xb4, 0xc5, 0xb3, 0x2d, 0xcb,
-	0xec, 0xc9, 0xf0, 0xad, 0xa5, 0xa0, 0x4f, 0x18, 0x90, 0xa1, 0x05, 0x78, 0xe4, 0x86, 0x34, 0x50,
+	0x76, 0x9c, 0x00, 0x87, 0xa1, 0xac, 0x72, 0xb6, 0x04, 0x74, 0x4b, 0x00, 0x19, 0x9a, 0xeb, 0x60,
-	0x68, 0xaa, 0xa6, 0x26, 0xa1, 0x1c, 0xcd, 0xf8, 0x75, 0x05, 0x3a, 0x07, 0xd1, 0x78, 0x2c, 0x26,
+	0x8f, 0xba, 0xf4, 0xc4, 0xa2, 0xe4, 0x09, 0xf6, 0x64, 0xf8, 0xd6, 0x52, 0xd0, 0xc7, 0x0c, 0xc8,
-	0x79, 0xde, 0xb5, 0x44, 0x6f, 0xc9, 0x79, 0x54, 0x33, 0xd6, 0x90, 0x2c, 0x91, 0x9c, 0xdc, 0xf7,
+	0xd0, 0x02, 0x3c, 0x72, 0x43, 0x1a, 0x28, 0x34, 0x55, 0x75, 0x93, 0x50, 0x8e, 0x66, 0xfc, 0xba,
-	0x4f, 0x2b, 0xef, 0xc2, 0xb2, 0x26, 0xa8, 0x54, 0x5a, 0xea, 0x94, 0xae, 0xa4, 0x4f, 0x69, 0x66,
+	0x02, 0x9d, 0xfd, 0x68, 0x3c, 0x16, 0x93, 0x3c, 0xeb, 0x5a, 0xa2, 0x77, 0xe4, 0x3c, 0xaa, 0x19,
-	0x28, 0x22, 0x93, 0x7a, 0xb9, 0xc9, 0x19, 0x17, 0xe1, 0x42, 0x8a, 0x5e, 0x66, 0x61, 0xb7, 0xa0,
+	0x6b, 0x48, 0x96, 0x48, 0x4e, 0xee, 0xfb, 0xa7, 0x95, 0xb7, 0x61, 0x59, 0x13, 0x54, 0x2a, 0x2d,
-	0x25, 0x2f, 0x3a, 0xa5, 0x11, 0x5c, 0x82, 0x3a, 0x73, 0x2f, 0x43, 0xd7, 0x51, 0x35, 0xeb, 0x05,
+	0x75, 0x4a, 0x57, 0xd2, 0xa7, 0x34, 0x33, 0x14, 0x91, 0x49, 0xbd, 0xda, 0xe4, 0x8c, 0xf3, 0x70,
-	0x9f, 0x38, 0x5b, 0xae, 0x13, 0x18, 0x7b, 0xd0, 0x32, 0x05, 0x7b, 0x89, 0xfb, 0x09, 0xb4, 0xe5,
+	0x2e, 0x45, 0x2f, 0xb3, 0xb0, 0x1b, 0xd0, 0x92, 0x57, 0xa1, 0xd2, 0x08, 0x2e, 0x40, 0x9d, 0xb9,
-	0xb5, 0xa8, 0x95, 0x7a, 0x1e, 0x90, 0x14, 0x58, 0x53, 0xbc, 0xcd, 0x96, 0xa7, 0x37, 0x8d, 0x5f,
+	0x97, 0xa1, 0xeb, 0xa8, 0xaa, 0xf6, 0x82, 0x4f, 0x9c, 0x6d, 0xd7, 0x09, 0x8c, 0x3e, 0xb4, 0x4c,
-	0x42, 0xef, 0xd0, 0x77, 0x58, 0x30, 0xa5, 0x73, 0x55, 0x53, 0xfb, 0x04, 0xd4, 0xa3, 0xc1, 0x32,
+	0xc1, 0x5e, 0xe2, 0x7e, 0x06, 0x6d, 0x79, 0x71, 0x6a, 0xa5, 0x1e, 0x10, 0x24, 0x25, 0xd8, 0x14,
-	0xe6, 0x69, 0xb2, 0x56, 0xa0, 0x37, 0x8d, 0xab, 0x70, 0xb9, 0x90, 0xb9, 0x9c, 0xb7, 0x0f, 0x9d,
+	0x6f, 0xb3, 0xe5, 0xe9, 0x4d, 0xe3, 0x97, 0xd0, 0x3b, 0xf0, 0x1d, 0x16, 0x4c, 0xe9, 0x5c, 0xd5,
-	0xa4, 0xc3, 0x71, 0x55, 0xa9, 0x9e, 0x97, 0xe0, 0x2b, 0x5a, 0x09, 0x7e, 0x35, 0x3e, 0x86, 0x85,
+	0xd4, 0x3e, 0x03, 0xf5, 0xac, 0xb0, 0x8c, 0x79, 0x9a, 0xac, 0x15, 0xe8, 0x4d, 0xe3, 0x32, 0x5c,
-	0x43, 0x97, 0x2d, 0x2d, 0x68, 0xaa, 0x95, 0x05, 0x4d, 0xb3, 0xa9, 0xa0, 0xc9, 0xf8, 0x32, 0x5e,
+	0x2c, 0x64, 0x2e, 0xe7, 0xed, 0x43, 0x27, 0xe9, 0x70, 0x5c, 0x55, 0xcc, 0xe7, 0x45, 0xfa, 0x8a,
-	0x3d, 0x19, 0xb1, 0x7e, 0xc8, 0xc3, 0x66, 0x31, 0xb6, 0x72, 0x13, 0x97, 0x0a, 0x26, 0x27, 0x30,
+	0x56, 0xa4, 0x5f, 0x8d, 0x8f, 0x61, 0xe1, 0xd0, 0x65, 0x4b, 0x0b, 0x9a, 0x6a, 0x65, 0x41, 0xd3,
-	0x4c, 0x0d, 0xd9, 0x58, 0x82, 0x56, 0xca, 0x61, 0x18, 0xf7, 0xa1, 0x9d, 0xf1, 0x00, 0x77, 0x32,
+	0x6c, 0x2a, 0x68, 0x32, 0xbe, 0x8e, 0x57, 0x4f, 0x46, 0xac, 0x1f, 0xf3, 0xb0, 0x59, 0x8c, 0xad,
-	0xf1, 0x43, 0x6e, 0xd9, 0x32, 0xd1, 0xc3, 0x8a, 0x74, 0x44, 0x0f, 0xc2, 0x5d, 0xef, 0x98, 0x28,
+	0xdc, 0xc4, 0x85, 0x82, 0xc9, 0x09, 0x0c, 0x53, 0x43, 0x36, 0x96, 0xa0, 0x95, 0x72, 0x18, 0xc6,
-	0xbe, 0xd7, 0xa0, 0x79, 0x58, 0xf6, 0x00, 0x6f, 0x56, 0xdd, 0xe0, 0xbc, 0x05, 0xcb, 0x03, 0x4a,
+	0x5d, 0x68, 0x67, 0x3c, 0xc0, 0xad, 0x4c, 0xfc, 0x90, 0x5b, 0xb6, 0x4c, 0xf4, 0xb0, 0x22, 0x1d,
-	0x02, 0x7b, 0x84, 0x77, 0xf9, 0xae, 0x3d, 0x76, 0xc5, 0x1d, 0x47, 0x14, 0xc5, 0xfe, 0x9b, 0x7f,
+	0xd1, 0xbd, 0x70, 0xcf, 0x3b, 0x22, 0x8a, 0xef, 0x15, 0x68, 0x1e, 0x94, 0x3d, 0xd1, 0x9b, 0x55,
-	0x1b, 0xff, 0x51, 0x81, 0xa5, 0x07, 0xee, 0x18, 0x87, 0xa7, 0x21, 0xc5, 0x93, 0x43, 0x1e, 0x4b,
+	0x77, 0x3c, 0xef, 0xc0, 0xf2, 0x80, 0x92, 0xc0, 0x1e, 0xe1, 0x3d, 0xbe, 0x6b, 0x8f, 0x5c, 0x71,
-	0x5e, 0x81, 0x06, 0x93, 0x26, 0xa4, 0xf6, 0xc4, 0x57, 0x37, 0x3c, 0x31, 0x80, 0xad, 0x51, 0x28,
+	0x0b, 0x12, 0x45, 0xb1, 0xff, 0xe6, 0xdf, 0xc6, 0x7f, 0x54, 0x60, 0xe9, 0x9e, 0x3b, 0xc6, 0xe1,
-	0x58, 0xab, 0xec, 0x52, 0x8f, 0xe3, 0x73, 0xa3, 0xb2, 0xd8, 0x5a, 0x82, 0xd0, 0xbb, 0x00, 0x51,
+	0x49, 0x48, 0xf1, 0xe4, 0x80, 0xc7, 0x92, 0x97, 0xa0, 0xc1, 0xa4, 0x09, 0xa9, 0x3d, 0xf1, 0xd5,
-	0x88, 0x1d, 0x79, 0xab, 0x53, 0xcb, 0x1c, 0x3d, 0x87, 0x7a, 0xf5, 0x9e, 0xe1, 0x89, 0x2b, 0x9e,
+	0x1d, 0x50, 0x0c, 0x60, 0x6b, 0x14, 0x0a, 0xd6, 0x2a, 0xbb, 0xd4, 0xe3, 0xf8, 0xdc, 0xa8, 0x2c,
-	0xf7, 0xa0, 0xe9, 0x7a, 0xc4, 0xc1, 0xbc, 0x7a, 0xef, 0xc8, 0xcc, 0xb3, 0x98, 0x0a, 0x04, 0xe2,
+	0xb6, 0x96, 0x20, 0xf4, 0x3e, 0x40, 0x14, 0x62, 0x47, 0xde, 0xfb, 0xd4, 0x32, 0x47, 0xcf, 0x81,
-	0x61, 0x88, 0x1d, 0xe3, 0x4f, 0xa4, 0x17, 0x56, 0x8b, 0x27, 0x75, 0xb0, 0x03, 0xcb, 0x62, 0x43,
+	0x5e, 0xdf, 0x67, 0x78, 0xe2, 0x12, 0xe8, 0x03, 0x68, 0xba, 0x1e, 0x71, 0x30, 0xaf, 0xef, 0x3b,
-	0x1f, 0xc7, 0x93, 0x56, 0x8a, 0x4e, 0xc2, 0xb9, 0xcc, 0x82, 0x98, 0x1d, 0x57, 0x9e, 0x8a, 0x8a,
+	0x32, 0xf3, 0x2c, 0xa6, 0x02, 0x81, 0x78, 0x10, 0x62, 0xc7, 0xf8, 0x13, 0xe9, 0x85, 0xd5, 0xe2,
-	0xc2, 0xb8, 0x07, 0x17, 0x53, 0x31, 0xdf, 0x79, 0x52, 0xa5, 0x2f, 0x32, 0x79, 0x56, 0x62, 0x20,
+	0x49, 0x1d, 0xec, 0xc2, 0xb2, 0xd8, 0xd0, 0x47, 0xf1, 0xa4, 0x95, 0xa2, 0x93, 0x70, 0x2e, 0xb3,
-	0x32, 0xd1, 0x51, 0xf6, 0x51, 0x92, 0xe8, 0x84, 0x22, 0xd1, 0x09, 0x0d, 0x13, 0x2e, 0xa5, 0xd2,
+	0x20, 0x66, 0xc7, 0x95, 0xa7, 0xa2, 0xa2, 0x30, 0xee, 0xc0, 0xf9, 0x54, 0xcc, 0x77, 0x96, 0x54,
-	0xbf, 0x94, 0x20, 0xef, 0x65, 0x8e, 0xf8, 0xab, 0x25, 0xcc, 0x32, 0x67, 0xfd, 0xff, 0x54, 0x60,
+	0xe9, 0xab, 0x4c, 0x9e, 0x95, 0x18, 0x88, 0x4c, 0x74, 0x94, 0x7d, 0x94, 0x24, 0x3a, 0xa1, 0x48,
-	0xa5, 0x08, 0xe1, 0x25, 0x0b, 0x0d, 0x3f, 0x2b, 0xb9, 0x6b, 0xbf, 0x3b, 0x55, 0x9a, 0xdf, 0x4b,
+	0x74, 0x42, 0xc3, 0x84, 0x0b, 0xa9, 0xf4, 0x2f, 0x25, 0xc8, 0x07, 0x99, 0x23, 0xfe, 0x72, 0x09,
-	0x49, 0xe6, 0x21, 0xf4, 0x8a, 0x56, 0x2f, 0xaf, 0x8a, 0xda, 0x19, 0x54, 0xf1, 0xbf, 0x55, 0xad,
+	0xb3, 0xcc, 0x59, 0xff, 0x3f, 0x15, 0x58, 0x29, 0x42, 0x78, 0xc5, 0x42, 0xc3, 0xcf, 0x4a, 0x6e,
-	0x74, 0xd6, 0xa7, 0x34, 0x70, 0x8f, 0x22, 0x66, 0xbc, 0x3f, 0x54, 0x0a, 0x7c, 0x3f, 0x4e, 0xef,
+	0xe3, 0x6f, 0x4f, 0x95, 0xe6, 0xf7, 0x52, 0x92, 0xb9, 0x0f, 0xbd, 0xa2, 0xd5, 0xcb, 0xab, 0xa2,
-	0xc4, 0xfa, 0xdd, 0xc8, 0x53, 0x25, 0xa3, 0x16, 0xa6, 0x78, 0xfb, 0xe9, 0x14, 0x4f, 0x14, 0xc5,
+	0x76, 0x0a, 0x55, 0xfc, 0x6f, 0x55, 0x2b, 0x9d, 0x6d, 0x51, 0x1a, 0xb8, 0x87, 0x11, 0x33, 0xde,
-	0x6e, 0x4f, 0x65, 0xf3, 0xca, 0xd6, 0x3d, 0x9e, 0x57, 0xa0, 0x9d, 0xd6, 0x03, 0xfa, 0x18, 0xc0,
+	0x1f, 0x2a, 0x05, 0xbe, 0x1b, 0xa7, 0x77, 0x62, 0xfd, 0xae, 0xe5, 0xa9, 0x92, 0x51, 0x0b, 0x53,
-	0x8e, 0x25, 0x97, 0x26, 0x7f, 0x65, 0xda, 0xec, 0x4c, 0x0d, 0x1f, 0x5d, 0x83, 0xda, 0xd0, 0x8f,
+	0xbc, 0x47, 0xe9, 0x14, 0x4f, 0x14, 0xc5, 0x6e, 0x4e, 0x65, 0xf3, 0xda, 0xd6, 0x3d, 0x5e, 0x54,
-	0xa4, 0x46, 0x92, 0xdb, 0x91, 0x2d, 0x3f, 0x12, 0x0e, 0x80, 0xf5, 0xb2, 0xa0, 0x59, 0xdc, 0x40,
+	0xa0, 0x9d, 0xd6, 0x03, 0xfa, 0x14, 0xc0, 0x8e, 0x25, 0x97, 0x26, 0x7f, 0x69, 0xda, 0xec, 0x4c,
-	0xe7, 0x3c, 0xd7, 0x63, 0x0e, 0x16, 0xa8, 0x12, 0x07, 0x7d, 0x06, 0xed, 0x6f, 0x03, 0x97, 0xda,
+	0x0d, 0x1f, 0x5d, 0x81, 0xda, 0xd0, 0x8f, 0xa4, 0x46, 0x92, 0xdb, 0x91, 0x6d, 0x3f, 0x12, 0x0e,
-	0x47, 0x63, 0x6c, 0x8d, 0xed, 0x53, 0x1c, 0x48, 0xcf, 0x55, 0xee, 0x65, 0x5a, 0x0a, 0xff, 0x11,
+	0x80, 0xf5, 0xb2, 0xa0, 0x59, 0xdc, 0x51, 0xe7, 0x3c, 0xd7, 0x43, 0x0e, 0x16, 0xa8, 0x12, 0x07,
-	0x43, 0x37, 0x22, 0xa8, 0xab, 0xf1, 0x5f, 0xe0, 0x91, 0x1f, 0xc2, 0x5a, 0xc4, 0xd0, 0x2c, 0x7e,
+	0x7d, 0x01, 0xed, 0x67, 0x81, 0x4b, 0xed, 0xc3, 0x31, 0xb6, 0xc6, 0xf6, 0x09, 0x0e, 0xa4, 0xe7,
-	0x0b, 0xee, 0xd9, 0x1e, 0xb1, 0x42, 0xcc, 0x8e, 0x26, 0xf5, 0xf2, 0xac, 0xd8, 0x5b, 0xae, 0x70,
+	0x2a, 0xf7, 0x32, 0x2d, 0x85, 0xff, 0x80, 0xa1, 0x1b, 0x11, 0xd4, 0xd5, 0xf8, 0x2f, 0xf1, 0xc8,
-	0xa2, 0x2d, 0x12, 0xe0, 0x3d, 0xdb, 0x23, 0x03, 0x41, 0x61, 0x4c, 0xa0, 0xa9, 0x4d, 0xe7, 0x05,
+	0xf7, 0x61, 0x2d, 0x62, 0x68, 0x16, 0xbf, 0x27, 0xf7, 0x6c, 0x8f, 0x58, 0x21, 0x66, 0x47, 0x93,
-	0x23, 0xdf, 0x87, 0x65, 0x75, 0xef, 0x14, 0x62, 0x2a, 0xfd, 0xfa, 0xb4, 0x31, 0x97, 0x24, 0xfa,
+	0x7a, 0x9b, 0x56, 0xec, 0x2d, 0x57, 0x38, 0xd1, 0x36, 0x09, 0x70, 0xdf, 0xf6, 0xc8, 0x40, 0x50,
-	0x00, 0x53, 0xee, 0xdd, 0x6f, 0x5d, 0x81, 0xba, 0x7a, 0xbf, 0x8f, 0x16, 0xa0, 0xf6, 0x64, 0xeb,
+	0x18, 0x13, 0x68, 0x6a, 0xd3, 0x79, 0xc9, 0xc8, 0x77, 0x61, 0x59, 0xdd, 0x3b, 0x85, 0x98, 0x4a,
-	0xa0, 0x33, 0xc3, 0x3e, 0x0e, 0xb7, 0x0f, 0x3a, 0x95, 0x5b, 0xf7, 0x60, 0x29, 0xf3, 0xb2, 0x04,
+	0xbf, 0x3e, 0x6d, 0xcc, 0x25, 0x89, 0x3e, 0xc0, 0x94, 0x7b, 0xf7, 0x1b, 0x97, 0xa0, 0xae, 0x5e,
-	0x2d, 0x43, 0x6b, 0xd0, 0xdf, 0xdb, 0xfe, 0x7c, 0xff, 0xe7, 0x96, 0xb9, 0xd3, 0xdf, 0xfe, 0x45,
+	0xf8, 0xa3, 0x05, 0xa8, 0x3d, 0xde, 0xde, 0xef, 0xcc, 0xb0, 0x8f, 0x83, 0x9d, 0xfd, 0x4e, 0xe5,
-	0x67, 0x06, 0xad, 0x40, 0x47, 0x81, 0xf6, 0xf6, 0x9f, 0x08, 0x68, 0xe5, 0xd6, 0x37, 0x19, 0x1b,
+	0xc6, 0x1d, 0x58, 0xca, 0xbc, 0x3d, 0x41, 0xcb, 0xd0, 0x1a, 0x6c, 0xf5, 0x77, 0xbe, 0x7c, 0xf4,
-	0xc1, 0xe8, 0x22, 0x2c, 0x6f, 0xed, 0xef, 0x3d, 0xe9, 0xef, 0xee, 0xed, 0x98, 0xd6, 0x96, 0xb9,
+	0x73, 0xcb, 0xdc, 0xdd, 0xda, 0xf9, 0x45, 0x67, 0x06, 0xad, 0x40, 0x47, 0x81, 0xfa, 0x8f, 0x1e,
-	0xd3, 0x7f, 0xb2, 0xb3, 0xdd, 0x99, 0x49, 0x83, 0xcd, 0xc3, 0xbd, 0xbd, 0xdd, 0xbd, 0x2f, 0x3a,
+	0x0b, 0x68, 0xe5, 0xc6, 0x93, 0x8c, 0x8d, 0x60, 0x74, 0x1e, 0x96, 0xb7, 0x1f, 0xf5, 0x1f, 0x6f,
-	0x15, 0xc6, 0x35, 0x01, 0xef, 0xfc, 0x7c, 0x97, 0x21, 0x57, 0xd3, 0xc8, 0x87, 0x7b, 0x0f, 0xf7,
+	0xed, 0xf5, 0x77, 0x4d, 0x6b, 0xdb, 0xdc, 0xdd, 0x7a, 0xbc, 0xbb, 0xd3, 0x99, 0x49, 0x83, 0xcd,
-	0xf6, 0x7f, 0xb6, 0xd7, 0xa9, 0x6d, 0xfe, 0x76, 0x11, 0xda, 0xea, 0x10, 0xc7, 0x01, 0xbf, 0x9d,
+	0x83, 0x7e, 0x7f, 0xaf, 0xff, 0x55, 0xa7, 0xc2, 0xb8, 0x26, 0xe0, 0xdd, 0x9f, 0xef, 0x31, 0xe4,
-	0xfc, 0x14, 0x16, 0xd4, 0xaf, 0x15, 0x89, 0xf7, 0x48, 0xff, 0x07, 0xd2, 0xeb, 0xe6, 0x3b, 0x64,
+	0x6a, 0x1a, 0xf9, 0xa0, 0x7f, 0xbf, 0xff, 0xe8, 0x67, 0xfd, 0x4e, 0x6d, 0xf3, 0xb7, 0x8b, 0xd0,
-	0x30, 0x34, 0x83, 0x0e, 0x78, 0x70, 0xa2, 0xbd, 0xe2, 0xb9, 0xaa, 0x87, 0x0b, 0xb9, 0x67, 0x42,
+	0x56, 0x87, 0x38, 0x0e, 0xf8, 0xed, 0xe4, 0xe7, 0xb0, 0xa0, 0x7e, 0xbe, 0x48, 0xbc, 0x47, 0xfa,
-	0xbd, 0xf5, 0xb2, 0xee, 0x98, 0xe3, 0x80, 0x45, 0x24, 0xfa, 0x0b, 0x4c, 0xb4, 0xae, 0x9f, 0xdb,
+	0x4f, 0x91, 0x5e, 0x37, 0xdf, 0x21, 0x83, 0xa1, 0x19, 0xb4, 0xcf, 0x83, 0x13, 0xed, 0x9d, 0xcf,
-	0xf9, 0x97, 0x9d, 0xbd, 0xd7, 0x4a, 0xfb, 0x63, 0xa6, 0xbf, 0x80, 0x4e, 0xf6, 0xed, 0x25, 0x4a,
+	0x65, 0x3d, 0x5c, 0xc8, 0x3d, 0x24, 0xea, 0xad, 0x97, 0x75, 0xc7, 0x1c, 0x07, 0x2c, 0x22, 0xd1,
-	0x6e, 0x99, 0x4b, 0xde, 0x75, 0xf6, 0x5e, 0x9f, 0x82, 0xa1, 0xb3, 0xce, 0xbd, 0x5f, 0xdc, 0x28,
+	0xdf, 0x68, 0xa2, 0x75, 0xfd, 0xdc, 0xce, 0xbf, 0xfd, 0xec, 0xbd, 0x51, 0xda, 0x1f, 0x33, 0xfd,
-	0x7f, 0x81, 0x96, 0x63, 0x5d, 0xf6, 0xac, 0x4d, 0x2c, 0x45, 0xfa, 0xf5, 0x0d, 0xd2, 0x5f, 0x0d,
+	0x05, 0x74, 0xb2, 0xaf, 0x33, 0x51, 0x72, 0xcb, 0x5c, 0xf2, 0xf2, 0xb3, 0xf7, 0xe6, 0x14, 0x0c,
-	0x16, 0xbc, 0xc2, 0xd2, 0x96, 0xa2, 0xf8, 0xd9, 0x8e, 0x31, 0x83, 0xbe, 0x82, 0xa5, 0xcc, 0xc5,
+	0x9d, 0x75, 0xee, 0x85, 0xe3, 0x46, 0xf9, 0x1b, 0xb5, 0x1c, 0xeb, 0xb2, 0x87, 0x6f, 0x62, 0x29,
-	0x14, 0x4a, 0xa8, 0x8a, 0xaf, 0xd9, 0x7a, 0x1b, 0xe5, 0x08, 0x69, 0xbd, 0xe9, 0xd7, 0x4e, 0x29,
+	0xd2, 0xef, 0x73, 0x90, 0xfe, 0xae, 0xb0, 0xe0, 0x9d, 0x96, 0xb6, 0x14, 0xc5, 0x0f, 0x7b, 0x8c,
-	0xbd, 0x15, 0xdc, 0x65, 0xa5, 0xf4, 0x56, 0x78, 0x5f, 0xc5, 0xcd, 0x2b, 0x75, 0xb9, 0xa4, 0x99,
+	0x19, 0xf4, 0x0d, 0x2c, 0x65, 0x2e, 0xa6, 0x50, 0x42, 0x55, 0x7c, 0xcd, 0xd6, 0xdb, 0x28, 0x47,
-	0x57, 0xd1, 0x4d, 0x56, 0x6f, 0xbd, 0xac, 0x5b, 0x9f, 0x7e, 0xe6, 0x62, 0x49, 0x9b, 0x7e, 0xf1,
+	0x48, 0xeb, 0x4d, 0xbf, 0x76, 0x4a, 0xe9, 0xad, 0xe0, 0x2e, 0x2b, 0xa5, 0xb7, 0xc2, 0xfb, 0x2a,
-	0x7d, 0x55, 0x6f, 0xa3, 0x1c, 0x21, 0xab, 0xab, 0xa4, 0xca, 0x9d, 0xd1, 0x55, 0xee, 0x52, 0x25,
+	0x6e, 0x5e, 0xa9, 0xcb, 0x25, 0xcd, 0xbc, 0x8a, 0x6e, 0xb2, 0x7a, 0xeb, 0x65, 0xdd, 0xfa, 0xf4,
-	0xa3, 0xab, 0x7c, 0x79, 0x5c, 0xea, 0x2a, 0x53, 0xae, 0x7e, 0xad, 0xb4, 0x9c, 0x97, 0xd7, 0x55,
+	0x33, 0x17, 0x4b, 0xda, 0xf4, 0x8b, 0xef, 0xab, 0x7a, 0x1b, 0xe5, 0x08, 0x59, 0x5d, 0x25, 0x55,
-	0x71, 0x85, 0xd0, 0x98, 0x41, 0x7d, 0xa8, 0xab, 0x7a, 0x1c, 0x4a, 0x76, 0x77, 0xa6, 0x08, 0xd8,
+	0xee, 0x8c, 0xae, 0x72, 0x97, 0x2a, 0x19, 0x5d, 0xe5, 0xcb, 0xe3, 0x52, 0x57, 0x99, 0x72, 0xf5,
-	0xbb, 0x54, 0xd0, 0x13, 0xb3, 0x78, 0x0f, 0x66, 0x19, 0x14, 0xad, 0xa4, 0x90, 0x14, 0xe9, 0xc5,
+	0x1b, 0xa5, 0xe5, 0xbc, 0xbc, 0xae, 0x8a, 0x2b, 0x84, 0xc6, 0x0c, 0xda, 0x82, 0xba, 0xaa, 0xc7,
-	0x0c, 0x34, 0x26, 0xfb, 0x08, 0xe6, 0x45, 0xf9, 0x0a, 0x25, 0x79, 0x45, 0xaa, 0x56, 0xd6, 0x5b,
+	0xa1, 0x64, 0x77, 0x67, 0x8a, 0x80, 0xbd, 0x0b, 0x05, 0x3d, 0x31, 0x8b, 0x0f, 0x60, 0x96, 0x41,
-	0xcb, 0xc1, 0x63, 0xe2, 0x2f, 0xc5, 0xef, 0x56, 0xb2, 0x0e, 0x85, 0x2e, 0xa7, 0x9e, 0xf5, 0xa7,
+	0xd1, 0x4a, 0x0a, 0x49, 0x91, 0x9e, 0xcf, 0x40, 0x63, 0xb2, 0x4f, 0x60, 0x5e, 0x94, 0xaf, 0x50,
-	0xab, 0x5d, 0xbd, 0x2b, 0xc5, 0x9d, 0xba, 0xbe, 0x32, 0x87, 0xf3, 0x7a, 0x59, 0xf4, 0x94, 0xd3,
+	0x92, 0x57, 0xa4, 0x6a, 0x65, 0xbd, 0xb5, 0x1c, 0x3c, 0x26, 0xfe, 0x5a, 0xfc, 0x90, 0x25, 0xeb,
-	0x57, 0x71, 0x34, 0x66, 0xcc, 0x20, 0x4b, 0x94, 0x74, 0x32, 0x8c, 0x8d, 0x62, 0x45, 0xa7, 0x98,
+	0x50, 0xe8, 0x62, 0xea, 0xe1, 0x7f, 0xba, 0xda, 0xd5, 0xbb, 0x54, 0xdc, 0xa9, 0xeb, 0x2b, 0x73,
-	0x5f, 0x9b, 0x8a, 0x13, 0x0f, 0x70, 0x04, 0x17, 0x0a, 0x92, 0x53, 0x94, 0x50, 0x97, 0xe7, 0xc5,
+	0x38, 0xaf, 0x97, 0x45, 0x4f, 0x39, 0x7d, 0x15, 0x47, 0x63, 0xc6, 0x0c, 0xb2, 0x44, 0x49, 0x27,
-	0xbd, 0x37, 0xa6, 0x23, 0xe9, 0x2a, 0x92, 0xb6, 0xb6, 0xaa, 0x6f, 0x50, 0xcd, 0xc4, 0xd6, 0x72,
+	0xc3, 0xd8, 0x28, 0x56, 0x74, 0x8a, 0xf9, 0x95, 0xa9, 0x38, 0xf1, 0x00, 0x87, 0x70, 0xae, 0x20,
-	0x70, 0x45, 0xbc, 0xf9, 0x17, 0x35, 0x58, 0x14, 0x25, 0x04, 0x79, 0xc0, 0x7c, 0x01, 0x90, 0x54,
+	0x39, 0x45, 0x09, 0x75, 0x79, 0x5e, 0xdc, 0x7b, 0x6b, 0x3a, 0x92, 0xae, 0x22, 0x69, 0x6b, 0xab,
-	0xb9, 0x50, 0x2f, 0x35, 0xcd, 0x54, 0xb9, 0xaf, 0x77, 0xb9, 0xb0, 0x4f, 0x57, 0xbe, 0x56, 0xb0,
+	0xfa, 0x06, 0xd5, 0x4c, 0x6c, 0x2d, 0x07, 0x57, 0xc4, 0x9b, 0x7f, 0x51, 0x83, 0x45, 0x51, 0x42,
-	0xd2, 0x94, 0x9f, 0x2f, 0x83, 0x69, 0xca, 0x2f, 0xa8, 0x71, 0x19, 0x33, 0x68, 0x1b, 0x1a, 0x71,
+	0x90, 0x07, 0xcc, 0x57, 0x00, 0x49, 0x95, 0x0b, 0xf5, 0x52, 0xd3, 0x4c, 0x95, 0xfb, 0x7a, 0x17,
-	0x15, 0x05, 0x69, 0xc5, 0x97, 0x4c, 0x09, 0xa8, 0xd7, 0x2b, 0xea, 0xd2, 0x25, 0xd2, 0x2a, 0x23,
+	0x0b, 0xfb, 0x74, 0xe5, 0x6b, 0x05, 0x2b, 0x4d, 0xf9, 0xf9, 0x32, 0x98, 0xa6, 0xfc, 0x82, 0x1a,
-	0x9a, 0x44, 0xf9, 0x7a, 0x8b, 0x26, 0x51, 0x51, 0x31, 0x25, 0x99, 0x9d, 0x48, 0x04, 0xb3, 0xb3,
+	0x97, 0x31, 0x83, 0x76, 0xa0, 0x11, 0x57, 0x51, 0x90, 0x56, 0x7c, 0xc9, 0x94, 0x80, 0x7a, 0xbd,
-	0x4b, 0xe5, 0xd6, 0xd9, 0xd9, 0xa5, 0x73, 0x47, 0x63, 0xe6, 0xf3, 0x2b, 0xbf, 0xf9, 0xdd, 0x7a,
+	0xa2, 0x2e, 0x5d, 0x22, 0xad, 0x32, 0xa2, 0x49, 0x94, 0xaf, 0xb7, 0x68, 0x12, 0x15, 0x15, 0x53,
-	0xe5, 0x3f, 0x7f, 0xb7, 0x3e, 0xf3, 0xe7, 0xcf, 0xd7, 0x2b, 0xbf, 0x79, 0xbe, 0x5e, 0xf9, 0xf7,
+	0x92, 0xd9, 0x89, 0x44, 0x30, 0x3b, 0xbb, 0x54, 0x6e, 0x9d, 0x9d, 0x5d, 0x3a, 0x77, 0x34, 0x66,
-	0xe7, 0xeb, 0x95, 0xdf, 0x3e, 0x5f, 0xaf, 0x7c, 0xf7, 0xdf, 0xeb, 0x33, 0x47, 0xf3, 0xfc, 0xff,
+	0xbe, 0xbc, 0xf4, 0x9b, 0xdf, 0xad, 0x57, 0xfe, 0xf3, 0x77, 0xeb, 0x33, 0x7f, 0xfe, 0x62, 0xbd,
-	0xc3, 0x77, 0xff, 0x3f, 0x00, 0x00, 0xff, 0xff, 0x05, 0xad, 0x49, 0x79, 0x33, 0x3a, 0x00, 0x00,
+	0xf2, 0x9b, 0x17, 0xeb, 0x95, 0x7f, 0x7f, 0xb1, 0x5e, 0xf9, 0xed, 0x8b, 0xf5, 0xca, 0x77, 0xff,
+	0xbd, 0x3e, 0x73, 0x38, 0xcf, 0xff, 0x50, 0x7c, 0xff, 0xff, 0x03, 0x00, 0x00, 0xff, 0xff, 0xbd,
+	0x17, 0xb2, 0x8b, 0x55, 0x3a, 0x00, 0x00,
 }

pkg/kubelet/apis/cri/v1alpha1/runtime/api.proto

@@ -514,6 +514,9 @@ message LinuxContainerSecurityContext {
     // * localhost/<full-path-to-profile>: the profile installed on the node.
     //   <full-path-to-profile> is the full path of the profile.
     string seccomp_profile_path = 10;
+    // no_new_privs defines if the flag for no_new_privs should be set on the
+    // container.
+    bool no_new_privs = 11;
 }
 
 // LinuxContainerConfig contains platform-specific configuration for
@@ -982,7 +985,7 @@ message FilesystemUsage {
     // The underlying storage of the filesystem.
     StorageIdentifier storage_id = 2;
     // UsedBytes represents the bytes used for images on the filesystem.
-    // This may differ from the total bytes used on the filesystem and may not 
+    // This may differ from the total bytes used on the filesystem and may not
     // equal CapacityBytes - AvailableBytes.
     UInt64Value used_bytes = 3;
     // InodesUsed represents the inodes used by the images.

pkg/kubelet/dockershim/security_context.go

@@ -113,6 +113,10 @@ func modifyHostConfig(sc *runtimeapi.LinuxContainerSecurityContext, hostConfig *
 	}
 	hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, apparmorSecurityOpts...)
 
+	if sc.NoNewPrivs {
+		hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, "no-new-privileges")
+	}
+
 	return nil
 }
 

pkg/kubelet/kubelet.go

@@ -798,6 +798,7 @@ func NewMainKubelet(kubeCfg *componentconfig.KubeletConfiguration, kubeDeps *Dep
 
 	klet.appArmorValidator = apparmor.NewValidator(kubeCfg.ContainerRuntime)
 	klet.softAdmitHandlers.AddPodAdmitHandler(lifecycle.NewAppArmorAdmitHandler(klet.appArmorValidator))
+	klet.softAdmitHandlers.AddPodAdmitHandler(lifecycle.NewNoNewPrivsAdmitHandler(klet.containerRuntime))
 	if utilfeature.DefaultFeatureGate.Enabled(features.Accelerators) {
 		if kubeCfg.ContainerRuntime == kubetypes.DockerContainerRuntime {
 			if klet.gpuManager, err = nvidia.NewNvidiaGPUManager(klet, kubeDeps.DockerClient); err != nil {

pkg/kubelet/kuberuntime/security_context.go

@@ -66,6 +66,8 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Po
 		synthesized.SupplementalGroups = append(synthesized.SupplementalGroups, groups...)
 	}
 
+	synthesized.NoNewPrivs = securitycontext.AddNoNewPrivileges(effectiveSc)
+
 	return synthesized
 }
 

pkg/kubelet/lifecycle/handlers.go

@@ -165,3 +165,74 @@ func (a *appArmorAdmitHandler) Admit(attrs *PodAdmitAttributes) PodAdmitResult {
 		Message: fmt.Sprintf("Cannot enforce AppArmor: %v", err),
 	}
 }
+
+func NewNoNewPrivsAdmitHandler(runtime kubecontainer.Runtime) PodAdmitHandler {
+	return &noNewPrivsAdmitHandler{
+		Runtime: runtime,
+	}
+}
+
+type noNewPrivsAdmitHandler struct {
+	kubecontainer.Runtime
+}
+
+func (a *noNewPrivsAdmitHandler) Admit(attrs *PodAdmitAttributes) PodAdmitResult {
+	// If the pod is already running or terminated, no need to recheck NoNewPrivs.
+	if attrs.Pod.Status.Phase != v1.PodPending {
+		return PodAdmitResult{Admit: true}
+	}
+
+	// If the containers in a pod do not require no-new-privs, admit it.
+	if !noNewPrivsRequired(attrs.Pod) {
+		return PodAdmitResult{Admit: true}
+	}
+
+	// Make sure it is either docker or rkt runtimes.
+	if a.Runtime.Type() != kubetypes.DockerContainerRuntime && a.Runtime.Type() != kubetypes.RktContainerRuntime {
+		return PodAdmitResult{
+			Admit:   false,
+			Reason:  "NoNewPrivs",
+			Message: fmt.Sprintf("Cannot enforce NoNewPrivs: %s runtime not supported", a.Runtime.Type()),
+		}
+	}
+
+	if a.Runtime.Type() != kubetypes.DockerContainerRuntime {
+		// Make sure docker api version is valid.
+		rversion, err := a.Runtime.APIVersion()
+		if err != nil {
+			return PodAdmitResult{
+				Admit:   false,
+				Reason:  "NoNewPrivs",
+				Message: fmt.Sprintf("Cannot enforce NoNewPrivs: %v", err),
+			}
+		}
+		v, err := rversion.Compare("1.23")
+		if err != nil {
+			return PodAdmitResult{
+				Admit:   false,
+				Reason:  "NoNewPrivs",
+				Message: fmt.Sprintf("Cannot enforce NoNewPrivs: %v", err),
+			}
+		}
+		// If the version is less than 1.23 it will return -1 above.
+		if v == -1 {
+			return PodAdmitResult{
+				Admit:   false,
+				Reason:  "NoNewPrivs",
+				Message: fmt.Sprintf("Cannot enforce NoNewPrivs: docker runtime API version %q must be greater than or equal to 1.23", rversion.String()),
+			}
+		}
+	}
+
+	return PodAdmitResult{Admit: true}
+}
+
+func noNewPrivsRequired(pod *v1.Pod) bool {
+	// Iterate over pod containers and check if we added no-new-privs.
+	for _, c := range pod.Spec.Containers {
+		if c.SecurityContext != nil && c.SecurityContext.AllowPrivilegeEscalation != nil && !*c.SecurityContext.AllowPrivilegeEscalation {
+			return true
+		}
+	}
+	return false
+}

pkg/kubelet/rkt/rkt.go

@@ -439,6 +439,14 @@ func setIsolators(app *appctypes.App, c *v1.Container, ctx *v1.SecurityContext)
 		}
 	}
 
+	if ok := securitycontext.AddNoNewPrivileges(ctx); ok {
+		isolator, err := newNoNewPrivilegesIsolator(true)
+		if err != nil {
+			return err
+		}
+		isolators = append(isolators, *isolator)
+	}
+
 	mergeIsolators(app, isolators)
 	return nil
 }
@@ -2621,3 +2629,16 @@ func convertKubePortMappings(portMappings []kubecontainer.PortMapping) ([]appcty
 
 	return containerPorts, hostPorts
 }
+
+func newNoNewPrivilegesIsolator(v bool) (*appctypes.Isolator, error) {
+	b := fmt.Sprintf(`{"name": "%s", "value": %t}`, appctypes.LinuxNoNewPrivilegesName, v)
+
+	i := &appctypes.Isolator{
+		Name: appctypes.LinuxNoNewPrivilegesName,
+	}
+	if err := i.UnmarshalJSON([]byte(b)); err != nil {
+		return nil, err
+	}
+
+	return i, nil
+}

pkg/kubelet/rkt/rkt_test.go

@@ -23,6 +23,7 @@ import (
 	"os"
 	"path/filepath"
 	"sort"
+	"strings"
 	"testing"
 	"time"
 
@@ -48,7 +49,6 @@ import (
 	"k8s.io/kubernetes/pkg/kubelet/types"
 	"k8s.io/utils/exec"
 	fakeexec "k8s.io/utils/exec/testing"
-	"strings"
 )
 
 func mustMarshalPodManifest(man *appcschema.PodManifest) []byte {
@@ -938,6 +938,7 @@ func baseImageManifest(t *testing.T) *appcschema.ImageManifest {
 func baseAppWithRootUserGroup(t *testing.T) *appctypes.App {
 	app := baseApp(t)
 	app.User, app.Group = "0", "0"
+	app.Isolators = append(app.Isolators)
 	return app
 }
 

pkg/security/podsecuritypolicy/provider.go

@@ -183,6 +183,17 @@ func (s *simpleProvider) CreateContainerSecurityContext(pod *api.Pod, container
 		sc.ReadOnlyRootFilesystem = &readOnlyRootFS
 	}
 
+	// if the PSP sets DefaultAllowPrivilegeEscalation and the container security context
+	// allowPrivilegeEscalation is not set, then default to that set by the PSP.
+	if s.psp.Spec.DefaultAllowPrivilegeEscalation != nil && sc.AllowPrivilegeEscalation == nil {
+		sc.AllowPrivilegeEscalation = s.psp.Spec.DefaultAllowPrivilegeEscalation
+	}
+
+	// if the PSP sets psp.AllowPrivilegeEscalation to false set that as the default
+	if !s.psp.Spec.AllowPrivilegeEscalation && sc.AllowPrivilegeEscalation == nil {
+		sc.AllowPrivilegeEscalation = &s.psp.Spec.AllowPrivilegeEscalation
+	}
+
 	return sc, annotations, nil
 }
 
@@ -301,6 +312,15 @@ func (s *simpleProvider) ValidateContainerSecurityContext(pod *api.Pod, containe
 		}
 	}
 
+	if !s.psp.Spec.AllowPrivilegeEscalation && sc.AllowPrivilegeEscalation == nil {
+		allErrs = append(allErrs, field.Invalid(fldPath.Child("allowPrivilegeEscalation"), sc.AllowPrivilegeEscalation, "Allowing privilege escalation for containers is not allowed"))
+
+	}
+
+	if !s.psp.Spec.AllowPrivilegeEscalation && sc.AllowPrivilegeEscalation != nil && *sc.AllowPrivilegeEscalation {
+		allErrs = append(allErrs, field.Invalid(fldPath.Child("allowPrivilegeEscalation"), *sc.AllowPrivilegeEscalation, "Allowing privilege escalation for containers is not allowed"))
+	}
+
 	return allErrs
 }
 

pkg/security/podsecuritypolicy/provider_test.go

@@ -920,6 +920,7 @@ func defaultPSP() *extensions.PodSecurityPolicy {
 			SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{
 				Rule: extensions.SupplementalGroupsStrategyRunAsAny,
 			},
+			AllowPrivilegeEscalation: true,
 		},
 	}
 }
@@ -1033,3 +1034,111 @@ func TestValidateAllowedVolumes(t *testing.T) {
 		}
 	}
 }
+
+// TestValidateAllowPrivilegeEscalation will test that when the podSecurityPolicy
+// AllowPrivilegeEscalation is false we cannot set a container's securityContext
+// to allowPrivilegeEscalation, but when it is true we can.
+func TestValidateAllowPrivilegeEscalation(t *testing.T) {
+	pod := defaultPod()
+	pe := true
+	pod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation = &pe
+
+	// create a PSP that does not allow privilege escalation
+	psp := defaultPSP()
+	psp.Spec.AllowPrivilegeEscalation = false
+
+	provider, err := NewSimpleProvider(psp, "namespace", NewSimpleStrategyFactory())
+	if err != nil {
+		t.Errorf("error creating provider: %v", err.Error())
+	}
+
+	// expect a denial for this PSP and test the error message to ensure it's related to allowPrivilegeEscalation
+	errs := provider.ValidateContainerSecurityContext(pod, &pod.Spec.Containers[0], field.NewPath(""))
+	if len(errs) != 1 {
+		t.Errorf("expected exactly 1 error but got %v", errs)
+	} else {
+		if !strings.Contains(errs.ToAggregate().Error(), "Allowing privilege escalation for containers is not allowed") {
+			t.Errorf("did not find the expected error, received: %v", errs)
+		}
+	}
+
+	// now add allowPrivilegeEscalation to the podSecurityPolicy
+	psp.Spec.AllowPrivilegeEscalation = true
+	errs = provider.ValidateContainerSecurityContext(pod, &pod.Spec.Containers[0], field.NewPath(""))
+	if len(errs) != 0 {
+		t.Errorf("directly allowing privilege escalation expected no errors but got %v", errs)
+	}
+}
+
+// TestValidateDefaultAllowPrivilegeEscalation will test that when the podSecurityPolicy
+// DefaultAllowPrivilegeEscalation is false we cannot set a container's
+// securityContext to allowPrivilegeEscalation but when it is true we can.
+func TestValidateDefaultAllowPrivilegeEscalation(t *testing.T) {
+	pod := defaultPod()
+	pe := true
+	pod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation = &pe
+
+	// create a PSP that does not allow privilege escalation
+	psp := defaultPSP()
+	dpe := false
+	psp.Spec.DefaultAllowPrivilegeEscalation = &dpe
+	psp.Spec.AllowPrivilegeEscalation = false
+
+	provider, err := NewSimpleProvider(psp, "namespace", NewSimpleStrategyFactory())
+	if err != nil {
+		t.Errorf("error creating provider: %v", err.Error())
+	}
+
+	// expect a denial for this PSP and test the error message to ensure it's related to allowPrivilegeEscalation
+	errs := provider.ValidateContainerSecurityContext(pod, &pod.Spec.Containers[0], field.NewPath(""))
+	if len(errs) != 1 {
+		t.Errorf("expected exactly 1 error but got %v", errs)
+	} else {
+		if !strings.Contains(errs.ToAggregate().Error(), "Allowing privilege escalation for containers is not allowed") {
+			t.Errorf("did not find the expected error, received: %v", errs)
+		}
+	}
+
+	// now add DefaultAllowPrivilegeEscalation to the podSecurityPolicy
+	dpe = true
+	psp.Spec.DefaultAllowPrivilegeEscalation = &dpe
+	psp.Spec.AllowPrivilegeEscalation = false
+
+	// expect a denial for this PSP because we did not allowPrivilege Escalation via the PodSecurityPolicy
+	// and test the error message to ensure it's related to allowPrivilegeEscalation
+	errs = provider.ValidateContainerSecurityContext(pod, &pod.Spec.Containers[0], field.NewPath(""))
+	if len(errs) != 1 {
+		t.Errorf("expected exactly 1 error but got %v", errs)
+	} else {
+		if !strings.Contains(errs.ToAggregate().Error(), "Allowing privilege escalation for containers is not allowed") {
+			t.Errorf("did not find the expected error, received: %v", errs)
+		}
+	}
+
+	// Now set AllowPrivilegeEscalation
+	psp.Spec.AllowPrivilegeEscalation = true
+	errs = provider.ValidateContainerSecurityContext(pod, &pod.Spec.Containers[0], field.NewPath(""))
+	if len(errs) != 0 {
+		t.Errorf("directly allowing privilege escalation expected no errors but got %v", errs)
+	}
+
+	// Now set the psp spec to false and reset AllowPrivilegeEscalation
+	psp.Spec.AllowPrivilegeEscalation = false
+	pod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation = nil
+	errs = provider.ValidateContainerSecurityContext(pod, &pod.Spec.Containers[0], field.NewPath(""))
+	if len(errs) != 1 {
+		t.Errorf("expected exactly 1 error but got %v", errs)
+	} else {
+		if !strings.Contains(errs.ToAggregate().Error(), "Allowing privilege escalation for containers is not allowed") {
+			t.Errorf("did not find the expected error, received: %v", errs)
+		}
+	}
+
+	// Now unset both AllowPrivilegeEscalation
+	psp.Spec.AllowPrivilegeEscalation = true
+	pod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation = nil
+	errs = provider.ValidateContainerSecurityContext(pod, &pod.Spec.Containers[0], field.NewPath(""))
+	if len(errs) != 0 {
+		t.Errorf("resetting allowing privilege escalation expected no errors but got %v", errs)
+	}
+}

pkg/securitycontext/util.go

@@ -133,6 +133,11 @@ func DetermineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container) *v1
 		*effectiveSc.ReadOnlyRootFilesystem = *containerSc.ReadOnlyRootFilesystem
 	}
 
+	if containerSc.AllowPrivilegeEscalation != nil {
+		effectiveSc.AllowPrivilegeEscalation = new(bool)
+		*effectiveSc.AllowPrivilegeEscalation = *containerSc.AllowPrivilegeEscalation
+	}
+
 	return effectiveSc
 }
 
@@ -205,6 +210,11 @@ func InternalDetermineEffectiveSecurityContext(pod *api.Pod, container *api.Cont
 		*effectiveSc.ReadOnlyRootFilesystem = *containerSc.ReadOnlyRootFilesystem
 	}
 
+	if containerSc.AllowPrivilegeEscalation != nil {
+		effectiveSc.AllowPrivilegeEscalation = new(bool)
+		*effectiveSc.AllowPrivilegeEscalation = *containerSc.AllowPrivilegeEscalation
+	}
+
 	return effectiveSc
 }
 
@@ -231,3 +241,38 @@ func internalSecurityContextFromPodSecurityContext(pod *api.Pod) *api.SecurityCo
 
 	return synthesized
 }
+
+// AddNoNewPrivileges returns if we should add the no_new_privs option. This will return true if:
+// 1) the container is not privileged
+// 2) CAP_SYS_ADMIN is not being added
+// 3) if podSecurityPolicy.DefaultAllowPrivilegeEscalation is:
+//		- nil, then return false
+//		- true, then return false
+//		- false, then return true
+func AddNoNewPrivileges(sc *v1.SecurityContext) bool {
+	if sc == nil {
+		return false
+	}
+
+	// handle the case where the container is privileged
+	if sc.Privileged != nil && *sc.Privileged {
+		return false
+	}
+
+	// handle the case where we are adding CAP_SYS_ADMIN
+	if sc.Capabilities != nil {
+		for _, cap := range sc.Capabilities.Add {
+			if string(cap) == "CAP_SYS_ADMIN" {
+				return false
+			}
+		}
+	}
+
+	// handle the case where the user did not set the default and did not explicitly set allowPrivilegeEscalation
+	if sc.AllowPrivilegeEscalation == nil {
+		return false
+	}
+
+	// handle the case where defaultAllowPrivilegeEscalation is false or the user explicitly set allowPrivilegeEscalation to true/false
+	return !*sc.AllowPrivilegeEscalation
+}

pkg/securitycontext/util_test.go

@@ -176,3 +176,100 @@ func TestHasRootRunAsUser(t *testing.T) {
 		}
 	}
 }
+
+func TestAddNoNewPrivileges(t *testing.T) {
+	var nonRoot int64 = 1000
+	var root int64 = 0
+	pfalse := false
+	ptrue := true
+
+	tests := map[string]struct {
+		sc     v1.SecurityContext
+		expect bool
+	}{
+		"allowPrivilegeEscalation nil security context nil": {},
+		"allowPrivilegeEscalation nil capAddSysadmin": {
+			sc: v1.SecurityContext{
+				Capabilities: &v1.Capabilities{
+					Add: []v1.Capability{"CAP_SYS_ADMIN"},
+				},
+			},
+		},
+		"allowPrivilegeEscalation nil privileged": {
+			sc: v1.SecurityContext{
+				Privileged: &ptrue,
+			},
+		},
+		"allowPrivilegeEscalation nil nonRoot": {
+			sc: v1.SecurityContext{
+				RunAsUser: &nonRoot,
+			},
+		},
+		"allowPrivilegeEscalation nil root": {
+			sc: v1.SecurityContext{
+				RunAsUser: &root,
+			},
+		},
+		"allowPrivilegeEscalation false capAddSysadmin": {
+			sc: v1.SecurityContext{
+				Capabilities: &v1.Capabilities{
+					Add: []v1.Capability{"CAP_SYS_ADMIN"},
+				},
+				AllowPrivilegeEscalation: &pfalse,
+			},
+		},
+		"allowPrivilegeEscalation false privileged": {
+			sc: v1.SecurityContext{
+				Privileged:               &ptrue,
+				AllowPrivilegeEscalation: &pfalse,
+			},
+		},
+		"allowPrivilegeEscalation false nonRoot": {
+			sc: v1.SecurityContext{
+				RunAsUser:                &nonRoot,
+				AllowPrivilegeEscalation: &pfalse,
+			},
+			expect: true,
+		},
+		"allowPrivilegeEscalation false root": {
+			sc: v1.SecurityContext{
+				RunAsUser:                &root,
+				AllowPrivilegeEscalation: &pfalse,
+			},
+			expect: true,
+		},
+		"allowPrivilegeEscalation true capAddSysadmin": {
+			sc: v1.SecurityContext{
+				Capabilities: &v1.Capabilities{
+					Add: []v1.Capability{"CAP_SYS_ADMIN"},
+				},
+				AllowPrivilegeEscalation: &ptrue,
+			},
+		},
+		"allowPrivilegeEscalation true privileged": {
+			sc: v1.SecurityContext{
+				Privileged:               &ptrue,
+				AllowPrivilegeEscalation: &ptrue,
+			},
+		},
+		"allowPrivilegeEscalation true nonRoot": {
+			sc: v1.SecurityContext{
+				RunAsUser:                &nonRoot,
+				AllowPrivilegeEscalation: &ptrue,
+			},
+		},
+		"allowPrivilegeEscalation true root": {
+			sc: v1.SecurityContext{
+				RunAsUser:                &root,
+				AllowPrivilegeEscalation: &ptrue,
+			},
+		},
+	}
+
+	for k, v := range tests {
+		actual := AddNoNewPrivileges(&v.sc)
+		if actual != v.expect {
+			t.Errorf("%s failed, expected %t but received %t", k, v.expect, actual)
+		}
+	}
+}

staging/src/k8s.io/api/core/v1/generated.proto

@@ -3540,6 +3540,15 @@ message SecurityContext {
   // Default is false.
   // +optional
   optional bool readOnlyRootFilesystem = 6;
+
+  // AllowPrivilegeEscalation controls whether a process can gain more
+  // privileges than it's parent process. This bool directly controls if
+  // the no_new_privs flag will be set on the container process.
+  // AllowPrivilegeEscalation is true always when the container is:
+  // 1) run as Privileged
+  // 2) has CAP_SYS_ADMIN
+  // +optional
+  optional bool allowPrivilegeEscalation = 7;
 }
 
 // SerializedReference is a reference to serialized object.

staging/src/k8s.io/api/core/v1/types.generated.go

@@ -67986,7 +67986,7 @@ func (x *SecurityContext) CodecEncodeSelf(e *codec1978.Encoder) {
 		} else {
 			yysep2 := !z.EncBinary()
 			yy2arr2 := z.EncBasicHandle().StructToArray
-			var yyq2 [6]bool
+			var yyq2 [7]bool
 			_, _, _ = yysep2, yyq2, yy2arr2
 			const yyr2 bool = false
 			yyq2[0] = x.Capabilities != nil
@@ -67995,9 +67995,10 @@ func (x *SecurityContext) CodecEncodeSelf(e *codec1978.Encoder) {
 			yyq2[3] = x.RunAsUser != nil
 			yyq2[4] = x.RunAsNonRoot != nil
 			yyq2[5] = x.ReadOnlyRootFilesystem != nil
+			yyq2[6] = x.AllowPrivilegeEscalation != nil
 			var yynn2 int
 			if yyr2 || yy2arr2 {
-				r.EncodeArrayStart(6)
+				r.EncodeArrayStart(7)
 			} else {
 				yynn2 = 0
 				for _, b := range yyq2 {
@@ -68194,6 +68195,41 @@ func (x *SecurityContext) CodecEncodeSelf(e *codec1978.Encoder) {
 					}
 				}
 			}
+			if yyr2 || yy2arr2 {
+				z.EncSendContainerState(codecSelfer_containerArrayElem1234)
+				if yyq2[6] {
+					if x.AllowPrivilegeEscalation == nil {
+						r.EncodeNil()
+					} else {
+						yy30 := *x.AllowPrivilegeEscalation
+						yym31 := z.EncBinary()
+						_ = yym31
+						if false {
+						} else {
+							r.EncodeBool(bool(yy30))
+						}
+					}
+				} else {
+					r.EncodeNil()
+				}
+			} else {
+				if yyq2[6] {
+					z.EncSendContainerState(codecSelfer_containerMapKey1234)
+					r.EncodeString(codecSelferC_UTF81234, string("allowPrivilegeEscalation"))
+					z.EncSendContainerState(codecSelfer_containerMapValue1234)
+					if x.AllowPrivilegeEscalation == nil {
+						r.EncodeNil()
+					} else {
+						yy32 := *x.AllowPrivilegeEscalation
+						yym33 := z.EncBinary()
+						_ = yym33
+						if false {
+						} else {
+							r.EncodeBool(bool(yy32))
+						}
+					}
+				}
+			}
 			if yyr2 || yy2arr2 {
 				z.EncSendContainerState(codecSelfer_containerArrayEnd1234)
 			} else {
@@ -68341,6 +68377,22 @@ func (x *SecurityContext) codecDecodeSelfFromMap(l int, d *codec1978.Decoder) {
 					*((*bool)(x.ReadOnlyRootFilesystem)) = r.DecodeBool()
 				}
 			}
+		case "allowPrivilegeEscalation":
+			if r.TryDecodeAsNil() {
+				if x.AllowPrivilegeEscalation != nil {
+					x.AllowPrivilegeEscalation = nil
+				}
+			} else {
+				if x.AllowPrivilegeEscalation == nil {
+					x.AllowPrivilegeEscalation = new(bool)
+				}
+				yym15 := z.DecBinary()
+				_ = yym15
+				if false {
+				} else {
+					*((*bool)(x.AllowPrivilegeEscalation)) = r.DecodeBool()
+				}
+			}
 		default:
 			z.DecStructFieldNotFound(-1, yys3)
 		} // end switch yys3
@@ -68352,16 +68404,16 @@ func (x *SecurityContext) codecDecodeSelfFromArray(l int, d *codec1978.Decoder)
 	var h codecSelfer1234
 	z, r := codec1978.GenHelperDecoder(d)
 	_, _, _ = h, z, r
-	var yyj14 int
+	var yyj16 int
-	var yyb14 bool
+	var yyb16 bool
-	var yyhl14 bool = l >= 0
+	var yyhl16 bool = l >= 0
-	yyj14++
+	yyj16++
-	if yyhl14 {
+	if yyhl16 {
-		yyb14 = yyj14 > l
+		yyb16 = yyj16 > l
 	} else {
-		yyb14 = r.CheckBreak()
+		yyb16 = r.CheckBreak()
 	}
-	if yyb14 {
+	if yyb16 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -68376,13 +68428,13 @@ func (x *SecurityContext) codecDecodeSelfFromArray(l int, d *codec1978.Decoder)
 		}
 		x.Capabilities.CodecDecodeSelf(d)
 	}
-	yyj14++
+	yyj16++
-	if yyhl14 {
+	if yyhl16 {
-		yyb14 = yyj14 > l
+		yyb16 = yyj16 > l
 	} else {
-		yyb14 = r.CheckBreak()
+		yyb16 = r.CheckBreak()
 	}
-	if yyb14 {
+	if yyb16 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -68395,20 +68447,20 @@ func (x *SecurityContext) codecDecodeSelfFromArray(l int, d *codec1978.Decoder)
 		if x.Privileged == nil {
 			x.Privileged = new(bool)
 		}
-		yym17 := z.DecBinary()
+		yym19 := z.DecBinary()
-		_ = yym17
+		_ = yym19
 		if false {
 		} else {
 			*((*bool)(x.Privileged)) = r.DecodeBool()
 		}
 	}
-	yyj14++
+	yyj16++
-	if yyhl14 {
+	if yyhl16 {
-		yyb14 = yyj14 > l
+		yyb16 = yyj16 > l
 	} else {
-		yyb14 = r.CheckBreak()
+		yyb16 = r.CheckBreak()
 	}
-	if yyb14 {
+	if yyb16 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -68423,13 +68475,13 @@ func (x *SecurityContext) codecDecodeSelfFromArray(l int, d *codec1978.Decoder)
 		}
 		x.SELinuxOptions.CodecDecodeSelf(d)
 	}
-	yyj14++
+	yyj16++
-	if yyhl14 {
+	if yyhl16 {
-		yyb14 = yyj14 > l
+		yyb16 = yyj16 > l
 	} else {
-		yyb14 = r.CheckBreak()
+		yyb16 = r.CheckBreak()
 	}
-	if yyb14 {
+	if yyb16 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -68442,20 +68494,20 @@ func (x *SecurityContext) codecDecodeSelfFromArray(l int, d *codec1978.Decoder)
 		if x.RunAsUser == nil {
 			x.RunAsUser = new(int64)
 		}
-		yym20 := z.DecBinary()
+		yym22 := z.DecBinary()
-		_ = yym20
+		_ = yym22
 		if false {
 		} else {
 			*((*int64)(x.RunAsUser)) = int64(r.DecodeInt(64))
 		}
 	}
-	yyj14++
+	yyj16++
-	if yyhl14 {
+	if yyhl16 {
-		yyb14 = yyj14 > l
+		yyb16 = yyj16 > l
 	} else {
-		yyb14 = r.CheckBreak()
+		yyb16 = r.CheckBreak()
 	}
-	if yyb14 {
+	if yyb16 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -68468,20 +68520,20 @@ func (x *SecurityContext) codecDecodeSelfFromArray(l int, d *codec1978.Decoder)
 		if x.RunAsNonRoot == nil {
 			x.RunAsNonRoot = new(bool)
 		}
-		yym22 := z.DecBinary()
+		yym24 := z.DecBinary()
-		_ = yym22
+		_ = yym24
 		if false {
 		} else {
 			*((*bool)(x.RunAsNonRoot)) = r.DecodeBool()
 		}
 	}
-	yyj14++
+	yyj16++
-	if yyhl14 {
+	if yyhl16 {
-		yyb14 = yyj14 > l
+		yyb16 = yyj16 > l
 	} else {
-		yyb14 = r.CheckBreak()
+		yyb16 = r.CheckBreak()
 	}
-	if yyb14 {
+	if yyb16 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -68494,25 +68546,51 @@ func (x *SecurityContext) codecDecodeSelfFromArray(l int, d *codec1978.Decoder)
 		if x.ReadOnlyRootFilesystem == nil {
 			x.ReadOnlyRootFilesystem = new(bool)
 		}
-		yym24 := z.DecBinary()
+		yym26 := z.DecBinary()
-		_ = yym24
+		_ = yym26
 		if false {
 		} else {
 			*((*bool)(x.ReadOnlyRootFilesystem)) = r.DecodeBool()
 		}
 	}
-	for {
+	yyj16++
-		yyj14++
+	if yyhl16 {
-		if yyhl14 {
+		yyb16 = yyj16 > l
-			yyb14 = yyj14 > l
+	} else {
-		} else {
+		yyb16 = r.CheckBreak()
-			yyb14 = r.CheckBreak()
+	}
+	if yyb16 {
+		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
+		return
+	}
+	z.DecSendContainerState(codecSelfer_containerArrayElem1234)
+	if r.TryDecodeAsNil() {
+		if x.AllowPrivilegeEscalation != nil {
+			x.AllowPrivilegeEscalation = nil
 		}
-		if yyb14 {
+	} else {
+		if x.AllowPrivilegeEscalation == nil {
+			x.AllowPrivilegeEscalation = new(bool)
+		}
+		yym28 := z.DecBinary()
+		_ = yym28
+		if false {
+		} else {
+			*((*bool)(x.AllowPrivilegeEscalation)) = r.DecodeBool()
+		}
+	}
+	for {
+		yyj16++
+		if yyhl16 {
+			yyb16 = yyj16 > l
+		} else {
+			yyb16 = r.CheckBreak()
+		}
+		if yyb16 {
 			break
 		}
 		z.DecSendContainerState(codecSelfer_containerArrayElem1234)
-		z.DecStructFieldNotFound(yyj14-1, "")
+		z.DecStructFieldNotFound(yyj16-1, "")
 	}
 	z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 }

staging/src/k8s.io/api/core/v1/types.go

@@ -4613,6 +4613,14 @@ type SecurityContext struct {
 	// Default is false.
 	// +optional
 	ReadOnlyRootFilesystem *bool `json:"readOnlyRootFilesystem,omitempty" protobuf:"varint,6,opt,name=readOnlyRootFilesystem"`
+	// AllowPrivilegeEscalation controls whether a process can gain more
+	// privileges than it's parent process. This bool directly controls if
+	// the no_new_privs flag will be set on the container process.
+	// AllowPrivilegeEscalation is true always when the container is:
+	// 1) run as Privileged
+	// 2) has CAP_SYS_ADMIN
+	// +optional
+	AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty" protobuf:"varint,7,opt,name=allowPrivilegeEscalation"`
 }
 
 // SELinuxOptions are the labels to be applied to the container

staging/src/k8s.io/api/core/v1/types_swagger_doc_generated.go

@@ -1763,13 +1763,14 @@ func (SecretVolumeSource) SwaggerDoc() map[string]string {
 }
 
 var map_SecurityContext = map[string]string{
-	"":                       "SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext.  When both are set, the values in SecurityContext take precedence.",
+	"":                         "SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext.  When both are set, the values in SecurityContext take precedence.",
-	"capabilities":           "The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime.",
+	"capabilities":             "The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime.",
-	"privileged":             "Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false.",
+	"privileged":               "Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false.",
-	"seLinuxOptions":         "The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container.  May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
+	"seLinuxOptions":           "The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container.  May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
-	"runAsUser":              "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
+	"runAsUser":                "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
-	"runAsNonRoot":           "Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
+	"runAsNonRoot":             "Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
-	"readOnlyRootFilesystem": "Whether this container has a read-only root filesystem. Default is false.",
+	"readOnlyRootFilesystem":   "Whether this container has a read-only root filesystem. Default is false.",
+	"allowPrivilegeEscalation": "AllowPrivilegeEscalation controls whether a process can gain more privileges than it's parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN",
 }
 
 func (SecurityContext) SwaggerDoc() map[string]string {

staging/src/k8s.io/api/core/v1/zz_generated.deepcopy.go

@@ -5262,6 +5262,15 @@ func (in *SecurityContext) DeepCopyInto(out *SecurityContext) {
 			**out = **in
 		}
 	}
+	if in.AllowPrivilegeEscalation != nil {
+		in, out := &in.AllowPrivilegeEscalation, &out.AllowPrivilegeEscalation
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(bool)
+			**out = **in
+		}
+	}
 	return
 }
 

staging/src/k8s.io/api/extensions/v1beta1/generated.pb.go

@@ -2005,6 +2005,26 @@ func (m *PodSecurityPolicySpec) MarshalTo(dAtA []byte) (int, error) {
 		dAtA[i] = 0
 	}
 	i++
+	if m.DefaultAllowPrivilegeEscalation != nil {
+		dAtA[i] = 0x78
+		i++
+		if *m.DefaultAllowPrivilegeEscalation {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	dAtA[i] = 0x80
+	i++
+	dAtA[i] = 0x1
+	i++
+	if m.AllowPrivilegeEscalation {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
 	return i, nil
 }
 
@@ -3267,6 +3287,10 @@ func (m *PodSecurityPolicySpec) Size() (n int) {
 	l = m.FSGroup.Size()
 	n += 1 + l + sovGenerated(uint64(l))
 	n += 2
+	if m.DefaultAllowPrivilegeEscalation != nil {
+		n += 2
+	}
+	n += 3
 	return n
 }
 
@@ -4001,6 +4025,8 @@ func (this *PodSecurityPolicySpec) String() string {
 		`SupplementalGroups:` + strings.Replace(strings.Replace(this.SupplementalGroups.String(), "SupplementalGroupsStrategyOptions", "SupplementalGroupsStrategyOptions", 1), `&`, ``, 1) + `,`,
 		`FSGroup:` + strings.Replace(strings.Replace(this.FSGroup.String(), "FSGroupStrategyOptions", "FSGroupStrategyOptions", 1), `&`, ``, 1) + `,`,
 		`ReadOnlyRootFilesystem:` + fmt.Sprintf("%v", this.ReadOnlyRootFilesystem) + `,`,
+		`DefaultAllowPrivilegeEscalation:` + valueToStringGenerated(this.DefaultAllowPrivilegeEscalation) + `,`,
+		`AllowPrivilegeEscalation:` + fmt.Sprintf("%v", this.AllowPrivilegeEscalation) + `,`,
 		`}`,
 	}, "")
 	return s
@@ -9440,6 +9466,47 @@ func (m *PodSecurityPolicySpec) Unmarshal(dAtA []byte) error {
 				}
 			}
 			m.ReadOnlyRootFilesystem = bool(v != 0)
+		case 15:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DefaultAllowPrivilegeEscalation", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			b := bool(v != 0)
+			m.DefaultAllowPrivilegeEscalation = &b
+		case 16:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AllowPrivilegeEscalation", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.AllowPrivilegeEscalation = bool(v != 0)
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGenerated(dAtA[iNdEx:])
@@ -11892,217 +11959,220 @@ func init() {
 }
 
 var fileDescriptorGenerated = []byte{
-	// 3383 bytes of a gzipped FileDescriptorProto
+	// 3431 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x5b, 0x4d, 0x6c, 0x1b, 0xc7,
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x5b, 0x4f, 0x6c, 0x1b, 0xc7,
-	0xf5, 0xf7, 0x8a, 0xa2, 0x44, 0x3e, 0x59, 0x92, 0x35, 0x72, 0x64, 0x46, 0x8e, 0x25, 0x67, 0x03,
+	0xd5, 0xf7, 0x8a, 0xa2, 0x44, 0x3d, 0x59, 0x92, 0x35, 0x72, 0x64, 0x46, 0x8e, 0x45, 0x67, 0x03,
-	0xf8, 0x6f, 0xe7, 0x6f, 0x93, 0xb1, 0x13, 0x27, 0x6e, 0x8c, 0xa6, 0x15, 0xa5, 0xd8, 0x56, 0x2a,
+	0xf8, 0xb3, 0xf3, 0xd9, 0x64, 0xec, 0xc4, 0x89, 0xbf, 0x18, 0x5f, 0xbe, 0x4f, 0x94, 0xfc, 0x47,
-	0xc9, 0xf4, 0x90, 0x52, 0x5a, 0xa3, 0x6e, 0xb3, 0x22, 0x47, 0xd4, 0x5a, 0xcb, 0xdd, 0xcd, 0xee,
+	0xa9, 0x24, 0xd3, 0x43, 0x4a, 0x69, 0x8d, 0xb8, 0xcd, 0x8a, 0x1c, 0x51, 0x6b, 0x2d, 0x77, 0x37,
-	0xac, 0x62, 0x5e, 0x8a, 0x9e, 0x02, 0x14, 0x68, 0xd1, 0xf6, 0x90, 0x22, 0xbd, 0x35, 0x97, 0x9e,
+	0xbb, 0xb3, 0x8a, 0x79, 0x29, 0x7a, 0x0a, 0x50, 0xa0, 0x45, 0xdb, 0x43, 0x8a, 0xf4, 0xd6, 0x5c,
-	0x5a, 0x34, 0xb7, 0xf6, 0x10, 0x14, 0x28, 0xd0, 0x02, 0x46, 0x91, 0x16, 0x39, 0xb5, 0xe9, 0x45,
+	0x7a, 0x6a, 0xd1, 0xdc, 0xda, 0x43, 0x50, 0xa0, 0x40, 0x0b, 0x18, 0x45, 0x5a, 0xe4, 0xd4, 0xe6,
-	0x68, 0x94, 0x63, 0xcf, 0x05, 0x0a, 0x1f, 0x8a, 0x62, 0x66, 0x67, 0xbf, 0x77, 0x45, 0x52, 0xb1,
+	0x24, 0x34, 0xca, 0xb1, 0xe7, 0x02, 0x85, 0x0f, 0x45, 0x31, 0xb3, 0xb3, 0xff, 0x77, 0x45, 0x52,
-	0x85, 0xa2, 0x37, 0x71, 0xde, 0x7b, 0xbf, 0xf7, 0x31, 0x33, 0x6f, 0xde, 0xcc, 0x5b, 0xc1, 0x8d,
+	0xb1, 0x85, 0xa2, 0x37, 0x71, 0xde, 0x7b, 0xbf, 0xf7, 0x67, 0x66, 0xde, 0xbc, 0x99, 0xb7, 0x82,
-	0x9d, 0x6b, 0x76, 0x59, 0x35, 0x2a, 0x3b, 0xce, 0x26, 0xb1, 0x74, 0x42, 0x89, 0x5d, 0xd9, 0x25,
+	0x9b, 0x3b, 0xd7, 0xec, 0xb2, 0x6a, 0x54, 0x76, 0x9c, 0x4d, 0x62, 0xe9, 0x84, 0x12, 0xbb, 0xb2,
-	0x7a, 0xcb, 0xb0, 0x2a, 0x82, 0xa0, 0x98, 0x6a, 0x85, 0x3c, 0xa0, 0x44, 0xb7, 0x55, 0x43, 0xb7,
+	0x4b, 0xf4, 0x96, 0x61, 0x55, 0x04, 0x41, 0x31, 0xd5, 0x0a, 0x79, 0x48, 0x89, 0x6e, 0xab, 0x86,
-	0x2b, 0xbb, 0x97, 0x37, 0x09, 0x55, 0x2e, 0x57, 0xda, 0x44, 0x27, 0x96, 0x42, 0x49, 0xab, 0x6c,
+	0x6e, 0x57, 0x76, 0x2f, 0x6f, 0x12, 0xaa, 0x5c, 0xae, 0xb4, 0x89, 0x4e, 0x2c, 0x85, 0x92, 0x56,
-	0x5a, 0x06, 0x35, 0xd0, 0x19, 0x97, 0xbd, 0xac, 0x98, 0x6a, 0x39, 0x60, 0x2f, 0x0b, 0xf6, 0xd9,
+	0xd9, 0xb4, 0x0c, 0x6a, 0xa0, 0x33, 0x2e, 0x7b, 0x59, 0x31, 0xd5, 0x72, 0xc0, 0x5e, 0x16, 0xec,
-	0x4b, 0x6d, 0x95, 0x6e, 0x3b, 0x9b, 0xe5, 0xa6, 0xd1, 0xa9, 0xb4, 0x8d, 0xb6, 0x51, 0xe1, 0x52,
+	0x73, 0x97, 0xda, 0x2a, 0xdd, 0x76, 0x36, 0xcb, 0x4d, 0xa3, 0x53, 0x69, 0x1b, 0x6d, 0xa3, 0xc2,
-	0x9b, 0xce, 0x16, 0xff, 0xc5, 0x7f, 0xf0, 0xbf, 0x5c, 0xb4, 0x59, 0x39, 0xa4, 0xbc, 0x69, 0x58,
+	0xa5, 0x36, 0x9d, 0x2d, 0xfe, 0x8b, 0xff, 0xe0, 0x7f, 0xb9, 0x68, 0x73, 0x72, 0x48, 0x79, 0xd3,
-	0xa4, 0xb2, 0x9b, 0xd0, 0x38, 0x7b, 0x21, 0xc4, 0x63, 0x1a, 0x9a, 0xda, 0xec, 0x66, 0x19, 0x37,
+	0xb0, 0x48, 0x65, 0x37, 0xa1, 0x71, 0xee, 0x42, 0x88, 0xc7, 0x34, 0x34, 0xb5, 0xd9, 0xcd, 0x32,
-	0xfb, 0x52, 0xc0, 0xda, 0x51, 0x9a, 0xdb, 0xaa, 0x4e, 0xac, 0x6e, 0xc5, 0xdc, 0x69, 0x73, 0x59,
+	0x6e, 0xee, 0x95, 0x80, 0xb5, 0xa3, 0x34, 0xb7, 0x55, 0x9d, 0x58, 0xdd, 0x8a, 0xb9, 0xd3, 0xe6,
-	0x8b, 0xd8, 0x86, 0x63, 0x35, 0xc9, 0x40, 0x52, 0x76, 0xa5, 0x43, 0xa8, 0x92, 0x66, 0x56, 0x25,
+	0xb2, 0x16, 0xb1, 0x0d, 0xc7, 0x6a, 0x92, 0x81, 0xa4, 0xec, 0x4a, 0x87, 0x50, 0x25, 0xcd, 0xac,
-	0x4b, 0xca, 0x72, 0x74, 0xaa, 0x76, 0x92, 0x6a, 0x5e, 0xee, 0x25, 0x60, 0x37, 0xb7, 0x49, 0x47,
+	0x4a, 0x96, 0x94, 0xe5, 0xe8, 0x54, 0xed, 0x24, 0xd5, 0xbc, 0xda, 0x4b, 0xc0, 0x6e, 0x6e, 0x93,
-	0x49, 0xc8, 0xbd, 0x98, 0x25, 0xe7, 0x50, 0x55, 0xab, 0xa8, 0x3a, 0xb5, 0xa9, 0x15, 0x17, 0x92,
+	0x8e, 0x92, 0x90, 0x7b, 0x39, 0x4b, 0xce, 0xa1, 0xaa, 0x56, 0x51, 0x75, 0x6a, 0x53, 0x2b, 0x2e,
-	0xcb, 0x00, 0x0b, 0xb5, 0xe5, 0x0d, 0x62, 0xb1, 0xe9, 0x41, 0x67, 0x61, 0x58, 0x57, 0x3a, 0xa4,
+	0x24, 0x97, 0x01, 0x16, 0x6a, 0xcb, 0x1b, 0xc4, 0x62, 0xd3, 0x83, 0xce, 0xc2, 0xb0, 0xae, 0x74,
-	0x24, 0x9d, 0x95, 0xce, 0x17, 0xab, 0xc7, 0x1f, 0xee, 0xcd, 0x1f, 0xdb, 0xdf, 0x9b, 0x1f, 0x5e,
+	0x48, 0x51, 0x3a, 0x2b, 0x9d, 0x1f, 0xab, 0x1e, 0x7f, 0xb4, 0x57, 0x3a, 0xb6, 0xbf, 0x57, 0x1a,
-	0x53, 0x3a, 0x04, 0x73, 0x8a, 0xfc, 0x53, 0x09, 0x9e, 0x5e, 0x74, 0x6c, 0x6a, 0x74, 0x56, 0x09,
+	0x5e, 0x53, 0x3a, 0x04, 0x73, 0x8a, 0xfc, 0x13, 0x09, 0x9e, 0x5d, 0x74, 0x6c, 0x6a, 0x74, 0x56,
-	0xb5, 0xd4, 0xe6, 0xa2, 0x63, 0x59, 0x44, 0xa7, 0x75, 0xaa, 0x50, 0xc7, 0xee, 0x2d, 0x8f, 0xee,
+	0x09, 0xb5, 0xd4, 0xe6, 0xa2, 0x63, 0x59, 0x44, 0xa7, 0x75, 0xaa, 0x50, 0xc7, 0xee, 0x2d, 0x8f,
-	0x42, 0x7e, 0x57, 0xd1, 0x1c, 0x52, 0x1a, 0x3a, 0x2b, 0x9d, 0x1f, 0xbb, 0x52, 0x2e, 0x07, 0xcb,
+	0xee, 0x41, 0x7e, 0x57, 0xd1, 0x1c, 0x52, 0x1c, 0x3a, 0x2b, 0x9d, 0x1f, 0xbf, 0x52, 0x2e, 0x07,
-	0xc4, 0x37, 0xba, 0x6c, 0xee, 0xb4, 0xf9, 0xba, 0xf1, 0x66, 0xa2, 0x7c, 0xc7, 0x51, 0x74, 0xaa,
+	0xcb, 0xc4, 0x37, 0xba, 0x6c, 0xee, 0xb4, 0xf9, 0xba, 0xf1, 0x66, 0xa2, 0x7c, 0xd7, 0x51, 0x74,
-	0xd2, 0x6e, 0xf5, 0xa4, 0x80, 0x3c, 0x2e, 0xf4, 0x6e, 0x30, 0x2c, 0xec, 0x42, 0xca, 0xdf, 0x81,
+	0xaa, 0xd2, 0x6e, 0xf5, 0xa4, 0x80, 0x3c, 0x2e, 0xf4, 0x6e, 0x30, 0x2c, 0xec, 0x42, 0xca, 0xdf,
-	0x33, 0x99, 0xa6, 0xad, 0xa8, 0x36, 0x45, 0xf7, 0x20, 0xaf, 0x52, 0xd2, 0xb1, 0x4b, 0xd2, 0xd9,
+	0x86, 0x33, 0x99, 0xa6, 0xad, 0xa8, 0x36, 0x45, 0xf7, 0x21, 0xaf, 0x52, 0xd2, 0xb1, 0x8b, 0xd2,
-	0xdc, 0xf9, 0xb1, 0x2b, 0xd7, 0xca, 0x07, 0xae, 0xd1, 0x72, 0x26, 0x58, 0x75, 0x5c, 0x98, 0x91,
+	0xd9, 0xdc, 0xf9, 0xf1, 0x2b, 0xd7, 0xca, 0x07, 0xae, 0xd1, 0x72, 0x26, 0x58, 0x75, 0x42, 0x98,
-	0x5f, 0x66, 0x70, 0xd8, 0x45, 0x95, 0x7f, 0x2c, 0x01, 0x0a, 0xcb, 0x34, 0x14, 0xab, 0x4d, 0x68,
+	0x91, 0x5f, 0x66, 0x70, 0xd8, 0x45, 0x95, 0x7f, 0x24, 0x01, 0x0a, 0xcb, 0x34, 0x14, 0xab, 0x4d,
-	0x1f, 0x41, 0xf9, 0xc6, 0x17, 0x0b, 0xca, 0xb4, 0x80, 0x1c, 0x73, 0x15, 0x46, 0x62, 0x62, 0xc2,
+	0x68, 0x1f, 0x41, 0xf9, 0xc6, 0x57, 0x0b, 0xca, 0x8c, 0x80, 0x1c, 0x77, 0x15, 0x46, 0x62, 0x62,
-	0x4c, 0xd2, 0x24, 0x1e, 0x8c, 0x8d, 0x68, 0x30, 0x2e, 0x0f, 0x10, 0x0c, 0x17, 0x25, 0x23, 0x0a,
+	0xc2, 0x6c, 0xd2, 0x24, 0x1e, 0x8c, 0x8d, 0x68, 0x30, 0x2e, 0x0f, 0x10, 0x0c, 0x17, 0x25, 0x23,
-	0xef, 0x0d, 0x41, 0x71, 0x49, 0x21, 0x1d, 0x43, 0xaf, 0x13, 0x8a, 0xde, 0x82, 0x02, 0xdb, 0x18,
+	0x0a, 0x1f, 0x0c, 0xc1, 0xd8, 0x92, 0x42, 0x3a, 0x86, 0x5e, 0x27, 0x14, 0xbd, 0x03, 0x05, 0xb6,
-	0x2d, 0x85, 0x2a, 0x3c, 0x00, 0x63, 0x57, 0x5e, 0x38, 0xc8, 0x3b, 0xbb, 0xcc, 0xb8, 0xcb, 0xbb,
+	0x31, 0x5a, 0x0a, 0x55, 0x78, 0x00, 0xc6, 0xaf, 0xbc, 0x74, 0x90, 0x77, 0x76, 0x99, 0x71, 0x97,
-	0x97, 0xcb, 0xb7, 0x37, 0xef, 0x93, 0x26, 0x5d, 0x25, 0x54, 0xa9, 0x22, 0xa1, 0x07, 0x82, 0x31,
+	0x77, 0x2f, 0x97, 0xef, 0x6c, 0x3e, 0x20, 0x4d, 0xba, 0x4a, 0xa8, 0x52, 0x45, 0x42, 0x0f, 0x04,
-	0xec, 0xa3, 0xa2, 0x35, 0x18, 0xb6, 0x4d, 0xd2, 0x14, 0xb1, 0xbb, 0xd8, 0xc3, 0x0d, 0xdf, 0xb2,
+	0x63, 0xd8, 0x47, 0x45, 0x6b, 0x30, 0x6c, 0x9b, 0xa4, 0x29, 0x62, 0x77, 0xb1, 0x87, 0x1b, 0xbe,
-	0xba, 0x49, 0x9a, 0xc1, 0x64, 0xb0, 0x5f, 0x98, 0xe3, 0xa0, 0x0d, 0x18, 0xb1, 0xf9, 0x2c, 0x97,
+	0x65, 0x75, 0x93, 0x34, 0x83, 0xc9, 0x60, 0xbf, 0x30, 0xc7, 0x41, 0x1b, 0x30, 0x62, 0xf3, 0x59,
-	0x72, 0x89, 0xd9, 0x38, 0x18, 0xd1, 0x5d, 0x1b, 0x13, 0x02, 0x73, 0xc4, 0xfd, 0x8d, 0x05, 0x9a,
+	0x2e, 0xe6, 0x12, 0xb3, 0x71, 0x30, 0xa2, 0xbb, 0x36, 0x26, 0x05, 0xe6, 0x88, 0xfb, 0x1b, 0x0b,
-	0xfc, 0x91, 0x04, 0xe3, 0x3e, 0x2f, 0x9f, 0x81, 0x6f, 0x26, 0x62, 0x53, 0xee, 0x2f, 0x36, 0x4c,
+	0x34, 0xf9, 0x13, 0x09, 0x26, 0x7c, 0x5e, 0x3e, 0x03, 0x6f, 0x27, 0x62, 0x53, 0xee, 0x2f, 0x36,
-	0x9a, 0x47, 0xe6, 0x84, 0xd0, 0x55, 0xf0, 0x46, 0x42, 0x71, 0x59, 0xf5, 0xe6, 0x77, 0x88, 0xcf,
+	0x4c, 0x9a, 0x47, 0xe6, 0x84, 0xd0, 0x55, 0xf0, 0x46, 0x42, 0x71, 0x59, 0xf5, 0xe6, 0x77, 0x88,
-	0xef, 0xf9, 0x7e, 0xdd, 0xc8, 0x98, 0xd6, 0x9f, 0x0c, 0x87, 0xcc, 0x67, 0xe1, 0x42, 0xf7, 0xa0,
+	0xcf, 0xef, 0xf9, 0x7e, 0xdd, 0xc8, 0x98, 0xd6, 0x1f, 0x0f, 0x87, 0xcc, 0x67, 0xe1, 0x42, 0xf7,
-	0x60, 0x13, 0x8d, 0x34, 0xa9, 0x61, 0x09, 0xf3, 0x5f, 0xec, 0xd3, 0x7c, 0x65, 0x93, 0x68, 0x75,
+	0xa1, 0x60, 0x13, 0x8d, 0x34, 0xa9, 0x61, 0x09, 0xf3, 0x5f, 0xee, 0xd3, 0x7c, 0x65, 0x93, 0x68,
-	0x21, 0x5a, 0x3d, 0xce, 0xec, 0xf7, 0x7e, 0x61, 0x1f, 0x12, 0xdd, 0x81, 0x02, 0x25, 0x1d, 0x53,
+	0x75, 0x21, 0x5a, 0x3d, 0xce, 0xec, 0xf7, 0x7e, 0x61, 0x1f, 0x12, 0xdd, 0x85, 0x02, 0x25, 0x1d,
-	0x53, 0xa8, 0xb7, 0x2f, 0x9e, 0x0b, 0xbb, 0xc0, 0x4e, 0x01, 0x06, 0x56, 0x33, 0x5a, 0x0d, 0xc1,
+	0x53, 0x53, 0xa8, 0xb7, 0x2f, 0x5e, 0x08, 0xbb, 0xc0, 0x4e, 0x01, 0x06, 0x56, 0x33, 0x5a, 0x0d,
-	0xc6, 0xa7, 0xd4, 0x0f, 0x89, 0x37, 0x8a, 0x7d, 0x18, 0xb4, 0x0b, 0x13, 0x8e, 0xd9, 0x62, 0x9c,
+	0xc1, 0xc6, 0xa7, 0xd4, 0x0f, 0x89, 0x37, 0x8a, 0x7d, 0x18, 0xb4, 0x0b, 0x93, 0x8e, 0xd9, 0x62,
-	0x94, 0xe5, 0xc0, 0x76, 0x57, 0x4c, 0xf1, 0xcb, 0xfd, 0xc6, 0x66, 0x3d, 0x22, 0x5d, 0x9d, 0x11,
+	0x9c, 0x94, 0xe5, 0xc0, 0x76, 0x57, 0x4c, 0xf1, 0xab, 0xfd, 0xc6, 0x66, 0x3d, 0x22, 0x5d, 0x9d,
-	0xba, 0x26, 0xa2, 0xe3, 0x38, 0xa6, 0x05, 0x2d, 0xc0, 0x64, 0x47, 0xd5, 0x31, 0x51, 0x5a, 0xdd,
+	0x15, 0xba, 0x26, 0xa3, 0xe3, 0x38, 0xa6, 0x05, 0x2d, 0xc0, 0x54, 0x47, 0xd5, 0x31, 0x51, 0x5a,
-	0x3a, 0x69, 0x1a, 0x7a, 0xcb, 0x2e, 0x0d, 0x9f, 0x95, 0xce, 0xe7, 0xab, 0xa7, 0x04, 0xc0, 0xe4,
+	0xdd, 0x3a, 0x69, 0x1a, 0x7a, 0xcb, 0x2e, 0x0e, 0x9f, 0x95, 0xce, 0xe7, 0xab, 0xa7, 0x04, 0xc0,
-	0x6a, 0x94, 0x8c, 0xe3, 0xfc, 0xe8, 0x0d, 0x40, 0x9e, 0x1b, 0x37, 0xdd, 0x14, 0xae, 0x1a, 0x7a,
+	0xd4, 0x6a, 0x94, 0x8c, 0xe3, 0xfc, 0xe8, 0x4d, 0x40, 0x9e, 0x1b, 0xb7, 0xdc, 0x14, 0xae, 0x1a,
-	0x29, 0x7f, 0x56, 0x3a, 0x9f, 0xab, 0xce, 0x0a, 0x14, 0xd4, 0x48, 0x70, 0xe0, 0x14, 0x29, 0xb4,
+	0x7a, 0x31, 0x7f, 0x56, 0x3a, 0x9f, 0xab, 0xce, 0x09, 0x14, 0xd4, 0x48, 0x70, 0xe0, 0x14, 0x29,
-	0x02, 0x27, 0x2d, 0xb2, 0xab, 0x32, 0x1f, 0x6f, 0xa9, 0x36, 0x35, 0xac, 0xee, 0x8a, 0xda, 0x51,
+	0xb4, 0x02, 0x27, 0x2d, 0xb2, 0xab, 0x32, 0x1f, 0x6f, 0xab, 0x36, 0x35, 0xac, 0xee, 0x8a, 0xda,
-	0x69, 0x69, 0x84, 0xdb, 0x54, 0xda, 0xdf, 0x9b, 0x3f, 0x89, 0x53, 0xe8, 0x38, 0x55, 0x4a, 0xfe,
+	0x51, 0x69, 0x71, 0x84, 0xdb, 0x54, 0xdc, 0xdf, 0x2b, 0x9d, 0xc4, 0x29, 0x74, 0x9c, 0x2a, 0x25,
-	0x30, 0x0f, 0x93, 0xb1, 0x3d, 0x80, 0x36, 0x60, 0xa6, 0xe9, 0x26, 0xcc, 0x35, 0xa7, 0xb3, 0x49,
+	0x7f, 0x9c, 0x87, 0xa9, 0xd8, 0x1e, 0x40, 0x1b, 0x30, 0xdb, 0x74, 0x13, 0xe6, 0x9a, 0xd3, 0xd9,
-	0xac, 0x7a, 0x73, 0x9b, 0xb4, 0x1c, 0x8d, 0xb4, 0xf8, 0x42, 0xc9, 0x57, 0xe7, 0x84, 0xc5, 0x33,
+	0x24, 0x56, 0xbd, 0xb9, 0x4d, 0x5a, 0x8e, 0x46, 0x5a, 0x7c, 0xa1, 0xe4, 0xab, 0xf3, 0xc2, 0xe2,
-	0x8b, 0xa9, 0x5c, 0x38, 0x43, 0x9a, 0x45, 0x41, 0xe7, 0x43, 0xab, 0xaa, 0x6d, 0xfb, 0x98, 0x43,
+	0xd9, 0xc5, 0x54, 0x2e, 0x9c, 0x21, 0xcd, 0xa2, 0xa0, 0xf3, 0xa1, 0x55, 0xd5, 0xb6, 0x7d, 0xcc,
-	0x1c, 0xd3, 0x8f, 0xc2, 0x5a, 0x82, 0x03, 0xa7, 0x48, 0x31, 0x1b, 0x5b, 0xc4, 0x56, 0x2d, 0xd2,
+	0x21, 0x8e, 0xe9, 0x47, 0x61, 0x2d, 0xc1, 0x81, 0x53, 0xa4, 0x98, 0x8d, 0x2d, 0x62, 0xab, 0x16,
-	0x8a, 0xdb, 0x98, 0x8b, 0xda, 0xb8, 0x94, 0xca, 0x85, 0x33, 0xa4, 0xd1, 0x55, 0x18, 0x73, 0xb5,
+	0x69, 0xc5, 0x6d, 0xcc, 0x45, 0x6d, 0x5c, 0x4a, 0xe5, 0xc2, 0x19, 0xd2, 0xe8, 0x2a, 0x8c, 0xbb,
-	0xf1, 0xf9, 0x13, 0x13, 0xed, 0xa7, 0xe8, 0xb5, 0x80, 0x84, 0xc3, 0x7c, 0xcc, 0x35, 0x63, 0xd3,
+	0xda, 0xf8, 0xfc, 0x89, 0x89, 0xf6, 0x53, 0xf4, 0x5a, 0x40, 0xc2, 0x61, 0x3e, 0xe6, 0x9a, 0xb1,
-	0x26, 0xd6, 0x2e, 0x69, 0x65, 0x4f, 0xf0, 0xed, 0x04, 0x07, 0x4e, 0x91, 0x62, 0xae, 0xb9, 0x2b,
+	0x69, 0x13, 0x6b, 0x97, 0xb4, 0xb2, 0x27, 0xf8, 0x4e, 0x82, 0x03, 0xa7, 0x48, 0x31, 0xd7, 0xdc,
-	0x30, 0xe1, 0xda, 0x48, 0xd4, 0xb5, 0xf5, 0x54, 0x2e, 0x9c, 0x21, 0xcd, 0xd6, 0xb1, 0x6b, 0xf2,
+	0x15, 0x98, 0x70, 0x6d, 0x24, 0xea, 0xda, 0x7a, 0x2a, 0x17, 0xce, 0x90, 0x66, 0xeb, 0xd8, 0x35,
-	0xc2, 0xae, 0xa2, 0x6a, 0xca, 0xa6, 0x46, 0x4a, 0xa3, 0xd1, 0x75, 0xbc, 0x16, 0x25, 0xe3, 0x38,
+	0x79, 0x61, 0x57, 0x51, 0x35, 0x65, 0x53, 0x23, 0xc5, 0xd1, 0xe8, 0x3a, 0x5e, 0x8b, 0x92, 0x71,
-	0x3f, 0xba, 0x09, 0x53, 0xee, 0xd0, 0xba, 0xae, 0xf8, 0x20, 0x05, 0x0e, 0xf2, 0xb4, 0x00, 0x99,
+	0x9c, 0x1f, 0xdd, 0x82, 0x69, 0x77, 0x68, 0x5d, 0x57, 0x7c, 0x90, 0x02, 0x07, 0x79, 0x56, 0x80,
-	0x5a, 0x8b, 0x33, 0xe0, 0xa4, 0x0c, 0x7a, 0x15, 0x26, 0x9a, 0x86, 0xa6, 0xf1, 0xf5, 0xb8, 0x68,
+	0x4c, 0xaf, 0xc5, 0x19, 0x70, 0x52, 0x06, 0xbd, 0x0e, 0x93, 0x4d, 0x43, 0xd3, 0xf8, 0x7a, 0x5c,
-	0x38, 0x3a, 0x2d, 0x15, 0x79, 0xac, 0x10, 0xdb, 0x8f, 0x8b, 0x11, 0x0a, 0x8e, 0x71, 0xca, 0x7f,
+	0x34, 0x1c, 0x9d, 0x16, 0xc7, 0x78, 0xac, 0x10, 0xdb, 0x8f, 0x8b, 0x11, 0x0a, 0x8e, 0x71, 0xca,
-	0x94, 0xe0, 0x54, 0xc6, 0x9e, 0x46, 0x5f, 0x81, 0x61, 0xda, 0x35, 0xbd, 0xd3, 0xfa, 0xff, 0xbd,
+	0x7f, 0x90, 0xe0, 0x54, 0xc6, 0x9e, 0x46, 0xff, 0x07, 0xc3, 0xb4, 0x6b, 0x7a, 0xa7, 0xf5, 0x7f,
-	0x03, 0xa2, 0xd1, 0x35, 0xc9, 0xa3, 0xbd, 0xf9, 0xd3, 0x19, 0x62, 0x8c, 0x8c, 0xb9, 0x20, 0xd2,
+	0x7b, 0x07, 0x44, 0xa3, 0x6b, 0x92, 0xc7, 0x7b, 0xa5, 0xd3, 0x19, 0x62, 0x8c, 0x8c, 0xb9, 0x20,
-	0x61, 0xdc, 0x62, 0xea, 0xf4, 0xb6, 0xcb, 0x22, 0x92, 0xd7, 0xd5, 0x1e, 0x39, 0x06, 0x87, 0x65,
+	0xd2, 0x61, 0xc2, 0x62, 0xea, 0xf4, 0xb6, 0xcb, 0x22, 0x92, 0xd7, 0xd5, 0x1e, 0x39, 0x06, 0x87,
-	0x82, 0x64, 0x3c, 0xb5, 0xbf, 0x37, 0x3f, 0x1e, 0xa1, 0xe1, 0x28, 0xbc, 0xfc, 0xfe, 0x10, 0xc0,
+	0x65, 0x82, 0x64, 0x3c, 0xbd, 0xbf, 0x57, 0x9a, 0x88, 0xd0, 0x70, 0x14, 0x5e, 0xfe, 0x70, 0x08,
-	0x12, 0x31, 0x35, 0xa3, 0xdb, 0x21, 0xfa, 0x51, 0x1c, 0xb8, 0xb7, 0x23, 0x07, 0xee, 0xa5, 0x5e,
+	0x60, 0x89, 0x98, 0x9a, 0xd1, 0xed, 0x10, 0xfd, 0x28, 0x0e, 0xdc, 0x3b, 0x91, 0x03, 0xf7, 0x52,
-	0xb9, 0xd3, 0x37, 0x2d, 0xf3, 0xc4, 0x7d, 0x33, 0x76, 0xe2, 0x56, 0xfa, 0x87, 0x3c, 0xf8, 0xc8,
+	0xaf, 0xdc, 0xe9, 0x9b, 0x96, 0x79, 0xe2, 0xbe, 0x15, 0x3b, 0x71, 0x2b, 0xfd, 0x43, 0x1e, 0x7c,
-	0xfd, 0x6b, 0x0e, 0xa6, 0x03, 0xe6, 0x45, 0x43, 0x6f, 0xa9, 0x7c, 0x7f, 0x5c, 0x8f, 0xcc, 0xf1,
+	0xe4, 0xfe, 0x25, 0x07, 0x33, 0x01, 0xf3, 0xa2, 0xa1, 0xb7, 0x54, 0xbe, 0x3f, 0xae, 0x47, 0xe6,
-	0xff, 0xc5, 0xe6, 0xf8, 0x54, 0x8a, 0x48, 0x68, 0x7e, 0x57, 0x7c, 0x6b, 0x87, 0xb8, 0xf8, 0x4b,
+	0xf8, 0xbf, 0x62, 0x73, 0x7c, 0x2a, 0x45, 0x24, 0x34, 0xbf, 0x2b, 0xbe, 0xb5, 0x43, 0x5c, 0xfc,
-	0x51, 0xe5, 0x8f, 0xf6, 0xe6, 0x53, 0x2e, 0x2b, 0x65, 0x1f, 0x29, 0x6a, 0x22, 0x3a, 0x07, 0x23,
+	0x95, 0xa8, 0xf2, 0xc7, 0x7b, 0xa5, 0x94, 0xcb, 0x4a, 0xd9, 0x47, 0x8a, 0x9a, 0x88, 0xce, 0xc1,
-	0x16, 0x51, 0x6c, 0x43, 0xe7, 0x89, 0xa2, 0x18, 0xb8, 0x82, 0xf9, 0x28, 0x16, 0x54, 0x74, 0x01,
+	0x88, 0x45, 0x14, 0xdb, 0xd0, 0x79, 0xa2, 0x18, 0x0b, 0x5c, 0xc1, 0x7c, 0x14, 0x0b, 0x2a, 0xba,
-	0x46, 0x3b, 0xc4, 0xb6, 0x95, 0x36, 0xe1, 0x39, 0xa1, 0x58, 0x9d, 0x14, 0x8c, 0xa3, 0xab, 0xee,
+	0x00, 0xa3, 0x1d, 0x62, 0xdb, 0x4a, 0x9b, 0xf0, 0x9c, 0x30, 0x56, 0x9d, 0x12, 0x8c, 0xa3, 0xab,
-	0x30, 0xf6, 0xe8, 0xe8, 0x3e, 0x4c, 0x68, 0x8a, 0x2d, 0x16, 0x68, 0x43, 0xed, 0x10, 0xbe, 0xeb,
+	0xee, 0x30, 0xf6, 0xe8, 0xe8, 0x01, 0x4c, 0x6a, 0x8a, 0x2d, 0x16, 0x68, 0x43, 0xed, 0x10, 0xbe,
-	0xc7, 0xae, 0x3c, 0xdf, 0xdf, 0x3a, 0x60, 0x12, 0xc1, 0xc9, 0xb6, 0x12, 0x41, 0xc2, 0x31, 0x64,
+	0xeb, 0xc7, 0xaf, 0xbc, 0xd8, 0xdf, 0x3a, 0x60, 0x12, 0xc1, 0xc9, 0xb6, 0x12, 0x41, 0xc2, 0x31,
-	0xb4, 0x0b, 0x88, 0x8d, 0x34, 0x2c, 0x45, 0xb7, 0xdd, 0x40, 0x31, 0x7d, 0xa3, 0x03, 0xeb, 0xf3,
+	0x64, 0xb4, 0x0b, 0x88, 0x8d, 0x34, 0x2c, 0x45, 0xb7, 0xdd, 0x40, 0x31, 0x7d, 0xa3, 0x03, 0xeb,
-	0x33, 0xdc, 0x4a, 0x02, 0x0d, 0xa7, 0x68, 0x90, 0x7f, 0x2b, 0xc1, 0x44, 0x30, 0x4d, 0x47, 0x50,
+	0xf3, 0x33, 0xdc, 0x4a, 0x02, 0x0d, 0xa7, 0x68, 0x90, 0x7f, 0x23, 0xc1, 0x64, 0x30, 0x4d, 0x47,
-	0x4d, 0xad, 0x45, 0xab, 0xa9, 0x0b, 0x7d, 0x2f, 0xd1, 0x8c, 0x72, 0xea, 0x5f, 0x43, 0x80, 0x02,
+	0x50, 0x4d, 0xad, 0x45, 0xab, 0xa9, 0x0b, 0x7d, 0x2f, 0xd1, 0x8c, 0x72, 0xea, 0x1f, 0x43, 0x80,
-	0x26, 0xb6, 0xc1, 0x37, 0x95, 0xe6, 0x4e, 0x1f, 0x77, 0x85, 0xf7, 0x24, 0x40, 0x22, 0x3d, 0x2f,
+	0x02, 0x26, 0xb6, 0xc1, 0x37, 0x95, 0xe6, 0x4e, 0x1f, 0x77, 0x85, 0x0f, 0x24, 0x40, 0x22, 0x3d,
-	0xe8, 0xba, 0x41, 0x79, 0xc6, 0xf7, 0xcc, 0x5a, 0xee, 0xdb, 0x2c, 0x4f, 0x63, 0x79, 0x3d, 0x81,
+	0x2f, 0xe8, 0xba, 0x41, 0x79, 0xc6, 0xf7, 0xcc, 0x5a, 0xee, 0xdb, 0x2c, 0x4f, 0x63, 0x79, 0x3d,
-	0xf5, 0xba, 0x4e, 0xad, 0x6e, 0x30, 0x23, 0x49, 0x06, 0x9c, 0x62, 0x00, 0x52, 0x00, 0x2c, 0x81,
+	0x81, 0x75, 0x43, 0xa7, 0x56, 0x37, 0x98, 0x91, 0x24, 0x03, 0x4e, 0x31, 0x00, 0x29, 0x00, 0x96,
-	0xd9, 0x30, 0xc4, 0x46, 0xbe, 0xd4, 0x47, 0xce, 0x63, 0x02, 0x8b, 0x86, 0xbe, 0xa5, 0xb6, 0x83,
+	0xc0, 0x6c, 0x18, 0x62, 0x23, 0x5f, 0xea, 0x23, 0xe7, 0x31, 0x81, 0x45, 0x43, 0xdf, 0x52, 0xdb,
-	0xb4, 0x83, 0x7d, 0x20, 0x1c, 0x02, 0x9d, 0x7d, 0x1d, 0x4e, 0x65, 0x58, 0x8b, 0x4e, 0x40, 0x6e,
+	0x41, 0xda, 0xc1, 0x3e, 0x10, 0x0e, 0x81, 0xce, 0xdd, 0x80, 0x53, 0x19, 0xd6, 0xa2, 0x13, 0x90,
-	0x87, 0x74, 0xdd, 0xb0, 0x61, 0xf6, 0x27, 0x3a, 0x19, 0xbe, 0x53, 0x15, 0xc5, 0x75, 0xe8, 0xd5,
+	0xdb, 0x21, 0x5d, 0x37, 0x6c, 0x98, 0xfd, 0x89, 0x4e, 0x86, 0xef, 0x54, 0x63, 0xe2, 0x3a, 0xf4,
-	0xa1, 0x6b, 0x92, 0xfc, 0x51, 0x3e, 0xbc, 0x76, 0x78, 0x29, 0x7b, 0x1e, 0x0a, 0x16, 0x31, 0x35,
+	0xfa, 0xd0, 0x35, 0x49, 0xfe, 0x24, 0x1f, 0x5e, 0x3b, 0xbc, 0x94, 0x3d, 0x0f, 0x05, 0x8b, 0x98,
-	0xb5, 0xa9, 0xd8, 0xa2, 0x42, 0xe1, 0x55, 0x29, 0x16, 0x63, 0xd8, 0xa7, 0x46, 0x8a, 0xde, 0xa1,
+	0x9a, 0xda, 0x54, 0x6c, 0x51, 0xa1, 0xf0, 0xaa, 0x14, 0x8b, 0x31, 0xec, 0x53, 0x23, 0x45, 0xef,
-	0x27, 0x5b, 0xf4, 0xe6, 0x1e, 0x4f, 0xd1, 0xfb, 0x6d, 0x28, 0xd8, 0x5e, 0xb9, 0x3b, 0xcc, 0x21,
+	0xd0, 0xd3, 0x2d, 0x7a, 0x73, 0x4f, 0xa6, 0xe8, 0xfd, 0x16, 0x14, 0x6c, 0xaf, 0xdc, 0x1d, 0xe6,
-	0x2f, 0x0f, 0x90, 0x5f, 0x45, 0xa5, 0xeb, 0x2b, 0xf0, 0x6b, 0x5c, 0x1f, 0x34, 0xad, 0xba, 0xcd,
+	0x90, 0x97, 0x07, 0xc8, 0xaf, 0xa2, 0xd2, 0xf5, 0x15, 0xf8, 0x35, 0xae, 0x0f, 0x9a, 0x56, 0xdd,
-	0x0f, 0x58, 0xdd, 0x3e, 0xd6, 0x8a, 0x94, 0xe5, 0x54, 0x53, 0x71, 0x6c, 0xd2, 0xe2, 0x89, 0xa8,
+	0xe6, 0x07, 0xac, 0x6e, 0x9f, 0x68, 0x45, 0xca, 0x72, 0xaa, 0xa9, 0x38, 0x36, 0x69, 0xf1, 0x44,
-	0x10, 0xe4, 0xd4, 0x1a, 0x1f, 0xc5, 0x82, 0x8a, 0xee, 0x45, 0x96, 0x6c, 0xe1, 0x30, 0x4b, 0x76,
+	0x54, 0x08, 0x72, 0x6a, 0x8d, 0x8f, 0x62, 0x41, 0x45, 0xf7, 0x23, 0x4b, 0xb6, 0x70, 0x98, 0x25,
-	0x22, 0x7b, 0xb9, 0xa2, 0x75, 0x38, 0x65, 0x5a, 0x46, 0xdb, 0x22, 0xb6, 0xbd, 0x44, 0x94, 0x96,
+	0x3b, 0x99, 0xbd, 0x5c, 0xd1, 0x3a, 0x9c, 0x32, 0x2d, 0xa3, 0x6d, 0x11, 0xdb, 0x5e, 0x22, 0x4a,
-	0xa6, 0xea, 0xc4, 0x8b, 0x4f, 0x91, 0xfb, 0x75, 0x7a, 0x7f, 0x6f, 0xfe, 0x54, 0x2d, 0x9d, 0x05,
+	0x4b, 0x53, 0x75, 0xe2, 0xc5, 0x67, 0x8c, 0xfb, 0x75, 0x7a, 0x7f, 0xaf, 0x74, 0xaa, 0x96, 0xce,
-	0x67, 0xc9, 0xca, 0x0f, 0x87, 0xe1, 0x44, 0xfc, 0x04, 0xcc, 0xa8, 0x1e, 0xa5, 0x43, 0x55, 0x8f,
+	0x82, 0xb3, 0x64, 0xe5, 0x47, 0xc3, 0x70, 0x22, 0x7e, 0x02, 0x66, 0x54, 0x8f, 0xd2, 0xa1, 0xaa,
-	0x17, 0x43, 0x9b, 0xc1, 0x2d, 0xad, 0xfd, 0xd9, 0x4f, 0xd9, 0x10, 0x0b, 0x30, 0x29, 0xb2, 0x81,
+	0xc7, 0x8b, 0xa1, 0xcd, 0xe0, 0x96, 0xd6, 0xfe, 0xec, 0xa7, 0x6c, 0x88, 0x05, 0x98, 0x12, 0xd9,
-	0x47, 0x14, 0xf5, 0xb3, 0x3f, 0xfb, 0xeb, 0x51, 0x32, 0x8e, 0xf3, 0xb3, 0x9a, 0x30, 0x28, 0xf5,
+	0xc0, 0x23, 0x8a, 0xfa, 0xd9, 0x9f, 0xfd, 0xf5, 0x28, 0x19, 0xc7, 0xf9, 0x59, 0x4d, 0x18, 0x94,
-	0x3c, 0x90, 0xe1, 0x68, 0x4d, 0xb8, 0x10, 0x67, 0xc0, 0x49, 0x19, 0xb4, 0x0a, 0xd3, 0x8e, 0x9e,
+	0x7a, 0x1e, 0xc8, 0x70, 0xb4, 0x26, 0x5c, 0x88, 0x33, 0xe0, 0xa4, 0x0c, 0x5a, 0x85, 0x19, 0x47,
-	0x84, 0x72, 0x57, 0xe3, 0x69, 0x01, 0x35, 0xbd, 0x9e, 0x64, 0xc1, 0x69, 0x72, 0x68, 0x0b, 0xa0,
+	0x4f, 0x42, 0xb9, 0xab, 0xf1, 0xb4, 0x80, 0x9a, 0x59, 0x4f, 0xb2, 0xe0, 0x34, 0x39, 0xb4, 0x05,
-	0xe9, 0x1d, 0xdb, 0x76, 0x69, 0x84, 0x67, 0xd8, 0x2b, 0x7d, 0xef, 0x1d, 0xff, 0xc4, 0x0f, 0xf2,
+	0xd0, 0xf4, 0x8e, 0x6d, 0xbb, 0x38, 0xc2, 0x33, 0xec, 0x95, 0xbe, 0xf7, 0x8e, 0x7f, 0xe2, 0x07,
-	0x9a, 0x3f, 0x64, 0xe3, 0x10, 0x32, 0xba, 0x0e, 0xe3, 0x16, 0xbf, 0x10, 0x78, 0x06, 0xbb, 0x45,
+	0x79, 0xcd, 0x1f, 0xb2, 0x71, 0x08, 0x19, 0x5d, 0x87, 0x09, 0x8b, 0x5f, 0x08, 0x3c, 0x83, 0xdd,
-	0xf5, 0x53, 0x42, 0x6c, 0x1c, 0x87, 0x89, 0x38, 0xca, 0x9b, 0x52, 0x07, 0x17, 0xfa, 0xae, 0x83,
+	0xa2, 0xfa, 0x19, 0x21, 0x36, 0x81, 0xc3, 0x44, 0x1c, 0xe5, 0x4d, 0xa9, 0x83, 0x0b, 0x7d, 0xd7,
-	0x7f, 0x27, 0x85, 0x0f, 0x21, 0xbf, 0x04, 0x7e, 0x35, 0x52, 0x1e, 0x9d, 0x8b, 0x95, 0x47, 0x33,
+	0xc1, 0xbf, 0x95, 0xc2, 0x87, 0x90, 0x5f, 0x02, 0xbf, 0x1e, 0x29, 0x8f, 0xce, 0xc5, 0xca, 0xa3,
-	0x49, 0x89, 0x50, 0x75, 0x64, 0xa4, 0x57, 0xbf, 0x2f, 0x0f, 0x54, 0xfd, 0x06, 0x87, 0x67, 0xef,
+	0xd9, 0xa4, 0x44, 0xa8, 0x3a, 0x32, 0xd2, 0xab, 0xdf, 0x57, 0x07, 0xaa, 0x7e, 0x83, 0xc3, 0xb3,
-	0xf2, 0xf7, 0x03, 0x09, 0x66, 0x6e, 0xd4, 0x6f, 0x5a, 0x86, 0x63, 0x7a, 0xe6, 0xdc, 0x36, 0xdd,
+	0x77, 0xf9, 0xfb, 0x91, 0x04, 0xb3, 0x37, 0xeb, 0xb7, 0x2c, 0xc3, 0x31, 0x3d, 0x73, 0xee, 0x98,
-	0xb8, 0xbe, 0x02, 0xc3, 0x96, 0xa3, 0x79, 0x7e, 0x3c, 0xe7, 0xf9, 0x81, 0x1d, 0x8d, 0xf9, 0x31,
+	0x6e, 0x5c, 0x5f, 0x83, 0x61, 0xcb, 0xd1, 0x3c, 0x3f, 0x5e, 0xf0, 0xfc, 0xc0, 0x8e, 0xc6, 0xfc,
-	0x1d, 0x93, 0x72, 0x9d, 0x60, 0x02, 0x68, 0x0d, 0x46, 0x2c, 0x45, 0x6f, 0x13, 0xef, 0x58, 0x3d,
+	0x98, 0x89, 0x49, 0xb9, 0x4e, 0x30, 0x01, 0xb4, 0x06, 0x23, 0x96, 0xa2, 0xb7, 0x89, 0x77, 0xac,
-	0xd7, 0xc3, 0xfa, 0xe5, 0x25, 0xcc, 0xd8, 0x43, 0xc5, 0x1b, 0x97, 0xc6, 0x02, 0x45, 0xfe, 0x81,
+	0x9e, 0xeb, 0x61, 0xfd, 0xf2, 0x12, 0x66, 0xec, 0xa1, 0xe2, 0x8d, 0x4b, 0x63, 0x81, 0x22, 0x7f,
-	0x04, 0x93, 0xb7, 0x1a, 0x8d, 0xda, 0xb2, 0xce, 0x77, 0x74, 0x4d, 0xa1, 0xdb, 0xec, 0xa4, 0x37,
+	0x5f, 0x82, 0xa9, 0xdb, 0x8d, 0x46, 0x6d, 0x59, 0xe7, 0x3b, 0xba, 0xa6, 0xd0, 0x6d, 0x76, 0xd2,
-	0x15, 0xba, 0x1d, 0x3f, 0xe9, 0x19, 0x0d, 0x73, 0x0a, 0xfa, 0x3a, 0x8c, 0xb2, 0x4c, 0x42, 0xf4,
+	0x9b, 0x0a, 0xdd, 0x8e, 0x9f, 0xf4, 0x8c, 0x86, 0x39, 0x05, 0x7d, 0x1d, 0x46, 0x59, 0x26, 0x21,
-	0x56, 0x9f, 0xa5, 0xb6, 0x80, 0xaf, 0xba, 0x42, 0x41, 0x85, 0x28, 0x06, 0xb0, 0x07, 0x27, 0xef,
+	0x7a, 0xab, 0xcf, 0x52, 0x5b, 0xc0, 0x57, 0x5d, 0xa1, 0xa0, 0x42, 0x14, 0x03, 0xd8, 0x83, 0x93,
-	0xc0, 0xc9, 0x90, 0x39, 0x2c, 0x1e, 0xfc, 0xcd, 0x10, 0xd5, 0x21, 0xcf, 0x34, 0x7b, 0x4f, 0x82,
+	0x77, 0xe0, 0x64, 0xc8, 0x1c, 0x16, 0x0f, 0xfe, 0x66, 0x88, 0xea, 0x90, 0x67, 0x9a, 0xbd, 0x27,
-	0xbd, 0x5e, 0xbe, 0x62, 0x2e, 0x05, 0x95, 0x0e, 0xfb, 0x65, 0x63, 0x17, 0x4b, 0x5e, 0x85, 0xf1,
+	0xc1, 0x5e, 0x2f, 0x5f, 0x31, 0x97, 0x82, 0x4a, 0x87, 0xfd, 0xb2, 0xb1, 0x8b, 0x25, 0xaf, 0xc2,
-	0x5b, 0x86, 0x4d, 0x6b, 0x86, 0x45, 0x79, 0x58, 0xd0, 0x19, 0xc8, 0x75, 0x54, 0x5d, 0x9c, 0xb3,
+	0xc4, 0x6d, 0xc3, 0xa6, 0x35, 0xc3, 0xa2, 0x3c, 0x2c, 0xe8, 0x0c, 0xe4, 0x3a, 0xaa, 0x2e, 0xce,
-	0x63, 0x42, 0x26, 0xc7, 0xce, 0x08, 0x36, 0xce, 0xc9, 0xca, 0x03, 0x91, 0x79, 0x02, 0xb2, 0xf2,
+	0xd9, 0x71, 0x21, 0x93, 0x63, 0x67, 0x04, 0x1b, 0xe7, 0x64, 0xe5, 0xa1, 0xc8, 0x3c, 0x01, 0x59,
-	0x00, 0xb3, 0x71, 0xf9, 0x26, 0x8c, 0x8a, 0x70, 0x87, 0x81, 0x72, 0x07, 0x03, 0xe5, 0x52, 0x80,
+	0x79, 0x88, 0xd9, 0xb8, 0x7c, 0x0b, 0x46, 0x45, 0xb8, 0xc3, 0x40, 0xb9, 0x83, 0x81, 0x72, 0x29,
-	0x7e, 0x38, 0x04, 0xa3, 0xc2, 0xfa, 0x23, 0xb8, 0x34, 0xad, 0x44, 0x2e, 0x4d, 0xcf, 0xf7, 0x37,
+	0x40, 0x3f, 0x18, 0x82, 0x51, 0x61, 0xfd, 0x11, 0x5c, 0x9a, 0x56, 0x22, 0x97, 0xa6, 0x17, 0xfb,
-	0x93, 0x99, 0x37, 0xa6, 0x46, 0xec, 0xc6, 0x74, 0xb1, 0x4f, 0xbc, 0x83, 0xaf, 0x4b, 0x1f, 0x4a,
+	0x9b, 0xc9, 0xcc, 0x1b, 0x53, 0x23, 0x76, 0x63, 0xba, 0xd8, 0x27, 0xde, 0xc1, 0xd7, 0xa5, 0x8f,
-	0x30, 0x11, 0x5d, 0x43, 0xe8, 0x2a, 0x8c, 0xb1, 0xf3, 0x41, 0x6d, 0x92, 0xb5, 0xa0, 0x2c, 0xf5,
+	0x25, 0x98, 0x8c, 0xae, 0x21, 0x74, 0x15, 0xc6, 0xd9, 0xf9, 0xa0, 0x36, 0xc9, 0x5a, 0x50, 0x96,
-	0x1f, 0x33, 0xea, 0x01, 0x09, 0x87, 0xf9, 0x50, 0xdb, 0x17, 0x63, 0xd3, 0x2e, 0x9c, 0xce, 0x0e,
+	0xfa, 0x8f, 0x19, 0xf5, 0x80, 0x84, 0xc3, 0x7c, 0xa8, 0xed, 0x8b, 0xb1, 0x69, 0x17, 0x4e, 0x67,
-	0xa9, 0x43, 0x55, 0xad, 0xec, 0x36, 0x28, 0xca, 0xcb, 0x3a, 0xbd, 0x6d, 0xd5, 0xa9, 0xa5, 0xea,
+	0x87, 0xd4, 0xa1, 0xaa, 0x56, 0x76, 0x1b, 0x14, 0xe5, 0x65, 0x9d, 0xde, 0xb1, 0xea, 0xd4, 0x52,
-	0xed, 0x84, 0x22, 0xbe, 0x86, 0xc2, 0xc8, 0xf2, 0x6f, 0x24, 0x18, 0x13, 0x26, 0x1f, 0xc1, 0x25,
+	0xf5, 0x76, 0x42, 0x11, 0x5f, 0x43, 0x61, 0x64, 0xf9, 0xd7, 0x12, 0x8c, 0x0b, 0x93, 0x8f, 0xe0,
-	0xe0, 0x6b, 0xd1, 0x4b, 0xc0, 0xb9, 0x3e, 0xf7, 0x63, 0xfa, 0x0d, 0xe0, 0xe7, 0x81, 0xe9, 0x6c,
+	0x12, 0xf0, 0xb5, 0xe8, 0x25, 0xe0, 0x5c, 0x9f, 0xfb, 0x31, 0xfd, 0x06, 0xf0, 0xb3, 0xc0, 0x74,
-	0x07, 0xb2, 0x84, 0xb0, 0x6d, 0xd8, 0x34, 0x9e, 0x10, 0xd8, 0xde, 0xc1, 0x9c, 0x82, 0x1c, 0x38,
+	0xb6, 0x03, 0x59, 0x42, 0xd8, 0x36, 0x6c, 0x1a, 0x4f, 0x08, 0x6c, 0xef, 0x60, 0x4e, 0x41, 0x0e,
-	0xa1, 0xc6, 0xb6, 0xac, 0x08, 0x6d, 0xa5, 0x3f, 0x4b, 0x7c, 0xb1, 0x6a, 0x49, 0xc0, 0x9f, 0x88,
+	0x9c, 0x50, 0x63, 0x5b, 0x56, 0x84, 0xb6, 0xd2, 0x9f, 0x25, 0xbe, 0x58, 0xb5, 0x28, 0xe0, 0x4f,
-	0x53, 0x70, 0x42, 0x85, 0x4c, 0x20, 0xc1, 0x85, 0xee, 0xc0, 0xf0, 0x36, 0xa5, 0x66, 0xca, 0xbb,
+	0xc4, 0x29, 0x38, 0xa1, 0x42, 0x26, 0x90, 0xe0, 0x42, 0x77, 0x61, 0x78, 0x9b, 0x52, 0x33, 0xe5,
-	0x6f, 0x8f, 0x44, 0x11, 0x98, 0x50, 0xe0, 0xde, 0x35, 0x1a, 0x35, 0xcc, 0xa1, 0xe4, 0x7f, 0x07,
+	0xdd, 0xb7, 0x47, 0xa2, 0x08, 0x4c, 0x28, 0x70, 0xef, 0x1a, 0x8d, 0x1a, 0xe6, 0x50, 0xf2, 0x3f,
-	0xf1, 0xa8, 0xbb, 0x6b, 0xdc, 0x4f, 0x7f, 0xd2, 0x61, 0xd2, 0xdf, 0x58, 0x5a, 0xea, 0x43, 0xb7,
+	0x83, 0x78, 0xd4, 0xdd, 0x35, 0xee, 0xa7, 0x3f, 0xe9, 0x30, 0xe9, 0x6f, 0x3c, 0x2d, 0xf5, 0xa1,
-	0x20, 0x47, 0xb5, 0x7e, 0x6f, 0x71, 0x02, 0xb1, 0xb1, 0x52, 0x0f, 0xf2, 0x47, 0x63, 0xa5, 0x8e,
+	0xdb, 0x90, 0xa3, 0x5a, 0xbf, 0xb7, 0x38, 0x81, 0xd8, 0x58, 0xa9, 0x07, 0xf9, 0xa3, 0xb1, 0x52,
-	0x19, 0x04, 0xba, 0x0d, 0x79, 0x76, 0x58, 0xb0, 0x2d, 0x98, 0xeb, 0x7f, 0x4b, 0x33, 0xff, 0x83,
+	0xc7, 0x0c, 0x02, 0xdd, 0x81, 0x3c, 0x3b, 0x2c, 0xd8, 0x16, 0xcc, 0xf5, 0xbf, 0xa5, 0x99, 0xff,
-	0x05, 0xc1, 0x7e, 0xd9, 0xd8, 0xc5, 0x91, 0xdf, 0x86, 0xf1, 0xc8, 0x3e, 0x45, 0x6f, 0xc1, 0x71,
+	0xc1, 0x82, 0x60, 0xbf, 0x6c, 0xec, 0xe2, 0xc8, 0xef, 0xc2, 0x44, 0x64, 0x9f, 0xa2, 0x77, 0xe0,
-	0xcd, 0x50, 0x5a, 0x55, 0x45, 0x53, 0xf4, 0x26, 0xf1, 0x1e, 0xd9, 0xcf, 0xa5, 0x5d, 0x08, 0x56,
+	0xb8, 0x66, 0x28, 0xad, 0xaa, 0xa2, 0x29, 0x7a, 0x93, 0x78, 0x8f, 0xec, 0xe7, 0xd2, 0x2e, 0x04,
-	0x42, 0x7c, 0x62, 0x97, 0xfb, 0xad, 0xb2, 0x30, 0x0d, 0x47, 0x10, 0x65, 0x05, 0x20, 0xf0, 0x11,
+	0x2b, 0x21, 0x3e, 0xb1, 0xcb, 0xfd, 0x56, 0x59, 0x98, 0x86, 0x23, 0x88, 0xb2, 0x02, 0x10, 0xf8,
-	0xcd, 0x43, 0x9e, 0xad, 0x33, 0x37, 0xfd, 0x17, 0xab, 0x45, 0x66, 0x21, 0x5b, 0x7e, 0x36, 0x76,
+	0x88, 0x4a, 0x90, 0x67, 0xeb, 0xcc, 0x4d, 0xff, 0x63, 0xd5, 0x31, 0x66, 0x21, 0x5b, 0x7e, 0x36,
-	0xc7, 0xd1, 0x15, 0x00, 0x9b, 0x34, 0x2d, 0x42, 0x79, 0x32, 0x70, 0x9f, 0x3f, 0xfc, 0xb4, 0x57,
+	0x76, 0xc7, 0xd1, 0x15, 0x00, 0x9b, 0x34, 0x2d, 0x42, 0x79, 0x32, 0x70, 0x9f, 0x3f, 0xfc, 0xb4,
-	0xf7, 0x29, 0x38, 0xc4, 0x25, 0xff, 0x41, 0x82, 0xf1, 0x35, 0x42, 0xdf, 0x31, 0xac, 0x9d, 0x1a,
+	0x57, 0xf7, 0x29, 0x38, 0xc4, 0x25, 0xff, 0x5e, 0x82, 0x89, 0x35, 0x42, 0xdf, 0x33, 0xac, 0x9d,
-	0x6f, 0xca, 0x1e, 0x41, 0xb2, 0xc5, 0x91, 0x64, 0xfb, 0x42, 0x8f, 0x99, 0x89, 0x58, 0x97, 0x95,
+	0x1a, 0x6f, 0xca, 0x1e, 0x41, 0xb2, 0xc5, 0x91, 0x64, 0xfb, 0x52, 0x8f, 0x99, 0x89, 0x58, 0x97,
-	0x72, 0x99, 0x1f, 0xa5, 0x08, 0x67, 0x78, 0xef, 0xae, 0x43, 0xde, 0x34, 0x2c, 0xea, 0x1d, 0x9c,
+	0x95, 0x72, 0x99, 0x1f, 0xc5, 0x08, 0x67, 0x78, 0xef, 0xae, 0x43, 0xde, 0x34, 0x2c, 0xea, 0x1d,
-	0x03, 0x69, 0x64, 0x79, 0x2c, 0x74, 0x74, 0x32, 0x18, 0xec, 0xa2, 0x31, 0x3f, 0xb6, 0x2c, 0xa3,
+	0x9c, 0x03, 0x69, 0x64, 0x79, 0x2c, 0x74, 0x74, 0x32, 0x18, 0xec, 0xa2, 0x31, 0x3f, 0xb6, 0x2c,
-	0x23, 0x56, 0xeb, 0x60, 0xa8, 0x84, 0x58, 0x81, 0x1f, 0x37, 0x2c, 0xa3, 0x83, 0x39, 0x96, 0xfc,
+	0xa3, 0x23, 0x56, 0xeb, 0x60, 0xa8, 0x84, 0x58, 0x81, 0x1f, 0x37, 0x2d, 0xa3, 0x83, 0x39, 0x96,
-	0x7b, 0x09, 0xa6, 0x22, 0x9c, 0x47, 0x90, 0x37, 0xef, 0x44, 0xf3, 0xe6, 0xc5, 0x41, 0x1c, 0xc9,
+	0xfc, 0x3b, 0x09, 0xa6, 0x23, 0x9c, 0x47, 0x90, 0x37, 0xef, 0x46, 0xf3, 0xe6, 0xc5, 0x41, 0x1c,
-	0xc8, 0x9e, 0xff, 0x8c, 0xbb, 0xc1, 0x1c, 0x46, 0x5b, 0x30, 0x66, 0x1a, 0xad, 0xfa, 0x63, 0xe8,
+	0xc9, 0xc8, 0x9e, 0x7f, 0x8f, 0xbb, 0xc1, 0x1c, 0x46, 0x5b, 0x30, 0x6e, 0x1a, 0xad, 0xfa, 0x13,
-	0x4a, 0x4d, 0xb2, 0x63, 0xa7, 0x16, 0x60, 0xe1, 0x30, 0x30, 0x7a, 0x00, 0x53, 0xba, 0xd2, 0x21,
+	0xe8, 0x4a, 0x4d, 0xb1, 0x63, 0xa7, 0x16, 0x60, 0xe1, 0x30, 0x30, 0x7a, 0x08, 0xd3, 0xba, 0xd2,
-	0xb6, 0xa9, 0x34, 0x49, 0xfd, 0x31, 0x3c, 0x07, 0x3c, 0xc5, 0x9f, 0xbd, 0xe3, 0x88, 0x38, 0xa9,
+	0x21, 0xb6, 0xa9, 0x34, 0x49, 0xfd, 0x09, 0x3c, 0x07, 0x3c, 0xc3, 0x9f, 0xbd, 0xe3, 0x88, 0x38,
-	0x44, 0xfe, 0x45, 0xc2, 0x6f, 0xc3, 0xa2, 0xe8, 0x26, 0x14, 0x78, 0x3b, 0xbf, 0x69, 0x68, 0xde,
+	0xa9, 0x44, 0xfe, 0x79, 0xc2, 0x6f, 0xc3, 0xa2, 0xe8, 0x16, 0x14, 0x78, 0x3b, 0xbf, 0x69, 0x68,
-	0xc3, 0x35, 0x9b, 0x8a, 0x9a, 0x18, 0x7b, 0xb4, 0x37, 0x7f, 0x3a, 0xe5, 0x4d, 0xd2, 0x23, 0x63,
+	0xde, 0xc3, 0x35, 0x9b, 0x8a, 0x9a, 0x18, 0x7b, 0xbc, 0x57, 0x3a, 0x9d, 0xf2, 0x26, 0xe9, 0x91,
-	0x5f, 0x18, 0xad, 0xc1, 0xb0, 0xf9, 0x45, 0x4e, 0x6c, 0x9e, 0xd4, 0xf9, 0x31, 0xcd, 0x71, 0xe4,
+	0xb1, 0x2f, 0x8c, 0xd6, 0x60, 0xd8, 0xfc, 0x2a, 0x27, 0x36, 0x4f, 0xea, 0xfc, 0x98, 0xe6, 0x38,
-	0xcf, 0xe3, 0xe6, 0xf2, 0xd4, 0x7e, 0xff, 0xb1, 0x4d, 0x93, 0x5f, 0x21, 0x64, 0x4e, 0xd5, 0x26,
+	0xf2, 0x97, 0x71, 0x73, 0x79, 0x6a, 0x7f, 0xf0, 0xc4, 0xa6, 0xc9, 0xaf, 0x10, 0x32, 0xa7, 0x6a,
-	0x8c, 0x8a, 0x13, 0x4d, 0xac, 0xbe, 0x57, 0x06, 0x59, 0x7d, 0xe1, 0xac, 0xed, 0xd7, 0xd3, 0xde,
+	0x13, 0x46, 0xc5, 0x89, 0x26, 0x56, 0xdf, 0x6b, 0x83, 0xac, 0xbe, 0x70, 0xd6, 0xf6, 0xeb, 0x69,
-	0xa0, 0x07, 0x2c, 0xff, 0x49, 0x82, 0x29, 0x6e, 0x40, 0xd3, 0xb1, 0x54, 0xda, 0x3d, 0xb2, 0x3c,
+	0x6f, 0xd0, 0x03, 0x96, 0xff, 0x28, 0xc1, 0x34, 0x37, 0xa0, 0xe9, 0x58, 0x2a, 0xed, 0x1e, 0x59,
-	0xb7, 0x11, 0xc9, 0x73, 0x2f, 0xf5, 0x70, 0x2c, 0x61, 0x61, 0x66, 0xae, 0xfb, 0x58, 0x82, 0xa7,
+	0x9e, 0xdb, 0x88, 0xe4, 0xb9, 0x57, 0x7a, 0x38, 0x96, 0xb0, 0x30, 0x33, 0xd7, 0x7d, 0x2a, 0xc1,
-	0x12, 0xdc, 0x47, 0x90, 0x27, 0xd6, 0xa3, 0x79, 0xe2, 0x85, 0x41, 0x1d, 0xca, 0xc8, 0x15, 0x7f,
+	0x33, 0x09, 0xee, 0x23, 0xc8, 0x13, 0xeb, 0xd1, 0x3c, 0xf1, 0xd2, 0xa0, 0x0e, 0x65, 0x55, 0x5a,
-	0x2b, 0xa6, 0xb8, 0xc3, 0x17, 0xe2, 0x15, 0x00, 0xd3, 0x52, 0x77, 0x55, 0x8d, 0xb4, 0x45, 0x6f,
+	0xe3, 0x29, 0xee, 0xf0, 0x85, 0x78, 0x05, 0xc0, 0xb4, 0xd4, 0x5d, 0x55, 0x23, 0x6d, 0xd1, 0x9b,
-	0xb2, 0x10, 0x84, 0xbc, 0xe6, 0x53, 0x70, 0x88, 0x0b, 0xd9, 0x30, 0xd3, 0x22, 0x5b, 0x8a, 0xa3,
+	0x2c, 0x04, 0x21, 0xaf, 0xf9, 0x14, 0x1c, 0xe2, 0x42, 0x36, 0xcc, 0xb6, 0xc8, 0x96, 0xe2, 0x68,
-	0xd1, 0x85, 0x56, 0x6b, 0x51, 0x31, 0x95, 0x4d, 0x55, 0x53, 0xa9, 0x2a, 0x2e, 0x8b, 0xc5, 0xea,
+	0x74, 0xa1, 0xd5, 0x5a, 0x54, 0x4c, 0x65, 0x53, 0xd5, 0x54, 0xaa, 0x8a, 0xcb, 0xe2, 0x58, 0xf5,
-	0x75, 0xb7, 0x67, 0x98, 0xc6, 0xf1, 0x68, 0x6f, 0xfe, 0x4c, 0x5a, 0x6f, 0xc0, 0x63, 0xe9, 0xe2,
+	0xba, 0xdb, 0x33, 0x4c, 0xe3, 0x78, 0xbc, 0x57, 0x3a, 0x93, 0xd6, 0x1b, 0xf0, 0x58, 0xba, 0x38,
-	0x0c, 0x68, 0xd4, 0x85, 0x92, 0x45, 0xde, 0x76, 0x54, 0x8b, 0xb4, 0x96, 0x2c, 0xc3, 0x8c, 0xa8,
+	0x03, 0x1a, 0x75, 0xa1, 0x68, 0x91, 0x77, 0x1d, 0xd5, 0x22, 0xad, 0x25, 0xcb, 0x30, 0x23, 0x6a,
-	0xcd, 0x71, 0xb5, 0x5f, 0xde, 0xdf, 0x9b, 0x2f, 0xe1, 0x0c, 0x9e, 0xde, 0x8a, 0x33, 0xe1, 0xd1,
+	0x73, 0x5c, 0xed, 0xff, 0xee, 0xef, 0x95, 0x8a, 0x38, 0x83, 0xa7, 0xb7, 0xe2, 0x4c, 0x78, 0xf4,
-	0x7d, 0x98, 0x56, 0x34, 0xcd, 0x78, 0x87, 0x44, 0x9d, 0x1d, 0xe6, 0x5a, 0xaf, 0xed, 0xef, 0xcd,
+	0x00, 0x66, 0x14, 0x4d, 0x33, 0xde, 0x23, 0x51, 0x67, 0x87, 0xb9, 0xd6, 0x6b, 0xfb, 0x7b, 0xa5,
-	0x4f, 0x2f, 0x24, 0xc9, 0xbd, 0x15, 0xa6, 0x81, 0xa2, 0x0a, 0x8c, 0xee, 0x1a, 0x9a, 0xd3, 0x21,
+	0x99, 0x85, 0x24, 0xb9, 0xb7, 0xc2, 0x34, 0x50, 0x54, 0x81, 0xd1, 0x5d, 0x43, 0x73, 0x3a, 0xc4,
-	0x76, 0x29, 0xcf, 0xf1, 0x59, 0x62, 0x1c, 0xdd, 0x70, 0x87, 0x1e, 0xed, 0xcd, 0x8f, 0xdc, 0xa8,
+	0x2e, 0xe6, 0x39, 0x3e, 0x4b, 0x8c, 0xa3, 0x1b, 0xee, 0xd0, 0xe3, 0xbd, 0xd2, 0xc8, 0xcd, 0x3a,
-	0xf3, 0x6b, 0xba, 0xc7, 0xc5, 0xee, 0x27, 0xac, 0x34, 0x11, 0x7b, 0x96, 0xbf, 0x17, 0x16, 0x82,
+	0xbf, 0xa6, 0x7b, 0x5c, 0xec, 0x7e, 0xc2, 0x4a, 0x13, 0xb1, 0x67, 0xf9, 0x7b, 0x61, 0x21, 0x48,
-	0xa4, 0x70, 0x2b, 0x20, 0xe1, 0x30, 0x1f, 0xba, 0x07, 0xc5, 0x6d, 0x71, 0x27, 0xb5, 0x4b, 0xa3,
+	0x0a, 0xb7, 0x03, 0x12, 0x0e, 0xf3, 0xa1, 0xfb, 0x30, 0xb6, 0x2d, 0xee, 0xa4, 0x76, 0x71, 0xb4,
-	0x7d, 0x1d, 0x4a, 0x91, 0x3b, 0x6c, 0x75, 0x4a, 0xa8, 0x28, 0x7a, 0xc3, 0x36, 0x0e, 0x10, 0xd1,
+	0xaf, 0x43, 0x29, 0x72, 0x87, 0xad, 0x4e, 0x0b, 0x15, 0x63, 0xde, 0xb0, 0x8d, 0x03, 0x44, 0x74,
-	0x05, 0x18, 0xe5, 0x3f, 0x96, 0x97, 0xf8, 0x63, 0x4c, 0x21, 0x48, 0x1d, 0xb7, 0xdc, 0x61, 0xec,
+	0x01, 0x46, 0xf9, 0x8f, 0xe5, 0x25, 0xfe, 0x18, 0x53, 0x08, 0x52, 0xc7, 0x6d, 0x77, 0x18, 0x7b,
-	0xd1, 0x3d, 0xd6, 0xe5, 0xda, 0x22, 0x7f, 0x14, 0x8c, 0xb1, 0x2e, 0xd7, 0x16, 0xb1, 0x47, 0x47,
+	0x74, 0x8f, 0x75, 0xb9, 0xb6, 0xc8, 0x1f, 0x05, 0x63, 0xac, 0xcb, 0xb5, 0x45, 0xec, 0xd1, 0xd1,
-	0x6f, 0xc1, 0xa8, 0x4d, 0x56, 0x54, 0xdd, 0x79, 0x50, 0x82, 0xbe, 0x5a, 0x8a, 0xf5, 0xd7, 0x39,
+	0x3b, 0x30, 0x6a, 0x93, 0x15, 0x55, 0x77, 0x1e, 0x16, 0xa1, 0xaf, 0x96, 0x62, 0xfd, 0x06, 0xe7,
-	0x77, 0xec, 0x59, 0x24, 0xd0, 0x20, 0xe8, 0xd8, 0x83, 0x45, 0xdb, 0x50, 0xb4, 0x1c, 0x7d, 0xc1,
+	0x8e, 0x3d, 0x8b, 0x04, 0x1a, 0x04, 0x1d, 0x7b, 0xb0, 0x68, 0x1b, 0xc6, 0x2c, 0x47, 0x5f, 0xb0,
-	0x5e, 0xb7, 0x89, 0x55, 0x1a, 0xe3, 0x3a, 0x7a, 0x65, 0x4b, 0xec, 0xf1, 0xc7, 0xb5, 0xf8, 0x11,
+	0xd7, 0x6d, 0x62, 0x15, 0xc7, 0xb9, 0x8e, 0x5e, 0xd9, 0x12, 0x7b, 0xfc, 0x71, 0x2d, 0x7e, 0x84,
-	0xf2, 0x39, 0x70, 0x00, 0x8e, 0xbe, 0x2f, 0x01, 0xb2, 0x1d, 0xd3, 0xd4, 0x48, 0x87, 0xe8, 0x54,
+	0x7c, 0x0e, 0x1c, 0x80, 0xa3, 0xef, 0x49, 0x80, 0x6c, 0xc7, 0x34, 0x35, 0xd2, 0x21, 0x3a, 0x55,
-	0xd1, 0xf8, 0x4b, 0x8c, 0x5d, 0x3a, 0xce, 0x75, 0x7e, 0xb5, 0x97, 0x5f, 0x09, 0xc1, 0xb8, 0x72,
+	0x34, 0xfe, 0x12, 0x63, 0x17, 0x8f, 0x73, 0x9d, 0xff, 0xdf, 0xcb, 0xaf, 0x84, 0x60, 0x5c, 0xb9,
-	0xff, 0xc9, 0x33, 0xc9, 0x8a, 0x53, 0xf4, 0xb2, 0xd0, 0x6e, 0xd9, 0xfc, 0xef, 0xd2, 0x78, 0x5f,
+	0xff, 0xe4, 0x99, 0x64, 0xc5, 0x29, 0x7a, 0x59, 0x68, 0xb7, 0x6c, 0xfe, 0x77, 0x71, 0xa2, 0xaf,
-	0xa1, 0x4d, 0x7f, 0x71, 0x0a, 0x42, 0x2b, 0xe8, 0xd8, 0x83, 0x45, 0x1b, 0x30, 0x63, 0x11, 0xa5,
+	0xd0, 0xa6, 0xbf, 0x38, 0x05, 0xa1, 0x15, 0x74, 0xec, 0xc1, 0xa2, 0x0d, 0x98, 0xb5, 0x88, 0xd2,
-	0x75, 0x5b, 0xd7, 0xba, 0xd8, 0x30, 0xe8, 0x0d, 0x55, 0x23, 0x76, 0xd7, 0xa6, 0xa4, 0x53, 0x9a,
+	0xba, 0xa3, 0x6b, 0x5d, 0x6c, 0x18, 0xf4, 0xa6, 0xaa, 0x11, 0xbb, 0x6b, 0x53, 0xd2, 0x29, 0x4e,
-	0xe0, 0xd3, 0xee, 0xb7, 0xe4, 0x71, 0x2a, 0x17, 0xce, 0x90, 0xe6, 0xdd, 0x5f, 0xf1, 0x16, 0x78,
+	0xf2, 0x69, 0xf7, 0x5b, 0xf2, 0x38, 0x95, 0x0b, 0x67, 0x48, 0xa3, 0x0e, 0x94, 0xbc, 0x94, 0xc1,
-	0x34, 0x9f, 0x5b, 0x0d, 0xd6, 0xfd, 0x0d, 0x4c, 0x7b, 0x6c, 0xdd, 0xdf, 0x10, 0xe4, 0xc1, 0xcf,
+	0xf6, 0x93, 0x9f, 0xb3, 0x6e, 0xd8, 0x4d, 0x45, 0x73, 0x5f, 0x81, 0xa7, 0xb8, 0x82, 0x17, 0xf6,
-	0x19, 0xff, 0x18, 0x82, 0xe9, 0x80, 0xb9, 0xef, 0xee, 0x6f, 0x8a, 0xc8, 0x13, 0xeb, 0xfe, 0xa6,
+	0xf7, 0x4a, 0xa5, 0xa5, 0x83, 0x59, 0x71, 0x2f, 0x2c, 0xf4, 0x36, 0x14, 0x95, 0x2c, 0x3d, 0x27,
-	0xb7, 0x4f, 0x73, 0x4f, 0xba, 0x7d, 0xfa, 0x04, 0xba, 0xce, 0xbc, 0x23, 0x1b, 0x84, 0xee, 0xbf,
+	0xb8, 0x9e, 0xb3, 0xc2, 0x91, 0x62, 0xa6, 0x92, 0x4c, 0x04, 0xde, 0xca, 0x16, 0x0f, 0x9b, 0x47,
-	0xaf, 0x23, 0x1b, 0xd8, 0x96, 0x51, 0x25, 0xfc, 0x6a, 0x28, 0xec, 0xc0, 0xff, 0x7c, 0x5b, 0xf0,
+	0xf3, 0xed, 0xd8, 0x60, 0xad, 0xec, 0xc0, 0xb4, 0x27, 0xd6, 0xca, 0x0e, 0x41, 0x1e, 0xfc, 0x36,
-	0x8b, 0x7f, 0x93, 0x26, 0x7f, 0x9c, 0x83, 0x13, 0xf1, 0xdd, 0x18, 0xe9, 0x1e, 0x49, 0x3d, 0xbb,
+	0xf3, 0xb7, 0x21, 0x98, 0x09, 0x98, 0xfb, 0x6e, 0x65, 0xa7, 0x88, 0x3c, 0xb5, 0x56, 0x76, 0x7a,
-	0x47, 0x35, 0x38, 0xb9, 0xe5, 0x68, 0x5a, 0x97, 0x87, 0x21, 0xd4, 0x42, 0x72, 0x5f, 0x7f, 0x9f,
+	0x2f, 0x38, 0xf7, 0xb4, 0x7b, 0xc1, 0x4f, 0xa1, 0x85, 0xce, 0xdb, 0xcb, 0x41, 0xe8, 0xfe, 0xfd,
-	0x11, 0x92, 0x27, 0x6f, 0xa4, 0xf0, 0xe0, 0x54, 0xc9, 0x8c, 0x4e, 0x58, 0xee, 0x50, 0x9d, 0xb0,
+	0xda, 0xcb, 0x81, 0x6d, 0x19, 0x25, 0xcf, 0x2f, 0x87, 0xc2, 0x0e, 0xfc, 0xc7, 0xf7, 0x38, 0xbf,
-	0x44, 0x63, 0x66, 0x78, 0x80, 0xc6, 0x4c, 0x6a, 0x57, 0x2b, 0x7f, 0x88, 0xae, 0xd6, 0x61, 0xda,
+	0xfa, 0x07, 0x76, 0xf2, 0xa7, 0x39, 0x38, 0x11, 0xdf, 0x8d, 0x91, 0x56, 0x98, 0xd4, 0xb3, 0x15,
-	0x50, 0x29, 0x49, 0xac, 0x57, 0x1b, 0x4a, 0x7e, 0x06, 0x66, 0x85, 0x18, 0xe5, 0x1d, 0x22, 0x9d,
+	0x56, 0x83, 0x93, 0x5b, 0x8e, 0xa6, 0x75, 0x79, 0x18, 0x42, 0xfd, 0x30, 0xf7, 0x29, 0xfb, 0x39,
-	0x5a, 0x86, 0xa6, 0x11, 0x6b, 0xc9, 0xe9, 0x74, 0xba, 0xf2, 0x6b, 0x30, 0x11, 0xed, 0x7d, 0xba,
+	0x21, 0x79, 0xf2, 0x66, 0x0a, 0x0f, 0x4e, 0x95, 0xcc, 0x68, 0xeb, 0xe5, 0x0e, 0xd5, 0xd6, 0x4b,
-	0x33, 0xed, 0xb6, 0x5f, 0xc5, 0x1b, 0x7c, 0x68, 0xa6, 0xdd, 0x71, 0xec, 0x73, 0xc8, 0xef, 0x4a,
+	0x74, 0x99, 0x86, 0x07, 0xe8, 0x32, 0xa5, 0xb6, 0xe8, 0xf2, 0x87, 0x68, 0xd1, 0x1d, 0xa6, 0xa7,
-	0x30, 0x93, 0xfe, 0x8d, 0x13, 0xd2, 0x60, 0xa2, 0xa3, 0x3c, 0x08, 0x7f, 0x10, 0x26, 0x1d, 0xf2,
+	0x96, 0x92, 0xc4, 0x7a, 0xf5, 0xd4, 0xe4, 0xe7, 0x60, 0x4e, 0x88, 0x51, 0xde, 0xee, 0xd2, 0xa9,
-	0xfa, 0xc9, 0x9b, 0x5e, 0xab, 0x11, 0x2c, 0x1c, 0xc3, 0x66, 0x57, 0xd2, 0x53, 0x19, 0xed, 0xa6,
+	0x65, 0x68, 0x1a, 0xb1, 0x96, 0x9c, 0x4e, 0xa7, 0x2b, 0xbf, 0x01, 0x93, 0xd1, 0x46, 0xae, 0x3b,
-	0xa3, 0xb5, 0x04, 0xdd, 0x85, 0x42, 0x47, 0x79, 0x50, 0x77, 0xac, 0x36, 0x39, 0xf4, 0x85, 0x9b,
+	0xd3, 0x6e, 0x2f, 0x59, 0x34, 0x14, 0x42, 0x33, 0xed, 0x8e, 0x63, 0x9f, 0x43, 0x7e, 0x5f, 0x82,
-	0x67, 0x8c, 0x55, 0x81, 0x82, 0x7d, 0x3c, 0xf9, 0x03, 0x09, 0x4a, 0x59, 0xb5, 0x19, 0xba, 0x1a,
+	0xd9, 0xf4, 0x0f, 0xb6, 0x90, 0x06, 0x93, 0x1d, 0xe5, 0x61, 0xf8, 0xeb, 0x36, 0xe9, 0x90, 0x77,
-	0x69, 0x8c, 0x3d, 0x1b, 0x6b, 0x8c, 0x4d, 0x25, 0xe4, 0x9e, 0x50, 0x5b, 0xec, 0x97, 0x12, 0xcc,
+	0x69, 0xde, 0xc1, 0x5b, 0x8d, 0x60, 0xe1, 0x18, 0x36, 0xbb, 0x5f, 0x9f, 0xca, 0xe8, 0x9d, 0x1d,
-	0xa4, 0xd7, 0xa8, 0xe8, 0xc5, 0x88, 0x85, 0xf3, 0x31, 0x0b, 0x27, 0x63, 0x52, 0xc2, 0xbe, 0x6f,
+	0xad, 0x25, 0xe8, 0x1e, 0x14, 0x3a, 0xca, 0xc3, 0xba, 0x63, 0xb5, 0xc9, 0xa1, 0x5f, 0x0f, 0x78,
-	0xc1, 0x84, 0xa8, 0x64, 0x05, 0x8c, 0x88, 0xaa, 0x9c, 0x96, 0x2b, 0x05, 0x84, 0x57, 0xb9, 0xf1,
+	0xc6, 0x58, 0x15, 0x28, 0xd8, 0xc7, 0x93, 0x3f, 0x92, 0xa0, 0x98, 0x55, 0x68, 0xa2, 0xab, 0x91,
-	0xf9, 0x8a, 0x8e, 0xe1, 0x18, 0x9a, 0xfc, 0xbd, 0x21, 0xc8, 0xd7, 0x9b, 0x8a, 0x46, 0x8e, 0xa0,
+	0x2e, 0xdf, 0xf3, 0xb1, 0x2e, 0xdf, 0x74, 0x42, 0xee, 0x29, 0xf5, 0xf8, 0x7e, 0x21, 0xc1, 0x6c,
-	0xcc, 0x7a, 0x23, 0x52, 0x66, 0xf5, 0xfa, 0x78, 0x9b, 0x5b, 0x95, 0x59, 0x61, 0xe1, 0x58, 0x85,
+	0x7a, 0xc1, 0x8d, 0x5e, 0x8e, 0x58, 0x58, 0x8a, 0x59, 0x38, 0x15, 0x93, 0x12, 0xf6, 0x7d, 0x13,
-	0xf5, 0x7c, 0x5f, 0x68, 0x07, 0x17, 0x57, 0x5f, 0x82, 0xa2, 0xaf, 0x74, 0xb0, 0x9c, 0x2f, 0xff,
+	0x26, 0x45, 0x59, 0x2e, 0x60, 0x44, 0x54, 0xe5, 0xb4, 0x5c, 0x29, 0x20, 0xbc, 0x32, 0x94, 0xcf,
-	0x6c, 0x08, 0xc6, 0x42, 0x2a, 0x06, 0x3c, 0x31, 0xb6, 0x22, 0x27, 0x6d, 0x3f, 0xff, 0xc6, 0x11,
+	0x57, 0x74, 0x0c, 0xc7, 0xd0, 0xe4, 0xef, 0x0e, 0x41, 0xbe, 0xde, 0x54, 0x34, 0x72, 0x04, 0x65,
-	0xd2, 0x55, 0xf6, 0xce, 0x56, 0xf7, 0x1b, 0xa7, 0xe0, 0xab, 0x96, 0xe4, 0x91, 0xfb, 0x1a, 0x4c,
+	0xd6, 0x9b, 0x91, 0x32, 0xab, 0xd7, 0x97, 0xe8, 0xdc, 0xaa, 0xcc, 0x0a, 0x0b, 0xc7, 0x2a, 0xac,
-	0x50, 0xfe, 0x6f, 0x0e, 0xfe, 0x33, 0x55, 0x8e, 0xaf, 0x45, 0xff, 0xcb, 0xb8, 0x46, 0x84, 0x8a,
+	0x17, 0xfb, 0x42, 0x3b, 0xb8, 0xb8, 0xfa, 0x1f, 0x18, 0xf3, 0x95, 0x0e, 0x96, 0xf3, 0xe5, 0x9f,
-	0x63, 0xdc, 0xb3, 0xd7, 0x61, 0x3c, 0xa2, 0x6c, 0xa0, 0x4f, 0x94, 0x7e, 0x2d, 0xc1, 0xb3, 0x3d,
+	0x0e, 0xc1, 0x78, 0x48, 0xc5, 0x80, 0x27, 0xc6, 0x56, 0xe4, 0xa4, 0xed, 0xe7, 0x7f, 0x52, 0x42,
-	0x6f, 0x39, 0xa8, 0x1a, 0xd9, 0x24, 0xe5, 0xd8, 0x26, 0x99, 0xcb, 0x06, 0x78, 0x82, 0xad, 0xee,
+	0xba, 0xca, 0xde, 0xd9, 0xea, 0x7e, 0xb0, 0x15, 0x7c, 0xa2, 0x93, 0x3c, 0x72, 0xdf, 0x80, 0x49,
-	0x77, 0x87, 0x00, 0x35, 0xb6, 0x55, 0xab, 0x55, 0x53, 0x2c, 0xda, 0xc5, 0xe2, 0x7f, 0x55, 0x8e,
+	0xca, 0xff, 0x67, 0xc3, 0x7f, 0x73, 0xcb, 0xf1, 0xb5, 0xe8, 0x7f, 0xe6, 0xd7, 0x88, 0x50, 0x71,
-	0x60, 0xc3, 0x5c, 0x85, 0xb1, 0x16, 0xb1, 0x9b, 0x96, 0xca, 0x83, 0x23, 0xaa, 0x73, 0xff, 0x25,
+	0x8c, 0x7b, 0xee, 0x3a, 0x4c, 0x44, 0x94, 0x0d, 0xf4, 0xbd, 0xd5, 0xaf, 0x24, 0x78, 0xbe, 0xe7,
-	0x60, 0x29, 0x20, 0xe1, 0x30, 0x1f, 0x7a, 0x13, 0x0a, 0xbb, 0xee, 0x3f, 0x3f, 0x79, 0x8d, 0x9c,
+	0x95, 0x0d, 0x55, 0x23, 0x9b, 0xa4, 0x1c, 0xdb, 0x24, 0xf3, 0xd9, 0x00, 0x4f, 0xb1, 0x6f, 0xff,
-	0x5e, 0x85, 0x64, 0xf0, 0xef, 0x52, 0xc1, 0xfa, 0x11, 0x03, 0x36, 0xf6, 0xc1, 0xe4, 0xf7, 0x25,
+	0xfe, 0x10, 0xa0, 0xc6, 0xb6, 0x6a, 0xb5, 0x6a, 0x8a, 0x45, 0xbb, 0x58, 0xfc, 0xe3, 0xcd, 0x11,
-	0x98, 0x49, 0x06, 0x62, 0x89, 0x99, 0xfa, 0xe4, 0x83, 0xf1, 0x0c, 0x0c, 0x73, 0x74, 0x16, 0x85,
+	0x6c, 0x98, 0xab, 0x30, 0xde, 0x22, 0x76, 0xd3, 0x52, 0x79, 0x70, 0x44, 0x75, 0xee, 0x3f, 0x6b,
-	0xe3, 0xee, 0xa3, 0x2c, 0xd3, 0x8c, 0xf9, 0xa8, 0xfc, 0x17, 0x09, 0x66, 0xd3, 0x4d, 0x3b, 0x82,
+	0x2c, 0x05, 0x24, 0x1c, 0xe6, 0x43, 0x6f, 0x41, 0x61, 0xd7, 0xfd, 0x4f, 0x2e, 0xaf, 0x2b, 0xd5,
-	0xb2, 0xfd, 0x6e, 0xb4, 0x6c, 0xef, 0x75, 0xd1, 0x4e, 0xb7, 0x33, 0xa3, 0x84, 0xff, 0x73, 0x6a,
+	0xab, 0x90, 0x0c, 0xfe, 0xf7, 0x2b, 0x58, 0x3f, 0x62, 0xc0, 0xc6, 0x3e, 0x98, 0xfc, 0xa1, 0x04,
-	0xcc, 0x8f, 0xc0, 0xa9, 0x8d, 0xa8, 0x53, 0x97, 0x07, 0x76, 0x2a, 0xdd, 0xa1, 0xea, 0xa5, 0x87,
+	0xb3, 0xc9, 0x40, 0x2c, 0x31, 0x53, 0x9f, 0x7e, 0x30, 0x9e, 0x83, 0x61, 0x8e, 0xce, 0xa2, 0x70,
-	0x9f, 0xcd, 0x1d, 0xfb, 0xe4, 0xb3, 0xb9, 0x63, 0x9f, 0x7e, 0x36, 0x77, 0xec, 0xbb, 0xfb, 0x73,
+	0xdc, 0x7d, 0x61, 0x66, 0x9a, 0x31, 0x1f, 0x95, 0xff, 0x2c, 0xc1, 0x5c, 0xba, 0x69, 0x47, 0x50,
-	0xd2, 0xc3, 0xfd, 0x39, 0xe9, 0x93, 0xfd, 0x39, 0xe9, 0xd3, 0xfd, 0x39, 0xe9, 0xef, 0xfb, 0x73,
+	0xb6, 0xdf, 0x8b, 0x96, 0xed, 0xbd, 0x5e, 0x0d, 0xd2, 0xed, 0xcc, 0x28, 0xe1, 0xff, 0x94, 0x1a,
-	0xd2, 0x8f, 0x3e, 0x9f, 0x3b, 0x76, 0x77, 0x54, 0xe0, 0xfe, 0x27, 0x00, 0x00, 0xff, 0xff, 0x27,
+	0xf3, 0x23, 0x70, 0x6a, 0x23, 0xea, 0xd4, 0xe5, 0x81, 0x9d, 0x4a, 0x77, 0xa8, 0x7a, 0xe9, 0xd1,
-	0x77, 0x47, 0x4b, 0xbc, 0x39, 0x00, 0x00,
+	0x17, 0xf3, 0xc7, 0x3e, 0xfb, 0x62, 0xfe, 0xd8, 0xe7, 0x5f, 0xcc, 0x1f, 0xfb, 0xce, 0xfe, 0xbc,
+	0xf4, 0x68, 0x7f, 0x5e, 0xfa, 0x6c, 0x7f, 0x5e, 0xfa, 0x7c, 0x7f, 0x5e, 0xfa, 0xeb, 0xfe, 0xbc,
+	0xf4, 0xc3, 0x2f, 0xe7, 0x8f, 0xdd, 0x1b, 0x15, 0xb8, 0xff, 0x0a, 0x00, 0x00, 0xff, 0xff, 0xc0,
+	0x14, 0x27, 0xd4, 0x89, 0x3a, 0x00, 0x00,
 }

staging/src/k8s.io/api/extensions/v1beta1/generated.proto

@@ -723,6 +723,16 @@ message PodSecurityPolicySpec {
   // will not be forced to.
   // +optional
   optional bool readOnlyRootFilesystem = 14;
+
+  // DefaultAllowPrivilegeEscalation controls the default setting for whether a
+  // process can gain more privileges than it's parent process.
+  // +optional
+  optional bool defaultAllowPrivilegeEscalation = 15;
+
+  // AllowPrivilegeEscalation determines if a pod can request to allow
+  // privilege escalation.
+  // +optional
+  optional bool allowPrivilegeEscalation = 16;
 }
 
 // ReplicaSet represents the configuration of a ReplicaSet.

staging/src/k8s.io/api/extensions/v1beta1/types.generated.go

@@ -14751,7 +14751,7 @@ func (x *PodSecurityPolicySpec) CodecEncodeSelf(e *codec1978.Encoder) {
 		} else {
 			yysep2 := !z.EncBinary()
 			yy2arr2 := z.EncBasicHandle().StructToArray
-			var yyq2 [14]bool
+			var yyq2 [16]bool
 			_, _, _ = yysep2, yyq2, yy2arr2
 			const yyr2 bool = false
 			yyq2[0] = x.Privileged != false
@@ -14764,9 +14764,11 @@ func (x *PodSecurityPolicySpec) CodecEncodeSelf(e *codec1978.Encoder) {
 			yyq2[7] = x.HostPID != false
 			yyq2[8] = x.HostIPC != false
 			yyq2[13] = x.ReadOnlyRootFilesystem != false
+			yyq2[14] = x.DefaultAllowPrivilegeEscalation != nil
+			yyq2[15] = x.AllowPrivilegeEscalation != false
 			var yynn2 int
 			if yyr2 || yy2arr2 {
-				r.EncodeArrayStart(14)
+				r.EncodeArrayStart(16)
 			} else {
 				yynn2 = 4
 				for _, b := range yyq2 {
@@ -15111,6 +15113,66 @@ func (x *PodSecurityPolicySpec) CodecEncodeSelf(e *codec1978.Encoder) {
 					}
 				}
 			}
+			if yyr2 || yy2arr2 {
+				z.EncSendContainerState(codecSelfer_containerArrayElem1234)
+				if yyq2[14] {
+					if x.DefaultAllowPrivilegeEscalation == nil {
+						r.EncodeNil()
+					} else {
+						yy54 := *x.DefaultAllowPrivilegeEscalation
+						yym55 := z.EncBinary()
+						_ = yym55
+						if false {
+						} else {
+							r.EncodeBool(bool(yy54))
+						}
+					}
+				} else {
+					r.EncodeNil()
+				}
+			} else {
+				if yyq2[14] {
+					z.EncSendContainerState(codecSelfer_containerMapKey1234)
+					r.EncodeString(codecSelferC_UTF81234, string("defaultAllowPrivilegeEscalation"))
+					z.EncSendContainerState(codecSelfer_containerMapValue1234)
+					if x.DefaultAllowPrivilegeEscalation == nil {
+						r.EncodeNil()
+					} else {
+						yy56 := *x.DefaultAllowPrivilegeEscalation
+						yym57 := z.EncBinary()
+						_ = yym57
+						if false {
+						} else {
+							r.EncodeBool(bool(yy56))
+						}
+					}
+				}
+			}
+			if yyr2 || yy2arr2 {
+				z.EncSendContainerState(codecSelfer_containerArrayElem1234)
+				if yyq2[15] {
+					yym59 := z.EncBinary()
+					_ = yym59
+					if false {
+					} else {
+						r.EncodeBool(bool(x.AllowPrivilegeEscalation))
+					}
+				} else {
+					r.EncodeBool(false)
+				}
+			} else {
+				if yyq2[15] {
+					z.EncSendContainerState(codecSelfer_containerMapKey1234)
+					r.EncodeString(codecSelferC_UTF81234, string("allowPrivilegeEscalation"))
+					z.EncSendContainerState(codecSelfer_containerMapValue1234)
+					yym60 := z.EncBinary()
+					_ = yym60
+					if false {
+					} else {
+						r.EncodeBool(bool(x.AllowPrivilegeEscalation))
+					}
+				}
+			}
 			if yyr2 || yy2arr2 {
 				z.EncSendContainerState(codecSelfer_containerArrayEnd1234)
 			} else {
@@ -15320,6 +15382,34 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromMap(l int, d *codec1978.Decod
 					*((*bool)(yyv26)) = r.DecodeBool()
 				}
 			}
+		case "defaultAllowPrivilegeEscalation":
+			if r.TryDecodeAsNil() {
+				if x.DefaultAllowPrivilegeEscalation != nil {
+					x.DefaultAllowPrivilegeEscalation = nil
+				}
+			} else {
+				if x.DefaultAllowPrivilegeEscalation == nil {
+					x.DefaultAllowPrivilegeEscalation = new(bool)
+				}
+				yym29 := z.DecBinary()
+				_ = yym29
+				if false {
+				} else {
+					*((*bool)(x.DefaultAllowPrivilegeEscalation)) = r.DecodeBool()
+				}
+			}
+		case "allowPrivilegeEscalation":
+			if r.TryDecodeAsNil() {
+				x.AllowPrivilegeEscalation = false
+			} else {
+				yyv30 := &x.AllowPrivilegeEscalation
+				yym31 := z.DecBinary()
+				_ = yym31
+				if false {
+				} else {
+					*((*bool)(yyv30)) = r.DecodeBool()
+				}
+			}
 		default:
 			z.DecStructFieldNotFound(-1, yys3)
 		} // end switch yys3
@@ -15331,16 +15421,16 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
 	var h codecSelfer1234
 	z, r := codec1978.GenHelperDecoder(d)
 	_, _, _ = h, z, r
-	var yyj28 int
+	var yyj32 int
-	var yyb28 bool
+	var yyb32 bool
-	var yyhl28 bool = l >= 0
+	var yyhl32 bool = l >= 0
-	yyj28++
+	yyj32++
-	if yyhl28 {
+	if yyhl32 {
-		yyb28 = yyj28 > l
+		yyb32 = yyj32 > l
 	} else {
-		yyb28 = r.CheckBreak()
+		yyb32 = r.CheckBreak()
 	}
-	if yyb28 {
+	if yyb32 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -15348,21 +15438,21 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
 	if r.TryDecodeAsNil() {
 		x.Privileged = false
 	} else {
-		yyv29 := &x.Privileged
+		yyv33 := &x.Privileged
-		yym30 := z.DecBinary()
+		yym34 := z.DecBinary()
-		_ = yym30
+		_ = yym34
 		if false {
 		} else {
-			*((*bool)(yyv29)) = r.DecodeBool()
+			*((*bool)(yyv33)) = r.DecodeBool()
 		}
 	}
-	yyj28++
+	yyj32++
-	if yyhl28 {
+	if yyhl32 {
-		yyb28 = yyj28 > l
+		yyb32 = yyj32 > l
 	} else {
-		yyb28 = r.CheckBreak()
+		yyb32 = r.CheckBreak()
 	}
-	if yyb28 {
+	if yyb32 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -15370,51 +15460,7 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
 	if r.TryDecodeAsNil() {
 		x.DefaultAddCapabilities = nil
 	} else {
-		yyv31 := &x.DefaultAddCapabilities
+		yyv35 := &x.DefaultAddCapabilities
-		yym32 := z.DecBinary()
-		_ = yym32
-		if false {
-		} else {
-			h.decSlicev1_Capability((*[]pkg4_v1.Capability)(yyv31), d)
-		}
-	}
-	yyj28++
-	if yyhl28 {
-		yyb28 = yyj28 > l
-	} else {
-		yyb28 = r.CheckBreak()
-	}
-	if yyb28 {
-		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
-		return
-	}
-	z.DecSendContainerState(codecSelfer_containerArrayElem1234)
-	if r.TryDecodeAsNil() {
-		x.RequiredDropCapabilities = nil
-	} else {
-		yyv33 := &x.RequiredDropCapabilities
-		yym34 := z.DecBinary()
-		_ = yym34
-		if false {
-		} else {
-			h.decSlicev1_Capability((*[]pkg4_v1.Capability)(yyv33), d)
-		}
-	}
-	yyj28++
-	if yyhl28 {
-		yyb28 = yyj28 > l
-	} else {
-		yyb28 = r.CheckBreak()
-	}
-	if yyb28 {
-		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
-		return
-	}
-	z.DecSendContainerState(codecSelfer_containerArrayElem1234)
-	if r.TryDecodeAsNil() {
-		x.AllowedCapabilities = nil
-	} else {
-		yyv35 := &x.AllowedCapabilities
 		yym36 := z.DecBinary()
 		_ = yym36
 		if false {
@@ -15422,13 +15468,57 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
 			h.decSlicev1_Capability((*[]pkg4_v1.Capability)(yyv35), d)
 		}
 	}
-	yyj28++
+	yyj32++
-	if yyhl28 {
+	if yyhl32 {
-		yyb28 = yyj28 > l
+		yyb32 = yyj32 > l
 	} else {
-		yyb28 = r.CheckBreak()
+		yyb32 = r.CheckBreak()
 	}
-	if yyb28 {
+	if yyb32 {
+		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
+		return
+	}
+	z.DecSendContainerState(codecSelfer_containerArrayElem1234)
+	if r.TryDecodeAsNil() {
+		x.RequiredDropCapabilities = nil
+	} else {
+		yyv37 := &x.RequiredDropCapabilities
+		yym38 := z.DecBinary()
+		_ = yym38
+		if false {
+		} else {
+			h.decSlicev1_Capability((*[]pkg4_v1.Capability)(yyv37), d)
+		}
+	}
+	yyj32++
+	if yyhl32 {
+		yyb32 = yyj32 > l
+	} else {
+		yyb32 = r.CheckBreak()
+	}
+	if yyb32 {
+		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
+		return
+	}
+	z.DecSendContainerState(codecSelfer_containerArrayElem1234)
+	if r.TryDecodeAsNil() {
+		x.AllowedCapabilities = nil
+	} else {
+		yyv39 := &x.AllowedCapabilities
+		yym40 := z.DecBinary()
+		_ = yym40
+		if false {
+		} else {
+			h.decSlicev1_Capability((*[]pkg4_v1.Capability)(yyv39), d)
+		}
+	}
+	yyj32++
+	if yyhl32 {
+		yyb32 = yyj32 > l
+	} else {
+		yyb32 = r.CheckBreak()
+	}
+	if yyb32 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -15436,21 +15526,21 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
 	if r.TryDecodeAsNil() {
 		x.Volumes = nil
 	} else {
-		yyv37 := &x.Volumes
+		yyv41 := &x.Volumes
-		yym38 := z.DecBinary()
+		yym42 := z.DecBinary()
-		_ = yym38
+		_ = yym42
 		if false {
 		} else {
-			h.decSliceFSType((*[]FSType)(yyv37), d)
+			h.decSliceFSType((*[]FSType)(yyv41), d)
 		}
 	}
-	yyj28++
+	yyj32++
-	if yyhl28 {
+	if yyhl32 {
-		yyb28 = yyj28 > l
+		yyb32 = yyj32 > l
 	} else {
-		yyb28 = r.CheckBreak()
+		yyb32 = r.CheckBreak()
 	}
-	if yyb28 {
+	if yyb32 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -15458,51 +15548,7 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
 	if r.TryDecodeAsNil() {
 		x.HostNetwork = false
 	} else {
-		yyv39 := &x.HostNetwork
+		yyv43 := &x.HostNetwork
-		yym40 := z.DecBinary()
-		_ = yym40
-		if false {
-		} else {
-			*((*bool)(yyv39)) = r.DecodeBool()
-		}
-	}
-	yyj28++
-	if yyhl28 {
-		yyb28 = yyj28 > l
-	} else {
-		yyb28 = r.CheckBreak()
-	}
-	if yyb28 {
-		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
-		return
-	}
-	z.DecSendContainerState(codecSelfer_containerArrayElem1234)
-	if r.TryDecodeAsNil() {
-		x.HostPorts = nil
-	} else {
-		yyv41 := &x.HostPorts
-		yym42 := z.DecBinary()
-		_ = yym42
-		if false {
-		} else {
-			h.decSliceHostPortRange((*[]HostPortRange)(yyv41), d)
-		}
-	}
-	yyj28++
-	if yyhl28 {
-		yyb28 = yyj28 > l
-	} else {
-		yyb28 = r.CheckBreak()
-	}
-	if yyb28 {
-		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
-		return
-	}
-	z.DecSendContainerState(codecSelfer_containerArrayElem1234)
-	if r.TryDecodeAsNil() {
-		x.HostPID = false
-	} else {
-		yyv43 := &x.HostPID
 		yym44 := z.DecBinary()
 		_ = yym44
 		if false {
@@ -15510,13 +15556,57 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
 			*((*bool)(yyv43)) = r.DecodeBool()
 		}
 	}
-	yyj28++
+	yyj32++
-	if yyhl28 {
+	if yyhl32 {
-		yyb28 = yyj28 > l
+		yyb32 = yyj32 > l
 	} else {
-		yyb28 = r.CheckBreak()
+		yyb32 = r.CheckBreak()
 	}
-	if yyb28 {
+	if yyb32 {
+		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
+		return
+	}
+	z.DecSendContainerState(codecSelfer_containerArrayElem1234)
+	if r.TryDecodeAsNil() {
+		x.HostPorts = nil
+	} else {
+		yyv45 := &x.HostPorts
+		yym46 := z.DecBinary()
+		_ = yym46
+		if false {
+		} else {
+			h.decSliceHostPortRange((*[]HostPortRange)(yyv45), d)
+		}
+	}
+	yyj32++
+	if yyhl32 {
+		yyb32 = yyj32 > l
+	} else {
+		yyb32 = r.CheckBreak()
+	}
+	if yyb32 {
+		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
+		return
+	}
+	z.DecSendContainerState(codecSelfer_containerArrayElem1234)
+	if r.TryDecodeAsNil() {
+		x.HostPID = false
+	} else {
+		yyv47 := &x.HostPID
+		yym48 := z.DecBinary()
+		_ = yym48
+		if false {
+		} else {
+			*((*bool)(yyv47)) = r.DecodeBool()
+		}
+	}
+	yyj32++
+	if yyhl32 {
+		yyb32 = yyj32 > l
+	} else {
+		yyb32 = r.CheckBreak()
+	}
+	if yyb32 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -15524,21 +15614,21 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
 	if r.TryDecodeAsNil() {
 		x.HostIPC = false
 	} else {
-		yyv45 := &x.HostIPC
+		yyv49 := &x.HostIPC
-		yym46 := z.DecBinary()
+		yym50 := z.DecBinary()
-		_ = yym46
+		_ = yym50
 		if false {
 		} else {
-			*((*bool)(yyv45)) = r.DecodeBool()
+			*((*bool)(yyv49)) = r.DecodeBool()
 		}
 	}
-	yyj28++
+	yyj32++
-	if yyhl28 {
+	if yyhl32 {
-		yyb28 = yyj28 > l
+		yyb32 = yyj32 > l
 	} else {
-		yyb28 = r.CheckBreak()
+		yyb32 = r.CheckBreak()
 	}
-	if yyb28 {
+	if yyb32 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -15546,16 +15636,16 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
 	if r.TryDecodeAsNil() {
 		x.SELinux = SELinuxStrategyOptions{}
 	} else {
-		yyv47 := &x.SELinux
+		yyv51 := &x.SELinux
-		yyv47.CodecDecodeSelf(d)
+		yyv51.CodecDecodeSelf(d)
 	}
-	yyj28++
+	yyj32++
-	if yyhl28 {
+	if yyhl32 {
-		yyb28 = yyj28 > l
+		yyb32 = yyj32 > l
 	} else {
-		yyb28 = r.CheckBreak()
+		yyb32 = r.CheckBreak()
 	}
-	if yyb28 {
+	if yyb32 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -15563,16 +15653,16 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
 	if r.TryDecodeAsNil() {
 		x.RunAsUser = RunAsUserStrategyOptions{}
 	} else {
-		yyv48 := &x.RunAsUser
+		yyv52 := &x.RunAsUser
-		yyv48.CodecDecodeSelf(d)
+		yyv52.CodecDecodeSelf(d)
 	}
-	yyj28++
+	yyj32++
-	if yyhl28 {
+	if yyhl32 {
-		yyb28 = yyj28 > l
+		yyb32 = yyj32 > l
 	} else {
-		yyb28 = r.CheckBreak()
+		yyb32 = r.CheckBreak()
 	}
-	if yyb28 {
+	if yyb32 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -15580,16 +15670,16 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
 	if r.TryDecodeAsNil() {
 		x.SupplementalGroups = SupplementalGroupsStrategyOptions{}
 	} else {
-		yyv49 := &x.SupplementalGroups
+		yyv53 := &x.SupplementalGroups
-		yyv49.CodecDecodeSelf(d)
+		yyv53.CodecDecodeSelf(d)
 	}
-	yyj28++
+	yyj32++
-	if yyhl28 {
+	if yyhl32 {
-		yyb28 = yyj28 > l
+		yyb32 = yyj32 > l
 	} else {
-		yyb28 = r.CheckBreak()
+		yyb32 = r.CheckBreak()
 	}
-	if yyb28 {
+	if yyb32 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -15597,16 +15687,16 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
 	if r.TryDecodeAsNil() {
 		x.FSGroup = FSGroupStrategyOptions{}
 	} else {
-		yyv50 := &x.FSGroup
+		yyv54 := &x.FSGroup
-		yyv50.CodecDecodeSelf(d)
+		yyv54.CodecDecodeSelf(d)
 	}
-	yyj28++
+	yyj32++
-	if yyhl28 {
+	if yyhl32 {
-		yyb28 = yyj28 > l
+		yyb32 = yyj32 > l
 	} else {
-		yyb28 = r.CheckBreak()
+		yyb32 = r.CheckBreak()
 	}
-	if yyb28 {
+	if yyb32 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -15614,26 +15704,74 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
 	if r.TryDecodeAsNil() {
 		x.ReadOnlyRootFilesystem = false
 	} else {
-		yyv51 := &x.ReadOnlyRootFilesystem
+		yyv55 := &x.ReadOnlyRootFilesystem
-		yym52 := z.DecBinary()
+		yym56 := z.DecBinary()
-		_ = yym52
+		_ = yym56
 		if false {
 		} else {
-			*((*bool)(yyv51)) = r.DecodeBool()
+			*((*bool)(yyv55)) = r.DecodeBool()
+		}
+	}
+	yyj32++
+	if yyhl32 {
+		yyb32 = yyj32 > l
+	} else {
+		yyb32 = r.CheckBreak()
+	}
+	if yyb32 {
+		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
+		return
+	}
+	z.DecSendContainerState(codecSelfer_containerArrayElem1234)
+	if r.TryDecodeAsNil() {
+		if x.DefaultAllowPrivilegeEscalation != nil {
+			x.DefaultAllowPrivilegeEscalation = nil
+		}
+	} else {
+		if x.DefaultAllowPrivilegeEscalation == nil {
+			x.DefaultAllowPrivilegeEscalation = new(bool)
+		}
+		yym58 := z.DecBinary()
+		_ = yym58
+		if false {
+		} else {
+			*((*bool)(x.DefaultAllowPrivilegeEscalation)) = r.DecodeBool()
+		}
+	}
+	yyj32++
+	if yyhl32 {
+		yyb32 = yyj32 > l
+	} else {
+		yyb32 = r.CheckBreak()
+	}
+	if yyb32 {
+		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
+		return
+	}
+	z.DecSendContainerState(codecSelfer_containerArrayElem1234)
+	if r.TryDecodeAsNil() {
+		x.AllowPrivilegeEscalation = false
+	} else {
+		yyv59 := &x.AllowPrivilegeEscalation
+		yym60 := z.DecBinary()
+		_ = yym60
+		if false {
+		} else {
+			*((*bool)(yyv59)) = r.DecodeBool()
 		}
 	}
 	for {
-		yyj28++
+		yyj32++
-		if yyhl28 {
+		if yyhl32 {
-			yyb28 = yyj28 > l
+			yyb32 = yyj32 > l
 		} else {
-			yyb28 = r.CheckBreak()
+			yyb32 = r.CheckBreak()
 		}
-		if yyb28 {
+		if yyb32 {
 			break
 		}
 		z.DecSendContainerState(codecSelfer_containerArrayElem1234)
-		z.DecStructFieldNotFound(yyj28-1, "")
+		z.DecStructFieldNotFound(yyj32-1, "")
 	}
 	z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 }
@@ -21422,7 +21560,7 @@ func (x codecSelfer1234) decSlicePodSecurityPolicy(v *[]PodSecurityPolicy, d *co
 
 			yyrg1 := len(yyv1) > 0
 			yyv21 := yyv1
-			yyrl1, yyrt1 = z.DecInferLen(yyl1, z.DecBasicHandle().MaxInitLen, 560)
+			yyrl1, yyrt1 = z.DecInferLen(yyl1, z.DecBasicHandle().MaxInitLen, 576)
 			if yyrt1 {
 				if yyrl1 <= cap(yyv1) {
 					yyv1 = yyv1[:yyrl1]

staging/src/k8s.io/api/extensions/v1beta1/types.go

@@ -954,6 +954,14 @@ type PodSecurityPolicySpec struct {
 	// will not be forced to.
 	// +optional
 	ReadOnlyRootFilesystem bool `json:"readOnlyRootFilesystem,omitempty" protobuf:"varint,14,opt,name=readOnlyRootFilesystem"`
+	// DefaultAllowPrivilegeEscalation controls the default setting for whether a
+	// process can gain more privileges than it's parent process.
+	// +optional
+	DefaultAllowPrivilegeEscalation *bool `json:"defaultAllowPrivilegeEscalation,omitempty" protobuf:"varint,15,opt,name=defaultAllowPrivilegeEscalation"`
+	// AllowPrivilegeEscalation determines if a pod can request to allow
+	// privilege escalation.
+	// +optional
+	AllowPrivilegeEscalation bool `json:"allowPrivilegeEscalation,omitempty" protobuf:"varint,16,opt,name=allowPrivilegeEscalation"`
 }
 
 // FS Type gives strong typing to different file systems that are used by volumes.

staging/src/k8s.io/api/extensions/v1beta1/types_swagger_doc_generated.go

@@ -410,21 +410,23 @@ func (PodSecurityPolicyList) SwaggerDoc() map[string]string {
 }
 
 var map_PodSecurityPolicySpec = map[string]string{
-	"":                         "Pod Security Policy Spec defines the policy enforced.",
+	"":                                "Pod Security Policy Spec defines the policy enforced.",
-	"privileged":               "privileged determines if a pod can request to be run as privileged.",
+	"privileged":                      "privileged determines if a pod can request to be run as privileged.",
-	"defaultAddCapabilities":   "DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability.  You may not list a capabiility in both DefaultAddCapabilities and RequiredDropCapabilities.",
+	"defaultAddCapabilities":          "DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability.  You may not list a capabiility in both DefaultAddCapabilities and RequiredDropCapabilities.",
-	"requiredDropCapabilities": "RequiredDropCapabilities are the capabilities that will be dropped from the container.  These are required to be dropped and cannot be added.",
+	"requiredDropCapabilities":        "RequiredDropCapabilities are the capabilities that will be dropped from the container.  These are required to be dropped and cannot be added.",
-	"allowedCapabilities":      "AllowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author's discretion. You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.",
+	"allowedCapabilities":             "AllowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author's discretion. You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.",
-	"volumes":                  "volumes is a white list of allowed volume plugins.  Empty indicates that all plugins may be used.",
+	"volumes":                         "volumes is a white list of allowed volume plugins.  Empty indicates that all plugins may be used.",
-	"hostNetwork":              "hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.",
+	"hostNetwork":                     "hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.",
-	"hostPorts":                "hostPorts determines which host port ranges are allowed to be exposed.",
+	"hostPorts":                       "hostPorts determines which host port ranges are allowed to be exposed.",
-	"hostPID":                  "hostPID determines if the policy allows the use of HostPID in the pod spec.",
+	"hostPID":                         "hostPID determines if the policy allows the use of HostPID in the pod spec.",
-	"hostIPC":                  "hostIPC determines if the policy allows the use of HostIPC in the pod spec.",
+	"hostIPC":                         "hostIPC determines if the policy allows the use of HostIPC in the pod spec.",
-	"seLinux":                  "seLinux is the strategy that will dictate the allowable labels that may be set.",
+	"seLinux":                         "seLinux is the strategy that will dictate the allowable labels that may be set.",
-	"runAsUser":                "runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.",
+	"runAsUser":                       "runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.",
-	"supplementalGroups":       "SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.",
+	"supplementalGroups":              "SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.",
-	"fsGroup":                  "FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.",
+	"fsGroup":                         "FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.",
-	"readOnlyRootFilesystem":   "ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file system.  If the container specifically requests to run with a non-read only root file system the PSP should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.",
+	"readOnlyRootFilesystem":          "ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file system.  If the container specifically requests to run with a non-read only root file system the PSP should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.",
+	"defaultAllowPrivilegeEscalation": "DefaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than it's parent process.",
+	"allowPrivilegeEscalation":        "AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation.",
 }
 
 func (PodSecurityPolicySpec) SwaggerDoc() map[string]string {

staging/src/k8s.io/api/extensions/v1beta1/zz_generated.deepcopy.go

@@ -1321,6 +1321,15 @@ func (in *PodSecurityPolicySpec) DeepCopyInto(out *PodSecurityPolicySpec) {
 	in.RunAsUser.DeepCopyInto(&out.RunAsUser)
 	in.SupplementalGroups.DeepCopyInto(&out.SupplementalGroups)
 	in.FSGroup.DeepCopyInto(&out.FSGroup)
+	if in.DefaultAllowPrivilegeEscalation != nil {
+		in, out := &in.DefaultAllowPrivilegeEscalation, &out.DefaultAllowPrivilegeEscalation
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(bool)
+			**out = **in
+		}
+	}
 	return
 }
 

test/e2e_node/BUILD

@@ -118,6 +118,7 @@ go_test(
         "//test/e2e_node/services:go_default_library",
         "//test/e2e_node/system:go_default_library",
         "//test/utils:go_default_library",
+        "//vendor/github.com/blang/semver:go_default_library",
         "//vendor/github.com/coreos/go-systemd/util:go_default_library",
         "//vendor/github.com/davecgh/go-spew/spew:go_default_library",
         "//vendor/github.com/golang/glog:go_default_library",

test/e2e_node/image_list.go

@@ -53,6 +53,7 @@ var NodeImageWhiteList = sets.NewString(
 	"gcr.io/google_containers/nginx-slim:0.7",
 	"gcr.io/google_containers/serve_hostname:v1.4",
 	"gcr.io/google_containers/netexec:1.7",
+	"gcr.io/google_containers/nonewprivs:1.2",
 	framework.GetPauseImageNameForHostArch(),
 )
 

test/e2e_node/security_context_test.go

@@ -28,6 +28,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/uuid"
 	"k8s.io/kubernetes/test/e2e/framework"
 
+	"github.com/blang/semver"
 	. "github.com/onsi/ginkgo"
 )
 
@@ -375,4 +376,87 @@ var _ = framework.KubeDescribe("Security Context", func() {
 			}
 		})
 	})
+
+	Context("when creating containers with AllowPrivilegeEscalation", func() {
+
+		BeforeEach(func() {
+			if framework.TestContext.ContainerRuntime == "docker" {
+				// parse the docker version
+				out, err := exec.Command("docker", "-v").CombinedOutput()
+				if err != nil {
+					framework.Failf("checking docker version failed output %s: %v", string(out), err)
+				}
+				parts := strings.Split(string(out), ",")
+				parts = strings.Split(parts[0], " ")
+				dversion := parts[len(parts)-1]
+				version, err := semver.New(dversion)
+				if err != nil {
+					framework.Failf("parsing docker version %q failed: %v", dversion, err)
+				}
+				if version.LT(semver.Version{Major: 1, Minor: 11}) {
+					// make sure its >= 1.11 thats when "no-new-privileges" was added
+					framework.Skipf("Skipping no_new_privs tests, docker version is < 1.11 it is %s", version.String())
+				}
+			}
+		})
+
+		makeAllowPrivilegeEscalationPod := func(podName string, allowPrivilegeEscalation *bool, uid int64) *v1.Pod {
+			return &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: podName,
+				},
+				Spec: v1.PodSpec{
+					RestartPolicy: v1.RestartPolicyNever,
+					Containers: []v1.Container{
+						{
+							Image: "gcr.io/google_containers/nonewprivs:1.2",
+							Name:  podName,
+							SecurityContext: &v1.SecurityContext{
+								AllowPrivilegeEscalation: allowPrivilegeEscalation,
+								RunAsUser:                &uid,
+							},
+						},
+					},
+				},
+			}
+		}
+		createAndMatchOutput := func(podName, output string, allowPrivilegeEscalation *bool, uid int64) error {
+			podClient.Create(makeAllowPrivilegeEscalationPod(podName,
+				allowPrivilegeEscalation,
+				uid,
+			))
+
+			podClient.WaitForSuccess(podName, framework.PodStartTimeout)
+
+			if err := podClient.MatchContainerOutput(podName, podName, output); err != nil {
+				return err
+			}
+
+			return nil
+		}
+
+		It("should allow privilege escalation when not explicitly set and uid != 0", func() {
+			podName := "alpine-nnp-nil-" + string(uuid.NewUUID())
+			if err := createAndMatchOutput(podName, "Effective uid: 0", nil, 1000); err != nil {
+				framework.Failf("Match output for pod %q failed: %v", podName, err)
+			}
+		})
+
+		It("should not allow privilege escalation when false", func() {
+			podName := "alpine-nnp-false-" + string(uuid.NewUUID())
+			apeFalse := false
+			if err := createAndMatchOutput(podName, "Effective uid: 1000", &apeFalse, 1000); err != nil {
+				framework.Failf("Match output for pod %q failed: %v", podName, err)
+			}
+		})
+
+		It("should allow privilege escalation when true", func() {
+			podName := "alpine-nnp-true-" + string(uuid.NewUUID())
+			apeTrue := true
+			if err := createAndMatchOutput(podName, "Effective uid: 0", &apeTrue, 1000); err != nil {
+				framework.Failf("Match output for pod %q failed: %v", podName, err)
+			}
+		})
+	})
+
 })

test/images/nonewprivs/.gitignore

@@ -0,0 +1 @@
+nnp

test/images/nonewprivs/Dockerfile

@@ -0,0 +1,20 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM alpine:latest
+
+COPY nnp /usr/local/bin/nnp
+RUN chmod +s /usr/local/bin/nnp
+
+CMD ["nnp"]

test/images/nonewprivs/Makefile

@@ -0,0 +1,33 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+.PHONY: all image push clean
+
+TAG = 1.2
+PREFIX = gcr.io/google_containers
+
+
+all: push
+
+nnp: nnp.c
+	gcc -static -o $@ $@.c
+
+image: nnp
+	docker build --pull -t $(PREFIX)/nonewprivs:$(TAG) .
+
+push: image
+	gcloud docker -- push $(PREFIX)/nonewprivs:$(TAG)
+
+clean:
+	rm -f nnp

test/images/nonewprivs/nnp.c

@@ -0,0 +1,22 @@
+// Copyright 2017 The Kubernetes Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/types.h>
+
+int main(int argc, char *argv[]){
+        printf("Effective uid: %d\n", geteuid());
+        return 0;
+}