commit: 51ed8963a91ca0cf0263995205ce5e7ca47d53c2 |
Author: Daniel Jurgens <danielj <AT> mellanox <DOT> com> |
AuthorDate: Wed May 24 14:14:59 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Thu May 25 16:32:29 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=51ed8963 |
|
refpolicy: Infiniband pkeys and endports |
|
Every Infiniband network will have a default pkey, so that is labeled. |
The rest of the pkey configuration is network specific. The policy allows |
access to the default and unlabeled pkeys for sysadm and staff users. |
kernel_t is allowed access to all pkeys, which it needs to process and |
route management datagrams. |
|
Endports are all unlabeled by default, sysadm users are allowed to |
manage the subnet on unlabeled endports. kernel_t is allowed to manage |
the subnet on all ibendports, which is required for configuring the HCA. |
|
This patch requires selinux series: "SELinux user space support for |
Infiniband RDMA", due to the new ibpkeycon labeling mechanism. |
|
Signed-off-by: Daniel Jurgens <danielj <AT> mellanox.com> |
|
Makefile | 2 +- |
Rules.modular | 2 + |
Rules.monolithic | 2 + |
policy/flask/access_vectors | 10 +++ |
policy/flask/security_classes | 4 ++ |
policy/modules/kernel/corenetwork.if.in | 118 ++++++++++++++++++++++++++++++++ |
policy/modules/kernel/corenetwork.if.m4 | 64 +++++++++++++++++ |
policy/modules/kernel/corenetwork.te.in | 8 +++ |
policy/modules/kernel/corenetwork.te.m4 | 26 +++++++ |
policy/modules/kernel/kernel.if | 37 ++++++++++ |
policy/modules/kernel/kernel.te | 5 ++ |
policy/modules/roles/staff.te | 1 + |
policy/modules/roles/sysadm.te | 3 + |
support/comment_move_decl.sed | 2 +- |
14 files changed, 282 insertions(+), 2 deletions(-) |
|
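--- a/Makefile
+++ b/Makefile
@@ -372,7 +372,7 @@ $(moddir)/kernel/corenetwork.if: $(moddir)/kernel/corenetwork.te.in $(moddir)/ke
 @echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
 @echo "#" >> $@
 $(verbose) cat $@.in >> $@
- $(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)(_controlled)?\(.*\)" $< \
+ $(verbose) $(GREP) "^[[:blank:]]*(network_(interface|node|port|packet)(_controlled)?)|ib_(pkey|endport)\(.*\)" $< \
 | $(M4) -D self_contained_policy $(M4PARAM) $(m4divert) $@.m4 $(m4undivert) - \
 | $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
 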
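Review bot: The top-level `|` in the new `$(GREP)` pattern splits it into two independent alternatives, so `^[[:blank:]]*` anchors only the `network_…` branch and `\(.*\)` is required only on the `ib_…` branch (assuming `$(GREP)` is an extended-regex grep, as the existing pattern implies). A line that merely contains `ib_pkey(…)` or `ib_endport(…)`, for instance inside a comment, is then passed to m4, and a `network_*` prefix matches without its argument list. Moving the closing parenthesis so both macro families share one group keeps the anchor and the argument match common: `"^[[:blank:]]*(network_(interface|node|port|packet)(_controlled)?|ib_(pkey|endport))\(.*\)"`. The recipe begins above the hunk.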
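--- a/Rules.modular
+++ b/Rules.modular
@@ -170,6 +170,8 @@ $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.con
 $(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $@ || true
 $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $@ || true
 $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) ^ibpkeycon $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) ^ibendportcon $(tmpdir)/all_te_files.conf >> $@ || true
 
 $(tmpdir)/only_te_rules.conf: $(tmpdir)/all_te_files.conf
 $(verbose) $(comment_move_decl) $^ > $@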
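--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -150,6 +150,8 @@ $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.con
 $(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $@ || true
 $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $@ || true
 $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) ^ibpkeycon $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) ^ibendportcon $(tmpdir)/all_te_files.conf >> $@ || true
 
 $(tmpdir)/only_te_rules.conf: $(tmpdir)/all_te_files.conf
 $(verbose) $(comment_move_decl) $^ > $@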
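--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -927,6 +927,16 @@ inherits database
 set_value
 }
 
+class infiniband_pkey
+{
+ access
+}
+
+class infiniband_endport
+{
+ manage_subnet
+}
+
 class db_language
 inherits database
 {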
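--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -139,6 +139,10 @@ class netlink_crypto_socket
 class x_pointer # userspace
 class x_keyboard # userspace
 
+# Infiniband
+class infiniband_pkey
+class infiniband_endport
+
 # More Database stuff
 class db_schema # userspace
 class db_view # userspace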
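--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -3153,3 +3153,121 @@ interface(`corenet_unconfined',`
 
 typeattribute $1 corenet_unconfined_type;
 ')
+
+########################################
+## <summary>
+## Define type to be an infiniband pkey type
+## </summary>
+## <desc>
+## <p>
+## Define type to be an infiniband pkey type
+## </p>
+## <p>
+## This is for supporting third party modules and its
+## use is not allowed in upstream reference policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used for infiniband pkeys.
+## </summary>
+## </param>
+#
+interface(`corenet_ib_pkey',`
+ gen_require(`
+ attribute ibpkey_type;
+ ')
+
+ typeattribute $1 ibpkey_type;
+')
+
+########################################
+## <summary>
+## Access unlabeled infiniband pkeys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_ib_access_unlabeled_pkeys',`
+ kernel_ib_access_unlabeled_pkeys($1)
+')
+
+########################################
+## <summary>
+## Access all labeled infiniband pkeys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_ib_access_all_pkeys',`
+ gen_require(`
+ attribute ibpkey_type;
+ ')
+
+ allow $1 ibpkey_type:infiniband_pkey access;
+')
+
+########################################
+## <summary>
+## Define type to be an infiniband endport
+## </summary>
+## <desc>
+## <p>
+## Define type to be an infiniband endport
+## </p>
+## <p>
+## This is for supporting third party modules and its
+## use is not allowed in upstream reference policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used for infiniband endports.
+## </summary>
+## </param>
+#
+interface(`corenet_ib_endport',`
+ gen_require(`
+ attribute ibendport_type;
+ ')
+
+ typeattribute $1 ibendport_type;
+')
+
+########################################
+## <summary>
+## Manage subnets on all labeled Infiniband endports
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_ib_manage_subnet_all_endports',`
+ gen_require(`
+ attribute ibendport_type;
+ ')
+
+ allow $1 ibendport_type:infiniband_endport manage_subnet;
+')
+
+########################################
+## <summary>
+## Manage subnet on all unlabeled Infiniband endports
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_ib_manage_subnet_unlabeled_endports',`
+ kernel_ib_manage_subnet_unlabeled_endports($1)
+')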
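--- a/policy/modules/kernel/corenetwork.if.m4
+++ b/policy/modules/kernel/corenetwork.if.m4
@@ -776,6 +776,48 @@ interface(`corenet_relabelto_$1_packets',`
 ')
 '') dnl end create_port_interfaces
 
+define(`create_ibpkey_interfaces',``
+########################################
+## <summary>
+## Access the infiniband fabric on the $1 ibpkey.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_ib_access_$1_pkey',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ allow dollarsone $1_$2:infiniband_pkey access;
+')
+'') dnl end create_ibpkey_interfaces
+
+define(`create_ibendport_interfaces',``
+########################################
+## <summary>
+## Manage the subnet on $1 ibendport.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_ib_manage_subnet_$1_endport',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ allow dollarsone $1_$2:infiniband_endport manage_subnet;
+')
+'') dnl end create_ibendport_interfaces
+
 #
 # create_netif_*_interfaces(linux_interfacename)
 #
@@ -851,3 +893,25 @@ define(`network_packet',`
 create_packet_interfaces($1_client)
 create_packet_interfaces($1_server)
 ')
+
+# create_ibpkey_*_interfaces(name, subnet_prefix, pkeynum,mls_sensitivity)
+# (these wrap create_port_interfaces to handle attributes and types)
+define(`create_ibpkey_type_interfaces',`create_ibpkey_interfaces($1,ibpkey_t,type,determine_reserved_capability(shift($*)))')
+
+#
+# ib_pkey(name,subnet_prefix pkeynum mls_sensitivity)
+#
+define(`ib_pkey',`
+create_ibpkey_type_interfaces($*)
+')
+
+# create_ibendport_*_interfaces(name, devname, portnum,mls_sensitivity)
+# (these wrap create_port_interfaces to handle attributes and types)
+define(`create_ibendport_type_interfaces',`create_ibendport_interfaces($1,ibendport_t,type,determine_reserved_capability(shift($*)))')
+
+#
+# ib_endport(name,device_name, portnum mls_sensitivity)
+#
+define(`ib_endport',`
+create_ibendport_type_interfaces($*)
+')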
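Review bot: In the second hunk, both wrapper comments say the macros "wrap create_port_interfaces", but the definitions call create_ibpkey_interfaces and create_ibendport_interfaces; the wording looks carried over from the port macros and should name the macro actually wrapped, e.g. `# (wraps create_ibpkey_interfaces to supply the type suffix and the declaration keyword)`. The wrappers also pass `determine_reserved_capability(shift($*))` as a fourth argument, while the two generators added in the first hunk only reference `$1`, `$2` and `$3`, so that argument appears unused and the calls could end at `create_ibpkey_interfaces($1,ibpkey_t,type)` and `create_ibendport_interfaces($1,ibendport_t,type)`. The usage comments above ib_pkey and ib_endport omit commas between some parameters, which leaves the expected argument list ambiguous.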
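--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -16,6 +16,8 @@ attribute port_type;
 attribute reserved_port_type;
 attribute rpc_port_type;
 attribute server_packet_type;
+attribute ibpkey_type;
+attribute ibendport_type;
 # This is an optimization for { port_type -reserved_port_type }
 attribute unreserved_port_type;
 
@@ -364,3 +366,9 @@ allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
 # Bind to any network address.
 allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
 allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
+
+# Infiniband
+corenet_ib_access_all_pkeys(corenet_unconfined_type)
+corenet_ib_manage_subnet_all_endports(corenet_unconfined_type)
+corenet_ib_access_unlabeled_pkeys(corenet_unconfined_type)
+corenet_ib_manage_subnet_unlabeled_endports(corenet_unconfined_type)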
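Review bot: No `ib_pkey(...)` or `ib_endport(...)` declaration appears in either hunk of this file, although the commit description says the default pkey is labeled and that sysadm and staff users get access to it. Without such a declaration the new m4 macros emit no type, no `ibpkeycon` statement and no `corenet_ib_access_<name>_pkey` interface, so as far as the hunks show, the role changes only grant access to unlabeled pkeys. If the default label is meant to arrive with this commit it would be declared here, in the form `ib_pkey(default, <subnet_prefix>, <pkey_num>, <mls_sensitivity>)` with the site-independent values filled in; otherwise the description should say that labeling is left to a later change. The rest of the file is outside the hunks, so an existing declaration there cannot be ruled out.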
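--- a/policy/modules/kernel/corenetwork.te.m4
+++ b/policy/modules/kernel/corenetwork.te.m4
@@ -111,3 +111,29 @@ define(`network_packet',`
 type $1_client_packet_t, packet_type, client_packet_type;
 type $1_server_packet_t, packet_type, server_packet_type;
 ')
+
+define(`declare_ibpkeycons',`dnl
+ibpkeycon $2 $3 gen_context(system_u:object_r:$1,$4)
+ifelse(`$5',`',`',`declare_ibpkeycons($1,shiftn(4,$*))')dnl
+')
+
+#
+# ib_pkey(nam, subnet_prefix, pkey_num, mls_sensitivity [,subnet_prefix, pkey_num, mls_sensitivity[,...]])
+#
+define(`ib_pkey',`
+type $1_ibpkey_t, ibpkey_type;
+ifelse(`$2',`',`',`declare_ibpkeycons($1_ibpkey_t,shift($*))')dnl
+')
+
+define(`declare_ibendportcons',`dnl
+ibendportcon $2 $3 gen_context(system_u:object_r:$1,$4)
+ifelse(`$5',`',`',`declare_ibendportcons($1,shiftn(4,$*))')dnl
+')
+
+#
+# ib_endport (name, dev_name, port_num, mls_sensitivity [, dev_name, port_num mls_sensitivity[,...]])
+#
+define(`ib_endport',`
+type $1_ibendport_t, ibendport_type;
+ifelse(`$2',`',`',`declare_ibendportcons($1_ibendport_t,shift($*))')dnl
+')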
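Review bot: declare_ibpkeycons and declare_ibendportcons consume their arguments three at a time and recurse while `$5` is non-empty, but nothing checks that a complete group was supplied, so a call with a missing field would emit an `ibpkeycon` or `ibendportcon` line with an empty field and fail only later, when the policy is compiled. That contract deserves a sentence in the usage comments, for example `# Arguments after the name must come in complete (subnet_prefix, pkey_num, mls_sensitivity) triples.` The same comments need tidying: `ib_pkey(nam, …` should read `name`, and the ib_endport comment drops the comma between `port_num` and `mls_sensitivity` in the repeated group.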
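--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -3553,3 +3553,40 @@ interface(`kernel_rw_vm_overcommit_sysctl',`
 kernel_search_vm_sysctl($1)
 allow $1 sysctl_vm_overcommit_t:file rw_file_perms;
 ')
+
+########################################
+## <summary>
+## Access unlabeled infiniband pkeys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_ib_access_unlabeled_pkeys',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:infiniband_pkey access;
+')
+
+########################################
+## <summary>
+## Manage subnet on unlabeled Infiniband endports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_ib_manage_subnet_unlabeled_endports',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:infiniband_endport manage_subnet;
+')
+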
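--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -259,6 +259,11 @@ corenet_tcp_sendrecv_all_nodes(kernel_t)
 corenet_raw_send_generic_node(kernel_t)
 corenet_send_all_packets(kernel_t)
 
+corenet_ib_access_all_pkeys(kernel_t)
+corenet_ib_access_unlabeled_pkeys(kernel_t)
+corenet_ib_manage_subnet_all_endports(kernel_t)
+corenet_ib_manage_subnet_unlabeled_endports(kernel_t)
+
 dev_mounton_sysfs(kernel_t)
 dev_read_sysfs(kernel_t)
 dev_search_usbfs(kernel_t)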
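--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -13,6 +13,7 @@ userdom_unpriv_user_template(staff)
 #
 # Local policy
 #
+corenet_ib_access_unlabeled_pkeys(staff_t)
 
 optional_policy(`
 apache_role(staff_r, staff_t)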
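Review bot: The added `corenet_ib_access_unlabeled_pkeys(staff_t)` sits directly under the "Local policy" banner with no comment, and its reach is wider than the name suggests: the interface grants `access` on `unlabeled_t:infiniband_pkey`, which covers every partition key that has no `ibpkeycon` entry. On a fabric where the site has not labeled its pkeys, staff users would therefore be allowed onto any partition rather than only the default one. A comment would make that trade-off visible to whoever labels the fabric, e.g. `# Unlabeled pkeys are all partitions without an ibpkeycon entry; label site pkeys to restrict staff_t.`, separated from the banner by a blank line. The same call is added for sysadm_t in sysadm.te.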
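--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -46,6 +46,9 @@ selinux_read_policy(sysadm_t)
 userdom_manage_user_home_dirs(sysadm_t)
 userdom_home_filetrans_user_home_dir(sysadm_t)
 
+corenet_ib_access_unlabeled_pkeys(sysadm_t)
+corenet_ib_manage_subnet_unlabeled_endports(sysadm_t)
+
 ifdef(`direct_sysadm_daemon',`
 optional_policy(`
 init_run_daemon(sysadm_t, sysadm_r)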
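--- a/support/comment_move_decl.sed
+++ b/support/comment_move_decl.sed
@@ -6,7 +6,7 @@
 /optional \{/,/} # end optional/b nextline
 
 /^[[:blank:]]*(attribute(_role)?|type(alias)?) /s/^/# this line was moved by the build process: &/
-/^[[:blank:]]*(port|node|netif|genfs)con /s/^/# this line was moved by the build process: &/
+/^[[:blank:]]*(port|node|netif|genfs|ibpkey|ibendport)con /s/^/# this line was moved by the build process: &/
 /^[[:blank:]]*fs_use_(xattr|task|trans) /s/^/# this line was moved by the build process: &/
 /^[[:blank:]]*sid /s/^/# this line was moved by the build process: &/
 /^[[:blank:]]*bool /s/^/# this line was moved by the build process: &/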