Source file: opt/cloudlinux/venv/lib/python3.11/site-packages/clcagefslib/cli.py

Module docstring:

    CLI helper utilities for CageFS user commands.

    Provides functions for:
    - Re-entering CageFS environment
    - Calling commands via proxyexec for privilege escalation

Imports: logging, os, pwd, subprocess, sys; clcagefs (from clcommon)

Module-level names and string constants:

    logger (from logging.getLogger)
    CAGEFS_TOKEN_PATH: /var/.cagefs/.cagefs.token
    PROXYEXEC_DAEMON_PATH: /usr/sbin/proxyexec

get_cagefs_token

    Read the CageFS token from the token file.

    Returns:
        str: The CageFS token, or None if not found

    Names referenced: open, CAGEFS_TOKEN_PATH, read, strip, IOError, OSError

_is_parent_proxyexec

    Verify that the parent process is the proxyexec daemon by checking
    /proc//exe (kernel-controlled, not spoofable).

    Returns:
        bool: True if parent process is the proxyexec daemon

    Names referenced: os, getppid, readlink, endswith, len, PROXYEXEC_DAEMON_PATH
    Local variables: ppid, parent_exe
    String constants: /proc/%d/exe, (deleted)

is_running_via_proxyexec

    Check if the script is running via proxyexec.

    Verifies both that the PROXYEXEC_UID environment variable is set and that
    the parent process is the proxyexec daemon binary. This prevents spoofing
    via environment variable injection.

    Returns:
        bool: True if running via proxyexec, False otherwise

    Names referenced: os, environ, get, _is_parent_proxyexec
    String constants: PROXYEXEC_UID

call_via_proxyexec (arguments: alias, args_list)

    Call a command via proxyexec to execute with root privileges.

    Args:
        alias: The proxyexec command alias (e.g., "CAGEFSCTL_USER_SITE_ISOLATION_LIST")
        args_list: Additional arguments to pass

    Returns:
        int: Exit code from the proxyexec command, or None on error

    Names referenced: get_cagefs_token, logger, error, pwd, getpwuid, os, getuid,
        pw_name, getcwd, str, getpid, subprocess, Popen, sys, stdout, stderr,
        stdin, communicate, returncode
    Local variables: alias, args_list, token, username, cwd, pid, cmd, env, p
    String constants: Failed to read CageFS token, -c, cagefs.sock, CAGEFS_TOKEN
    Keyword names: stdout, stderr, stdin, env

reenter_cagefs (arguments: argv)

    Re-execute inside CageFS when running outside.

    Args:
        argv: Command line arguments to pass (defaults to sys.argv)

    Returns:
        int: Exit code from the re-executed command

    Names referenced: sys, argv, subprocess, Popen, stdout, stderr, stdin,
        communicate, returncode
    Local variables: argv, cmd, p
    String constants: /bin/cagefs_enter
    Keyword names: stdout, stderr, stdin

in_cagefs

    Check if currently running inside CageFS.

    Returns:
        bool: True if inside CageFS, False otherwise

    Names referenced: clcagefs, in_cagefs