{1XHTddlZddlZddlZddlZddlZddlZddlmZddlm Z ddl m Z m Z ddl mZmZddl mZddlmZddlmZdd lmZd d lmZd d lmZd d lmZmZmZd dl m!Z!d dl"m#Z#d dl$m%Z%d dl&m'Z'm(Z(d dl)m*Z*m+Z+dZ,dZ-de.dzfdZ/de.de0fdZ1dZ2dZ3dZ4dgZ5dddZ6d Z7d!Z8d"Z9de.fd#Z:ej;d $d%Zd(Z?d)Z@d*ZAd+ZBd,e.fd-ZCd,e.fd.ZDd,e.fd/ZEd0ZFd1e.fd2ZGd3ZHdeIfd4ZJde.fd5ZKdeIfd6ZLd7ZMd8ZNd:de.d1e.dzfd9ZOdS);N) defaultdict)Path)setup_mount_dir_cagefsCAGEFSCTL_TOOL)cpusersis_panel_feature_supported)docroot)Feature)NoDomain)PyLve) user_exists)UserNotFoundError) admin_configconfig jail_utils)DOCROOTS_ISOLATED_BASE)write_jail_mounts_config)reload_processes_with_docroots)start_monitoring_servicestop_monitoring_service)trigger_xray_ini_regenerationtrigger_ssa_ini_regenerationcTtjtjSN)ospathisfilerWEBSITE_ISOLATION_MARKERFopt/cloudlinux/venv/lib/python3.11/site-packages/clcagefslib/domain.py(is_website_isolation_allowed_server_wider#%s 7>>,? @ @@r!cTtjtjSr)rrrr"WEBSITE_ISOLATION_AVAILABLE_MARKERr r!r"&is_website_isolation_feature_availabler&)s 7>>,I J JJr!returnc.tjtj}tjtj}|r8|r6t jdtj tjddS|rdS|rdSdS)uReturn the current user mode for website isolation. Returns: ``"allow_all"`` – all users allowed, denied dir lists exceptions. ``"deny_all"`` – no users allowed, allowed dir lists exceptions. ``None`` – not initialised yet. zBoth site-isolation.users.allowed and site-isolation.users.denied directories exist. Removing allowed directory, treating as allow_all mode.T ignore_errors allow_alldeny_allN) rrisdirrISOLATION_DENIED_DIRISOLATION_ALLOWED_DIRloggingwarningshutilrmtree) has_denied has_alloweds r"get_isolation_user_moder6-s|@AAJ'-- BCCKk Y     l8MMMM{{z 4r!userctjtjsdSt }|dkr tjtj| S|dkrtjtj|SdS)uCheck whether *user* is allowed to use website isolation. Combines the global marker with the two-mode user model: * **allow_all** – allowed unless the user is in the denied directory. * **deny_all** – denied unless the user is in the allowed directory. Fr+r,) rrrrrr6 user_in_dirr.r/)r7modes r"%is_website_isolation_allowed_for_userr;Fsw 7>>,? @ @u " $ $D {+L,MtTTTT z' (JDQQQ 5r!cjtjtjst t tdddttj}|j dd| tj gddddSdS) zCSet up mount directories and the global marker if not already done.*TF)prefixremount_cagefsremount_in_background)parentsexist_ok)z/usr/bin/systemctlz try-restartzclwpos_monitoring.service)capture_outputtextN)rrrrrrstrrrparentmkdirtouch subprocessrun) marker_paths r""_ensure_isolation_mount_and_markerrLWs 7>>,? @ @   & ' 'u    <@AA    === N N N         r!z/etc/cagefs/proxy.commandsz> w~~f%%    7++D11  tOGc&&F&&&& E>r!cd}|D]e\}|vr tj|r*|d}fd|D}d|}d}f||fS)zRemove proxy entries whose binaries no longer exist on disk. Returns the (possibly updated) content string and a bool indicating whether any entries were removed. FT)keependscDg|]}|d|S)rQ) startswith).0lrXs r" z)_remove_proxy_entries..s0AAAqiii)@)@AAAAr!)rRrrrS splitlinesjoin)rUrVremovedrYlinesrXs @r"_remove_proxy_entriesrgs G}} V g    7>>& ! !  ""D"11AAAAEAAA''%.. G r!c ttdd5}|}dddn #1swxYwYn#t$rd}YnwxYwd}d|vrEt jdt|r|d s|d z }|td zz }d }t|t\}}|rt jd td }t|t\}}|rt jd td }|sdStj t}tj|d tj|d\}} tj|dd5}||dddn #1swxYwYtj|tn##t($rtj|wxYwd t.d z}t3jt6ddg|t2jt2jdt3jt6dgt2jt2jddS)aRegister the ``cagefsctl-user`` proxyexec alias if not already present. Appends the ``CAGEFSCTL_USER`` entry to ``/etc/cagefs/proxy.commands`` and runs ``cagefsctl --update-list`` to pull the required binaries into the CageFS skeleton. This is a no-op when the entry already exists. Also registers/unregisters the LVD helper binaries (``lvd-registry-helper``, ``lvd-limits-helper``) depending on whether they are present on disk. rzutf-8)encodingNrbFCAGEFSCTL_USERz Registering cagefsctl-user in %srPTzRegistering LVD helpers in %sz"Removing stale LVD helpers from %s)rBz.proxy.commands.)dirr>wz --wait-lockz --update-list)inputstdoutstderrcheckz--update-wrappers)rorprq)openPROXY_COMMANDS_PATHreadFileNotFoundErrorr0inforTCAGEFSCTL_USER_PROXY_ENTRYrZLVD_PROXY_ENTRIESrgrrdirnamemakedirstempfilemkstempfdopenwritereplace BaseExceptionunlinkrdCAGEFSCTL_USER_BINARIESencoderIrJrDEVNULL) frUchangedrWre proxy_dirfdtmp_path update_lists r"ensure_proxyexec_commandrs %sW = = = ffhhG                Gw&& 79LMMM  7++D11  tOG-44'1BCCNGU  46IJJJ,W6GHHGW 9;NOOO  344IK D))))# :LMMMLB Yr3 1 1 1 Q GGG                   801111  ( 99455<DDFFKN 8!! N ,-!! s^A: A>A>A AA'G>F  G F$$G'F$(G G&ctt}|dkrNd}tjtjtjdtjtj dnMd}tjtj tjdtjtjd|S)uFlip the isolation user mode without modifying any per-user state. Unlike :func:`allow_website_isolation_server_wide` and :func:`deny_website_isolation_server_wide`, this function only flips the mode indicator directories. It does **not** clean up existing user isolation or alter the per-user exception lists. * ``allow_all`` → ``deny_all`` * ``deny_all`` → ``allow_all`` * not initialised → ``allow_all`` Returns: The new mode after toggling (``"allow_all"`` or ``"deny_all"``). r+r,Tr:rBr)) rLr6rrzrr/DIR_MODEr2r3r.)currentnew_modes r"toggle_isolation_user_moders'(((%''G+ L6\=R]abbbb l7tLLLLL L5Lz+_cleanup_user_isolation..s0'(  " "r!)r) user_configfilter_by_docrootsz|Unable to detect document root for domain %s, configuration cleanup failed. Contact CloudLinux support if the error repeats.)rrload_user_configenabled_websitessave_user_configrrlistvaluesrRr0errorrremove_website_token_directory)ruser_cfgdomain_docroot_maprr s r"rrs" x &x00H  $,4,E HT2222X48888"T*<*C*C*E*E%F%F)..00 E E 7 ? M(     1(GDDDD E Er!cttD]7} t|#t$rt jd|Y4wxYwt}|st dSdS)z9Remove domain isolation state for every user that has it.z:Unable to disable website isolation for user %s, skipping.N)r#users_with_enabled_domain_isolationr Exceptionr0rr)r users_lefts r"rrs<>>??  #H - - - -     L       566J "!!!!!""s/AArc^ t|dS#ttf$rYdSwxYw)Nr)get_domain_docrootr IndexError)rs r"rrsA!&))!,, j !tts ,,ctsdS tj|}n#t$rYdSwxYwtj|S)NF)r#rget_jail_config_pathrrrrS)r7domains_config_paths r"is_isolation_enabledrse 3 5 5u(=dCC uu 7>>- . ..s ' 55cpdtD}i}|D]}t|}|r|||<|S)NcNg|]"}t|t| |#Sr )rr)r_us r"raz7users_with_enabled_domain_isolation..s1 P P P1[^^ P8LQ8O8O PQ P P Pr!)r#get_websites_with_enabled_isolation)usersuser_domain_pairsr7domains_with_isolations r"rrsV P P P P PE==!DT!J!J ! =&< d # r!ct|stjd|gStj|jS)Nz=User %s not found, cannot get websites with enabled isolation)rr0r1rrr)r7s r"rrsG t   KT S S S  "4 ( ( 99r!ct}tt}|D]S\}}|D]K} t |d}n#t t f$rY,wxYw|||LT|S)z Returns pairs user: set(docroots) for all users with website isolation enabled Used by monitoring service to watch docroots changes to load actual list of docroot paths instead of stale storage r)rrsetrRrr radd)users_with_isolationpairsr7domainsrdrs r"!get_docroots_of_isolated_websitesrs ?@@   E-3355  g  F '//2j)     $KOOB      LsAA+*A+ctt|stjd|dStj|}||jvr|j|t|d}tj ||tj ||tj ||tj ddd|gdt||t|t!|gt#t%||t'|t)||dS) Nz2User %s not found, cannot enable website isolationr cagefsctlz--rebuild-alt-php-iniz--domainT)rqr)rr0r1rrrappendrrcreate_website_token_directory create_overlay_storage_directoryrrIrJrrrrrrr)r7rr document_roots r"enable_website_isolationrsK t   @$ H H H)$//K [111$++F333 'v..q1M-dMBBB/mDDD D+...NK!8*fMUYZZZZT;///"4=QRX=Y=Y t   RTX Z Z Z)$//KT;///N.,V44  OK    m,,,   5dM J J J  7m L L L L    MTV\^_ ` ` ` HHHH #4NKKKKKKs*B>> C(C##C(ct|stjd|dStj|}d}g}|-t |j}d|jD}g|_n6||jvr-|g}t|g}|j|tj ||t|||r.t|||D]}|tj |||D]D} t||#tjt"f$rtjd|YAwxYwt'}|st)dSdS)Nz3User %s not found, cannot disable website isolationc,g|]}t|Sr r)r_websites r"raz-disable_website_isolation..@s.   .5  ) )   r!rz1Failed to unregister domain LVE for %s, skipping.)rr0r1rrrrrremoverrrrrrrIrrrrr)r7rrreload_docrootsdomains_to_unregisterrrrs r"disable_website_isolationr5s t   A4 I I I)$//KO ~ $[%A B B  9D9U   (* $$ ;/ / /!'/778$++F333 D+...T;///K&tPPPP, K KM$  5dM J J J J "HH H "4 + + + +-w7 H H H  CQ H H H H H H ?@@ "!!!!!""s>D+D=<D=r)P functoolsr0rr2rIr{ collectionsrpathlibrclcommon.clcagefsrrclcommon.cpapirrr rclcommon.constr clcommon.cpapi.cpapiexceptionsr lve_utils.pylve_wrapperr fsr exceptionsr webisolationrrrwebisolation.configr webisolation.jail_config_builderrwebisolation.phprwebisolation.servicerrwebisolation.triggersrrr#r&rEr6boolr;rLrsrwrrxrZrgrr lru_cacherrrrrrrrrrrrrdictrrrrrrr r!r"r s8 ######DDDDDDDD>>>>>>>>888888""""""333333))))))))))))::::::::::777777FFFFFF<<<<<<SSSSSSSS^^^^^^^^AAAKKKt2"   $3[ FA *&@@@FC:Q " "  "444444      ,III4#s####."c""""&EcEEEE8 " " "///T:c::::4$ ' ' 'FLLL>'"'"C'"t'"'"'"'"'"'"r!