PUȹfdZddlZddlZddlZddlmZejeZdZ ddl Z n #e $rdZ YnwxYwdZ dZ dZd Zd Zd Zd Zd ZdZdZdZdS)u Thin Python wrapper around the _lvdmap C extension (backed by liblve). Public interface is unchanged — callers (lveapi.py, lvectllib.py) continue to import and use these functions exactly as before. N)LvdErrorz/etc/container/lvd_idsc2ttddS)Nz$_lvdmap C extension is not installed)_lvdmapr"py/websiteisolation/id_registry.py_require_lvdmapr s=>>>rc tj|j}n#t$rYdSwxYwtjtt|}tj |sdS|S)zmReturn the registry file path for *username*, or None if the user does not exist or has no registry file.N) pwdgetpwnampw_uidKeyErrorospathjoin LVD_IDS_DIRstrexists)usernameuidrs r registry_path_by_usernamer!sxl8$$+ tt 7<< SXX . .D 7>>$  t Ks  **ctjdkrtdtt j||}t d||||S)zzAssign a domain ID for a docroot. Returns existing ID if already assigned, otherwise allocates the next sequential ID.r"domain ID assignment requires rootz0assigned domain_id %d to docroot '%s' for uid %d)rgeteuidrr rassignloginfo)rdocroot domain_ids r assign_domain_idr!.sg z||q;<<<sG,,IHH ? &&& rcRtdStj||}|dkr|ndS)z;Look up domain ID by docroot. Returns None if not assigned.Nr)rlookup)rrrs r get_domain_idr%:s/tsG$$AQ11D rc<tiStj|S)z/Return dict of docroot -> domain_id for a user.)rget_all_entries)rs r r'r'Bs  "3 ' ''rcRttStjS)z@Return the set of every assigned domain LVE ID across all users.)rsetget_all_domain_idsrrr r*r*Isuu  % ' ''rc:tdStjS)zReturn the minimum domain LVE ID. Delegates to the C library which reads UID_MAX from /etc/login.defs and returns max(UID_MAX, 60000). Falls back to 60000 if the C extension is not available. Ni`)rmin_idrrr r,r,Psu >  rc@tjdkrtdtt j||}|t d||dSt j||}t d||||||S)zMove a domain mapping from *old_docroot* to *new_docroot*. Uses remove + assign via _lvdmap; the domain_id will be newly allocated (the C API does not support specifying a target ID). rz$domain ID reassignment requires rootNuUreassign_docroot: old_docroot '%s' not in registry for uid %d — nothing to reassignz?reassigned docroot from '%s' (id=%d) to '%s' (id=%d) for uid %d) rrrr rremoverwarningrr)r old_docroot new_docrootold_idnew_ids r reassign_docrootr4\s  z||q=>>> ^C - -F ~ 9:Es L L Lt ^C - -FHH& VSJJJ Mrctjdkrtdtt j||}|t d||||S)z?Remove a docroot from the registry. Returns the old ID or None.rdomain ID removal requires rootNz,removed domain_id %d for docroot '%s' uid %d)rrrr rr.rr)rrr2s r remove_domain_idr7rsj z||q8999 ^C ) )F  ?# ' ' ' Mrctjdkrtdtt j|}|r)t d|t||S)z@Remove all domain IDs for a user. Returns list of (docroot, id).rr6z.removed all domain IDs for uid %d (%d entries)) rrrr r remove_allrrlen)rremoveds r remove_all_entriesr<~so z||q8999 %%G$ Ac'll $ $ $ NrcXtjdkrtdtjtdd tjt}|jdzdkrtjtdn#t$rYnwxYwtj tt|}tj |sCtj |tjtjzd}tj|dSdS) aMark *uid* as domain-isolated by touching its per-user file. The file acts as a marker so that ``find_all_lve_ids_with_config()`` (which lists ``LVD_IDS_DIR``) can detect the user before any domains are assigned. The C library's ``lvd_map_assign()`` will later atomically replace this empty file with a proper hash-table via rename(2), so the marker never interferes with real data. rriT)modeexist_okiiN)rrrmakedirsrstatst_modechmodOSErrorrrrropenO_CREATO_WRONLYclose)rstmarkerfds r create_empty_registryrLs z||q;<<<K %$7777 W[ ! ! :  & & H[% ( ( (      W\\+s3xx 0 0F 7>>& ! ! WVRZ"+5u = =  sAB BB)__doc__r loggingr exceptionsr getLogger__name__rrr ImportErrorr rr!r%r'r*r,r4r7r<rLrrr rSs8    g!!& NNNNGGG???      !!!((((((   ,      s -77