1#@!#!123s

: / opt / cloudlinux / venv / lib / python3.11 / site-packages / clcagefslib /
Filename : cli.py
back
# -*- coding: utf-8 -*-
#
# Copyright © Cloud Linux GmbH & Cloud Linux Software, Inc 2010-2025 All Rights Reserved
#
# Licensed under CLOUD LINUX LICENSE AGREEMENT
# http://cloudlinux.com/docs/LICENCE.TXT
#
"""
CLI helper utilities for CageFS user commands.

Provides functions for:
- Re-entering CageFS environment
- Calling commands via proxyexec for privilege escalation
"""

import logging
import os
import pwd
import subprocess
import sys

from clcommon import clcagefs

logger = logging.getLogger(__name__)

CAGEFS_TOKEN_PATH = "/var/.cagefs/.cagefs.token"


def get_cagefs_token():
    """
    Read the CageFS token from the token file.

    Returns:
        str: The CageFS token, or None if not found
    """
    try:
        with open(CAGEFS_TOKEN_PATH, "r") as f:
            return f.read().strip()
    except (IOError, OSError):
        return None


def is_running_via_proxyexec():
    """
    Check if the script is running via proxyexec.

    When running via proxyexec, PROXYEXEC_UID environment variable is set.

    Returns:
        bool: True if running via proxyexec, False otherwise
    """
    return os.environ.get("PROXYEXEC_UID") is not None


def call_via_proxyexec(alias, args_list):
    """
    Call a command via proxyexec to execute with root privileges.

    Args:
        alias: The proxyexec command alias (e.g., "CAGEFSCTL_USER_SITE_ISOLATION_LIST")
        args_list: Additional arguments to pass

    Returns:
        int: Exit code from the proxyexec command, or None on error
    """
    token = get_cagefs_token()
    if not token:
        logger.error("Failed to read CageFS token")
        return None

    username = pwd.getpwuid(os.getuid()).pw_name
    cwd = os.getcwd()
    pid = str(os.getpid())

    # Build proxyexec command
    # Format: /usr/sbin/proxyexec -c cagefs.sock USER CWD ALIAS PID [ARGS...]
    cmd = [
        "/usr/sbin/proxyexec",
        "-c", "cagefs.sock",
        username,
        cwd,
        alias,
        pid,
    ] + args_list

    env = {"CAGEFS_TOKEN": token}

    p = subprocess.Popen(cmd, stdout=sys.stdout, stderr=sys.stderr, stdin=sys.stdin, env=env)
    p.communicate()
    return p.returncode


def reenter_cagefs(argv=None):
    """
    Re-execute inside CageFS when running outside.

    Args:
        argv: Command line arguments to pass (defaults to sys.argv)

    Returns:
        int: Exit code from the re-executed command
    """
    if argv is None:
        argv = sys.argv

    cmd = ["/bin/cagefs_enter"] + argv
    p = subprocess.Popen(cmd, stdout=sys.stdout, stderr=sys.stderr, stdin=sys.stdin, env={})
    p.communicate()
    return p.returncode


def in_cagefs():
    """
    Check if currently running inside CageFS.

    Returns:
        bool: True if inside CageFS, False otherwise
    """
    return clcagefs.in_cagefs()