PNG
�
���
IHDR�������������x����sBIT����|�d��� pHYs�������+������tEXtSoftware�www.inkscape.org<���,tEXtComment�
File Manager
File Manager
Viewing File: domain.py
#!/opt/cloudlinux/venv/bin/python3 -sbb
# -*- coding: utf-8 -*-
#
# Copyright © Cloud Linux GmbH & Cloud Linux Software, Inc 2010-2021 All Rights Reserved
#
# Licensed under CLOUD LINUX LICENSE AGREEMENT
# http://cloudlinux.com/docs/LICENCE.TXT
#
import logging
import os
import shutil
import subprocess
import tempfile
from collections import defaultdict
from pathlib import Path
from clcommon.clcagefs import setup_mount_dir_cagefs, CAGEFSCTL_TOOL
from clcommon.cpapi import cpusers
from clcommon.cpapi import docroot as get_domain_docroot
from clcommon.cpapi.cpapiexceptions import NoDomain
from .fs import user_exists
from .exceptions import UserNotFoundError
from .webisolation import admin_config, config, jail_utils
from .webisolation.config import DOCROOTS_ISOLATED_BASE
from .webisolation.jail_config_builder import write_jail_mounts_config
from .webisolation.php import reload_processes_with_docroots
from .webisolation.service import start_monitoring_service, stop_monitoring_service
from .webisolation.triggers import trigger_xray_ini_regeneration, trigger_ssa_ini_regeneration
def is_website_isolation_allowed_server_wide():
return os.path.isfile(admin_config.WEBSITE_ISOLATION_MARKER)
def is_website_isolation_feature_available():
return os.path.isfile(admin_config.WEBSITE_ISOLATION_AVAILABLE_MARKER)
def get_isolation_user_mode() -> str | None:
"""Return the current user mode for website isolation.
Returns:
``"allow_all"`` – all users allowed, denied dir lists exceptions.
``"deny_all"`` – no users allowed, allowed dir lists exceptions.
``None`` – not initialised yet.
"""
has_denied = os.path.isdir(admin_config.ISOLATION_DENIED_DIR)
has_allowed = os.path.isdir(admin_config.ISOLATION_ALLOWED_DIR)
if has_denied and has_allowed:
# Error state – both dirs present. Treat as allow_all and clean up.
logging.warning(
"Both site-isolation.users.allowed and site-isolation.users.denied "
"directories exist. Removing allowed directory, treating as allow_all mode."
)
shutil.rmtree(admin_config.ISOLATION_ALLOWED_DIR, ignore_errors=True)
return "allow_all"
if has_denied:
return "allow_all"
if has_allowed:
return "deny_all"
return None
def is_website_isolation_allowed_for_user(user: str) -> bool:
"""Check whether *user* is allowed to use website isolation.
Combines the global marker with the two-mode user model:
* **allow_all** – allowed unless the user is in the denied directory.
* **deny_all** – denied unless the user is in the allowed directory.
"""
if not os.path.isfile(admin_config.WEBSITE_ISOLATION_MARKER):
return False
mode = get_isolation_user_mode()
if mode == "allow_all":
return not admin_config.user_in_dir(admin_config.ISOLATION_DENIED_DIR, user)
if mode == "deny_all":
return admin_config.user_in_dir(admin_config.ISOLATION_ALLOWED_DIR, user)
return False # not initialised
def _ensure_isolation_mount_and_marker():
"""Set up mount directories and the global marker if not already done."""
if not os.path.isfile(admin_config.WEBSITE_ISOLATION_MARKER):
setup_mount_dir_cagefs(
str(DOCROOTS_ISOLATED_BASE), prefix="*",
remount_cagefs=True, remount_in_background=False,
)
marker_path = Path(admin_config.WEBSITE_ISOLATION_MARKER)
marker_path.parent.mkdir(parents=True, exist_ok=True)
marker_path.touch()
# Remount kills redis processes, restart clwpos_monitoring service if it's running
subprocess.run(
["/usr/bin/systemctl", "try-restart", "clwpos_monitoring.service"],
capture_output=True,
text=True
)
PROXY_COMMANDS_PATH = "/etc/cagefs/proxy.commands"
CAGEFSCTL_USER_PROXY_ENTRY = "CAGEFSCTL_USER:noproceed=root:/usr/sbin/cagefsctl-user"
CAGEFSCTL_USER_BINARIES = [
"/usr/sbin/cagefsctl-user",
]
def ensure_proxyexec_command():
"""Register the ``cagefsctl-user`` proxyexec alias if not already present.
Appends the ``CAGEFSCTL_USER`` entry to ``/etc/cagefs/proxy.commands``
and runs ``cagefsctl --update-list`` to pull the required binaries into
the CageFS skeleton. This is a no-op when the entry already exists.
"""
try:
with open(PROXY_COMMANDS_PATH, "r", encoding="utf-8") as f:
content = f.read()
except FileNotFoundError:
content = ""
if "CAGEFSCTL_USER" in content:
return
logging.info("Registering cagefsctl-user in %s", PROXY_COMMANDS_PATH)
new_content = content
if new_content and not new_content.endswith("\n"):
new_content += "\n"
new_content += CAGEFSCTL_USER_PROXY_ENTRY + "\n"
proxy_dir = os.path.dirname(PROXY_COMMANDS_PATH)
os.makedirs(proxy_dir, exist_ok=True)
fd, tmp_path = tempfile.mkstemp(dir=proxy_dir, prefix=".proxy.commands.")
try:
with os.fdopen(fd, "w", encoding="utf-8") as f:
f.write(new_content)
os.replace(tmp_path, PROXY_COMMANDS_PATH)
except BaseException:
os.unlink(tmp_path)
raise
update_list = ("\n".join(CAGEFSCTL_USER_BINARIES) + "\n").encode()
subprocess.run(
[CAGEFSCTL_TOOL, "--wait-lock", "--update-list"],
input=update_list,
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL,
check=False,
)
def toggle_isolation_user_mode() -> str:
"""Flip the isolation user mode without modifying any per-user state.
Unlike :func:`allow_website_isolation_server_wide` and
:func:`deny_website_isolation_server_wide`, this function only flips
the mode indicator directories. It does **not** clean up existing
user isolation or alter the per-user exception lists.
* ``allow_all`` → ``deny_all``
* ``deny_all`` → ``allow_all``
* not initialised → ``allow_all``
Returns:
The new mode after toggling (``"allow_all"`` or ``"deny_all"``).
"""
_ensure_isolation_mount_and_marker()
current = get_isolation_user_mode()
if current == "allow_all":
new_mode = "deny_all"
os.makedirs(admin_config.ISOLATION_ALLOWED_DIR, mode=admin_config.DIR_MODE, exist_ok=True)
shutil.rmtree(admin_config.ISOLATION_DENIED_DIR, ignore_errors=True)
else:
# deny_all or not initialised → allow_all
new_mode = "allow_all"
os.makedirs(admin_config.ISOLATION_DENIED_DIR, mode=admin_config.DIR_MODE, exist_ok=True)
shutil.rmtree(admin_config.ISOLATION_ALLOWED_DIR, ignore_errors=True)
return new_mode
def allow_website_isolation_server_wide():
"""Switch to *allow_all* mode – all users are allowed by default."""
_ensure_isolation_mount_and_marker()
ensure_proxyexec_command()
# Create empty denied-users directory → allow_all mode indicator
os.makedirs(admin_config.ISOLATION_DENIED_DIR, mode=admin_config.DIR_MODE, exist_ok=True)
# Remove allowed-users directory (belongs to deny_all mode)
shutil.rmtree(admin_config.ISOLATION_ALLOWED_DIR, ignore_errors=True)
def deny_website_isolation_server_wide():
"""Switch to *deny_all* mode – no users are allowed by default.
Disables domain isolation for every user and switches the mode.
"""
_cleanup_all_users_isolation()
_ensure_isolation_mount_and_marker()
# Create empty allowed-users directory → deny_all mode indicator
os.makedirs(admin_config.ISOLATION_ALLOWED_DIR, mode=admin_config.DIR_MODE, exist_ok=True)
# Remove denied-users directory (belongs to allow_all mode)
shutil.rmtree(admin_config.ISOLATION_DENIED_DIR, ignore_errors=True)
def allow_website_isolation_for_user(username: str):
"""Allow website isolation for *username* (mode-aware).
* **allow_all** – removes *username* from the denied directory.
* **deny_all** – adds *username* to the allowed directory.
* **not initialised** – sets up infrastructure in *deny_all* mode
with *username* as the first allowed user.
"""
_ensure_isolation_mount_and_marker()
ensure_proxyexec_command()
mode = get_isolation_user_mode()
if mode == "allow_all":
admin_config.remove_user_from_dir(admin_config.ISOLATION_DENIED_DIR, username)
elif mode == "deny_all":
admin_config.add_user_to_dir(admin_config.ISOLATION_ALLOWED_DIR, username)
else:
# Not initialised → start in deny_all mode with this user allowed
os.makedirs(admin_config.ISOLATION_ALLOWED_DIR, mode=admin_config.DIR_MODE, exist_ok=True)
admin_config.add_user_to_dir(admin_config.ISOLATION_ALLOWED_DIR, username)
def deny_website_isolation_for_user(username: str):
"""Deny website isolation for *username* (mode-aware).
* **allow_all** – adds *username* to the denied directory.
* **deny_all** – removes *username* from the allowed directory.
Also disables all domain isolation for the user.
"""
mode = get_isolation_user_mode()
if mode == "allow_all":
admin_config.add_user_to_dir(admin_config.ISOLATION_DENIED_DIR, username)
elif mode == "deny_all":
admin_config.remove_user_from_dir(admin_config.ISOLATION_ALLOWED_DIR, username)
# Clean up existing domain isolation for the user
_cleanup_user_isolation(username)
def _cleanup_user_isolation(username: str):
"""Remove all domain isolation state for a single user."""
if not user_exists(username):
return
user_cfg = config.load_user_config(username)
if not user_cfg.enabled_websites:
return
domain_docroot_map = {
d: _get_docroot_or_none(d) for d in user_cfg.enabled_websites
}
config.save_user_config(username, config=None)
write_jail_mounts_config(username, user_config=None)
reload_processes_with_docroots(
username, filter_by_docroots=list(domain_docroot_map.values())
)
for d, docroot in domain_docroot_map.items():
if docroot is None:
logging.error(
"Unable to detect document root for domain %s, "
"configuration cleanup failed. Contact CloudLinux support "
"if the error repeats.",
d,
)
continue
jail_utils.remove_website_token_directory(username, docroot)
def _cleanup_all_users_isolation():
"""Remove domain isolation state for every user that has it."""
for username in list(users_with_enabled_domain_isolation()):
try:
_cleanup_user_isolation(username)
except Exception:
logging.exception(
"Unable to disable website isolation for user %s, skipping.",
username,
)
users_left = users_with_enabled_domain_isolation()
if not users_left:
stop_monitoring_service()
def _get_docroot_or_none(domain: str):
try:
return get_domain_docroot(domain)[0]
except (NoDomain, IndexError):
return None
def is_isolation_enabled(user):
if not is_website_isolation_allowed_server_wide():
return False
try:
domains_config_path = jail_utils.get_jail_config_path(user)
except UserNotFoundError:
return False
return os.path.exists(domains_config_path)
def users_with_enabled_domain_isolation() -> dict:
users = [u for u in cpusers() if user_exists(u) and is_isolation_enabled(u)]
user_domain_pairs = {}
for user in users:
domains_with_isolation = get_websites_with_enabled_isolation(user)
if domains_with_isolation:
user_domain_pairs[user] = domains_with_isolation
return user_domain_pairs
def get_websites_with_enabled_isolation(user: str):
if not user_exists(user):
logging.warning(
"User %s not found, cannot get websites with enabled isolation", user)
return []
return config.load_user_config(user).enabled_websites
def get_docroots_of_isolated_websites() -> dict:
"""
Returns pairs user: set(docroots) for all users with website isolation enabled
Used by monitoring service to watch docroots changes to load actual list of docroot paths
instead of stale storage
"""
users_with_isolation = users_with_enabled_domain_isolation()
pairs = defaultdict(set)
for user, domains in users_with_isolation.items():
for domain in domains:
try:
dr = get_domain_docroot(domain)[0]
except (NoDomain, IndexError):
continue
pairs[user].add(dr)
return pairs
def enable_website_isolation(user, domain):
if not user_exists(user):
logging.warning(
"User %s not found, cannot enable website isolation", user)
return
user_config = config.load_user_config(user)
if domain not in user_config.enabled_websites:
user_config.enabled_websites.append(domain)
# if it crashes just let the command fail with NoDomain
# exception, it should be a very rare case because
# we validate input domain name in cagefsctl.py
document_root = get_domain_docroot(domain)[0]
# Create website token directory and overlay storage
jail_utils.create_website_token_directory(user, document_root)
jail_utils.create_overlay_storage_directory(user, document_root)
config.save_user_config(user, user_config)
# regenerate alt-php ini configuration for selector for the specific domain
subprocess.run(["cagefsctl", "--rebuild-alt-php-ini", "--domain", domain], check=True)
write_jail_mounts_config(user, user_config)
reload_processes_with_docroots(user, filter_by_docroots=[_get_docroot_or_none(domain)])
start_monitoring_service()
# Trigger xray/ssa ini regeneration for per-domain PHP selector
trigger_xray_ini_regeneration(user, domain)
trigger_ssa_ini_regeneration(user)
def regenerate_isolation_configuration(user):
if not user_exists(user):
logging.warning(
"User %s not found, cannot regenerate website isolation configuration", user)
return
user_config = config.load_user_config(user)
write_jail_mounts_config(user, user_config)
document_roots = []
for domain in user_config.enabled_websites:
document_root = _get_docroot_or_none(domain)
if document_root is None:
logging.warning(
"Unable to find document root for domain %s, "
"please contact CloudLinux support if the issue persists.",
domain,
)
continue
document_roots.append(document_root)
try:
# recreate tokens and storage e.g. when username changes
jail_utils.create_website_token_directory(user, document_root)
jail_utils.create_overlay_storage_directory(user, document_root)
except Exception as e:
logging.error("Unable to recreate token/storage for domain=%s, Error=%s", domain, e)
continue
reload_processes_with_docroots(user, filter_by_docroots=document_roots)
def disable_website_isolation(user: str, domain: str | None = None):
if not user_exists(user):
logging.warning(
"User %s not found, cannot disable website isolation", user)
return
user_config = config.load_user_config(user)
reload_docroots = None
if domain is None:
reload_docroots = [
_get_docroot_or_none(website) for website in user_config.enabled_websites
]
user_config.enabled_websites = []
elif domain in user_config.enabled_websites:
reload_docroots = [_get_docroot_or_none(domain)]
user_config.enabled_websites.remove(domain)
config.save_user_config(user, user_config)
write_jail_mounts_config(user, user_config)
if reload_docroots:
reload_processes_with_docroots(user, filter_by_docroots=reload_docroots)
for document_root in reload_docroots:
if document_root is None:
continue
jail_utils.remove_website_token_directory(user, document_root)
# get actual docroots for all users with website isolation enabled
users_with_isolation = users_with_enabled_domain_isolation()
if not users_with_isolation:
stop_monitoring_service()
�b�� �IDATxytVսϓ�22� ��A@�I�R�:hCi�Z[v*E:WũZA ^d�Q�e�Q @ !�jZ'>gsV仿$|?g)&x-E�IENT ;�@x�T.i%-X�}�Sv��S5.r/��UHz^_$-W"�w)Ɗ/�@Z &IoX��P$K}��JzX:;`�� �&, �ŋui,e6mX
�Եr��Kb1ԗ)����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A������݀!I*]R;I2$e�Z#ORZSrr�6mteffu*((Pu'v{����DIߔ4^pIm��'77WEEE�;vƎ�4-����$]'RI{���\I&G� ��:IHJ
�DWBB=\WRm�
��o$K(V�9��ABB.�}jѢv��`^?IOȅ}���ڶmG�}T#FJ`5��6$-���ھ}F�I&v;0(h;��Б����38CӧOWf!;�A
�i:F��_m�9s&�|��q�%=#���wZprrrl��a
�A� &��P\\СC[A#�!� {��olF}
`E2}�MK/v�V��)i�{��4BffV\|ۭX��`�b�@kɶ@��%i$K���z5zhmX���[��IXZ��` 'b%$�r5�M4º��/l
ԃ�ߖ��xhʔ)[@=}
K6IM}^��5k㏷݆z
ΗÿO:gdGBmyT/�@+Vɶ�纽zl.yit뭷zV��0[Y^�>Wsqs}\/�@$(T7f.Inݺi����R$푔n.�~?H))\Z��RW'Mo~v
Ov�6oԃ���xz!��S,&xm/yɞԟ?'ua�S�ѽb,�8GלKboi&3�t7Y,�)JJ�����c[nzӳd�E�&K�sZLӄ��I���?�@���&�%ӟ۶mSMMњ0�iؐSZ,���|J+N
�~�,0A�0!5%Q-�YQQa�3��}$_vVr�f9f?S��8`��z���D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����d�qP,تmMmg��1V?�rSI꒟]u|l
R�CyEf٢9�jURbztѰ!m5~tGj2DhG*{H9)꒟ר3:(+3\?/;TUݭʴ~S6lڧUJ�*�i$d(#=Yݺd{,p|3B))���q:vN0Y.jkק6;Sɶ�VzHJJЀ-utѹսk>QUU�\~]fFnK?�&ߡ�5b=z9)^|u�_k-[��y%ZNU6 7Mi�:]ۦ�tk�[n
�X(e6��Bb."8cۭ|~te��uu�w|ήI-5"~U�k;ZicEm�N/:]M>
��c�Q^uiƞ�??Ң�p�c#��TUU3UakNwA`�:�Y_V-8.KKfRi�tv*
�9S6ֿj,Ճ�NOMߤ]z^fOh|<>�@Å5���_�/Iu?{SY4hK�/2�]�4%it5�q]GGe��2%iR|
�W&�f��*^]??v�q[LgE_3f}Fxu~}qd-ږFxu~I N��>\;͗O֊:̗WJ�@���Bh�W�=y�|GgwܷH_NY�?)�Tdi'?խw�hlmQi� ��!SUUs�w4kӺe�4rfxu�-[nHt�MFj}H_u~w>)oV}(T'ebʒv3_[+vn����@Ȭ\S}ot}w=k�HFnxg�S 0eޢm�~l}u�qZf�F��oZuuEg
�`z�t~?�b;t%�>WTkķh[����2eG8LIWx,�^\thr�l^Ϊ�{�=dž�<}qV@ �⠨W�y^L�F_>0Uk��D�uʫuCs$)I��v�:IK�;��6ֲ4{^6����եm+l��3>݆�uM 9�u�����?>Zc�}g~qhKwڭ�e���FMM~pМuq�ǿz6Tb@8�@Y|jx]�(^]gf}�M"tG
����-w.@�vOqh~/HII�`���S[l.6nØXL9v�U���cOoB\�xo�Ǥ'T&I��Ǎ�Qw_wpv[kmO{w~>#=P1P�ɞa-we:iǏlHo꒟f9SzH?+shk%Fs:����q��VhqY�`jvO'ρ?PyX3lх]˾uV{ݞ]1,MzYNW~̈́�joYn}ȚF߾mS]F� z+EDxm/���d{F�{-W-4wY듏:??_gPf
^3��ecg ���ҵs�8R2מz�@T�A�N�Gj)}CNi/R~}c:5{!�ZHӋӾ�6}T]��G�]7W6^�n
9*,Y�qOZj�:P?Q� D���FL|?-^.Ɵ7��}fFhxe2Ps���cz1�&�5\��cn[=Vn�[ĶE鎀u�ˌd3GII ��k;lNmشOuuRVfBE]ۣ��e���Ӷu�
:X-[(�e�r4~LHi6�:Ѻ@ԅ��r���ST�0�trk%$Č�0���ez"� *�z�"�T/X9|8.C5Feg}�C�Q%͞�ˣJ�v�L/?�����j^��h��&��9xF`њZ�(��&��yF&Iݻf�g�����#W;3^{Wo^4'v������V[[K';+mӍִ]��AC�@��W?1^{එyh�����+^]fm~iԵ]��AB�@WTk̏t�uR?l.OIHiYyԶ]��Aˀ�7c:q}ힽaf6Z~қ�m(+sK4{^6}T�*UUu]�n.:kx{:2 ��_m=�sAߤU@?���Z-Vކе��z왍Nэ{�|5��� pڶn�b
p-@sPg]0G7fy-M{GCF'%{4`���=$-Ge\��eU:m+Zt'W�jO!O�AF�@ik&t݆�ϥ�_
e}=]��"���Wz_.͜E3leW�������Fih|t-wZۍ-uw=6���YN�{6|}��|�*={Ѽn.�S��.�z1z�jۻTH]흾 D�uD�v��mvK�.`���V]yY~sI@t?/ϓ. �����m&[�"��+P?MzovV�ЫG3-�G�RR��[�(!!\_,�^%?v�@���ҵő
m`Y)te�m8GM��x.))A]Y�i`ViW`��?^�~!�S#^+ѽ��GZj?Vģ����0.))AlzL*�]�OXrY���`DBBLOj{-MH'ii-ϰ�o�k7^��
�)쭡��b]UXS�ְmռY|5�*cֽk�0B7镹%ڽP#�8nȎq}mJr23�_>�l�E5$iwui+ ��H~F`�IjƵ�@q
��\�� ��@#qG�0"��.�0"����� l���������`������.�0!����� ,��AQ�HN6�qz�kKJ#�o;`Xv�2>,tێJJ7Z/*�A���.@fفjMzk�g�����@Tv�ZH3Zxu6Ra'%O?/�d���Q�5x�Yk�U]Rֽkق@���Da�S^RS�ּ5�|BeHNN͘p
��H�v���cYcC5:y
#`οb;�z����2��.!kr}gUWkyZn=�f ����P�v��s�n3p~�;4p˚=ē~NmI] ��¾�0lH[_L�hs�h_�ғߤ�c_њe��c)��g�7V�IZ5�yrgk̞W#IjӪv>՞y睝M8[��|�]\շ�8M�6%|@P����ZڨI-m>=k�=��'a�iRo-x�?>Q.����}�`Ȏ:Wsm�u u� ��>
.@,&;�+!!�˱tﭧD����Qw�RW\v�F\~Q7>sp���Yw�$�%A~;~}6���¾�g��&if_��=j,v+U���L�1(tW�a�ke�:�@Ș>j$Gq2t7S?v�L|]u/ .(�0�E��6Mk6hiۺzښOr�ifޱxm/Gx>� �Lal%%~{lBsR4*�}{0Z/�tN�IɚpV�^#�Lf:u@k#RS�u
=S^ZyuR/�.@n&z~B=0eg�뺆#�,Þ[����B�/?H �uUf7y
Wy}Bw�egל`�Wh(||`l`.;Ws�?V@"�c:iɍL֯PGv�6z�ctM̠':wuW��;d=;E�veD}9J�@���B(�0iհ���bvP1{\P&G7DIy�_$-Q��jm~Yrr&]C�Dv%��bh|�Yzni�_���R�;kg}nJOIIw��y�u�L}{ЌNj}:+3Y?:W�J/N+Rzd=hb�;d�j͒suݔ@NKMԄ�jqzC5�@y°h�L�m;*5ezᕏ=ep
�XL�n?מ:r`��۵�tŤZ|1v`V뽧_csج'ߤ%oTuumk%%%h)uy]Nk�[n
�'b2 ��l.=�͜E%�gf$[c;s:�V-͞WߤWh-j7]4��=F-X]>ZLSi[Y*We;�Zan(Ӈ�W|e(HNNP�5[=
r4tP�
�&0<�p�c#�`vTNV
GFqvTi�*�Tyam$ߏWyE*�VJKMTfF�w�����>'�$-ؽ.Ho.8c�"@���D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A~�j*�֘,��N;Pi3599h=g�oض��L��giJ5փy~�}&Zd9�p֚
e:|hL`�`b/d9�p?�fgg+%%hMg�Xosج�, �ΩOl0Zh=x�djL���mhݻ��o��O��[g_l,�8a]٭+ӧ0�$I�]����c]:粹:Teꢢ"5a^Kgh,&�=��=�՟�^߶ߢE�ܹS J}I%:8��
IDAT~,9/ʃ�PW'Mo�}zNƍ쨓zPb��NZ~^z�=4mswg;5 Y�~�SVMR��XUյڱRf?s:w
;�6��H:º���i�5�-maM�&O�3�;�1IKeam��Zh͛7+##v+c� ~u~ca]�GnF'ټL~����PPPbn
v�oC���4R,�ӟgg��%hq}�@#M4IÇ��� �Oy^xM��Zx
) ���yO�w��@HkN˖-Sǎ�mb]X�@�n+i͖��!++K3gd\��$mt$^���Yf��J�\�8PRF��)77Wא!Cl����$i:��@@_o�G��� I{$# ��8磌ŋ9�1A�(�Im7��֭>}ߴJq�7ޗt^� -[ԩSj*�}�%]&'
-��ɓ'ꫯVzzvB#;�a
�7@GxI{�jƌ�.LÇ�WBB7�`O"I$�/@R���@�eee@���۷��>}0���,ɒ2$53Xs|cS~r�pTYYY}� k�Hc��%&k�.], �@��A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A�����D���A������@lT<%''*Lo^={رc5h %$�+CnܸQ3fҥK}vUVVs9G�
R,_{�xˇ�3��o߾;TTTd�}�馛]uuuG~iԩ�@4����bn�vmv�fϞ�/Peeeq}}�z���a
�I~,誫{UWW뮻}_~YƍSMMMYχ��֝waw��\�ď�cxꩧtE�ƍ�կ_?۷5�@u���?�1kNׯWzz/wy>}zj3 k��(ٺu�q_Zvf̘:~��AB�Q&r|��!�%KҥKg�����Ԟ={<_X-z� !�C�yFUUz~��AB�QIIIjݺ�W��$���UXXDٳZ~��AB�Qƍec�W��$<�(~<��RSSvZujjjԧO�ZQu�@4 8m&&&jԩg��$�ď�1h ͟?_{768��@��g
�=�@���`)))5o6m�3����)��ѣƌ�J;wҿUTT��/KZR{��~a=�@��0o<*狔�iFɶ[ˎ�;T]]��OX�@�?K.ۈxN ����������p����������p����������p����������p����������p����������p����������p����������p����������p����������p����������p����������p����������p����������p����������p����������p����������pP���fl߾]��,{ァk۶mڿo5�����BTӦMӴiӴ|r D����B2e�|An�!D��y'tkΝ[A��� $***t5'
"���!駟�oa�D�����nΝ�:t֭[g�D����ШQ�0����6qD;@���� x M6v�(����Piizm�Z����4e�w��"��@��������̴ixf������[~-F���ٱc�&I�Z����2|n�!�?�$��@{[�HTɏ����#@h�����Ȏ����I�#�_m��(���F��/6Z3�z'\r,�����r!;�w2Z3j=~�G���Y�7"I$i����I.����p_"����?���p�����N`�����y�D���D�����?:��� �_����������������������� �G����ÿa���b7�����J�!���Bx���@0 ���Bo�����
����cG���������@`1C�����[���@0G����
����@`0C�����_���u�����V1 ���aC���X����>���W�` ���|�������`!���<�����S�`"���<�.�����`#���c�����`�?�����c�A����������C���4
?����c���� �p#����~���@0����?:���0���8&����_�M���Q1���J�h#����?���/`���7;����I����������q�7���a�w���Q����A����1�H���p
�!��#�<���8/#��@1Ul7��=S=K.4Z�?�E����_$i�@��������!���1�!E���4�?���`����P_�� ��������@��B���ă�1���0#���:�"����a�U,xb��F�Y1
[n��|��n
���#'��v��EH:`�x��b
��#��v����D��4�Y hi.i&�EΖv#��O�� H��4�IŶ�}:Ik��h��@�tZRF���#�(tXҙ��zZ ?�I3l7��q��@õ|ۍ�1,�G��puY�� �Ꮿ@�hJv#��x��xk$
v#�9��5�}_$��c �S#=+"K�{F�*m7`#�%H:NRS��p6I?sIՖ{A�p$I�$�I:QRv2$Z�@UJ*$]<��F�O4�����IENDB`