[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [PATCH 3/3] pam_namespace: Use functions added in patch #2



Hello David,

Patches 1 and 2 look good. This 3rd one doesn't apply because it 
has wrapped lines. At a cursory glance it looks ok, but I would like
to apply, compile and test it. Please resend this patch.

-Janak

On Mon, 2006-07-24 at 13:23 -0400, David Quigley wrote:
> From: David Quigley <dpquigl tycho nsa gov>
> 
> This patch makes changes to existing functions to make use of the new
> functions added in patch #2.
> 
> Signed-Off-By: David Quigley <dpquigl tycho nsa gov>
> ---
> 
>  pam_namespace.c |  186
> +++++++-------------------------------------------------
>  1 file changed, 25 insertions(+), 161 deletions(-)
> 
> diff -uprN -X dontdiff pam_namespace_functions/pam_namespace.c
> pam_namespace_cleanup/pam_namespace.c
> --- pam_namespace_functions/pam_namespace.c	2006-07-24
> 13:01:34.000000000 -0400
> +++ pam_namespace_cleanup/pam_namespace.c	2006-07-24 12:59:12.000000000
> -0400
> @@ -67,7 +67,7 @@ static int add_polydir_entry(struct inst
>  	const struct polydir_s *ent)
>  {
>      struct polydir_s *pent;
> -    unsigned int i;
> +    int rc = 0;
>  
>      /*
>       * Allocate an entry to hold information about a directory to
> @@ -76,27 +76,14 @@ static int add_polydir_entry(struct inst
>       * directories.
>       */
>      pent = (struct polydir_s *) malloc(sizeof(struct polydir_s));
> -    if (!pent) 
> -        return -1;
> -
> +	if (!pent) { 
> +		rc = -1;
> +		goto out;
> +	}
>      /* Make copy */
> -    strcpy(pent->dir, ent->dir);
> -    strcpy(pent->instance_prefix, ent->instance_prefix);
> -    pent->method = ent->method;
> -    pent->num_uids = ent->num_uids;
> -    if (ent->num_uids) {
> -        uid_t *pptr, *eptr;
> -
> -        pent->uid = (uid_t *) malloc(ent->num_uids * sizeof(uid_t));
> -        if (!(pent->uid)) {
> -            free(pent);
> -            return -1;
> -        }
> -        for (i = 0, pptr = pent->uid, eptr = ent->uid; i <
> ent->num_uids;
> -                 i++, eptr++, pptr++)
> -             *pptr = *eptr;
> -    } else 
> -        pent->uid = NULL;
> +	rc = copy_ent(ent,pent);
> +	if(rc < 0)
> +		goto out_clean;
>  
>      /* Now attach to linked list */
>      pent->next = NULL;
> @@ -110,8 +97,11 @@ static int add_polydir_entry(struct inst
>              tail = tail->next;
>          tail->next = pent;
>      }
> -
> -    return 0;
> +    goto out;
> +out_clean:
> +	free(pent);
> +out:
> +	return rc;
>  }
>  
> 
> @@ -504,49 +494,10 @@ static int poly_name(const struct polydi
>  	struct instance_data *idata)
>  #endif
>  {
> -#ifdef WITH_SELINUX
> -    security_context_t scon = NULL;
> -    security_class_t tclass;
> -#endif
>      int rc;
>  
>  # ifdef WITH_SELINUX
> -    /*
> -     * Get the security context of the directory to polyinstantiate.
> -     */
> -    rc = getfilecon(polyptr->dir, origcon);
> -    if (rc < 0 || *origcon == NULL) {
> -       pam_syslog(idata->pamh, LOG_ERR,
> -		"Error getting poly dir context, %m");
> -       return PAM_SESSION_ERR;
> -    }
> -
> -    /*
> -     * If polyinstantiating based on security context, get current
> -     * process security context, get security class for directories,
> -     * and ask the policy to provide security context of the
> -     * polyinstantiated instance directory.
> -     */
> -    if ((polyptr->method == CONTEXT) || (polyptr->method == BOTH)) {
> -        rc = getexeccon(&scon);
> -        if (rc < 0 || scon == NULL) {
> -            pam_syslog(idata->pamh, LOG_ERR, 
> -		"Error getting exec context, %m");
> -            return PAM_SESSION_ERR;
> -	}
> -        tclass = string_to_security_class("dir");
> -
> -        if (security_compute_member(scon, *origcon, tclass,
> -						i_context) < 0) {
> -    	    pam_syslog(idata->pamh, LOG_ERR,
> -                       "Error computing poly dir member context");
> -	    freecon(scon);
> -    	    return PAM_SESSION_ERR;
> -        } else if (idata->flags & PAMNS_DEBUG)
> -    	    pam_syslog(idata->pamh, LOG_DEBUG, 
> -		    "member context returned by policy %s", *i_context);
> -	freecon(scon);
> -    }
> +    rc = form_context(polyptr, i_context, origcon, idata);
>  #endif
>      rc = PAM_SUCCESS;
>  
> @@ -719,16 +670,14 @@ static int create_dirs(const struct poly
>  	struct instance_data *idata)
>  #endif
>  {
> -    struct stat statbuf, newstatbuf, instpbuf;
> -    int fd, status;
> -    char *inst_parent, *trailing_slash;
> -    pid_t rc, pid;
> -    sighandler_t osighand = NULL;
> +	struct stat statbuf, newstatbuf;
> +	int rc, fd;
>  
>      /*
>       * stat the directory to polyinstantiate, so its owner-group-mode
>       * can be propagated to instance directory
>       */
> +	rc = PAM_SUCCESS;
>      if (stat(polyptr->dir, &statbuf) < 0) {
>          pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m",
>  		polyptr->dir);
> @@ -743,49 +692,12 @@ static int create_dirs(const struct poly
>  		polyptr->dir);
>          return PAM_SESSION_ERR;
>      }
> -
> -    /*
> -     * stat the instance parent path to make sure it exists
> -     * and is a directory. Check that its mode is 000 (unless the
> -     * admin explicitly instructs to ignore the instance parent
> -     * mode by the "ignore_instance_parent_mode" argument).
> -     */
> -    inst_parent = (char *) malloc(strlen(ipath)+1);
> -    if (!inst_parent) {
> -	pam_syslog(idata->pamh, LOG_ERR, "Error allocating pathname string");
> -        return PAM_SESSION_ERR;
> -    }
> -
> -    strcpy(inst_parent, ipath);
> -    trailing_slash = strrchr(inst_parent, '/');
> -    if (trailing_slash)
> -        *trailing_slash = '\0';
> -
> -    if (stat(inst_parent, &instpbuf) < 0) {
> -        pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m",
> inst_parent);
> -        free(inst_parent);
> -        return PAM_SESSION_ERR;
> -    }
> -
> -    /*
> -     * Make sure we are dealing with a directory
> -     */
> -    if (!S_ISDIR(instpbuf.st_mode)) {
> -	pam_syslog(idata->pamh, LOG_ERR, "Instance parent %s is not a dir",
> -		inst_parent);
> -        free(inst_parent);
> -        return PAM_SESSION_ERR;
> -    }
> -
> -    if ((idata->flags & PAMNS_IGN_INST_PARENT_MODE) == 0) {
> -        if (instpbuf.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) {
> -	    pam_syslog(idata->pamh, LOG_ERR, "Mode of inst parent %s not 000",
> -		    inst_parent);
> -            free(inst_parent);
> -            return PAM_SESSION_ERR;
> -        }
> -    }
> -    free(inst_parent);
> +	
> +	/*
> +	 * Check to make sure instance parent is valid.
> +	 */
> +	if (check_inst_parent(ipath, idata))
> +		return PAM_SESSION_ERR;
>  
>      /*
>       * Create instance directory and set its security context to the
> context
> @@ -867,56 +779,8 @@ static int create_dirs(const struct poly
>       */
>  
>  inst_init:
> -    osighand = signal(SIGCHLD, SIG_DFL);
> -    if (osighand == SIG_ERR) {
> -        pam_syslog(idata->pamh, LOG_ERR, "Cannot set signal value");
> -        return PAM_SESSION_ERR;
> -    }
> -
> -    if (access(NAMESPACE_INIT_SCRIPT, F_OK) == 0) {
> -        if (access(NAMESPACE_INIT_SCRIPT, X_OK) < 0) {
> -            if (idata->flags & PAMNS_DEBUG)
> -                pam_syslog(idata->pamh, LOG_ERR,
> -                           "Namespace init script not executable");
> -            (void) signal(SIGCHLD, osighand);
> -            return PAM_SESSION_ERR;
> -        } else {
> -            pid = fork();
> -	    if (pid == 0) {
> -#ifdef WITH_SELINUX
> -		if (idata->flags & PAMNS_SELINUX_ENABLED) {
> -		    if (setexeccon(NULL) < 0)
> -			exit(1);
> -		}
> -#endif
> -	        if (execl(NAMESPACE_INIT_SCRIPT, NAMESPACE_INIT_SCRIPT,
> -		          polyptr->dir, ipath, (char *)NULL) < 0)
> -		    exit(1);
> -            } else if (pid > 0) {
> -                while (((rc = waitpid(pid, &status, 0)) == (pid_t)-1)
> &&
> -                       (errno == EINTR));
> -                if (rc == (pid_t)-1) {
> -                    pam_syslog(idata->pamh, LOG_ERR, "waitpid failed- %
> m");
> -                    (void) signal(SIGCHLD, osighand);
> -                    return PAM_SESSION_ERR;
> -                }
> -                if (!WIFEXITED(status) || WIFSIGNALED(status) > 0) {
> -                    pam_syslog(idata->pamh, LOG_ERR,
> -                               "Error initializing instance");
> -                    (void) signal(SIGCHLD, osighand);
> -                    return PAM_SESSION_ERR;
> -                }
> -	    } else if (pid < 0) {
> -                pam_syslog(idata->pamh, LOG_ERR,
> -                           "Cannot fork to run namespace init script, %
> m");
> -                (void) signal(SIGCHLD, osighand);
> -                return PAM_SESSION_ERR;
> -	    }
> -        }
> -    }
> -
> -    (void) signal(SIGCHLD, osighand);
> -    return PAM_SUCCESS;
> +	rc = inst_init(polyptr, ipath, idata); 
> +    return rc;
>  }
> 
> _______________________________________________
> Pam-list mailing list
> Pam-list redhat com
> https://www.redhat.com/mailman/listinfo/pam-list


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]