[PATCH 3/3] pam_namespace: Use functions added in patch #2
Janak Desai
janak at us.ibm.com
Mon Jul 24 21:14:39 UTC 2006
Hello David,
Patches 1 and 2 look good. This 3rd one doesn't apply because it
has wrapped lines. At a cursory glance it looks ok, but I would like
to apply, compile and test it. Please resend this patch.
-Janak
On Mon, 2006-07-24 at 13:23 -0400, David Quigley wrote:
> From: David Quigley <dpquigl at tycho.nsa.gov>
>
> This patch makes changes to existing functions to make use of the new
> functions added in patch #2.
>
> Signed-Off-By: David Quigley <dpquigl at tycho.nsa.gov>
> ---
>
> pam_namespace.c | 186
> +++++++-------------------------------------------------
> 1 file changed, 25 insertions(+), 161 deletions(-)
>
> diff -uprN -X dontdiff pam_namespace_functions/pam_namespace.c
> pam_namespace_cleanup/pam_namespace.c
> --- pam_namespace_functions/pam_namespace.c 2006-07-24
> 13:01:34.000000000 -0400
> +++ pam_namespace_cleanup/pam_namespace.c 2006-07-24 12:59:12.000000000
> -0400
> @@ -67,7 +67,7 @@ static int add_polydir_entry(struct inst
> const struct polydir_s *ent)
> {
> struct polydir_s *pent;
> - unsigned int i;
> + int rc = 0;
>
> /*
> * Allocate an entry to hold information about a directory to
> @@ -76,27 +76,14 @@ static int add_polydir_entry(struct inst
> * directories.
> */
> pent = (struct polydir_s *) malloc(sizeof(struct polydir_s));
> - if (!pent)
> - return -1;
> -
> + if (!pent) {
> + rc = -1;
> + goto out;
> + }
> /* Make copy */
> - strcpy(pent->dir, ent->dir);
> - strcpy(pent->instance_prefix, ent->instance_prefix);
> - pent->method = ent->method;
> - pent->num_uids = ent->num_uids;
> - if (ent->num_uids) {
> - uid_t *pptr, *eptr;
> -
> - pent->uid = (uid_t *) malloc(ent->num_uids * sizeof(uid_t));
> - if (!(pent->uid)) {
> - free(pent);
> - return -1;
> - }
> - for (i = 0, pptr = pent->uid, eptr = ent->uid; i <
> ent->num_uids;
> - i++, eptr++, pptr++)
> - *pptr = *eptr;
> - } else
> - pent->uid = NULL;
> + rc = copy_ent(ent,pent);
> + if(rc < 0)
> + goto out_clean;
>
> /* Now attach to linked list */
> pent->next = NULL;
> @@ -110,8 +97,11 @@ static int add_polydir_entry(struct inst
> tail = tail->next;
> tail->next = pent;
> }
> -
> - return 0;
> + goto out;
> +out_clean:
> + free(pent);
> +out:
> + return rc;
> }
>
>
> @@ -504,49 +494,10 @@ static int poly_name(const struct polydi
> struct instance_data *idata)
> #endif
> {
> -#ifdef WITH_SELINUX
> - security_context_t scon = NULL;
> - security_class_t tclass;
> -#endif
> int rc;
>
> # ifdef WITH_SELINUX
> - /*
> - * Get the security context of the directory to polyinstantiate.
> - */
> - rc = getfilecon(polyptr->dir, origcon);
> - if (rc < 0 || *origcon == NULL) {
> - pam_syslog(idata->pamh, LOG_ERR,
> - "Error getting poly dir context, %m");
> - return PAM_SESSION_ERR;
> - }
> -
> - /*
> - * If polyinstantiating based on security context, get current
> - * process security context, get security class for directories,
> - * and ask the policy to provide security context of the
> - * polyinstantiated instance directory.
> - */
> - if ((polyptr->method == CONTEXT) || (polyptr->method == BOTH)) {
> - rc = getexeccon(&scon);
> - if (rc < 0 || scon == NULL) {
> - pam_syslog(idata->pamh, LOG_ERR,
> - "Error getting exec context, %m");
> - return PAM_SESSION_ERR;
> - }
> - tclass = string_to_security_class("dir");
> -
> - if (security_compute_member(scon, *origcon, tclass,
> - i_context) < 0) {
> - pam_syslog(idata->pamh, LOG_ERR,
> - "Error computing poly dir member context");
> - freecon(scon);
> - return PAM_SESSION_ERR;
> - } else if (idata->flags & PAMNS_DEBUG)
> - pam_syslog(idata->pamh, LOG_DEBUG,
> - "member context returned by policy %s", *i_context);
> - freecon(scon);
> - }
> + rc = form_context(polyptr, i_context, origcon, idata);
> #endif
> rc = PAM_SUCCESS;
>
> @@ -719,16 +670,14 @@ static int create_dirs(const struct poly
> struct instance_data *idata)
> #endif
> {
> - struct stat statbuf, newstatbuf, instpbuf;
> - int fd, status;
> - char *inst_parent, *trailing_slash;
> - pid_t rc, pid;
> - sighandler_t osighand = NULL;
> + struct stat statbuf, newstatbuf;
> + int rc, fd;
>
> /*
> * stat the directory to polyinstantiate, so its owner-group-mode
> * can be propagated to instance directory
> */
> + rc = PAM_SUCCESS;
> if (stat(polyptr->dir, &statbuf) < 0) {
> pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m",
> polyptr->dir);
> @@ -743,49 +692,12 @@ static int create_dirs(const struct poly
> polyptr->dir);
> return PAM_SESSION_ERR;
> }
> -
> - /*
> - * stat the instance parent path to make sure it exists
> - * and is a directory. Check that its mode is 000 (unless the
> - * admin explicitly instructs to ignore the instance parent
> - * mode by the "ignore_instance_parent_mode" argument).
> - */
> - inst_parent = (char *) malloc(strlen(ipath)+1);
> - if (!inst_parent) {
> - pam_syslog(idata->pamh, LOG_ERR, "Error allocating pathname string");
> - return PAM_SESSION_ERR;
> - }
> -
> - strcpy(inst_parent, ipath);
> - trailing_slash = strrchr(inst_parent, '/');
> - if (trailing_slash)
> - *trailing_slash = '\0';
> -
> - if (stat(inst_parent, &instpbuf) < 0) {
> - pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m",
> inst_parent);
> - free(inst_parent);
> - return PAM_SESSION_ERR;
> - }
> -
> - /*
> - * Make sure we are dealing with a directory
> - */
> - if (!S_ISDIR(instpbuf.st_mode)) {
> - pam_syslog(idata->pamh, LOG_ERR, "Instance parent %s is not a dir",
> - inst_parent);
> - free(inst_parent);
> - return PAM_SESSION_ERR;
> - }
> -
> - if ((idata->flags & PAMNS_IGN_INST_PARENT_MODE) == 0) {
> - if (instpbuf.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) {
> - pam_syslog(idata->pamh, LOG_ERR, "Mode of inst parent %s not 000",
> - inst_parent);
> - free(inst_parent);
> - return PAM_SESSION_ERR;
> - }
> - }
> - free(inst_parent);
> +
> + /*
> + * Check to make sure instance parent is valid.
> + */
> + if (check_inst_parent(ipath, idata))
> + return PAM_SESSION_ERR;
>
> /*
> * Create instance directory and set its security context to the
> context
> @@ -867,56 +779,8 @@ static int create_dirs(const struct poly
> */
>
> inst_init:
> - osighand = signal(SIGCHLD, SIG_DFL);
> - if (osighand == SIG_ERR) {
> - pam_syslog(idata->pamh, LOG_ERR, "Cannot set signal value");
> - return PAM_SESSION_ERR;
> - }
> -
> - if (access(NAMESPACE_INIT_SCRIPT, F_OK) == 0) {
> - if (access(NAMESPACE_INIT_SCRIPT, X_OK) < 0) {
> - if (idata->flags & PAMNS_DEBUG)
> - pam_syslog(idata->pamh, LOG_ERR,
> - "Namespace init script not executable");
> - (void) signal(SIGCHLD, osighand);
> - return PAM_SESSION_ERR;
> - } else {
> - pid = fork();
> - if (pid == 0) {
> -#ifdef WITH_SELINUX
> - if (idata->flags & PAMNS_SELINUX_ENABLED) {
> - if (setexeccon(NULL) < 0)
> - exit(1);
> - }
> -#endif
> - if (execl(NAMESPACE_INIT_SCRIPT, NAMESPACE_INIT_SCRIPT,
> - polyptr->dir, ipath, (char *)NULL) < 0)
> - exit(1);
> - } else if (pid > 0) {
> - while (((rc = waitpid(pid, &status, 0)) == (pid_t)-1)
> &&
> - (errno == EINTR));
> - if (rc == (pid_t)-1) {
> - pam_syslog(idata->pamh, LOG_ERR, "waitpid failed- %
> m");
> - (void) signal(SIGCHLD, osighand);
> - return PAM_SESSION_ERR;
> - }
> - if (!WIFEXITED(status) || WIFSIGNALED(status) > 0) {
> - pam_syslog(idata->pamh, LOG_ERR,
> - "Error initializing instance");
> - (void) signal(SIGCHLD, osighand);
> - return PAM_SESSION_ERR;
> - }
> - } else if (pid < 0) {
> - pam_syslog(idata->pamh, LOG_ERR,
> - "Cannot fork to run namespace init script, %
> m");
> - (void) signal(SIGCHLD, osighand);
> - return PAM_SESSION_ERR;
> - }
> - }
> - }
> -
> - (void) signal(SIGCHLD, osighand);
> - return PAM_SUCCESS;
> + rc = inst_init(polyptr, ipath, idata);
> + return rc;
> }
>
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list
More information about the Pam-list
mailing list