[PATCH 3/3] pam_namespace: Use functions added in patch #2
David Quigley
dpquigl at tycho.nsa.gov
Tue Jul 25 13:08:26 UTC 2006
Hello,
I must have forgotten to put evolution in preformat mode when I
pasted it in. This should be correct now.
From: David Quigley <dpquigl at tycho.nsa.gov>
This patch makes changes to existing functions to make use of the new
functions added in patch #2.
Signed-Off-By: David Quigley <dpquigl at tycho.nsa.gov>
---
pam_namespace.c | 186 +++++++-------------------------------------------------
1 file changed, 25 insertions(+), 161 deletions(-)
diff -uprN -X dontdiff pam_namespace_functions/pam_namespace.c pam_namespace_cleanup/pam_namespace.c
--- pam_namespace_functions/pam_namespace.c 2006-07-24 13:01:34.000000000 -0400
+++ pam_namespace_cleanup/pam_namespace.c 2006-07-24 12:59:12.000000000 -0400
@@ -67,7 +67,7 @@ static int add_polydir_entry(struct inst
const struct polydir_s *ent)
{
struct polydir_s *pent;
- unsigned int i;
+ int rc = 0;
/*
* Allocate an entry to hold information about a directory to
@@ -76,27 +76,14 @@ static int add_polydir_entry(struct inst
* directories.
*/
pent = (struct polydir_s *) malloc(sizeof(struct polydir_s));
- if (!pent)
- return -1;
-
+ if (!pent) {
+ rc = -1;
+ goto out;
+ }
/* Make copy */
- strcpy(pent->dir, ent->dir);
- strcpy(pent->instance_prefix, ent->instance_prefix);
- pent->method = ent->method;
- pent->num_uids = ent->num_uids;
- if (ent->num_uids) {
- uid_t *pptr, *eptr;
-
- pent->uid = (uid_t *) malloc(ent->num_uids * sizeof(uid_t));
- if (!(pent->uid)) {
- free(pent);
- return -1;
- }
- for (i = 0, pptr = pent->uid, eptr = ent->uid; i < ent->num_uids;
- i++, eptr++, pptr++)
- *pptr = *eptr;
- } else
- pent->uid = NULL;
+ rc = copy_ent(ent,pent);
+ if(rc < 0)
+ goto out_clean;
/* Now attach to linked list */
pent->next = NULL;
@@ -110,8 +97,11 @@ static int add_polydir_entry(struct inst
tail = tail->next;
tail->next = pent;
}
-
- return 0;
+ goto out;
+out_clean:
+ free(pent);
+out:
+ return rc;
}
@@ -504,49 +494,10 @@ static int poly_name(const struct polydi
struct instance_data *idata)
#endif
{
-#ifdef WITH_SELINUX
- security_context_t scon = NULL;
- security_class_t tclass;
-#endif
int rc;
# ifdef WITH_SELINUX
- /*
- * Get the security context of the directory to polyinstantiate.
- */
- rc = getfilecon(polyptr->dir, origcon);
- if (rc < 0 || *origcon == NULL) {
- pam_syslog(idata->pamh, LOG_ERR,
- "Error getting poly dir context, %m");
- return PAM_SESSION_ERR;
- }
-
- /*
- * If polyinstantiating based on security context, get current
- * process security context, get security class for directories,
- * and ask the policy to provide security context of the
- * polyinstantiated instance directory.
- */
- if ((polyptr->method == CONTEXT) || (polyptr->method == BOTH)) {
- rc = getexeccon(&scon);
- if (rc < 0 || scon == NULL) {
- pam_syslog(idata->pamh, LOG_ERR,
- "Error getting exec context, %m");
- return PAM_SESSION_ERR;
- }
- tclass = string_to_security_class("dir");
-
- if (security_compute_member(scon, *origcon, tclass,
- i_context) < 0) {
- pam_syslog(idata->pamh, LOG_ERR,
- "Error computing poly dir member context");
- freecon(scon);
- return PAM_SESSION_ERR;
- } else if (idata->flags & PAMNS_DEBUG)
- pam_syslog(idata->pamh, LOG_DEBUG,
- "member context returned by policy %s", *i_context);
- freecon(scon);
- }
+ rc = form_context(polyptr, i_context, origcon, idata);
#endif
rc = PAM_SUCCESS;
@@ -719,16 +670,14 @@ static int create_dirs(const struct poly
struct instance_data *idata)
#endif
{
- struct stat statbuf, newstatbuf, instpbuf;
- int fd, status;
- char *inst_parent, *trailing_slash;
- pid_t rc, pid;
- sighandler_t osighand = NULL;
+ struct stat statbuf, newstatbuf;
+ int rc, fd;
/*
* stat the directory to polyinstantiate, so its owner-group-mode
* can be propagated to instance directory
*/
+ rc = PAM_SUCCESS;
if (stat(polyptr->dir, &statbuf) < 0) {
pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m",
polyptr->dir);
@@ -743,49 +692,12 @@ static int create_dirs(const struct poly
polyptr->dir);
return PAM_SESSION_ERR;
}
-
- /*
- * stat the instance parent path to make sure it exists
- * and is a directory. Check that its mode is 000 (unless the
- * admin explicitly instructs to ignore the instance parent
- * mode by the "ignore_instance_parent_mode" argument).
- */
- inst_parent = (char *) malloc(strlen(ipath)+1);
- if (!inst_parent) {
- pam_syslog(idata->pamh, LOG_ERR, "Error allocating pathname string");
- return PAM_SESSION_ERR;
- }
-
- strcpy(inst_parent, ipath);
- trailing_slash = strrchr(inst_parent, '/');
- if (trailing_slash)
- *trailing_slash = '\0';
-
- if (stat(inst_parent, &instpbuf) < 0) {
- pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m", inst_parent);
- free(inst_parent);
- return PAM_SESSION_ERR;
- }
-
- /*
- * Make sure we are dealing with a directory
- */
- if (!S_ISDIR(instpbuf.st_mode)) {
- pam_syslog(idata->pamh, LOG_ERR, "Instance parent %s is not a dir",
- inst_parent);
- free(inst_parent);
- return PAM_SESSION_ERR;
- }
-
- if ((idata->flags & PAMNS_IGN_INST_PARENT_MODE) == 0) {
- if (instpbuf.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) {
- pam_syslog(idata->pamh, LOG_ERR, "Mode of inst parent %s not 000",
- inst_parent);
- free(inst_parent);
- return PAM_SESSION_ERR;
- }
- }
- free(inst_parent);
+
+ /*
+ * Check to make sure instance parent is valid.
+ */
+ if (check_inst_parent(ipath, idata))
+ return PAM_SESSION_ERR;
/*
* Create instance directory and set its security context to the context
@@ -867,56 +779,8 @@ static int create_dirs(const struct poly
*/
inst_init:
- osighand = signal(SIGCHLD, SIG_DFL);
- if (osighand == SIG_ERR) {
- pam_syslog(idata->pamh, LOG_ERR, "Cannot set signal value");
- return PAM_SESSION_ERR;
- }
-
- if (access(NAMESPACE_INIT_SCRIPT, F_OK) == 0) {
- if (access(NAMESPACE_INIT_SCRIPT, X_OK) < 0) {
- if (idata->flags & PAMNS_DEBUG)
- pam_syslog(idata->pamh, LOG_ERR,
- "Namespace init script not executable");
- (void) signal(SIGCHLD, osighand);
- return PAM_SESSION_ERR;
- } else {
- pid = fork();
- if (pid == 0) {
-#ifdef WITH_SELINUX
- if (idata->flags & PAMNS_SELINUX_ENABLED) {
- if (setexeccon(NULL) < 0)
- exit(1);
- }
-#endif
- if (execl(NAMESPACE_INIT_SCRIPT, NAMESPACE_INIT_SCRIPT,
- polyptr->dir, ipath, (char *)NULL) < 0)
- exit(1);
- } else if (pid > 0) {
- while (((rc = waitpid(pid, &status, 0)) == (pid_t)-1) &&
- (errno == EINTR));
- if (rc == (pid_t)-1) {
- pam_syslog(idata->pamh, LOG_ERR, "waitpid failed- %m");
- (void) signal(SIGCHLD, osighand);
- return PAM_SESSION_ERR;
- }
- if (!WIFEXITED(status) || WIFSIGNALED(status) > 0) {
- pam_syslog(idata->pamh, LOG_ERR,
- "Error initializing instance");
- (void) signal(SIGCHLD, osighand);
- return PAM_SESSION_ERR;
- }
- } else if (pid < 0) {
- pam_syslog(idata->pamh, LOG_ERR,
- "Cannot fork to run namespace init script, %m");
- (void) signal(SIGCHLD, osighand);
- return PAM_SESSION_ERR;
- }
- }
- }
-
- (void) signal(SIGCHLD, osighand);
- return PAM_SUCCESS;
+ rc = inst_init(polyptr, ipath, idata);
+ return rc;
}
More information about the Pam-list
mailing list