Do not unmount anything by default in pam_namespace close session call.

* modules/pam_namespace/pam_namespace.c (pam_sm_close_session): Recognize
the unmount_on_close option and make the default to be to not unmount.
* modules/pam_namespace/pam_namespace.h: Rename PAMNS_NO_UNMOUNT_ON_CLOSE to
PAMNS_UNMOUNT_ON_CLOSE.
* modules/pam_namespace/pam_namespace.8.xml: Document the change.

3 files changed, 23 insertions, 20 deletions

diff --git a/modules/pam_namespace/pam_namespace.8.xml b/modules/pam_namespace/pam_namespace.8.xml
index 6ec3ad23..f0f80d33 100644
--- a/modules/pam_namespace/pam_namespace.8.xml
+++ b/modules/pam_namespace/pam_namespace.8.xml
@@ -44,7 +44,7 @@
         ignore_instance_parent_mode
       </arg>
       <arg choice="opt">
-        no_unmount_on_close
+        unmount_on_close
       </arg>
       <arg choice="opt">
         use_current_context
@@ -195,16 +195,17 @@
 
       <varlistentry>
         <term>
-          <option>no_unmount_on_close</option>
+          <option>unmount_on_close</option>
         </term>
         <listitem>
           <para>
-           For certain trusted programs such as newrole, open session
-           is called from a child process while the parent performs
-           close session and pam end functions. For these commands
-           use this option to instruct pam_close_session to not
-           unmount the bind mounted polyinstantiated directory in the
-            parent.
+           Explicitly unmount the polyinstantiated directories instead
+           of relying on automatic namespace destruction after the last
+           process in a namespace exits. This option should be used
+           only in case it is ensured by other means that there cannot be
+           any processes running in the private namespace left after the
+           session close. It is also useful only in case there are
+           multiple pam session calls in sequence from the same process.
           </para>
         </listitem>
       </varlistentry>
diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
index 470f493b..a40f05e6 100644
--- a/modules/pam_namespace/pam_namespace.c
+++ b/modules/pam_namespace/pam_namespace.c
@@ -2108,24 +2108,26 @@ PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED,
             idata.flags |= PAMNS_DEBUG;
         if (strcmp(argv[i], "ignore_config_error") == 0)
             idata.flags |= PAMNS_IGN_CONFIG_ERR;
-        if (strcmp(argv[i], "no_unmount_on_close") == 0)
-            idata.flags |= PAMNS_NO_UNMOUNT_ON_CLOSE;
+        if (strcmp(argv[i], "unmount_on_close") == 0)
+            idata.flags |= PAMNS_UNMOUNT_ON_CLOSE;
     }
 
     if (idata.flags & PAMNS_DEBUG)
         pam_syslog(idata.pamh, LOG_DEBUG, "close_session - start");
 
     /*
-     * For certain trusted programs such as newrole, open session
-     * is called from a child process while the parent perfoms
-     * close session and pam end functions. For these commands
-     * pam_close_session should not perform the unmount of the
-     * polyinstantiatied directory because it will result in
-     * undoing of parents polyinstantiatiaion. These commands
-     * will invoke pam_namespace with the "no_unmount_on_close"
-     * argument.
+     * Normally the unmount is implicitly done when the last
+     * process in the private namespace exits.
+     * If it is ensured that there are no child processes left in
+     * the private namespace by other means and if there are
+     * multiple sessions opened and closed sequentially by the
+     * same process, the "unmount_on_close" option might be
+     * used to unmount the polydirs explicitly.
      */
-    if (idata.flags & PAMNS_NO_UNMOUNT_ON_CLOSE) {
+    if (!(idata.flags & PAMNS_UNMOUNT_ON_CLOSE)) {
+	pam_set_data(idata.pamh, NAMESPACE_POLYDIR_DATA, NULL, NULL);
+	pam_set_data(idata.pamh, NAMESPACE_PROTECT_DATA, NULL, NULL);
+
 	if (idata.flags & PAMNS_DEBUG)
 	    pam_syslog(idata.pamh, LOG_DEBUG, "close_session - sucessful");
         return PAM_SUCCESS;
diff --git a/modules/pam_namespace/pam_namespace.h b/modules/pam_namespace/pam_namespace.h
index 6bca31c4..1d0c11c6 100644
--- a/modules/pam_namespace/pam_namespace.h
+++ b/modules/pam_namespace/pam_namespace.h
@@ -101,7 +101,7 @@
 #define PAMNS_GEN_HASH        0x00002000 /* Generate md5 hash for inst names */
 #define PAMNS_IGN_CONFIG_ERR  0x00004000 /* Ignore format error in conf file */
 #define PAMNS_IGN_INST_PARENT_MODE  0x00008000 /* Ignore instance parent mode */
-#define PAMNS_NO_UNMOUNT_ON_CLOSE  0x00010000 /* no unmount at session close */
+#define PAMNS_UNMOUNT_ON_CLOSE  0x00010000 /* Unmount at session close */
 #define PAMNS_USE_CURRENT_CONTEXT  0x00020000 /* use getcon instead of getexeccon */
 #define PAMNS_USE_DEFAULT_CONTEXT  0x00040000 /* use get_default_context instead of getexeccon */
 #define PAMNS_MOUNT_PRIVATE   0x00080000 /* Make the polydir mounts private */