diff options
Diffstat (limited to 'modules/pam_namespace')
| -rw-r--r-- | modules/pam_namespace/Makefile.am | 2 | ||||
| -rw-r--r-- | modules/pam_namespace/Makefile.in | 36 | ||||
| -rw-r--r-- | modules/pam_namespace/md5.c | 48 | ||||
| -rw-r--r-- | modules/pam_namespace/md5.h | 10 | ||||
| -rw-r--r-- | modules/pam_namespace/namespace.conf.5 | 4 | ||||
| -rw-r--r-- | modules/pam_namespace/pam_namespace.8 | 36 | ||||
| -rw-r--r-- | modules/pam_namespace/pam_namespace.8.xml | 41 | ||||
| -rw-r--r-- | modules/pam_namespace/pam_namespace.c | 63 | ||||
| -rw-r--r-- | modules/pam_namespace/pam_namespace.h | 1 | ||||
| -rw-r--r-- | modules/pam_namespace/pam_namespace_helper.8 | 4 |
10 files changed, 102 insertions, 143 deletions
diff --git a/modules/pam_namespace/Makefile.am b/modules/pam_namespace/Makefile.am index 21e1b33a..47cc38e1 100644 --- a/modules/pam_namespace/Makefile.am +++ b/modules/pam_namespace/Makefile.am @@ -18,7 +18,7 @@ TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) namespaceddir = $(SCONFIGDIR)/namespace.d -servicedir = $(prefix)/lib/systemd/system +servicedir = $(systemdunitdir) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ -DSECURECONF_DIR=\"$(SCONFIGDIR)/\" $(WARN_CFLAGS) diff --git a/modules/pam_namespace/Makefile.in b/modules/pam_namespace/Makefile.in index 7524287e..e21c836d 100644 --- a/modules/pam_namespace/Makefile.in +++ b/modules/pam_namespace/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -99,18 +99,21 @@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map subdir = modules/pam_namespace ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ @@ -384,6 +387,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -430,6 +434,9 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ @@ -443,6 +450,8 @@ ECONF_CFLAGS = @ECONF_CFLAGS@ ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ @@ -462,7 +471,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -509,8 +517,6 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -521,6 +527,7 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ @@ -570,7 +577,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -578,9 +584,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -590,6 +593,7 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ @@ -604,7 +608,7 @@ TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) namespaceddir = $(SCONFIGDIR)/namespace.d -servicedir = $(prefix)/lib/systemd/system +servicedir = $(systemdunitdir) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ -DSECURECONF_DIR=\"$(SCONFIGDIR)/\" $(WARN_CFLAGS) @@ -1094,7 +1098,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ diff --git a/modules/pam_namespace/md5.c b/modules/pam_namespace/md5.c index b9a7f084..22e41ee0 100644 --- a/modules/pam_namespace/md5.c +++ b/modules/pam_namespace/md5.c @@ -18,14 +18,12 @@ * */ -#include <string.h> #include "md5.h" +#include <string.h> #define MD5Name(x) x -#if defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__) -#define byteReverse(buf, len) /* Nothing */ -#else +#ifdef WORDS_BIGENDIAN typedef unsigned char PAM_ATTRIBUTE_ALIGNED(4) uint8_aligned; static void byteReverse(uint8_aligned *buf, unsigned longs); @@ -43,6 +41,8 @@ static void byteReverse(uint8_aligned *buf, unsigned longs) buf += 4; } while (--longs); } +#else +#define byteReverse(buf, len) /* Nothing */ #endif /* @@ -51,10 +51,10 @@ static void byteReverse(uint8_aligned *buf, unsigned longs) */ void MD5Name(MD5Init)(struct MD5Context *ctx) { - ctx->buf[0] = 0x67452301U; - ctx->buf[1] = 0xefcdab89U; - ctx->buf[2] = 0x98badcfeU; - ctx->buf[3] = 0x10325476U; + ctx->buf.i[0] = 0x67452301U; + ctx->buf.i[1] = 0xefcdab89U; + ctx->buf.i[2] = 0x98badcfeU; + ctx->buf.i[3] = 0x10325476U; ctx->bits[0] = 0; ctx->bits[1] = 0; @@ -80,7 +80,7 @@ void MD5Name(MD5Update)(struct MD5Context *ctx, unsigned const char *buf, unsign /* Handle any leading odd-sized chunks */ if (t) { - unsigned char *p = (unsigned char *) ctx->in + t; + unsigned char *p = ctx->in.c + t; t = 64 - t; if (len < t) { @@ -88,24 +88,24 @@ void MD5Name(MD5Update)(struct MD5Context *ctx, unsigned const char *buf, unsign return; } memcpy(p, buf, t); - byteReverse(ctx->in, 16); - MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in); + byteReverse(ctx->in.c, 16); + MD5Name(MD5Transform)(ctx->buf.i, ctx->in.i); buf += t; len -= t; } /* Process data in 64-byte chunks */ while (len >= 64) { - memcpy(ctx->in, buf, 64); - byteReverse(ctx->in, 16); - MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in); + memcpy(ctx->in.c, buf, 64); + byteReverse(ctx->in.c, 16); + MD5Name(MD5Transform)(ctx->buf.i, ctx->in.i); buf += 64; len -= 64; } /* Handle any remaining bytes of data. */ - memcpy(ctx->in, buf, len); + memcpy(ctx->in.c, buf, len); } /* @@ -122,7 +122,7 @@ void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx) /* Set the first char of padding to 0x80. This is safe since there is always at least one byte free */ - p = ctx->in + count; + p = ctx->in.c + count; *p++ = 0x80; /* Bytes of padding needed to make 64 bytes */ @@ -132,23 +132,23 @@ void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx) if (count < 8) { /* Two lots of padding: Pad the first block to 64 bytes */ memset(p, 0, count); - byteReverse(ctx->in, 16); - MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in); + byteReverse(ctx->in.c, 16); + MD5Name(MD5Transform)(ctx->buf.i, ctx->in.i); /* Now fill the next block with 56 bytes */ - memset(ctx->in, 0, 56); + memset(ctx->in.c, 0, 56); } else { /* Pad block to 56 bytes */ memset(p, 0, count - 8); } - byteReverse(ctx->in, 14); + byteReverse(ctx->in.c, 14); /* Append length in bits and transform */ - memcpy((uint32 *)ctx->in + 14, ctx->bits, 2*sizeof(uint32)); + memcpy(ctx->in.i + 14, ctx->bits, 2*sizeof(uint32)); - MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in); - byteReverse((unsigned char *) ctx->buf, 4); - memcpy(digest, ctx->buf, 16); + MD5Name(MD5Transform)(ctx->buf.i, ctx->in.i); + byteReverse(ctx->buf.c, 4); + memcpy(digest, ctx->buf.c, 16); memset(ctx, 0, sizeof(*ctx)); /* In case it's sensitive */ } diff --git a/modules/pam_namespace/md5.h b/modules/pam_namespace/md5.h index bded3302..501aab4b 100644 --- a/modules/pam_namespace/md5.h +++ b/modules/pam_namespace/md5.h @@ -7,9 +7,15 @@ typedef unsigned int uint32; struct MD5Context { - uint32 buf[4]; + union { + uint32 i[4]; + unsigned char c[16] PAM_ATTRIBUTE_ALIGNED(4); + } buf; uint32 bits[2]; - unsigned char in[64] PAM_ATTRIBUTE_ALIGNED(4); + union { + uint32 i[16]; + unsigned char c[64] PAM_ATTRIBUTE_ALIGNED(4); + } in; }; #define MD5_DIGEST_LENGTH 16 diff --git a/modules/pam_namespace/namespace.conf.5 b/modules/pam_namespace/namespace.conf.5 index be186c9d..ff122cbf 100644 --- a/modules/pam_namespace/namespace.conf.5 +++ b/modules/pam_namespace/namespace.conf.5 @@ -2,12 +2,12 @@ .\" Title: namespace.conf .\" Author: [see the "AUTHORS" section] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 06/08/2020 +.\" Date: 09/03/2021 .\" Manual: Linux-PAM Manual .\" Source: Linux-PAM Manual .\" Language: English .\" -.TH "NAMESPACE\&.CONF" "5" "06/08/2020" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "NAMESPACE\&.CONF" "5" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff --git a/modules/pam_namespace/pam_namespace.8 b/modules/pam_namespace/pam_namespace.8 index 6fca41f4..d0afb6c6 100644 --- a/modules/pam_namespace/pam_namespace.8 +++ b/modules/pam_namespace/pam_namespace.8 @@ -2,12 +2,12 @@ .\" Title: pam_namespace .\" Author: [see the "AUTHORS" section] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 06/08/2020 +.\" Date: 09/03/2021 .\" Manual: Linux-PAM Manual .\" Source: Linux-PAM Manual .\" Language: English .\" -.TH "PAM_NAMESPACE" "8" "06/08/2020" "Linux-PAM Manual" "Linux-PAM Manual" +.TH "PAM_NAMESPACE" "8" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -142,37 +142,7 @@ For the <service>s you need polyinstantiation (login for example) put the follow .PP session required pam_namespace\&.so [arguments] .PP -To use polyinstantiation with graphical display manager gdm, insert the following line, before exit 0, in /etc/gdm/PostSession/Default: -.PP -/usr/sbin/gdm\-safe\-restart -.PP -This allows gdm to restart after each session and appropriately adjust namespaces of display manager and the X server\&. If polyinstantiation of /tmp is desired along with the graphical environment, then additional configuration changes are needed to address the interaction of X server and font server namespaces with their use of /tmp to create communication sockets\&. Please use the initialization script -/etc/security/namespace\&.init -to ensure that the X server and its clients can appropriately access the communication socket X0\&. Please refer to the sample instructions provided in the comment section of the instance initialization script -/etc/security/namespace\&.init\&. In addition, perform the following changes to use graphical environment with polyinstantiation of /tmp: -.PP -.if n \{\ -.RS 4 -.\} -.nf - 1\&. Disable the use of font server by commenting out "FontPath" - line in /etc/X11/xorg\&.conf\&. If you do want to use the font server - then you will have to augment the instance initialization - script to appropriately provide /tmp/\&.font\-unix from the - polyinstantiated /tmp\&. - 2\&. Ensure that the gdm service is setup to use pam_namespace, - as described above, by modifying /etc/pam\&.d/gdm\&. - 3\&. Ensure that the display manager is configured to restart X server - with each new session\&. This default setup can be verified by - making sure that /usr/share/gdm/defaults\&.conf contains - "AlwaysRestartServer=true", and it is not overridden by - /etc/gdm/custom\&.conf\&. - -.fi -.if n \{\ -.RE -.\} -.sp +To use polyinstantiation with graphical display manager gdm, please refer to gdm\*(Aqs documentation\&. .SH "SEE ALSO" .PP \fBnamespace.conf\fR(5), diff --git a/modules/pam_namespace/pam_namespace.8.xml b/modules/pam_namespace/pam_namespace.8.xml index f0f80d33..57c44c4b 100644 --- a/modules/pam_namespace/pam_namespace.8.xml +++ b/modules/pam_namespace/pam_namespace.8.xml @@ -343,45 +343,8 @@ </para> <para> - To use polyinstantiation with graphical display manager gdm, insert the - following line, before exit 0, in /etc/gdm/PostSession/Default: - </para> - - <para> - /usr/sbin/gdm-safe-restart - </para> - - <para> - This allows gdm to restart after each session and appropriately adjust - namespaces of display manager and the X server. If polyinstantiation - of /tmp is desired along with the graphical environment, then additional - configuration changes are needed to address the interaction of X server - and font server namespaces with their use of /tmp to create - communication sockets. Please use the initialization script - <filename>/etc/security/namespace.init</filename> to ensure that - the X server and its clients can appropriately access the - communication socket X0. Please refer to the sample instructions - provided in the comment section of the instance initialization script - <filename>/etc/security/namespace.init</filename>. In addition, - perform the following changes to use graphical environment with - polyinstantiation of /tmp: - </para> - - <para> - <literallayout> - 1. Disable the use of font server by commenting out "FontPath" - line in /etc/X11/xorg.conf. If you do want to use the font server - then you will have to augment the instance initialization - script to appropriately provide /tmp/.font-unix from the - polyinstantiated /tmp. - 2. Ensure that the gdm service is setup to use pam_namespace, - as described above, by modifying /etc/pam.d/gdm. - 3. Ensure that the display manager is configured to restart X server - with each new session. This default setup can be verified by - making sure that /usr/share/gdm/defaults.conf contains - "AlwaysRestartServer=true", and it is not overridden by - /etc/gdm/custom.conf. - </literallayout> + To use polyinstantiation with graphical display manager gdm, please refer + to gdm's documentation. </para> </refsect1> diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c index 63b5c665..4d4188d0 100644 --- a/modules/pam_namespace/pam_namespace.c +++ b/modules/pam_namespace/pam_namespace.c @@ -797,11 +797,11 @@ static char *md5hash(const char *instname, struct instance_data *idata) #ifdef WITH_SELINUX static int form_context(const struct polydir_s *polyptr, - security_context_t *i_context, security_context_t *origcon, + char **i_context, char **origcon, struct instance_data *idata) { int rc = PAM_SUCCESS; - security_context_t scon = NULL; + char *scon = NULL; security_class_t tclass; /* @@ -844,6 +844,12 @@ static int form_context(const struct polydir_s *polyptr, if (polyptr->method == CONTEXT) { tclass = string_to_security_class("dir"); + if (tclass == 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Error getting dir security class"); + freecon(scon); + return PAM_SESSION_ERR; + } if (security_compute_member(scon, *origcon, tclass, i_context) < 0) { @@ -910,7 +916,7 @@ static int form_context(const struct polydir_s *polyptr, */ #ifdef WITH_SELINUX static int poly_name(const struct polydir_s *polyptr, char **i_name, - security_context_t *i_context, security_context_t *origcon, + char **i_context, char **origcon, struct instance_data *idata) #else static int poly_name(const struct polydir_s *polyptr, char **i_name, @@ -921,7 +927,7 @@ static int poly_name(const struct polydir_s *polyptr, char **i_name, char *hash = NULL; enum polymethod pm; #ifdef WITH_SELINUX - security_context_t rawcon = NULL; + char *rawcon = NULL; #endif *i_name = NULL; @@ -1318,7 +1324,8 @@ static int create_polydir(struct polydir_s *polyptr, mode_t mode; int rc; #ifdef WITH_SELINUX - security_context_t dircon, oldcon = NULL; + char *dircon_raw, *oldcon_raw = NULL; + struct selabel_handle *label_handle; #endif const char *dir = polyptr->dir; uid_t uid; @@ -1331,21 +1338,28 @@ static int create_polydir(struct polydir_s *polyptr, #ifdef WITH_SELINUX if (idata->flags & PAMNS_SELINUX_ENABLED) { - getfscreatecon(&oldcon); - rc = matchpathcon(dir, S_IFDIR, &dircon); - if (rc) { - pam_syslog(idata->pamh, LOG_NOTICE, - "Unable to get default context for directory %s, check your policy: %m", dir); - } else { - if (idata->flags & PAMNS_DEBUG) - pam_syslog(idata->pamh, LOG_DEBUG, - "Polydir %s context: %s", dir, (char *)dircon); - if (setfscreatecon(dircon) != 0) + getfscreatecon_raw(&oldcon_raw); + + label_handle = selabel_open(SELABEL_CTX_FILE, NULL, 0); + if (!label_handle) { + pam_syslog(idata->pamh, LOG_NOTICE, + "Unable to initialize SELinux labeling handle: %m"); + } else { + rc = selabel_lookup_raw(label_handle, &dircon_raw, dir, S_IFDIR); + if (rc) { pam_syslog(idata->pamh, LOG_NOTICE, - "Error setting context for directory %s: %m", dir); - freecon(dircon); - } - matchpathcon_fini(); + "Unable to get default context for directory %s, check your policy: %m", dir); + } else { + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, + "Polydir %s context: %s", dir, dircon_raw); + if (setfscreatecon_raw(dircon_raw) != 0) + pam_syslog(idata->pamh, LOG_NOTICE, + "Error setting context for directory %s: %m", dir); + freecon(dircon_raw); + } + selabel_close(label_handle); + } } #endif @@ -1358,10 +1372,10 @@ static int create_polydir(struct polydir_s *polyptr, #ifdef WITH_SELINUX if (idata->flags & PAMNS_SELINUX_ENABLED) { - if (setfscreatecon(oldcon) != 0) + if (setfscreatecon_raw(oldcon_raw) != 0) pam_syslog(idata->pamh, LOG_NOTICE, "Error resetting fs create context: %m"); - freecon(oldcon); + freecon(oldcon_raw); } #endif @@ -1413,7 +1427,7 @@ static int create_polydir(struct polydir_s *polyptr, */ #ifdef WITH_SELINUX static int create_instance(struct polydir_s *polyptr, char *ipath, struct stat *statbuf, - security_context_t icontext, security_context_t ocontext, + const char *icontext, const char *ocontext, struct instance_data *idata) #else static int create_instance(struct polydir_s *polyptr, char *ipath, struct stat *statbuf, @@ -1488,6 +1502,7 @@ static int create_instance(struct polydir_s *polyptr, char *ipath, struct stat * if (fstat(fd, &newstatbuf) < 0) { pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m", ipath); + close(fd); rmdir(ipath); return PAM_SESSION_ERR; } @@ -1530,7 +1545,7 @@ static int ns_setup(struct polydir_s *polyptr, char *instname = NULL; struct stat statbuf; #ifdef WITH_SELINUX - security_context_t instcontext = NULL, origcontext = NULL; + char *instcontext = NULL, *origcontext = NULL; #endif if (idata->flags & PAMNS_DEBUG) @@ -1965,7 +1980,7 @@ static int orig_namespace(struct instance_data *idata) */ static int ctxt_based_inst_needed(void) { - security_context_t scon = NULL; + char *scon = NULL; int rc = 0; rc = getexeccon(&scon); diff --git a/modules/pam_namespace/pam_namespace.h b/modules/pam_namespace/pam_namespace.h index 3a1e4ba3..b51f2841 100644 --- a/modules/pam_namespace/pam_namespace.h +++ b/modules/pam_namespace/pam_namespace.h @@ -68,6 +68,7 @@ #include <selinux/selinux.h> #include <selinux/get_context_list.h> #include <selinux/context.h> +#include <selinux/label.h> #endif #ifndef CLONE_NEWNS diff --git a/modules/pam_namespace/pam_namespace_helper.8 b/modules/pam_namespace/pam_namespace_helper.8 index 88fbe71f..df93df2e 100644 --- a/modules/pam_namespace/pam_namespace_helper.8 +++ b/modules/pam_namespace/pam_namespace_helper.8 @@ -2,12 +2,12 @@ .\" Title: pam_namespace_helper .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 06/08/2020 +.\" Date: 09/03/2021 .\" Manual: Linux-PAM Manual .\" Source: Linux-PAM Manual .\" Language: English .\" -.TH "PAM_NAMESPACE_HELPER" "8" "06/08/2020" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_NAMESPACE_HELPER" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- |