From dc6242a1bf47aadd1cb3ab8572167969f48621c0 Mon Sep 17 00:00:00 2001 From: Olivier Bal-Petre Date: Mon, 24 Feb 2025 10:09:21 +0100 Subject: pam_namespace: fix logic in return value handling The case in which protect_dir() returns an error and the flag POLYDIR_CREATE (flag "create" in namespace.conf) is not set was not handled. Therefore, the program continued without a polydir and returned later on failed mount(2) or stat(2) calls. Signed-off-by: Olivier Bal-Petre --- modules/pam_namespace/pam_namespace.c | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c index ba7910f6..4b62700d 100644 --- a/modules/pam_namespace/pam_namespace.c +++ b/modules/pam_namespace/pam_namespace.c @@ -1654,16 +1654,14 @@ static int ns_setup(struct polydir_s *polyptr, retval = protect_dir(polyptr->dir, 0, 0, idata); - if (retval < 0 && errno != ENOENT) { - pam_syslog(idata->pamh, LOG_ERR, "Polydir %s access error: %m", - polyptr->dir); - return PAM_SESSION_ERR; - } - if (retval < 0) { - if ((polyptr->flags & POLYDIR_CREATE) && - create_polydir(polyptr, idata) != PAM_SUCCESS) - return PAM_SESSION_ERR; + if (errno != ENOENT || !(polyptr->flags & POLYDIR_CREATE)) { + pam_syslog(idata->pamh, LOG_ERR, "Polydir %s access error: %m", + polyptr->dir); + return PAM_SESSION_ERR; + } + if (create_polydir(polyptr, idata) != PAM_SUCCESS) + return PAM_SESSION_ERR; } else { close(retval); } -- cgit v1.2.3
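Review bot: The new `if (errno != ENOENT || !(polyptr->flags & POLYDIR_CREATE))` test chooses between failing the session and calling create_polydir() from an errno value read after protect_dir() has already returned, and the `%m` in the log line depends on the same value. protect_dir() is not part of this hunk, so whether it restores errno after its own cleanup cannot be confirmed from here; if it does, a one-line comment such as `/* protect_dir() preserves errno on failure */` above the test would record that contract. The same "access error" message is now logged both for real access failures and for a missing directory without the `create` flag, so a separate message for the second case, for example `"Polydir %s does not exist and create is not set"`, would tell an administrator which namespace.conf entry to fix. ns_setup() starts and ends outside the hunk.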