From 902026536a826400014a7508b008e41269d081e6 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 18 Apr 2008 12:53:38 +0000 Subject: Relevant BUGIDs: Purpose of commit: new feature Commit summary: --------------- 2008-04-18 Tomas Mraz * modules/pam_namespace/pam_namespace.c: New functions unprotect_dirs(), cleanup_protect_data(), protect_mount(), protect_dir() to protect directory by bind mount. (cleanup_data): Renamed to cleanup_polydir_data(). (parse_create_params): Allow missing specification of mode or owner. (check_inst_parent): Call protect_dir() on the instance parent directory. The directory is created when it doesn't exist. (create_polydir): Protect and make the polydir by protect_dir(), remove potential races. (create_dirs): Renamed to create_instance(), remove call to inst_init(). (ns_setup): Call protect_dir() on the polydir if it already exists. Call inst_init() after the polydir is mounted. (setup_namespace): Set the namespace protect data to be cleaned up on pam_close_session()/pam_end(). (pam_sm_open_session): Initialize the protect_dirs. (pam_sm_close_session): Cleanup namespace protect data. * modules/pam_namespace/pam_namespace.h: Define struct for the stack of protected dirs. * modules/pam_namespace/pam_namespace.8.xml: Document when the instance init script is called. * modules/pam_namespace/namespace.conf.5.xml: Likewise.
---
 modules/pam_namespace/pam_namespace.h | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'modules/pam_namespace/pam_namespace.h')
diff --git a/modules/pam_namespace/pam_namespace.h b/modules/pam_namespace/pam_namespace.h
index bfc0da17..da21bd70 100644
--- a/modules/pam_namespace/pam_namespace.h
+++ b/modules/pam_namespace/pam_namespace.h
@@ -107,6 +107,7 @@
 
 #define NAMESPACE_MAX_DIR_LEN 80
 #define NAMESPACE_POLYDIR_DATA "pam_namespace:polydir_data"
+#define NAMESPACE_PROTECT_DATA "pam_namespace:protect_data"
 
 /*
 * Polyinstantiation method options, based on user, security context
@@ -156,9 +157,15 @@ struct polydir_s {
 struct polydir_s *next; /* pointer to the next polydir entry */
 };
 
+struct protect_dir_s {
+ char *dir; /* protected directory */
+ struct protect_dir_s *next; /* next entry */
+};
+
 struct instance_data {
 pam_handle_t *pamh; /* The pam handle for this instance */
 struct polydir_s *polydirs_ptr; /* The linked list pointer */
+ struct protect_dir_s *protect_dirs; /* The pointer to stack of mount-protected dirs */
 char user[LOGIN_NAME_MAX]; /* User name */
 char ruser[LOGIN_NAME_MAX]; /* Requesting user name */
 uid_t uid; /* The uid of the user */
@@ -166,3 +173,4 @@ struct instance_data {
 uid_t ruid; /* The uid of the requesting user */
 unsigned long flags; /* Flags for debug, selinux etc */
 };
+
-- 
cgit v1.2.3
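Review bot: The new `struct protect_dir_s` and the `protect_dirs` field in `struct instance_data` say nothing about ownership or unwind order, and for a list that determines which bind mounts are undone when the session ends that contract belongs in the header. I would add a block comment above the struct stating that entries are pushed by protect_dir() and released by unprotect_dirs() (both named in the commit message), whether `dir` is a heap copy owned by the entry, and that the stack is unwound from the head; this needs confirming against pam_namespace.c, which is not part of this view. Because `protect_dirs` is a raw pointer that the cleanup path follows, every place that sets up an `instance_data` must start it at NULL; the commit message mentions this only for pam_sm_open_session, so pam_sm_close_session is worth checking. The field comment could read `/* stack of bind-mount-protected dirs, NULL when empty */`.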