diff options
Diffstat (limited to 'modules/pam_namespace')
21 files changed, 5764 insertions, 0 deletions
diff --git a/modules/pam_namespace/Makefile.am b/modules/pam_namespace/Makefile.am new file mode 100644 index 0000000..47cc38e --- /dev/null +++ b/modules/pam_namespace/Makefile.am @@ -0,0 +1,48 @@ +# +# Copyright (c) 2009 Thorsten Kukuk <kukuk@thkukuk.de> +# Copyright (c) 2006 Red Hat, Inc. +# + +CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README + +EXTRA_DIST = $(XMLS) + +if HAVE_DOC +dist_man_MANS = namespace.conf.5 pam_namespace.8 pam_namespace_helper.8 +endif +XMLS = README.xml namespace.conf.5.xml pam_namespace.8.xml pam_namespace_helper.8.xml +dist_check_SCRIPTS = tst-pam_namespace +TESTS = $(dist_check_SCRIPTS) + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +namespaceddir = $(SCONFIGDIR)/namespace.d +servicedir = $(systemdunitdir) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + -DSECURECONF_DIR=\"$(SCONFIGDIR)/\" $(WARN_CFLAGS) +AM_LDFLAGS = -no-undefined -avoid-version -module +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +noinst_HEADERS = md5.h pam_namespace.h argv_parse.h + +securelib_LTLIBRARIES = pam_namespace.la +pam_namespace_la_SOURCES = pam_namespace.c md5.c argv_parse.c +pam_namespace_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ + +dist_secureconf_DATA = namespace.conf +dist_secureconf_SCRIPTS = namespace.init +service_DATA = pam_namespace.service + +install-data-local: + mkdir -p $(DESTDIR)$(namespaceddir) + +sbin_SCRIPTS = pam_namespace_helper + +if ENABLE_REGENERATE_MAN +dist_noinst_DATA = README +-include $(top_srcdir)/Make.xml.rules +endif diff --git a/modules/pam_namespace/Makefile.in b/modules/pam_namespace/Makefile.in new file mode 100644 index 0000000..e21c836 --- /dev/null +++ b/modules/pam_namespace/Makefile.in @@ -0,0 +1,1348 @@ +# Makefile.in generated by automake 1.16.3 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2020 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2009 Thorsten Kukuk <kukuk@thkukuk.de> +# Copyright (c) 2006 Red Hat, Inc. +# + + + + +VPATH = @srcdir@ +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_namespace +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ + $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ + $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ + $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(dist_secureconf_SCRIPTS) $(am__dist_noinst_DATA_DIST) \ + $(dist_secureconf_DATA) $(noinst_HEADERS) $(am__DIST_COMMON) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = pam_namespace_helper pam_namespace.service +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +am__installdirs = "$(DESTDIR)$(securelibdir)" \ + "$(DESTDIR)$(secureconfdir)" "$(DESTDIR)$(sbindir)" \ + "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" \ + "$(DESTDIR)$(secureconfdir)" "$(DESTDIR)$(servicedir)" +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_namespace_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la +am_pam_namespace_la_OBJECTS = pam_namespace.lo md5.lo argv_parse.lo +pam_namespace_la_OBJECTS = $(am_pam_namespace_la_OBJECTS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +SCRIPTS = $(dist_secureconf_SCRIPTS) $(sbin_SCRIPTS) +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/argv_parse.Plo ./$(DEPDIR)/md5.Plo \ + ./$(DEPDIR)/pam_namespace.Plo +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(pam_namespace_la_SOURCES) +DIST_SOURCES = $(pam_namespace_la_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +man5dir = $(mandir)/man5 +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) $(dist_secureconf_DATA) $(service_DATA) +HEADERS = $(noinst_HEADERS) +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. +am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +am__tty_colors_dummy = \ + mgn= red= grn= lgn= blu= brg= std=; \ + am__color_tests=no +am__tty_colors = { \ + $(am__tty_colors_dummy); \ + if test "X$(AM_COLOR_TESTS)" = Xno; then \ + am__color_tests=no; \ + elif test "X$(AM_COLOR_TESTS)" = Xalways; then \ + am__color_tests=yes; \ + elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \ + am__color_tests=yes; \ + fi; \ + if test $$am__color_tests = yes; then \ + red='[0;31m'; \ + grn='[0;32m'; \ + lgn='[1;32m'; \ + blu='[1;34m'; \ + mgn='[0;35m'; \ + brg='[1m'; \ + std='[m'; \ + fi; \ +} +am__recheck_rx = ^[ ]*:recheck:[ ]* +am__global_test_result_rx = ^[ ]*:global-test-result:[ ]* +am__copy_in_global_log_rx = ^[ ]*:copy-in-global-log:[ ]* +# A command that, given a newline-separated list of test names on the +# standard input, print the name of the tests that are to be re-run +# upon "make recheck". +am__list_recheck_tests = $(AWK) '{ \ + recheck = 1; \ + while ((rc = (getline line < ($$0 ".trs"))) != 0) \ + { \ + if (rc < 0) \ + { \ + if ((getline line2 < ($$0 ".log")) < 0) \ + recheck = 0; \ + break; \ + } \ + else if (line ~ /$(am__recheck_rx)[nN][Oo]/) \ + { \ + recheck = 0; \ + break; \ + } \ + else if (line ~ /$(am__recheck_rx)[yY][eE][sS]/) \ + { \ + break; \ + } \ + }; \ + if (recheck) \ + print $$0; \ + close ($$0 ".trs"); \ + close ($$0 ".log"); \ +}' +# A command that, given a newline-separated list of test names on the +# standard input, create the global log from their .trs and .log files. +am__create_global_log = $(AWK) ' \ +function fatal(msg) \ +{ \ + print "fatal: making $@: " msg | "cat >&2"; \ + exit 1; \ +} \ +function rst_section(header) \ +{ \ + print header; \ + len = length(header); \ + for (i = 1; i <= len; i = i + 1) \ + printf "="; \ + printf "\n\n"; \ +} \ +{ \ + copy_in_global_log = 1; \ + global_test_result = "RUN"; \ + while ((rc = (getline line < ($$0 ".trs"))) != 0) \ + { \ + if (rc < 0) \ + fatal("failed to read from " $$0 ".trs"); \ + if (line ~ /$(am__global_test_result_rx)/) \ + { \ + sub("$(am__global_test_result_rx)", "", line); \ + sub("[ ]*$$", "", line); \ + global_test_result = line; \ + } \ + else if (line ~ /$(am__copy_in_global_log_rx)[nN][oO]/) \ + copy_in_global_log = 0; \ + }; \ + if (copy_in_global_log) \ + { \ + rst_section(global_test_result ": " $$0); \ + while ((rc = (getline line < ($$0 ".log"))) != 0) \ + { \ + if (rc < 0) \ + fatal("failed to read from " $$0 ".log"); \ + print line; \ + }; \ + printf "\n"; \ + }; \ + close ($$0 ".trs"); \ + close ($$0 ".log"); \ +}' +# Restructured Text title. +am__rst_title = { sed 's/.*/ & /;h;s/./=/g;p;x;s/ *$$//;p;g' && echo; } +# Solaris 10 'make', and several other traditional 'make' implementations, +# pass "-e" to $(SHELL), and POSIX 2008 even requires this. Work around it +# by disabling -e (using the XSI extension "set +e") if it's set. +am__sh_e_setup = case $$- in *e*) set +e;; esac +# Default flags passed to test drivers. +am__common_driver_flags = \ + --color-tests "$$am__color_tests" \ + --enable-hard-errors "$$am__enable_hard_errors" \ + --expect-failure "$$am__expect_failure" +# To be inserted before the command running the test. Creates the +# directory for the log if needed. Stores in $dir the directory +# containing $f, in $tst the test, in $log the log. Executes the +# developer- defined test setup AM_TESTS_ENVIRONMENT (if any), and +# passes TESTS_ENVIRONMENT. Set up options for the wrapper that +# will run the test scripts (or their associated LOG_COMPILER, if +# thy have one). +am__check_pre = \ +$(am__sh_e_setup); \ +$(am__vpath_adj_setup) $(am__vpath_adj) \ +$(am__tty_colors); \ +srcdir=$(srcdir); export srcdir; \ +case "$@" in \ + */*) am__odir=`echo "./$@" | sed 's|/[^/]*$$||'`;; \ + *) am__odir=.;; \ +esac; \ +test "x$$am__odir" = x"." || test -d "$$am__odir" \ + || $(MKDIR_P) "$$am__odir" || exit $$?; \ +if test -f "./$$f"; then dir=./; \ +elif test -f "$$f"; then dir=; \ +else dir="$(srcdir)/"; fi; \ +tst=$$dir$$f; log='$@'; \ +if test -n '$(DISABLE_HARD_ERRORS)'; then \ + am__enable_hard_errors=no; \ +else \ + am__enable_hard_errors=yes; \ +fi; \ +case " $(XFAIL_TESTS) " in \ + *[\ \ ]$$f[\ \ ]* | *[\ \ ]$$dir$$f[\ \ ]*) \ + am__expect_failure=yes;; \ + *) \ + am__expect_failure=no;; \ +esac; \ +$(AM_TESTS_ENVIRONMENT) $(TESTS_ENVIRONMENT) +# A shell command to get the names of the tests scripts with any registered +# extension removed (i.e., equivalently, the names of the test logs, with +# the '.log' extension removed). The result is saved in the shell variable +# '$bases'. This honors runtime overriding of TESTS and TEST_LOGS. Sadly, +# we cannot use something simpler, involving e.g., "$(TEST_LOGS:.log=)", +# since that might cause problem with VPATH rewrites for suffix-less tests. +# See also 'test-harness-vpath-rewrite.sh' and 'test-trs-basic.sh'. +am__set_TESTS_bases = \ + bases='$(TEST_LOGS)'; \ + bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ + bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' +RECHECK_LOGS = $(TEST_LOGS) +AM_RECURSIVE_TARGETS = check recheck +TEST_SUITE_LOG = test-suite.log +TEST_EXTENSIONS = @EXEEXT@ .test +LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver +LOG_COMPILE = $(LOG_COMPILER) $(AM_LOG_FLAGS) $(LOG_FLAGS) +am__set_b = \ + case '$@' in \ + */*) \ + case '$*' in \ + */*) b='$*';; \ + *) b=`echo '$@' | sed 's/\.log$$//'`; \ + esac;; \ + *) \ + b='$*';; \ + esac +am__test_logs1 = $(TESTS:=.log) +am__test_logs2 = $(am__test_logs1:@EXEEXT@.log=.log) +TEST_LOGS = $(am__test_logs2:.test.log=.log) +TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver +TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ + $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(srcdir)/pam_namespace.service.in \ + $(srcdir)/pam_namespace_helper.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +BUILD_CFLAGS = @BUILD_CFLAGS@ +BUILD_CPPFLAGS = @BUILD_CPPFLAGS@ +BUILD_LDFLAGS = @BUILD_LDFLAGS@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CC_FOR_BUILD = @CC_FOR_BUILD@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ +FGREP = @FGREP@ +FO2PDF = @FO2PDF@ +GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +NIS_CFLAGS = @NIS_CFLAGS@ +NIS_LIBS = @NIS_LIBS@ +NM = @NM@ +NMEDIT = @NMEDIT@ +NSL_CFLAGS = @NSL_CFLAGS@ +NSL_LIBS = @NSL_LIBS@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ +STRIP = @STRIP@ +TIRPC_CFLAGS = @TIRPC_CFLAGS@ +TIRPC_LIBS = @TIRPC_LIBS@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = namespace.conf.5 pam_namespace.8 pam_namespace_helper.8 +XMLS = README.xml namespace.conf.5.xml pam_namespace.8.xml pam_namespace_helper.8.xml +dist_check_SCRIPTS = tst-pam_namespace +TESTS = $(dist_check_SCRIPTS) +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +namespaceddir = $(SCONFIGDIR)/namespace.d +servicedir = $(systemdunitdir) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + -DSECURECONF_DIR=\"$(SCONFIGDIR)/\" $(WARN_CFLAGS) + +AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) +noinst_HEADERS = md5.h pam_namespace.h argv_parse.h +securelib_LTLIBRARIES = pam_namespace.la +pam_namespace_la_SOURCES = pam_namespace.c md5.c argv_parse.c +pam_namespace_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ +dist_secureconf_DATA = namespace.conf +dist_secureconf_SCRIPTS = namespace.init +service_DATA = pam_namespace.service +sbin_SCRIPTS = pam_namespace_helper +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .log .o .obj .test .test$(EXEEXT) .trs +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_namespace/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_namespace/Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +pam_namespace_helper: $(top_builddir)/config.status $(srcdir)/pam_namespace_helper.in + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ +pam_namespace.service: $(top_builddir)/config.status $(srcdir)/pam_namespace.service.in + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ + +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(securelibdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(securelibdir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(securelibdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(securelibdir)"; \ + } + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$f"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +pam_namespace.la: $(pam_namespace_la_OBJECTS) $(pam_namespace_la_DEPENDENCIES) $(EXTRA_pam_namespace_la_DEPENDENCIES) + $(AM_V_CCLD)$(LINK) -rpath $(securelibdir) $(pam_namespace_la_OBJECTS) $(pam_namespace_la_LIBADD) $(LIBS) +install-dist_secureconfSCRIPTS: $(dist_secureconf_SCRIPTS) + @$(NORMAL_INSTALL) + @list='$(dist_secureconf_SCRIPTS)'; test -n "$(secureconfdir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(secureconfdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(secureconfdir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \ + done | \ + sed -e 'p;s,.*/,,;n' \ + -e 'h;s|.*|.|' \ + -e 'p;x;s,.*/,,;$(transform)' | sed 'N;N;N;s,\n, ,g' | \ + $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1; } \ + { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ + if ($$2 == $$4) { files[d] = files[d] " " $$1; \ + if (++n[d] == $(am__install_max)) { \ + print "f", d, files[d]; n[d] = 0; files[d] = "" } } \ + else { print "f", d "/" $$4, $$1 } } \ + END { for (d in files) print "f", d, files[d] }' | \ + while read type dir files; do \ + if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ + test -z "$$files" || { \ + echo " $(INSTALL_SCRIPT) $$files '$(DESTDIR)$(secureconfdir)$$dir'"; \ + $(INSTALL_SCRIPT) $$files "$(DESTDIR)$(secureconfdir)$$dir" || exit $$?; \ + } \ + ; done + +uninstall-dist_secureconfSCRIPTS: + @$(NORMAL_UNINSTALL) + @list='$(dist_secureconf_SCRIPTS)'; test -n "$(secureconfdir)" || exit 0; \ + files=`for p in $$list; do echo "$$p"; done | \ + sed -e 's,.*/,,;$(transform)'`; \ + dir='$(DESTDIR)$(secureconfdir)'; $(am__uninstall_files_from_dir) +install-sbinSCRIPTS: $(sbin_SCRIPTS) + @$(NORMAL_INSTALL) + @list='$(sbin_SCRIPTS)'; test -n "$(sbindir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(sbindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(sbindir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \ + done | \ + sed -e 'p;s,.*/,,;n' \ + -e 'h;s|.*|.|' \ + -e 'p;x;s,.*/,,;$(transform)' | sed 'N;N;N;s,\n, ,g' | \ + $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1; } \ + { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ + if ($$2 == $$4) { files[d] = files[d] " " $$1; \ + if (++n[d] == $(am__install_max)) { \ + print "f", d, files[d]; n[d] = 0; files[d] = "" } } \ + else { print "f", d "/" $$4, $$1 } } \ + END { for (d in files) print "f", d, files[d] }' | \ + while read type dir files; do \ + if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ + test -z "$$files" || { \ + echo " $(INSTALL_SCRIPT) $$files '$(DESTDIR)$(sbindir)$$dir'"; \ + $(INSTALL_SCRIPT) $$files "$(DESTDIR)$(sbindir)$$dir" || exit $$?; \ + } \ + ; done + +uninstall-sbinSCRIPTS: + @$(NORMAL_UNINSTALL) + @list='$(sbin_SCRIPTS)'; test -n "$(sbindir)" || exit 0; \ + files=`for p in $$list; do echo "$$p"; done | \ + sed -e 's,.*/,,;$(transform)'`; \ + dir='$(DESTDIR)$(sbindir)'; $(am__uninstall_files_from_dir) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/argv_parse.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_namespace.Plo@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man5: $(dist_man_MANS) + @$(NORMAL_INSTALL) + @list1=''; \ + list2='$(dist_man_MANS)'; \ + test -n "$(man5dir)" \ + && test -n "`echo $$list1$$list2`" \ + || exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man5dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man5dir)" || exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + | sed -n '/\.5[a-z]*$$/p'; \ + fi; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man5dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man5dir)" || exit $$?; }; \ + done; } + +uninstall-man5: + @$(NORMAL_UNINSTALL) + @list=''; test -n "$(man5dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.5[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + dir='$(DESTDIR)$(man5dir)'; $(am__uninstall_files_from_dir) +install-man8: $(dist_man_MANS) + @$(NORMAL_INSTALL) + @list1=''; \ + list2='$(dist_man_MANS)'; \ + test -n "$(man8dir)" \ + && test -n "`echo $$list1$$list2`" \ + || exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + | sed -n '/\.8[a-z]*$$/p'; \ + fi; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \ + done; } + +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list=''; test -n "$(man8dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.8[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) +install-dist_secureconfDATA: $(dist_secureconf_DATA) + @$(NORMAL_INSTALL) + @list='$(dist_secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(secureconfdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(secureconfdir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(secureconfdir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(secureconfdir)" || exit $$?; \ + done + +uninstall-dist_secureconfDATA: + @$(NORMAL_UNINSTALL) + @list='$(dist_secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(secureconfdir)'; $(am__uninstall_files_from_dir) +install-serviceDATA: $(service_DATA) + @$(NORMAL_INSTALL) + @list='$(service_DATA)'; test -n "$(servicedir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(servicedir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(servicedir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(servicedir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(servicedir)" || exit $$?; \ + done + +uninstall-serviceDATA: + @$(NORMAL_UNINSTALL) + @list='$(service_DATA)'; test -n "$(servicedir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(servicedir)'; $(am__uninstall_files_from_dir) + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +# Recover from deleted '.trs' file; this should ensure that +# "rm -f foo.log; make foo.trs" re-run 'foo.test', and re-create +# both 'foo.log' and 'foo.trs'. Break the recipe in two subshells +# to avoid problems with "make -n". +.log.trs: + rm -f $< $@ + $(MAKE) $(AM_MAKEFLAGS) $< + +# Leading 'am--fnord' is there to ensure the list of targets does not +# expand to empty, as could happen e.g. with make check TESTS=''. +am--fnord $(TEST_LOGS) $(TEST_LOGS:.log=.trs): $(am__force_recheck) +am--force-recheck: + @: + +$(TEST_SUITE_LOG): $(TEST_LOGS) + @$(am__set_TESTS_bases); \ + am__f_ok () { test -f "$$1" && test -r "$$1"; }; \ + redo_bases=`for i in $$bases; do \ + am__f_ok $$i.trs && am__f_ok $$i.log || echo $$i; \ + done`; \ + if test -n "$$redo_bases"; then \ + redo_logs=`for i in $$redo_bases; do echo $$i.log; done`; \ + redo_results=`for i in $$redo_bases; do echo $$i.trs; done`; \ + if $(am__make_dryrun); then :; else \ + rm -f $$redo_logs && rm -f $$redo_results || exit 1; \ + fi; \ + fi; \ + if test -n "$$am__remaking_logs"; then \ + echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ + "recursion detected" >&2; \ + elif test -n "$$redo_logs"; then \ + am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ + fi; \ + if $(am__make_dryrun); then :; else \ + st=0; \ + errmsg="fatal: making $(TEST_SUITE_LOG): failed to create"; \ + for i in $$redo_bases; do \ + test -f $$i.trs && test -r $$i.trs \ + || { echo "$$errmsg $$i.trs" >&2; st=1; }; \ + test -f $$i.log && test -r $$i.log \ + || { echo "$$errmsg $$i.log" >&2; st=1; }; \ + done; \ + test $$st -eq 0 || exit 1; \ + fi + @$(am__sh_e_setup); $(am__tty_colors); $(am__set_TESTS_bases); \ + ws='[ ]'; \ + results=`for b in $$bases; do echo $$b.trs; done`; \ + test -n "$$results" || results=/dev/null; \ + all=` grep "^$$ws*:test-result:" $$results | wc -l`; \ + pass=` grep "^$$ws*:test-result:$$ws*PASS" $$results | wc -l`; \ + fail=` grep "^$$ws*:test-result:$$ws*FAIL" $$results | wc -l`; \ + skip=` grep "^$$ws*:test-result:$$ws*SKIP" $$results | wc -l`; \ + xfail=`grep "^$$ws*:test-result:$$ws*XFAIL" $$results | wc -l`; \ + xpass=`grep "^$$ws*:test-result:$$ws*XPASS" $$results | wc -l`; \ + error=`grep "^$$ws*:test-result:$$ws*ERROR" $$results | wc -l`; \ + if test `expr $$fail + $$xpass + $$error` -eq 0; then \ + success=true; \ + else \ + success=false; \ + fi; \ + br='==================='; br=$$br$$br$$br$$br; \ + result_count () \ + { \ + if test x"$$1" = x"--maybe-color"; then \ + maybe_colorize=yes; \ + elif test x"$$1" = x"--no-color"; then \ + maybe_colorize=no; \ + else \ + echo "$@: invalid 'result_count' usage" >&2; exit 4; \ + fi; \ + shift; \ + desc=$$1 count=$$2; \ + if test $$maybe_colorize = yes && test $$count -gt 0; then \ + color_start=$$3 color_end=$$std; \ + else \ + color_start= color_end=; \ + fi; \ + echo "$${color_start}# $$desc $$count$${color_end}"; \ + }; \ + create_testsuite_report () \ + { \ + result_count $$1 "TOTAL:" $$all "$$brg"; \ + result_count $$1 "PASS: " $$pass "$$grn"; \ + result_count $$1 "SKIP: " $$skip "$$blu"; \ + result_count $$1 "XFAIL:" $$xfail "$$lgn"; \ + result_count $$1 "FAIL: " $$fail "$$red"; \ + result_count $$1 "XPASS:" $$xpass "$$red"; \ + result_count $$1 "ERROR:" $$error "$$mgn"; \ + }; \ + { \ + echo "$(PACKAGE_STRING): $(subdir)/$(TEST_SUITE_LOG)" | \ + $(am__rst_title); \ + create_testsuite_report --no-color; \ + echo; \ + echo ".. contents:: :depth: 2"; \ + echo; \ + for b in $$bases; do echo $$b; done \ + | $(am__create_global_log); \ + } >$(TEST_SUITE_LOG).tmp || exit 1; \ + mv $(TEST_SUITE_LOG).tmp $(TEST_SUITE_LOG); \ + if $$success; then \ + col="$$grn"; \ + else \ + col="$$red"; \ + test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ + fi; \ + echo "$${col}$$br$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ + echo "$${col}$$br$${std}"; \ + create_testsuite_report --maybe-color; \ + echo "$$col$$br$$std"; \ + if $$success; then :; else \ + echo "$${col}See $(subdir)/$(TEST_SUITE_LOG)$${std}"; \ + if test -n "$(PACKAGE_BUGREPORT)"; then \ + echo "$${col}Please report to $(PACKAGE_BUGREPORT)$${std}"; \ + fi; \ + echo "$$col$$br$$std"; \ + fi; \ + $$success || exit 1 + +check-TESTS: $(dist_check_SCRIPTS) + @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list + @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list + @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) + @set +e; $(am__set_TESTS_bases); \ + log_list=`for i in $$bases; do echo $$i.log; done`; \ + trs_list=`for i in $$bases; do echo $$i.trs; done`; \ + log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ + $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ + exit $$?; +recheck: all $(dist_check_SCRIPTS) + @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) + @set +e; $(am__set_TESTS_bases); \ + bases=`for i in $$bases; do echo $$i; done \ + | $(am__list_recheck_tests)` || exit 1; \ + log_list=`for i in $$bases; do echo $$i.log; done`; \ + log_list=`echo $$log_list`; \ + $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) \ + am__force_recheck=am--force-recheck \ + TEST_LOGS="$$log_list"; \ + exit $$? +tst-pam_namespace.log: tst-pam_namespace + @p='tst-pam_namespace'; \ + b='tst-pam_namespace'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +.test.log: + @p='$<'; \ + $(am__set_b); \ + $(am__check_pre) $(TEST_LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +@am__EXEEXT_TRUE@.test$(EXEEXT).log: +@am__EXEEXT_TRUE@ @p='$<'; \ +@am__EXEEXT_TRUE@ $(am__set_b); \ +@am__EXEEXT_TRUE@ $(am__check_pre) $(TEST_LOG_DRIVER) --test-name "$$f" \ +@am__EXEEXT_TRUE@ --log-file $$b.log --trs-file $$b.trs \ +@am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ +@am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) + +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(SCRIPTS) $(MANS) $(DATA) $(HEADERS) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(secureconfdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(secureconfdir)" "$(DESTDIR)$(servicedir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + -test -z "$(TEST_LOGS)" || rm -f $(TEST_LOGS) + -test -z "$(TEST_LOGS:.log=.trs)" || rm -f $(TEST_LOGS:.log=.trs) + -test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." + -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -f ./$(DEPDIR)/argv_parse.Plo + -rm -f ./$(DEPDIR)/md5.Plo + -rm -f ./$(DEPDIR)/pam_namespace.Plo + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-data-local install-dist_secureconfDATA \ + install-dist_secureconfSCRIPTS install-man \ + install-securelibLTLIBRARIES install-serviceDATA + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: install-sbinSCRIPTS + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: install-man5 install-man8 + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f ./$(DEPDIR)/argv_parse.Plo + -rm -f ./$(DEPDIR)/md5.Plo + -rm -f ./$(DEPDIR)/pam_namespace.Plo + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-dist_secureconfDATA \ + uninstall-dist_secureconfSCRIPTS uninstall-man \ + uninstall-sbinSCRIPTS uninstall-securelibLTLIBRARIES \ + uninstall-serviceDATA + +uninstall-man: uninstall-man5 uninstall-man8 + +.MAKE: check-am install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-data-local install-dist_secureconfDATA \ + install-dist_secureconfSCRIPTS install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-man install-man5 \ + install-man8 install-pdf install-pdf-am install-ps \ + install-ps-am install-sbinSCRIPTS install-securelibLTLIBRARIES \ + install-serviceDATA install-strip installcheck installcheck-am \ + installdirs maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am recheck tags tags-am \ + uninstall uninstall-am uninstall-dist_secureconfDATA \ + uninstall-dist_secureconfSCRIPTS uninstall-man uninstall-man5 \ + uninstall-man8 uninstall-sbinSCRIPTS \ + uninstall-securelibLTLIBRARIES uninstall-serviceDATA + +.PRECIOUS: Makefile + + +install-data-local: + mkdir -p $(DESTDIR)$(namespaceddir) +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/modules/pam_namespace/README b/modules/pam_namespace/README new file mode 100644 index 0000000..106a073 --- /dev/null +++ b/modules/pam_namespace/README @@ -0,0 +1,227 @@ +pam_namespace — PAM module for configuring namespace for a session + +━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ + +DESCRIPTION + +The pam_namespace PAM module sets up a private namespace for a session with +polyinstantiated directories. A polyinstantiated directory provides a different +instance of itself based on user name, or when using SELinux, user name, +security context or both. If an executable script /etc/security/namespace.init +exists, it is used to initialize the instance directory after it is set up and +mounted on the polyinstantiated directory. The script receives the +polyinstantiated directory path, the instance directory path, flag whether the +instance directory was newly created (0 for no, 1 for yes), and the user name +as its arguments. + +The pam_namespace module disassociates the session namespace from the parent +namespace. Any mounts/unmounts performed in the parent namespace, such as +mounting of devices, are not reflected in the session namespace. To propagate +selected mount/unmount events from the parent namespace into the disassociated +session namespace, an administrator may use the special shared-subtree feature. +For additional information on shared-subtree feature, please refer to the mount +(8) man page and the shared-subtree description at http://lwn.net/Articles/ +159077 and http://lwn.net/Articles/159092. + +OPTIONS + +debug + + A lot of debug information is logged using syslog + +unmnt_remnt + + For programs such as su and newrole, the login session has already setup a + polyinstantiated namespace. For these programs, polyinstantiation is + performed based on new user id or security context, however the command + first needs to undo the polyinstantiation performed by login. This argument + instructs the command to first undo previous polyinstantiation before + proceeding with new polyinstantiation based on new id/context + +unmnt_only + + For trusted programs that want to undo any existing bind mounts and process + instance directories on their own, this argument allows them to unmount + currently mounted instance directories + +require_selinux + + If selinux is not enabled, return failure + +gen_hash + + Instead of using the security context string for the instance name, + generate and use its md5 hash. + +ignore_config_error + + If a line in the configuration file corresponding to a polyinstantiated + directory contains format error, skip that line process the next line. + Without this option, pam will return an error to the calling program + resulting in termination of the session. + +ignore_instance_parent_mode + + Instance parent directories by default are expected to have the restrictive + mode of 000. Using this option, an administrator can choose to ignore the + mode of the instance parent. This option should be used with caution as it + will reduce security and isolation goals of the polyinstantiation + mechanism. + +unmount_on_close + + Explicitly unmount the polyinstantiated directories instead of relying on + automatic namespace destruction after the last process in a namespace + exits. This option should be used only in case it is ensured by other means + that there cannot be any processes running in the private namespace left + after the session close. It is also useful only in case there are multiple + pam session calls in sequence from the same process. + +use_current_context + + Useful for services which do not change the SELinux context with setexeccon + call. The module will use the current SELinux context of the calling + process for the level and context polyinstantiation. + +use_default_context + + Useful for services which do not use pam_selinux for changing the SELinux + context with setexeccon call. The module will use the default SELinux + context of the user for the level and context polyinstantiation. + +mount_private + + This option can be used on systems where the / mount point or its submounts + are made shared (for example with a mount --make-rshared / command). The + module will mark the whole directory tree so any mount and unmount + operations in the polyinstantiation namespace are private. Normally the + pam_namespace will try to detect the shared / mount point and make the + polyinstantiated directories private automatically. This option has to be + used just when only a subtree is shared and / is not. + + Note that mounts and unmounts done in the private namespace will not affect + the parent namespace if this option is used or when the shared / mount + point is autodetected. + +DESCRIPTION + +The pam_namespace.so module allows setup of private namespaces with +polyinstantiated directories. Directories can be polyinstantiated based on user +name or, in the case of SELinux, user name, sensitivity level or complete +security context. If an executable script /etc/security/namespace.init exists, +it is used to initialize the namespace every time an instance directory is set +up and mounted. The script receives the polyinstantiated directory path and the +instance directory path as its arguments. + +The /etc/security/namespace.conf file specifies which directories are +polyinstantiated, how they are polyinstantiated, how instance directories would +be named, and any users for whom polyinstantiation would not be performed. + +When someone logs in, the file namespace.conf is scanned. Comments are marked +by # characters. Each non comment line represents one polyinstantiated +directory. The fields are separated by spaces but can be quoted by " characters +also escape sequences \b, \n, and \t are recognized. The fields are as follows: + +polydir instance_prefix method list_of_uids + +The first field, polydir, is the absolute pathname of the directory to +polyinstantiate. The special string $HOME is replaced with the user's home +directory, and $USER with the username. This field cannot be blank. + +The second field, instance_prefix is the string prefix used to build the +pathname for the instantiation of <polydir>. Depending on the polyinstantiation +method it is then appended with "instance differentiation string" to generate +the final instance directory path. This directory is created if it did not +exist already, and is then bind mounted on the <polydir> to provide an instance +of <polydir> based on the <method> column. The special string $HOME is replaced +with the user's home directory, and $USER with the username. This field cannot +be blank. + +The third field, method, is the method used for polyinstantiation. It can take +these values; "user" for polyinstantiation based on user name, "level" for +polyinstantiation based on process MLS level and user name, "context" for +polyinstantiation based on process security context and user name, "tmpfs" for +mounting tmpfs filesystem as an instance dir, and "tmpdir" for creating +temporary directory as an instance dir which is removed when the user's session +is closed. Methods "context" and "level" are only available with SELinux. This +field cannot be blank. + +The fourth field, list_of_uids, is a comma separated list of user names for +whom the polyinstantiation is not performed. If left blank, polyinstantiation +will be performed for all users. If the list is preceded with a single "~" +character, polyinstantiation is performed only for users in the list. + +The method field can contain also following optional flags separated by : +characters. + +create=mode,owner,group - create the polyinstantiated directory. The mode, +owner and group parameters are optional. The default for mode is determined by +umask, the default owner is the user whose session is opened, the default group +is the primary group of the user. + +iscript=path - path to the instance directory init script. The base directory +for relative paths is /etc/security/namespace.d. + +noinit - instance directory init script will not be executed. + +shared - the instance directories for "context" and "level" methods will not +contain the user name and will be shared among all users. + +mntopts=value - value of this flag is passed to the mount call when the tmpfs +mount is done. It allows for example the specification of the maximum size of +the tmpfs instance that is created by the mount call. In addition to options +specified in the tmpfs(5) manual the nosuid, noexec, and nodev flags can be +used to respectively disable setuid bit effect, disable running executables, +and disable devices to be interpreted on the mounted tmpfs filesystem. + +The directory where polyinstantiated instances are to be created, must exist +and must have, by default, the mode of 0000. The requirement that the instance +parent be of mode 0000 can be overridden with the command line option +ignore_instance_parent_mode + +In case of context or level polyinstantiation the SELinux context which is used +for polyinstantiation is the context used for executing a new process as +obtained by getexeccon. This context must be set by the calling application or +pam_selinux.so module. If this context is not set the polyinstatiation will be +based just on user name. + +The "instance differentiation string" is <user name> for "user" method and +<user name>_<raw directory context> for "context" and "level" methods. If the +whole string is too long the end of it is replaced with md5sum of itself. Also +when command line option gen_hash is used the whole string is replaced with +md5sum of itself. + +EXAMPLES + +These are some example lines which might be specified in /etc/security/ +namespace.conf. + + + # The following three lines will polyinstantiate /tmp, + # /var/tmp and user's home directories. /tmp and /var/tmp + # will be polyinstantiated based on the security level + # as well as user name, whereas home directory will be + # polyinstantiated based on the full security context and user name. + # Polyinstantiation will not be performed for user root + # and adm for directories /tmp and /var/tmp, whereas home + # directories will be polyinstantiated for all users. + # + # Note that instance directories do not have to reside inside + # the polyinstantiated directory. In the examples below, + # instances of /tmp will be created in /tmp-inst directory, + # where as instances of /var/tmp and users home directories + # will reside within the directories that are being + # polyinstantiated. + # + /tmp /tmp-inst/ level root,adm + /var/tmp /var/tmp/tmp-inst/ level root,adm + $HOME $HOME/$USER.inst/inst- context + + +For the <service>s you need polyinstantiation (login for example) put the +following line in /etc/pam.d/<service> as the last line for session group: + +session required pam_namespace.so [arguments] + +This module also depends on pam_selinux.so setting the context. + diff --git a/modules/pam_namespace/README.xml b/modules/pam_namespace/README.xml new file mode 100644 index 0000000..4ef99c9 --- /dev/null +++ b/modules/pam_namespace/README.xml @@ -0,0 +1,44 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamns SYSTEM "pam_namespace.8.xml"> +--> +<!-- +<!ENTITY nsconf SYSTEM "namespace.conf.5.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_namespace.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_namespace-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_namespace.8.xml" xpointer='xpointer(//refsect1[@id = "pam_namespace-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_namespace.8.xml" xpointer='xpointer(//refsect1[@id = "pam_namespace-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="namespace.conf.5.xml" xpointer='xpointer(//refsect1[@id = "namespace.conf-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="namespace.conf.5.xml" xpointer='xpointer(//refsect1[@id = "namespace.conf-examples"]/*)'/> + </section> + +</article> diff --git a/modules/pam_namespace/argv_parse.c b/modules/pam_namespace/argv_parse.c new file mode 100644 index 0000000..4051054 --- /dev/null +++ b/modules/pam_namespace/argv_parse.c @@ -0,0 +1,172 @@ +/* + * argv_parse.c --- utility function for parsing a string into a + * argc, argv array. + * + * This file defines a function argv_parse() which parsing a + * passed-in string, handling double quotes and backslashes, and + * creates an allocated argv vector which can be freed using the + * argv_free() function. + * + * See argv_parse.h for the formal definition of the functions. + * + * Copyright 1999 by Theodore Ts'o. + * + * Permission to use, copy, modify, and distribute this software for + * any purpose with or without fee is hereby granted, provided that + * the above copyright notice and this permission notice appear in all + * copies. THE SOFTWARE IS PROVIDED "AS IS" AND THEODORE TS'O (THE + * AUTHOR) DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, + * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER + * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR + * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. (Isn't + * it sick that the U.S. culture of lawsuit-happy lawyers requires + * this kind of disclaimer?) + * + * Version 1.1, modified 2/27/1999 + */ + +#include <stdlib.h> +#include <ctype.h> +#include <string.h> +#include "argv_parse.h" + +#define STATE_WHITESPACE 1 +#define STATE_TOKEN 2 +#define STATE_QUOTED 3 + +/* + * Returns 0 on success, -1 on failure. + */ +int argv_parse(const char *in_buf, int *ret_argc, char ***ret_argv) +{ + int argc = 0, max_argc = 0; + char **argv, **new_argv, *buf, ch; + const char *cp = NULL; + char *outcp = NULL; + int state = STATE_WHITESPACE; + + buf = malloc(strlen(in_buf)+1); + if (!buf) + return -1; + + argv = NULL; + outcp = buf; + for (cp = in_buf; (ch = *cp); cp++) { + if (state == STATE_WHITESPACE) { + if (isspace((int) ch)) + continue; + /* Not whitespace, so start a new token */ + state = STATE_TOKEN; + if (argc >= max_argc) { + max_argc += 3; + new_argv = realloc(argv, + (max_argc+1)*sizeof(char *)); + if (!new_argv) { + if (argv) free(argv); + free(buf); + return -1; + } + argv = new_argv; + } + argv[argc++] = outcp; + } + if (state == STATE_QUOTED) { + if (ch == '"') + state = STATE_TOKEN; + else + *outcp++ = ch; + continue; + } + /* Must be processing characters in a word */ + if (isspace((int) ch)) { + /* + * Terminate the current word and start + * looking for the beginning of the next word. + */ + *outcp++ = 0; + state = STATE_WHITESPACE; + continue; + } + if (ch == '"') { + state = STATE_QUOTED; + continue; + } + if (ch == '\\') { + ch = *++cp; + switch (ch) { + case '\0': + ch = '\\'; cp--; break; + case 'n': + ch = '\n'; break; + case 't': + ch = '\t'; break; + case 'b': + ch = '\b'; break; + } + } + *outcp++ = ch; + } + if (state != STATE_WHITESPACE) + *outcp++ = '\0'; + if (ret_argv) { + if (argv == NULL) { + free(buf); + if ((argv=malloc(sizeof(char *))) == NULL) + return -1; + } + argv[argc] = NULL; + *ret_argv = argv; + } else { + free(buf); + free(argv); + } + if (ret_argc) + *ret_argc = argc; + return 0; +} + +void argv_free(char **argv) +{ + if (argv) { + if (*argv) + free(*argv); + free(argv); + } +} + +#ifdef DEBUG_ARGV_PARSE +/* + * For debugging + */ + +#include <stdio.h> + +int main(int argc, char **argv) +{ + int ac, ret; + char **av, **cpp; + char buf[256]; + + while (!feof(stdin)) { + if (fgets(buf, sizeof(buf), stdin) == NULL) + break; + ret = argv_parse(buf, &ac, &av); + if (ret != 0) { + printf("Argv_parse returned %d!\n", ret); + continue; + } + printf("Argv_parse returned %d arguments...\n", ac); + for (cpp = av; *cpp; cpp++) { + if (cpp != av) + printf(", "); + printf("'%s'", *cpp); + } + printf("\n"); + argv_free(av); + } + exit(0); +} +#endif diff --git a/modules/pam_namespace/argv_parse.h b/modules/pam_namespace/argv_parse.h new file mode 100644 index 0000000..c7878fc --- /dev/null +++ b/modules/pam_namespace/argv_parse.h @@ -0,0 +1,43 @@ +/* + * argv_parse.h --- header file for the argv parser. + * + * This file defines the interface for the functions argv_parse() and + * argv_free(). + * + *********************************************************************** + * int argv_parse(char *in_buf, int *ret_argc, char ***ret_argv) + * + * This function takes as its first argument a string which it will + * parse into an argv argument vector, with each white-space separated + * word placed into its own slot in the argv. This function handles + * double quotes and backslashes so that the parsed words can contain + * special characters. The count of the number words found in the + * parsed string, as well as the argument vector, are returned into + * ret_argc and ret_argv, respectively. + *********************************************************************** + * extern void argv_free(char **argv); + * + * This function frees the argument vector created by argv_parse(). + *********************************************************************** + * + * Copyright 1999 by Theodore Ts'o. + * + * Permission to use, copy, modify, and distribute this software for + * any purpose with or without fee is hereby granted, provided that + * the above copyright notice and this permission notice appear in all + * copies. THE SOFTWARE IS PROVIDED "AS IS" AND THEODORE TS'O (THE + * AUTHOR) DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, + * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER + * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR + * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. (Isn't + * it sick that the U.S. culture of lawsuit-happy lawyers requires + * this kind of disclaimer?) + * + * Version 1.1, modified 2/27/1999 + */ + +extern int argv_parse(const char *in_buf, int *ret_argc, char ***ret_argv); +extern void argv_free(char **argv); diff --git a/modules/pam_namespace/md5.c b/modules/pam_namespace/md5.c new file mode 100644 index 0000000..22e41ee --- /dev/null +++ b/modules/pam_namespace/md5.c @@ -0,0 +1,261 @@ +/* + * $Id$ + * + * This code implements the MD5 message-digest algorithm. + * The algorithm is due to Ron Rivest. This code was + * written by Colin Plumb in 1993, no copyright is claimed. + * This code is in the public domain; do with it what you wish. + * + * Equivalent code is available from RSA Data Security, Inc. + * This code has been tested against that, and is equivalent, + * except that you don't need to include two pages of legalese + * with every copy. + * + * To compute the message digest of a chunk of bytes, declare an + * MD5Context structure, pass it to MD5Init, call MD5Update as + * needed on buffers full of bytes, and then call MD5Final, which + * will fill a supplied 16-byte array with the digest. + * + */ + +#include "md5.h" +#include <string.h> + +#define MD5Name(x) x + +#ifdef WORDS_BIGENDIAN +typedef unsigned char PAM_ATTRIBUTE_ALIGNED(4) uint8_aligned; + +static void byteReverse(uint8_aligned *buf, unsigned longs); + +/* + * Note: this code is harmless on little-endian machines. + */ +static void byteReverse(uint8_aligned *buf, unsigned longs) +{ + uint32 t; + do { + t = (uint32) ((unsigned) buf[3] << 8 | buf[2]) << 16 | + ((unsigned) buf[1] << 8 | buf[0]); + *(uint32 *) buf = t; + buf += 4; + } while (--longs); +} +#else +#define byteReverse(buf, len) /* Nothing */ +#endif + +/* + * Start MD5 accumulation. Set bit count to 0 and buffer to mysterious + * initialization constants. + */ +void MD5Name(MD5Init)(struct MD5Context *ctx) +{ + ctx->buf.i[0] = 0x67452301U; + ctx->buf.i[1] = 0xefcdab89U; + ctx->buf.i[2] = 0x98badcfeU; + ctx->buf.i[3] = 0x10325476U; + + ctx->bits[0] = 0; + ctx->bits[1] = 0; +} + +/* + * Update context to reflect the concatenation of another buffer full + * of bytes. + */ +void MD5Name(MD5Update)(struct MD5Context *ctx, unsigned const char *buf, unsigned len) +{ + uint32 t; + + /* Update bitcount */ + + t = ctx->bits[0]; + if ((ctx->bits[0] = t + ((uint32) len << 3)) < t) + ctx->bits[1]++; /* Carry from low to high */ + ctx->bits[1] += len >> 29; + + t = (t >> 3) & 0x3f; /* Bytes already in shsInfo->data */ + + /* Handle any leading odd-sized chunks */ + + if (t) { + unsigned char *p = ctx->in.c + t; + + t = 64 - t; + if (len < t) { + memcpy(p, buf, len); + return; + } + memcpy(p, buf, t); + byteReverse(ctx->in.c, 16); + MD5Name(MD5Transform)(ctx->buf.i, ctx->in.i); + buf += t; + len -= t; + } + /* Process data in 64-byte chunks */ + + while (len >= 64) { + memcpy(ctx->in.c, buf, 64); + byteReverse(ctx->in.c, 16); + MD5Name(MD5Transform)(ctx->buf.i, ctx->in.i); + buf += 64; + len -= 64; + } + + /* Handle any remaining bytes of data. */ + + memcpy(ctx->in.c, buf, len); +} + +/* + * Final wrapup - pad to 64-byte boundary with the bit pattern + * 1 0* (64-bit count of bits processed, MSB-first) + */ +void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx) +{ + unsigned count; + unsigned char *p; + + /* Compute number of bytes mod 64 */ + count = (ctx->bits[0] >> 3) & 0x3F; + + /* Set the first char of padding to 0x80. This is safe since there is + always at least one byte free */ + p = ctx->in.c + count; + *p++ = 0x80; + + /* Bytes of padding needed to make 64 bytes */ + count = 64 - 1 - count; + + /* Pad out to 56 mod 64 */ + if (count < 8) { + /* Two lots of padding: Pad the first block to 64 bytes */ + memset(p, 0, count); + byteReverse(ctx->in.c, 16); + MD5Name(MD5Transform)(ctx->buf.i, ctx->in.i); + + /* Now fill the next block with 56 bytes */ + memset(ctx->in.c, 0, 56); + } else { + /* Pad block to 56 bytes */ + memset(p, 0, count - 8); + } + byteReverse(ctx->in.c, 14); + + /* Append length in bits and transform */ + memcpy(ctx->in.i + 14, ctx->bits, 2*sizeof(uint32)); + + MD5Name(MD5Transform)(ctx->buf.i, ctx->in.i); + byteReverse(ctx->buf.c, 4); + memcpy(digest, ctx->buf.c, 16); + memset(ctx, 0, sizeof(*ctx)); /* In case it's sensitive */ +} + +/* The four core functions - F1 is optimized somewhat */ + +/* #define F1(x, y, z) (x & y | ~x & z) */ +#define F1(x, y, z) (z ^ (x & (y ^ z))) +#define F2(x, y, z) F1(z, x, y) +#define F3(x, y, z) (x ^ y ^ z) +#define F4(x, y, z) (y ^ (x | ~z)) + +/* This is the central step in the MD5 algorithm. */ +#define MD5STEP(f, w, x, y, z, data, s) \ + ( w += f(x, y, z) + data, w = w<<s | w>>(32-s), w += x ) + +/* + * The core of the MD5 algorithm, this alters an existing MD5 hash to + * reflect the addition of 16 longwords of new data. MD5Update blocks + * the data and converts bytes into longwords for this routine. + */ +void MD5Name(MD5Transform)(uint32 buf[4], uint32 const in[16]) +{ + register uint32 a, b, c, d; + + a = buf[0]; + b = buf[1]; + c = buf[2]; + d = buf[3]; + + MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478U, 7); + MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756U, 12); + MD5STEP(F1, c, d, a, b, in[2] + 0x242070dbU, 17); + MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceeeU, 22); + MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0fafU, 7); + MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62aU, 12); + MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613U, 17); + MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501U, 22); + MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8U, 7); + MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7afU, 12); + MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1U, 17); + MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7beU, 22); + MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122U, 7); + MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193U, 12); + MD5STEP(F1, c, d, a, b, in[14] + 0xa679438eU, 17); + MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821U, 22); + + MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562U, 5); + MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340U, 9); + MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51U, 14); + MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aaU, 20); + MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105dU, 5); + MD5STEP(F2, d, a, b, c, in[10] + 0x02441453U, 9); + MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681U, 14); + MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8U, 20); + MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6U, 5); + MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6U, 9); + MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87U, 14); + MD5STEP(F2, b, c, d, a, in[8] + 0x455a14edU, 20); + MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905U, 5); + MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8U, 9); + MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9U, 14); + MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8aU, 20); + + MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942U, 4); + MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681U, 11); + MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122U, 16); + MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380cU, 23); + MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44U, 4); + MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9U, 11); + MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60U, 16); + MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70U, 23); + MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6U, 4); + MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127faU, 11); + MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085U, 16); + MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05U, 23); + MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039U, 4); + MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5U, 11); + MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8U, 16); + MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665U, 23); + + MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244U, 6); + MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97U, 10); + MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7U, 15); + MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039U, 21); + MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3U, 6); + MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92U, 10); + MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47dU, 15); + MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1U, 21); + MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4fU, 6); + MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0U, 10); + MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314U, 15); + MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1U, 21); + MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82U, 6); + MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235U, 10); + MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bbU, 15); + MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391U, 21); + + buf[0] += a; + buf[1] += b; + buf[2] += c; + buf[3] += d; +} + +void MD5Name(MD5)(unsigned const char *buf, unsigned len, unsigned char digest[16]) +{ + struct MD5Context ctx; + MD5Name(MD5Init)(&ctx); + MD5Name(MD5Update)(&ctx, buf, len); + MD5Name(MD5Final)(digest, &ctx); +} diff --git a/modules/pam_namespace/md5.h b/modules/pam_namespace/md5.h new file mode 100644 index 0000000..501aab4 --- /dev/null +++ b/modules/pam_namespace/md5.h @@ -0,0 +1,36 @@ + +#ifndef MD5_H +#define MD5_H + +#include "pam_cc_compat.h" + +typedef unsigned int uint32; + +struct MD5Context { + union { + uint32 i[4]; + unsigned char c[16] PAM_ATTRIBUTE_ALIGNED(4); + } buf; + uint32 bits[2]; + union { + uint32 i[16]; + unsigned char c[64] PAM_ATTRIBUTE_ALIGNED(4); + } in; +}; + +#define MD5_DIGEST_LENGTH 16 + +void MD5Init(struct MD5Context *); +void MD5Update(struct MD5Context *, unsigned const char *, unsigned); +void MD5Final(unsigned char digest[MD5_DIGEST_LENGTH], struct MD5Context *); +void MD5Transform(uint32 buf[4], uint32 const in[MD5_DIGEST_LENGTH]); +void MD5(unsigned const char *, unsigned, unsigned char digest[MD5_DIGEST_LENGTH]); + + +/* + * This is needed to make RSAREF happy on some MS-DOS compilers. + */ + +typedef struct MD5Context MD5_CTX; + +#endif /* MD5_H */ diff --git a/modules/pam_namespace/namespace.conf b/modules/pam_namespace/namespace.conf new file mode 100644 index 0000000..75ec619 --- /dev/null +++ b/modules/pam_namespace/namespace.conf @@ -0,0 +1,31 @@ +# /etc/security/namespace.conf +# +# See /usr/share/doc/pam-*/txts/README.pam_namespace for more information. +# +# Uncommenting the following three lines will polyinstantiate +# /tmp, /var/tmp and user's home directories. /tmp and /var/tmp will +# be polyinstantiated based on the MLS level part of the security context as well as user +# name, Polyinstantion will not be performed for user root and adm for directories +# /tmp and /var/tmp, whereas home directories will be polyinstantiated for all users. +# The user name and context is appended to the instance prefix. +# +# Note that instance directories do not have to reside inside the +# polyinstantiated directory. In the examples below, instances of /tmp +# will be created in /tmp-inst directory, where as instances of /var/tmp +# and users home directories will reside within the directories that +# are being polyinstantiated. +# +# Instance parent directories must exist for the polyinstantiation +# mechanism to work. By default, they should be created with the mode +# of 000. pam_namespace module will enforce this mode unless it +# is explicitly called with an argument to ignore the mode of the +# instance parent. System administrators should use this argument with +# caution, as it will reduce security and isolation achieved by +# polyinstantiation. The parent directories (except $HOME) are created +# at boot by pam_namespace_helper, but in a live system, system +# administrators should create the parent directories before enabling +# them here. +# +#/tmp /tmp-inst/ level root,adm +#/var/tmp /var/tmp/tmp-inst/ level root,adm +#$HOME $HOME/$USER.inst/ level diff --git a/modules/pam_namespace/namespace.conf.5 b/modules/pam_namespace/namespace.conf.5 new file mode 100644 index 0000000..ff122cb --- /dev/null +++ b/modules/pam_namespace/namespace.conf.5 @@ -0,0 +1,168 @@ +'\" t +.\" Title: namespace.conf +.\" Author: [see the "AUTHORS" section] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "NAMESPACE\&.CONF" "5" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +namespace.conf \- the namespace configuration file +.SH "DESCRIPTION" +.PP +The +\fIpam_namespace\&.so\fR +module allows setup of private namespaces with polyinstantiated directories\&. Directories can be polyinstantiated based on user name or, in the case of SELinux, user name, sensitivity level or complete security context\&. If an executable script +/etc/security/namespace\&.init +exists, it is used to initialize the namespace every time an instance directory is set up and mounted\&. The script receives the polyinstantiated directory path and the instance directory path as its arguments\&. +.PP +The +/etc/security/namespace\&.conf +file specifies which directories are polyinstantiated, how they are polyinstantiated, how instance directories would be named, and any users for whom polyinstantiation would not be performed\&. +.PP +When someone logs in, the file +namespace\&.conf +is scanned\&. Comments are marked by +\fI#\fR +characters\&. Each non comment line represents one polyinstantiated directory\&. The fields are separated by spaces but can be quoted by +\fI"\fR +characters also escape sequences +\fI\eb\fR, +\fI\en\fR, and +\fI\et\fR +are recognized\&. The fields are as follows: +.PP +\fIpolydir\fR +\fIinstance_prefix\fR +\fImethod\fR +\fIlist_of_uids\fR +.PP +The first field, +\fIpolydir\fR, is the absolute pathname of the directory to polyinstantiate\&. The special string +\fI$HOME\fR +is replaced with the user\*(Aqs home directory, and +\fI$USER\fR +with the username\&. This field cannot be blank\&. +.PP +The second field, +\fIinstance_prefix\fR +is the string prefix used to build the pathname for the instantiation of <polydir>\&. Depending on the polyinstantiation +\fImethod\fR +it is then appended with "instance differentiation string" to generate the final instance directory path\&. This directory is created if it did not exist already, and is then bind mounted on the <polydir> to provide an instance of <polydir> based on the <method> column\&. The special string +\fI$HOME\fR +is replaced with the user\*(Aqs home directory, and +\fI$USER\fR +with the username\&. This field cannot be blank\&. +.PP +The third field, +\fImethod\fR, is the method used for polyinstantiation\&. It can take these values; "user" for polyinstantiation based on user name, "level" for polyinstantiation based on process MLS level and user name, "context" for polyinstantiation based on process security context and user name, "tmpfs" for mounting tmpfs filesystem as an instance dir, and "tmpdir" for creating temporary directory as an instance dir which is removed when the user\*(Aqs session is closed\&. Methods "context" and "level" are only available with SELinux\&. This field cannot be blank\&. +.PP +The fourth field, +\fIlist_of_uids\fR, is a comma separated list of user names for whom the polyinstantiation is not performed\&. If left blank, polyinstantiation will be performed for all users\&. If the list is preceded with a single "~" character, polyinstantiation is performed only for users in the list\&. +.PP +The +\fImethod\fR +field can contain also following optional flags separated by +\fI:\fR +characters\&. +.PP +\fIcreate\fR=\fImode\fR,\fIowner\fR,\fIgroup\fR +\- create the polyinstantiated directory\&. The mode, owner and group parameters are optional\&. The default for mode is determined by umask, the default owner is the user whose session is opened, the default group is the primary group of the user\&. +.PP +\fIiscript\fR=\fIpath\fR +\- path to the instance directory init script\&. The base directory for relative paths is +/etc/security/namespace\&.d\&. +.PP +\fInoinit\fR +\- instance directory init script will not be executed\&. +.PP +\fIshared\fR +\- the instance directories for "context" and "level" methods will not contain the user name and will be shared among all users\&. +.PP +\fImntopts\fR=\fIvalue\fR +\- value of this flag is passed to the mount call when the tmpfs mount is done\&. It allows for example the specification of the maximum size of the tmpfs instance that is created by the mount call\&. In addition to options specified in the +\fBtmpfs\fR(5) +manual the +\fInosuid\fR, +\fInoexec\fR, and +\fInodev\fR +flags can be used to respectively disable setuid bit effect, disable running executables, and disable devices to be interpreted on the mounted tmpfs filesystem\&. +.PP +The directory where polyinstantiated instances are to be created, must exist and must have, by default, the mode of 0000\&. The requirement that the instance parent be of mode 0000 can be overridden with the command line option +\fIignore_instance_parent_mode\fR +.PP +In case of context or level polyinstantiation the SELinux context which is used for polyinstantiation is the context used for executing a new process as obtained by getexeccon\&. This context must be set by the calling application or +pam_selinux\&.so +module\&. If this context is not set the polyinstatiation will be based just on user name\&. +.PP +The "instance differentiation string" is <user name> for "user" method and <user name>_<raw directory context> for "context" and "level" methods\&. If the whole string is too long the end of it is replaced with md5sum of itself\&. Also when command line option +\fIgen_hash\fR +is used the whole string is replaced with md5sum of itself\&. +.SH "EXAMPLES" +.PP +These are some example lines which might be specified in +/etc/security/namespace\&.conf\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf + # The following three lines will polyinstantiate /tmp, + # /var/tmp and user\*(Aqs home directories\&. /tmp and /var/tmp + # will be polyinstantiated based on the security level + # as well as user name, whereas home directory will be + # polyinstantiated based on the full security context and user name\&. + # Polyinstantiation will not be performed for user root + # and adm for directories /tmp and /var/tmp, whereas home + # directories will be polyinstantiated for all users\&. + # + # Note that instance directories do not have to reside inside + # the polyinstantiated directory\&. In the examples below, + # instances of /tmp will be created in /tmp\-inst directory, + # where as instances of /var/tmp and users home directories + # will reside within the directories that are being + # polyinstantiated\&. + # + /tmp /tmp\-inst/ level root,adm + /var/tmp /var/tmp/tmp\-inst/ level root,adm + $HOME $HOME/$USER\&.inst/inst\- context + +.fi +.if n \{\ +.RE +.\} +.PP +For the <service>s you need polyinstantiation (login for example) put the following line in /etc/pam\&.d/<service> as the last line for session group: +.PP +session required pam_namespace\&.so [arguments] +.PP +This module also depends on pam_selinux\&.so setting the context\&. +.SH "SEE ALSO" +.PP +\fBpam_namespace\fR(8), +\fBpam.d\fR(5), +\fBpam\fR(8) +.SH "AUTHORS" +.PP +The namespace\&.conf manual page was written by Janak Desai <janak@us\&.ibm\&.com>\&. More features added by Tomas Mraz <tmraz@redhat\&.com>\&. diff --git a/modules/pam_namespace/namespace.conf.5.xml b/modules/pam_namespace/namespace.conf.5.xml new file mode 100644 index 0000000..a94b49e --- /dev/null +++ b/modules/pam_namespace/namespace.conf.5.xml @@ -0,0 +1,223 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="namespace.conf"> + + <refmeta> + <refentrytitle>namespace.conf</refentrytitle> + <manvolnum>5</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv> + <refname>namespace.conf</refname> + <refpurpose>the namespace configuration file</refpurpose> + </refnamediv> + + + <refsect1 id='namespace.conf-description'> + <title>DESCRIPTION</title> + + <para> + The <emphasis>pam_namespace.so</emphasis> module allows setup of + private namespaces with polyinstantiated directories. + Directories can be polyinstantiated based on user name + or, in the case of SELinux, user name, sensitivity level or complete security context. If an + executable script <filename>/etc/security/namespace.init</filename> + exists, it is used to initialize the namespace every time an instance + directory is set up and mounted. The script receives the polyinstantiated + directory path and the instance directory path as its arguments. + </para> + + <para> + The <filename>/etc/security/namespace.conf</filename> file specifies + which directories are polyinstantiated, how they are polyinstantiated, + how instance directories would be named, and any users for whom + polyinstantiation would not be performed. + </para> + + <para> + When someone logs in, the file <filename>namespace.conf</filename> is + scanned. Comments are marked by <emphasis>#</emphasis> characters. + Each non comment line represents one polyinstantiated + directory. The fields are separated by spaces but can be quoted by + <emphasis>"</emphasis> characters also escape + sequences <emphasis>\b</emphasis>, <emphasis>\n</emphasis>, and + <emphasis>\t</emphasis> are recognized. The fields are as follows: + </para> + + <para><replaceable>polydir</replaceable> <replaceable>instance_prefix</replaceable> <replaceable>method</replaceable> <replaceable>list_of_uids</replaceable> + </para> + + <para> + The first field, <replaceable>polydir</replaceable>, is the absolute + pathname of the directory to polyinstantiate. The special string + <emphasis>$HOME</emphasis> is replaced with the user's home directory, + and <emphasis>$USER</emphasis> with the username. This field cannot + be blank. + </para> + + <para> + The second field, <replaceable>instance_prefix</replaceable> is + the string prefix used to build the pathname for the instantiation + of <polydir>. Depending on the polyinstantiation + <replaceable>method</replaceable> it is then appended with + "instance differentiation string" to generate the final + instance directory path. This directory is created if it did not exist + already, and is then bind mounted on the <polydir> to provide an + instance of <polydir> based on the <method> column. + The special string <emphasis>$HOME</emphasis> is replaced with the + user's home directory, and <emphasis>$USER</emphasis> with the username. + This field cannot be blank. + </para> + + <para> + The third field, <replaceable>method</replaceable>, is the method + used for polyinstantiation. It can take these values; "user" + for polyinstantiation based on user name, "level" for + polyinstantiation based on process MLS level and user name, "context" for + polyinstantiation based on process security context and user name, + "tmpfs" for mounting tmpfs filesystem as an instance dir, and + "tmpdir" for creating temporary directory as an instance dir which is + removed when the user's session is closed. + Methods "context" and "level" are only available with SELinux. This + field cannot be blank. + </para> + + <para> + The fourth field, <replaceable>list_of_uids</replaceable>, is + a comma separated list of user names for whom the polyinstantiation + is not performed. If left blank, polyinstantiation will be performed + for all users. If the list is preceded with a single "~" character, + polyinstantiation is performed only for users in the list. + </para> + + <para> + The <replaceable>method</replaceable> field can contain also following + optional flags separated by <emphasis>:</emphasis> characters. + </para> + + <para><emphasis>create</emphasis>=<replaceable>mode</replaceable>,<replaceable>owner</replaceable>,<replaceable>group</replaceable> + - create the polyinstantiated directory. The mode, owner and group parameters + are optional. The default for mode is determined by umask, the default + owner is the user whose session is opened, the default group is the + primary group of the user. + </para> + + <para><emphasis>iscript</emphasis>=<replaceable>path</replaceable> + - path to the instance directory init script. The base directory for relative + paths is <filename>/etc/security/namespace.d</filename>. + </para> + + <para><emphasis>noinit</emphasis> + - instance directory init script will not be executed. + </para> + + <para><emphasis>shared</emphasis> + - the instance directories for "context" and "level" methods will not + contain the user name and will be shared among all users. + </para> + + <para><emphasis>mntopts</emphasis>=<replaceable>value</replaceable> + - value of this flag is passed to the mount call when the tmpfs mount is + done. It allows for example the specification of the maximum size of the + tmpfs instance that is created by the mount call. In addition to + options specified in the <citerefentry> + <refentrytitle>tmpfs</refentrytitle><manvolnum>5</manvolnum> + </citerefentry> manual the <emphasis>nosuid</emphasis>, + <emphasis>noexec</emphasis>, and <emphasis>nodev</emphasis> flags + can be used to respectively disable setuid bit effect, disable running + executables, and disable devices to be interpreted on the mounted + tmpfs filesystem. + </para> + + <para> + The directory where polyinstantiated instances are to be + created, must exist and must have, by default, the mode of 0000. The + requirement that the instance parent be of mode 0000 can be overridden + with the command line option <emphasis>ignore_instance_parent_mode</emphasis> + </para> + + <para> + In case of context or level polyinstantiation the SELinux context + which is used for polyinstantiation is the context used for executing + a new process as obtained by getexeccon. This context must be set + by the calling application or <filename>pam_selinux.so</filename> + module. If this context is not set the polyinstatiation will be + based just on user name. + </para> + + <para> + The "instance differentiation string" is <user name> for "user" + method and <user name>_<raw directory context> for "context" + and "level" methods. If the whole string is too long the end of it is + replaced with md5sum of itself. Also when command line option + <emphasis>gen_hash</emphasis> is used the whole string is replaced + with md5sum of itself. + </para> + + </refsect1> + + <refsect1 id="namespace.conf-examples"> + <title>EXAMPLES</title> + <para> + These are some example lines which might be specified in + <filename>/etc/security/namespace.conf</filename>. + </para> + + <literallayout> + # The following three lines will polyinstantiate /tmp, + # /var/tmp and user's home directories. /tmp and /var/tmp + # will be polyinstantiated based on the security level + # as well as user name, whereas home directory will be + # polyinstantiated based on the full security context and user name. + # Polyinstantiation will not be performed for user root + # and adm for directories /tmp and /var/tmp, whereas home + # directories will be polyinstantiated for all users. + # + # Note that instance directories do not have to reside inside + # the polyinstantiated directory. In the examples below, + # instances of /tmp will be created in /tmp-inst directory, + # where as instances of /var/tmp and users home directories + # will reside within the directories that are being + # polyinstantiated. + # + /tmp /tmp-inst/ level root,adm + /var/tmp /var/tmp/tmp-inst/ level root,adm + $HOME $HOME/$USER.inst/inst- context + </literallayout> + + <para> + For the <service>s you need polyinstantiation (login for example) + put the following line in /etc/pam.d/<service> as the last line for + session group: + </para> + + <para> + session required pam_namespace.so [arguments] + </para> + + <para> + This module also depends on pam_selinux.so setting the context. + </para> + + </refsect1> + + <refsect1 id="namespace.conf-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry><refentrytitle>pam_namespace</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> + </para> + </refsect1> + + <refsect1 id="namespace.conf-author"> + <title>AUTHORS</title> + <para> + The namespace.conf manual page was written by Janak Desai <janak@us.ibm.com>. + More features added by Tomas Mraz <tmraz@redhat.com>. + </para> + </refsect1> +</refentry> diff --git a/modules/pam_namespace/namespace.init b/modules/pam_namespace/namespace.init new file mode 100755 index 0000000..67d4aa2 --- /dev/null +++ b/modules/pam_namespace/namespace.init @@ -0,0 +1,25 @@ +#!/bin/sh +# It receives polydir path as $1, the instance path as $2, +# a flag whether the instance dir was newly created (0 - no, 1 - yes) in $3, +# and user name in $4. +# +# The following section will copy the contents of /etc/skel if this is a +# newly created home directory. +if [ "$3" = 1 ]; then + # This line will fix the labeling on all newly created directories + [ -x /sbin/restorecon ] && /sbin/restorecon "$1" + user="$4" + passwd=$(getent passwd "$user") + homedir=$(echo "$passwd" | cut -f6 -d":") + if [ "$1" = "$homedir" ]; then + gid=$(echo "$passwd" | cut -f4 -d":") + cp -rT /etc/skel "$homedir" + chown -R "$user":"$gid" "$homedir" + mask=$(awk '/^UMASK/{gsub("#.*$", "", $2); print $2; exit}' /etc/login.defs) + mode=$(printf "%o" $((0777 & ~$mask))) + chmod ${mode:-700} "$homedir" + [ -x /sbin/restorecon ] && /sbin/restorecon -R "$homedir" + fi +fi + +exit 0 diff --git a/modules/pam_namespace/pam_namespace.8 b/modules/pam_namespace/pam_namespace.8 new file mode 100644 index 0000000..d0afb6c --- /dev/null +++ b/modules/pam_namespace/pam_namespace.8 @@ -0,0 +1,154 @@ +'\" t +.\" Title: pam_namespace +.\" Author: [see the "AUTHORS" section] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_NAMESPACE" "8" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_namespace \- PAM module for configuring namespace for a session +.SH "SYNOPSIS" +.HP \w'\fBpam_namespace\&.so\fR\ 'u +\fBpam_namespace\&.so\fR [debug] [unmnt_remnt] [unmnt_only] [require_selinux] [gen_hash] [ignore_config_error] [ignore_instance_parent_mode] [unmount_on_close] [use_current_context] [use_default_context] [mount_private] +.SH "DESCRIPTION" +.PP +The pam_namespace PAM module sets up a private namespace for a session with polyinstantiated directories\&. A polyinstantiated directory provides a different instance of itself based on user name, or when using SELinux, user name, security context or both\&. If an executable script +/etc/security/namespace\&.init +exists, it is used to initialize the instance directory after it is set up and mounted on the polyinstantiated directory\&. The script receives the polyinstantiated directory path, the instance directory path, flag whether the instance directory was newly created (0 for no, 1 for yes), and the user name as its arguments\&. +.PP +The pam_namespace module disassociates the session namespace from the parent namespace\&. Any mounts/unmounts performed in the parent namespace, such as mounting of devices, are not reflected in the session namespace\&. To propagate selected mount/unmount events from the parent namespace into the disassociated session namespace, an administrator may use the special shared\-subtree feature\&. For additional information on shared\-subtree feature, please refer to the mount(8) man page and the shared\-subtree description at http://lwn\&.net/Articles/159077 and http://lwn\&.net/Articles/159092\&. +.SH "OPTIONS" +.PP +\fBdebug\fR +.RS 4 +A lot of debug information is logged using syslog +.RE +.PP +\fBunmnt_remnt\fR +.RS 4 +For programs such as su and newrole, the login session has already setup a polyinstantiated namespace\&. For these programs, polyinstantiation is performed based on new user id or security context, however the command first needs to undo the polyinstantiation performed by login\&. This argument instructs the command to first undo previous polyinstantiation before proceeding with new polyinstantiation based on new id/context +.RE +.PP +\fBunmnt_only\fR +.RS 4 +For trusted programs that want to undo any existing bind mounts and process instance directories on their own, this argument allows them to unmount currently mounted instance directories +.RE +.PP +\fBrequire_selinux\fR +.RS 4 +If selinux is not enabled, return failure +.RE +.PP +\fBgen_hash\fR +.RS 4 +Instead of using the security context string for the instance name, generate and use its md5 hash\&. +.RE +.PP +\fBignore_config_error\fR +.RS 4 +If a line in the configuration file corresponding to a polyinstantiated directory contains format error, skip that line process the next line\&. Without this option, pam will return an error to the calling program resulting in termination of the session\&. +.RE +.PP +\fBignore_instance_parent_mode\fR +.RS 4 +Instance parent directories by default are expected to have the restrictive mode of 000\&. Using this option, an administrator can choose to ignore the mode of the instance parent\&. This option should be used with caution as it will reduce security and isolation goals of the polyinstantiation mechanism\&. +.RE +.PP +\fBunmount_on_close\fR +.RS 4 +Explicitly unmount the polyinstantiated directories instead of relying on automatic namespace destruction after the last process in a namespace exits\&. This option should be used only in case it is ensured by other means that there cannot be any processes running in the private namespace left after the session close\&. It is also useful only in case there are multiple pam session calls in sequence from the same process\&. +.RE +.PP +\fBuse_current_context\fR +.RS 4 +Useful for services which do not change the SELinux context with setexeccon call\&. The module will use the current SELinux context of the calling process for the level and context polyinstantiation\&. +.RE +.PP +\fBuse_default_context\fR +.RS 4 +Useful for services which do not use pam_selinux for changing the SELinux context with setexeccon call\&. The module will use the default SELinux context of the user for the level and context polyinstantiation\&. +.RE +.PP +\fBmount_private\fR +.RS 4 +This option can be used on systems where the / mount point or its submounts are made shared (for example with a +\fBmount \-\-make\-rshared /\fR +command)\&. The module will mark the whole directory tree so any mount and unmount operations in the polyinstantiation namespace are private\&. Normally the pam_namespace will try to detect the shared / mount point and make the polyinstantiated directories private automatically\&. This option has to be used just when only a subtree is shared and / is not\&. +.sp +Note that mounts and unmounts done in the private namespace will not affect the parent namespace if this option is used or when the shared / mount point is autodetected\&. +.RE +.SH "MODULE TYPES PROVIDED" +.PP +Only the +\fBsession\fR +module type is provided\&. The module must not be called from multithreaded processes\&. +.SH "RETURN VALUES" +.PP +PAM_SUCCESS +.RS 4 +Namespace setup was successful\&. +.RE +.PP +PAM_SERVICE_ERR +.RS 4 +Unexpected system error occurred while setting up namespace\&. +.RE +.PP +PAM_SESSION_ERR +.RS 4 +Unexpected namespace configuration error occurred\&. +.RE +.SH "FILES" +.PP +/etc/security/namespace\&.conf +.RS 4 +Main configuration file +.RE +.PP +/etc/security/namespace\&.d +.RS 4 +Directory for additional configuration files +.RE +.PP +/etc/security/namespace\&.init +.RS 4 +Init script for instance directories +.RE +.SH "EXAMPLES" +.PP +For the <service>s you need polyinstantiation (login for example) put the following line in /etc/pam\&.d/<service> as the last line for session group: +.PP +session required pam_namespace\&.so [arguments] +.PP +To use polyinstantiation with graphical display manager gdm, please refer to gdm\*(Aqs documentation\&. +.SH "SEE ALSO" +.PP +\fBnamespace.conf\fR(5), +\fBpam.d\fR(5), +\fBmount\fR(8), +\fBpam\fR(8)\&. +.SH "AUTHORS" +.PP +The namespace setup scheme was designed by Stephen Smalley, Janak Desai and Chad Sellers\&. The pam_namespace PAM module was developed by Janak Desai <janak@us\&.ibm\&.com>, Chad Sellers <csellers@tresys\&.com> and Steve Grubb <sgrubb@redhat\&.com>\&. Additional improvements by Xavier Toth <txtoth@gmail\&.com> and Tomas Mraz <tmraz@redhat\&.com>\&. diff --git a/modules/pam_namespace/pam_namespace.8.xml b/modules/pam_namespace/pam_namespace.8.xml new file mode 100644 index 0000000..57c44c4 --- /dev/null +++ b/modules/pam_namespace/pam_namespace.8.xml @@ -0,0 +1,381 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> + +<refentry id='pam_namespace'> + + <refmeta> + <refentrytitle>pam_namespace</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id='pam_namespace-name'> + <refname>pam_namespace</refname> + <refpurpose> + PAM module for configuring namespace for a session + </refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv> + <cmdsynopsis id="pam_namespace-cmdsynopsis"> + <command>pam_namespace.so</command> + <arg choice="opt"> + debug + </arg> + <arg choice="opt"> + unmnt_remnt + </arg> + <arg choice="opt"> + unmnt_only + </arg> + <arg choice="opt"> + require_selinux + </arg> + <arg choice="opt"> + gen_hash + </arg> + <arg choice="opt"> + ignore_config_error + </arg> + <arg choice="opt"> + ignore_instance_parent_mode + </arg> + <arg choice="opt"> + unmount_on_close + </arg> + <arg choice="opt"> + use_current_context + </arg> + <arg choice="opt"> + use_default_context + </arg> + <arg choice="opt"> + mount_private + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + + <refsect1 id="pam_namespace-description"> + <title>DESCRIPTION</title> + <para> + The pam_namespace PAM module sets up a private namespace for a session + with polyinstantiated directories. A polyinstantiated directory + provides a different instance of itself based on user name, or when + using SELinux, user name, security context or both. If an executable + script <filename>/etc/security/namespace.init</filename> exists, it + is used to initialize the instance directory after it is set up + and mounted on the polyinstantiated directory. The script receives the + polyinstantiated directory path, the instance directory path, flag + whether the instance directory was newly created (0 for no, 1 for yes), + and the user name as its arguments. + </para> + + <para> + The pam_namespace module disassociates the session namespace from + the parent namespace. Any mounts/unmounts performed in the parent + namespace, such as mounting of devices, are not reflected in the + session namespace. To propagate selected mount/unmount events from + the parent namespace into the disassociated session namespace, an + administrator may use the special shared-subtree feature. For + additional information on shared-subtree feature, please refer to + the mount(8) man page and the shared-subtree description at + http://lwn.net/Articles/159077 and http://lwn.net/Articles/159092. + </para> + + </refsect1> + + <refsect1 id="pam_namespace-options"> + <title>OPTIONS</title> + <variablelist> + + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + A lot of debug information is logged using syslog + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>unmnt_remnt</option> + </term> + <listitem> + <para> + For programs such as su and newrole, the login + session has already setup a polyinstantiated + namespace. For these programs, polyinstantiation + is performed based on new user id or security + context, however the command first needs to + undo the polyinstantiation performed by login. + This argument instructs the command to + first undo previous polyinstantiation before + proceeding with new polyinstantiation based on + new id/context + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>unmnt_only</option> + </term> + <listitem> + <para> + For trusted programs that want to undo any + existing bind mounts and process instance + directories on their own, this argument allows + them to unmount currently mounted instance + directories + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>require_selinux</option> + </term> + <listitem> + <para> + If selinux is not enabled, return failure + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>gen_hash</option> + </term> + <listitem> + <para> + Instead of using the security context string + for the instance name, generate and use its + md5 hash. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>ignore_config_error</option> + </term> + <listitem> + <para> + If a line in the configuration file corresponding + to a polyinstantiated directory contains format + error, skip that line process the next line. + Without this option, pam will return an error + to the calling program resulting in termination + of the session. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>ignore_instance_parent_mode</option> + </term> + <listitem> + <para> + Instance parent directories by default are expected to have + the restrictive mode of 000. Using this option, an administrator + can choose to ignore the mode of the instance parent. This option + should be used with caution as it will reduce security and + isolation goals of the polyinstantiation mechanism. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>unmount_on_close</option> + </term> + <listitem> + <para> + Explicitly unmount the polyinstantiated directories instead + of relying on automatic namespace destruction after the last + process in a namespace exits. This option should be used + only in case it is ensured by other means that there cannot be + any processes running in the private namespace left after the + session close. It is also useful only in case there are + multiple pam session calls in sequence from the same process. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>use_current_context</option> + </term> + <listitem> + <para> + Useful for services which do not change the SELinux context + with setexeccon call. The module will use the current SELinux + context of the calling process for the level and context + polyinstantiation. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>use_default_context</option> + </term> + <listitem> + <para> + Useful for services which do not use pam_selinux for changing + the SELinux context with setexeccon call. The module will use + the default SELinux context of the user for the level and context + polyinstantiation. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>mount_private</option> + </term> + <listitem> + <para> + This option can be used on systems where the / mount point or + its submounts are made shared (for example with a + <command>mount --make-rshared /</command> command). + The module will mark the whole directory tree so any mount and + unmount operations in the polyinstantiation namespace are private. + Normally the pam_namespace will try to detect the + shared / mount point and make the polyinstantiated directories + private automatically. This option has to be used just when + only a subtree is shared and / is not. + </para> + <para> + Note that mounts and unmounts done in the private namespace will not + affect the parent namespace if this option is used or when the + shared / mount point is autodetected. + </para> + </listitem> + </varlistentry> + + </variablelist> + </refsect1> + + <refsect1 id="pam_namespace-types"> + <title>MODULE TYPES PROVIDED</title> + <para> + Only the <option>session</option> module type is provided. + The module must not be called from multithreaded processes. + </para> + </refsect1> + + <refsect1 id="pam_namespace-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Namespace setup was successful. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SERVICE_ERR</term> + <listitem> + <para> + Unexpected system error occurred while setting up namespace. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SESSION_ERR</term> + <listitem> + <para> + Unexpected namespace configuration error occurred. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_namespace-files"> + <title>FILES</title> + <variablelist> + <varlistentry> + <term><filename>/etc/security/namespace.conf</filename></term> + <listitem> + <para>Main configuration file</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><filename>/etc/security/namespace.d</filename></term> + <listitem> + <para>Directory for additional configuration files</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><filename>/etc/security/namespace.init</filename></term> + <listitem> + <para>Init script for instance directories</para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_namespace-examples"> + <title>EXAMPLES</title> + + <para> + For the <service>s you need polyinstantiation (login for example) + put the following line in /etc/pam.d/<service> as the last line for + session group: + </para> + + <para> + session required pam_namespace.so [arguments] + </para> + + <para> + To use polyinstantiation with graphical display manager gdm, please refer + to gdm's documentation. + </para> + + </refsect1> + + <refsect1 id="pam_namespace-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>namespace.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>mount</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>. + </para> + </refsect1> + + <refsect1 id="pam_namespace-authors"> + <title>AUTHORS</title> + <para> + The namespace setup scheme was designed by Stephen Smalley, Janak Desai + and Chad Sellers. + The pam_namespace PAM module was developed by Janak Desai <janak@us.ibm.com>, + Chad Sellers <csellers@tresys.com> and Steve Grubb <sgrubb@redhat.com>. + Additional improvements by Xavier Toth <txtoth@gmail.com> and Tomas Mraz + <tmraz@redhat.com>. + </para> + </refsect1> +</refentry> diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c new file mode 100644 index 0000000..4d4188d --- /dev/null +++ b/modules/pam_namespace/pam_namespace.c @@ -0,0 +1,2272 @@ +/****************************************************************************** + * A module for Linux-PAM that will set the default namespace after + * establishing a session via PAM. + * + * (C) Copyright IBM Corporation 2005 + * (C) Copyright Red Hat, Inc. 2006, 2008 + * All Rights Reserved. + * + * Written by: Janak Desai <janak@us.ibm.com> + * With Revisions by: Steve Grubb <sgrubb@redhat.com> + * Contributions by: Xavier Toth <txtoth@gmail.com>, + * Tomas Mraz <tmraz@redhat.com> + * Derived from a namespace setup patch by Chad Sellers <cdselle@tycho.nsa.gov> + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * on the rights to use, copy, modify, merge, publish, distribute, sub + * license, and/or sell copies of the Software, and to permit persons to whom + * the Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice (including the next + * paragraph) shall be included in all copies or substantial portions of the + * Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL + * IBM AND/OR THEIR SUPPLIERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#define _ATFILE_SOURCE + +#include "pam_cc_compat.h" +#include "pam_inline.h" +#include "pam_namespace.h" +#include "argv_parse.h" + +/* + * Adds an entry for a polyinstantiated directory to the linked list of + * polyinstantiated directories. It is called from process_line() while + * parsing the namespace configuration file. + */ +static void add_polydir_entry(struct instance_data *idata, + struct polydir_s *ent) +{ + /* Now attach to linked list */ + ent->next = NULL; + if (idata->polydirs_ptr == NULL) + idata->polydirs_ptr = ent; + else { + struct polydir_s *tail; + + tail = idata->polydirs_ptr; + while (tail->next) + tail = tail->next; + tail->next = ent; + } +} + +static void del_polydir(struct polydir_s *poly) +{ + if (poly) { + free(poly->uid); + free(poly->init_script); + free(poly->mount_opts); + free(poly); + } +} + +/* + * Deletes all the entries in the linked list. + */ +static void del_polydir_list(struct polydir_s *polydirs_ptr) +{ + struct polydir_s *dptr = polydirs_ptr; + + while (dptr) { + struct polydir_s *tptr = dptr; + dptr = dptr->next; + del_polydir(tptr); + } +} + +static void unprotect_dirs(struct protect_dir_s *dir) +{ + struct protect_dir_s *next; + + while (dir != NULL) { + umount(dir->dir); + free(dir->dir); + next = dir->next; + free(dir); + dir = next; + } +} + +static void cleanup_polydir_data(pam_handle_t *pamh UNUSED , void *data, int err UNUSED) +{ + del_polydir_list(data); +} + +static void cleanup_protect_data(pam_handle_t *pamh UNUSED , void *data, int err UNUSED) +{ + unprotect_dirs(data); +} + +static char *expand_variables(const char *orig, const char *var_names[], const char *var_values[]) +{ + const char *src = orig; + char *dst; + char *expanded; + char c; + size_t dstlen = 0; + while (*src) { + if (*src == '$') { + int i; + for (i = 0; var_names[i]; i++) { + int namelen = strlen(var_names[i]); + if (strncmp(var_names[i], src+1, namelen) == 0) { + dstlen += strlen(var_values[i]) - 1; /* $ */ + src += namelen; + break; + } + } + } + ++dstlen; + ++src; + } + if ((dst=expanded=malloc(dstlen + 1)) == NULL) + return NULL; + src = orig; + while ((c=*src) != '\0') { + if (c == '$') { + int i; + for (i = 0; var_names[i]; i++) { + int namelen = strlen(var_names[i]); + if (strncmp(var_names[i], src+1, namelen) == 0) { + dst = stpcpy(dst, var_values[i]); + --dst; + c = *dst; /* replace $ */ + src += namelen; + break; + } + } + } + *dst = c; + ++dst; + ++src; + } + *dst = '\0'; + return expanded; +} + +static int parse_create_params(char *params, struct polydir_s *poly) +{ + char *next; + struct passwd *pwd = NULL; + struct group *grp; + + poly->mode = (mode_t)ULONG_MAX; + poly->owner = (uid_t)ULONG_MAX; + poly->group = (gid_t)ULONG_MAX; + + if (*params != '=') + return 0; + params++; + + next = strchr(params, ','); + if (next != NULL) { + *next = '\0'; + next++; + } + + if (*params != '\0') { + errno = 0; + poly->mode = (mode_t)strtoul(params, NULL, 0); + if (errno != 0) { + poly->mode = (mode_t)ULONG_MAX; + } + } + + params = next; + if (params == NULL) + return 0; + next = strchr(params, ','); + if (next != NULL) { + *next = '\0'; + next++; + } + + if (*params != '\0') { + pwd = getpwnam(params); /* session modules are not reentrant */ + if (pwd == NULL) + return -1; + poly->owner = pwd->pw_uid; + } + + params = next; + if (params == NULL || *params == '\0') { + if (pwd != NULL) + poly->group = pwd->pw_gid; + return 0; + } + grp = getgrnam(params); + if (grp == NULL) + return -1; + poly->group = grp->gr_gid; + + return 0; +} + +static int parse_iscript_params(char *params, struct polydir_s *poly) +{ + if (*params != '=') + return 0; + params++; + + if (*params != '\0') { + if (*params != '/') { /* path is relative to NAMESPACE_D_DIR */ + if (asprintf(&poly->init_script, "%s%s", NAMESPACE_D_DIR, params) == -1) + return -1; + } else { + poly->init_script = strdup(params); + } + if (poly->init_script == NULL) + return -1; + } + return 0; +} + +struct mntflag { + const char *name; + size_t len; + unsigned long flag; +}; + +#define LITERAL_AND_LEN(x) x, sizeof(x) - 1 + +static const struct mntflag mntflags[] = { + { LITERAL_AND_LEN("noexec"), MS_NOEXEC }, + { LITERAL_AND_LEN("nosuid"), MS_NOSUID }, + { LITERAL_AND_LEN("nodev"), MS_NODEV } + }; + +static int filter_mntopts(const char *opts, char **filtered, + unsigned long *mountflags) +{ + size_t origlen = strlen(opts); + const char *end; + char *dest; + + dest = *filtered = NULL; + *mountflags = 0; + + if (origlen == 0) + return 0; + + do { + size_t len; + unsigned int i; + + end = strchr(opts, ','); + if (end == NULL) { + len = strlen(opts); + } else { + len = end - opts; + } + + for (i = 0; i < PAM_ARRAY_SIZE(mntflags); i++) { + if (mntflags[i].len != len) + continue; + if (memcmp(mntflags[i].name, opts, len) == 0) { + *mountflags |= mntflags[i].flag; + opts = end; + break; + } + } + + if (opts != end) { + if (dest != NULL) { + *dest = ','; + ++dest; + } else { + dest = *filtered = calloc(1, origlen + 1); + if (dest == NULL) + return -1; + } + memcpy(dest, opts, len); + dest += len; + } + + opts = end + 1; + } while (end != NULL); + + return 0; +} + +static int parse_method(char *method, struct polydir_s *poly, + struct instance_data *idata) +{ + enum polymethod pm; + char *sptr = NULL; + static const char *method_names[] = { "user", "context", "level", "tmpdir", + "tmpfs", NULL }; + static const char *flag_names[] = { "create", "noinit", "iscript", + "shared", "mntopts", NULL }; + static const unsigned int flag_values[] = { POLYDIR_CREATE, POLYDIR_NOINIT, + POLYDIR_ISCRIPT, POLYDIR_SHARED, POLYDIR_MNTOPTS }; + int i; + char *flag; + + method = strtok_r(method, ":", &sptr); + pm = NONE; + + for (i = 0; method_names[i]; i++) { + if (strcmp(method, method_names[i]) == 0) { + pm = i + 1; /* 0 = NONE */ + } + } + + if (pm == NONE) { + pam_syslog(idata->pamh, LOG_NOTICE, "Unknown method"); + return -1; + } + + poly->method = pm; + + while ((flag=strtok_r(NULL, ":", &sptr)) != NULL) { + for (i = 0; flag_names[i]; i++) { + int namelen = strlen(flag_names[i]); + + if (strncmp(flag, flag_names[i], namelen) == 0) { + poly->flags |= flag_values[i]; + switch (flag_values[i]) { + case POLYDIR_CREATE: + if (parse_create_params(flag+namelen, poly) != 0) { + pam_syslog(idata->pamh, LOG_CRIT, "Invalid create parameters"); + return -1; + } + break; + + case POLYDIR_ISCRIPT: + if (parse_iscript_params(flag+namelen, poly) != 0) { + pam_syslog(idata->pamh, LOG_CRIT, "Memory allocation error"); + return -1; + }; + break; + + case POLYDIR_MNTOPTS: + if (flag[namelen] != '=') + break; + if (poly->method != TMPFS) { + pam_syslog(idata->pamh, LOG_WARNING, "Mount options applicable only to tmpfs method"); + break; + } + free(poly->mount_opts); /* if duplicate mntopts specified */ + poly->mount_opts = NULL; + if (filter_mntopts(flag+namelen+1, &poly->mount_opts, &poly->mount_flags) != 0) { + pam_syslog(idata->pamh, LOG_CRIT, "Memory allocation error"); + return -1; + } + break; + } + } + } + } + + return 0; +} + +/* + * Called from parse_config_file, this function processes a single line + * of the namespace configuration file. It skips over comments and incomplete + * or malformed lines. It processes a valid line with information on + * polyinstantiating a directory by populating appropriate fields of a + * polyinstatiated directory structure and then calling add_polydir_entry to + * add that entry to the linked list of polyinstantiated directories. + */ +static int process_line(char *line, const char *home, const char *rhome, + struct instance_data *idata) +{ + char *dir = NULL, *instance_prefix = NULL, *rdir = NULL; + char *method, *uids; + char *tptr; + struct polydir_s *poly; + int retval = 0; + char **config_options = NULL; + static const char *var_names[] = {"HOME", "USER", NULL}; + const char *var_values[] = {home, idata->user}; + const char *rvar_values[] = {rhome, idata->ruser}; + int len; + + /* + * skip the leading white space + */ + while (*line && isspace(*line)) + line++; + + /* + * Rip off the comments + */ + tptr = strchr(line,'#'); + if (tptr) + *tptr = '\0'; + + /* + * Rip off the newline char + */ + tptr = strchr(line,'\n'); + if (tptr) + *tptr = '\0'; + + /* + * Anything left ? + */ + if (line[0] == 0) + return 0; + + poly = calloc(1, sizeof(*poly)); + if (poly == NULL) + goto erralloc; + + /* + * Initialize and scan the five strings from the line from the + * namespace configuration file. + */ + retval = argv_parse(line, NULL, &config_options); + if (retval != 0) { + goto erralloc; + } + + dir = config_options[0]; + if (dir == NULL) { + pam_syslog(idata->pamh, LOG_NOTICE, "Invalid line missing polydir"); + goto skipping; + } + instance_prefix = config_options[1]; + if (instance_prefix == NULL) { + pam_syslog(idata->pamh, LOG_NOTICE, "Invalid line missing instance_prefix"); + instance_prefix = NULL; + goto skipping; + } + method = config_options[2]; + if (method == NULL) { + pam_syslog(idata->pamh, LOG_NOTICE, "Invalid line missing method"); + instance_prefix = NULL; + dir = NULL; + goto skipping; + } + + /* + * Only the uids field is allowed to be blank, to indicate no + * override users for polyinstantiation of that directory. If + * any of the other fields are blank, the line is incomplete so + * skip it. + */ + uids = config_options[3]; + + /* + * Expand $HOME and $USER in poly dir and instance dir prefix + */ + if ((rdir=expand_variables(dir, var_names, rvar_values)) == NULL) { + instance_prefix = NULL; + dir = NULL; + goto erralloc; + } + + if ((dir=expand_variables(dir, var_names, var_values)) == NULL) { + instance_prefix = NULL; + goto erralloc; + } + + if ((instance_prefix=expand_variables(instance_prefix, var_names, var_values)) + == NULL) { + goto erralloc; + } + + if (idata->flags & PAMNS_DEBUG) { + pam_syslog(idata->pamh, LOG_DEBUG, "Expanded polydir: '%s'", dir); + pam_syslog(idata->pamh, LOG_DEBUG, "Expanded ruser polydir: '%s'", rdir); + pam_syslog(idata->pamh, LOG_DEBUG, "Expanded instance prefix: '%s'", instance_prefix); + } + + len = strlen(dir); + if (len > 0 && dir[len-1] == '/') { + dir[len-1] = '\0'; + } + + len = strlen(rdir); + if (len > 0 && rdir[len-1] == '/') { + rdir[len-1] = '\0'; + } + + if (dir[0] == '\0' || rdir[0] == '\0') { + pam_syslog(idata->pamh, LOG_NOTICE, "Invalid polydir"); + goto skipping; + } + + /* + * Populate polyinstantiated directory structure with appropriate + * pathnames and the method with which to polyinstantiate. + */ + if (strlen(dir) >= sizeof(poly->dir) + || strlen(rdir) >= sizeof(poly->rdir) + || strlen(instance_prefix) >= sizeof(poly->instance_prefix)) { + pam_syslog(idata->pamh, LOG_NOTICE, "Pathnames too long"); + goto skipping; + } + strcpy(poly->dir, dir); + strcpy(poly->rdir, rdir); + strcpy(poly->instance_prefix, instance_prefix); + + if (parse_method(method, poly, idata) != 0) { + goto skipping; + } + + if (poly->method == TMPDIR) { + if (sizeof(poly->instance_prefix) - strlen(poly->instance_prefix) < 7) { + pam_syslog(idata->pamh, LOG_NOTICE, "Pathnames too long"); + goto skipping; + } + strcat(poly->instance_prefix, "XXXXXX"); + } + + /* + * Ensure that all pathnames are absolute path names. + */ + if ((poly->dir[0] != '/') || (poly->method != TMPFS && poly->instance_prefix[0] != '/')) { + pam_syslog(idata->pamh, LOG_NOTICE, "Pathnames must start with '/'"); + goto skipping; + } + if (strstr(dir, "..") || strstr(poly->instance_prefix, "..")) { + pam_syslog(idata->pamh, LOG_NOTICE, "Pathnames must not contain '..'"); + goto skipping; + } + + /* + * If the line in namespace.conf for a directory to polyinstantiate + * contains a list of override users (users for whom polyinstantiation + * is not performed), read the user ids, convert names into uids, and + * add to polyinstantiated directory structure. + */ + if (uids) { + uid_t *uidptr; + const char *ustr, *sstr; + int count, i; + + if (*uids == '~') { + poly->flags |= POLYDIR_EXCLUSIVE; + uids++; + } + for (count = 0, ustr = sstr = uids; sstr; ustr = sstr + 1, count++) + sstr = strchr(ustr, ','); + + poly->num_uids = count; + poly->uid = (uid_t *) malloc(count * sizeof (uid_t)); + uidptr = poly->uid; + if (uidptr == NULL) { + goto erralloc; + } + + ustr = uids; + for (i = 0; i < count; i++) { + struct passwd *pwd; + + tptr = strchr(ustr, ','); + if (tptr) + *tptr = '\0'; + + pwd = pam_modutil_getpwnam(idata->pamh, ustr); + if (pwd == NULL) { + pam_syslog(idata->pamh, LOG_ERR, "Unknown user %s in configuration", ustr); + poly->num_uids--; + } else { + *uidptr = pwd->pw_uid; + uidptr++; + } + ustr = tptr + 1; + } + } + + /* + * Add polyinstantiated directory structure to the linked list + * of all polyinstantiated directory structures. + */ + add_polydir_entry(idata, poly); + + goto out; + +erralloc: + pam_syslog(idata->pamh, LOG_CRIT, "Memory allocation error"); + +skipping: + if (idata->flags & PAMNS_IGN_CONFIG_ERR) + retval = 0; + else + retval = PAM_SERVICE_ERR; + del_polydir(poly); +out: + free(rdir); + free(dir); + free(instance_prefix); + argv_free(config_options); + return retval; +} + + +/* + * Parses /etc/security/namespace.conf file to build a linked list of + * polyinstantiated directory structures of type polydir_s. Each entry + * in the linked list contains information needed to polyinstantiate + * one directory. + */ +static int parse_config_file(struct instance_data *idata) +{ + FILE *fil; + char *home, *rhome; + const char *confname; + struct passwd *cpwd; + char *line; + int retval; + size_t len = 0; + glob_t globbuf; + const char *oldlocale; + size_t n; + + /* + * Extract the user's home directory to resolve $HOME entries + * in the namespace configuration file. + */ + cpwd = pam_modutil_getpwnam(idata->pamh, idata->user); + if (!cpwd) { + pam_syslog(idata->pamh, LOG_ERR, + "Error getting home dir for '%s'", idata->user); + return PAM_SESSION_ERR; + } + if ((home=strdup(cpwd->pw_dir)) == NULL) { + pam_syslog(idata->pamh, LOG_CRIT, + "Memory allocation error"); + return PAM_SESSION_ERR; + } + + cpwd = pam_modutil_getpwnam(idata->pamh, idata->ruser); + if (!cpwd) { + pam_syslog(idata->pamh, LOG_ERR, + "Error getting home dir for '%s'", idata->ruser); + free(home); + return PAM_SESSION_ERR; + } + + if ((rhome=strdup(cpwd->pw_dir)) == NULL) { + pam_syslog(idata->pamh, LOG_CRIT, + "Memory allocation error"); + free(home); + return PAM_SESSION_ERR; + } + + /* + * Open configuration file, read one line at a time and call + * process_line to process each line. + */ + + memset(&globbuf, '\0', sizeof(globbuf)); + oldlocale = setlocale(LC_COLLATE, "C"); + glob(NAMESPACE_D_GLOB, 0, NULL, &globbuf); + if (oldlocale != NULL) + setlocale(LC_COLLATE, oldlocale); + + confname = PAM_NAMESPACE_CONFIG; + n = 0; + for (;;) { + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, "Parsing config file %s", + confname); + fil = fopen(confname, "r"); + if (fil == NULL) { + pam_syslog(idata->pamh, LOG_ERR, "Error opening config file %s", + confname); + globfree(&globbuf); + free(rhome); + free(home); + return PAM_SERVICE_ERR; + } + + /* Use unlocked IO */ + __fsetlocking(fil, FSETLOCKING_BYCALLER); + + line = NULL; + /* loop reading the file */ + while (getline(&line, &len, fil) > 0) { + retval = process_line(line, home, rhome, idata); + if (retval) { + pam_syslog(idata->pamh, LOG_ERR, + "Error processing conf file %s line %s", confname, line); + fclose(fil); + free(line); + globfree(&globbuf); + free(rhome); + free(home); + return PAM_SERVICE_ERR; + } + } + fclose(fil); + free(line); + + if (n >= globbuf.gl_pathc) + break; + + confname = globbuf.gl_pathv[n]; + n++; + } + + globfree(&globbuf); + free(rhome); + free(home); + + /* All done...just some debug stuff */ + if (idata->flags & PAMNS_DEBUG) { + struct polydir_s *dptr = idata->polydirs_ptr; + uid_t *iptr; + uid_t i; + + pam_syslog(idata->pamh, LOG_DEBUG, + dptr?"Configured poly dirs:":"No configured poly dirs"); + while (dptr) { + pam_syslog(idata->pamh, LOG_DEBUG, "dir='%s' iprefix='%s' meth=%d", + dptr->dir, dptr->instance_prefix, dptr->method); + for (i = 0, iptr = dptr->uid; i < dptr->num_uids; i++, iptr++) + pam_syslog(idata->pamh, LOG_DEBUG, "override user %d ", *iptr); + dptr = dptr->next; + } + } + + return PAM_SUCCESS; +} + + +/* + * This function returns true if a given uid is present in the polyinstantiated + * directory's list of override uids. If the uid is one of the override + * uids for the polyinstantiated directory, polyinstantiation is not + * performed for that user for that directory. + * If exclusive is set the returned values are opposite. + */ +static int ns_override(struct polydir_s *polyptr, struct instance_data *idata, + uid_t uid) +{ + unsigned int i; + + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, + "Checking for ns override in dir %s for uid %d", + polyptr->dir, uid); + + for (i = 0; i < polyptr->num_uids; i++) { + if (uid == polyptr->uid[i]) { + return !(polyptr->flags & POLYDIR_EXCLUSIVE); + } + } + + return !!(polyptr->flags & POLYDIR_EXCLUSIVE); +} + +/* + * md5hash generates a hash of the passed in instance directory name. + */ +static char *md5hash(const char *instname, struct instance_data *idata) +{ + int i; + char *md5inst = NULL; + char *to; + unsigned char inst_digest[MD5_DIGEST_LENGTH]; + + /* + * Create MD5 hashes for instance pathname. + */ + + MD5((const unsigned char *)instname, strlen(instname), inst_digest); + + if ((md5inst = malloc(MD5_DIGEST_LENGTH * 2 + 1)) == NULL) { + pam_syslog(idata->pamh, LOG_CRIT, "Unable to allocate buffer"); + return NULL; + } + + to = md5inst; + for (i = 0; i < MD5_DIGEST_LENGTH; i++) { + snprintf(to, 3, "%02x", (unsigned int)inst_digest[i]); + to += 2; + } + + return md5inst; +} + +#ifdef WITH_SELINUX +static int form_context(const struct polydir_s *polyptr, + char **i_context, char **origcon, + struct instance_data *idata) +{ + int rc = PAM_SUCCESS; + char *scon = NULL; + security_class_t tclass; + + /* + * Get the security context of the directory to polyinstantiate. + */ + rc = getfilecon(polyptr->dir, origcon); + if (rc < 0 || *origcon == NULL) { + pam_syslog(idata->pamh, LOG_ERR, + "Error getting poly dir context, %m"); + return PAM_SESSION_ERR; + } + + if (polyptr->method == USER) return PAM_SUCCESS; + + if (idata->flags & PAMNS_USE_CURRENT_CONTEXT) { + rc = getcon(&scon); + } else if (idata->flags & PAMNS_USE_DEFAULT_CONTEXT) { + char *seuser = NULL, *level = NULL; + + if ((rc=getseuserbyname(idata->user, &seuser, &level)) == 0) { + rc = get_default_context_with_level(seuser, level, NULL, &scon); + free(seuser); + free(level); + } + } else { + rc = getexeccon(&scon); + } + if (rc < 0 || scon == NULL) { + pam_syslog(idata->pamh, LOG_ERR, + "Error getting exec context, %m"); + return PAM_SESSION_ERR; + } + + /* + * If polyinstantiating based on security context, get current + * process security context, get security class for directories, + * and ask the policy to provide security context of the + * polyinstantiated instance directory. + */ + + if (polyptr->method == CONTEXT) { + tclass = string_to_security_class("dir"); + if (tclass == 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Error getting dir security class"); + freecon(scon); + return PAM_SESSION_ERR; + } + + if (security_compute_member(scon, *origcon, tclass, + i_context) < 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Error computing poly dir member context"); + freecon(scon); + return PAM_SESSION_ERR; + } else if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, + "member context returned by policy %s", *i_context); + freecon(scon); + return PAM_SUCCESS; + } + + /* + * If polyinstantiating based on security level, get current + * process security context, get security class for directories, + * and change the directories MLS Level to match process. + */ + + if (polyptr->method == LEVEL) { + context_t scontext = NULL; + context_t fcontext = NULL; + rc = PAM_SESSION_ERR; + + scontext = context_new(scon); + if (! scontext) { + pam_syslog(idata->pamh, LOG_CRIT, "out of memory"); + goto fail; + } + fcontext = context_new(*origcon); + if (! fcontext) { + pam_syslog(idata->pamh, LOG_CRIT, "out of memory"); + goto fail; + } + if (context_range_set(fcontext, context_range_get(scontext)) != 0) { + pam_syslog(idata->pamh, LOG_ERR, "Unable to set MLS Component of context"); + goto fail; + } + *i_context=strdup(context_str(fcontext)); + if (! *i_context) { + pam_syslog(idata->pamh, LOG_CRIT, "out of memory"); + goto fail; + } + + rc = PAM_SUCCESS; + fail: + context_free(scontext); + context_free(fcontext); + freecon(scon); + return rc; + } + /* Should never get here */ + return PAM_SUCCESS; +} +#endif + +/* + * poly_name returns the name of the polyinstantiated instance directory + * based on the method used for polyinstantiation (user, context or level) + * In addition, the function also returns the security contexts of the + * original directory to polyinstantiate and the polyinstantiated instance + * directory. + */ +#ifdef WITH_SELINUX +static int poly_name(const struct polydir_s *polyptr, char **i_name, + char **i_context, char **origcon, + struct instance_data *idata) +#else +static int poly_name(const struct polydir_s *polyptr, char **i_name, + struct instance_data *idata) +#endif +{ + int rc; + char *hash = NULL; + enum polymethod pm; +#ifdef WITH_SELINUX + char *rawcon = NULL; +#endif + + *i_name = NULL; +#ifdef WITH_SELINUX + *i_context = NULL; + *origcon = NULL; + if ((idata->flags & PAMNS_SELINUX_ENABLED) && + (rc=form_context(polyptr, i_context, origcon, idata)) != PAM_SUCCESS) { + return rc; + } +#endif + + rc = PAM_SESSION_ERR; + /* + * Set the name of the polyinstantiated instance dir based on the + * polyinstantiation method. + */ + + pm = polyptr->method; + if (pm == LEVEL || pm == CONTEXT) +#ifdef WITH_SELINUX + if (!(idata->flags & PAMNS_CTXT_BASED_INST)) { +#else + { + pam_syslog(idata->pamh, LOG_NOTICE, + "Context and level methods not available, using user method"); +#endif + if (polyptr->flags & POLYDIR_SHARED) { + rc = PAM_IGNORE; + goto fail; + } + pm = USER; + } + + switch (pm) { + case USER: + if (asprintf(i_name, "%s", idata->user) < 0) { + *i_name = NULL; + goto fail; + } + break; + +#ifdef WITH_SELINUX + case LEVEL: + case CONTEXT: + if (selinux_trans_to_raw_context(*i_context, &rawcon) < 0) { + pam_syslog(idata->pamh, LOG_ERR, "Error translating directory context"); + goto fail; + } + if (polyptr->flags & POLYDIR_SHARED) { + if (asprintf(i_name, "%s", rawcon) < 0) { + *i_name = NULL; + goto fail; + } + } else { + if (asprintf(i_name, "%s_%s", rawcon, idata->user) < 0) { + *i_name = NULL; + goto fail; + } + } + break; + +#endif /* WITH_SELINUX */ + + case TMPDIR: + case TMPFS: + if ((*i_name=strdup("")) == NULL) + goto fail; + return PAM_SUCCESS; + + default: + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_ERR, "Unknown method"); + goto fail; + } + + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, "poly_name %s", *i_name); + + if ((idata->flags & PAMNS_GEN_HASH) || strlen(*i_name) > NAMESPACE_MAX_DIR_LEN) { + hash = md5hash(*i_name, idata); + if (hash == NULL) { + goto fail; + } + if (idata->flags & PAMNS_GEN_HASH) { + free(*i_name); + *i_name = hash; + hash = NULL; + } else { + char *newname; + if (asprintf(&newname, "%.*s_%s", NAMESPACE_MAX_DIR_LEN-1-(int)strlen(hash), + *i_name, hash) < 0) { + goto fail; + } + free(*i_name); + *i_name = newname; + } + } + rc = PAM_SUCCESS; + +fail: + free(hash); +#ifdef WITH_SELINUX + freecon(rawcon); +#endif + if (rc != PAM_SUCCESS) { +#ifdef WITH_SELINUX + freecon(*i_context); + *i_context = NULL; + freecon(*origcon); + *origcon = NULL; +#endif + free(*i_name); + *i_name = NULL; + } + return rc; +} + +static int protect_mount(int dfd, const char *path, struct instance_data *idata) +{ + struct protect_dir_s *dir = idata->protect_dirs; + char tmpbuf[64]; + + while (dir != NULL) { + if (strcmp(path, dir->dir) == 0) { + return 0; + } + dir = dir->next; + } + + dir = calloc(1, sizeof(*dir)); + + if (dir == NULL) { + return -1; + } + + dir->dir = strdup(path); + + if (dir->dir == NULL) { + free(dir); + return -1; + } + + snprintf(tmpbuf, sizeof(tmpbuf), "/proc/self/fd/%d", dfd); + + if (idata->flags & PAMNS_DEBUG) { + pam_syslog(idata->pamh, LOG_INFO, + "Protect mount of %s over itself", path); + } + + if (mount(tmpbuf, tmpbuf, NULL, MS_BIND, NULL) != 0) { + int save_errno = errno; + pam_syslog(idata->pamh, LOG_ERR, + "Protect mount of %s failed: %m", tmpbuf); + free(dir->dir); + free(dir); + errno = save_errno; + return -1; + } + + dir->next = idata->protect_dirs; + idata->protect_dirs = dir; + + return 0; +} + +static int protect_dir(const char *path, mode_t mode, int do_mkdir, + struct instance_data *idata) +{ + char *p = strdup(path); + char *d; + char *dir = p; + int dfd = AT_FDCWD; + int dfd_next; + int save_errno; + int flags = O_RDONLY; + int rv = -1; + struct stat st; + + if (p == NULL) { + goto error; + } + + if (*dir == '/') { + dfd = open("/", flags); + if (dfd == -1) { + goto error; + } + dir++; /* assume / is safe */ + } + + while ((d=strchr(dir, '/')) != NULL) { + *d = '\0'; + dfd_next = openat(dfd, dir, flags); + if (dfd_next == -1) { + goto error; + } + + if (dfd != AT_FDCWD) + close(dfd); + dfd = dfd_next; + + if (fstat(dfd, &st) != 0) { + goto error; + } + + if (flags & O_NOFOLLOW) { + /* we are inside user-owned dir - protect */ + if (protect_mount(dfd, p, idata) == -1) + goto error; + } else if (st.st_uid != 0 || st.st_gid != 0 || + (st.st_mode & S_IWOTH)) { + /* do not follow symlinks on subdirectories */ + flags |= O_NOFOLLOW; + } + + *d = '/'; + dir = d + 1; + } + + rv = openat(dfd, dir, flags); + + if (rv == -1) { + if (!do_mkdir || mkdirat(dfd, dir, mode) != 0) { + goto error; + } + rv = openat(dfd, dir, flags); + } + + if (rv != -1) { + if (fstat(rv, &st) != 0) { + save_errno = errno; + close(rv); + rv = -1; + errno = save_errno; + goto error; + } + if (!S_ISDIR(st.st_mode)) { + close(rv); + errno = ENOTDIR; + rv = -1; + goto error; + } + } + + if (flags & O_NOFOLLOW) { + /* we are inside user-owned dir - protect */ + if (protect_mount(rv, p, idata) == -1) { + save_errno = errno; + close(rv); + rv = -1; + errno = save_errno; + } + } + +error: + save_errno = errno; + free(p); + if (dfd != AT_FDCWD && dfd >= 0) + close(dfd); + errno = save_errno; + + return rv; +} + +static int check_inst_parent(char *ipath, struct instance_data *idata) +{ + struct stat instpbuf; + char *inst_parent, *trailing_slash; + int dfd; + /* + * stat the instance parent path to make sure it exists + * and is a directory. Check that its mode is 000 (unless the + * admin explicitly instructs to ignore the instance parent + * mode by the "ignore_instance_parent_mode" argument). + */ + inst_parent = (char *) malloc(strlen(ipath)+1); + if (!inst_parent) { + pam_syslog(idata->pamh, LOG_CRIT, "Error allocating pathname string"); + return PAM_SESSION_ERR; + } + + strcpy(inst_parent, ipath); + trailing_slash = strrchr(inst_parent, '/'); + if (trailing_slash) + *trailing_slash = '\0'; + + dfd = protect_dir(inst_parent, 0, 1, idata); + + if (dfd == -1 || fstat(dfd, &instpbuf) < 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Error creating or accessing instance parent %s, %m", inst_parent); + if (dfd != -1) + close(dfd); + free(inst_parent); + return PAM_SESSION_ERR; + } + + if ((idata->flags & PAMNS_IGN_INST_PARENT_MODE) == 0) { + if ((instpbuf.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) || instpbuf.st_uid != 0) { + pam_syslog(idata->pamh, LOG_ERR, "Mode of inst parent %s not 000 or owner not root", + inst_parent); + close(dfd); + free(inst_parent); + return PAM_SESSION_ERR; + } + } + close(dfd); + free(inst_parent); + return PAM_SUCCESS; +} + +/* +* Check to see if there is a namespace initialization script in +* the /etc/security directory. If such a script exists +* execute it and pass directory to polyinstantiate and instance +* directory as arguments. +*/ +static int inst_init(const struct polydir_s *polyptr, const char *ipath, + struct instance_data *idata, int newdir) +{ + pid_t rc, pid; + struct sigaction newsa, oldsa; + int status; + const char *init_script = NAMESPACE_INIT_SCRIPT; + + memset(&newsa, '\0', sizeof(newsa)); + newsa.sa_handler = SIG_DFL; + if (sigaction(SIGCHLD, &newsa, &oldsa) == -1) { + pam_syslog(idata->pamh, LOG_ERR, "Cannot set signal value"); + return PAM_SESSION_ERR; + } + + if ((polyptr->flags & POLYDIR_ISCRIPT) && polyptr->init_script) + init_script = polyptr->init_script; + + if (access(init_script, F_OK) == 0) { + if (access(init_script, X_OK) < 0) { + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_ERR, + "Namespace init script not executable"); + rc = PAM_SESSION_ERR; + goto out; + } else { + pid = fork(); + if (pid == 0) { + static char *envp[] = { NULL }; +#ifdef WITH_SELINUX + if (idata->flags & PAMNS_SELINUX_ENABLED) { + if (setexeccon(NULL) < 0) + _exit(1); + } +#endif + /* Pass maximum privs when we exec() */ + if (setuid(geteuid()) < 0) { + /* ignore failures, they don't matter */ + } + + if (execle(init_script, init_script, + polyptr->dir, ipath, newdir?"1":"0", idata->user, NULL, envp) < 0) + _exit(1); + } else if (pid > 0) { + while (((rc = waitpid(pid, &status, 0)) == (pid_t)-1) && + (errno == EINTR)); + if (rc == (pid_t)-1) { + pam_syslog(idata->pamh, LOG_ERR, "waitpid failed- %m"); + rc = PAM_SESSION_ERR; + goto out; + } + if (!WIFEXITED(status) || WIFSIGNALED(status) > 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Error initializing instance"); + rc = PAM_SESSION_ERR; + goto out; + } + } else if (pid < 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Cannot fork to run namespace init script, %m"); + rc = PAM_SESSION_ERR; + goto out; + } + } + } + rc = PAM_SUCCESS; +out: + (void) sigaction(SIGCHLD, &oldsa, NULL); + + return rc; +} + +static int create_polydir(struct polydir_s *polyptr, + struct instance_data *idata) +{ + mode_t mode; + int rc; +#ifdef WITH_SELINUX + char *dircon_raw, *oldcon_raw = NULL; + struct selabel_handle *label_handle; +#endif + const char *dir = polyptr->dir; + uid_t uid; + gid_t gid; + + if (polyptr->mode != (mode_t)ULONG_MAX) + mode = polyptr->mode; + else + mode = 0777; + +#ifdef WITH_SELINUX + if (idata->flags & PAMNS_SELINUX_ENABLED) { + getfscreatecon_raw(&oldcon_raw); + + label_handle = selabel_open(SELABEL_CTX_FILE, NULL, 0); + if (!label_handle) { + pam_syslog(idata->pamh, LOG_NOTICE, + "Unable to initialize SELinux labeling handle: %m"); + } else { + rc = selabel_lookup_raw(label_handle, &dircon_raw, dir, S_IFDIR); + if (rc) { + pam_syslog(idata->pamh, LOG_NOTICE, + "Unable to get default context for directory %s, check your policy: %m", dir); + } else { + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, + "Polydir %s context: %s", dir, dircon_raw); + if (setfscreatecon_raw(dircon_raw) != 0) + pam_syslog(idata->pamh, LOG_NOTICE, + "Error setting context for directory %s: %m", dir); + freecon(dircon_raw); + } + selabel_close(label_handle); + } + } +#endif + + rc = protect_dir(dir, mode, 1, idata); + if (rc == -1) { + pam_syslog(idata->pamh, LOG_ERR, + "Error creating directory %s: %m", dir); + return PAM_SESSION_ERR; + } + +#ifdef WITH_SELINUX + if (idata->flags & PAMNS_SELINUX_ENABLED) { + if (setfscreatecon_raw(oldcon_raw) != 0) + pam_syslog(idata->pamh, LOG_NOTICE, + "Error resetting fs create context: %m"); + freecon(oldcon_raw); + } +#endif + + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, "Created polydir %s", dir); + + if (polyptr->mode != (mode_t)ULONG_MAX) { + /* explicit mode requested */ + if (fchmod(rc, mode) != 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Error changing mode of directory %s: %m", dir); + close(rc); + umount(dir); /* undo the eventual protection bind mount */ + rmdir(dir); + return PAM_SESSION_ERR; + } + } + + if (polyptr->owner != (uid_t)ULONG_MAX) + uid = polyptr->owner; + else + uid = idata->uid; + + if (polyptr->group != (gid_t)ULONG_MAX) + gid = polyptr->group; + else + gid = idata->gid; + + if (fchown(rc, uid, gid) != 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Unable to change owner on directory %s: %m", dir); + close(rc); + umount(dir); /* undo the eventual protection bind mount */ + rmdir(dir); + return PAM_SESSION_ERR; + } + + close(rc); + + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, + "Polydir owner %u group %u", uid, gid); + + return PAM_SUCCESS; +} + +/* + * Create polyinstantiated instance directory (ipath). + */ +#ifdef WITH_SELINUX +static int create_instance(struct polydir_s *polyptr, char *ipath, struct stat *statbuf, + const char *icontext, const char *ocontext, + struct instance_data *idata) +#else +static int create_instance(struct polydir_s *polyptr, char *ipath, struct stat *statbuf, + struct instance_data *idata) +#endif +{ + struct stat newstatbuf; + int fd; + + /* + * Check to make sure instance parent is valid. + */ + if (check_inst_parent(ipath, idata)) + return PAM_SESSION_ERR; + + /* + * Create instance directory and set its security context to the context + * returned by the security policy. Set its mode and ownership + * attributes to match that of the original directory that is being + * polyinstantiated. + */ + + if (polyptr->method == TMPDIR) { + if (mkdtemp(polyptr->instance_prefix) == NULL) { + pam_syslog(idata->pamh, LOG_ERR, "Error creating temporary instance %s, %m", + polyptr->instance_prefix); + polyptr->method = NONE; /* do not clean up! */ + return PAM_SESSION_ERR; + } + /* copy the actual directory name to ipath */ + strcpy(ipath, polyptr->instance_prefix); + } else if (mkdir(ipath, S_IRUSR) < 0) { + if (errno == EEXIST) + return PAM_IGNORE; + else { + pam_syslog(idata->pamh, LOG_ERR, "Error creating %s, %m", + ipath); + return PAM_SESSION_ERR; + } + } + + /* Open a descriptor to it to prevent races */ + fd = open(ipath, O_DIRECTORY | O_RDONLY); + if (fd < 0) { + pam_syslog(idata->pamh, LOG_ERR, "Error opening %s, %m", ipath); + rmdir(ipath); + return PAM_SESSION_ERR; + } +#ifdef WITH_SELINUX + /* If SE Linux is disabled, no need to label it */ + if (idata->flags & PAMNS_SELINUX_ENABLED) { + /* If method is USER, icontext is NULL */ + if (icontext) { + if (fsetfilecon(fd, icontext) < 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Error setting context of %s to %s", ipath, icontext); + close(fd); + rmdir(ipath); + return PAM_SESSION_ERR; + } + } else { + if (fsetfilecon(fd, ocontext) < 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Error setting context of %s to %s", ipath, ocontext); + close(fd); + rmdir(ipath); + return PAM_SESSION_ERR; + } + } + } +#endif + if (fstat(fd, &newstatbuf) < 0) { + pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m", + ipath); + close(fd); + rmdir(ipath); + return PAM_SESSION_ERR; + } + if (newstatbuf.st_uid != statbuf->st_uid || + newstatbuf.st_gid != statbuf->st_gid) { + if (fchown(fd, statbuf->st_uid, statbuf->st_gid) < 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Error changing owner for %s, %m", + ipath); + close(fd); + rmdir(ipath); + return PAM_SESSION_ERR; + } + } + if (fchmod(fd, statbuf->st_mode & 07777) < 0) { + pam_syslog(idata->pamh, LOG_ERR, "Error changing mode for %s, %m", + ipath); + close(fd); + rmdir(ipath); + return PAM_SESSION_ERR; + } + close(fd); + return PAM_SUCCESS; +} + + +/* + * This function performs the namespace setup for a particular directory + * that is being polyinstantiated. It calls poly_name to create name of instance + * directory, calls create_instance to mkdir it with appropriate + * security attributes, and performs bind mount to setup the process + * namespace. + */ +static int ns_setup(struct polydir_s *polyptr, + struct instance_data *idata) +{ + int retval; + int newdir = 1; + char *inst_dir = NULL; + char *instname = NULL; + struct stat statbuf; +#ifdef WITH_SELINUX + char *instcontext = NULL, *origcontext = NULL; +#endif + + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, + "Set namespace for directory %s", polyptr->dir); + + retval = protect_dir(polyptr->dir, 0, 0, idata); + + if (retval < 0 && errno != ENOENT) { + pam_syslog(idata->pamh, LOG_ERR, "Polydir %s access error: %m", + polyptr->dir); + return PAM_SESSION_ERR; + } + + if (retval < 0) { + if ((polyptr->flags & POLYDIR_CREATE) && + create_polydir(polyptr, idata) != PAM_SUCCESS) + return PAM_SESSION_ERR; + } else { + close(retval); + } + + if (polyptr->method == TMPFS) { + if (mount("tmpfs", polyptr->dir, "tmpfs", polyptr->mount_flags, polyptr->mount_opts) < 0) { + pam_syslog(idata->pamh, LOG_ERR, "Error mounting tmpfs on %s, %m", + polyptr->dir); + return PAM_SESSION_ERR; + } + + if (polyptr->flags & POLYDIR_NOINIT) + return PAM_SUCCESS; + + return inst_init(polyptr, "tmpfs", idata, 1); + } + + if (stat(polyptr->dir, &statbuf) < 0) { + pam_syslog(idata->pamh, LOG_ERR, "Error stating %s: %m", + polyptr->dir); + return PAM_SESSION_ERR; + } + + /* + * Obtain the name of instance pathname based on the + * polyinstantiation method and instance context returned by + * security policy. + */ +#ifdef WITH_SELINUX + retval = poly_name(polyptr, &instname, &instcontext, + &origcontext, idata); +#else + retval = poly_name(polyptr, &instname, idata); +#endif + + if (retval != PAM_SUCCESS) { + if (retval != PAM_IGNORE) + pam_syslog(idata->pamh, LOG_ERR, "Error getting instance name"); + goto cleanup; + } else { +#ifdef WITH_SELINUX + if ((idata->flags & PAMNS_DEBUG) && + (idata->flags & PAMNS_SELINUX_ENABLED)) + pam_syslog(idata->pamh, LOG_DEBUG, "Inst ctxt %s Orig ctxt %s", + instcontext, origcontext); +#endif + } + + if (asprintf(&inst_dir, "%s%s", polyptr->instance_prefix, instname) < 0) + goto error_out; + + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, "instance_dir %s", + inst_dir); + + /* + * Create instance directory with appropriate security + * contexts, owner, group and mode bits. + */ +#ifdef WITH_SELINUX + retval = create_instance(polyptr, inst_dir, &statbuf, instcontext, + origcontext, idata); +#else + retval = create_instance(polyptr, inst_dir, &statbuf, idata); +#endif + + if (retval == PAM_IGNORE) { + newdir = 0; + retval = PAM_SUCCESS; + } + + if (retval != PAM_SUCCESS) { + goto error_out; + } + + /* + * Bind mount instance directory on top of the polyinstantiated + * directory to provide an instance of polyinstantiated directory + * based on polyinstantiated method. + */ + if (mount(inst_dir, polyptr->dir, NULL, MS_BIND, NULL) < 0) { + pam_syslog(idata->pamh, LOG_ERR, "Error mounting %s on %s, %m", + inst_dir, polyptr->dir); + goto error_out; + } + + if (!(polyptr->flags & POLYDIR_NOINIT)) + retval = inst_init(polyptr, inst_dir, idata, newdir); + + goto cleanup; + + /* + * various error exit points. Free allocated memory and set return + * value to indicate a pam session error. + */ +error_out: + retval = PAM_SESSION_ERR; + +cleanup: + free(inst_dir); + free(instname); +#ifdef WITH_SELINUX + freecon(instcontext); + freecon(origcontext); +#endif + return retval; +} + + +/* + * This function checks to see if the current working directory is + * inside the directory passed in as the first argument. + */ +static int cwd_in(char *dir, struct instance_data *idata) +{ + int retval = 0; + char cwd[PATH_MAX]; + + if (getcwd(cwd, PATH_MAX) == NULL) { + pam_syslog(idata->pamh, LOG_ERR, "Can't get current dir, %m"); + return -1; + } + + if (strncmp(cwd, dir, strlen(dir)) == 0) { + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, "cwd is inside %s", dir); + retval = 1; + } else { + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, "cwd is outside %s", dir); + } + + return retval; +} + +static int cleanup_tmpdirs(struct instance_data *idata) +{ + struct polydir_s *pptr; + pid_t rc, pid; + struct sigaction newsa, oldsa; + int status; + + memset(&newsa, '\0', sizeof(newsa)); + newsa.sa_handler = SIG_DFL; + if (sigaction(SIGCHLD, &newsa, &oldsa) == -1) { + pam_syslog(idata->pamh, LOG_ERR, "Cannot set signal value"); + return PAM_SESSION_ERR; + } + + for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) { + if (pptr->method == TMPDIR && access(pptr->instance_prefix, F_OK) == 0) { + pid = fork(); + if (pid == 0) { + static char *envp[] = { NULL }; +#ifdef WITH_SELINUX + if (idata->flags & PAMNS_SELINUX_ENABLED) { + if (setexeccon(NULL) < 0) + _exit(1); + } +#endif + if (execle("/bin/rm", "/bin/rm", "-rf", pptr->instance_prefix, NULL, envp) < 0) + _exit(1); + } else if (pid > 0) { + while (((rc = waitpid(pid, &status, 0)) == (pid_t)-1) && + (errno == EINTR)); + if (rc == (pid_t)-1) { + pam_syslog(idata->pamh, LOG_ERR, "waitpid failed: %m"); + rc = PAM_SESSION_ERR; + goto out; + } + if (!WIFEXITED(status) || WIFSIGNALED(status) > 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Error removing %s", pptr->instance_prefix); + } + } else if (pid < 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Cannot fork to run namespace init script, %m"); + rc = PAM_SESSION_ERR; + goto out; + } + } + } + + rc = PAM_SUCCESS; +out: + sigaction(SIGCHLD, &oldsa, NULL); + return rc; +} + +/* + * This function checks to see if polyinstantiation is needed for any + * of the directories listed in the configuration file. If needed, + * cycles through all polyinstantiated directory entries and calls + * ns_setup to setup polyinstantiation for each one of them. + */ +static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt) +{ + int retval = 0, need_poly = 0, changing_dir = 0; + char *cptr, *fptr, poly_parent[PATH_MAX]; + struct polydir_s *pptr; + + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, "Set up namespace for pid %d", + getpid()); + + /* + * Cycle through all polyinstantiated directory entries to see if + * polyinstantiation is needed at all. + */ + for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) { + if (ns_override(pptr, idata, idata->uid)) { + if (unmnt == NO_UNMNT || ns_override(pptr, idata, idata->ruid)) { + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, + "Overriding poly for user %d for dir %s", + idata->uid, pptr->dir); + } else { + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, + "Need unmount ns for user %d for dir %s", + idata->ruid, pptr->dir); + need_poly = 1; + break; + } + continue; + } else { + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, + "Need poly ns for user %d for dir %s", + idata->uid, pptr->dir); + need_poly = 1; + break; + } + } + + /* + * If polyinstantiation is needed, call the unshare system call to + * disassociate from the parent namespace. + */ + if (need_poly) { + if (unshare(CLONE_NEWNS) < 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Unable to unshare from parent namespace, %m"); + return PAM_SESSION_ERR; + } + if (idata->flags & PAMNS_MOUNT_PRIVATE) { + /* + * Remount / as SLAVE so that nothing mounted in the namespace + * shows up in the parent + */ + if (mount("/", "/", NULL, MS_SLAVE | MS_REC , NULL) < 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Failed to mark / as a slave mount point, %m"); + return PAM_SESSION_ERR; + } + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, + "The / mount point was marked as slave"); + } + } else { + del_polydir_list(idata->polydirs_ptr); + return PAM_SUCCESS; + } + + /* + * Again cycle through all polyinstantiated directories, this time, + * call ns_setup to setup polyinstantiation for a particular entry. + */ + for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) { + enum unmnt_op dir_unmnt = unmnt; + + if (ns_override(pptr, idata, idata->ruid)) { + dir_unmnt = NO_UNMNT; + } + if (ns_override(pptr, idata, idata->uid)) { + if (dir_unmnt == NO_UNMNT) { + continue; + } else { + dir_unmnt = UNMNT_ONLY; + } + } + + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, + "Setting poly ns for user %d for dir %s", + idata->uid, pptr->dir); + + if ((dir_unmnt == UNMNT_REMNT) || (dir_unmnt == UNMNT_ONLY)) { + /* + * Check to see if process current directory is in the + * bind mounted instance_parent directory that we are trying to + * umount + */ + if ((changing_dir = cwd_in(pptr->rdir, idata)) < 0) { + retval = PAM_SESSION_ERR; + goto out; + } else if (changing_dir) { + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, "changing cwd"); + + /* + * Change current working directory to the parent of + * the mount point, that is parent of the orig + * directory where original contents of the polydir + * are available from + */ + strcpy(poly_parent, pptr->rdir); + fptr = strchr(poly_parent, '/'); + cptr = strrchr(poly_parent, '/'); + if (fptr && cptr && (fptr == cptr)) + strcpy(poly_parent, "/"); + else if (cptr) + *cptr = '\0'; + if (chdir(poly_parent) < 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Can't chdir to %s, %m", poly_parent); + } + } + + if (umount(pptr->rdir) < 0) { + int saved_errno = errno; + pam_syslog(idata->pamh, LOG_ERR, "Unmount of %s failed, %m", + pptr->rdir); + if (saved_errno != EINVAL) { + retval = PAM_SESSION_ERR; + goto out; + } + } else if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, "Umount succeeded %s", + pptr->rdir); + } + + if (dir_unmnt != UNMNT_ONLY) { + retval = ns_setup(pptr, idata); + if (retval == PAM_IGNORE) + retval = PAM_SUCCESS; + if (retval != PAM_SUCCESS) + break; + } + } +out: + if (retval != PAM_SUCCESS) { + cleanup_tmpdirs(idata); + unprotect_dirs(idata->protect_dirs); + } else if (pam_set_data(idata->pamh, NAMESPACE_PROTECT_DATA, idata->protect_dirs, + cleanup_protect_data) != PAM_SUCCESS) { + pam_syslog(idata->pamh, LOG_ERR, "Unable to set namespace protect data"); + cleanup_tmpdirs(idata); + unprotect_dirs(idata->protect_dirs); + return PAM_SYSTEM_ERR; + } else if (pam_set_data(idata->pamh, NAMESPACE_POLYDIR_DATA, idata->polydirs_ptr, + cleanup_polydir_data) != PAM_SUCCESS) { + pam_syslog(idata->pamh, LOG_ERR, "Unable to set namespace polydir data"); + cleanup_tmpdirs(idata); + pam_set_data(idata->pamh, NAMESPACE_PROTECT_DATA, NULL, NULL); + idata->protect_dirs = NULL; + return PAM_SYSTEM_ERR; + } + return retval; +} + + +/* + * Orig namespace. This function is called from when closing a pam + * session. If authorized, it unmounts instance directory. + */ +static int orig_namespace(struct instance_data *idata) +{ + struct polydir_s *pptr; + + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, "orig namespace for pid %d", + getpid()); + + /* + * Cycle through all polyinstantiated directories from the namespace + * configuration file to see if polyinstantiation was performed for + * this user for each of the entry. If it was, try and unmount + * appropriate polyinstantiated instance directories. + */ + for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) { + if (ns_override(pptr, idata, idata->uid)) + continue; + else { + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, + "Unmounting instance dir for user %d & dir %s", + idata->uid, pptr->dir); + + if (umount(pptr->dir) < 0) { + pam_syslog(idata->pamh, LOG_ERR, "Unmount of %s failed, %m", + pptr->dir); + return PAM_SESSION_ERR; + } else if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, "Unmount of %s succeeded", + pptr->dir); + } + } + + cleanup_tmpdirs(idata); + return 0; +} + + +#ifdef WITH_SELINUX +/* + * This function checks if the calling program has requested context + * change by calling setexeccon(). If context change is not requested + * then it does not make sense to polyinstantiate based on context. + * The return value from this function is used when selecting the + * polyinstantiation method. If context change is not requested then + * the polyinstantiation method is set to USER, even if the configuration + * file lists the method as "context" or "level". + */ +static int ctxt_based_inst_needed(void) +{ + char *scon = NULL; + int rc = 0; + + rc = getexeccon(&scon); + if (rc < 0 || scon == NULL) + return 0; + else { + freecon(scon); + return 1; + } +} +#endif + +static int root_shared(void) +{ + FILE *f; + char *line = NULL; + size_t n = 0; + int rv = 0; + + f = fopen("/proc/self/mountinfo", "r"); + + if (f == NULL) + return 0; + + while(getline(&line, &n, f) != -1) { + char *l; + char *sptr; + int i; + + l = line; + sptr = NULL; + for (i = 0; i < 7; i++) { + char *tok; + + tok = strtok_r(l, " ", &sptr); + l = NULL; + if (tok == NULL) + /* next mountinfo line */ + break; + + if (i == 4 && strcmp(tok, "/") != 0) + /* next mountinfo line */ + break; + + if (i == 6) { + if (pam_str_skip_prefix(tok, "shared:") != NULL) + /* there might be more / mounts, the last one counts */ + rv = 1; + else + rv = 0; + } + } + } + + free(line); + fclose(f); + + return rv; +} + +static int get_user_data(struct instance_data *idata) +{ + int retval; + char *user_name; + struct passwd *pwd; + /* + * Lookup user and fill struct items + */ + retval = pam_get_item(idata->pamh, PAM_USER, (void*) &user_name ); + if ( user_name == NULL || retval != PAM_SUCCESS ) { + pam_syslog(idata->pamh, LOG_ERR, "Error recovering pam user name"); + return PAM_SESSION_ERR; + } + + pwd = pam_modutil_getpwnam(idata->pamh, user_name); + if (!pwd) { + pam_syslog(idata->pamh, LOG_ERR, "user unknown '%s'", user_name); + return PAM_USER_UNKNOWN; + } + + /* + * Add the user info to the instance data so we can refer to them later. + */ + idata->user[0] = 0; + strncat(idata->user, user_name, sizeof(idata->user) - 1); + idata->uid = pwd->pw_uid; + idata->gid = pwd->pw_gid; + + /* Fill in RUSER too */ + retval = pam_get_item(idata->pamh, PAM_RUSER, (void*) &user_name ); + if ( user_name != NULL && retval == PAM_SUCCESS && user_name[0] != '\0' ) { + strncat(idata->ruser, user_name, sizeof(idata->ruser) - 1); + pwd = pam_modutil_getpwnam(idata->pamh, user_name); + } else { + pwd = pam_modutil_getpwuid(idata->pamh, getuid()); + } + if (!pwd) { + pam_syslog(idata->pamh, LOG_ERR, "user unknown '%s'", user_name); + return PAM_USER_UNKNOWN; + } + user_name = pwd->pw_name; + + idata->ruser[0] = 0; + strncat(idata->ruser, user_name, sizeof(idata->ruser) - 1); + idata->ruid = pwd->pw_uid; + + return PAM_SUCCESS; +} + +/* + * Entry point from pam_open_session call. + */ +int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ + int i, retval; + struct instance_data idata; + enum unmnt_op unmnt = NO_UNMNT; + + /* init instance data */ + idata.flags = 0; + idata.polydirs_ptr = NULL; + idata.protect_dirs = NULL; + idata.pamh = pamh; +#ifdef WITH_SELINUX + if (is_selinux_enabled()) + idata.flags |= PAMNS_SELINUX_ENABLED; + if (ctxt_based_inst_needed()) + idata.flags |= PAMNS_CTXT_BASED_INST; +#endif + + /* Parse arguments. */ + for (i = 0; i < argc; i++) { + if (strcmp(argv[i], "debug") == 0) + idata.flags |= PAMNS_DEBUG; + if (strcmp(argv[i], "gen_hash") == 0) + idata.flags |= PAMNS_GEN_HASH; + if (strcmp(argv[i], "ignore_config_error") == 0) + idata.flags |= PAMNS_IGN_CONFIG_ERR; + if (strcmp(argv[i], "ignore_instance_parent_mode") == 0) + idata.flags |= PAMNS_IGN_INST_PARENT_MODE; + if (strcmp(argv[i], "use_current_context") == 0) { + idata.flags |= PAMNS_USE_CURRENT_CONTEXT; + idata.flags |= PAMNS_CTXT_BASED_INST; + } + if (strcmp(argv[i], "use_default_context") == 0) { + idata.flags |= PAMNS_USE_DEFAULT_CONTEXT; + idata.flags |= PAMNS_CTXT_BASED_INST; + } + if (strcmp(argv[i], "mount_private") == 0) { + idata.flags |= PAMNS_MOUNT_PRIVATE; + } + if (strcmp(argv[i], "unmnt_remnt") == 0) + unmnt = UNMNT_REMNT; + if (strcmp(argv[i], "unmnt_only") == 0) + unmnt = UNMNT_ONLY; + if (strcmp(argv[i], "require_selinux") == 0) { + if (!(idata.flags & PAMNS_SELINUX_ENABLED)) { + pam_syslog(idata.pamh, LOG_ERR, + "selinux_required option given and selinux is disabled"); + return PAM_SESSION_ERR; + } + } + } + if (idata.flags & PAMNS_DEBUG) + pam_syslog(idata.pamh, LOG_DEBUG, "open_session - start"); + + retval = get_user_data(&idata); + if (retval != PAM_SUCCESS) + return retval; + + if (root_shared()) { + idata.flags |= PAMNS_MOUNT_PRIVATE; + } + + /* + * Parse namespace configuration file which lists directories to + * polyinstantiate, directory where instance directories are to + * be created and the method used for polyinstantiation. + */ + retval = parse_config_file(&idata); + if (retval != PAM_SUCCESS) { + del_polydir_list(idata.polydirs_ptr); + return PAM_SESSION_ERR; + } + + if (idata.polydirs_ptr) { + retval = setup_namespace(&idata, unmnt); + if (idata.flags & PAMNS_DEBUG) { + if (retval) + pam_syslog(idata.pamh, LOG_DEBUG, + "namespace setup failed for pid %d", getpid()); + else + pam_syslog(idata.pamh, LOG_DEBUG, + "namespace setup ok for pid %d", getpid()); + } + } else if (idata.flags & PAMNS_DEBUG) + pam_syslog(idata.pamh, LOG_DEBUG, "Nothing to polyinstantiate"); + + if (retval != PAM_SUCCESS) + del_polydir_list(idata.polydirs_ptr); + return retval; +} + + +/* + * Entry point from pam_close_session call. + */ +int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ + int i, retval; + struct instance_data idata; + const void *polyptr; + + /* init instance data */ + idata.flags = 0; + idata.polydirs_ptr = NULL; + idata.pamh = pamh; +#ifdef WITH_SELINUX + if (is_selinux_enabled()) + idata.flags |= PAMNS_SELINUX_ENABLED; + if (ctxt_based_inst_needed()) + idata.flags |= PAMNS_CTXT_BASED_INST; +#endif + + /* Parse arguments. */ + for (i = 0; i < argc; i++) { + if (strcmp(argv[i], "debug") == 0) + idata.flags |= PAMNS_DEBUG; + if (strcmp(argv[i], "ignore_config_error") == 0) + idata.flags |= PAMNS_IGN_CONFIG_ERR; + if (strcmp(argv[i], "unmount_on_close") == 0) + idata.flags |= PAMNS_UNMOUNT_ON_CLOSE; + } + + if (idata.flags & PAMNS_DEBUG) + pam_syslog(idata.pamh, LOG_DEBUG, "close_session - start"); + + /* + * Normally the unmount is implicitly done when the last + * process in the private namespace exits. + * If it is ensured that there are no child processes left in + * the private namespace by other means and if there are + * multiple sessions opened and closed sequentially by the + * same process, the "unmount_on_close" option might be + * used to unmount the polydirs explicitly. + */ + if (!(idata.flags & PAMNS_UNMOUNT_ON_CLOSE)) { + pam_set_data(idata.pamh, NAMESPACE_POLYDIR_DATA, NULL, NULL); + pam_set_data(idata.pamh, NAMESPACE_PROTECT_DATA, NULL, NULL); + + if (idata.flags & PAMNS_DEBUG) + pam_syslog(idata.pamh, LOG_DEBUG, "close_session - successful"); + return PAM_SUCCESS; + } + + retval = get_user_data(&idata); + if (retval != PAM_SUCCESS) + return retval; + + retval = pam_get_data(idata.pamh, NAMESPACE_POLYDIR_DATA, &polyptr); + if (retval != PAM_SUCCESS || polyptr == NULL) + /* nothing to reset */ + return PAM_SUCCESS; + + DIAG_PUSH_IGNORE_CAST_QUAL; + idata.polydirs_ptr = (void *)polyptr; + DIAG_POP_IGNORE_CAST_QUAL; + + if (idata.flags & PAMNS_DEBUG) + pam_syslog(idata.pamh, LOG_DEBUG, "Resetting namespace for pid %d", + getpid()); + + retval = orig_namespace(&idata); + if (idata.flags & PAMNS_DEBUG) { + if (retval) + pam_syslog(idata.pamh, LOG_DEBUG, + "resetting namespace failed for pid %d", getpid()); + else + pam_syslog(idata.pamh, LOG_DEBUG, + "resetting namespace ok for pid %d", getpid()); + } + + pam_set_data(idata.pamh, NAMESPACE_POLYDIR_DATA, NULL, NULL); + pam_set_data(idata.pamh, NAMESPACE_PROTECT_DATA, NULL, NULL); + + return PAM_SUCCESS; +} diff --git a/modules/pam_namespace/pam_namespace.h b/modules/pam_namespace/pam_namespace.h new file mode 100644 index 0000000..b51f284 --- /dev/null +++ b/modules/pam_namespace/pam_namespace.h @@ -0,0 +1,192 @@ +/****************************************************************************** + * A module for Linux-PAM that will set the default namespace after + * establishing a session via PAM. + * + * (C) Copyright IBM Corporation 2005 + * (C) Copyright Red Hat 2006 + * All Rights Reserved. + * + * Written by: Janak Desai <janak@us.ibm.com> + * With Revisions by: Steve Grubb <sgrubb@redhat.com> + * Derived from a namespace setup patch by Chad Sellers <cdselle@tycho.nsa.gov> + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * on the rights to use, copy, modify, merge, publish, distribute, sub + * license, and/or sell copies of the Software, and to permit persons to whom + * the Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice (including the next + * paragraph) shall be included in all copies or substantial portions of the + * Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL + * IBM AND/OR THEIR SUPPLIERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#if !(defined(linux)) +#error THIS CODE IS KNOWN TO WORK ONLY ON LINUX !!! +#endif + +#include "config.h" + +#include <stdio.h> +#include <stdio_ext.h> +#include <unistd.h> +#include <string.h> +#include <ctype.h> +#include <stdlib.h> +#include <errno.h> +#include <syslog.h> +#include <dlfcn.h> +#include <stdarg.h> +#include <pwd.h> +#include <grp.h> +#include <limits.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <sys/resource.h> +#include <sys/mount.h> +#include <sys/wait.h> +#include <libgen.h> +#include <fcntl.h> +#include <sched.h> +#include <glob.h> +#include <locale.h> +#include "security/pam_modules.h" +#include "security/pam_modutil.h" +#include "security/pam_ext.h" +#include "md5.h" + +#ifdef WITH_SELINUX +#include <selinux/selinux.h> +#include <selinux/get_context_list.h> +#include <selinux/context.h> +#include <selinux/label.h> +#endif + +#ifndef CLONE_NEWNS +#define CLONE_NEWNS 0x00020000 /* Flag to create new namespace */ +#endif + +/* mount flags for mount_private */ +#ifndef MS_REC +#define MS_REC (1<<14) +#endif +#ifndef MS_PRIVATE +#define MS_PRIVATE (1<<18) +#endif +#ifndef MS_SLAVE +#define MS_SLAVE (1<<19) +#endif + + +/* + * Module defines + */ +#ifndef SECURECONF_DIR +#define SECURECONF_DIR "/etc/security/" +#endif + +#define PAM_NAMESPACE_CONFIG (SECURECONF_DIR "namespace.conf") +#define NAMESPACE_INIT_SCRIPT (SECURECONF_DIR "namespace.init") +#define NAMESPACE_D_DIR (SECURECONF_DIR "namespace.d/") +#define NAMESPACE_D_GLOB (SECURECONF_DIR "namespace.d/*.conf") + +/* module flags */ +#define PAMNS_DEBUG 0x00000100 /* Running in debug mode */ +#define PAMNS_SELINUX_ENABLED 0x00000400 /* SELinux is enabled */ +#define PAMNS_CTXT_BASED_INST 0x00000800 /* Context based instance needed */ +#define PAMNS_GEN_HASH 0x00002000 /* Generate md5 hash for inst names */ +#define PAMNS_IGN_CONFIG_ERR 0x00004000 /* Ignore format error in conf file */ +#define PAMNS_IGN_INST_PARENT_MODE 0x00008000 /* Ignore instance parent mode */ +#define PAMNS_UNMOUNT_ON_CLOSE 0x00010000 /* Unmount at session close */ +#define PAMNS_USE_CURRENT_CONTEXT 0x00020000 /* use getcon instead of getexeccon */ +#define PAMNS_USE_DEFAULT_CONTEXT 0x00040000 /* use get_default_context instead of getexeccon */ +#define PAMNS_MOUNT_PRIVATE 0x00080000 /* Make the polydir mounts private */ + +/* polydir flags */ +#define POLYDIR_EXCLUSIVE 0x00000001 /* polyinstatiate exclusively for override uids */ +#define POLYDIR_CREATE 0x00000002 /* create the polydir */ +#define POLYDIR_NOINIT 0x00000004 /* no init script */ +#define POLYDIR_SHARED 0x00000008 /* share context/level instances among users */ +#define POLYDIR_ISCRIPT 0x00000010 /* non default init script */ +#define POLYDIR_MNTOPTS 0x00000020 /* mount options for tmpfs mount */ + + +#define NAMESPACE_MAX_DIR_LEN 80 +#define NAMESPACE_POLYDIR_DATA "pam_namespace:polydir_data" +#define NAMESPACE_PROTECT_DATA "pam_namespace:protect_data" + +/* + * Polyinstantiation method options, based on user, security context + * or both + */ +enum polymethod { + NONE, + USER, + CONTEXT, + LEVEL, + TMPDIR, + TMPFS +}; + +/* + * Depending on the application using this namespace module, we + * may need to unmount previously bind mounted instance directory. + * Applications such as login and sshd, that establish a new + * session unmount of instance directory is not needed. For applications + * such as su and newrole, that switch the identity, this module + * has to unmount previous instance directory first and re-mount + * based on the new identity. For other trusted applications that + * just want to undo polyinstantiation, only unmount of previous + * instance directory is needed. + */ +enum unmnt_op { + NO_UNMNT, + UNMNT_REMNT, + UNMNT_ONLY, +}; + +/* + * Structure that holds information about a directory to polyinstantiate + */ +struct polydir_s { + char dir[PATH_MAX]; /* directory to polyinstantiate */ + char rdir[PATH_MAX]; /* directory to unmount (based on RUSER) */ + char instance_prefix[PATH_MAX]; /* prefix for instance dir path name */ + enum polymethod method; /* method used to polyinstantiate */ + unsigned int num_uids; /* number of override uids */ + uid_t *uid; /* list of override uids */ + unsigned int flags; /* polydir flags */ + char *init_script; /* path to init script */ + char *mount_opts; /* mount options for tmpfs mount */ + unsigned long mount_flags; /* mount flags for tmpfs mount */ + uid_t owner; /* user which should own the polydir */ + gid_t group; /* group which should own the polydir */ + mode_t mode; /* mode of the polydir */ + struct polydir_s *next; /* pointer to the next polydir entry */ +}; + +struct protect_dir_s { + char *dir; /* protected directory */ + struct protect_dir_s *next; /* next entry */ +}; + +struct instance_data { + pam_handle_t *pamh; /* The pam handle for this instance */ + struct polydir_s *polydirs_ptr; /* The linked list pointer */ + struct protect_dir_s *protect_dirs; /* The pointer to stack of mount-protected dirs */ + char user[LOGIN_NAME_MAX]; /* User name */ + char ruser[LOGIN_NAME_MAX]; /* Requesting user name */ + uid_t uid; /* The uid of the user */ + gid_t gid; /* The gid of the user's primary group */ + uid_t ruid; /* The uid of the requesting user */ + unsigned long flags; /* Flags for debug, selinux etc */ +}; diff --git a/modules/pam_namespace/pam_namespace.service.in b/modules/pam_namespace/pam_namespace.service.in new file mode 100644 index 0000000..e231191 --- /dev/null +++ b/modules/pam_namespace/pam_namespace.service.in @@ -0,0 +1,11 @@ +[Unit] +After=local-fs.target +Before=multi-user.target shutdown.target +Conflicts=shutdown.target +DefaultDependencies=no +Description=Make sure parent directories configured in @SCONFIGDIR@/namespace.conf for polyinstantiation exist +Documentation=man:pam_namespace(8) + +[Service] +ExecStart=@sbindir@/pam_namespace_helper +Type=oneshot diff --git a/modules/pam_namespace/pam_namespace_helper.8 b/modules/pam_namespace/pam_namespace_helper.8 new file mode 100644 index 0000000..df93df2 --- /dev/null +++ b/modules/pam_namespace/pam_namespace_helper.8 @@ -0,0 +1,49 @@ +'\" t +.\" Title: pam_namespace_helper +.\" Author: [see the "AUTHOR" section] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_NAMESPACE_HELPER" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_namespace_helper \- Helper binary that creates home directories +.SH "SYNOPSIS" +.HP \w'\fBpam_namespace_helper\fR\ 'u +\fBpam_namespace_helper\fR +.SH "DESCRIPTION" +.PP +\fIpam_namespace_helper\fR +is a helper program for the +\fIpam_namespace\fR +module that sets up a private namespace for a session with polyinstantiated directories\&. The helper ensures that the namespace mount points exist before they are started to be used for the polyinstantiated directories\&. Mount points for home directories (lines with $HOME) are not created\&. +.PP +\fIpam_namespace_helper\fR +should be run by systemd at system startup\&. It should also be run by the administrator after defining the polyinstantiated directories but before enabling them\&. +.SH "SEE ALSO" +.PP +\fBpam_namespace\fR(8) +.SH "AUTHOR" +.PP +Written by Topi Miettinen\&. diff --git a/modules/pam_namespace/pam_namespace_helper.8.xml b/modules/pam_namespace/pam_namespace_helper.8.xml new file mode 100644 index 0000000..2f5adbe --- /dev/null +++ b/modules/pam_namespace/pam_namespace_helper.8.xml @@ -0,0 +1,62 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_namespace_helper"> + + <refmeta> + <refentrytitle>pam_namespace_helper</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_namespace_helper-name"> + <refname>pam_namespace_helper</refname> + <refpurpose>Helper binary that creates home directories</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_namespace_helper-cmdsynopsis"> + <command>pam_namespace_helper</command> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_namespace_helper-description"> + + <title>DESCRIPTION</title> + + <para> + <emphasis>pam_namespace_helper</emphasis> is a helper program + for the <emphasis>pam_namespace</emphasis> module that sets up a + private namespace for a session with polyinstantiated + directories. The helper ensures that the namespace mount points + exist before they are started to be used for the + polyinstantiated directories. Mount points for home directories + (lines with $HOME) are not created. + </para> + + <para> + <emphasis>pam_namespace_helper</emphasis> should be run by + systemd at system startup. It should also be run by the + administrator after defining the polyinstantiated directories + but before enabling them. + </para> + </refsect1> + + <refsect1 id='pam_namespace_helper-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_namespace</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_namespace_helper-author'> + <title>AUTHOR</title> + <para> + Written by Topi Miettinen. + </para> + </refsect1> + +</refentry> diff --git a/modules/pam_namespace/pam_namespace_helper.in b/modules/pam_namespace/pam_namespace_helper.in new file mode 100644 index 0000000..b9c361f --- /dev/null +++ b/modules/pam_namespace/pam_namespace_helper.in @@ -0,0 +1,15 @@ +#!/bin/sh + +CONF=@SCONFIGDIR@/namespace.conf + +# Match logic of process_line(), except lines with $HOME are ignored +# skip the leading white space, rip off the comments, ignore empty lines +sed -e 's/^[ ]*//g' -e 's/#.*//g' -e '/.*\$HOME.*/d' -e '/^$/d' < $CONF | \ + while read polydir instance_prefix method uids; do + if [ ! -e "$instance_prefix" ]; then + echo "mkdir $instance_prefix" + mkdir --parents --mode=0 -Z "$instance_prefix" + fi + done + +exit 0 diff --git a/modules/pam_namespace/tst-pam_namespace b/modules/pam_namespace/tst-pam_namespace new file mode 100755 index 0000000..c929dfc --- /dev/null +++ b/modules/pam_namespace/tst-pam_namespace @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_namespace.so |