[PATCH 3/3] pam_namespace: Use functions added in patch #2

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



From: David Quigley <dpquigl@xxxxxxxxxxxxx>

This patch makes changes to existing functions to make use of the new
functions added in patch #2.

Signed-Off-By: David Quigley <dpquigl@xxxxxxxxxxxxx>
---

 pam_namespace.c |  186
+++++++-------------------------------------------------
 1 file changed, 25 insertions(+), 161 deletions(-)

diff -uprN -X dontdiff pam_namespace_functions/pam_namespace.c
pam_namespace_cleanup/pam_namespace.c
--- pam_namespace_functions/pam_namespace.c	2006-07-24
13:01:34.000000000 -0400
+++ pam_namespace_cleanup/pam_namespace.c	2006-07-24 12:59:12.000000000
-0400
@@ -67,7 +67,7 @@ static int add_polydir_entry(struct inst
 	const struct polydir_s *ent)
 {
     struct polydir_s *pent;
-    unsigned int i;
+    int rc = 0;
 
     /*
      * Allocate an entry to hold information about a directory to
@@ -76,27 +76,14 @@ static int add_polydir_entry(struct inst
      * directories.
      */
     pent = (struct polydir_s *) malloc(sizeof(struct polydir_s));
-    if (!pent) 
-        return -1;
-
+	if (!pent) { 
+		rc = -1;
+		goto out;
+	}
     /* Make copy */
-    strcpy(pent->dir, ent->dir);
-    strcpy(pent->instance_prefix, ent->instance_prefix);
-    pent->method = ent->method;
-    pent->num_uids = ent->num_uids;
-    if (ent->num_uids) {
-        uid_t *pptr, *eptr;
-
-        pent->uid = (uid_t *) malloc(ent->num_uids * sizeof(uid_t));
-        if (!(pent->uid)) {
-            free(pent);
-            return -1;
-        }
-        for (i = 0, pptr = pent->uid, eptr = ent->uid; i <
ent->num_uids;
-                 i++, eptr++, pptr++)
-             *pptr = *eptr;
-    } else 
-        pent->uid = NULL;
+	rc = copy_ent(ent,pent);
+	if(rc < 0)
+		goto out_clean;
 
     /* Now attach to linked list */
     pent->next = NULL;
@@ -110,8 +97,11 @@ static int add_polydir_entry(struct inst
             tail = tail->next;
         tail->next = pent;
     }
-
-    return 0;
+    goto out;
+out_clean:
+	free(pent);
+out:
+	return rc;
 }
 
 
@@ -504,49 +494,10 @@ static int poly_name(const struct polydi
 	struct instance_data *idata)
 #endif
 {
-#ifdef WITH_SELINUX
-    security_context_t scon = NULL;
-    security_class_t tclass;
-#endif
     int rc;
 
 # ifdef WITH_SELINUX
-    /*
-     * Get the security context of the directory to polyinstantiate.
-     */
-    rc = getfilecon(polyptr->dir, origcon);
-    if (rc < 0 || *origcon == NULL) {
-       pam_syslog(idata->pamh, LOG_ERR,
-		"Error getting poly dir context, %m");
-       return PAM_SESSION_ERR;
-    }
-
-    /*
-     * If polyinstantiating based on security context, get current
-     * process security context, get security class for directories,
-     * and ask the policy to provide security context of the
-     * polyinstantiated instance directory.
-     */
-    if ((polyptr->method == CONTEXT) || (polyptr->method == BOTH)) {
-        rc = getexeccon(&scon);
-        if (rc < 0 || scon == NULL) {
-            pam_syslog(idata->pamh, LOG_ERR, 
-		"Error getting exec context, %m");
-            return PAM_SESSION_ERR;
-	}
-        tclass = string_to_security_class("dir");
-
-        if (security_compute_member(scon, *origcon, tclass,
-						i_context) < 0) {
-    	    pam_syslog(idata->pamh, LOG_ERR,
-                       "Error computing poly dir member context");
-	    freecon(scon);
-    	    return PAM_SESSION_ERR;
-        } else if (idata->flags & PAMNS_DEBUG)
-    	    pam_syslog(idata->pamh, LOG_DEBUG, 
-		    "member context returned by policy %s", *i_context);
-	freecon(scon);
-    }
+    rc = form_context(polyptr, i_context, origcon, idata);
 #endif
     rc = PAM_SUCCESS;
 
@@ -719,16 +670,14 @@ static int create_dirs(const struct poly
 	struct instance_data *idata)
 #endif
 {
-    struct stat statbuf, newstatbuf, instpbuf;
-    int fd, status;
-    char *inst_parent, *trailing_slash;
-    pid_t rc, pid;
-    sighandler_t osighand = NULL;
+	struct stat statbuf, newstatbuf;
+	int rc, fd;
 
     /*
      * stat the directory to polyinstantiate, so its owner-group-mode
      * can be propagated to instance directory
      */
+	rc = PAM_SUCCESS;
     if (stat(polyptr->dir, &statbuf) < 0) {
         pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m",
 		polyptr->dir);
@@ -743,49 +692,12 @@ static int create_dirs(const struct poly
 		polyptr->dir);
         return PAM_SESSION_ERR;
     }
-
-    /*
-     * stat the instance parent path to make sure it exists
-     * and is a directory. Check that its mode is 000 (unless the
-     * admin explicitly instructs to ignore the instance parent
-     * mode by the "ignore_instance_parent_mode" argument).
-     */
-    inst_parent = (char *) malloc(strlen(ipath)+1);
-    if (!inst_parent) {
-	pam_syslog(idata->pamh, LOG_ERR, "Error allocating pathname string");
-        return PAM_SESSION_ERR;
-    }
-
-    strcpy(inst_parent, ipath);
-    trailing_slash = strrchr(inst_parent, '/');
-    if (trailing_slash)
-        *trailing_slash = '\0';
-
-    if (stat(inst_parent, &instpbuf) < 0) {
-        pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m",
inst_parent);
-        free(inst_parent);
-        return PAM_SESSION_ERR;
-    }
-
-    /*
-     * Make sure we are dealing with a directory
-     */
-    if (!S_ISDIR(instpbuf.st_mode)) {
-	pam_syslog(idata->pamh, LOG_ERR, "Instance parent %s is not a dir",
-		inst_parent);
-        free(inst_parent);
-        return PAM_SESSION_ERR;
-    }
-
-    if ((idata->flags & PAMNS_IGN_INST_PARENT_MODE) == 0) {
-        if (instpbuf.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) {
-	    pam_syslog(idata->pamh, LOG_ERR, "Mode of inst parent %s not 000",
-		    inst_parent);
-            free(inst_parent);
-            return PAM_SESSION_ERR;
-        }
-    }
-    free(inst_parent);
+	
+	/*
+	 * Check to make sure instance parent is valid.
+	 */
+	if (check_inst_parent(ipath, idata))
+		return PAM_SESSION_ERR;
 
     /*
      * Create instance directory and set its security context to the
context
@@ -867,56 +779,8 @@ static int create_dirs(const struct poly
      */
 
 inst_init:
-    osighand = signal(SIGCHLD, SIG_DFL);
-    if (osighand == SIG_ERR) {
-        pam_syslog(idata->pamh, LOG_ERR, "Cannot set signal value");
-        return PAM_SESSION_ERR;
-    }
-
-    if (access(NAMESPACE_INIT_SCRIPT, F_OK) == 0) {
-        if (access(NAMESPACE_INIT_SCRIPT, X_OK) < 0) {
-            if (idata->flags & PAMNS_DEBUG)
-                pam_syslog(idata->pamh, LOG_ERR,
-                           "Namespace init script not executable");
-            (void) signal(SIGCHLD, osighand);
-            return PAM_SESSION_ERR;
-        } else {
-            pid = fork();
-	    if (pid == 0) {
-#ifdef WITH_SELINUX
-		if (idata->flags & PAMNS_SELINUX_ENABLED) {
-		    if (setexeccon(NULL) < 0)
-			exit(1);
-		}
-#endif
-	        if (execl(NAMESPACE_INIT_SCRIPT, NAMESPACE_INIT_SCRIPT,
-		          polyptr->dir, ipath, (char *)NULL) < 0)
-		    exit(1);
-            } else if (pid > 0) {
-                while (((rc = waitpid(pid, &status, 0)) == (pid_t)-1)
&&
-                       (errno == EINTR));
-                if (rc == (pid_t)-1) {
-                    pam_syslog(idata->pamh, LOG_ERR, "waitpid failed- %
m");
-                    (void) signal(SIGCHLD, osighand);
-                    return PAM_SESSION_ERR;
-                }
-                if (!WIFEXITED(status) || WIFSIGNALED(status) > 0) {
-                    pam_syslog(idata->pamh, LOG_ERR,
-                               "Error initializing instance");
-                    (void) signal(SIGCHLD, osighand);
-                    return PAM_SESSION_ERR;
-                }
-	    } else if (pid < 0) {
-                pam_syslog(idata->pamh, LOG_ERR,
-                           "Cannot fork to run namespace init script, %
m");
-                (void) signal(SIGCHLD, osighand);
-                return PAM_SESSION_ERR;
-	    }
-        }
-    }
-
-    (void) signal(SIGCHLD, osighand);
-    return PAM_SUCCESS;
+	rc = inst_init(polyptr, ipath, idata); 
+    return rc;
 }

_______________________________________________

Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux