From: David Quigley <dpquigl@xxxxxxxxxxxxx> This patch makes changes to existing functions to make use of the new functions added in patch #2. Signed-Off-By: David Quigley <dpquigl@xxxxxxxxxxxxx> --- pam_namespace.c | 186 +++++++------------------------------------------------- 1 file changed, 25 insertions(+), 161 deletions(-) diff -uprN -X dontdiff pam_namespace_functions/pam_namespace.c pam_namespace_cleanup/pam_namespace.c --- pam_namespace_functions/pam_namespace.c 2006-07-24 13:01:34.000000000 -0400 +++ pam_namespace_cleanup/pam_namespace.c 2006-07-24 12:59:12.000000000 -0400 @@ -67,7 +67,7 @@ static int add_polydir_entry(struct inst const struct polydir_s *ent) { struct polydir_s *pent; - unsigned int i; + int rc = 0; /* * Allocate an entry to hold information about a directory to @@ -76,27 +76,14 @@ static int add_polydir_entry(struct inst * directories. */ pent = (struct polydir_s *) malloc(sizeof(struct polydir_s)); - if (!pent) - return -1; - + if (!pent) { + rc = -1; + goto out; + } /* Make copy */ - strcpy(pent->dir, ent->dir); - strcpy(pent->instance_prefix, ent->instance_prefix); - pent->method = ent->method; - pent->num_uids = ent->num_uids; - if (ent->num_uids) { - uid_t *pptr, *eptr; - - pent->uid = (uid_t *) malloc(ent->num_uids * sizeof(uid_t)); - if (!(pent->uid)) { - free(pent); - return -1; - } - for (i = 0, pptr = pent->uid, eptr = ent->uid; i < ent->num_uids; - i++, eptr++, pptr++) - *pptr = *eptr; - } else - pent->uid = NULL; + rc = copy_ent(ent,pent); + if(rc < 0) + goto out_clean; /* Now attach to linked list */ pent->next = NULL; @@ -110,8 +97,11 @@ static int add_polydir_entry(struct inst tail = tail->next; tail->next = pent; } - - return 0; + goto out; +out_clean: + free(pent); +out: + return rc; } @@ -504,49 +494,10 @@ static int poly_name(const struct polydi struct instance_data *idata) #endif { -#ifdef WITH_SELINUX - security_context_t scon = NULL; - security_class_t tclass; -#endif int rc; # ifdef WITH_SELINUX - /* - * Get the security context of the directory to polyinstantiate. - */ - rc = getfilecon(polyptr->dir, origcon); - if (rc < 0 || *origcon == NULL) { - pam_syslog(idata->pamh, LOG_ERR, - "Error getting poly dir context, %m"); - return PAM_SESSION_ERR; - } - - /* - * If polyinstantiating based on security context, get current - * process security context, get security class for directories, - * and ask the policy to provide security context of the - * polyinstantiated instance directory. - */ - if ((polyptr->method == CONTEXT) || (polyptr->method == BOTH)) { - rc = getexeccon(&scon); - if (rc < 0 || scon == NULL) { - pam_syslog(idata->pamh, LOG_ERR, - "Error getting exec context, %m"); - return PAM_SESSION_ERR; - } - tclass = string_to_security_class("dir"); - - if (security_compute_member(scon, *origcon, tclass, - i_context) < 0) { - pam_syslog(idata->pamh, LOG_ERR, - "Error computing poly dir member context"); - freecon(scon); - return PAM_SESSION_ERR; - } else if (idata->flags & PAMNS_DEBUG) - pam_syslog(idata->pamh, LOG_DEBUG, - "member context returned by policy %s", *i_context); - freecon(scon); - } + rc = form_context(polyptr, i_context, origcon, idata); #endif rc = PAM_SUCCESS; @@ -719,16 +670,14 @@ static int create_dirs(const struct poly struct instance_data *idata) #endif { - struct stat statbuf, newstatbuf, instpbuf; - int fd, status; - char *inst_parent, *trailing_slash; - pid_t rc, pid; - sighandler_t osighand = NULL; + struct stat statbuf, newstatbuf; + int rc, fd; /* * stat the directory to polyinstantiate, so its owner-group-mode * can be propagated to instance directory */ + rc = PAM_SUCCESS; if (stat(polyptr->dir, &statbuf) < 0) { pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m", polyptr->dir); @@ -743,49 +692,12 @@ static int create_dirs(const struct poly polyptr->dir); return PAM_SESSION_ERR; } - - /* - * stat the instance parent path to make sure it exists - * and is a directory. Check that its mode is 000 (unless the - * admin explicitly instructs to ignore the instance parent - * mode by the "ignore_instance_parent_mode" argument). - */ - inst_parent = (char *) malloc(strlen(ipath)+1); - if (!inst_parent) { - pam_syslog(idata->pamh, LOG_ERR, "Error allocating pathname string"); - return PAM_SESSION_ERR; - } - - strcpy(inst_parent, ipath); - trailing_slash = strrchr(inst_parent, '/'); - if (trailing_slash) - *trailing_slash = '\0'; - - if (stat(inst_parent, &instpbuf) < 0) { - pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m", inst_parent); - free(inst_parent); - return PAM_SESSION_ERR; - } - - /* - * Make sure we are dealing with a directory - */ - if (!S_ISDIR(instpbuf.st_mode)) { - pam_syslog(idata->pamh, LOG_ERR, "Instance parent %s is not a dir", - inst_parent); - free(inst_parent); - return PAM_SESSION_ERR; - } - - if ((idata->flags & PAMNS_IGN_INST_PARENT_MODE) == 0) { - if (instpbuf.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) { - pam_syslog(idata->pamh, LOG_ERR, "Mode of inst parent %s not 000", - inst_parent); - free(inst_parent); - return PAM_SESSION_ERR; - } - } - free(inst_parent); + + /* + * Check to make sure instance parent is valid. + */ + if (check_inst_parent(ipath, idata)) + return PAM_SESSION_ERR; /* * Create instance directory and set its security context to the context @@ -867,56 +779,8 @@ static int create_dirs(const struct poly */ inst_init: - osighand = signal(SIGCHLD, SIG_DFL); - if (osighand == SIG_ERR) { - pam_syslog(idata->pamh, LOG_ERR, "Cannot set signal value"); - return PAM_SESSION_ERR; - } - - if (access(NAMESPACE_INIT_SCRIPT, F_OK) == 0) { - if (access(NAMESPACE_INIT_SCRIPT, X_OK) < 0) { - if (idata->flags & PAMNS_DEBUG) - pam_syslog(idata->pamh, LOG_ERR, - "Namespace init script not executable"); - (void) signal(SIGCHLD, osighand); - return PAM_SESSION_ERR; - } else { - pid = fork(); - if (pid == 0) { -#ifdef WITH_SELINUX - if (idata->flags & PAMNS_SELINUX_ENABLED) { - if (setexeccon(NULL) < 0) - exit(1); - } -#endif - if (execl(NAMESPACE_INIT_SCRIPT, NAMESPACE_INIT_SCRIPT, - polyptr->dir, ipath, (char *)NULL) < 0) - exit(1); - } else if (pid > 0) { - while (((rc = waitpid(pid, &status, 0)) == (pid_t)-1) && - (errno == EINTR)); - if (rc == (pid_t)-1) { - pam_syslog(idata->pamh, LOG_ERR, "waitpid failed- % m"); - (void) signal(SIGCHLD, osighand); - return PAM_SESSION_ERR; - } - if (!WIFEXITED(status) || WIFSIGNALED(status) > 0) { - pam_syslog(idata->pamh, LOG_ERR, - "Error initializing instance"); - (void) signal(SIGCHLD, osighand); - return PAM_SESSION_ERR; - } - } else if (pid < 0) { - pam_syslog(idata->pamh, LOG_ERR, - "Cannot fork to run namespace init script, % m"); - (void) signal(SIGCHLD, osighand); - return PAM_SESSION_ERR; - } - } - } - - (void) signal(SIGCHLD, osighand); - return PAM_SUCCESS; + rc = inst_init(polyptr, ipath, idata); + return rc; } _______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list