If the file /etc/security/namespace.init exists it will be exec'd for every directory being polyinstantiated. The functionality of this script may not actually be required for all directories being polyinstantiated. However, the current implementation provides no mechanism to avoid this costly overhead. This patch adds a run option (run_init/no_init) to control the execution of the init script for each polyinstantiated directory. One side affect of this patch is the configuration of the override list is no longer optional so if no overrides are required 'none' must be specified. To deal with this side affect I've, in a seperate patch, added an awk script to the %post of the spec file to add default values for the override list and init script option.
pam_namespace.c | 126 ++++++++++++++++++++++++++++++++------------------------
pam_namespace.h | 5 ++
2 files changed, 78 insertions(+), 53 deletions(-)
--- Linux-PAM-0.99.8.1/modules/pam_namespace/pam_namespace.c 2007-11-14 11:26:57.000000000 -0600
+++ Linux-PAM-0.99.8.1.new/modules/pam_namespace/pam_namespace.c 2007-11-14 11:28:09.000000000 -0600
@@ -43,6 +43,7 @@ static int copy_ent(const struct polydir
 strcpy(pent->dir, ent->dir);
 strcpy(pent->instance_prefix, ent->instance_prefix);
 pent->method = ent->method;
+ pent->run_init = ent->run_init;
 pent->num_uids = ent->num_uids;
 pent->exclusive = ent->exclusive;
 if (ent->num_uids) {
@@ -139,7 +140,7 @@ static int process_line(char *line, cons
 struct instance_data *idata)
 {
 const char *dir, *instance_prefix;
- const char *method, *uids;
+ const char *method, *uids, *run_init_script;
 char *tptr;
 struct polydir_s poly;
 int retval = 0;
@@ -182,22 +183,24 @@ static int process_line(char *line, cons
 */
 retval = argv_parse(line, &num_config_options, &config_options);
 if (retval != 0) {
- pam_syslog(idata->pamh, LOG_NOTICE, "Invalid line missing polydir");
+ pam_syslog(idata->pamh, LOG_NOTICE, "Error parsing configuration line");
 goto skipping;
 }
 dir = config_options[0];
- if (dir == NULL) {
+ if (num_config_options < 1 || dir == NULL) {
 pam_syslog(idata->pamh, LOG_NOTICE, "Invalid line missing polydir");
 goto skipping;
 }
+
 instance_prefix = config_options[1];
- if (instance_prefix == NULL) {
+ if (num_config_options < 2 || instance_prefix == NULL) {
 pam_syslog(idata->pamh, LOG_NOTICE, "Invalid line missing instance_prefix");
 goto skipping;
 }
+
 method = config_options[2];
- if (method == NULL) {
+ if (num_config_options < 3 || method == NULL) {
 pam_syslog(idata->pamh, LOG_NOTICE, "Invalid line missing method");
 goto skipping;
 }
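Review bot: Each new guard indexes `config_options` before it tests `num_config_options` (`dir = config_options[0]; if (num_config_options < 1 || dir == NULL)` and the two that follow it), so on a line with fewer than three fields the reads stay in bounds only if argv_parse always NULL-terminates the array, which this hunk does not show. Testing the count first, `if (num_config_options < 2 || (instance_prefix = config_options[1]) == NULL)`, removes that dependency and makes the count check actually protect the read it was added for. process_line continues past the end of the hunk.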
@@ -216,60 +219,72 @@ static int process_line(char *line, cons
 * is not performed), read the user ids, convert names into uids, and
 * add to polyinstantiated directory structure.
 */
- if (uids) {
- uid_t *uidptr;
- char *saveptr, *token;
- char *ustr, *sstr;
- int count;
-
- sstr = uids;
- if (*uids == '~') {
- poly.exclusive = 1;
- uids++;
- }
+ if (num_config_options >= 4 && uids) {
+ if (strcmp(uids, "none") != 0) {
+ uid_t *uidptr;
+ char *saveptr, *token;
+ const char *ustr, *sstr;
+ int count, i;
+
+ sstr = uids;
+ if (*uids == '~') {
+ poly.exclusive = 1;
+ uids++;
+ }
- for (count = 0, ustr = uids; ; count++, ustr = NULL) {
- token = strtok_r(ustr, ",", &saveptr);
- if (token == NULL)
- break;
- }
+ for (count = 0, ustr = uids; ; count++, ustr = NULL) {
+ token = strtok_r(ustr, ",", &saveptr);
+ if (token == NULL)
+ break;
+ }
- if (count == 0) {
- pam_syslog(idata->pamh, LOG_NOTICE, "Invalid override list %s", sstr);
- goto skipping;
- }
+ if (count == 0) {
+ pam_syslog(idata->pamh, LOG_NOTICE, "Invalid override list %s", sstr);
+ goto skipping;
+ }
- poly.num_uids = count;
- poly.uid = (uid_t *)malloc(count * sizeof(uid_t));
- if (poly.uid == NULL) {
- pam_syslog(idata->pamh, LOG_NOTICE, "out of memory");
- goto skipping;
- }
- uidptr = poly.uid;
+ poly.num_uids = count;
+ poly.uid = (uid_t *)malloc(count * sizeof(uid_t));
+ if (poly.uid == NULL) {
+ pam_syslog(idata->pamh, LOG_NOTICE, "out of memory");
+ goto skipping;
+ }
+ uidptr = poly.uid;
- for (ustr = uids; ;ustr = NULL) {
- struct passwd *pwd;
- token = strtok_r(ustr, ",", &saveptr);
- if (token == NULL)
- break;
-
- pwd = getpwnam(token);
- if (pwd == NULL) {
- pam_syslog(idata->pamh, LOG_ERR, "Unknown user %s in configuration", token);
- poly.num_uids--;
- } else {
- if (pwd->pw_uid == idata->uid) {
- /*
- * Why put it in the list if this
- * user doesn't polyinstiate it
- */
- free(poly.uid);
- goto out;
+ for (ustr = uids; ;ustr = NULL) {
+ struct passwd *pwd;
+ token = strtok_r(ustr, ",", &saveptr);
+ if (token == NULL)
+ break;
+
+ pwd = getpwnam(token);
+ if (pwd == NULL) {
+ pam_syslog(idata->pamh, LOG_ERR, "Unknown user %s in configuration", token);
+ poly.num_uids--;
+ } else {
+ if (pwd->pw_uid == idata->uid) {
+ /*
+ * Why put it in the list if this
+ * user doesn't polyinstiate it
+ */
+ free(poly.uid);
+ goto out;
+ }
+ *uidptr = pwd->pw_uid;
+ uidptr++;
 }
- }
- *uidptr = pwd->pw_uid;
- uidptr++;
 }
 }
+ } else {
+ pam_syslog(idata->pamh, LOG_NOTICE, "Invalid line missing override list or 'none'");
+ goto skipping;
+
+ }
+
+ run_init_script = config_options[4];
+ if (num_config_options < 5 || run_init_script == NULL) {
+ pam_syslog(idata->pamh, LOG_NOTICE, "Invalid line missing init script configuration");
+ goto skipping;
 }
 /*
@@ -313,6 +328,10 @@ static int process_line(char *line, cons
 strcpy(poly.dir, dir);
 strcpy(poly.instance_prefix, instance_prefix);
+ poly.run_init = DONT_RUN_INIT_SCRIPT;
+ if (strcmp(run_init_script, "run_init") == 0)
+ poly.run_init = RUN_INIT_SCRIPT;
+
 poly.method = NONE;
 if (strcmp(method, "user") == 0)
 poly.method = USER;
@@ -1041,7 +1060,8 @@ static int create_dirs(struct polydir_s
 */
 inst_init:
- rc = inst_init(polyptr, ipath, idata, newdir);
+ if (polyptr->run_init == RUN_INIT_SCRIPT)
+ rc = inst_init(polyptr, ipath, idata, newdir);
 return rc;
 }
--- Linux-PAM-0.99.8.1/modules/pam_namespace/pam_namespace.h 2007-11-14 10:49:21.000000000 -0600
+++ Linux-PAM-0.99.8.1.new/modules/pam_namespace/pam_namespace.h 2007-11-14 10:48:57.000000000 -0600
@@ -131,6 +131,10 @@ enum unmnt_op {
 UNMNT_ONLY,
 };
+enum run_init_op {
+ RUN_INIT_SCRIPT,
+ DONT_RUN_INIT_SCRIPT
+};
 /*
 * Structure that holds information about a directory to polyinstantiate
 */
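Review bot: The re-indented override-list parser still tokenizes `uids` twice with strtok_r, and the first pass (`for (count = 0, ustr = uids; ; count++, ustr = NULL)`) overwrites every ',' with '\0', so the second pass only ever sees the first name: for `user1,user2` poly.num_uids is 2 but poly.uid[1] is never written and is later compared as an override uid out of uninitialized heap memory. That defect predates the patch, but the hunk now also declares `ustr` as `const char *` and hands it to strtok_r, which writes through it, and adds an `i` that nothing uses. A single strtok_r pass into a strchr-sized array, as below, fixes all three without changing the accepted syntax; it keeps writing through `uids`, which the old code already did via its `char *ustr`. The enclosing if-block and process_line itself continue beyond the end of the hunk.
```c
            uid_t *uidptr;
            char *saveptr, *token, *wstr;
            const char *ustr, *sstr;
            int count;

            /* … unchanged: sstr = uids and the '~' prefix handling … */

            /* Upper bound on the number of names: one more than the commas. */
            for (count = 1, ustr = uids; (ustr = strchr(ustr, ',')) != NULL; ustr++)
                count++;

            poly.uid = (uid_t *)malloc(count * sizeof(uid_t));
            if (poly.uid == NULL) {
                pam_syslog(idata->pamh, LOG_NOTICE, "out of memory");
                goto skipping;
            }
            uidptr = poly.uid;
            poly.num_uids = 0;

            /*
             * One pass only: strtok_r replaces each ',' with '\0', so the
             * buffer cannot be tokenized a second time.
             */
            for (count = 0, wstr = (char *)uids; ; wstr = NULL) {
                struct passwd *pwd;

                token = strtok_r(wstr, ",", &saveptr);
                if (token == NULL)
                    break;
                count++;

                pwd = getpwnam(token);
                if (pwd == NULL) {
                    pam_syslog(idata->pamh, LOG_ERR, "Unknown user %s in configuration", token);
                    continue;
                }
                if (pwd->pw_uid == idata->uid) {
                    /* This user does not polyinstantiate the directory. */
                    free(poly.uid);
                    goto out;
                }
                *uidptr++ = pwd->pw_uid;
                poly.num_uids++;
            }
            if (count == 0) {
                pam_syslog(idata->pamh, LOG_NOTICE, "Invalid override list %s", sstr);
                free(poly.uid);
                poly.uid = NULL;
                goto skipping;
            }
```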
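Review bot: Any fifth-field value other than the literal `run_init` silently becomes DONT_RUN_INIT_SCRIPT, so a typo in namespace.conf (`run-init`, `runinit`) turns the init script off for that directory without a single log line, even though the description says the option is `run_init/no_init`. Since namespace.init is the per-instance setup hook, an unrecognised token should be rejected the way the other malformed fields in process_line are: accept exactly the two spellings and `goto skipping` otherwise, as below. process_line continues outside the hunk.
```c
    strcpy(poly.instance_prefix, instance_prefix);

    /* Fifth field: whether namespace.init runs for a new instance of this dir. */
    if (strcmp(run_init_script, "run_init") == 0)
        poly.run_init = RUN_INIT_SCRIPT;
    else if (strcmp(run_init_script, "no_init") == 0)
        poly.run_init = DONT_RUN_INIT_SCRIPT;
    else {
        pam_syslog(idata->pamh, LOG_NOTICE, "Invalid init script option %s", run_init_script);
        goto skipping;
    }

    /* … unchanged: method parsing … */
```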
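Review bot: With run_init set to DONT_RUN_INIT_SCRIPT, create_dirs now returns whatever `rc` happened to hold when control reached the `inst_init:` label; that label is presumably a goto target from earlier in the function (outside the hunk), so the result on the skip path depends on each path's last assignment to rc rather than on a deliberate value. The old code always overwrote rc with inst_init's result, so give the skip path an explicit outcome: `if (polyptr->run_init == RUN_INIT_SCRIPT) rc = inst_init(polyptr, ipath, idata, newdir); else rc = PAM_SUCCESS;` (or whichever success code inst_init itself returns). create_dirs begins outside the hunk.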
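Review bot: The new `enum run_init_op` carries no comment, and its enumerator order is load-bearing: RUN_INIT_SCRIPT is the zero value, so a polydir_s whose run_init was never assigned (zeroed storage, or a copy path that does not mirror copy_ent) keeps the pre-patch always-run behaviour. Say so above the enum so nobody reorders it later, e.g. `/* Whether namespace.init is run for a new instance of a polydir. RUN_INIT_SCRIPT is deliberately the zero value so an unset entry keeps the old always-run behaviour. */`.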
@@ -138,7 +142,8 @@ struct polydir_s {
 char dir[PATH_MAX]; /* directory to polyinstantiate */
 char instance_prefix[PATH_MAX]; /* prefix for instance dir path name */
 enum polymethod method; /* method used to polyinstantiate */
+ enum run_init_op run_init;
 unsigned int num_uids; /* number of override uids */
 uid_t *uid; /* list of override uids */
 int exclusive; /* polyinstatiate exclusively for override uids */
--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
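Review bot: `run_init` is the only field in struct polydir_s without a trailing comment, while every neighbouring field documents itself (`/* method used to polyinstantiate */`, `/* list of override uids */`). Add one in the same style, `enum run_init_op run_init; /* run namespace.init for new instances? */`, so the fifth namespace.conf field is traceable from the struct. struct polydir_s closes outside the hunk.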