backport-pam_namespace_post170-07.patch 4.16 KB
hugel 提交于 2025-06-26 16:54 +08:00 . fix CVE-2025-6020
From 3db1fbfad402bedfd2177987cd260b79964ae8e4 Mon Sep 17 00:00:00 2001
From: Olivier Bal-Petre <olivier.bal-petre@ssi.gouv.fr>
Date: Tue, 4 Mar 2025 14:37:02 +0100
Subject: [PATCH] pam_namespace: cleanup: reduce excessive nesting in
inst_init()
Signed-off-by: Olivier Bal-Petre <olivier.bal-petre@ssi.gouv.fr>
Conflict:NA
Reference:https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/pam/1.5.3-5ubuntu5.4/pam_1.5.3-5ubuntu5.4.debian.tar.xz
---
modules/pam_namespace/pam_namespace.c | 112 +++++++++++++-------------
1 file changed, 56 insertions(+), 56 deletions(-)
--- a/modules/pam_namespace/pam_namespace.c
+++ b/modules/pam_namespace/pam_namespace.c
@@ -1378,68 +1378,68 @@ static int inst_init(const struct polydi
if ((polyptr->flags & POLYDIR_ISCRIPT) && polyptr->init_script)
init_script = polyptr->init_script;
- if (access(init_script, F_OK) == 0) {
- if (access(init_script, X_OK) < 0) {
- if (idata->flags & PAMNS_DEBUG)
- pam_syslog(idata->pamh, LOG_ERR,
- "Namespace init script not executable");
- return PAM_SESSION_ERR;
- } else {
- struct sigaction newsa, oldsa;
-
- memset(&newsa, '\0', sizeof(newsa));
- newsa.sa_handler = SIG_DFL;
- if (sigaction(SIGCHLD, &newsa, &oldsa) == -1) {
- pam_syslog(idata->pamh, LOG_ERR, "failed to reset SIGCHLD handler");
- return PAM_SESSION_ERR;
- }
-
- pid = fork();
- if (pid == 0) {
- static char *envp[] = { NULL };
+ if (access(init_script, F_OK) != 0)
+ return PAM_SUCCESS;
+
+ if (access(init_script, X_OK) < 0) {
+ if (idata->flags & PAMNS_DEBUG)
+ pam_syslog(idata->pamh, LOG_ERR,
+ "Namespace init script not executable");
+ return PAM_SESSION_ERR;
+ }
+
+ struct sigaction newsa, oldsa;
+
+ memset(&newsa, '\0', sizeof(newsa));
+ newsa.sa_handler = SIG_DFL;
+ if (sigaction(SIGCHLD, &newsa, &oldsa) == -1) {
+ pam_syslog(idata->pamh, LOG_ERR, "failed to reset SIGCHLD handler");
+ return PAM_SESSION_ERR;
+ }
+
+ pid = fork();
+ if (pid == 0) {
+ static char *envp[] = { NULL };
#ifdef WITH_SELINUX
- if (idata->flags & PAMNS_SELINUX_ENABLED) {
- if (setexeccon(NULL) < 0)
- _exit(1);
- }
+ if (idata->flags & PAMNS_SELINUX_ENABLED) {
+ if (setexeccon(NULL) < 0)
+ _exit(1);
+ }
#endif
- /* Pass maximum privs when we exec() */
- if (setuid(geteuid()) < 0) {
- /* ignore failures, they don't matter */
- }
-
- close_fds_pre_exec(idata);
-
- if (execle(init_script, init_script,
- polyptr->dir, ipath, newdir?"1":"0", idata->user, NULL, envp) < 0)
- _exit(1);
- } else if (pid > 0) {
- while (((rc = waitpid(pid, &status, 0)) == (pid_t)-1) &&
- (errno == EINTR));
- if (rc == (pid_t)-1) {
- pam_syslog(idata->pamh, LOG_ERR, "waitpid failed- %m");
- rc = PAM_SESSION_ERR;
- goto out;
- }
- if (!WIFEXITED(status) || WIFSIGNALED(status) > 0) {
- pam_syslog(idata->pamh, LOG_ERR,
- "Error initializing instance");
- rc = PAM_SESSION_ERR;
- goto out;
- }
- } else if (pid < 0) {
- pam_syslog(idata->pamh, LOG_ERR,
- "Cannot fork to run namespace init script, %m");
- rc = PAM_SESSION_ERR;
- goto out;
- }
- rc = PAM_SUCCESS;
-out:
- (void) sigaction(SIGCHLD, &oldsa, NULL);
- return rc;
+ /* Pass maximum privs when we exec() */
+ if (setuid(geteuid()) < 0) {
+ /* ignore failures, they don't matter */
+ }
+
+ close_fds_pre_exec(idata);
+
+ if (execle(init_script, init_script,
+ polyptr->dir, ipath, newdir?"1":"0", idata->user, NULL, envp) < 0)
+ _exit(1);
+ } else if (pid > 0) {
+ while (((rc = waitpid(pid, &status, 0)) == (pid_t)-1) &&
+ (errno == EINTR));
+ if (rc == (pid_t)-1) {
+ pam_syslog(idata->pamh, LOG_ERR, "waitpid failed- %m");
+ rc = PAM_SESSION_ERR;
+ goto out;
+ }
+ if (!WIFEXITED(status) || WIFSIGNALED(status) > 0) {
+ pam_syslog(idata->pamh, LOG_ERR,
+ "Error initializing instance");
+ rc = PAM_SESSION_ERR;
+ goto out;
}
+ } else if (pid < 0) {
+ pam_syslog(idata->pamh, LOG_ERR,
+ "Cannot fork to run namespace init script, %m");
+ rc = PAM_SESSION_ERR;
+ goto out;
}
- return PAM_SUCCESS;
+ rc = PAM_SUCCESS;
+out:
+ (void) sigaction(SIGCHLD, &oldsa, NULL);
+ return rc;
}
static int create_polydir(struct polydir_s *polyptr,
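Review bot: The init script's exit status is never inspected: the check `if (!WIFEXITED(status) || WIFSIGNALED(status) > 0)` in the parent branch only rejects a child that did not terminate normally, so a script that exits non-zero — including the child's own `_exit(1)` after a failed setexeccon() or execle() — is treated as success and inst_init() returns PAM_SUCCESS for an instance directory that may never have been initialised. The second clause is also redundant, since WIFEXITED and WIFSIGNALED cannot both be true for the same status. Unless a non-zero exit is deliberately tolerated here (nothing in the hunk says so), the condition should read `if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)` and the log line should include the exit code so a failing script is diagnosable. This cleanup carries the pre-existing check forward unchanged; the function's signature and the declarations of `pid`, `rc` and `status` are above the hunk.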