uses the linux kernel definitions of them.
(It also adds to the simple capbilities regression tests verifying the
parser can parse the new audit capiability names.)
(updated) error codes returned by the module and the libapparmor
function. It also converts the package to use the svn repo version as
the package version.
pam_apparmor pam module. The default behavior is to use the user's
primary groupname, and to fall back to the DEFAULT hat. You can change
this behavior by appending order=type1[,type2,type3] to the pam_apparmor
session line in the pam config for the application you're applying
pam_apparmor to. The available types are 'user' for username, 'group'
for groupname, and 'default' for DEFAULT. Thus, adding a configuration
entry like:
session optional pam_apparmor.so order=group,default
is equivalent to the default behavior for pam_apparmor.
The parse_option code got a little more complicated than I'd hoped
it would be; I could have just had types by space delimited options to
module, but I thought I'd leave open the possibility of adding additional
options to the module ('debug' immediately comes to mind).
I disabled the short-circuit that occurs if EPERM is returned by
change_hat, as we can't detect that this is because there's no hats or
that the application is entirely undefined; if ECHILD makes it in then
we can re-enable this.
I am less convinced now that pam_apparmor needs to be 'optional' than
'required'; killing the session if none of the change_hats succeeds is
starting to feel like reasonable behavior.
---
changehat/pam_apparmor/Makefile | 11 +
changehat/pam_apparmor/README | 74 +++++++++++++
changehat/pam_apparmor/get_options.c | 157 ++++++++++++++++++++++++++++
changehat/pam_apparmor/pam_apparmor.c | 155 +++++++++++++++++++--------
changehat/pam_apparmor/pam_apparmor.h | 56 +++++++++
changehat/pam_apparmor/pam_apparmor.spec.in | 2
6 files changed, 406 insertions(+), 49 deletions(-)
creates a tarball i(and specfile) similar to 'make tarball' except that
it uses svn export to pull the latest committed version rather than the
currently contents of the tree (as make tarball does). This is to make
pristine checkins to SUSE's autobuild system and the openSUSE
buildservice easier.
