pam_apparmor pam module. The default behavior is to use the user's
primary groupname, and to fall back to the DEFAULT hat. You can change
this behavior by appending order=type1[,type2,type3] to the pam_apparmor
session line in the pam config for the application you're applying
pam_apparmor to. The available types are 'user' for username, 'group'
for groupname, and 'default' for DEFAULT. Thus, adding a configuration
entry like:
session optional pam_apparmor.so order=group,default
is equivalent to the default behavior for pam_apparmor.
The parse_option code got a little more complicated than I'd hoped
it would be; I could have just had types by space delimited options to
module, but I thought I'd leave open the possibility of adding additional
options to the module ('debug' immediately comes to mind).
I disabled the short-circuit that occurs if EPERM is returned by
change_hat, as we can't detect that this is because there's no hats or
that the application is entirely undefined; if ECHILD makes it in then
we can re-enable this.
I am less convinced now that pam_apparmor needs to be 'optional' than
'required'; killing the session if none of the change_hats succeeds is
starting to feel like reasonable behavior.
---
changehat/pam_apparmor/Makefile | 11 +
changehat/pam_apparmor/README | 74 +++++++++++++
changehat/pam_apparmor/get_options.c | 157 ++++++++++++++++++++++++++++
changehat/pam_apparmor/pam_apparmor.c | 155 +++++++++++++++++++--------
changehat/pam_apparmor/pam_apparmor.h | 56 +++++++++
changehat/pam_apparmor/pam_apparmor.spec.in | 2
6 files changed, 406 insertions(+), 49 deletions(-)
