suggestion: decouple unshare from mounting in pam_namespace
- From: Louis-Dominique Dubeau <ldd lddubeau com>
- To: pam-list redhat com
- Subject: suggestion: decouple unshare from mounting in pam_namespace
- Date: Fri, 23 May 2008 10:24:40 -0400
Hello everyone,

I'm writing from the perspective of someone using Ubuntu 8.04. The
version of pam installed on my machine is 0.99.7.1-5ubuntu6.1. However,
based on inspecting the latest version of pam, I believe what I'm
talking about applies to pam in general and not just the version shipped
with Ubuntu 8.04.

I have a suggestion for a change to pam_namespace. As it is currently
coded, pam_namespace will make a call to unshare if and only if there
are mounts declared in /etc/security/namespace.conf and those mounts
apply to the session being established. When pam_namespace determines
that it must perform a mount operation, it performs two tasks:

1. It makes a call to the unshare syscall to unshare filesystem
   namespaces.

2. It performs the mounts as specified in /etc/security/namespace.conf.

I'm operating in a scenario where I do *not* want pam_namespace to
perform automatic mounts for me but I *do* want the filesystem
namespaces to be unshared. (I.e. I want 1 above but I don't want 2.)

Yesterday, I quickly hacked something to get what I want. I've added a
parameter "unshare" to pam_namespace which basically means "unshare the
namespaces no matter what". I'm attaching a patch against the version
of pam mentioned above. This is for *illustrative* purposes only. I'm
not pretending that this is the way a final solution should be
implemented.

Can this be implemented in some form?

Thanks,
Louis

diff -urN pam-0.99.7.1.orig/Linux-PAM/modules/pam_namespace/pam_namespace.c pam-0.99.7.1/Linux-PAM/modules/pam_namespace/pam_namespace.c
--- pam-0.99.7.1.orig/Linux-PAM/modules/pam_namespace/pam_namespace.c 2006-10-24 07:45:36.000000000 -0400
+++ pam-0.99.7.1/Linux-PAM/modules/pam_namespace/pam_namespace.c 2008-05-22 19:44:42.000000000 -0400
@@ -998,7 +998,8 @@
* disassociate from the parent namespace.
*/
if (need_poly) {
- if (unshare(CLONE_NEWNS) < 0) {
+ /* But don't call if PAMNS_UNSHARE is set: we've already called. */
+ if (!(idata->flags & PAMNS_UNSHARE) & (unshare(CLONE_NEWNS) < 0)) {
pam_syslog(idata->pamh, LOG_ERR,
"Unable to unshare from parent namespace, %m");
return PAM_SESSION_ERR;
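
Review bot: The `&` joining `!(idata->flags & PAMNS_UNSHARE)` and `(unshare(CLONE_NEWNS) < 0)` in the rewritten condition is a bitwise AND, so both operands are always evaluated and unshare() is still called when PAMNS_UNSHARE is set, contrary to the comment above it. A failure of that second call is then silently ignored because the left operand is 0. Use `&&` so the call is actually skipped when the flag is set.
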
@@ -1172,6 +1173,8 @@
idata.flags |= PAMNS_IGN_CONFIG_ERR;
if (strcmp(argv[i], "ignore_instance_parent_mode") == 0)
idata.flags |= PAMNS_IGN_INST_PARENT_MODE;
+ if (strcmp(argv[i], "unshare") == 0)
+ idata.flags |= PAMNS_UNSHARE;
if (strcmp(argv[i], "unmnt_remnt") == 0)
unmnt = UNMNT_REMNT;
if (strcmp(argv[i], "unmnt_only") == 0)
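
Review bot: The new "unshare" argument parsed here is not documented anywhere in this patch, which touches only pam_namespace.c and pam_namespace.h. Add a description of the option alongside the module's other arguments, stating that it unshares the mount namespace even when no polyinstantiated directory applies to the session.
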
@@ -1220,6 +1223,19 @@
return PAM_SESSION_ERR;
}
+
+ /*
+ * If polyinstnatiation is needed, call the unshare system call to
+ * disassociate from the parent namespace.
+ */
+ if (idata.flags & PAMNS_UNSHARE) {
+ if (unshare(CLONE_NEWNS) < 0) {
+ pam_syslog(idata.pamh, LOG_ERR,
+ "Unable to unshare from parent namespace, %m");
+ return PAM_SESSION_ERR;
+ }
+ }
+
if (idata.polydirs_ptr) {
retval = setup_namespace(&idata, unmnt);
if (idata.flags & PAMNS_DEBUG) {
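
Review bot: The comment on the added block is copied from the need_poly block in the first hunk and does not match this code: the unshare() here runs whenever PAMNS_UNSHARE is set, before the `if (idata.polydirs_ptr)` check, not when polyinstantiation is needed (and "polyinstnatiation" is misspelled). Reword the comment to say the unshare is unconditional on the flag, and consider a distinct pam_syslog message, since "Unable to unshare from parent namespace, %m" is identical to the one in the first hunk and the log will not show which call failed.
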
diff -urN pam-0.99.7.1.orig/Linux-PAM/modules/pam_namespace/pam_namespace.h pam-0.99.7.1/Linux-PAM/modules/pam_namespace/pam_namespace.h
--- pam-0.99.7.1.orig/Linux-PAM/modules/pam_namespace/pam_namespace.h 2006-07-28 07:59:28.000000000 -0400
+++ pam-0.99.7.1/Linux-PAM/modules/pam_namespace/pam_namespace.h 2008-05-22 19:37:04.000000000 -0400
@@ -86,6 +86,7 @@
#define PAMNS_GEN_HASH 0x00002000 /* Generate md5 hash for inst names */
#define PAMNS_IGN_CONFIG_ERR 0x00004000 /* Ignore format error in conf file */
#define PAMNS_IGN_INST_PARENT_MODE 0x00008000 /* Ignore instance parent mode */
+#define PAMNS_UNSHARE 0x00010000 /* Ignore instance parent mode */
/*
* Polyinstantiation method options, based on user, security context
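
Review bot: The comment on the added PAMNS_UNSHARE define repeats the one on PAMNS_IGN_INST_PARENT_MODE directly above it ("Ignore instance parent mode"). It should describe the new flag, for example that the namespace is unshared regardless of whether any mounts apply.
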