systemd/0002-pam-add-a-call-to-pam_namespace.patch
Zbigniew Jędrzejewski-Szmek 2a3fc2e21f Use upstream pam systemd-auth file with a patch, add pam_keyinit
This file changes rarely, but it does every one in a while. And since we have an
independent copy, we forget to adjust it. We have had already two bugs because
of this. I submitted a PR upstream to include pam_namespace (because that makes
sense for all distros), so the diff between upstream and us now is just the
inclusion of system-auth (which is not upstreamable).

Effectively, the only difference right now is that 'pam_keyinit force revoke'
is included. It was added upstream with the comment:

   We want that systemd --user gets its own keyring as usual, even if the
   barebones PAM snippet we ship upstream is used. If we don't do this we get
   the basic keyring systemd --system sets up for us.
2022-12-14 22:35:52 +01:00

42 lines
1.7 KiB
Diff

From 0ef48896d9f23b9fd547a532a4e6e6b8f8b12901 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 23 Nov 2022 16:09:56 +0100
Subject: [PATCH 2/2] pam: add a call to pam_namespace
A call to pam_namespace is required so that children of user@.service end up in
a namespace as expected. pam_namespace gets called as part of the stack that
creates a session (login, sshd, gdm, etc.) and those processes end up in a
namespace, but it also needs to be called from our stack which is parallel and
descends from pid1 itself.
The call to pam_namespace is similar to the call to pam_keyinit that was added
in ab79099d1684457d040ee7c28b2012e8c1ea9a4f. The pam stack for user@.service
creates a new session which is disconnected from the parent environment. Both
calls are not suitable for inclusion in the shared part of the stack (e.g.
@system-auth on Fedora/RHEL systems), because for example su/sudo/runuser
should not include them.
Fixes #17043 (Allow to execute user service into dedicated namespace
if pam_namespace enabled)
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1861836
(Polyinstantiation is ignored/bypassed in GNOME sessions)
---
src/login/systemd-user.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in
index d5597d28cb..06f7e36458 100644
--- a/src/login/systemd-user.in
+++ b/src/login/systemd-user.in
@@ -15,6 +15,7 @@ session required pam_selinux.so nottys open
{% endif %}
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
+session required pam_namespace.so
{% if ENABLE_HOMED %}
-session optional pam_systemd_home.so
{% endif %}
--
2.38.1