* limitations under the License
*/
+#include <dlfcn.h>
#include <syslog.h>
+#include <unistd.h>
#include <security/pam_ext.h>
#include <security/pam_modules.h>
#include <vector>
#include <iostream>
-#include "session.h"
-#include "krate-guard.h"
#include "krate-builder.h"
#include <klay/exception.h>
#include <klay/filesystem.h>
-#include <klay/xml/parser.h>
-#include <klay/xml/document.h>
-#define LAZYMOUNT_EXTERN extern
+#define KRATE_UID_MIN 6000
+#define KRATE_UID_MAX 6999
-std::string buildKrateManifestPath(const std::string& name)
-{
- return CONF_PATH "/" + name + ".xml";
+namespace {
+
+static std::string getFlagFilePath(runtime::User &user) {
+ return "/run/user/" + std::to_string(user.getUid()) + "/.container";
}
+} // namespace
+
std::string getKrateName(pam_handle_t* handle)
{
const void* retItem;
}
extern "C" {
-LAZYMOUNT_EXTERN __attribute__((visibility("default")))
-int container_preprocess(char* id) {
- std::cout << "kraterize (UID " << id << ")..." << std::endl << std::flush;
- try {
- runtime::User user(std::stoi(std::string(id)));
- KrateGuard krateGuard(user.getName());
- krateGuard.wait();
-
- auto sessionBuilder = [](const runtime::User& user) {
- KrateBuilder builder(user, buildKrateManifestPath(user.getName()));
- builder.unshareNamespace();
- };
- createSession(user, sessionBuilder);
- } catch (runtime::Exception& e) {
- std::cerr << "krate error : " << e.what() <<std::endl << std::flush;
- return -1;
- }
-
- std::cout << "krate preprocess completed!" << std::endl << std::flush;
- return 0;
-}
-
-LAZYMOUNT_EXTERN __attribute__((visibility("default")))
-int container_postprocess(char* id) {
- try {
- runtime::User user(std::stoi(std::string(id)));
- KrateBuilder builder(user, buildKrateManifestPath(user.getName()));
- builder.mountOwnFilesystem();
- } catch (runtime::Exception& e) {
- std::cerr << "krate error : " << e.what() << std::endl << std::flush;
- return -1;
- }
- std::cout << "krate postprocess completed!" << std::endl << std::flush;
- std::cout << "kraterized!" << std::endl << std::flush;
- return 0;
-}
-
PAM_EXTERN __attribute__((visibility("default")))
int pam_sm_open_session(pam_handle_t* pamh, int flags, int argc, const char* argv[])
{
try {
runtime::User user(getKrateName(pamh));
- KrateGuard krateGuard(user.getName());
- krateGuard.wait();
-
- auto sessionBuilder = [](const runtime::User& user) {
- KrateBuilder builder(user, buildKrateManifestPath(user.getName()));
- builder.unshareNamespace();
- builder.mountOwnFilesystem();
- };
- createSession(user, sessionBuilder);
+
+ KrateBuilder builder(user);
+ builder.enterKrate();
+
+ if (user.getUid() >= KRATE_UID_MIN && user.getUid() <= KRATE_UID_MAX ) {
+ runtime::File flag(getFlagFilePath(user));
+ if (!flag.exists())
+ flag.create(0644);
+ }
} catch (runtime::Exception& e) {
::pam_syslog(pamh, LOG_ERR, "%s", e.what());
return PAM_SESSION_ERR;
{
try {
runtime::User user(getKrateName(pamh));
- KrateGuard krateGuard(user.getName());
- krateGuard.wait();
- destroySession(user);
+ KrateBuilder builder(user);
+ builder.exitKrate();
+
+ runtime::File flag(getFlagFilePath(user));
+ if (flag.exists())
+ flag.remove(false);
} catch (runtime::Exception& e) {
::pam_syslog(pamh, LOG_ERR, "%s", e.what());
return PAM_SESSION_ERR;
projects / platform / core / security / krate.git / blobdiff