From 747d14f1e998b15d2ec9f9548a472dc175fdb9c3 Mon Sep 17 00:00:00 2001 From: Jaemin Ryu Date: Tue, 14 Aug 2018 17:46:50 +0900 Subject: [PATCH] Use pam for containerization Change-Id: Ie32c449436258cb1a87bb08819eff664c77c8ac0 Signed-off-by: Jaemin Ryu --- module/CMakeLists.txt | 3 -- module/krate.cpp | 87 ++++++--------------------------------------------- packaging/krate.spec | 4 +-- server/manager.cpp | 2 -- 4 files changed, 11 insertions(+), 85 deletions(-) diff --git a/module/CMakeLists.txt b/module/CMakeLists.txt index 18f1e21..fa353f9 100644 --- a/module/CMakeLists.txt +++ b/module/CMakeLists.txt @@ -43,7 +43,4 @@ PKG_CHECK_MODULES(PAM_DEPS REQUIRED INCLUDE_DIRECTORIES(${PAM_INCLUDE_DIR} ${PAM_DEPS_INCLUDE_DIRS}) TARGET_LINK_LIBRARIES(${PAM_NAME} ${PAM_LIBRARY} ${PAM_DEPS_LIBRARIES} pthread) -CONFIGURE_FILE(pam.d/systemd-user.in pam.d/systemd-user-${PROJECT_NAME}) - INSTALL(TARGETS ${PAM_NAME} DESTINATION ${LIB_INSTALL_DIR}/security) -INSTALL(FILES pam.d/systemd-user-${PROJECT_NAME} DESTINATION ${PAMD_DIR}) diff --git a/module/krate.cpp b/module/krate.cpp index 2862042..dda52c8 100644 --- a/module/krate.cpp +++ b/module/krate.cpp 
@@ -79,91 +79,18 @@ void enterKrate(const std::string& name) } } -static int wait_condition(void) -{ - int r; - void *h; - - int (*wait_mount_user)(void); - - r = access(LAZYMOUNT_LIB, F_OK); - if (r < 0){ - fprintf(stderr, "cannot find lazymount module - No support lazymount\n"); - return 0; - } - - h = dlopen(LAZYMOUNT_LIB, RTLD_LAZY); - if (!h) { - fprintf(stderr, "lazymount module dlopen error\n"); - return -1; - } - - do{ - wait_mount_user = (int (*)())dlsym(h, "wait_mount_user"); - if (!wait_mount_user) { - fprintf(stderr, "dlsym wait_mount_user error\n"); - dlclose(h); - return -1; - } - } while (0); - - r = wait_mount_user(); - if (r < 0) { - fprintf(stderr, "wait_mout_user failed\n"); - dlclose(h); - return r; - } - - dlclose(h); - return 0; -} - extern "C" { -LAZYMOUNT_EXTERN __attribute__((visibility("default"))) -int container_preprocess(char* id) { - std::cout << "kraterize (UID " << id << ")..." << std::endl << std::flush; - try { - runtime::User user(std::stoi(std::string(id))); - - enterKrate(user.getName()); - - if (user.getUid() >= KRATE_UID_MIN && user.getUid() <= KRATE_UID_MAX ) { - wait_condition(); - } - } catch (runtime::Exception& e) { - std::cerr << "krate error : " << e.what() <= KRATE_UID_MIN && user.getUid() <= KRATE_UID_MAX ) { + runtime::File flag("/run/user/" + std::to_string(user.getUid()) + "/.container"); + if (!flag.exists()) + flag.create(0644); + } } catch (runtime::Exception& e) { ::pam_syslog(pamh, LOG_ERR, "%s", e.what()); return PAM_SESSION_ERR; @@ -181,6 +108,10 @@ int pam_sm_close_session(pam_handle_t* pamh, int flags, int argc, const char* ar if (pids.size() <= 1) { std::string path = CGROUP_SUBSYSTEM "/" + name; runtime::Cgroup::destroy(CGROUP_SUBSYSTEM, path); + runtime::User user(name); + runtime::File flag("/run/user/" + std::to_string(user.getUid()) + "/.container"); + if (flag.exists()) + flag.remove(false); } } catch (runtime::Exception& e) { ::pam_syslog(pamh, LOG_ERR, "%s", e.what()); 
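Review bot: The new pam_sm_open_session body does an `exists()` probe followed by `flag.create(0644)` on `/run/user/<uid>/.container`, and because this module runs as root while `/run/user/<uid>` is normally owned by that user, the check-then-create pair is a race a local user can sit on: unless `runtime::File::create` opens with `O_CREAT|O_EXCL|O_NOFOLLOW` (its implementation is not visible here), a pre-placed symlink named `.container` lets the user make root create or truncate a file of their choosing. Drop the `exists()` guard and make the create itself the test — create exclusively without following symlinks and treat an already-present marker as success — instead of a separate existence probe. A one-line comment naming who consumes this marker would also help, e.g. `// marker for <consumer>: this uid's session is a krate container`, since the lazymount wait this hunk removes is presumably what now keys off it. Note the middle of the hunk is garbled in this rendering (the line fusing `e.what()` with `<= KRATE_UID_MIN`), so the function's signature and the start of its try block are not visible here.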
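Review bot: In the new pam_sm_close_session lines the `flag.exists()` probe before `flag.remove(false)` is the same check-then-act pattern in a user-owned directory; just attempt the removal and tolerate a not-found result, e.g. `try { flag.remove(false); } catch (runtime::Exception&) { /* already gone */ }` if `remove` throws on ENOENT. Whether `remove(false)` maps to plain `unlink(2)` (which does not follow symlinks) is not visible here and is worth confirming, since root is unlinking under `/run/user/<uid>`. Also note the marker is only cleaned up on the `pids.size() <= 1` path after `Cgroup::destroy`; if destroy throws, the catch below logs and the marker is left behind for the next session to find. The enclosing function starts outside the hunk.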
diff --git a/packaging/krate.spec b/packaging/krate.spec index f4848f9..0ac2d13 100644 --- a/packaging/krate.spec +++ b/packaging/krate.spec @@ -43,7 +43,6 @@ krates. %attr(644,root,root) %{TZ_SYS_RO_ICONS}/krate/indicator_icon.png %attr(644,root,root) %{TZ_SYS_RO_ICONS}/krate/notification_sub_icon.png %attr(755,root,root) %{_libdir}/security/pam_krate.so -%config /etc/pam.d/* %prep %setup -q @@ -73,6 +72,7 @@ mkdir -p %{buildroot}/%{_unitdir}/multi-user.target.wants ln -s ../krate.service %{buildroot}/%{_unitdir}/multi-user.target.wants/krate.service %post +echo "session required pam_krate.so" >> /etc/pam.d/systemd-user %clean rm -rf %{buildroot} @@ -80,4 +80,4 @@ rm -rf %{buildroot} %preun %postun -mv /etc/pam.d/systemd-user.keep /etc/pam.d/systemd-user +sed --in-place '/pam_krate.so/d' /etc/pam.d/systemd-user diff --git a/server/manager.cpp b/server/manager.cpp index 6085306..d3b0aa5 100755 --- a/server/manager.cpp +++ b/server/manager.cpp @@ -588,8 +588,6 @@ int Manager::createKrate(const std::string& name, const std::string& manifest) runtime::User user(KRATE_ID_PREFIX + name); - maskUserServices(user); - ::tzplatform_set_user(user.getUid()); runtime::File confDir(std::string(::tzplatform_getenv(TZ_USER_HOME)) + "/.config/krate"); ::tzplatform_reset_user(); -- 2.7.4
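Review bot: The `%post` line appends `session required pam_krate.so` unconditionally, and together with the new `%postun` sed this breaks on upgrade: rpm runs the new package's `%post` before the old package's `%postun`, so the old `sed '/pam_krate.so/d'` strips the line just appended and the module is silently disabled after every upgrade, while repeated installs without that would stack duplicate lines. Guard the append, `grep -q pam_krate.so /etc/pam.d/systemd-user || echo "session required pam_krate.so" >> /etc/pam.d/systemd-user`, and only strip it in `%postun` on final erase (`$1` is 0 then). Also consider whether `required` is the right control flag: the catch blocks visible in krate.cpp return PAM_SESSION_ERR, so with `required` any runtime::Exception in pam_krate fails session open for every user's `systemd --user`, not only krate UIDs — `optional` would confine that blast radius if the module only matters for the krate range. Note that `>>` will also create a one-line `/etc/pam.d/systemd-user` if the file is absent on the target image, leaving a stack with no other modules.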
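Review bot: The new `%postun` runs `sed --in-place '/pam_krate.so/d'` on every removal of this package version, including the old version during an upgrade, where it fires after the new package's `%post` has already appended the line; wrap it so it only runs on final erase: `if [ "$1" -eq 0 ]; then` / `sed --in-place '/pam_krate.so/d' /etc/pam.d/systemd-user` / `fi`. The pattern also deletes any line mentioning pam_krate.so, including an admin's hand-tuned one (e.g. `optional` with arguments), which is acceptable for a self-installed line but deserves a comment in the scriptlet saying so.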