authorAndrew G. Morgan <morgan@kernel.org>2021-09-14 19:36:56 -0700
committerAndrew G. Morgan <morgan@kernel.org>2021-09-14 19:45:59 -0700
commit2c3b8949f4374db5285865ad8ce1bdf49d6f24c6 (patch)
tree3007f0d16aea83459af344dc8d568fc1202c5524 /pam_cap/test_pam_cap.c
parent783d9b5c5f5038cbbe166c0cdf6d356edb1c9f7c (diff)
Another attempt at supporting Ambient vector setting from pam_cap.so.
While the session idea worked with contrib/sucap/su.c, it failed on more traditional PAM apps. For a second (likely last) attempt to find a path, I've deleted the session support and now attempt to do the setting via a PAM data item cleanup() callback.

In the contrib/sucap/su.c code, evolved from the original SimplePAMApps 'su', there is a pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT) from within the fork()d launcher code, so I hope this convention is standard for all the PAM apps that came after.

The suggested config for this module for an app, that wants to support the Ambient vector, is thus now:

  #%PAM-1.0
  auth required pam_cap.so keepcaps defer
  auth required pam_unix.so
  account required pam_unix.so
  password required pam_unix.so
  session required pam_unix.so

This is all part of an effort to address:

  https://bugzilla.kernel.org/show_bug.cgi?id=214377

Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Diffstat (limited to 'pam_cap/test_pam_cap.c')
-rw-r--r--pam_cap/test_pam_cap.c13
1 files changed, 12 insertions, 1 deletions
diff --git a/pam_cap/test_pam_cap.c b/pam_cap/test_pam_cap.c
index 0a58da6..886888e 100644
--- a/pam_cap/test_pam_cap.c
+++ b/pam_cap/test_pam_cap.c
@@ -51,6 +51,17 @@ int pam_get_item(const pam_handle_t *pamh, int item_type, const void **item) {
return 0;
}
+int pam_set_data(pam_handle_t *pamh, const char *module_data_name, void *data,
+ void (*cleanup)(pam_handle_t *pamh, void *data,
+ int error_status)) {
+ if (cleanup != iab_apply) {
+ errno = EINVAL;
+ return -1;
+ }
+ cap_free(data);
+ return -1;
+}
+
int getgrouplist(const char *user, gid_t group, gid_t *groups, int *ngroups) {
int i,j;
for (i = 0; i < n_users; i++) {
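Review bot: The added `pam_set_data` stub returns -1 on both paths, so after accepting `iab_apply` and calling `cap_free(data)` it still reports failure, and the tests cannot tell an accepted deferral from the rejected-callback case (which already leaves `data` alone). libpam's pam_set_data returns PAM_SUCCESS once it has taken ownership of `data` and reports errors as PAM codes rather than -1 with errno; if the caller in pam_cap.c (not visible in this hunk) releases the IAB itself when the call fails, this stub turns that into a double `cap_free`. Since this is the path that later applies the Ambient vector, I would end the accepting branch with `return 0;`, as the `pam_get_item` stub just above does, so the success side of `defer` is actually exercised. A comment above the stub such as `/* Test stub: on success takes ownership of data, as libpam would; rejects any cleanup other than iab_apply. */` would make the ownership rule explicit.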
@@ -159,7 +170,7 @@ static int test_arg_parsing(void) {
},
{
{ 0, 0, 0, 1, NULL, NULL, NULL },
- { "use_session", NULL }
+ { "defer", NULL }
},
{
{ 0, 0, 0, 0, NULL, NULL, NULL },