service: require KillMode=control-group when PAM is enabled

src/mount.c

@@ -303,6 +303,11 @@ static int mount_verify(Mount *m) {
                 return -EBADMSG;
         }
 
+        if (m->exec_context.pam_name && m->kill_mode != KILL_CONTROL_GROUP) {
+                log_error("%s has PAM enabled. Kill mode must be set to 'control-group'. Refusing.", m->meta.id);
+                return -EINVAL;
+        }
+
         return 0;
 }
 

src/service.c

@@ -817,7 +817,12 @@ static int service_verify(Service *s) {
         }
 
         if (s->type == SERVICE_DBUS && !s->bus_name) {
-                log_error("%s is of type D-Bus but no D-Bus service name has been specified. Refusing.", UNIT(s)->meta.id);
+                log_error("%s is of type D-Bus but no D-Bus service name has been specified. Refusing.", s->meta.id);
+                return -EINVAL;
+        }
+
+        if (s->exec_context.pam_name && s->kill_mode != KILL_CONTROL_GROUP) {
+                log_error("%s has PAM enabled. Kill mode must be set to 'control-group'. Refusing.", s->meta.id);
                 return -EINVAL;
         }
 

src/socket.c

@@ -153,7 +153,12 @@ static int socket_verify(Socket *s) {
         }
 
         if (s->accept && s->max_connections <= 0) {
-                log_error("%s's MaxConnection setting too small. Refusing.", UNIT(s)->meta.id);
+                log_error("%s's MaxConnection setting too small. Refusing.", s->meta.id);
+                return -EINVAL;
+        }
+
+        if (s->exec_context.pam_name && s->kill_mode != KILL_CONTROL_GROUP) {
+                log_error("%s has PAM enabled. Kill mode must be set to 'control-group'. Refusing.", s->meta.id);
                 return -EINVAL;
         }