Skip to content
GitLab
Projects
Groups
Snippets
Help
Loading...
Help
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
S
systemd
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Labels
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Commits
Open sidebar
steam
systemd
Commits
74fe1fe3
Commit
74fe1fe3
authored
Nov 17, 2010
by
Lennart Poettering
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
pam: duplicate cgroup tree in the cpu hierarchy by default, optionally more
parent
04d14845
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
85 additions
and
14 deletions
+85
-14
TODO
TODO
+4
-0
src/pam-module.c
src/pam-module.c
+81
-14
No files found.
TODO
View file @
74fe1fe3
...
...
@@ -88,6 +88,10 @@
* add to cpu cgroup by default
* introduce crypttab.target
* make cryptsetup lower --iter-time
External:
* patch kernel for xattr support in /dev, /proc/, /sys and /sys/fs/cgroup.
...
...
src/pam-module.c
View file @
74fe1fe3
...
...
@@ -35,14 +35,17 @@
#include "cgroup-util.h"
#include "macro.h"
#include "sd-daemon.h"
#include "strv.h"
static
int
parse_argv
(
pam_handle_t
*
handle
,
int
argc
,
const
char
**
argv
,
bool
*
create_session
,
bool
*
kill_session
,
bool
*
kill_user
)
{
bool
*
kill_user
,
char
***
controllers
)
{
unsigned
i
;
bool
controller_set
=
false
;
assert
(
argc
>=
0
);
assert
(
argc
==
0
||
argv
);
...
...
@@ -58,6 +61,7 @@ static int parse_argv(pam_handle_t *handle,
if
(
create_session
)
*
create_session
=
k
;
}
else
if
(
startswith
(
argv
[
i
],
"kill-session="
))
{
if
((
k
=
parse_boolean
(
argv
[
i
]
+
13
))
<
0
)
{
pam_syslog
(
handle
,
LOG_ERR
,
"Failed to parse kill-session= argument."
);
...
...
@@ -75,12 +79,43 @@ static int parse_argv(pam_handle_t *handle,
if
(
kill_user
)
*
kill_user
=
k
;
}
else
if
(
startswith
(
argv
[
i
],
"controllers="
))
{
if
(
controllers
)
{
char
**
l
;
if
(
!
(
l
=
strv_split
(
argv
[
i
]
+
12
,
","
)))
{
pam_syslog
(
handle
,
LOG_ERR
,
"Out of memory."
);
return
-
ENOMEM
;
}
strv_free
(
*
controllers
);
*
controllers
=
l
;
}
controller_set
=
true
;
}
else
{
pam_syslog
(
handle
,
LOG_ERR
,
"Unknown parameter '%s'."
,
argv
[
i
]);
return
-
EINVAL
;
}
}
if
(
!
controller_set
&&
controllers
)
{
char
**
l
;
if
(
!
(
l
=
strv_new
(
"cpu"
,
NULL
)))
{
pam_syslog
(
handle
,
LOG_ERR
,
"Out of memory"
);
return
-
ENOMEM
;
}
*
controllers
=
l
;
}
if
(
controllers
)
strv_remove
(
*
controllers
,
"name=systemd"
);
if
(
kill_session
&&
*
kill_session
&&
kill_user
)
*
kill_user
=
true
;
...
...
@@ -226,16 +261,23 @@ static int get_user_data(
return
PAM_SUCCESS
;
}
static
int
create_user_group
(
pam_handle_t
*
handle
,
const
char
*
group
,
struct
passwd
*
pw
,
bool
attach
,
bool
remember
)
{
static
int
create_user_group
(
pam_handle_t
*
handle
,
const
char
*
controller
,
const
char
*
group
,
struct
passwd
*
pw
,
bool
attach
,
bool
remember
)
{
int
r
;
assert
(
handle
);
assert
(
group
);
if
(
attach
)
r
=
cg_create_and_attach
(
SYSTEMD_CGROUP_CONTROLLER
,
group
,
0
);
r
=
cg_create_and_attach
(
controller
,
group
,
0
);
else
r
=
cg_create
(
SYSTEMD_CGROUP_CONTROLLER
,
group
);
r
=
cg_create
(
controller
,
group
);
if
(
r
<
0
)
{
pam_syslog
(
handle
,
LOG_ERR
,
"Failed to create cgroup: %s"
,
strerror
(
-
r
));
...
...
@@ -253,8 +295,8 @@ static int create_user_group(pam_handle_t *handle, const char *group, struct pas
}
}
if
((
r
=
cg_set_task_access
(
SYSTEMD_CGROUP_CONTROLLER
,
group
,
0755
,
pw
->
pw_uid
,
pw
->
pw_gid
))
<
0
||
(
r
=
cg_set_group_access
(
SYSTEMD_CGROUP_CONTROLLER
,
group
,
0755
,
pw
->
pw_uid
,
pw
->
pw_gid
))
<
0
)
{
if
((
r
=
cg_set_task_access
(
controller
,
group
,
0644
,
pw
->
pw_uid
,
pw
->
pw_gid
))
<
0
||
(
r
=
cg_set_group_access
(
controller
,
group
,
0755
,
pw
->
pw_uid
,
pw
->
pw_gid
))
<
0
)
{
pam_syslog
(
handle
,
LOG_ERR
,
"Failed to change access modes: %s"
,
strerror
(
-
r
));
return
PAM_SESSION_ERR
;
}
...
...
@@ -273,18 +315,19 @@ _public_ PAM_EXTERN int pam_sm_open_session(
char
*
buf
=
NULL
;
int
lock_fd
=
-
1
;
bool
create_session
=
true
;
char
**
controllers
=
NULL
,
**
c
;
assert
(
handle
);
/* pam_syslog(handle, LOG_DEBUG, "pam-systemd initializing"); */
if
(
parse_argv
(
handle
,
argc
,
argv
,
&
create_session
,
NULL
,
NULL
)
<
0
)
return
PAM_SESSION_ERR
;
/* Make this a NOP on non-systemd systems */
if
(
sd_booted
()
<=
0
)
return
PAM_SUCCESS
;
if
(
parse_argv
(
handle
,
argc
,
argv
,
&
create_session
,
NULL
,
NULL
,
&
controllers
)
<
0
)
return
PAM_SESSION_ERR
;
if
((
r
=
get_user_data
(
handle
,
&
username
,
&
pw
))
!=
PAM_SUCCESS
)
goto
finish
;
...
...
@@ -362,9 +405,14 @@ _public_ PAM_EXTERN int pam_sm_open_session(
pam_syslog
(
handle
,
LOG_INFO
,
"Moving new user session for %s into control group %s."
,
username
,
buf
);
if
((
r
=
create_user_group
(
handle
,
buf
,
pw
,
true
,
true
))
!=
PAM_SUCCESS
)
if
((
r
=
create_user_group
(
handle
,
SYSTEMD_CGROUP_CONTROLLER
,
buf
,
pw
,
true
,
true
))
!=
PAM_SUCCESS
)
goto
finish
;
/* The additional controllers don't really matter, so we
* ignore the return value */
STRV_FOREACH
(
c
,
controllers
)
create_user_group
(
handle
,
*
c
,
buf
,
pw
,
true
,
false
);
r
=
PAM_SUCCESS
;
finish:
...
...
@@ -373,6 +421,8 @@ finish:
if
(
lock_fd
>=
0
)
close_nointr_nofail
(
lock_fd
);
strv_free
(
controllers
);
return
r
;
}
...
...
@@ -415,16 +465,17 @@ _public_ PAM_EXTERN int pam_sm_close_session(
const
char
*
id
;
struct
passwd
*
pw
;
const
void
*
created
=
NULL
;
char
**
controllers
=
NULL
,
**
c
;
assert
(
handle
);
if
(
parse_argv
(
handle
,
argc
,
argv
,
NULL
,
&
kill_session
,
&
kill_user
)
<
0
)
return
PAM_SESSION_ERR
;
/* Make this a NOP on non-systemd systems */
if
(
sd_booted
()
<=
0
)
return
PAM_SUCCESS
;
if
(
parse_argv
(
handle
,
argc
,
argv
,
NULL
,
&
kill_session
,
&
kill_user
,
&
controllers
)
<
0
)
return
PAM_SESSION_ERR
;
if
((
r
=
get_user_data
(
handle
,
&
username
,
&
pw
))
!=
PAM_SUCCESS
)
goto
finish
;
...
...
@@ -438,6 +489,10 @@ _public_ PAM_EXTERN int pam_sm_close_session(
if
((
r
=
cg_attach
(
SYSTEMD_CGROUP_CONTROLLER
,
"/user"
,
0
))
<
0
)
pam_syslog
(
handle
,
LOG_ERR
,
"Failed to move us away: %s"
,
strerror
(
-
r
));
STRV_FOREACH
(
c
,
controllers
)
if
((
r
=
cg_attach
(
*
c
,
"/user"
,
0
))
<
0
)
pam_syslog
(
handle
,
LOG_ERR
,
"Failed to move us away in %s hierarchy: %s"
,
*
c
,
strerror
(
-
r
));
if
(
asprintf
(
&
user_path
,
"/user/%s"
,
username
)
<
0
)
{
r
=
PAM_BUF_ERR
;
goto
finish
;
...
...
@@ -466,11 +521,18 @@ _public_ PAM_EXTERN int pam_sm_close_session(
* cgroup. First, try to create the user group
* in case it doesn't exist yet. Also, delete
* the session group. */
create_user_group
(
handle
,
nosession_path
,
pw
,
false
,
false
);
create_user_group
(
handle
,
SYSTEMD_CGROUP_CONTROLLER
,
nosession_path
,
pw
,
false
,
false
);
if
((
r
=
cg_migrate_recursive
(
SYSTEMD_CGROUP_CONTROLLER
,
session_path
,
nosession_path
,
false
,
true
))
<
0
)
pam_syslog
(
handle
,
LOG_ERR
,
"Failed to migrate session cgroup: %s"
,
strerror
(
-
r
));
}
STRV_FOREACH
(
c
,
controllers
)
{
create_user_group
(
handle
,
*
c
,
nosession_path
,
pw
,
false
,
false
);
if
((
r
=
cg_migrate_recursive
(
*
c
,
session_path
,
nosession_path
,
false
,
true
))
<
0
)
pam_syslog
(
handle
,
LOG_ERR
,
"Failed to migrate session cgroup in hierarchy %s: %s"
,
*
c
,
strerror
(
-
r
));
}
}
/* GC user tree */
...
...
@@ -500,6 +562,9 @@ _public_ PAM_EXTERN int pam_sm_close_session(
r
=
-
EBUSY
;
}
STRV_FOREACH
(
c
,
controllers
)
cg_trim
(
*
c
,
user_path
,
true
);
if
(
r
>=
0
)
{
const
char
*
runtime_dir
;
...
...
@@ -520,5 +585,7 @@ finish:
free
(
nosession_path
);
free
(
user_path
);
strv_free
(
controllers
);
return
r
;
}
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
