(from jmichael@suse.de)

This patch adds support for a 'debug' flag to the pam_apparmor pam module, which will cause it to report more of its attempted operations to syslog.
2025-08-22 10:07:12 +00:00 · 2006-10-31 16:33:02 +00:00 · 2006-10-31 16:33:02 +00:00 · 53f1a9cdc5
commit 53f1a9cdc5
parent 8cf0339798
4 changed files with 22 additions and 20 deletions
--- a/changehat/pam_apparmor/README
+++ b/changehat/pam_apparmor/README
@ -60,6 +60,10 @@ Some exmaple configurations:
  # DEFAULT if the prior hats do not exist in the apparmor profile
  session  optional       pam_apparmor.so order=user,group,default

+You can also add a 'debug' flag to the pam_apparmor session line; this
+will cause the pam module to report more of what it is attempting to do
+to syslog.
+
 References
 ----------
 Project webpage:
--- a/changehat/pam_apparmor/get_options.c
+++ b/changehat/pam_apparmor/get_options.c
@ -53,8 +53,7 @@

 #include "pam_apparmor.h"

-#define DEBUG 1
-
+#define DEBUG_STRING "debug"
 #define ORDER_PREFIX "order="

 static int parse_option(pam_handle_t *pamh, struct config **config, const char *argv)
@ -64,8 +63,10 @@ static int parse_option(pam_handle_t *pamh, struct config **config, const char *
 	if (argv == NULL || argv[0] == '\0')
 		return 0;

-	/* someday we may have more option. Gasp! */
-	if (strncasecmp(argv, ORDER_PREFIX, strlen(ORDER_PREFIX)) != 0) {
+	if (strcasecmp(argv, DEBUG_STRING) == 0) {
+		debug_flag = 1;
+		return 0;
+	} else if (strncasecmp(argv, ORDER_PREFIX, strlen(ORDER_PREFIX)) != 0) {
 		pam_syslog (pamh, LOG_ERR, "Unknown option: `%s'\n", argv);
 		return PAM_SESSION_ERR;
 	}
--- a/changehat/pam_apparmor/pam_apparmor.c
+++ b/changehat/pam_apparmor/pam_apparmor.c
@ -38,7 +38,7 @@

 #include "pam_apparmor.h"

-#define DEBUG 0
+int debug_flag = 0;

 static struct config default_config = {
 	.hat_type[0] = eGroupname,
@ -115,21 +115,18 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
 		const char *hat = NULL;
 		switch (config->hat_type[i]) {
 		case eGroupname:
-#if DEBUG
-			pam_syslog(pamh, LOG_DEBUG, "Using groupname\n");
-#endif
 			hat = gr->gr_name;
+			if (debug_flag)
+				pam_syslog(pamh, LOG_DEBUG, "Using groupname '%s'\n", hat);
 			break;
 		case eUsername:
-#if DEBUG
-			pam_syslog(pamh, LOG_DEBUG, "Using username\n");
-#endif
 			hat = user;
+			if (debug_flag)
+				pam_syslog(pamh, LOG_DEBUG, "Using username '%s'\n", hat);
 			break;
 		case eDefault:
-#if DEBUG
-			pam_syslog(pamh, LOG_DEBUG, "Using DEFAULT\n");
-#endif
+			if (debug_flag)
+				pam_syslog(pamh, LOG_DEBUG, "Using DEFAULT\n");
 			hat = "DEFAULT";
 			break;
 		default:
@ -142,9 +139,8 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
 		retval = change_hat(hat, magic_token);
 		if (retval == 0) {
 			/* success, let's bail */
-#if DEBUG
-			pam_syslog(pamh, LOG_DEBUG, "Successfully changed to hat '%s'\n", hat);
-#endif
+			if (debug_flag)
+				pam_syslog(pamh, LOG_DEBUG, "Successfully changed to hat '%s'\n", hat);
 			goto out;
 		}

@ -155,10 +151,9 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
 		case EINVAL:
 			/* apparmor is not loaded or application is unconfined,
 			 * stop attempting to use change_hat */
-#if DEBUG
-			pam_syslog(pamh, LOG_DEBUG,
+			if (debug_flag)
+				pam_syslog(pamh, LOG_DEBUG,
 				   "AppArmor not loaded, or application is unconfined\n");
-#endif
 			pam_retval = PAM_SUCCESS;
 			goto out;
 			break;
--- a/changehat/pam_apparmor/pam_apparmor.h
+++ b/changehat/pam_apparmor/pam_apparmor.h
@ -52,5 +52,7 @@ struct config {
 	hat_t hat_type[MAX_HAT_TYPES];
 };

+extern int debug_flag;
+
 extern int get_options(pam_handle_t *pamh, struct config **config,
 		int argc, const char **argv);