diff --git a/changehat/pam_apparmor/README b/changehat/pam_apparmor/README
index 088242d4d..90ae3e0bd 100644
--- a/changehat/pam_apparmor/README
+++ b/changehat/pam_apparmor/README
@@ -60,6 +60,10 @@ Some exmaple configurations:
 # DEFAULT if the prior hats do not exist in the apparmor profile
 session optional pam_apparmor.so order=user,group,default
 
+You can also add a 'debug' flag to the pam_apparmor session line; this
+will cause the pam module to report more of what it is attempting to do
+to syslog.
+
 References
 ----------
 Project webpage:
diff --git a/changehat/pam_apparmor/get_options.c b/changehat/pam_apparmor/get_options.c
index e8ce4016a..0002c8745 100644
--- a/changehat/pam_apparmor/get_options.c
+++ b/changehat/pam_apparmor/get_options.c
@@ -53,8 +53,7 @@
 
 #include "pam_apparmor.h"
 
-#define DEBUG 1
-
+#define DEBUG_STRING "debug"
 #define ORDER_PREFIX "order="
 
 static int parse_option(pam_handle_t *pamh, struct config **config, const char *argv)
@@ -64,8 +63,10 @@ static int parse_option(pam_handle_t *pamh, struct config **config, const char *
 	if (argv == NULL || argv[0] == '\0')
 		return 0;
 
-	/* someday we may have more option. Gasp! */
-	if (strncasecmp(argv, ORDER_PREFIX, strlen(ORDER_PREFIX)) != 0) {
+	if (strcasecmp(argv, DEBUG_STRING) == 0) {
+		debug_flag = 1;
+		return 0;
+	} else if (strncasecmp(argv, ORDER_PREFIX, strlen(ORDER_PREFIX)) != 0) {
 		pam_syslog (pamh, LOG_ERR, "Unknown option: `%s'\n", argv);
 		return PAM_SESSION_ERR;
 	}
diff --git a/changehat/pam_apparmor/pam_apparmor.c b/changehat/pam_apparmor/pam_apparmor.c
index 8bcf11b84..bf09748ec 100644
--- a/changehat/pam_apparmor/pam_apparmor.c
+++ b/changehat/pam_apparmor/pam_apparmor.c
@@ -38,7 +38,7 @@
 
 #include "pam_apparmor.h"
 
-#define DEBUG 0
+int debug_flag = 0;
 
 static struct config default_config = {
 	.hat_type[0] = eGroupname,
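Review bot: `debug_flag = 1;` in the new `strcasecmp(argv, DEBUG_STRING)` branch of parse_option() sets a process-wide global that nothing in this hunk ever clears, so once a config line carrying `debug` has been parsed in a process, every later call in that process keeps logging at LOG_DEBUG, even for a service line that does not carry the option; this matters for long-lived PAM clients that open many sessions. Either reset it before the argv loop in get_options() (`debug_flag = 0;` — get_options() is outside this hunk) or carry the flag in `struct config` next to `hat_type` so it is scoped the same way as `order=`. A smaller point of style: the `else if` that follows an unconditional `return 0;` can be a plain `if`.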
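Review bot: `int debug_flag = 0;` is a non-static, unprefixed global in a shared object that is dlopen()ed into whatever program uses PAM; it cannot be `static` because get_options.c assigns it, but a name this generic can be interposed by a same-named symbol in the host process or another module, depending on how the module is linked and loaded. A module-specific name such as `pam_apparmor_debug`, or `__attribute__((visibility("hidden")))` on the definition and the matching extern in pam_apparmor.h, would keep it internal to the module. A one-line comment stating that the flag is set from the `debug` module option and read by pam_sm_open_session() would also help the next reader.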
@@ -115,21 +115,18 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
 		const char *hat = NULL;
 		switch (config->hat_type[i]) {
 		case eGroupname:
-#if DEBUG
-			pam_syslog(pamh, LOG_DEBUG, "Using groupname\n");
-#endif
 			hat = gr->gr_name;
+			if (debug_flag)
+				pam_syslog(pamh, LOG_DEBUG, "Using groupname '%s'\n", hat);
 			break;
 		case eUsername:
-#if DEBUG
-			pam_syslog(pamh, LOG_DEBUG, "Using username\n");
-#endif
 			hat = user;
+			if (debug_flag)
+				pam_syslog(pamh, LOG_DEBUG, "Using username '%s'\n", hat);
 			break;
 		case eDefault:
-#if DEBUG
-			pam_syslog(pamh, LOG_DEBUG, "Using DEFAULT\n");
-#endif
+			if (debug_flag)
+				pam_syslog(pamh, LOG_DEBUG, "Using DEFAULT\n");
 			hat = "DEFAULT";
 			break;
 		default:
@@ -142,9 +139,8 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
 		retval = change_hat(hat, magic_token);
 		if (retval == 0) {
 			/* success, let's bail */
-#if DEBUG
-			pam_syslog(pamh, LOG_DEBUG, "Successfully changed to hat '%s'\n", hat);
-#endif
+			if (debug_flag)
+				pam_syslog(pamh, LOG_DEBUG, "Successfully changed to hat '%s'\n", hat);
 			goto out;
 		}
 
@@ -155,10 +151,9 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
 		case EINVAL:
 			/* apparmor is not loaded or application is unconfined,
 			 * stop attempting to use change_hat */
-#if DEBUG
-			pam_syslog(pamh, LOG_DEBUG,
+			if (debug_flag)
+				pam_syslog(pamh, LOG_DEBUG,
 				"AppArmor not loaded, or application is unconfined\n");
-#endif
 			pam_retval = PAM_SUCCESS;
 			goto out;
 			break;
diff --git a/changehat/pam_apparmor/pam_apparmor.h b/changehat/pam_apparmor/pam_apparmor.h
index 74162edcf..041cafb5e 100644
--- a/changehat/pam_apparmor/pam_apparmor.h
+++ b/changehat/pam_apparmor/pam_apparmor.h
@@ -52,5 +52,7 @@ struct config {
 	hat_t hat_type[MAX_HAT_TYPES];
 };
 
+extern int debug_flag;
+
 extern int get_options(pam_handle_t *pamh, struct config **config, int argc, const char **argv);
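Review bot: In the `case eDefault:` arm the debug message is emitted before `hat = "DEFAULT";`, while the eGroupname and eUsername arms log after the assignment and print the chosen hat; moving the `if (debug_flag)` block below the assignment and using the same form, `pam_syslog(pamh, LOG_DEBUG, "Using DEFAULT '%s'\n", hat);`, makes the three arms read alike and gives syslog one uniform line shape to search for. The enclosing pam_sm_open_session() starts and ends outside this hunk, so whether `gr` and `user` are guaranteed non-NULL before the `'%s'` logging cannot be checked here. The -142 and -155 hunks follow the same if-then-log pattern and need no change.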
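Review bot: `extern int debug_flag;` is added to the header without saying who sets it or when; a comment such as `/* set to 1 by the 'debug' module option in get_options.c; read by pam_sm_open_session() */` would let a reader find both ends. Because it is a plain int written during option parsing and read later in the same process, that comment should also state that it is process-wide rather than per-handle, if that is the intended contract.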