This commit teaches pam_apparmor about the current errno returned by the

kernel when the hat that was passed does not exist in the profile (but other hats exist). It also removes the very old EPERM case, which hasn't been accurate for a while. (LP: #619521)
2025-08-22 10:07:12 +00:00 · 2010-08-19 08:24:41 -07:00 · 2010-08-19 08:24:41 -07:00 · 6c31d0d894
commit 6c31d0d894
parent 40751c2ed3
1 changed files with 7 additions and 3 deletions
--- a/changehat/pam_apparmor/pam_apparmor.c
+++ b/changehat/pam_apparmor/pam_apparmor.c
@ -1,10 +1,14 @@
 /* pam_apparmor module */

 /*
- * $Id$
+ * Copyright (c) 2006
+ * NOVELL (All rights reserved)
+ *
+ * Copyright (c) 2010
+ * Canonical, Ltd. (All rights reserved)
 *
 * Written by Jesse Michael <jmichael@suse.de> 2006/08/24
- *	  and Steve Beattie <sbeattie@suse.de> 2006/10/25
+ *	  and Steve Beattie <sbeattie@ubuntu.com> 2006/10/25
 *
 * Based off of pam_motd by:
 *   Ben Collins <bcollins@debian.org> 2005/10/04
@ -165,8 +169,8 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
 			 * stop attempting to use change_hat */
 			goto nodefault;
 			break;
-		case EPERM: /* Disable when ECHILD patch gets accepted */
 		case EACCES:
+		case ENOENT:
 			/* failed to change into attempted hat, so we'll
 			 * jump back out and try the next one */
 			break;