From 2b120cc866f0bfb717b3741bb0efc17afb3904d2 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Fri, 17 Oct 2025 11:48:10 +0200
Subject: [PATCH] overlay profiles: Add a function for vendorizing pam files

This is meant to be used by packages installing pam config files. The
function should be invoked in a post src_install hook.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
---
 .../profiles/coreos/base/profile.bashrc         | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc
index 3e89f0fb61..6165f45d05 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc
@@ -134,6 +134,23 @@ cros_pre_pkg_postinst_no_modifications_of_users() {
     export ACCT_USER_NO_MODIFY=x
 }
 
+# Move pam files from /etc to /usr. It is a no-op for SDK builds.
+#
+# Invoke this in post_src_install hook.
+vendorize_pam_files() {
+    if [[ ${FLATCAR_TYPE} = 'sdk' ]]; then
+        # We don't care about PAM inside SDK.
+        return 0
+    fi
+
+    mkdir -p "${ED}/usr/lib/pam/security"
+
+    tar --create --remove-files --directory "${ED}/etc/security" . | \
+        tar --extract --directory "${ED}/usr/lib/pam/security"
+    tar --create --remove-files --directory "${ED}/etc/pam.d" . | \
+        tar --extract --directory "${ED}/usr/lib/pam"
+}
+
 # Source hooks for SLSA build provenance report generation
 source "${BASH_SOURCE[0]}.slsa-provenance"