overlay coreos/user-patches: Add patches for sys-auth/pambase

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-14 20:21:19 +01:00 · 2025-10-16 17:30:24 +02:00 · 2025-10-16 17:30:24 +02:00 · fa4e6f2bd0
commit fa4e6f2bd0
parent 14c8a7bc0c
3 changed files with 225 additions and 0 deletions
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0001-Reorganize-the-login-sessions.patch
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0001-Reorganize-the-login-sessions.patch
@ -0,0 +1,167 @@
+From 3eb1fea6104cd4bbc978e11974f337549edaf2e4 Mon Sep 17 00:00:00 2001
+From: Krzesimir Nowak <knowak@microsoft.com>
+Date: Thu, 9 Oct 2025 17:32:38 +0200
+Subject: [PATCH 1/2] Reorganize the login sessions
+
+- Move selinux parts from system-login to separate a system-selinux
+  file. It is conditionally included by system-local-login and
+  system-remote-login if selinux is enabled. This makes
+  "pam_selinux.so close" and "pam_selinux.so open" as first rules to
+  be called in the session. This more or less follows what systemd and
+  Fedora is doing in its systemd-user PAM config (Fedora seems to be
+  sandwiching loginuid between the pam_selinux rules, but it should
+  not matter, since pam_selinux actions affects the process after
+  execve). This also drops the "multiple" option from "pam_selinux.so
+  open" rule, because this flag was dropped from the module in 2007.
+
+- Move the "not minimal" parts from system-login to
+  system-postlogin. This file gets included by system-remote-login and
+  system-local-login conditionally, like it used to be in
+  system-login.
+
+- Add pam_namespace.so and pam_keyinit.so to system-login.
+
+- Add pam_umask.so to system-session.
+
+With these changes, the session part of the systemd-user PAM config in
+sys-apps/systemd FILESDIR can be simplified to something like
+(assuming that pambase was installed with USE=systemd):
+
+session pam_selinux.so close
+session pam_selinux.so open nottys
+session include system-login
+
+In the selinux-disabled variant of the systemd-user PAM config, the
+pam_selinux.so lines would be absent.
+
+Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
+---
+ pambase.py                        |  2 ++
+ templates/system-local-login.tpl  |  9 +++++++++
+ templates/system-login.tpl        | 17 +++--------------
+ templates/system-postlogin.tpl    |  3 +++
+ templates/system-remote-login.tpl |  7 +++++++
+ templates/system-selinux.tpl      |  2 ++
+ templates/system-session.tpl      |  1 +
+ 7 files changed, 27 insertions(+), 14 deletions(-)
+ create mode 100644 templates/system-postlogin.tpl
+ create mode 100644 templates/system-selinux.tpl
+
+diff --git a/pambase.py b/pambase.py
+index 4180cbb..0c7450d 100755
+--- a/pambase.py
+++ b/pambase.py
+@@ -105,6 +105,8 @@ def parse_templates(processed_args):
+         "su",
+         "system-auth",
+         "system-login",
+        "system-postlogin",
+        "system-selinux",
+         "system-services",
+     ]
+ 
+diff --git a/templates/system-local-login.tpl b/templates/system-local-login.tpl
+index 5e01090..34d8459 100644
+--- a/templates/system-local-login.tpl
+++ b/templates/system-local-login.tpl
+@@ -2,12 +2,21 @@ auth		include		system-login
+ {% if gnome_keyring %}
+ auth		optional	pam_gnome_keyring.so
+ {% endif %}
+
+ account		include		system-login
+
+ password	include		system-login
+ {% if gnome_keyring %}
+ password	optional	pam_gnome_keyring.so use_authtok
+ {% endif %}
+
+{% if selinux %}
+session		include		system-selinux
+{% endif %}
+ {% if gnome_keyring %}
+ session		optional	pam_gnome_keyring.so auto_start
+ {% endif %}
+ session		include		system-login
+{% if not minimal %}
+session		include		system-postlogin
+{% endif %}
+diff --git a/templates/system-login.tpl b/templates/system-login.tpl
+index 77926b7..58018f7 100644
+--- a/templates/system-login.tpl
+++ b/templates/system-login.tpl
+@@ -10,23 +10,12 @@ account		required	pam_time.so
+ account		include		system-auth
+ 
+ password	include		system-auth
+-session		optional	pam_loginuid.so
+-{% if selinux %}
+-session		required	pam_selinux.so close
+-{% endif %}
+ 
+session		optional	pam_loginuid.so
+ session		required	pam_env.so envfile=/etc/profile.env {{ debug }}
+session		required	pam_namespace.so
+session		optional	pam_keyinit.so force revoke
+ session		include		system-auth
+-{% if selinux %}
+-# Note: modules that run in the user's context must come after this line.
+-session		required	pam_selinux.so multiple open
+-{% endif %}
+-
+-{% if not minimal %}
+-session		optional	pam_motd.so motd=/etc/motd
+-session		optional	pam_lastlog.so never showfailed {{ debug }}
+-session		optional	pam_mail.so
+-{% endif %}
+ 
+ {% if systemd %}
+ -session	optional	pam_systemd.so
+diff --git a/templates/system-postlogin.tpl b/templates/system-postlogin.tpl
+new file mode 100644
+index 0000000..06e30cd
+--- /dev/null
+++ b/templates/system-postlogin.tpl
+@@ -0,0 +1,3 @@
+session		optional	pam_motd.so motd=/etc/motd
+session		optional	pam_lastlog.so never showfailed {{ debug }}
+session		optional	pam_mail.so
+diff --git a/templates/system-remote-login.tpl b/templates/system-remote-login.tpl
+index 2f415ed..7a06341 100644
+--- a/templates/system-remote-login.tpl
+++ b/templates/system-remote-login.tpl
+@@ -1,4 +1,11 @@
+ auth		include		system-login
+ account		include		system-login
+ password	include		system-login
+
+{% if selinux %}
+session		include		system-selinux
+{% endif %}
+ session		include		system-login
+{% if not minimal %}
+session		include		system-postlogin
+{% endif %}
+diff --git a/templates/system-selinux.tpl b/templates/system-selinux.tpl
+new file mode 100644
+index 0000000..c094c88
+--- /dev/null
+++ b/templates/system-selinux.tpl
+@@ -0,0 +1,2 @@
+session		required	pam_selinux.so close
+session		required	pam_selinux.so open
+diff --git a/templates/system-session.tpl b/templates/system-session.tpl
+index 150061f..690396f 100644
+--- a/templates/system-session.tpl
+++ b/templates/system-session.tpl
+@@ -12,6 +12,7 @@ session		[success=1 default=ignore]	pam_krb5.so {{ debug }} ignore_root try_firs
+ session		[success=1 default=ignore]	pam_systemd_home.so
+ {% endif %}
+ 
+session		optional	pam_umask.so {% if debug %}debug{% else %}silent{% endif +%}
+ session		required	pam_unix.so {{ debug }}
+ 
+ {% if sssd %}
+-- 
+2.51.0
+
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0002-Flatcar-modifications.patch
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0002-Flatcar-modifications.patch
@ -0,0 +1,52 @@
+From 55c811bb55334a9c5ba19e5c7ec61a9ede365a37 Mon Sep 17 00:00:00 2001
+From: Krzesimir Nowak <knowak@microsoft.com>
+Date: Fri, 10 Oct 2025 11:47:43 +0200
+Subject: [PATCH 2/2] Flatcar modifications
+
+---
+ templates/system-auth.tpl | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
+index 905d04f..c78f9d6 100644
+--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
+@@ -9,11 +9,15 @@ auth		[default={{ 3 + homed + (sssd * 3) }}]	pam_permit.so
+ {% endif %}
+ 
+ {% if sssd %}
+-auth		[default=1 ignore=ignore success=ok]	pam_usertype.so isregular
+-auth		[default=3 ignore=ignore success=ok]	pam_localuser.so
+# FLATCAR: Removed. We aren't limiting login to regular users.
+# auth		[default=1 ignore=ignore success=ok]	pam_usertype.so isregular
+# FLATCAR: Removed. We have some users and groups in
+# /usr/share/baselayout/passwd, not only in /etc/passwd.
+# auth		[default=3 ignore=ignore success=ok]	pam_localuser.so
+ {% endif %}
+ 
+-auth		requisite	pam_faillock.so preauth
+# FLATCAR: Added deny, unlock_time and fail_interval to override defaults.
+auth		requisite	pam_faillock.so preauth preauth deny=5 unlock_time=60 fail_interval=120
+ 
+ {% if homed %}
+ auth		[success=2 default=ignore]	pam_systemd_home.so
+@@ -45,9 +49,13 @@ account		[success={{ 2 if sssd else 1 }} default=ignore]	pam_systemd_home.so
+ account		required	pam_unix.so {{ debug }}
+ account		required	pam_faillock.so
+ {% if sssd %}
+-account		sufficient	pam_localuser.so
+-account		sufficient	pam_usertype.so issystem
+-account		[default=bad success=ok user_unknown=ignore]	pam_sss.so {{ debug }}
+# FLATCAR: Removed. We have some users and groups in
+# /usr/share/baselayout/passwd, not only in /etc/passwd.
+# account		sufficient	pam_localuser.so
+# FLATCAR: Removed. Maybe we could keep it?
+# account		sufficient	pam_usertype.so issystem
+# FLATCAR: Added ignore when sssd is not running
+account		[default=bad success=ok user_unknown=ignore authinfo_unavail=ignore]	pam_sss.so {{ debug }}
+ account		required	pam_permit.so
+ {% endif %}
+ 
+-- 
+2.51.0
+
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/README.md
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/README.md
@ -0,0 +1,6 @@
+The `0001-Reorganize-the-login-sessions.patch` is something we could
+try to upstream if it is proven to work.
+
+The `0002-Flatcar-modifications.patch` is just some Flatcar-specific
+changes. Not sure if all them are necessary, but it is trying to
+more-or-less match the config files from old baselayout.