diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0001-Reorganize-the-login-sessions.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0001-Reorganize-the-login-sessions.patch
new file mode 100644
index 0000000000..8a8a7f8f49
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0001-Reorganize-the-login-sessions.patch
@@ -0,0 +1,167 @@
+From 3eb1fea6104cd4bbc978e11974f337549edaf2e4 Mon Sep 17 00:00:00 2001
+From: Krzesimir Nowak
+Date: Thu, 9 Oct 2025 17:32:38 +0200
+Subject: [PATCH 1/2] Reorganize the login sessions
+
+- Move selinux parts from system-login to separate a system-selinux
+ file. It is conditionally included by system-local-login and
+ system-remote-login if selinux is enabled. This makes
+ "pam_selinux.so close" and "pam_selinux.so open" as first rules to
+ be called in the session. This more or less follows what systemd and
+ Fedora is doing in its systemd-user PAM config (Fedora seems to be
+ sandwiching loginuid between the pam_selinux rules, but it should
+ not matter, since pam_selinux actions affects the process after
+ execve). This also drops the "multiple" option from "pam_selinux.so
+ open" rule, because this flag was dropped from the module in 2007.
+
+- Move the "not minimal" parts from system-login to
+ system-postlogin. This file gets included by system-remote-login and
+ system-local-login conditionally, like it used to be in
+ system-login.
+
+- Add pam_namespace.so and pam_keyinit.so to system-login.
+
+- Add pam_umask.so to system-session.
+
+With these changes, the session part of the systemd-user PAM config in
+sys-apps/systemd FILESDIR can be simplified to something like
+(assuming that pambase was installed with USE=systemd):
+
+session pam_selinux.so close
+session pam_selinux.so open nottys
+session include system-login
+
+In the selinux-disabled variant of the systemd-user PAM config, the
+pam_selinux.so lines would be absent.
+
+Signed-off-by: Krzesimir Nowak
+---
+ pambase.py | 2 ++
+ templates/system-local-login.tpl | 9 +++++++++
+ templates/system-login.tpl | 17 +++-------------
+ templates/system-postlogin.tpl | 3 +++
+ templates/system-remote-login.tpl | 7 +++++++
+ templates/system-selinux.tpl | 2 ++
+ templates/system-session.tpl | 1 +
+ 7 files changed, 27 insertions(+), 14 deletions(-)
+ create mode 100644 templates/system-postlogin.tpl
+ create mode 100644 templates/system-selinux.tpl
+
+diff --git a/pambase.py b/pambase.py
+index 4180cbb..0c7450d 100755
+--- a/pambase.py
++++ b/pambase.py
+@@ -105,6 +105,8 @@ def parse_templates(processed_args):
+ "su",
+ "system-auth",
+ "system-login",
++ "system-postlogin",
++ "system-selinux",
+ "system-services",
+ ]
+
+diff --git a/templates/system-local-login.tpl b/templates/system-local-login.tpl
+index 5e01090..34d8459 100644
+--- a/templates/system-local-login.tpl
++++ b/templates/system-local-login.tpl
+@@ -2,12 +2,21 @@ auth include system-login
+ {% if gnome_keyring %}
+ auth optional pam_gnome_keyring.so
+ {% endif %}
++
+ account include system-login
++
+ password include system-login
+ {% if gnome_keyring %}
+ password optional pam_gnome_keyring.so use_authtok
+ {% endif %}
++
++{% if selinux %}
++session include system-selinux
++{% endif %}
+ {% if gnome_keyring %}
+ session optional pam_gnome_keyring.so auto_start
+ {% endif %}
+ session include system-login
++{% if not minimal %}
++session include system-postlogin
++{% endif %}
+diff --git a/templates/system-login.tpl b/templates/system-login.tpl
+index 77926b7..58018f7 100644
+--- a/templates/system-login.tpl
++++ b/templates/system-login.tpl
+@@ -10,23 +10,12 @@ account required pam_time.so
+ account include system-auth
+
+ password include system-auth
+-session optional pam_loginuid.so
+-{% if selinux %}
+-session required pam_selinux.so close
+-{% endif %}
+
++session optional pam_loginuid.so
+ session required pam_env.so envfile=/etc/profile.env {{ debug }}
++session required pam_namespace.so
++session optional pam_keyinit.so force revoke
+ session include system-auth
+-{% if selinux %}
+-# Note: modules that run in the user's context must come after this line.
+-session required pam_selinux.so multiple open
+-{% endif %}
+-
+-{% if not minimal %}
+-session optional pam_motd.so motd=/etc/motd
+-session optional pam_lastlog.so never showfailed {{ debug }}
+-session optional pam_mail.so
+-{% endif %}
+
+ {% if systemd %}
+ -session optional pam_systemd.so
+diff --git a/templates/system-postlogin.tpl b/templates/system-postlogin.tpl
+new file mode 100644
+index 0000000..06e30cd
+--- /dev/null
++++ b/templates/system-postlogin.tpl
+@@ -0,0 +1,3 @@
++session optional pam_motd.so motd=/etc/motd
++session optional pam_lastlog.so never showfailed {{ debug }}
++session optional pam_mail.so
+diff --git a/templates/system-remote-login.tpl b/templates/system-remote-login.tpl
+index 2f415ed..7a06341 100644
+--- a/templates/system-remote-login.tpl
++++ b/templates/system-remote-login.tpl
+@@ -1,4 +1,11 @@
+ auth include system-login
+ account include system-login
+ password include system-login
++
++{% if selinux %}
++session include system-selinux
++{% endif %}
+ session include system-login
++{% if not minimal %}
++session include system-postlogin
++{% endif %}
+diff --git a/templates/system-selinux.tpl b/templates/system-selinux.tpl
+new file mode 100644
+index 0000000..c094c88
+--- /dev/null
++++ b/templates/system-selinux.tpl
+@@ -0,0 +1,2 @@
++session required pam_selinux.so close
++session required pam_selinux.so open
+diff --git a/templates/system-session.tpl b/templates/system-session.tpl
+index 150061f..690396f 100644
+--- a/templates/system-session.tpl
++++ b/templates/system-session.tpl
+@@ -12,6 +12,7 @@ session [success=1 default=ignore] pam_krb5.so {{ debug }} ignore_root try_firs
+ session [success=1 default=ignore] pam_systemd_home.so
+ {% endif %}
+
++session optional pam_umask.so {% if debug %}debug{% else %}silent{% endif +%}
+ session required pam_unix.so {{ debug }}
+
+ {% if sssd %}
+--
+2.51.0
+
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0002-Flatcar-modifications.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0002-Flatcar-modifications.patch
new file mode 100644
index 0000000000..7776e58d0a
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0002-Flatcar-modifications.patch
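Review bot: The ordering contract that the removed line `# Note: modules that run in the user's context must come after this line.` expressed is not carried over anywhere in the new templates, although after this change every session rule in system-login.tpl (pam_env, pam_namespace, pam_keyinit, pam_systemd) runs after `pam_selinux.so open`, and keeping that order is now the job of each file that includes system-login (system-local-login, system-remote-login and the systemd-user config the message describes). I would add at the top of the session section of system-login.tpl, just before `session optional pam_loginuid.so`: `# Note: when selinux is enabled the includer must run pam_selinux.so close/open (system-selinux) before this file; every session module below runs in the user's context.` Separately, `session required pam_namespace.so` makes session opening depend on /etc/security/namespace.conf being present and parsable on the target image (pam_namespace fails the session when it cannot read its config, as far as I recall), so either confirm the target ships that file or consider whether `optional` is the safer default for a module that can block every login. The system-login.tpl hunk (@@ -10,23 +10,12 @@) shows only part of that template; the auth and account rules above line 10 are out of view.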
@@ -0,0 +1,52 @@
+From 55c811bb55334a9c5ba19e5c7ec61a9ede365a37 Mon Sep 17 00:00:00 2001
+From: Krzesimir Nowak
+Date: Fri, 10 Oct 2025 11:47:43 +0200
+Subject: [PATCH 2/2] Flatcar modifications
+
+---
+ templates/system-auth.tpl | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
+index 905d04f..c78f9d6 100644
+--- a/templates/system-auth.tpl
++++ b/templates/system-auth.tpl
+@@ -9,11 +9,15 @@ auth [default={{ 3 + homed + (sssd * 3) }}] pam_permit.so
+ {% endif %}
+
+ {% if sssd %}
+-auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
+-auth [default=3 ignore=ignore success=ok] pam_localuser.so
++# FLATCAR: Removed. We aren't limiting login to regular users.
++# auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
++# FLATCAR: Removed. We have some users and groups in
++# /usr/share/baselayout/passwd, not only in /etc/passwd.
++# auth [default=3 ignore=ignore success=ok] pam_localuser.so
+ {% endif %}
+
+-auth requisite pam_faillock.so preauth
++# FLATCAR: Added deny, unlock_time and fail_interval to override defaults.
++auth requisite pam_faillock.so preauth preauth deny=5 unlock_time=60 fail_interval=120
+
+ {% if homed %}
+ auth [success=2 default=ignore] pam_systemd_home.so
+@@ -45,9 +49,13 @@ account [success={{ 2 if sssd else 1 }} default=ignore] pam_systemd_home.so
+ account required pam_unix.so {{ debug }}
+ account required pam_faillock.so
+ {% if sssd %}
+-account sufficient pam_localuser.so
+-account sufficient pam_usertype.so issystem
+-account [default=bad success=ok user_unknown=ignore] pam_sss.so {{ debug }}
++# FLATCAR: Removed. We have some users and groups in
++# /usr/share/baselayout/passwd, not only in /etc/passwd.
++# account sufficient pam_localuser.so
++# FLATCAR: Removed. Maybe we could keep it?
++# account sufficient pam_usertype.so issystem
++# FLATCAR: Added ignore when sssd is not running
++account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so {{ debug }}
+ account required pam_permit.so
+ {% endif %}
+
+--
+2.51.0
+
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/README.md b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/README.md
new file mode 100644
index 0000000000..b36dac0439
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/README.md
@@ -0,0 +1,6 @@
+The `0001-Reorganize-the-login-sessions.patch` is something we could
+try to upstream if it is proven to work.
+
+The `0002-Flatcar-modifications.patch` is just some Flatcar-specific
+changes. Not sure if all them are necessary, but it is trying to
+more-or-less match the config files from old baselayout.
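Review bot: The new pam_faillock line in the first system-auth.tpl hunk repeats the `preauth` keyword: `auth requisite pam_faillock.so preauth preauth deny=5 unlock_time=60 fail_interval=120` should read `auth requisite pam_faillock.so preauth deny=5 unlock_time=60 fail_interval=120`, which is also what the FLATCAR comment above it describes. The three options are given on the preauth call only; the authfail and authsucc calls of pam_faillock (further down in system-auth.tpl, outside this hunk) read their own arguments, so unless they carry the same values or /etc/security/faillock.conf sets them, the policy used when failures are recorded and when they are evaluated can differ — putting the values in faillock.conf, which every call reads, avoids that and the duplication. As I recall, deny=5, unlock_time=60 and fail_interval=120 are all looser than the module's built-in defaults (deny=3, unlock_time=600, fail_interval=900), so the lockout now only briefly slows down repeated password guessing; if that is deliberate to match the old baselayout config, the comment should say so rather than just "override defaults". The comment `# FLATCAR: Removed. Maybe we could keep it?` above the commented-out `pam_usertype.so issystem` rule leaves an open question in a shipped PAM config; decide it here, or mark it `TODO` with the reason the rule was dropped.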