pam/pam-1.2.0-fix-running-in-containers.patch


2016-09-19 17:31:47 +10:00
--- Linux-PAM-1_2_0/libpam/pam_audit.c.omv~ 2015-06-11 17:17:49.768740173 +0200
+++ Linux-PAM-1_2_0/libpam/pam_audit.c 2015-06-11 17:18:27.654412940 +0200
@@ -70,9 +70,10 @@ _pam_audit_open(pam_handle_t *pamh)
audit_fd = audit_open();
if (audit_fd < 0) {
/* You get these error codes only when the kernel doesn't have
- * audit compiled in. */
+ * audit compiled in. EPERM happens when running inside a container
+ * (e.g. systemd-nspawn, docker) */
if (errno == EINVAL || errno == EPROTONOSUPPORT ||
- errno == EAFNOSUPPORT)
+ errno == EAFNOSUPPORT || errno == EPERM)
return -2;
/* this should only fail in case of extreme resource shortage,
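Review bot: Adding `EPERM` to the `EINVAL`/`EPROTONOSUPPORT`/`EAFNOSUPPORT` test in `_pam_audit_open()` makes the audit path fail open without leaving any trace. The three original codes mean the kernel has no audit support, whereas `EPERM` only says this process was refused; that could presumably also happen outside a container, for example through a capability or policy restriction on a host where auditing is expected. Returning -2 there would drop the records silently, assuming callers treat -2 as "audit unavailable" (they are not visible here). I would give `EPERM` its own branch and log before returning, e.g. `if (errno == EPERM) pam_syslog(pamh, LOG_NOTICE, "audit_open() denied (EPERM); audit records will not be written");`. The same condition is added in pam_loginuid.c, pam_tally2.c and unix_chkpwd.c below, and the function body continues outside this hunk.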
--- Linux-PAM-1_2_0/modules/pam_loginuid/pam_loginuid.c.omv~ 2015-06-11 17:19:12.543025498 +0200
+++ Linux-PAM-1_2_0/modules/pam_loginuid/pam_loginuid.c 2015-06-11 17:19:44.274751787 +0200
@@ -117,9 +117,10 @@ static int check_auditd(void)
/* This is here to let people that build their own kernel
and disable the audit system get in. You get these error
codes only when the kernel doesn't have audit
- compiled in. */
+ compiled in. EPERM is when running inside systemd-nspawn
+ or docker. */
if (errno == EINVAL || errno == EPROTONOSUPPORT ||
- errno == EAFNOSUPPORT)
+ errno == EAFNOSUPPORT || errno == EPERM)
return PAM_SUCCESS;
return PAM_SESSION_ERR;
}
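Review bot: `check_auditd()` now returns `PAM_SUCCESS` when `audit_open()` is refused with `EPERM`, so a caller that uses it to insist on a reachable audit daemon gets a pass in exactly the case where nothing can be audited. The existing comment justifies the bypass for kernels built without audit; a permission denial is a different condition, and waiving the check for it is a policy decision that should be explicit. If the bypass is kept, I would say so in the comment, e.g. `/* EPERM: audit socket denied (seen in systemd-nspawn/docker); this waives the auditd check. */`, and also log it so the waiver is visible on hosts that are not containers. The start of `check_auditd()` is outside the hunk.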
--- Linux-PAM-1_2_0/modules/pam_tally2/pam_tally2.c.omv~ 2015-06-11 17:18:49.540224003 +0200
+++ Linux-PAM-1_2_0/modules/pam_tally2/pam_tally2.c 2015-06-11 17:19:05.000090583 +0200
@@ -517,7 +517,7 @@ tally_check (tally_t oldcnt, time_t oldt
audit_fd = audit_open();
/* If there is an error & audit support is in the kernel report error */
if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT ||
- errno == EAFNOSUPPORT))
+ errno == EAFNOSUPPORT || errno == EPERM))
return PAM_SYSTEM_ERR;
(void)pam_get_item(pamh, PAM_TTY, &tty);
(void)pam_get_item(pamh, PAM_RHOST, &rhost);
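Review bot: The comment above the condition, `/* If there is an error & audit support is in the kernel report error */`, no longer describes the test once `EPERM` is exempted, and unlike the other three files this hunk does not explain why. I would replace it with `/* Report an error only if audit_open() failed for a reason other than missing kernel audit support or EPERM (seen inside containers such as systemd-nspawn or docker) */`. Execution also continues past this point with `audit_fd < 0`; the later use of the descriptor is outside the hunk and is worth checking for the `EPERM` case.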
--- Linux-PAM-1_2_0/modules/pam_unix/unix_chkpwd.c.omv~ 2015-06-11 17:20:06.152563149 +0200
+++ Linux-PAM-1_2_0/modules/pam_unix/unix_chkpwd.c 2015-06-11 17:20:29.964357904 +0200
@@ -66,9 +66,10 @@ static int _audit_log(int type, const ch
audit_fd = audit_open();
if (audit_fd < 0) {
/* You get these error codes only when the kernel doesn't have
- * audit compiled in. */
+ * audit compiled in. EPERM is when running inside docker or
+ * systemd-nspawn. */
if (errno == EINVAL || errno == EPROTONOSUPPORT ||
- errno == EAFNOSUPPORT)
+ errno == EAFNOSUPPORT || errno == EPERM)
return PAM_SUCCESS;
helper_log_err(LOG_CRIT, "audit_open() failed: %m");