close_session = true;
- if ((pam_code = pam_setcred(handle, PAM_ESTABLISH_CRED | PAM_SILENT)) != PAM_SUCCESS)
- goto fail;
-
if ((!(e = pam_getenvlist(handle)))) {
pam_code = PAM_BUF_ERR;
goto fail;
/* This string must fit in 10 chars (i.e. the length
* of "/sbin/init") */
- rename_process("sd:pam");
+ rename_process("sd(PAM)");
/* Make sure we don't keep open the passed fds in this
child. We assume that otherwise only those fds are
/* Check if our parent process might already have
* died? */
if (getppid() == parent_pid) {
- if (sigwait(&ss, &sig) < 0)
- goto child_finish;
+ for (;;) {
+ if (sigwait(&ss, &sig) < 0) {
+ if (errno == EINTR)
+ continue;
- assert(sig == SIGTERM);
+ goto child_finish;
+ }
+
+ assert(sig == SIGTERM);
+ break;
+ }
}
- /* Only if our parent died we'll end the session */
+ /* If our parent died we'll end the session */
if (getppid() != parent_pid)
if ((pam_code = pam_close_session(handle, PAM_DATA_SILENT)) != PAM_SUCCESS)
goto child_finish;
* cleanups, so forget about the handle here. */
handle = NULL;
- /* Unblock SIGSUR1 again in the parent */
+ /* Unblock SIGTERM again in the parent */
if (sigprocmask(SIG_SETMASK, &old_ss, NULL) < 0)
goto fail;
r = EXIT_STDIN;
goto fail_child;
}
- }
-#ifdef HAVE_PAM
- if (context->pam_name && username) {
- if (setup_pam(context->pam_name, username, context->tty_path, &pam_env, fds, n_fds) < 0) {
- r = EXIT_PAM;
- goto fail_child;
- }
+ if (cgroup_bondings && context->control_group_modify)
+ if (cgroup_bonding_set_group_access_list(cgroup_bondings, 0755, uid, gid) < 0 ||
+ cgroup_bonding_set_task_access_list(cgroup_bondings, 0644, uid, gid) < 0) {
+ r = EXIT_CGROUP;
+ goto fail_child;
+ }
}
-#endif
if (apply_permissions)
if (enforce_groups(context, username, uid) < 0) {
umask(context->umask);
+#ifdef HAVE_PAM
+ if (context->pam_name && username) {
+ if (setup_pam(context->pam_name, username, context->tty_path, &pam_env, fds, n_fds) < 0) {
+ r = EXIT_PAM;
+ goto fail_child;
+ }
+ }
+#endif
+
if (strv_length(context->read_write_dirs) > 0 ||
strv_length(context->read_only_dirs) > 0 ||
strv_length(context->inaccessible_dirs) > 0 ||
"%sWorkingDirectory: %s\n"
"%sRootDirectory: %s\n"
"%sNonBlocking: %s\n"
- "%sPrivateTmp: %s\n",
+ "%sPrivateTmp: %s\n"
+ "%sControlGroupModify: %s\n",
prefix, c->umask,
prefix, c->working_directory ? c->working_directory : "/",
prefix, c->root_directory ? c->root_directory : "/",
prefix, yes_no(c->non_blocking),
- prefix, yes_no(c->private_tmp));
+ prefix, yes_no(c->private_tmp),
+ prefix, yes_no(c->control_group_modify));
STRV_FOREACH(e, c->environment)
fprintf(f, "%sEnvironment: %s\n", prefix, *e);