PAM user session isolation (pam_sm_open_session: fresh PID + mount namespaces and a private /proc per session)
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_ext.h>
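/*
 * pam_sm_open_session: run the opening session inside fresh PID and mount
 * namespaces with a private /proc, so processes belonging to other sessions
 * are neither listed nor addressable by PID from inside it.
 *
 * CLONE_NEWPID via unshare() only takes effect for *children* of the caller,
 * so the process forks: the child becomes PID 1 of the new namespace and
 * carries on as the PAM application (rest of the stack, the login itself);
 * the parent only waits for it and then terminates the application with the
 * child's status.  When the child exits, the kernel kills whatever is left in
 * its PID namespace, which is what tears the session down.
 *
 * Parameters: the standard pam_sm_open_session arguments; flags, argc and
 * argv are not used by this module.
 * Returns: PAM_SUCCESS in the child once the namespaces are set up, or
 * PAM_SESSION_ERR if unshare() or fork() fails -- the session is then not
 * isolated and the module says so instead of silently continuing.  The parent
 * never returns: it exits the application when the child is gone.
 *
 * NOTE(review): the parent does not forward signals to the child, and any
 * post-session cleanup the application does after pam_open_session() now runs
 * in the child rather than in the original process -- confirm this is
 * acceptable for every application that loads this module.
 */
PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    (void)flags;
    (void)argc;
    (void)argv;

    /* Fail closed.  Unprivileged or seccomp-restricted callers get EPERM here;
     * continuing anyway would run the mount() calls below against the HOST's
     * namespace (changing / propagation and stacking a proc over the real
     * /proc) while reporting success, i.e. "isolated" with no isolation. */
    if (unshare(CLONE_NEWPID | CLONE_NEWNS) != 0) {
        pam_syslog(pamh, LOG_ERR, "unshare(CLONE_NEWPID|CLONE_NEWNS) failed: %s",
                   strerror(errno));
        return PAM_SESSION_ERR;
    }

    pid_t child = fork();
    if (child < 0) {
        /* The original treated -1 like "parent" and waited on a child that
         * does not exist, then exit()ed with an uninitialised status. */
        pam_syslog(pamh, LOG_ERR, "fork failed: %s", strerror(errno));
        return PAM_SESSION_ERR;
    }

    if (child > 0) {
        /* Parent: reap OUR child only -- waitpid(-1) could collect an
         * unrelated child of the PAM application -- and retry on EINTR. */
        int status = 0;
        while (waitpid(child, &status, 0) < 0) {
            if (errno != EINTR) {
                exit(EXIT_FAILURE);
            }
        }
        /* A wait status is not an exit code; unpack it before exiting so the
         * application's exit code is meaningful (128+signal for a kill). */
        if (WIFEXITED(status)) {
            exit(WEXITSTATUS(status));
        }
        exit(128 + WTERMSIG(status));
    }

    /* Child: PID 1 of the new PID namespace, inside the new mount namespace.
     * Failures below use _exit() so the stdio buffers inherited from the
     * application are not flushed a second time by this process. */

    /* Make the whole tree recursively private so nothing mounted in this
     * session propagates back into the host via shared subtrees (the
     * original only did this for /proc). */
    if (mount("none", "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0) {
        pam_syslog(pamh, LOG_ERR, "cannot make / private: %s", strerror(errno));
        _exit(EXIT_FAILURE);
    }

    /* A fresh procfs that reflects only this PID namespace, with the usual
     * nosuid/noexec/nodev hardening for procfs mounts. */
    if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV, NULL) != 0) {
        pam_syslog(pamh, LOG_ERR, "cannot mount /proc: %s", strerror(errno));
        _exit(EXIT_FAILURE);
    }

    return PAM_SUCCESS;
}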