From b8af6bf8dfa1fb83350d7c0e143c5bcfd0b17a08 Mon Sep 17 00:00:00 2001 From: Steve Langasek Date: Sat, 7 Mar 2009 12:54:24 -0800 Subject: 027_pam_limits_better_init_allow_explicit_root: set the RLIMIT_MEMLOCK limit correctly to match the kernel default, which is not RLIM_INFINITY. --- debian/changelog | 2 + .../027_pam_limits_better_init_allow_explicit_root | 43 +++++++++++++++++----- 2 files changed, 36 insertions(+), 9 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 16b1464f..a4700724 100644 --- a/debian/changelog +++ b/debian/changelog @@ -9,6 +9,8 @@ pam (1.0.1-8) UNRELEASED; urgency=low (closes: #518329) - Japanese, thanks to Kenshi Muto (closes: #518335) - Slovak, thanks to Ivan Masár (closes: #518341) + * 027_pam_limits_better_init_allow_explicit_root: set the RLIMIT_MEMLOCK + limit correctly to match the kernel default, which is not RLIM_INFINITY. -- Steve Langasek Wed, 04 Mar 2009 11:37:27 -0800 diff --git a/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root b/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root index b061152f..574c99b1 100644 --- a/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root +++ b/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root @@ -4,7 +4,18 @@ Index: pam.deb/modules/pam_limits/pam_limits.c =================================================================== --- pam.deb.orig/modules/pam_limits/pam_limits.c +++ pam.deb/modules/pam_limits/pam_limits.c -@@ -74,6 +74,7 @@ +@@ -45,6 +45,10 @@ + #include + #endif + ++#ifndef MLOCK_LIMIT ++#define MLOCK_LIMIT (64*1024) ++#endif ++ + /* Module defines */ + #define LINE_LENGTH 1024 + +@@ -74,6 +78,7 @@ /* internal data */ struct pam_limit_s { 
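Review bot: The `MLOCK_LIMIT` define added in the first pam_limits.c hunk has no comment saying where 64 KiB comes from, so a later maintainer cannot tell that it is meant to track the kernel's built-in RLIMIT_MEMLOCK default, as the commit subject states. Because the `#ifndef` fallback is a hand-copied constant, a kernel whose default differs would presumably leave sessions reset to a locked-memory limit that no longer matches what the system hands out at boot. I would put `/* Kernel default for RLIMIT_MEMLOCK; hand-copied, keep in sync with the kernel */` directly above the define.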
@@ -12,15 +23,26 @@ Index: pam.deb/modules/pam_limits/pam_limits.c int login_limit; /* the max logins limit */ int login_limit_def; /* which entry set the login limit */ int flag_numsyslogins; /* whether to limit logins only for a -@@ -231,6 +232,7 @@ +@@ -228,9 +233,18 @@ + { + int i; + int retval = PAM_SUCCESS; ++ static int mlock_limit = 0; D(("called.")); + pl->root = 0; ++ ++ if (mlock_limit == 0) { ++ mlock_limit = sysconf(_SC_PAGESIZE); ++ if (mlock_limit < MLOCK_LIMIT) ++ mlock_limit = MLOCK_LIMIT; ++ } ++ for(i = 0; i < RLIM_NLIMITS; i++) { int r = getrlimit(i, &pl->limits[i].limit); if (r == -1) { -@@ -240,8 +242,53 @@ +@@ -240,8 +254,56 @@ } } else { pl->limits[i].supported = 1; @@ -34,7 +56,6 @@ Index: pam.deb/modules/pam_limits/pam_limits.c + case RLIMIT_DATA: + case RLIMIT_RSS: + case RLIMIT_NPROC: -+ case RLIMIT_MEMLOCK: +#ifdef RLIMIT_AS + case RLIMIT_AS: +#endif @@ -44,6 +65,10 @@ Index: pam.deb/modules/pam_limits/pam_limits.c + pl->limits[i].limit.rlim_cur = RLIM_INFINITY; + pl->limits[i].limit.rlim_max = RLIM_INFINITY; + break; ++ case RLIMIT_MEMLOCK: ++ pl->limits[i].limit.rlim_cur = mlock_limit; ++ pl->limits[i].limit.rlim_max = mlock_limit; ++ break; +#ifdef RLIMIT_SIGPENDING + case RLIMIT_SIGPENDING: + pl->limits[i].limit.rlim_cur = 16382; @@ -76,7 +101,7 @@ Index: pam.deb/modules/pam_limits/pam_limits.c } } -@@ -524,7 +571,7 @@ +@@ -524,7 +586,7 @@ if (strcmp(uname, domain) == 0) /* this user have a limit */ process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl); @@ -85,7 +110,7 @@ Index: pam.deb/modules/pam_limits/pam_limits.c if (ctrl & PAM_DEBUG_ARG) { pam_syslog(pamh, LOG_DEBUG, "checking if %s is in group %s", -@@ -533,7 +580,7 @@ +@@ -533,7 +595,7 @@ if (pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1)) process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl, pl); 
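Review bot: In the `@@ -228,9 +233,18 @@` hunk the function-static `mlock_limit` receives the raw `sysconf(_SC_PAGESIZE)` result before it is clamped. In a multi-threaded PAM application a second caller can see that non-zero intermediate value, skip the initialisation, and apply a limit below `MLOCK_LIMIT` in the `case RLIMIT_MEMLOCK:` branch added further down. The same assignment narrows the `long` return of `sysconf()` to `int`, and its -1 error return is handled only because it happens to compare below `MLOCK_LIMIT`. Compute into a local and store the final value once: `long pagesize = sysconf(_SC_PAGESIZE);` followed by `mlock_limit = (pagesize > MLOCK_LIMIT) ? (int)pagesize : MLOCK_LIMIT;`. The enclosing function begins before this hunk and continues past it.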
@@ -94,7 +119,7 @@ Index: pam.deb/modules/pam_limits/pam_limits.c if (ctrl & PAM_DEBUG_ARG) { pam_syslog(pamh, LOG_DEBUG, "checking if %s is in group %s", -@@ -547,7 +594,7 @@ +@@ -547,7 +609,7 @@ process_limit(pamh, LIMITS_DEF_ALLGROUP, ltype, item, value, ctrl, pl); } @@ -103,7 +128,7 @@ Index: pam.deb/modules/pam_limits/pam_limits.c process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl, pl); } else if (i == 2 && ltype[0] == '-') { /* Probably a no-limit line */ -@@ -582,6 +629,12 @@ +@@ -582,6 +644,12 @@ int status; int retval = LIMITED_OK; @@ -116,7 +141,7 @@ Index: pam.deb/modules/pam_limits/pam_limits.c for (i=0, status=LIMITED_OK; ilimits[i].supported) { /* skip it if its not known to the system */ -@@ -675,6 +728,8 @@ +@@ -675,6 +743,8 @@ return PAM_ABORT; } -- cgit v1.2.3