Pam user session isolate
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdlib.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <syslog.h>
#include <unistd.h>
#include <security/pam_appl.h>
#include <security/pam_ext.h>
#include <security/pam_modules.h>
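/**
 * Open a PAM session inside fresh PID and mount namespaces.
 *
 * The calling process unshares a PID and a mount namespace and forks. The
 * child becomes PID 1 of the new PID namespace, remounts /proc so that it
 * shows only that namespace, and continues as the session (it is the one
 * that returns to the PAM application). The original process can never
 * enter the new PID namespace itself, so it only waits for the child and
 * terminates with the child's exit status.
 *
 * Fail closed: if the namespaces cannot be created the session is refused
 * (PAM_SESSION_ERR) instead of being opened without isolation. Once the
 * fork has happened the namespace change cannot be undone; a later failure
 * is still reported as PAM_SESSION_ERR so the application can refuse the
 * session, and the parent then exits with whatever status the child ends
 * with. Errors go to syslog, not stdout: a PAM module runs inside an
 * arbitrary application whose stdout may be closed or user-visible.
 *
 * @param pamh  PAM handle (unused).
 * @param flags PAM flags (unused).
 * @param argc  Module argument count (unused).
 * @param argv  Module arguments (unused).
 * @return PAM_SUCCESS in the isolated child, PAM_SESSION_ERR on failure.
 *         The original (parent) process does not return.
 */
PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    (void)pamh;
    (void)flags;
    (void)argc;
    (void)argv;

    /* Both namespaces in one call (needs CAP_SYS_ADMIN). A failure here leaves
     * the caller's namespaces untouched, so refusing the session is safe and
     * avoids continuing unisolated. */
    if (unshare(CLONE_NEWPID | CLONE_NEWNS) != 0) {
        syslog(LOG_AUTHPRIV | LOG_ERR,
               "pam_sm_open_session: unshare(CLONE_NEWPID|CLONE_NEWNS) failed: %m");
        return PAM_SESSION_ERR;
    }

    pid_t child = fork();
    if (child < 0) {
        syslog(LOG_AUTHPRIV | LOG_ERR, "pam_sm_open_session: fork failed: %m");
        return PAM_SESSION_ERR;
    }

    if (child > 0) {
        /* Parent: stays in the old PID namespace. Wait for *this* child only;
         * waitpid(-1) could reap an unrelated child of the PAM application
         * and steal its exit status. */
        int status = 0;
        while (waitpid(child, &status, 0) < 0) {
            if (errno != EINTR) {
                syslog(LOG_AUTHPRIV | LOG_ERR,
                       "pam_sm_open_session: waitpid failed: %m");
                _exit(EXIT_FAILURE);
            }
        }
        /* _exit(), not exit(): the application's atexit handlers and stdio
         * buffers now belong to the child, which continues as the session.
         * Decode the wait status; passing it raw to exit() would drop the
         * exit code (it lives in the high byte). */
        if (WIFEXITED(status)) {
            _exit(WEXITSTATUS(status));
        }
        if (WIFSIGNALED(status)) {
            _exit(128 + WTERMSIG(status));  /* shell convention for signals */
        }
        _exit(EXIT_FAILURE);
    }

    /* Child: PID 1 of the new namespace. Mark /proc private first so the new
     * proc mount cannot propagate back into the host mount tree. */
    if (mount("none", "/proc", NULL, MS_PRIVATE | MS_REC, NULL) != 0) {
        syslog(LOG_AUTHPRIV | LOG_ERR,
               "pam_sm_open_session: cannot make /proc private: %m");
        return PAM_SESSION_ERR;
    }
    if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV, NULL) != 0) {
        syslog(LOG_AUTHPRIV | LOG_ERR, "pam_sm_open_session: cannot mount proc: %m");
        return PAM_SESSION_ERR;
    }

    return PAM_SUCCESS;
}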