modify the mode of read rules for pam_cgroup

(cherry picked from commit dea78b406677ed9f21196e084facdc755092a027)

libcgroup.spec

@@ -5,7 +5,7 @@
 Summary: Libcgroup is a library that abstracts the control group file system in Linux
 Name: libcgroup
 Version: 0.42.2
-Release: 3
+Release: 4
 License: LGPLv2+
 URL: http://libcg.sourceforge.net/
 Source0: https://github.com/%{name}/%{name}/archive/v%{version}/%{name}-v%{version}.tar.gz
@@ -18,6 +18,7 @@ Patch1: libcgroup-0.37-chmod.patch
 Patch2: libcgroup-0.40.rc1-coverity.patch
 Patch3: libcgroup-0.40.rc1-fread.patch
 Patch4: libcgroup-0.40.rc1-templates-fix.patch
+Patch5: pam-cgroup-cgflags-no-usecache.patch
 
 BuildRequires: autoconf, automake, libtool
 BuildRequires: gcc,gcc-c++,byacc
@@ -50,6 +51,7 @@ It provides helpful information for libcgroup-pam,libcgroup-devel,libcgroup-tool
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
 
 %build
 autoreconf -vif
@@ -67,6 +69,7 @@ make DESTDIR=$RPM_BUILD_ROOT install
 install -d ${RPM_BUILD_ROOT}%{_sysconfdir}
 install -d ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig
 install -m 644 samples/cgconfig.conf $RPM_BUILD_ROOT%{_sysconfdir}/cgconfig.conf
+install -m 644 samples/cgrules.conf $RPM_BUILD_ROOT%{_sysconfdir}/cgrules.conf
 install -m 644 samples/cgsnapshot_blacklist.conf $RPM_BUILD_ROOT%{_sysconfdir}/cgsnapshot_blacklist.conf
 
 # Only one pam_cgroup.so is needed
@@ -108,6 +111,7 @@ getent group cgred >/dev/null || groupadd -r cgred
 %{_libdir}/libcgroup.so.*
 %config(noreplace) %{_sysconfdir}/cgsnapshot_blacklist.conf
 %config(noreplace) %{_sysconfdir}/cgconfig.conf
+%config(noreplace) %{_sysconfdir}/cgrules.conf
 /usr/bin/cgget
 /usr/bin/cgset
 /usr/bin/cgcreate
@@ -138,6 +142,12 @@ getent group cgred >/dev/null || groupadd -r cgred
 %attr(0644, root, root) %{_mandir}/man8/*
 
 %changelog
+* Tue Oct 24 wanfeng<wanfeng@kylinos.cn> - 0.42.2-4
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:modify the mode of read rules for pam_cgroup
+
 * Thu Nov 3 wuzx<wuzx1226@qq.com> - 0.42.2-3
 - Type:feature
 - CVE:NA

pam-cgroup-cgflags-no-usecache.patch

@@ -0,0 +1,26 @@
+diff --git a/include/libcgroup/tasks.h b/include/libcgroup/tasks.h
+index aad438a..22f17d8 100644
+--- a/include/libcgroup/tasks.h
++++ b/include/libcgroup/tasks.h
+@@ -20,6 +20,8 @@ enum cgflags {
+ 	CGFLAG_USECACHE = 0x01,
+ 	/** Use cached templates, do not read templates from disk. */
+ 	CGFLAG_USE_TEMPLATE_CACHE = 0x02,
++	/** read rules from disk. */
++	CGFLAG_NOUSECACHE = 0x04,
+ };
+ 
+ /** Flags for cgroup_register_unchanged_process(). */
+diff --git a/src/pam/pam_cgroup.c b/src/pam/pam_cgroup.c
+index 1d78b81..fb427b4 100644
+--- a/src/pam/pam_cgroup.c
++++ b/src/pam/pam_cgroup.c
+@@ -138,7 +138,7 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags,
+ 	 * under what egid service will be provided?
+ 	 */
+ 	ret = cgroup_change_cgroup_uid_gid_flags(pwd->pw_uid,
+-		pwd->pw_gid, pid, CGFLAG_USECACHE);
++		pwd->pw_gid, pid, CGFLAG_NOUSECACHE);
+ 	if (ret) {
+ 		if (ctrl & PAM_DEBUG_ARG)
+ 			pam_syslog(pamh, LOG_ERR, "Change of cgroup for process"