From d84d7367fe4ff94d9f2e5fdfce848bc9ba190e17 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dag-Erling=20Sm=C3=B8rgrav?=
Date: Thu, 30 Jul 2015 23:42:38 +0000
Subject: [PATCH] Add a feature flag to control whether to fall back to the "other" policy for chains that are still empty after the requested policy was loaded.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@862 185d5e19-27fe-0310-9dcf-9bff6b9f3609
---
 include/security/openpam.h | 1 +
 lib/libpam/openpam_configure.c | 6 ++++--
 lib/libpam/openpam_features.c | 5 +++++
 3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/include/security/openpam.h b/include/security/openpam.h
index c20e577..048c1bc 100644
--- a/include/security/openpam.h
+++ b/include/security/openpam.h
@@ -186,6 +186,7 @@ enum {
 OPENPAM_VERIFY_POLICY_FILE,
 OPENPAM_RESTRICT_MODULE_NAME,
 OPENPAM_VERIFY_MODULE_FILE,
+ OPENPAM_FALLBACK_TO_OTHER,
 OPENPAM_NUM_FEATURES
 };
diff --git a/lib/libpam/openpam_configure.c b/lib/libpam/openpam_configure.c
index 96264de..66118f2 100644
--- a/lib/libpam/openpam_configure.c
+++ b/lib/libpam/openpam_configure.c
@@ -467,8 +467,10 @@ openpam_configure(pam_handle_t *pamh,
 for (fclt = 0; fclt < PAM_NUM_FACILITIES; ++fclt) {
 if (pamh->chains[fclt] != NULL)
 continue;
- if (openpam_load_chain(pamh, PAM_OTHER, fclt) < 0)
- goto load_err;
+ if (OPENPAM_FEATURE(FALLBACK_TO_OTHER)) {
+ if (openpam_load_chain(pamh, PAM_OTHER, fclt) < 0)
+ goto load_err;
+ }
 }
 RETURNC(PAM_SUCCESS);
 load_err:
diff --git a/lib/libpam/openpam_features.c b/lib/libpam/openpam_features.c
index ec32c4d..0fdfc6d 100644
--- a/lib/libpam/openpam_features.c
+++ b/lib/libpam/openpam_features.c
@@ -65,4 +65,9 @@ struct openpam_feature openpam_features[OPENPAM_NUM_FEATURES] = {
 "Verify ownership and permissions of module files",
 1
 ),
+ STRUCT_OPENPAM_FEATURE(
+ FALLBACK_TO_OTHER,
+ "Fall back to \"other\" policy for empty chains",
+ 1
+ ),
 };
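Review bot: In the openpam_configure hunk, with FALLBACK_TO_OTHER switched off the loop leaves `pamh->chains[fclt]` NULL for every facility the service policy omits and still reaches `RETURNC(PAM_SUCCESS)`, so the caller cannot tell a complete policy from one with missing facilities. How the dispatcher treats a NULL chain is not visible here; if an empty chain falls through to success, disabling the flag turns an omitted facility into a fail-open condition, so that path should be confirmed to deny before this is documented as a hardening option. I would at least record the skip after the new block, e.g. `else openpam_log(PAM_LOG_NOTICE, "no policy for facility %d and fallback to \"other\" is disabled", (int)fclt);`, and put a comment above the new `if` saying that the empty chain is intentional and must be rejected at dispatch time. The function body starts and ends outside the hunk.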