authorJakub Hrozek <jhrozek@redhat.com>2017-03-26 18:28:41 +0200
committerJakub Hrozek <jhrozek@redhat.com>2017-03-30 14:09:52 +0200
commit3e789aa0bd6b7bb6e62f91458b76753498030fb5 (patch)
treed8c01ead785cc60ac9360cc8a49d91147acaa5ef /src/config
parent57eeec5d735c7a3bbe58299fded97414626d85f1 (diff)
PAM: Add application services
Related to: https://pagure.io/SSSD/sssd/issue/3310 Adds a new PAM responder option 'pam_app_services'. This option can hold a list of PAM services that are allowed to contact the application non-POSIX domains. These services are NOT allowed to contact any of the POSIX domains. Reviewed-by: Sumit Bose <sbose@redhat.com>
Diffstat (limited to 'src/config')
-rw-r--r--src/config/SSSDConfig/__init__.py.in1
-rw-r--r--src/config/cfg_rules.ini1
-rw-r--r--src/config/etc/sssd.api.conf1
3 files changed, 3 insertions, 0 deletions
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 070994bcd..a29d51e0d 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -102,6 +102,7 @@ option_strings = {
'pam_cert_auth' : _('Allow certificate based/Smartcard authentication.'),
'pam_cert_db_path' : _('Path to certificate databse with PKCS#11 modules.'),
'p11_child_timeout' : _('How many seconds will pam_sss wait for p11_child to finish'),
+ 'pam_app_services' : _('Which PAM services are permitted to contact application domains'),
# [sudo]
'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
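Review bot: The help string added for `pam_app_services` omits two things an administrator needs to set this access-control option safely: that the value is a list of PAM service names, and that a listed service can no longer contact any POSIX domain. The commit description states both, but the string does not. Assuming the list is comma-separated (the page does not state the separator, so confirm it), something like `_('Comma-separated list of PAM services permitted to contact application domains; these services cannot contact POSIX domains')` would carry both. The matching entry added in src/config/etc/sssd.api.conf types the option as plain `str`, so the list format is not visible there either. The `option_strings` dict starts before this hunk and continues past it.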
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 8fd2d2c52..1a749db75 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -119,6 +119,7 @@ option = pam_account_locked_message
option = pam_cert_auth
option = pam_cert_db_path
option = p11_child_timeout
+option = pam_app_services
[rule/allowed_sudo_options]
validator = ini_allowed_options
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index a38b24208..a1a0c2992 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -73,6 +73,7 @@ pam_account_locked_message = str, None, false
pam_cert_auth = bool, None, false
pam_cert_db_path = str, None, false
p11_child_timeout = int, None, false
+pam_app_services = str, None, false
[sudo]
# sudo service