flatcar · krnowak · Nov 12, 2025 · Feb 26, 2024 · Oct 17, 2025 · Oct 17, 2025
@@ -179,6 +179,7 @@ app-shells/gentoo-bashcomp
 app-text/asciidoc
 app-text/build-docbook-catalog
 app-text/docbook-xml-dtd
+app-text/docbook-xsl-ns-stylesheets
 app-text/docbook-xsl-stylesheets
 app-text/mandoc
 app-text/manpager
@@ -318,8 +319,8 @@ dev-python/fastjsonschema
 dev-python/flit-core
 dev-python/gentoo-common
 dev-python/gpep517
-dev-python/hatchling
 dev-python/hatch-vcs
+dev-python/hatchling
 dev-python/idna
 dev-python/installer
 dev-python/jaraco-collections
@@ -504,8 +505,8 @@ licenses
 
 media-libs/libpng
 
-net-analyzer/openbsd-netcat
 net-analyzer/netperf
+net-analyzer/openbsd-netcat
 net-analyzer/tcpdump
 net-analyzer/traceroute
 
@@ -633,6 +634,7 @@ sys-apps/util-linux
 sys-apps/which
 sys-apps/zram-generator
 
+sys-auth/pambase
 sys-auth/polkit
 sys-auth/sssd
 
@@ -705,6 +707,7 @@ sys-libs/libunwind
 sys-libs/liburing
 sys-libs/libxcrypt
 sys-libs/ncurses
+sys-libs/pam
 sys-libs/readline
 sys-libs/talloc
 sys-libs/tdb

@@ -158,10 +158,14 @@ create_prod_image() {
 L+  /etc/ld.so.conf     -   -   -   -   ../usr/lib/ld.so.conf
 EOF
 
-  # Move the PAM configuration into /usr
-  sudo mkdir -p ${root_fs_dir}/usr/lib/pam.d
-  sudo mv -n ${root_fs_dir}/etc/pam.d/* ${root_fs_dir}/usr/lib/pam.d/
-  sudo rmdir ${root_fs_dir}/etc/pam.d
+  local -a bad_pam_files
+  mapfile -t -d '' bad_pam_files < <(find "${root_fs_dir}"/etc/security "${root_fs_dir}"/etc/pam.d ! -type d ! -name '.keep*' -print0)
+  if [[ ${#bad_pam_files[@]} -gt 0 ]]; then
+    error "Found following PAM config files: ${bad_pam_files[@]#"${root_fs_dir}"}"
+    error "Expected them to be either removed or, better, vendored (/etc/pam.d files should be in /usr/lib/pam, /etc/security files should be in /usr/lib/pam/security)."
+    error "Vendoring can be done with vendorize_pam_files inside a post_src_install hook for the package that installed the config file."
+    die "PAM config errors spotted"
+  fi
 
   # Remove source locale data, only need to ship the compiled archive.
   sudo rm -rf ${root_fs_dir}/usr/share/i18n/

@@ -266,13 +266,18 @@ if [[ "${FLAGS_usepkgonly}" -eq "${FLAGS_FALSE}" ]]; then
   # lvm2[udev] -> virtual/udev -> systemd[cryptsetup] -> cryptsetup -> lvm2
   # lvm2[systemd] -> systemd[cryptsetup] -> cryptsetup -> lvm2
   # systemd[cryptsetup] -> cryptsetup[udev] -> virtual/udev -> systemd
+  # systemd[tpm] -> tpm2-tss -> util-linux[udev] -> virtual/udev -> systemd
   # curl[http2] -> nghttp2[systemd] -> systemd[curl] -> curl
+  # sys-libs/pam[systemd] -> sys-apps/system[pam] -> sys-libs/pam
+  #   not dropping pam from sys-apps/systemd, otherwise we would need
+  #   to drop pam from sys-auth/pambase
   break_dep_loop sys-apps/util-linux udev,systemd,cryptsetup \
                  sys-fs/cryptsetup udev \
                  sys-fs/lvm2 udev,systemd \
                  sys-apps/systemd cryptsetup,tpm \
                  net-misc/curl http2 \
-                 net-libs/nghttp2 systemd
+                 net-libs/nghttp2 systemd \
+                 sys-libs/pam systemd
 fi
 
 if [[ "${FLAGS_only_resolve_circular_deps}" -eq "${FLAGS_TRUE}" ]]; then

@@ -0,0 +1 @@
+- pam ([CVE-2024-22365](https://nvd.nist.gov/vuln/detail/CVE-2024-22365), [CVE-2024-10041](https://nvd.nist.gov/vuln/detail/CVE-2024-10041), [CVE-2024-10963](https://nvd.nist.gov/vuln/detail/CVE-2024-10963), [CVE-2025-6020](https://nvd.nist.gov/vuln/detail/CVE-2025-6020))
@@ -0,0 +1,2 @@
+- base, dev: pam ([1.7.1](https://github.com/linux-pam/linux-pam/releases/tag/v1.7.1) (includes [1.7.0](https://github.com/linux-pam/linux-pam/releases/tag/v1.7.0), [1.6.1](https://github.com/linux-pam/linux-pam/releases/tag/v1.6.1), [1.6.0](https://github.com/linux-pam/linux-pam/releases/tag/v1.6.0)))
+- base, dev: pambase ([20251013](https://gitweb.gentoo.org/proj/pambase.git/log/?h=pambase-20251013))
@@ -8,8 +8,6 @@ cd "${rootfs}"
 
 # Move stuff out of /etc. The systemd unit files are patched to create
 # symlinks from /etc to those directories.
-mkdir -p usr/lib/pam.d
-mv etc/pam.d/vmtoolsd usr/lib/pam.d/vmtoolsd
 mkdir -p usr/share/flatcar/oem-vmware
 mv etc/vmware-tools usr/share/flatcar/oem-vmware/vmware-tools
 

@@ -1,9 +1,12 @@
-cros_post_src_install_keep_etc_sudoers_d() {
-    # Flatcar: Build system installs /etc/sudoers.d, let's make
-    # sure we keep having it.
+cros_post_src_install_flatcar_modifications() {
+    # Build system installs /etc/sudoers.d, let's make sure we keep
+    # having it.
     #
     # Upstream PR: https://github.com/gentoo/gentoo/pull/37397
     keepdir /etc/sudoers.d
+
+    # Move pam files to /usr.
+    vendorize_pam_files
 }
 
 # We don't ship OpenLDAP schemas (why?) and we provide sudo.conf

@@ -0,0 +1,3 @@
+cros_post_src_install_vendorize_pam() {
+    vendorize_pam_files
+}
@@ -3,3 +3,7 @@
 # obviously won't work in case of cross-compilation, so we state up
 # front that SPNEGO is supported.
 export ac_cv_gssapi_supports_spnego=yes
+
+cros_post_src_install_vendorize_pam() {
+    vendorize_pam_files
+}
@@ -0,0 +1,3 @@
+cros_post_src_install_vendorize_pam() {
+    vendorize_pam_files
+}
@@ -31,4 +31,7 @@ cros_post_src_install_samba_flatcar_modifications() {
     rm -rf "${ED}/usr/$(get_libdir)/perl"*
     rm -rf "${ED}/usr/$(get_libdir)/python"*
     rm -rf "${ED}/var"
+
+    # Move pam files to /usr.
+    vendorize_pam_files
 }
@@ -8,3 +8,7 @@ if [[ $(flatcar_target) != 'sdk' ]] ; then
 	INSTALL_MASK+="${openssh_mask}"
 	unset openssh_mask
 fi
+
+cros_post_src_install_vendorize_pam() {
+    vendorize_pam_files
+}
@@ -0,0 +1,3 @@
+cros_post_src_install_vendorize_pam() {
+    vendorize_pam_files
+}
@@ -14,3 +14,7 @@ cros_post_src_install_set_up_var_lib_selinux() {
     mv "${ED}/var/lib/selinux" "${ED}/usr/lib/selinux/policy"
     dosym -r /usr/lib/selinux/policy /var/lib/selinux
 }
+
+cros_post_src_install_vendorize_pam() {
+    vendorize_pam_files
+}
@@ -72,4 +72,7 @@ ttyS0
 
 ${devs}
 EOF
+
+    # Move pam files to /usr.
+    vendorize_pam_files
 }
@@ -9,9 +9,6 @@ flatcar_systemd_meson_args_array=(
     -Dsystem-gid-max=999
     -Dsystem-uid-max=999
 
-    # PAM config directory.
-    -Dpamconfdir="${EPREFIX}/usr/share/pam.d"
-
     # The CoreOS epoch, Mon Jul 1 00:00:00 UTC 2013. Used by timesyncd
     # as a sanity check for the minimum acceptable time. Explicitly
     # set to avoid using the current build time.
@@ -85,16 +82,24 @@ flatcar_systemctl_preset() {
 }
 
 cros_post_src_install_flatcar_stuff() {
-    # We provide our own systemd-user config file in baselayout.
-    #
-    # This one is installed by systemd build system regardless of
-    # USE=pam (the ebuild ought to pass -Dpamconfdir=no to disable the
-    # installation).
-    rm "${ED}/usr/share/pam.d/systemd-user" || die
-    # This one is installed by Gentoo's systemd ebuild only if USE=pam
-    # is enabled.
+    # Drop systemd PAM config files installed by systemd build
+    # system. We will replace them below with our own configs if we
+    # have pam enabled.
+    rm "${ED}"/usr/lib/pam.d/systemd-{user,run0} || die
     if use pam; then
-        rm "${ED}/etc/pam.d/systemd-user" || die
+        # Clobber systemd-user config file installed by the ebuild
+        # with our own.
+        newpamd - "systemd-user" <<'EOF'
+account include system-auth
+session include system-login
+EOF
+        newpamd - "systemd-run0" <<'EOF'
+account include system-auth
+session include system-login
+EOF
+
+        # And move them to /usr.
+        vendorize_pam_files
     fi
 
     # Ensure journal directory has correct ownership/mode in inital

@@ -1,3 +1,7 @@
 # New mount API does not work very well for mounting overlayfs when we
 # are building sysexts.
 export EXTRA_ECONF="--disable-libmount-mountfd-support"
+
+cros_post_src_install_vendorize_pam() {
+    vendorize_pam_files
+}
@@ -0,0 +1,3 @@
+cros_post_src_install_vendorize_pam() {
+    vendorize_pam_files
+}
@@ -2,14 +2,10 @@
 # plugin, even if sssd is not running.
 export EXTRA_ECONF="--enable-sss-default-nss-plugin"
 
-# We haven't switched to having pam config in /etc, so move the files
-# to /usr.
-cros_post_src_install_move_pamd() {
-	mkdir -p "${ED}/usr/share/"
-	mv "${ED}/etc/pam.d" "${ED}/usr/share/pam.d"
-}
+cros_post_src_install_flatcar_modifications() {
+    # This is to make sure that some sssd config is always in place.
+    cp -a "${ED}"/etc/sssd/sssd{-example,}.conf
 
-# This is to make sure that some sssd config is always in place.
-cros_post_src_set_initial_config() {
-	cp -a "${ED}"/etc/sssd/sssd{-example,}.conf
+    # Move pam files to /usr.
+    vendorize_pam_files
 }
@@ -0,0 +1,3 @@
+cros_post_src_install_vendorize_pam() {
+    vendorize_pam_files
+}
@@ -0,0 +1,16 @@
+flatcar_pam_meson_args_array=(
+    '-Dvendordir=/usr/lib/pam'
+)
+export MYMESONARGS=${flatcar_pam_meson_args_array[*]@Q}
+unset 'flatcar_pam_meson_args_array'
+
+cros_post_src_install_stuff_in_etc() {
+    # Keep empty pam.d and security directories in /etc. In theory we
+    # could omit creating them, but 1. some kola tests rely on them to
+    # exist and 2. empty directories are probably less confusing to
+    # users then no directories at all. For the latter reason, create
+    # also the symlink to the environment file.
+    keepdir /etc/pam.d
+    keepdir /etc/security
+    dosym /usr/lib/pam/environment /etc/environment
+}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		- pam ([CVE-2024-22365](https://nvd.nist.gov/vuln/detail/CVE-2024-22365), [CVE-2024-10041](https://nvd.nist.gov/vuln/detail/CVE-2024-10041), [CVE-2024-10963](https://nvd.nist.gov/vuln/detail/CVE-2024-10963), [CVE-2025-6020](https://nvd.nist.gov/vuln/detail/CVE-2025-6020))
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		- base, dev: pam ([1.7.1](https://github.com/linux-pam/linux-pam/releases/tag/v1.7.1) (includes [1.7.0](https://github.com/linux-pam/linux-pam/releases/tag/v1.7.0), [1.6.1](https://github.com/linux-pam/linux-pam/releases/tag/v1.6.1), [1.6.0](https://github.com/linux-pam/linux-pam/releases/tag/v1.6.0)))
		- base, dev: pambase ([20251013](https://gitweb.gentoo.org/proj/pambase.git/log/?h=pambase-20251013))
-Original file line number
+Diff line change
@@ Expand Up / @@ -72,4 +72,7 @@ ttyS0 @@
     ${devs}
     EOF
+        # Move pam files to /usr.
+        vendorize_pam_files
     }