Initial cut at a hooks implementation. The plugin can register

hooks for getenv, putenv, setenv and unsetenv.  This makes it
possible for the plugin to trap changes to the environment made by
authentication methods such as PAM or BSD auth so that such changes
are reflected in the environment passed back to sudo for execve().

include/sudo_plugin.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009-2011 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 2009-2012 Todd C. Miller <Todd.Miller@courtesan.com>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -29,7 +29,7 @@
 #define SUDO_API_VERSION_SET_MAJOR(vp, n) do { \
     *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \
 } while(0)
-#define SUDO_VERSION_SET_MINOR(vp, n) do { \
+#define SUDO_API_VERSION_SET_MINOR(vp, n) do { \
     *(vp) = (*(vp) & 0xffff0000) | (n); \
 } while(0)
 
@@ -55,6 +55,60 @@ typedef int (*sudo_conv_t)(int num_msgs, const struct sudo_conv_message msgs[],
 	struct sudo_conv_reply replies[]);
 typedef int (*sudo_printf_t)(int msg_type, const char *fmt, ...);
 
+/*
+ * Hook structure for the optional plugin hook list.
+ * This allows the plugin to hook into specific sudo and/or libc functions.
+ */
+struct sudo_hook {
+    int hook_version;
+    int hook_type;
+    int (*hook_fn)();
+    void *closure;
+};
+
+/* Hook API version major/minor */
+#define SUDO_HOOK_VERSION_MAJOR	1
+#define SUDO_HOOK_VERSION_MINOR	0
+#define SUDO_HOOK_MKVERSION(x, y) ((x << 16) | y)
+#define SUDO_HOOK_VERSION SUDO_HOOK_MKVERSION(SUDO_HOOK_VERSION_MAJOR, SUDO_HOOK_VERSION_MINOR)
+
+/* Getters and setters for hook API version */
+#define SUDO_HOOK_VERSION_GET_MAJOR(v) ((v) >> 16)
+#define SUDO_HOOK_VERSION_GET_MINOR(v) ((v) & 0xffff)
+#define SUDO_HOOK_VERSION_SET_MAJOR(vp, n) do { \
+    *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \
+} while(0)
+#define SUDO_HOOK_VERSION_SET_MINOR(vp, n) do { \
+    *(vp) = (*(vp) & 0xffff0000) | (n); \
+} while(0)
+
+/*
+ * Hook function return values.
+ */
+#define SUDO_HOOK_RET_ERROR	-1	/* error */
+#define SUDO_HOOK_RET_NEXT	0	/* go to the next hook in the list */
+#define SUDO_HOOK_RET_STOP	1	/* stop here, skip the rest of tghe list */
+
+/*
+ * Hooks for setenv/unsetenv/putenv/getenv.
+ * This allows the plugin to be notified when a PAM module modifies
+ * the environment so it can update the copy of the environment that
+ * is passed to execve().
+ */
+#define SUDO_HOOK_SETENV	1
+#define SUDO_HOOK_UNSETENV	2
+#define SUDO_HOOK_PUTENV	3
+#define SUDO_HOOK_GETENV	4
+
+/*
+ * Hook functions types.
+ */
+typedef int (*sudo_hook_fn_t)();
+typedef int (*sudo_hook_fn_setenv_t)(const char *name, const char *value, int overwrite, void *closure);
+typedef int (*sudo_hook_fn_putenv_t)(char *string, void *closure);
+typedef int (*sudo_hook_fn_getenv_t)(const char *name, char **value, void *closure);
+typedef int (*sudo_hook_fn_unsetenv_t)(const char *name, void *closure);
+
 /* Policy plugin type and defines */
 struct passwd;
 struct policy_plugin {
@@ -75,6 +129,8 @@ struct policy_plugin {
     int (*validate)(void);
     void (*invalidate)(int remove);
     int (*init_session)(struct passwd *pwd);
+    void (*register_hooks)(int version, int (*register_hook)(struct sudo_hook *hook));
+    void (*deregister_hooks)(int version, int (*deregister_hook)(struct sudo_hook *hook));
 };
 
 /* I/O plugin type and defines */
@@ -94,6 +150,8 @@ struct io_plugin {
     int (*log_stdin)(const char *buf, unsigned int len);
     int (*log_stdout)(const char *buf, unsigned int len);
     int (*log_stderr)(const char *buf, unsigned int len);
+    void (*register_hooks)(int version, int (*register_hook)(struct sudo_hook *hook));
+    void (*deregister_hooks)(int version, int (*deregister_hook)(struct sudo_hook *hook));
 };
 
 /* Sudoers group plugin version major/minor */