From 015cf8d250ccaca30f67a947d95ec9c5e743d6122ad374eee947f3eb726eb839 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B8rn=20Lie?=
Date: Mon, 3 Apr 2023 10:23:15 +0000
Subject: [PATCH] Accepting request 1076827 from home:kukuk:branches:GNOME:Factory
- Create two set of pam configuration files: + *-sle.pamd are for SLES15 and older + add postlogin-* includes to the others as required by openSUSEs PAM config policy
OBS-URL: https://build.opensuse.org/request/show/1076827
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/gdm?expand=0&rev=518
---
 gdm-autologin-sle.pamd | 11 +++++++++++
 gdm-autologin.pamd | 9 ++++++---
 gdm-fingerprint-sle.pamd | 17 +++++++++++++++++
 gdm-fingerprint.pamd | 4 +++-
 gdm-sle.pamd | 9 +++++++++
 gdm-smartcard-sle.pamd | 17 +++++++++++++++++
 gdm-smartcard.pamd | 6 ++++--
 gdm.changes | 8 ++++++++
 gdm.pamd | 12 ++++++++----
 gdm.spec | 22 ++++++++++++++++++++--
 10 files changed, 103 insertions(+), 12 deletions(-)
 create mode 100644 gdm-autologin-sle.pamd
 create mode 100644 gdm-fingerprint-sle.pamd
 create mode 100644 gdm-sle.pamd
 create mode 100644 gdm-smartcard-sle.pamd
diff --git a/gdm-autologin-sle.pamd b/gdm-autologin-sle.pamd
new file mode 100644
index 0000000..d9ca813
--- /dev/null
+++ b/gdm-autologin-sle.pamd
@@ -0,0 +1,11 @@
+#%PAM-1.0
+# GDM PAM configuration for autologin
+auth requisite pam_nologin.so
+auth required pam_permit.so
+auth optional pam_gdm.so
+auth optional pam_gnome_keyring.so
+account include common-account
+password include common-password
+session required pam_loginuid.so
+session optional pam_keyinit.so force revoke
+session include common-session
diff --git a/gdm-autologin.pamd b/gdm-autologin.pamd
index d9ca813..778f54a 100644
--- a/gdm-autologin.pamd
+++ b/gdm-autologin.pamd
@@ -4,8 +4,11 @@ auth requisite pam_nologin.so
 auth required pam_permit.so
 auth optional pam_gdm.so
 auth optional pam_gnome_keyring.so
-account include common-account
-password include common-password
+account substack common-account
+account include postlogin-account
+password substack common-password
+password include postlogin-password
 session required pam_loginuid.so
 session optional pam_keyinit.so force revoke
-session include common-session
+session substack common-session
+session include postlogin-session
diff --git a/gdm-fingerprint-sle.pamd b/gdm-fingerprint-sle.pamd
new file mode 100644
index 0000000..26ce17d
--- /dev/null
+++ b/gdm-fingerprint-sle.pamd
@@ -0,0 +1,17 @@
+#%PAM-1.0
+
+auth required pam_shells.so
+auth requisite pam_nologin.so
+auth requisite pam_faillock.so preauth
+auth required pam_fprintd.so
+auth optional pam_permit.so
+auth required pam_env.so
+auth [success=ok default=1] pam_gdm.so
+auth optional pam_gnome_keyring.so
+
+account include common-account
+
+password required pam_deny.so
+
+session include common-session
+session optional pam_gnome_keyring.so auto_start
diff --git a/gdm-fingerprint.pamd b/gdm-fingerprint.pamd
index 26ce17d..b17ce2a 100644
--- a/gdm-fingerprint.pamd
+++ b/gdm-fingerprint.pamd
@@ -9,9 +9,11 @@ auth required pam_env.so
 auth [success=ok default=1] pam_gdm.so
 auth optional pam_gnome_keyring.so
 
+account substack common-account
 account include common-account
 
 password required pam_deny.so
 
-session include common-session
+session substack common-session
+session include postlogin-session
 session optional pam_gnome_keyring.so auto_start
diff --git a/gdm-sle.pamd b/gdm-sle.pamd
new file mode 100644
index 0000000..1d1de06
--- /dev/null
+++ b/gdm-sle.pamd
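Review bot: In the gdm-fingerprint.pamd hunk the account stack ends up as `account substack common-account` followed by the unchanged context line `account include common-account`, so common-account is evaluated twice and `postlogin-account` is never pulled in. The gdm-autologin.pamd, gdm-smartcard.pamd and gdm.pamd hunks all replace the old include line instead of keeping it, which suggests this is a slip; the context line should become `account include postlogin-account`. Until then, any account-phase policy placed in postlogin-account would not apply to fingerprint logins. Separately, neither this file nor gdm-smartcard.pamd gains `auth include postlogin-auth` the way gdm.pamd does; if that is deliberate, a one-line comment in the auth section saying so would help.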
@@ -0,0 +1,9 @@
+#%PAM-1.0
+# GDM PAM standard configuration (with passwords)
+auth requisite pam_nologin.so
+auth include common-auth
+account include common-account
+password include common-password
+session required pam_loginuid.so
+session optional pam_keyinit.so force revoke
+session include common-session
diff --git a/gdm-smartcard-sle.pamd b/gdm-smartcard-sle.pamd
new file mode 100644
index 0000000..21b894a
--- /dev/null
+++ b/gdm-smartcard-sle.pamd
@@ -0,0 +1,17 @@
+#%PAM-1.0
+
+auth requisite pam_faillock.so preauth
+auth required pam_pkcs11.so wait_for_card card_only
+auth required pam_shells.so
+auth requisite pam_nologin.so
+auth optional pam_permit.so
+auth required pam_env.so
+auth [success=ok default=1] pam_gdm.so
+auth optional pam_gnome_keyring.so
+
+account include common-account
+
+password required pam_deny.so
+
+session include common-session
+session optional pam_gnome_keyring.so auto_start
diff --git a/gdm-smartcard.pamd b/gdm-smartcard.pamd
index 21b894a..5d23bbe 100644
--- a/gdm-smartcard.pamd
+++ b/gdm-smartcard.pamd
@@ -9,9 +9,11 @@ auth required pam_env.so
 auth [success=ok default=1] pam_gdm.so
 auth optional pam_gnome_keyring.so
 
-account include common-account
+account substack common-account
+account include postlogin-account
 
 password required pam_deny.so
 
-session include common-session
+session substack common-session
+session include postlogin-session
 session optional pam_gnome_keyring.so auto_start
diff --git a/gdm.changes b/gdm.changes
index 12eb0cc..375ecc4 100644
--- a/gdm.changes
+++ b/gdm.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Mar 28 11:34:53 UTC 2023 - Thorsten Kukuk
+
+- Create two set of pam configuration files:
+ + *-sle.pamd are for SLES15 and older
+ + add postlogin-* includes to the others as required by openSUSEs
+ PAM config policy
+
 -------------------------------------------------------------------
 Mon Mar 20 16:07:47 UTC 2023 - Bjørn Lie
 
diff --git a/gdm.pamd b/gdm.pamd
index 1d1de06..7f8f5aa 100644
--- a/gdm.pamd
+++ b/gdm.pamd
@@ -1,9 +1,13 @@
 #%PAM-1.0
 # GDM PAM standard configuration (with passwords)
 auth requisite pam_nologin.so
-auth include common-auth
-account include common-account
-password include common-password
+auth substack common-auth
+auth include postlogin-auth
+account substack common-account
+account include postlogin-account
+password substack common-password
+password include postlogin-password
 session required pam_loginuid.so
 session optional pam_keyinit.so force revoke
-session include common-session
+session substack common-session
+session include postlogin-session
diff --git a/gdm.spec b/gdm.spec
index d51b646..e018c3e 100644
--- a/gdm.spec
+++ b/gdm.spec
@@ -50,6 +50,11 @@ Source9: gdm.tmpfiles
 Source10: reserveVT.conf
 # Use sysusers to create gdm system user
 Source11: gdm.sysusers
+# PAM configuration files for SLE15 and older
+Source12: gdm-sle.pamd
+Source13: gdm-autologin-sle.pamd
+Source14: gdm-fingerprint-sle.pamd
+Source15: gdm-smartcard-sle.pamd
 # WARNING: do not remove/significantly change patch0 without updating the relevant patch in accountsservice too
 # PATCH-FIX-OPENSUSE gdm-s390-not-require-g-s-d_wacom.patch bsc#1129412 yfjiang@suse.com -- Remove the runtime requirement of g-s-d Wacom plugin
 Patch0: gdm-s390-not-require-g-s-d_wacom.patch
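Review bot: The gdm.pamd hunk switches every common-* line from `include` to `substack` without a comment, although this changes control flow: per pam.conf(5), a `die` or `done` action inside a substack ends only that substack, so the `postlogin-*` lines that follow are still evaluated after common-auth has failed or short-circuited. I would add a comment above the auth lines, for example `# substack: results inside common-* must not skip the postlogin-* includes below`. Modules placed in postlogin-auth should therefore not assume that authentication has already succeeded. The same comment would fit the gdm-autologin.pamd, gdm-fingerprint.pamd and gdm-smartcard.pamd hunks.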
@@ -273,18 +278,31 @@ running display manager.
 %meson_install
 ## Install PAM files.
 mkdir -p %{buildroot}%{_pam_vendordir}
+# Pam config for the greeter session
+cp %{SOURCE3} %{buildroot}%{_pam_vendordir}/gdm-launch-environment
+%if 0%{?suse_version} >= 1550
 # Generic pam config
 cp %{SOURCE1} %{buildroot}%{_pam_vendordir}/gdm
 # Pam config for autologin
 cp %{SOURCE2} %{buildroot}%{_pam_vendordir}/gdm-autologin
-# Pam config for the greeter session
-cp %{SOURCE3} %{buildroot}%{_pam_vendordir}/gdm-launch-environment
 %if %{enable_split_authentication}
 # Pam config for fingerprint authentication
 cp %{SOURCE4} %{buildroot}%{_pam_vendordir}/gdm-fingerprint
 # Pam config for smartcard authentication
 cp %{SOURCE5} %{buildroot}%{_pam_vendordir}/gdm-smartcard
 %endif
+%else
+# Generic pam config
+cp %{SOURCE12} %{buildroot}%{_pam_vendordir}/gdm
+# Pam config for autologin
+cp %{SOURCE13} %{buildroot}%{_pam_vendordir}/gdm-autologin
+%if %{enable_split_authentication}
+# Pam config for fingerprint authentication
+cp %{SOURCE14} %{buildroot}%{_pam_vendordir}/gdm-fingerprint
+# Pam config for smartcard authentication
+cp %{SOURCE15} %{buildroot}%{_pam_vendordir}/gdm-smartcard
+%endif
+%endif
 # The default gdm pam configuration is the one to be used as pam-password too
 ln -s gdm %{buildroot}%{_pam_vendordir}/gdm-password
 ## Install other files
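Review bot: The two branches of `%if 0%{?suse_version} >= 1550` repeat the same four `cp` commands with only the source numbers changed, and nothing in the spec says why 1550 is the cut-off. A comment above the conditional would help keep the two PAM file sets from drifting apart, for example `# suse_version >= 1550 uses the postlogin-* PAM includes; older releases install the *-sle.pamd variants`. That reason is inferred from the commit message and should be confirmed. The %install section starts and ends outside the hunk.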