From 9c23ccb58d4f31bf666010cf0c35116b96b2a3d9 Mon Sep 17 00:00:00 2001 From: beta Date: Fri, 1 Dec 2023 23:34:25 +0800 Subject: [PATCH] Add openEuler PAM config Signed-off-by: beta --- data/meson.build | 8 ++++++++ data/pam-openeuler/gdm-autologin.pam | 15 ++++++++++++++ data/pam-openeuler/gdm-fingerprint.pam | 15 ++++++++++++++ data/pam-openeuler/gdm-launch-environment.pam | 9 +++++++++ data/pam-openeuler/gdm-password.pam | 19 ++++++++++++++++++ data/pam-openeuler/gdm-pin.pam | 20 +++++++++++++++++++ data/pam-openeuler/gdm-smartcard.pam | 15 ++++++++++++++ meson.build | 1 + meson_options.txt | 2 +- 9 files changed, 103 insertions(+), 1 deletion(-) create mode 100644 data/pam-openeuler/gdm-autologin.pam create mode 100644 data/pam-openeuler/gdm-fingerprint.pam create mode 100644 data/pam-openeuler/gdm-launch-environment.pam create mode 100644 data/pam-openeuler/gdm-password.pam create mode 100644 data/pam-openeuler/gdm-pin.pam create mode 100644 data/pam-openeuler/gdm-smartcard.pam
diff --git a/data/meson.build b/data/meson.build
index 05a2011..bb79abe 100644
--- a/data/meson.build
+++ b/data/meson.build
@@ -137,6 +137,14 @@ pam_data_files_map = {
 'gdm-password',
 'gdm-pin',
 ],
+ 'openeuler': [
+ 'gdm-autologin',
+ 'gdm-launch-environment',
+ 'gdm-fingerprint',
+ 'gdm-smartcard',
+ 'gdm-password',
+ 'gdm-pin',
+ ],
 'none': [],
 # We should no longer have 'autodetect' at this point
 }
diff --git a/data/pam-openeuler/gdm-autologin.pam b/data/pam-openeuler/gdm-autologin.pam
new file mode 100644
index 0000000..97a4a13
--- /dev/null
+++ b/data/pam-openeuler/gdm-autologin.pam
@@ -0,0 +1,15 @@
+#%PAM-1.0
+auth [success=ok default=1] pam_gdm.so
+-auth optional pam_gnome_keyring.so
+auth sufficient pam_permit.so
+account required pam_nologin.so
+account include system-auth
+password include system-auth
+session required pam_selinux.so close
+session required pam_loginuid.so
+session required pam_selinux.so open
+session optional pam_keyinit.so force revoke
+session required pam_namespace.so
+session include system-auth
+session optional pam_gnome_keyring.so auto_start
+session include postlogin
diff --git a/data/pam-openeuler/gdm-fingerprint.pam b/data/pam-openeuler/gdm-fingerprint.pam
new file mode 100644
index 0000000..628568e
--- /dev/null
+++ b/data/pam-openeuler/gdm-fingerprint.pam
@@ -0,0 +1,15 @@
+auth substack fingerprint-auth
+auth include postlogin
+
+account required pam_nologin.so
+account include fingerprint-auth
+
+password include fingerprint-auth
+
+session required pam_selinux.so close
+session required pam_loginuid.so
+session required pam_selinux.so open
+session optional pam_keyinit.so force revoke
+session required pam_namespace.so
+session include fingerprint-auth
+session include postlogin
diff --git a/data/pam-openeuler/gdm-launch-environment.pam b/data/pam-openeuler/gdm-launch-environment.pam
new file mode 100644
index 0000000..2e9ea2b
--- /dev/null
+++ b/data/pam-openeuler/gdm-launch-environment.pam
@@ -0,0 +1,9 @@
+#%PAM-1.0
+auth required pam_env.so
+auth required pam_permit.so
+auth include postlogin
+account required pam_permit.so
+password required pam_permit.so
+session optional pam_keyinit.so force revoke
+session include system-auth
+session include postlogin
diff --git a/data/pam-openeuler/gdm-password.pam b/data/pam-openeuler/gdm-password.pam
new file mode 100644
index 0000000..c75da00
--- /dev/null
+++ b/data/pam-openeuler/gdm-password.pam
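Review bot: In data/pam-openeuler/gdm-autologin.pam the session line `session optional pam_gnome_keyring.so auto_start` has no leading `-`, while the auth line for the same module is written `-auth optional pam_gnome_keyring.so`. Without the prefix, a system that lacks the keyring module will typically log a module-load error on each login; `-session optional pam_gnome_keyring.so auto_start` would keep the two lines consistent. The same unprefixed keyring lines appear in gdm-password.pam and gdm-pin.pam (auth and session). Because the auth stack ends in `auth sufficient pam_permit.so`, a comment such as `# autologin: no credential is checked here; access is gated only by the account stack` would make that explicit for whoever edits the file next.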
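Review bot: data/pam-openeuler/gdm-fingerprint.pam starts without the `#%PAM-1.0` line that gdm-autologin.pam and gdm-launch-environment.pam in this commit carry; gdm-password.pam, gdm-pin.pam and gdm-smartcard.pam omit it as well. Adding `#%PAM-1.0` as the first line of each would make the six files uniform. The file also takes every stack from `fingerprint-auth` (and gdm-smartcard.pam from `smartcard-auth`), and the patch does not show that openEuler ships those service files. That is worth confirming before autodetect installs them, since a missing included file would presumably make the service fail for every user.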
@@ -0,0 +1,19 @@
+auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
+auth substack password-auth
+auth optional pam_gnome_keyring.so
+auth include postlogin
+
+account required pam_nologin.so
+account include password-auth
+
+password substack password-auth
+-password optional pam_gnome_keyring.so use_authtok
+
+session required pam_selinux.so close
+session required pam_loginuid.so
+session required pam_selinux.so open
+session optional pam_keyinit.so force revoke
+session required pam_namespace.so
+session include password-auth
+session optional pam_gnome_keyring.so auto_start
+session include postlogin
diff --git a/data/pam-openeuler/gdm-pin.pam b/data/pam-openeuler/gdm-pin.pam
new file mode 100644
index 0000000..66277d3
--- /dev/null
+++ b/data/pam-openeuler/gdm-pin.pam
@@ -0,0 +1,20 @@
+auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
+auth requisite pam_pin.so
+auth substack password-auth
+auth optional pam_gnome_keyring.so
+auth include postlogin
+
+account required pam_nologin.so
+account include password-auth
+
+password include password-auth
+password optional pam_pin.so
+
+session required pam_selinux.so close
+session required pam_loginuid.so
+session required pam_selinux.so open
+session optional pam_keyinit.so force revoke
+session required pam_namespace.so
+session include password-auth
+session optional pam_gnome_keyring.so auto_start
+session include postlogin
diff --git a/data/pam-openeuler/gdm-smartcard.pam b/data/pam-openeuler/gdm-smartcard.pam
new file mode 100644
index 0000000..3264a71
--- /dev/null
+++ b/data/pam-openeuler/gdm-smartcard.pam
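Review bot: The first auth line of data/pam-openeuler/gdm-password.pam, `auth [success=done ignore=ignore default=bad] pam_selinux_permit.so`, ends the auth stack successfully before `password-auth` runs whenever that module returns success, and nothing in the file says so. pam_selinux_permit returns success for accounts listed in its configuration (by default /etc/security/sepermit.conf) when SELinux is enforcing, so that file becomes part of the login trust boundary and should be covered by the same change control as the PAM files. A comment above the line, e.g. `# accounts listed in sepermit.conf are admitted without a password when SELinux is enforcing`, would document it. gdm-pin.pam has the same first line, placed ahead of `auth requisite pam_pin.so`, so the comment applies there too.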
@@ -0,0 +1,15 @@
+auth substack smartcard-auth
+auth include postlogin
+
+account required pam_nologin.so
+account include smartcard-auth
+
+password include smartcard-auth
+
+session required pam_selinux.so close
+session required pam_loginuid.so
+session required pam_selinux.so open
+session optional pam_keyinit.so force revoke
+session required pam_namespace.so
+session include smartcard-auth
+session include postlogin
diff --git a/meson.build b/meson.build
index 4ace94b..49618e1 100644
--- a/meson.build
+++ b/meson.build
@@ -172,6 +172,7 @@ if default_pam_config == 'autodetect'
 '/etc/exherbo-release': 'exherbo',
 '/etc/arch-release': 'arch',
 '/etc/lfs-release': 'lfs',
+ '/etc/openEuler-release': 'openeuler',
 }
 foreach _file, _pam_conf : pam_autodetect_map
diff --git a/meson_options.txt b/meson_options.txt
index 49550bc..3c07d16 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -2,7 +2,7 @@ option('at-spi-registryd-dir', type: 'string', value: '', description: 'Specify
 option('check-accelerated-dir', type: 'string', value: '', description: 'Specify the directory of gnome-session-check-accelerated.')
 option('custom-conf', type: 'string', value: '', description: 'Filename to give to custom configuration file.')
 option('dbus-sys', type: 'string', value: '', description: 'Where D-Bus systemd directory is.')
-option('default-pam-config', type: 'combo', choices: [ 'autodetect', 'redhat', 'openembedded', 'exherbo', 'lfs', 'arch', 'none'], value: 'autodetect', description: '')
+option('default-pam-config', type: 'combo', choices: [ 'autodetect', 'redhat', 'openembedded', 'exherbo', 'lfs', 'arch', 'openeuler', 'none'], value: 'autodetect', description: '')
 option('default-path', type: 'string', value: '/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin', description: 'Path GDM will use as the user\'s default PATH.')
 option('defaults-conf', type: 'string', value: '', description: 'Filename to give to defaults file.')
 option('dmconfdir', type: 'string', value: '', description: 'Directory where sessions are stored.')
-- 2.27.0