Add custom PAM configuration to start gnome-keyring

cosmic-greeter.toml

@@ -2,7 +2,7 @@
 vt = "1"
 
 [general]
-service = "login"
+service = "cosmic-greeter"
 
 [default_session]
 command = "cosmic-comp systemd-cat -t cosmic-greeter cosmic-greeter"

debian/cosmic-greeter.pam

@@ -0,0 +1,25 @@
+#%PAM-1.0
+auth    requisite       pam_nologin.so
+auth	required	pam_succeed_if.so user != root quiet_success
+@include common-auth
+auth    optional        pam_gnome_keyring.so
+@include common-account
+# SELinux needs to be the first session rule. This ensures that any 
+# lingering context has been cleared. Without this it is possible 
+# that a module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+session required        pam_loginuid.so
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+# pam_selinux.so changes the SELinux context of the used TTY and configures
+# SELinux in order to transition to the user context with the next execve()
+# call.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+session optional        pam_keyinit.so force revoke
+session required        pam_limits.so
+session required        pam_env.so readenv=1
+session required        pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
+@include common-session
+session optional        pam_gnome_keyring.so auto_start
+@include common-password

debian/rules

@@ -22,6 +22,7 @@ override_dh_auto_install:
 	just rootdir=$(DESTDIR) install-debian
 
 execute_after_dh_install:
+	dh_installpam
 	dh_installsysusers
 
 override_dh_installsystemd:

examples/pam.rs

@@ -5,7 +5,7 @@ fn main() {
     let passwd = pwd::Passwd::current_user().expect("Failed to get current user");
 
     let mut context = Context::new(
-        "login",             // Service name, decides which policy is used (see `/etc/pam.d`)
+        "cosmic-greeter",    // Service name, decides which policy is used (see `/etc/pam.d`)
         Some(&passwd.name),  // Optional preset user name
         Conversation::new(), // Handler for user interaction
     )

src/locker.rs

@@ -83,8 +83,7 @@ pub fn pam_thread(username: String, conversation: Conversation) -> Result<(), pa
     //TODO: send errors to GUI, restart process
 
     // Create PAM context
-    //TODO: search for and use custom context?
+    let mut context = pam_client::Context::new("cosmic-greeter", Some(&username), conversation)?;
-    let mut context = pam_client::Context::new("login", Some(&username), conversation)?;
 
     // Authenticate the user (ask for password, 2nd-factor token, fingerprint, etc.)
     log::info!("authenticate");