fix(lock): Restore system PAM fallback, faillock support, and auth feedback

- Re-add loginConfigWatcher so installs can still fall through to /etc/pam.d instead of the bundled PAM assets - Add login-faillock bundled PAM asset at runtime. Use it as the bundled fallback when dankshell config is absent - Fix invalid bare property writes (u2fPending, u2fState, unlockInProgress, state) in Pam.qml - Improve lockscreen auth feedback
2026-04-04 21:02:06 -04:00 · 2026-03-25 16:39:37 -04:00
parent 8180e30e8e
commit 72b598057c
6 changed files with 90 additions and 39 deletions
--- a/quickshell/Common/settings/Processes.qml
+++ b/quickshell/Common/settings/Processes.qml
@@ -33,6 +33,7 @@ Singleton {
    property int pamSupportProbeExitCode: 0
    property bool pamFprintSupportDetected: false
    property bool pamU2fSupportDetected: false
+    property bool pamFaillockSupportDetected: false

    readonly property string homeDir: Quickshell.env("HOME") || ""
    readonly property string u2fKeysPath: homeDir ? homeDir + "/.config/Yubico/u2f_keys" : ""
@@ -70,14 +71,13 @@ Singleton {
            fingerprintProbeState = forcedFprintAvailable ? "ready" : "probe_failed";
        }

-        if (forcedFprintAvailable === null || forcedU2fAvailable === null) {
-            pamFprintSupportDetected = false;
-            pamU2fSupportDetected = false;
-            pamSupportProbeOutput = "";
-            pamSupportProbeStreamFinished = false;
-            pamSupportProbeExited = false;
-            pamSupportDetectionProcess.running = true;
-        }
+        pamFprintSupportDetected = false;
+        pamU2fSupportDetected = false;
+        pamFaillockSupportDetected = false;
+        pamSupportProbeOutput = "";
+        pamSupportProbeStreamFinished = false;
+        pamSupportProbeExited = false;
+        pamSupportDetectionProcess.running = true;

        recomputeAuthCapabilities();
    }
@@ -321,6 +321,7 @@ Singleton {
            return;
        recomputeFingerprintCapabilities();
        recomputeU2fCapabilities();
+        settingsRoot.lockFaillockSupported = pamFaillockSupportDetected;
        settingsRoot.fprintdAvailable = settingsRoot.lockFingerprintReady || settingsRoot.greeterFingerprintReady;
        settingsRoot.u2fAvailable = settingsRoot.lockU2fReady || settingsRoot.greeterU2fReady;
    }
@@ -338,6 +339,7 @@ Singleton {

        pamFprintSupportDetected = false;
        pamU2fSupportDetected = false;
+        pamFaillockSupportDetected = false;

        const lines = (pamSupportProbeOutput || "").trim().split(/\r?\n/);
        for (let i = 0; i < lines.length; i++) {
@@ -348,6 +350,8 @@ Singleton {
                pamFprintSupportDetected = parts[1] === "true";
            else if (parts[0] === "pam_u2f.so")
                pamU2fSupportDetected = parts[1] === "true";
+            else if (parts[0] === "pam_faillock.so")
+                pamFaillockSupportDetected = parts[1] === "true";
        }

        if (forcedFprintAvailable === null && fingerprintProbeState === "missing_pam_support")
@@ -401,7 +405,7 @@ Singleton {
    }

    property var pamSupportDetectionProcess: Process {
-        command: ["sh", "-c", "for module in pam_fprintd.so pam_u2f.so; do found=false; for dir in /usr/lib64/security /usr/lib/security /lib/security /lib/x86_64-linux-gnu/security /usr/lib/x86_64-linux-gnu/security /usr/lib/aarch64-linux-gnu/security /run/current-system/sw/lib/security; do if [ -f \"$dir/$module\" ]; then found=true; break; fi; done; printf '%s:%s\\n' \"$module\" \"$found\"; done"]
+        command: ["sh", "-c", "for module in pam_fprintd.so pam_u2f.so pam_faillock.so; do found=false; for dir in /usr/lib64/security /usr/lib/security /lib/security /lib/x86_64-linux-gnu/security /usr/lib/x86_64-linux-gnu/security /usr/lib/aarch64-linux-gnu/security /run/current-system/sw/lib/security; do if [ -f \"$dir/$module\" ]; then found=true; break; fi; done; printf '%s:%s\\n' \"$module\" \"$found\"; done"]
        running: false

        stdout: StdioCollector {
--- a/quickshell/Common/settings/SettingsSpec.js
+++ b/quickshell/Common/settings/SettingsSpec.js
@@ -328,6 +328,7 @@ var SPEC = {
    lockAtStartup: { def: false },
    enableFprint: { def: false },
    maxFprintTries: { def: 15 },
+    lockFaillockSupported: { def: false, persist: false },
    fprintdAvailable: { def: false, persist: false },
    lockFingerprintCanEnable: { def: false, persist: false },
    lockFingerprintReady: { def: false, persist: false },