fix: audit fixes — CString zeroize, FP account check, PAM timeout, blur downscale (v0.6.5)
Update PKGBUILD version / update-pkgver (push) Successful in 1s
Update PKGBUILD version / update-pkgver (push) Successful in 1s
Address findings from second triple audit (quality, performance, security): - Wrap PAM CString password in Zeroizing<CString> to wipe on drop (S-H1) - Add check_account() for pam_acct_mgmt after fingerprint unlock, with resume_async() to restart FP on transient failure (S-M1) - 30s PAM timeout with generation counter to prevent stale result interference from parallel auth attempts (S-M3) - Downscale wallpaper to max 1920px before GPU blur, reducing work by ~4x on 4K wallpapers (P-M1) - exit(1) instead of return on no-monitor after lock.lock() (Q-2.1)
This commit is contained in:
+26
-7
@@ -154,6 +154,32 @@ impl FingerprintListener {
|
||||
G: Fn() + 'static,
|
||||
H: Fn() + 'static,
|
||||
{
|
||||
{
|
||||
let mut inner = listener.borrow_mut();
|
||||
inner.on_success = Some(Box::new(on_success));
|
||||
inner.on_failure = Some(Box::new(on_failure));
|
||||
inner.on_exhausted = Some(Box::new(on_exhausted));
|
||||
}
|
||||
|
||||
Self::begin_verification(listener, username).await;
|
||||
}
|
||||
|
||||
/// Resume fingerprint verification after a transient interruption (e.g. failed
|
||||
/// PAM account check). Reuses previously stored callbacks. Re-claims the device
|
||||
/// and restarts verification from scratch.
|
||||
pub async fn resume_async(
|
||||
listener: &Rc<RefCell<FingerprintListener>>,
|
||||
username: &str,
|
||||
) {
|
||||
Self::begin_verification(listener, username).await;
|
||||
}
|
||||
|
||||
/// Claim device, start verification, and connect D-Bus signal handler.
|
||||
/// Assumes device_proxy is set and callbacks are already stored.
|
||||
async fn begin_verification(
|
||||
listener: &Rc<RefCell<FingerprintListener>>,
|
||||
username: &str,
|
||||
) {
|
||||
let proxy = {
|
||||
let inner = listener.borrow();
|
||||
match inner.device_proxy.clone() {
|
||||
@@ -162,13 +188,6 @@ impl FingerprintListener {
|
||||
}
|
||||
};
|
||||
|
||||
{
|
||||
let mut inner = listener.borrow_mut();
|
||||
inner.on_success = Some(Box::new(on_success));
|
||||
inner.on_failure = Some(Box::new(on_failure));
|
||||
inner.on_exhausted = Some(Box::new(on_exhausted));
|
||||
}
|
||||
|
||||
// Claim the device
|
||||
let args = glib::Variant::from((&username,));
|
||||
if let Err(e) = proxy
|
||||
|
||||
Reference in New Issue
Block a user