fix: harden avatar load against symlink TOCTOU (v0.6.19)

SEC-01 (security audit, LOW): the avatar load followed symlinks via
gio::File while the wallpaper load was already O_NOFOLLOW-hardened — the
project's lock-path hardening was applied inconsistently. Share one
read_file_nofollow loader for both file reads so they cannot diverge
again; a symlinked ~/.face now fails open with ELOOP and falls back to
the default avatar. Adds loader unit tests (regular file, symlink->ELOOP).

Bundles clippy cleanup: c"" literal in auth.rs, let-chains, drop
redundant gtk4_session_lock import, blur guard via .filter() (unifies
with moongreet/moonset).

.gitea/workflows/ci.yaml

@@ -0,0 +1,22 @@
+# ABOUTME: Runs cargo audit (RustSec CVE scan) against the locked dependency tree.
+# ABOUTME: Supply-chain gate — fails on a known advisory.
+
+name: Audit
+
+on:
+  push:
+    branches: [main]
+    tags: ['v*']
+  pull_request:
+    branches: [main]
+
+jobs:
+  cargo-audit:
+    runs-on: moonarch
+    steps:
+      - name: Checkout
+        run: git clone http://gitea:3000/nevaforget/moonlock.git src
+      - name: Install cargo-audit
+        run: cargo install cargo-audit --locked
+      - name: Audit
+        run: cd src && cargo audit

.gitignore

@@ -1,7 +1,3 @@
 /target
 
-# makepkg build artifacts
+.pytest_cache/
-pkg/src/
-pkg/pkg/
-pkg/moonlock/
-pkg/*.pkg.tar.*

Cargo.lock

@@ -575,7 +575,7 @@ dependencies = [
 
 [[package]]
 name = "moonlock"
-version = "0.6.17"
+version = "0.6.19"
 dependencies = [
  "gdk-pixbuf",
  "gdk4",

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "moonlock"
-version = "0.6.17"
+version = "0.6.19"
 edition = "2024"
 description = "A secure Wayland lockscreen with GTK4, PAM and fingerprint support"
 license = "MIT"
@@ -28,7 +28,6 @@ tempfile = "3"
 glib-build-tools = "0.22"
 
 [profile.release]
-lto = "thin"
+lto = "fat"
 codegen-units = 1
-strip = false
+strip = true
-debug = true

DECISIONS.md

@@ -2,6 +2,27 @@
 
 Architectural and design decisions for Moonlock, in reverse chronological order.
 
+## 2026-06-17 – Harden avatar load against symlink TOCTOU via a shared O_NOFOLLOW loader (v0.6.19)
+
+- **Who**: ClaudeCode, Dom
+- **Why**: A security audit found SEC-01 (LOW): `set_avatar_from_file` (`lockscreen.rs`) opened `~/.face` / the AccountsService icon via `gio::File::for_path().read_future()`, which follows symlinks unconditionally, while the wallpaper load (`load_background_texture`) was already hardened with `O_NOFOLLOW` (2026-04-24). `users::get_avatar_path_with` rejects symlinks via `symlink_metadata()`, but a TOCTOU window remained between that stat and the GIO open. The root cause was not the avatar code per se but that the `O_NOFOLLOW` open idiom was inlined in one place and absent from the other — the project's own lock-path hardening contract was applied inconsistently. Impact is below the primary threat model (exploiting it needs write access to `~/.face`, i.e. an already-compromised session; the screen stays locked either way), hence LOW.
+- **Tradeoffs**: Extracted a shared `read_file_nofollow` rather than duplicating the open idiom, so the two file reads on the lock path cannot diverge again. The avatar read moved onto a blocking thread via `gio::spawn_blocking` (was a GIO async read) to keep the open off the GTK main loop, then decodes from an in-memory `MemoryInputStream`, preserving the scaled `AVATAR_SIZE` decode. No integration test for `set_avatar_from_file` itself — GTK + async, not unit-testable without a harness; the security primitive (`O_NOFOLLOW` → `ELOOP`) is covered by a unit test that goes red if the flag is removed (verified by temporarily dropping it). SEC-02 (fallback wallpaper `is_file()`) and SEC-03 (PAM `strdup` not zeroed) were reviewed and left as-is: the former is still protected by `O_NOFOLLOW` at open time and is a root-only system path, the latter is an inherent PAM-API limitation outside the lock threat model, already documented in `CLAUDE.md`.
+- **How**: (1) New `read_file_nofollow(&Path) -> io::Result<Vec<u8>>` in `lockscreen.rs`, used by both `load_background_texture` and `set_avatar_from_file`. (2) The avatar load reads via `gio::spawn_blocking(read_file_nofollow)` then decodes from a `MemoryInputStream`; a symlinked avatar now fails the open with `ELOOP`, logs a warning, and falls back to the default avatar. (3) Two unit tests for the loader (regular file → bytes; symlink → `ELOOP`). (4) Clippy cleanup bundled in: `c""` C-string literal in `auth.rs`, `let`-chains in `config.rs`/`users.rs`, removed redundant `use gtk4_session_lock;` in `main.rs`, blur guard collapsed to `blur_radius.filter(|s| *s > 0.0)` (unifies with moongreet/moonset, which already used that form). Verified: `cargo test` (48 passed), `cargo clippy --release` (0 warnings), `cargo build --release`.
+
+## 2026-06-17 – Add cargo-audit CI gate, remove orphaned `-git` PKGBUILD
+
+- **Who**: ClaudeCode, Dom
+- **Why**: A hygiene audit found supply chain and dependency health clean (`cargo audit` 0.22.2: 0 vulnerabilities across 116 crates), but flagged repo-hygiene gaps: CI (`.gitea/workflows/`) only auto-bumped pkgver and ran no vulnerability scan, so a future advisory against a locked dependency would go undetected; `pkg/PKGBUILD` was an orphaned `moonlock-git` VCS PKGBUILD (`pkgver=0.4.1.r1...`, two minor versions behind v0.6.18) left over from the pre-tag-build era — the canonical packaging now lives in `moonarch-pkgbuilds/moonlock/PKGBUILD` and is auto-bumped by `update-pkgver.yaml`; a stray `.pytest_cache/` sat in the repo root of this pure-Rust project, only suppressed by a user-global gitignore.
+- **Tradeoffs**: CI gate scoped to `cargo audit` only, not `cargo test`/`clippy`/`build` — `cargo audit` parses `Cargo.lock` and needs no GTK4/PAM build environment, whereas the broader checks depend on the `moonarch` runner having the full dev toolchain, which is unverified and beyond the hygiene scope. `cargo install cargo-audit` recompiles per run (~2-3 min); accepted, caching deferred. Open risk: the runner must provide a Rust toolchain (`cargo`); `update-pkgver.yaml` only uses `git`, so this needs validation on first run. Deleting `pkg/PKGBUILD` rather than updating it: it is not in the build pipeline and the `-git` variant was abandoned at the tag-build switch (see `moonarch-pkgbuilds/DECISIONS.md` 2026-06-10).
+- **How**: New `.gitea/workflows/ci.yaml` (`Audit` workflow, triggers on push to `main`, `v*` tags, and PRs to `main`) clones the repo and runs `cargo audit`. Removed `pkg/PKGBUILD` and the empty `pkg/` dir; dropped the now-dead `pkg/*` makepkg-artifact lines from `.gitignore` and added `.pytest_cache/`. No version bump — no code or behavior change to the binary.
+
+## 2026-06-17 – Restore hardened release profile after the crash hunt (v0.6.18)
+
+- **Who**: ClaudeCode, Dom
+- **Why**: A security audit found the `[profile.release]` in `Cargo.toml` had silently drifted from the hardened profile decided on 2026-04-24 (`lto = "fat"`, `strip = true`). Git blame traced the drift to v0.6.14 (commit `85cf039`, "refactor: power-confirm via PowerAction table"): `lto` was reverted `fat`→`thin`, `strip` flipped `true`→`false`, and `debug = true` was added — all bundled into an unrelated refactor commit, with no commit-message mention and no entry here. The pattern (no strip + debug symbols + faster thin LTO) was a debug aid for the suspend/resume SIGSEGV hunt that ran v0.6.9–v0.6.17, giving symbolized coredump backtraces. That crash is fixed as of v0.6.17, so the debug profile has outlived its purpose, while shipping debug symbols on a security-critical auth binary eases reverse-engineering of the auth path and bloats the binary.
+- **Tradeoffs**: Restoring `lto = "fat"` roughly doubles release build time (~30 s → ~60 s) for better cross-crate inlining; acceptable for a binary compiled once per release. Dropping `strip = false` + `debug = true` means field coredumps are no longer symbolized out of the box — a deliberate trade now that the crash is resolved; debug symbols can be re-enabled temporarily if a new crash needs hunting. Not chosen: keeping `lto = "fat"` but retaining the debug symbols — rejected because the symbols' only justification (the crash hunt) is gone.
+- **How**: `Cargo.toml` `[profile.release]` restored to `lto = "fat"`, `strip = true`, with the `debug = true` line removed; `codegen-units = 1` unchanged. Verified via `file target/release/moonlock` reporting a stripped binary.
+
 ## 2026-06-02 – Real fix for the unlock SIGSEGV: quit in ::unlocked, never destroy windows ourselves (v0.6.17)
 
 - **Who**: ClaudeCode, Dom

pkg/PKGBUILD

@@ -1,51 +0,0 @@
-# ABOUTME: PKGBUILD for Moonlock — secure Wayland lockscreen.
-# ABOUTME: Builds from git source with automatic version detection.
-
-# Maintainer: Dominik Kressler
-
-pkgname=moonlock-git
-pkgver=0.4.1.r1.g78bcf90
-pkgrel=1
-pkgdesc="A secure Wayland lockscreen with GTK4, PAM and fingerprint support"
-arch=('x86_64')
-url="https://gitea.moonarch.de/nevaforget/moonlock"
-license=('MIT')
-depends=(
-    'gtk4'
-    'gtk4-layer-shell'
-    'gtk-session-lock'
-    'pam'
-    'systemd-libs'
-)
-makedepends=(
-    'git'
-    'cargo'
-)
-optdepends=(
-    'fprintd: fingerprint authentication support'
-)
-provides=('moonlock')
-conflicts=('moonlock')
-source=("git+${url}.git")
-sha256sums=('SKIP')
-
-pkgver() {
-    cd "$srcdir/moonlock"
-    git describe --long --tags | sed 's/^v//;s/-/.r/;s/-/./'
-}
-
-build() {
-    cd "$srcdir/moonlock"
-    cargo build --release --locked
-}
-
-package() {
-    cd "$srcdir/moonlock"
-    install -Dm755 target/release/moonlock "$pkgdir/usr/bin/moonlock"
-
-    # PAM configuration
-    install -Dm644 config/moonlock-pam "$pkgdir/etc/pam.d/moonlock"
-
-    # Example config
-    install -Dm644 config/moonlock.toml.example "$pkgdir/etc/moonlock/moonlock.toml.example"
-}

src/auth.rs

@@ -115,7 +115,7 @@ unsafe extern "C" fn pam_conv_callback(
                 }
                 PAM_PROMPT_ECHO_ON => {
                     // Visible prompt — provide empty string, never the password
-                    let empty = libc::strdup(b"\0".as_ptr() as *const libc::c_char);
+                    let empty = libc::strdup(c"".as_ptr());
                     if empty.is_null() {
                         for j in 0..i {
                             let prev = resp_array.offset(j);

src/config.rs

@@ -72,8 +72,11 @@ pub fn resolve_background_path(config: &Config) -> Option<PathBuf> {
 pub fn resolve_background_path_with(config: &Config, moonarch_wallpaper: &Path) -> Option<PathBuf> {
     if let Some(ref bg) = config.background_path {
         let path = PathBuf::from(bg);
-        if let Ok(meta) = path.symlink_metadata() {
+        if let Ok(meta) = path.symlink_metadata()
-            if meta.is_file() && !meta.file_type().is_symlink() { return Some(path); }
+            && meta.is_file()
+            && !meta.file_type().is_symlink()
+        {
+            return Some(path);
         }
     }
     if moonarch_wallpaper.is_file() { return Some(moonarch_wallpaper.to_path_buf()); }

src/lockscreen.rs

@@ -24,7 +24,6 @@ use crate::users;
 pub struct LockscreenHandles {
     pub window: gtk::ApplicationWindow,
     pub fp_label: gtk::Label,
-    pub password_entry: gtk::PasswordEntry,
     pub unlock_callback: Rc<dyn Fn()>,
     pub username: String,
     state: Rc<RefCell<LockscreenState>>,
@@ -67,7 +66,6 @@ pub fn create_lockscreen_window(
             return LockscreenHandles {
                 window,
                 fp_label,
-                password_entry: gtk::PasswordEntry::new(),
                 unlock_callback,
                 username: String::new(),
                 state: Rc::new(RefCell::new(LockscreenState {
@@ -357,7 +355,6 @@ pub fn create_lockscreen_window(
     LockscreenHandles {
         window,
         fp_label,
-        password_entry: password_entry.clone(),
         unlock_callback,
         username: user.username,
         state: state.clone(),
@@ -445,6 +442,23 @@ pub fn start_fingerprint(
     });
 }
 
+/// Read a file with O_NOFOLLOW so a symlink swapped in after a prior
+/// stat-based check (TOCTOU) fails the open with ELOOP instead of being
+/// followed. Shared by the wallpaper and avatar loads — the two file reads
+/// on the lock path.
+fn read_file_nofollow(path: &Path) -> std::io::Result<Vec<u8>> {
+    use std::io::Read;
+    use std::os::unix::fs::OpenOptionsExt;
+
+    let mut file = std::fs::OpenOptions::new()
+        .read(true)
+        .custom_flags(libc::O_NOFOLLOW)
+        .open(path)?;
+    let mut bytes = Vec::new();
+    file.read_to_end(&mut bytes)?;
+    Ok(bytes)
+}
+
 /// Load the wallpaper as a texture once, for sharing across all windows.
 /// Returns None if no wallpaper path is provided or the file cannot be loaded.
 /// Blur is applied at render time via GPU (GskBlurNode), not here.
@@ -453,25 +467,13 @@ pub fn start_fingerprint(
 /// symlink check in `resolve_background_path_with` and this read. If the path
 /// was swapped for a symlink after the check, `open` fails with ELOOP.
 pub fn load_background_texture(bg_path: &Path) -> Option<gdk::Texture> {
-    use std::io::Read;
+    let bytes = match read_file_nofollow(bg_path) {
-    use std::os::unix::fs::OpenOptionsExt;
+        Ok(b) => b,
-
-    let mut file = match std::fs::OpenOptions::new()
-        .read(true)
-        .custom_flags(libc::O_NOFOLLOW)
-        .open(bg_path)
-    {
-        Ok(f) => f,
         Err(e) => {
-            log::warn!("Failed to open wallpaper {}: {e}", bg_path.display());
+            log::warn!("Failed to read wallpaper {}: {e}", bg_path.display());
             return None;
         }
     };
-    let mut bytes = Vec::new();
-    if let Err(e) = file.read_to_end(&mut bytes) {
-        log::warn!("Failed to read wallpaper {}: {e}", bg_path.display());
-        return None;
-    }
     let glib_bytes = glib::Bytes::from_owned(bytes);
     match gdk::Texture::from_bytes(&glib_bytes) {
         Ok(texture) => Some(texture),
@@ -498,21 +500,19 @@ fn create_background_picture(
     background.set_hexpand(true);
     background.set_vexpand(true);
 
-    if let Some(sigma) = blur_radius {
+    if let Some(sigma) = blur_radius.filter(|s| *s > 0.0) {
-        if sigma > 0.0 {
+        let texture = texture.clone();
-            let texture = texture.clone();
+        let cache = blur_cache.clone();
-            let cache = blur_cache.clone();
+        background.connect_realize(move |picture| {
-            background.connect_realize(move |picture| {
+            if let Some(ref cached) = *cache.borrow() {
-                if let Some(ref cached) = *cache.borrow() {
+                picture.set_paintable(Some(cached));
-                    picture.set_paintable(Some(cached));
+                return;
-                    return;
+            }
-                }
+            if let Some(blurred) = render_blurred_texture(picture, &texture, sigma) {
-                if let Some(blurred) = render_blurred_texture(picture, &texture, sigma) {
+                picture.set_paintable(Some(&blurred));
-                    picture.set_paintable(Some(&blurred));
+                *cache.borrow_mut() = Some(blurred);
-                    *cache.borrow_mut() = Some(blurred);
+            }
-                }
+        });
-            });
-        }
     }
 
     background
@@ -588,18 +588,25 @@ fn set_avatar_from_file(
     image.set_icon_name(Some("avatar-default-symbolic"));
 
     let display_path = path.to_path_buf();
-    let file = gio::File::for_path(path);
+    let read_path = path.to_path_buf();
     let image_clone = image.clone();
     let cache_clone = cache.clone();
 
     glib::spawn_future_local(async move {
-        let stream = match file.read_future(glib::Priority::default()).await {
+        // Read with O_NOFOLLOW on a blocking thread to close the TOCTOU window
-            Ok(s) => s,
+        // between the symlink check in users::get_avatar_path_with and this open.
-            Err(e) => {
+        let bytes = match gio::spawn_blocking(move || read_file_nofollow(&read_path)).await {
+            Ok(Ok(b)) => b,
+            Ok(Err(e)) => {
                 log::warn!("Failed to open avatar {}: {e}", display_path.display());
                 return;
             }
+            Err(_) => {
+                log::warn!("Avatar read task failed for {}", display_path.display());
+                return;
+            }
         };
+        let stream = gio::MemoryInputStream::from_bytes(&glib::Bytes::from_owned(bytes));
         match Pixbuf::from_stream_at_scale_future(&stream, AVATAR_SIZE, AVATAR_SIZE, true).await {
             Ok(pixbuf) => {
                 let texture = gdk::Texture::for_pixbuf(&pixbuf);
@@ -834,4 +841,25 @@ mod tests {
     fn avatar_size_matches_css() {
         assert_eq!(AVATAR_SIZE, 128);
     }
+
+    #[test]
+    fn read_file_nofollow_reads_regular_file() {
+        let dir = tempfile::tempdir().unwrap();
+        let file = dir.path().join("avatar.png");
+        std::fs::write(&file, b"avatar-bytes").unwrap();
+        assert_eq!(read_file_nofollow(&file).unwrap(), b"avatar-bytes");
+    }
+
+    #[test]
+    fn read_file_nofollow_rejects_symlink() {
+        use std::os::unix::fs::symlink;
+        let dir = tempfile::tempdir().unwrap();
+        let target = dir.path().join("secret");
+        std::fs::write(&target, b"secret").unwrap();
+        let link = dir.path().join("avatar.png");
+        symlink(&target, &link).unwrap();
+        // O_NOFOLLOW makes the open fail with ELOOP instead of following the link.
+        let err = read_file_nofollow(&link).unwrap_err();
+        assert_eq!(err.raw_os_error(), Some(libc::ELOOP));
+    }
 }

src/main.rs

@@ -12,7 +12,6 @@ mod users;
 use gdk4 as gdk;
 use gtk4::prelude::*;
 use gtk4::{self as gtk, gio};
-use gtk4_session_lock;
 use std::cell::{Cell, RefCell};
 use std::rc::Rc;
 

src/users.rs

@@ -12,7 +12,6 @@ pub struct User {
     pub username: String,
     pub display_name: String,
     pub home: PathBuf,
-    pub uid: u32,
 }
 
 pub fn get_current_user() -> Option<User> {
@@ -29,7 +28,7 @@ pub fn get_current_user() -> Option<User> {
         let first = gecos.split(',').next().unwrap_or("");
         if first.is_empty() { nix_user.name.clone() } else { first.to_string() }
     } else { nix_user.name.clone() };
-    Some(User { username: nix_user.name, display_name, home: nix_user.dir, uid: uid.as_raw() })
+    Some(User { username: nix_user.name, display_name, home: nix_user.dir })
 }
 
 pub fn get_avatar_path(home: &Path, username: &str) -> Option<PathBuf> {
@@ -39,14 +38,20 @@ pub fn get_avatar_path(home: &Path, username: &str) -> Option<PathBuf> {
 pub fn get_avatar_path_with(home: &Path, username: &str, accountsservice_dir: &Path) -> Option<PathBuf> {
     // ~/.face takes priority — single stat via symlink_metadata to avoid TOCTOU
     let face = home.join(".face");
-    if let Ok(meta) = face.symlink_metadata() {
+    if let Ok(meta) = face.symlink_metadata()
-        if meta.is_file() && !meta.file_type().is_symlink() { return Some(face); }
+        && meta.is_file()
+        && !meta.file_type().is_symlink()
+    {
+        return Some(face);
     }
     // AccountsService icon
     if accountsservice_dir.exists() {
         let icon = accountsservice_dir.join(username);
-        if let Ok(meta) = icon.symlink_metadata() {
+        if let Ok(meta) = icon.symlink_metadata()
-            if meta.is_file() && !meta.file_type().is_symlink() { return Some(icon); }
+            && meta.is_file()
+            && !meta.file_type().is_symlink()
+        {
+            return Some(icon);
         }
     }
     None