The dependency list of libfprint used to be a direct copy of the
libfprint CI list. However, many of the dependencies are not needed as
only a minimal version of libfprint is built for testing purposes.
The state directory will generally be the same as the hardcoded one.
However, being able to override it is important for testing purposes, so
add the option.
These utilities are generally useful beyond only testing purproses. And,
since it is desirable to have automated tests inside the tests
subdirecty, it makes sense to move them elsewhere.
Some devices require storing the print on the device, to support this,
try deleting prints from the device before deleting them from local
storage.
To handle these devices, add a new API that requires the device to be
claimed rather than allowing deletion without claiming the device first.
Also add appropriate fallbacks so that the old API will continue to
work, but warn about its use.
When creating the FprintManager object the devices will be enumerated.
This operation calls the mainloop recursively. We do not want to receive
any client requests before the initial enumeration has happened. Because
of this, move the registration of the common name to happen after the
enumeration has finished.
The new libfprint version has support for devices that store data on the
sensor. In that case, the on-sensor storage might fill up when the user
tries to enroll a new print.
The strategy introduced here to handle this is to try and delete prints
from the device that we do not know about (assuming, it is e.g. from an
old installation and unusable).
It can also happen that we are not able to garbage collect old prints.
If that happens, a new error code "enroll-data-full" will be returned
signalling the situation to the enrolling application.
For sensors with internal storage we may want to garbage collect prints.
Adding this API means we can list all local prints, allowing us to find
out whether there are prints on the device's storage with no
corresponding print on the host.
The libfprint master branch will soon contain the v2 API. So change to
use the libfprint-1-0 which will mean that the CI will continue to work.
Note that the build_stable target will need to be removed when the new
libfprint version reaches fedora rawhide.
fprintd's API docs say that "retry" errors for verification
"the verification is still ongoing" and that "[the] user should retry
scanning their finger.
Unfortunately, retry errors are fatal in libfprint. Make fprintd restart
operations when "retry" is the error for either identification or
verification purposes.
We need to also make sure that a "*Stop" D-Bus call will return as
normal if called while we're stopping a verification or identification
in order to restart it.
Closes: #22
Fix incorrect configuration path when the sysconfdir is relative to the
prefix argument:
fprintd-WARNING **: 12:22:38.816: Could not open "${prefix}/etc/fprintd.conf": No such file or directory
The path needs to be expanded before it's substituted.
As written in the "Linux-PAM Application Developers' Guide"
at http://www.linux-pam.org/Linux-PAM-html/adg-security-user-identity.html:
"
As a general rule, the following convention for its value can be
assumed: NULL = unknown; localhost = invoked directly from the
local system; other.place.xyz = some component of the user's
connection originates from this remote/requesting host.
"
So also exit early if the hostname isn't localhost as it should be.
Closes: #21
If the directory referred to by ReadWritePaths= does not exist, the
service fails to start:
systemd[1]: Starting Fingerprint Authentication Daemon...
systemd[9736]: fprintd.service: Failed to set up mount namespacing: No such file or directory
systemd[9736]: fprintd.service: Failed at step NAMESPACE spawning /usr/lib/fprintd/fprintd: No such file or directory
systemd[1]: fprintd.service: Main process exited, code=exited, status=226/NAMESPACE
systemd[1]: fprintd.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Fingerprint Authentication Daemon.
This may happen when booting with an empty /var filesystem.
For a system service, "StateDirectory=fprint" causes /var/lib/fprint and
any parent directories to be created if missing (with mode 0755 by
default, owned by the user and group of the service, which in this case
is root). In combination with ProtectSystem=strict, this state
directory will be mounted read-write. StateDirectory was introduced in
systemd 235, so require at least this version.
The /var/lib prefix is hardcoded in systemd. (Since systemd 240, the
full path(s) to StateDirectory are provided as $STATE_DIRECTORY, but
since it is always /var/lib, we continue to just hardcode that path.)
On non-systemd systems, since fprintd runs as root with no confinement,
it can create its state directory as needed (with g_mkdir_with_parents()
in file_storage_print_data_save()).
--localstatedir (and --prefix) will now be ignored in favour of this
hardcoded path. This is in preparation for a change to use systemd's
StateDirectory feature.
Otherwise you could get into a state where the daemon could not start
because the directory listed as a ReadWritePaths in the .service file is
missing.
Spotted by Will Thompson.
See: !5
The gettext in fprintd would be getting confused by a new file in
libfprint that looks like it should have been translated. Ignore this
file in our build.
Fix a possible crash when an fprintd client disappears. If the client
requested for the device to be released, then, without waiting for the
reply of that release, disappeared from the bus, we would try to close
it a second time, accessing a function pointer that didn't exist
anymore.
See https://bugzilla.redhat.com/show_bug.cgi?id=1515720
