This can be handled by the module loader (i.e. GDM) and in any case we
may want to have setups where fprintd is always active waiting for a
fingerprint, as modern devices support this with no problems.
PrivateNetwork=true is a bad idea, as it means that udev events cannot
be delivered. Remove it, we already restrict the address families
sufficiently anyway.
Closes: #119
This was never really used and it's breaking meson 60.
While this may just become a warning in 60.1, it's just better to avoid
using it.
See: https://github.com/mesonbuild/meson/issues/9441
fprintd only needs very few syscalls. Mainly normal IO operations and
ioctl for USB access. All of this is covered by @system-service, we
could likely restrict it quite a bit more though.
In the way the rule is currently set it would allow clients to send
messages with the fprintd interface to any other service, while we only
allow them to be redirected to fprintd itself.
This was causing a debian linter failure [1].
[1] https://lintian.debian.org/tags/dbus-policy-without-send-destination.html
When a user is requested for enrolling, we should ask for a password, as
anyone who has physical access to the machine could otherwise enroll
their own fingers, and have access to it.
Fixes #5
The current lockdown rules prevent USB devices from being accessed and
cause threading to not work.
As such, revert them until it is clear how/if we can apply these
measures. It is primarily not clear how to prevent fork/clone as
fprintd does not need those.
This reverts commit 2fd86624e5.
See: #82
If the directory referred to by ReadWritePaths= does not exist, the
service fails to start:
systemd[1]: Starting Fingerprint Authentication Daemon...
systemd[9736]: fprintd.service: Failed to set up mount namespacing: No such file or directory
systemd[9736]: fprintd.service: Failed at step NAMESPACE spawning /usr/lib/fprintd/fprintd: No such file or directory
systemd[1]: fprintd.service: Main process exited, code=exited, status=226/NAMESPACE
systemd[1]: fprintd.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Fingerprint Authentication Daemon.
This may happen when booting with an empty /var filesystem.
For a system service, "StateDirectory=fprint" causes /var/lib/fprint and
any parent directories to be created if missing (with mode 0755 by
default, owned by the user and group of the service, which in this case
is root). In combination with ProtectSystem=strict, this state
directory will be mounted read-write. StateDirectory was introduced in
systemd 235, so require at least this version.
The /var/lib prefix is hardcoded in systemd. (Since systemd 240, the
full path(s) to StateDirectory are provided as $STATE_DIRECTORY, but
since it is always /var/lib, we continue to just hardcode that path.)
On non-systemd systems, since fprintd runs as root with no confinement,
it can create its state directory as needed (with g_mkdir_with_parents()
in file_storage_print_data_save()).
--localstatedir (and --prefix) will now be ignored in favour of this
hardcoded path. This is in preparation for a change to use systemd's
StateDirectory feature.
Give read-write access to USB devices in /dev, and the location of the
fingerprints, access to Unix sockets for D-Bus and
close everything else down.
See systemd.exec(5) for details about the options.
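
An added example, not taken from fprintd's repository: a small Python check for the two unit-file failure modes the commit messages above describe, a ReadWritePaths= directory that may be missing at boot and PrivateNetwork=true cutting off udev events. The sample units and the function names are constructed for illustration.

```python
# Constructed sample units modelled on the settings the commit messages name;
# neither is fprintd's shipped unit file.
BEFORE = """\
[Service]
ExecStart=/usr/lib/fprintd/fprintd
ProtectSystem=strict
ReadWritePaths=/var/lib/fprint
PrivateNetwork=true
SystemCallFilter=@system-service
"""
AFTER = (BEFORE.replace("ReadWritePaths=/var/lib/fprint", "StateDirectory=fprint")
               .replace("PrivateNetwork=true\n", ""))

def parse_service(text):
    """Return {key: [values]} for [Service]; keys may repeat, '' resets a list."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            opts[key] = (opts.get(key, []) + value.split()) if value else []
    return opts

def lint(text):
    """Return (setting, reason) pairs for the two failure modes described above."""
    opts, findings = parse_service(text), []
    # StateDirectory= names are relative to /var/lib and are created by systemd.
    managed = {"/var/lib/" + name for name in opts.get("StateDirectory", [])}
    for path in opts.get("ReadWritePaths", []):
        # A path with a leading "-" is ignored by systemd when missing, so it
        # does not match the "/var/" prefix test and is not reported here.
        if path.startswith("/var/") and path not in managed:
            findings.append(("ReadWritePaths", f"{path} must already exist, else "
                             "the unit fails with status=226/NAMESPACE"))
    # For a boolean setting the last assignment wins.
    private_net = (opts.get("PrivateNetwork") or ["no"])[-1].lower()
    if private_net in {"1", "yes", "true", "on"}:
        findings.append(("PrivateNetwork", "udev events cannot be delivered"))
    return findings

if __name__ == "__main__":
    for name, unit in (("before", BEFORE), ("after", AFTER)):
        print(name, lint(unit) or "no findings")
```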