Allow fprintd suspend/resume

[benzea]

fprintd 1.94.0 is getting support for suspend/resume. This requires more permissions:

• logind inhibitor API (org.freedesktop.login1.Inhibit call and the associated FD passing)
• power/persist and power/wakeup sysfs attributes for USB devices

Note that we could unconditionally turn off power/persist. But it does make sense to runtime-configure wakeup (as there is no point in having USB wakeup enabled in the kernel unless really needed).

Aug 20 04:59:16 fedora audit[17453]: AVC avc:  denied  { write } for  pid=17453 comm="fprintd" name="wakeup" dev="sysfs" ino=28290 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
Aug 20 04:59:16 fedora fprintd[17453]: 3658960783: ../libfprint/drivers/synaptics/synaptics.c:1225
Aug 20 04:59:16 fedora audit[17453]: AVC avc:  denied  { write } for  pid=17453 comm="gdbus" path="/run/systemd/inhibit/78.ref" dev="tmpfs" ino=2616 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:systemd_logind_inhibit_var_run_t:s0 tclass=fifo_file permissive=1

Not sure why only power/wakeup shows up here, power/persist is also written.

fprintd will run fine without the change other than printing some warnings. However, the change allows new features and should fix some problems around suspend/resume with fingerprint readers.

Note that testing requires fprintd/libfprint 1.94.0 (likely released very soon) and a synaptics prometheus fingerprint reader right now (and will only fully work with S0ix/s2idle suspend rather than S3).

[ghost]

Benjamin Berg ***@***.***> writes:

fprintd 1.94.0 is getting support for suspend/resume. This requires more permissions: * logind inhibitor API (org.freedesktop.login1.Inhibit call and the associated FD passing) * power/persist and power/wakeup sysfs attributes for USB devices Note that we could unconditionally turn off power/persist. But it does make sense to runtime-configure wakeup (as there is no point in having USB wakeup enabled in the kernel unless really needed). Aug 20 04:59:16 fedora audit[17453]: AVC avc: denied { write } for pid=17453 comm="fprintd" name="wakeup" dev="sysfs" ino=28290 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1 Aug 20 04:59:16 fedora fprintd[17453]: 3658960783: ../libfprint/drivers/synaptics/synaptics.c:1225 Aug 20 04:59:16 fedora audit[17453]: AVC avc: denied { write } for pid=17453 comm="gdbus" path="/run/systemd/inhibit/78.ref" dev="tmpfs" ino=2616 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:systemd_logind_inhibit_var_run_t:s0 tclass=fifo_file permissive=1 Not sure why only power/wakeup shows up here, power/persist is also written.

it is in permissive mode and the event is the same, selinux does not log duplicate avc denials when in permissive mode to avoid log flooding. I would consider using genfscon to label those wakup and persist files with a private type if practical so that write access for fprintd can be granted to those two files only and not the remainder of /sys

…

fprintd will run fine without the change other than printing some warnings. However, the change allows new features and should fix some problems around suspend/resume with fingerprint readers. Note that testing requires fprintd/libfprint 1.94.0 (likely released very soon) and a synaptics prometheus fingerprint reader right now (and will only fully work with S0ix/s2idle suspend rather than S3). — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or unsubscribe. Triage notifications on the go with GitHub Mobile for iOS or Android.

-- gpg --locate-keys ***@***.*** Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift

[QuLogic]

Ping? This is now happening a lot in Fedora 35 now that it's out. https://bugzilla.redhat.com/show_bug.cgi?id=2010925