From patchwork Wed Jul 27 15:57:39 2022
X-Patchwork-Submitter: Maya
X-Patchwork-Id: 41015
Subject: [bug#56797] [PATCH] gnu: services: fprintd: Add PAM configuration.
From: Maya
To: 56797@debbugs.gnu.org
Resent-CC: guix-patches@gnu.org
Date: Wed, 27 Jul 2022 15:57:39 +0000
X-GNU-PR-Message: report 56797
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
Message-ID: <4AtymQ5ic7YPCQjgRG3Dj73aZuO_Rx7GX8YSKBPeoVoOG_Z8LjXXbqvvfaq-ap0fgLADcsE8zibqDwkO7kazYXa0eMA3EeEaiU_6wGQ0yI8=@protonmail.com>
X-BeenThere: guix-patches@gnu.org

Added a feature to fprintd-service-type to allow unlocking PAM modules
(i.e. gdm login, gnome polkit etc.) by fingerprint.
---
 gnu/services/authentication.scm | 49 +++++++++++++++++++++++++++++++--
 1 file changed, 46 insertions(+), 3 deletions(-)

-- 
2.37.0

I sincerely hope that the gdm PAM module is correct. Guix uses a non-standard way of defining PAM services and it was hard for me to decipher the needed contents for gdm-fingerprint. /However, I tested it on my laptop and it works! My only concern is security./ I chose the most usual modules to unlock by fingerprint; if you think that the list is missing something or has something that should not be there, let me know!

With wishes for zero-bug code,
Maya
diff --git a/gnu/services/authentication.scm b/gnu/services/authentication.scm index f7becdfafb..5737c15f4c 100644 --- a/gnu/services/authentication.scm +++ b/gnu/services/authentication.scm @@ -44,9 +44,50 @@ (define-module (gnu services authentication) nslcd-configuration? nslcd-service-type)) -(define-configuration fprintd-configuration +(define-configuration/no-serialization fprintd-configuration (fprintd (file-like fprintd) - "The fprintd package")) + "The fprintd package") + (unlock-gdm? + (boolean #t) + "Generate PAM configuration that unlocks gdm with fprintd.") + (unlock-other + (list '("polkit-1" "sddm")) ;; polkit-1 is the name of a PAM module for GNOME polkit + "List of other PAM modules that can be unlocked with fprintd. + +This depends on your desktop configuration. If you for example want GNOME prompts to be unlocked by fingerprint, you add @code{polkit-1} to this list. (This is enabled by default.) +")) + +(define (fprintd-pam-other-services config fprintd-module) + (lambda (pam) + (if (member (pam-service-name pam) + (fprintd-configuration-unlock-other config)) + (let ((sufficient + (pam-entry + (control "sufficient") + (module fprintd-module)))) + (pam-service + (inherit pam) + (auth (cons sufficient (pam-service-auth pam))))) + pam))) + +(define (fprintd-pam-gdm-services fprintd-module) + (list + (pam-service + (inherit (unix-pam-service "gdm-fingerprint" + #:login-uid? #t)) + (auth (list + (pam-entry + (control "required") + (module fprintd-module))))))) + +(define (fprintd-pam-services config) + (let ((fprintd-module + #~(string-append #$(fprintd-configuration-fprintd config) "/lib/security/pam_fprintd.so"))) + (cons + (fprintd-pam-other-services config fprintd-module) + (if fprintd-configuration-unlock-gdm? + (fprintd-pam-gdm-services fprintd-module) + '())))) (define (fprintd-dbus-service config) (list (fprintd-configuration-fprintd config))) 
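Review bot: `(if fprintd-configuration-unlock-gdm? ...)` in `fprintd-pam-services` tests the accessor procedure itself rather than the field value, so the condition is always true and the `gdm-fingerprint` service is generated even when `unlock-gdm?` is `#f`; it should read `(if (fprintd-configuration-unlock-gdm? config) ...)`. On the same hunk: the `sufficient` entry is consed onto the front of each listed service's `auth` stack, so a successful `pam_fprintd.so` match ends the auth phase before `pam_unix` or anything else on that stack is consulted; for `polkit-1` that means a fingerprint alone satisfies privilege-escalation prompts, which is the intended feature but deserves a sentence in the `unlock-other` docstring, and the entry carries no module arguments (pam_fprintd accepts `max-tries=` and `timeout=`), so the retry limit is whatever the module defaults to. Terminology: `polkit-1` and `sddm` are PAM service names (files under `/etc/pam.d`), not modules, so the `unlock-other` docstring, the commit message and the inline comment `;; polkit-1 is the name of a PAM module for GNOME polkit` should say "PAM services"; `unlock-gdm?` should also state that it adds a separate `gdm-fingerprint` service with a single `required` `pam_fprintd.so` auth entry rather than editing gdm's own configuration. Finally, the extension returns a list that mixes a procedure (from `fprintd-pam-other-services`) with `pam-service` records, which relies on `pam-root-service-type` accepting both kinds of extension in one list; a short comment noting that would help the next reader.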
@@ -57,7 +98,9 @@ (define fprintd-service-type (list (service-extension dbus-root-service-type fprintd-dbus-service) (service-extension polkit-service-type - fprintd-dbus-service))) + fprintd-dbus-service) + (service-extension pam-root-service-type + fprintd-pam-services))) (default-value (fprintd-configuration)) (description "Run fprintd, a fingerprint management daemon.")))
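Review bot: the new `pam-root-service-type` extension introduces two user-facing fields (`unlock-gdm?` and `unlock-other`), but per the diffstat only `gnu/services/authentication.scm` changes; the `fprintd-service-type` entry in `doc/guix.texi` should document both fields and their defaults, and the `description` string here could mention that the service now installs PAM configuration. The extension is also unconditional, so every existing user of `fprintd-service-type` gets the `polkit-1` and `sddm` auth stacks changed on the next reconfigure; if that is intended, say so in the documentation, otherwise consider an empty default for `unlock-other` so the behaviour is opt-in.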