From 94a98153627b5ef84d914d0009a96bc9050840c7 Mon Sep 17 00:00:00 2001
From: Will Thompson
Date: Mon, 4 Mar 2019 10:26:53 +0000
Subject: [PATCH] data: tell systemd to create state directory

If the directory referred to by ReadWritePaths= does not exist, the service fails to start: systemd[1]: Starting Fingerprint Authentication Daemon... systemd[9736]: fprintd.service: Failed to set up mount namespacing: No such file or directory systemd[9736]: fprintd.service: Failed at step NAMESPACE spawning /usr/lib/fprintd/fprintd: No such file or directory systemd[1]: fprintd.service: Main process exited, code=exited, status=226/NAMESPACE systemd[1]: fprintd.service: Failed with result 'exit-code'. systemd[1]: Failed to start Fingerprint Authentication Daemon. This may happen when booting with an empty /var filesystem. For a system service, "StateDirectory=fprint" causes /var/lib/fprint and any parent directories to be created if missing (with mode 0755 by default, owned by the user and group of the service, which in this case is root). In combination with ProtectSystem=strict, this state directory will be mounted read-write. StateDirectory was introduced in systemd 235, so require at least this version. The /var/lib prefix is hardcoded in systemd. (Since systemd 240, the full path(s) to StateDirectory are provided as $STATE_DIRECTORY, but since it is always /var/lib, we continue to just hardcode that path.) On non-systemd systems, since fprintd runs as root with no confinement, it can create its state directory as needed (with g_mkdir_with_parents() in file_storage_print_data_save()).
---
 configure.ac | 2 ++
 data/fprintd.service.in | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index 9c8d979..41804ae 100644
--- a/configure.ac
+++ b/configure.ac
@@ -60,6 +60,8 @@ AC_ARG_WITH([systemdsystemunitdir],
 [],
 [with_systemdsystemunitdir=$($PKG_CONFIG --variable=systemdsystemunitdir systemd)])
 AS_IF([test "x$with_systemdsystemunitdir" != "xno"], [
+ # StateDirectory was introduced in systemd 235
+ PKG_CHECK_MODULES(SYSTEMD, systemd >= 235)
 AC_SUBST([systemdsystemunitdir], [$with_systemdsystemunitdir])
 ])
 AM_CONDITIONAL(HAVE_SYSTEMD, [test -n "$systemdsystemunitdir"])
diff --git a/data/fprintd.service.in b/data/fprintd.service.in
index f2ebd98..9ea7a2a 100644
--- a/data/fprintd.service.in
+++ b/data/fprintd.service.in
@@ -11,7 +11,8 @@ ExecStart=@libexecdir@/fprintd
 ProtectSystem=strict
 ProtectKernelTunables=true
 ProtectControlGroups=true
-ReadWritePaths=/var/lib/fprint
+# This always corresponds to /var/lib/fprint
+StateDirectory=fprint
 ProtectHome=true
 PrivateTmp=true
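Review bot: The new `PKG_CHECK_MODULES(SYSTEMD, systemd >= 235)` also runs when `$with_systemdsystemunitdir` is empty, because the surrounding `AS_IF` only excludes the literal value `no`. On a build host without systemd.pc the default taken from `$PKG_CONFIG --variable=systemdsystemunitdir systemd` expands to nothing, so configure now aborts where it previously just left `HAVE_SYSTEMD` false, which contradicts the non-systemd case the commit message describes. Guard the version check on a non-empty value, for example `AS_IF([test -n "$with_systemdsystemunitdir" && test "x$with_systemdsystemunitdir" != "xno"], [`. Since `SYSTEMD_CFLAGS`/`SYSTEMD_LIBS` are not used in the visible lines, `PKG_CHECK_EXISTS([systemd >= 235], [], [AC_MSG_ERROR([systemd >= 235 is required for StateDirectory=])])` would state the requirement more directly and give a clearer error.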
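Review bot: `StateDirectory=fprint` creates /var/lib/fprint with systemd's default mode 0755, as the commit message notes, so on a fresh /var every local user can traverse and list the directory that holds enrolled fingerprint data. The permissions fprintd applies to the per-user entries underneath are not visible in this hunk, so the unit should not depend on them; add `StateDirectoryMode=0700` directly below the new line. The comment could also say why the path matters, for example `# Created by systemd as /var/lib/fprint; must match the storage path compiled into fprintd`. The [Service] section begins above this hunk.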