4 changes: 4 additions & 0 deletions .github/workflows/scripts/build-deb.sh
Expand Up @@ -107,6 +107,10 @@ install -m644 systemd/facelock-daemon.service "${PKG_DIR}/usr/lib/systemd/system
install -m644 dbus/org.facelock.Daemon.conf "${PKG_DIR}/usr/share/dbus-1/system.d/org.facelock.Daemon.conf"
install -m644 dbus/org.facelock.Daemon.service "${PKG_DIR}/usr/share/dbus-1/system-services/org.facelock.Daemon.service"

# Polkit action (interactive authorization for preview frame bytes)
mkdir -p "${PKG_DIR}/usr/share/polkit-1/actions"
install -m644 dbus/org.facelock.policy "${PKG_DIR}/usr/share/polkit-1/actions/org.facelock.policy"

# sysusers.d and tmpfiles.d
install -m644 dist/facelock.sysusers "${PKG_DIR}/usr/lib/sysusers.d/facelock.conf"
install -m644 dist/facelock.tmpfiles "${PKG_DIR}/usr/lib/tmpfiles.d/facelock.conf"
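
Review bot: `mkdir -p "${PKG_DIR}/usr/share/polkit-1/actions"` leaves the directory mode to the build runner's umask, while the file installed on the next line is pinned with `install -m644`. Consider `install -d -m755 "${PKG_DIR}/usr/share/polkit-1/actions"` so the packaged directory mode is explicit. It is also worth confirming that the package metadata declares polkit as a dependency or recommendation, since the deb now ships an action file that only takes effect where polkit is installed.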
1 change: 1 addition & 0 deletions .github/workflows/scripts/validate-deb.sh
Expand Up @@ -15,6 +15,7 @@ CHECKS=(
"etc/facelock/config.toml:config"
"dbus-1/system.d/org.facelock.Daemon.conf:D-Bus policy"
"dbus-1/system-services/org.facelock.Daemon.service:D-Bus activation"
"polkit-1/actions/org.facelock.policy:polkit action policy"
"sysusers.d/facelock.conf:sysusers"
"tmpfiles.d/facelock.conf:tmpfiles"
"usr/lib/facelock/libonnxruntime.so:bundled ORT"
1 change: 1 addition & 0 deletions .github/workflows/scripts/validate-rpm.sh
Expand Up @@ -15,6 +15,7 @@ CHECKS=(
"etc/facelock/config.toml:config"
"dbus-1/system.d/org.facelock.Daemon.conf:D-Bus policy"
"dbus-1/system-services/org.facelock.Daemon.service:D-Bus activation"
"polkit-1/actions/org.facelock.policy:polkit action policy"
"sysusers.d/facelock.conf:sysusers"
"tmpfiles.d/facelock.conf:tmpfiles"
"authselect/vendor/facelock:authselect"
7 changes: 7 additions & 0 deletions book/src/contracts.md
Expand Up @@ -127,6 +127,13 @@ D-Bus system bus (`org.facelock.Daemon`). Only used in daemon mode. The daemon e
### Methods
`Authenticate`, `Enroll`, `ListModels`, `RemoveModel`, `ClearModels`, `PreviewFrame`, `PreviewDetectFrame`, `ListDevices`, `ReleaseCamera`, `Ping`, `Shutdown`

Raw camera frames require privilege. `PreviewFrame` remains root-only. `PreviewDetectFrame` returns the `jpeg_data` frame bytes to root unconditionally; a non-root caller receives them only after an interactive polkit authorization for the action `org.facelock.preview-frames` (checked via `org.freedesktop.PolicyKit1.Authority.CheckAuthorization`, `AllowUserInteraction=true`). While unauthorized — denied, prompt pending, polkit unreachable, or any D-Bus error — the daemon fails closed: `jpeg_data` is empty and the caller receives detection and recognition metadata only.

Capture concurrency: `Authenticate`, `Enroll`, `PreviewFrame`, and `PreviewDetectFrame` fail immediately with a `daemon busy` error while another capture is in flight. Clients treat this like any other daemon error and degrade to password auth.

### Signals
`AuthAttempted(user: s, matched: b)` — emitted after each authentication attempt. Carries no similarity score. Bus policy restricts reception to root and the `facelock` group.

### Return Types
`AuthResult`, `Enrolled`, `Models`, `Removed`, `Frame`, `DetectFrame`, `Devices`, `Ok`, `Error`
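
Review bot: the `PreviewDetectFrame` paragraph does not say which polkit subject the daemon passes to `CheckAuthorization`. Please state it, ideally the caller's unique bus name (a `system-bus-name` subject taken from the D-Bus sender) rather than a pid-based `unix-process` subject, which is open to pid reuse races. It would also help to document whether a client can tell an empty `jpeg_data` caused by denial apart from one caused by a pending prompt, unreachable polkit, or a D-Bus error, since all four cases are described as producing the same reply.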
