greetd.service hardening #924

Merged: 2 commits, Dec 17, 2024

gngram (Contributor) commented Dec 9, 2024

Description of changes

  • Hardened service config for greetd
  • Exposure level after hardening: 3.5

Checklist for things done

  • Summary of the proposed changes in the PR description
  • More detailed description in the commit message(s)
  • Commits are squashed into relevant entities - avoid a lot of minimal dev time commits in the PR
  • Contribution guidelines followed
  • Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
  • PR linked to architecture documentation and requirement(s) (ticket id)
  • Test procedure described (or includes tests). Select one or more:
    • Tested on Lenovo X1 x86_64
    • Tested on Jetson Orin NX or AGX aarch64
    • Tested on Polarfire riscv64
  • Author has run make-checks and it passes
  • All automatic Github Action checks pass - see actions
  • Author has added reviewers and removed PR draft status
  • Change requires full re-installation
  • Change can be updated with nixos-rebuild ... switch

Instructions for Testing

  • List all targets that this applies to:
    - Lenovo x1
  • Is this a new feature
    • List the test steps to verify:
      • Boot the system and log in, check if the system behaves normally.
  • If it is an improvement how does it impact existing functionality?

@brianmcgillion brianmcgillion added the Needs Testing CI Team to pre-verify label Dec 9, 2024
@gngram gngram force-pushed the pr__greetd_service branch from 353a446 to f1afd68 Compare December 10, 2024 06:25
milva-unikie commented Dec 10, 2024

Tested on Lenovo-X1 (nixos-rebuild switch)

Issues:

  • Changing volume with F1, F2 and F3 keys does not work.
  • Can not enroll a fingerprint
[ghaf@gui-vm:~]$ fprintd-enroll -f right-index-finger
Using device /net/reactivated/Fprint/Device/0
failed to claim device: GDBus.Error:net.reactivated.Fprint.Error.PermissionDenied: Not Authorized: net.reactivated.fprint.device.setusername
  • Can not load the falcon model
[ghaf@gui-vm:~]$ load-falcon 
Error: Head "http://127.0.0.1:11434/": dial tcp 127.0.0.1:11434: socket: address family not supported by protocol
Error: Head "http://127.0.0.1:11434/": dial tcp 127.0.0.1:11434: socket: address family not supported by protocol

Working:

  • Can login
  • Apps work
  • Test-automation passes

Notes:

SSH connection to the host or to other VMs does not work from the gui-vm. Is this intended behavior? Is there some other way to connect to the host and VMs?

[ghaf@gui-vm:~]$ ssh ghaf-host-debug 
socket: Address family not supported by protocol
ssh: connect to host ghaf-host-debug port 22: failure
[ghaf@gui-vm:~]$ ssh comms-vm-debug 
socket: Address family not supported by protocol
ssh: connect to host comms-vm-debug port 22: failure

SSH connections still work through net-vm. EDIT: I tried ssh to net-vm from gui-vm again and now it is not working for some reason. I don't understand what changed.
EDIT2: Checked with a new installation that it does not in fact work. I blame nixos-rebuild switch for the confusion.

@milva-unikie milva-unikie added bug on Lenovo X1 Carbon Issues found on Lenovo X1 Carbon while checking this PR and removed Needs Testing CI Team to pre-verify labels Dec 10, 2024
milva-unikie commented

I tested again with a new installation and noticed that some of the issues I pointed out yesterday are probably related to nixos-rebuild switch. I updated my comment above.

Please check the box "Change requires full re-installation" in the description of this PR.

@gngram gngram force-pushed the pr__greetd_service branch from f1afd68 to e05abdb Compare December 11, 2024 14:09
gngram (Contributor, Author) commented Dec 11, 2024

@milva-unikie Please verify it again. I have updated the PR with a fix.
In my setup, it works without full re-installation; however, I mentioned it.

milva-unikie commented

Tested on Lenovo-X1 (full re-installation)

Issues:

  • Log Out does not work. Same issue with Power menu and with lock-screen button. I believe it did work when I was testing this PR last time.

Working:

  • Previous issues have been fixed (F1, F2, F3, fingerprint enrollment and loading falcon)
  • Apps work
  • Test-automation passes (except logging out after gui tests)

> @milva-unikie Please verify it again. I have updated the PR with a fix. In my setup, it works without full re-installation; however, I mentioned it.

Thanks. I did have some weird problems when using rebuild-switch. Might have something to do with the specific version I was using. This time I used a clean installation to be sure no extra issues are reported.

@gngram gngram force-pushed the pr__greetd_service branch from e05abdb to 67b41e0 Compare December 12, 2024 13:54
gngram (Contributor, Author) commented Dec 12, 2024

@milva-unikie Power menu and lock screen work fine for me; I faced an issue with logoff only. This issue was there from the first push; in the last push I had removed some restrictions.

I have fixed the logoff issue, please verify again.

- Hardened service config for greetd
- Exposure level after hardening: 3.5

Signed-off-by: Ganga Ram <[email protected]>

- Increase disko memsize to avoid oom.

Signed-off-by: Ganga Ram <[email protected]>

@gngram gngram force-pushed the pr__greetd_service branch from 67b41e0 to c3dc729 Compare December 13, 2024 09:35
milva-unikie commented

Tested on Lenovo-X1 (full re-installation)

I think everything is good now!

  • Log Out works from Power menu and from Lock screen.
  • Test-automation passes when excluding the fixes that were added for Ghaf user accounts #827
  • I did not do full regression testing anymore after the latest changes, but with quick testing could not see anything broken. (Cameras are not working, but that is not caused by this PR).

> @milva-unikie Power menu and lock screen work fine for me; I faced an issue with logoff only. This issue was there from the first push; in the last push I had removed some restrictions.
>
> I have fixed the logoff issue, please verify again.

Sorry if I was a bit unclear. Only the Log Out was broken, but it was broken from both the menus mentioned. Now fixed!

@milva-unikie milva-unikie added Tested on Lenovo X1 Carbon This PR has been tested on Lenovo X1 Carbon and removed bug on Lenovo X1 Carbon Issues found on Lenovo X1 Carbon while checking this PR labels Dec 16, 2024
@brianmcgillion brianmcgillion merged commit 40e5ba6 into tiiuae:main Dec 17, 2024
16 checks passed