
@re2zero
Contributor

@re2zero re2zero commented Dec 24, 2025

  • Fix CMake variable name from CVERSION to VERSION in debian/rules
  • Enhance deepin-devicecontrol service with comprehensive sandboxing:
    • Apply strict resource limits (2G memory, IO weight 200)
    • Enable filesystem protection (ProtectSystem, ProtectHome, PrivateTmp)
    • Restrict executable paths and set write permissions selectively
    • Add security restrictions (NoNewPrivileges, MemoryDenyWriteExecute)
    • Define specific accessible and inaccessible system paths
    • Set capability bounding set and ambient capabilities
    • Adjust scheduling priority and OOM score

Log: harden service security.

Summary by Sourcery

Harden the deepin-devicecontrol service security and correct a Debian packaging variable name.

Enhancements:

  • Tighten systemd sandboxing and resource limits for the deepin-devicecontrol service, including filesystem, capability, and execution path restrictions.

Build:

  • Fix a Debian rules CMake variable name from CVERSION to VERSION.

Chores:

  • Update repository ignore patterns in .gitignore.

@sourcery-ai

sourcery-ai bot commented Dec 24, 2025

Reviewer's Guide

This PR hardens the deepin-devicecontrol systemd service using stricter sandboxing and resource constraints, and fixes a CMake-related variable name in debian packaging, along with a minor .gitignore update.

File-Level Changes

Change: Fix packaging build variable name to use the correct VERSION variable in debian rules.
Details:
  • Replace incorrect CVERSION variable reference with VERSION in the debian build rules.
  • Ensure the packaging scripts correctly pick up the project version during builds.
Files: debian/rules

Change: Tighten systemd sandboxing and resource constraints for the deepin-devicecontrol service.
Details:
  • Configure memory and IO resource limits (e.g., 2G memory limit and IO weight).
  • Enable filesystem protection options such as ProtectSystem, ProtectHome, and PrivateTmp.
  • Restrict executable search paths and limit writable paths to a minimal set.
  • Add security-focused flags including NoNewPrivileges and MemoryDenyWriteExecute.
  • Specify explicit ReadOnlyPaths, ReadWritePaths, InaccessiblePaths, and related access controls.
  • Define a minimal capability bounding set and ambient capabilities required by the service.
  • Tune service scheduling priority and OOMScoreAdjust for better isolation and behavior under memory pressure.
Files: deepin-devicemanager-server/deepin-devicecontrol/deepin-devicecontrol.service

Change: Adjust VCS ignore configuration.
Details:
  • Update .gitignore patterns, likely to account for new build artifacts or editor files.
Files: .gitignore

@sourcery-ai sourcery-ai bot left a comment

Hey - I've left some high level feedback:

  • For the new systemd hardening options (memory limit, IO weight, OOMScoreAdjust, etc.), consider adding brief inline comments in the unit file explaining the rationale for the chosen values so future maintainers know why these specific thresholds were selected.
  • Double-check whether any binaries or scripts the service might legitimately spawn outside the explicitly allowed executable paths are now blocked; if so, it may be safer to group such paths (e.g., a dedicated helper directory) rather than enumerating individual binaries to ease future changes.
  • Given the aggressive filesystem and namespace restrictions (ProtectSystem, ProtectHome, PrivateTmp, InaccessiblePaths, etc.), validate that all required runtime write locations are explicitly covered by ReadWritePaths or similar directives to avoid subtle failures when the service writes logs, state, or sockets.

@deepin-ci-robot

deepin pr auto review

Let me help analyze the changes in this diff; they cover three areas:

  1. Changes to .gitignore:
  • Added ignores for .claude_settings.json and the .auto-claude/ directory, which is reasonable since these are configuration files for the Claude AI tool and do not need version control
  • Added an ignore for the .vscode/ directory, which is also standard practice since VS Code configuration is usually personal preference
  2. Changes to debian/rules:
  • Changed -DCVERSION to -DVERSION; this change is reasonable since VERSION is the more standard CMake variable naming
  3. Changes to deepin-devicecontrol.service:
    This is the most critical change, involving security hardening of a system service. The main improvements include:

Security improvements:

  • Added ProtectSystem=full and ProtectHome=true, restricting access to system directories
  • Added NoNewPrivileges=true, preventing the process from escalating privileges
  • Added MemoryDenyWriteExecute=true, preventing code execution from memory
  • Set InaccessiblePaths, restricting access to sensitive system files
  • Restricted executable paths (ExecPaths) and non-executable paths (NoExecPaths)

Performance tuning:

  • Lowered MemoryMax from 8G to 2G, a more reasonable memory limit
  • Added IOWeight=200 to control IO priority
  • Set OOMScoreAdjust=-500 and Nice=-5 to raise the process priority

Permission management:

  • Explicitly defined CapabilityBoundingSet and AmbientCapabilities, granting only the necessary permissions
  • Set PrivateTmp=true to use a private temporary directory
  • Configured ProtectProc=invisible to restrict access to other processes

Suggested improvements:

  1. Consider removing /tmp and /var/tmp from ReadWritePaths, since PrivateTmp=true is already set
  2. Consider adding RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 to restrict network protocol families
  3. Suggest adding SystemCallFilter=@System-service to restrict system calls
  4. Consider adding RemoveIPC=true to clean up IPC resources

Overall, these changes improve the system's security and stability and are a good hardening plan. It is recommended to test thoroughly before deployment to make sure all functionality works correctly.
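The hardening discussed in this thread, written out as one complete unit with the rationale comments Sourcery asked for. This is an added example, not the unit file from the PR: the ExecStart path, state directory, InaccessiblePaths entry and capability names are placeholders, and the last three directives are the deepin-ci-robot's suggestions rather than anything the PR added.

```ini
# Added example, not the unit shipped by this PR. Paths and capability names
# marked "placeholder" are assumptions; replace them with what the daemon needs.
[Unit]
Description=deepin device control service (placeholder)

[Service]
Type=simple
# Placeholder path: the real ExecStart is not shown in the thread.
ExecStart=/usr/bin/deepin-devicecontrol

# Resource limits. MemoryMax bounds a leak instead of letting it starve the
# desktop; IOWeight=200 (default 100) gives block IO a moderate boost; the
# negative OOMScoreAdjust makes this one of the last processes the kernel kills.
MemoryMax=2G
IOWeight=200
OOMScoreAdjust=-500
Nice=-5

# Filesystem view. ProtectSystem=full mounts /usr, /boot and /etc read-only,
# ProtectHome hides user data, PrivateTmp gives the unit its own /tmp and
# /var/tmp, so those two paths do not belong in ReadWritePaths (review point 1).
ProtectSystem=full
ProtectHome=true
PrivateTmp=true
ProtectProc=invisible
# Placeholder state directory; list only what the service really writes.
ReadWritePaths=/var/lib/deepin-devicecontrol
# Placeholder entry; the PR's actual InaccessiblePaths list is not in the thread.
InaccessiblePaths=/etc/shadow

# Execution restrictions. NoExecPaths=/ plus ExecPaths= means code can only be
# mapped executable from the system binary and library trees; the service
# binary and the dynamic loader must live under ExecPaths or startup fails.
NoNewPrivileges=true
MemoryDenyWriteExecute=true
NoExecPaths=/
ExecPaths=/usr/bin /usr/lib /usr/lib64

# Capabilities. Placeholder names: bound the set to what the daemon proves it
# needs; ambient grants keep them if the unit later runs under a non-root User=.
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SYS_RAWIO
AmbientCapabilities=CAP_SYS_ADMIN CAP_SYS_RAWIO
# Further tightening suggested by the deepin-ci-robot review (not in the PR).
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallFilter=@system-service
RemoveIPC=true

[Install]
WantedBy=multi-user.target
```

Comments in systemd units must start a line; a `#` after a value is read as part of the value, which is why the rationale sits on its own lines above each setting. `systemd-analyze security deepin-devicecontrol.service` scores the result and names the directives still missing.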

@deepin-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: lzwind, re2zero

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@re2zero
Contributor Author

re2zero commented Dec 25, 2025

/merge

@deepin-bot
Contributor

deepin-bot bot commented Dec 25, 2025

This pr cannot be merged! (status: unstable)

@re2zero
Contributor Author

re2zero commented Dec 25, 2025

/forcemerge

@deepin-bot
Contributor

deepin-bot bot commented Dec 25, 2025

This pr force merged! (status: unstable)

@deepin-bot deepin-bot bot merged commit 9be8811 into linuxdeepin:master Dec 25, 2025
17 of 18 checks passed
@re2zero re2zero deleted the bugfix branch December 25, 2025 08:50