From 089d4a554f5cdbd12c5ebcc41847cf08799d8977 Mon Sep 17 00:00:00 2001
From: re2zero
Date: Wed, 24 Dec 2025 15:06:58 +0800
Subject: [PATCH] chore: harden service security
- Fix CMake variable name from CVERSION to VERSION in debian/rules
- Enhance deepin-devicecontrol service with comprehensive sandboxing:
- Apply strict resource limits (2G memory, IO weight 200)
- Enable filesystem protection (ProtectSystem, ProtectHome, PrivateTmp)
- Restrict executable paths and set write permissions selectively
- Add security restrictions (NoNewPrivileges, MemoryDenyWriteExecute)
- Define specific accessible and inaccessible system paths
- Set capability bounding set and ambient capabilities
- Adjust scheduling priority and OOM score
Log: harden service security.
---
 .gitignore | 6 +++
 debian/rules | 2 +-
 .../deepin-devicecontrol.service | 51 ++++++++++++++++++-
 3 files changed, 56 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index dfd34ec7..1033bae4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -47,6 +47,12 @@ CMakeLists.txt.user*
 .cursor
 .specstory
 .cursorindexingignore
+.claude_settings.json
+# Auto Claude data directory
+.auto-claude/
+
+# vs code
+.vscode/
 # debian
 debian/.debhelper/
diff --git a/debian/rules b/debian/rules
index 00e3d416..dc5b699e 100755
--- a/debian/rules
+++ b/debian/rules
@@ -32,7 +32,7 @@ override_dh_auto_configure:
 -DCMAKE_BUILD_TYPE=Release \
 -DCMAKE_INSTALL_PREFIX=/usr \
 -DAPP_VERSION=$(DEB_VERSION_UPSTREAM) \
- -DCVERSION=$(DEB_VERSION_UPSTREAM) \
+ -DVERSION=$(DEB_VERSION_UPSTREAM) \
 -DQT_DIR=$(QT_DIR)
 %:
 dh $@ --parallel
diff --git a/deepin-devicemanager-server/deepin-devicecontrol/deepin-devicecontrol.service b/deepin-devicemanager-server/deepin-devicecontrol/deepin-devicecontrol.service
index 6d312cc2..4cc9ad4d 100644
--- a/deepin-devicemanager-server/deepin-devicecontrol/deepin-devicecontrol.service
+++ b/deepin-devicemanager-server/deepin-devicecontrol/deepin-devicecontrol.service
@@ -6,8 +6,55 @@ Type=dbus
 BusName=org.deepin.DeviceControl
 User=root
 ExecStart=/usr/bin/deepin-devicecontrol
-CapabilityBoundingSet=~CAP_NET_RAW
-MemoryMax=8G
+StandardOutput=journal
+MemoryMax=2G
+IOWeight=200
+ProtectSystem=full
+ProtectHome=true
+ProtectProc=invisible
+PrivateTmp=true
+PrivateDevices=false
+PrivateIPC=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=false
+NoNewPrivileges=true
+MemoryDenyWriteExecute=true
+RestrictSUIDSGID=true
+LimitMEMLOCK=infinity
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SYS_MODULE CAP_SYS_PTRACE CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_BOOT CAP_KILL CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_SYS_ADMIN CAP_SYS_MODULE CAP_SYS_PTRACE CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_BOOT CAP_KILL CAP_NET_BIND_SERVICE
+ExecPaths=/usr/bin /usr/sbin /bin /sbin /lib /lib64 /usr/lib /usr/lib64
+NoExecPaths=/tmp /var/tmp /home /root
+ReadWritePaths=/var/lib/deepin-devicemanager
+ReadWritePaths=/var/log
+ReadWritePaths=/var/cache
+ReadWritePaths=/tmp
+ReadWritePaths=/var/tmp
+ReadWritePaths=/etc/modprobe.d
+ReadWritePaths=/run
+ReadOnlyPaths=/sys
+ReadOnlyPaths=/proc
+ReadOnlyPaths=/etc
+ReadOnlyPaths=/usr
+ReadOnlyPaths=/lib
+ReadOnlyPaths=/boot
+InaccessiblePaths=-/etc/shadow
+InaccessiblePaths=-/etc/NetworkManager/system-connections/
+InaccessiblePaths=-/etc/pam.d/
+InaccessiblePaths=-/etc/security/
+InaccessiblePaths=-/etc/selinux/
+InaccessiblePaths=-/etc/deepin-elf-verify/
+InaccessiblePaths=-/etc/filearmor.d/
+InaccessiblePaths=-/etc/crypttab
+InaccessiblePaths=-/etc/fstab
+InaccessiblePaths=-/sysroot/ostree/repo/
+InaccessiblePaths=-/persistent/ostree/repo/
+InaccessiblePaths=-/usr/share/uadp
+InaccessiblePaths=-/etc/sudoers
+InaccessiblePaths=-/etc/sudoers.d
+OOMScoreAdjust=-500
+Nice=-5
 [Install]
 WantedBy=multi-user.target
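Review bot: Keeping CAP_SYS_ADMIN (and CAP_SYS_MODULE) in the new CapabilityBoundingSet= line leaves the mount-namespace restrictions added with it — ProtectSystem=, ReadOnlyPaths=, InaccessiblePaths=, NoExecPaths= — undoable by the service itself, since systemd.exec(5) notes they are only effective when paired with `CapabilityBoundingSet=~CAP_SYS_ADMIN` or `SystemCallFilter=~@mount`; if the daemon never mounts anything, adding `SystemCallFilter=~@mount` would make the path sandbox enforceable without changing its capability set. The AmbientCapabilities= line that repeats the bounding set adds nothing a User=root process does not already receive on exec, as far as I can see, and only widens what any child process starts with, so it can likely be dropped. ReadOnlyPaths=/sys (already implied by ProtectKernelTunables=true) will block any sysfs writes the device-control logic may depend on, and MemoryDenyWriteExecute=true can break a Qt process if it uses the QML/JavaScript JIT, so both need a runtime check before release. ReadWritePaths=/tmp and ReadWritePaths=/var/tmp are redundant once PrivateTmp=true is set and could be removed to keep the unit readable.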