@add-uos add-uos commented Jan 6, 2026

…tion

temporarily disable security restrictions in service configuration

log: temporarily disable security restrictions in service configuration
bug: https://pms.uniontech.com/bug-view-346599.html

Summary by Sourcery

Enhancements:

  • Modify deepin-devicecontrol.service to relax security restrictions in the service configuration.

sourcery-ai bot commented Jan 6, 2026

Reviewer's Guide

This PR temporarily disables security-related constraints in the deepin-devicecontrol systemd service unit to work around a reported bug, adjusting the service configuration rather than application code.

File-Level Changes

Change: Relax security restrictions in the deepin-devicecontrol systemd service unit to allow the service to run without current hardening constraints.
Details:
  • Update the deepin-devicecontrol.service unit configuration to remove or disable security-hardening directives (e.g., sandboxing or namespace restrictions).
  • Ensure the service can start and operate under a less restricted environment as a temporary workaround for the referenced bug.
Files: deepin-devicemanager-server/deepin-devicecontrol/deepin-devicecontrol.service

@sourcery-ai sourcery-ai bot left a comment

Hey - I've reviewed your changes and they look great!



@deepin-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: add-uos, lzwind

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@deepin-ci-robot

deepin pr auto review

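Here is my review of the changes to this systemd service configuration file:

  1. Security analysis:
    This is a very dangerous change. The original configuration contained a large number of security restrictions, including:
  • File system access control (ProtectSystem, ProtectHome, etc.)
  • Privilege control (NoNewPrivileges, CapabilityBoundingSet, etc.)
  • Path access restrictions (ReadWritePaths, ReadOnlyPaths, InaccessiblePaths, etc.)
  • Memory protection (MemoryDenyWriteExecute)
  • Process isolation (PrivateTmp, PrivateIPC, etc.)

All of these security settings have now been commented out, which will let the service run completely unrestricted and brings serious security risks.

  2. Performance impact:
  • The IOWeight limit was removed, which may affect overall system I/O performance
  • The OOMScoreAdjust and Nice settings were removed, which may affect system resource allocation
  3. Suggested improvements:
    a) All security restrictions should not be disabled completely; instead:
  • Keep basic security restrictions such as ProtectSystem and ProtectHome
  • Open up specific permissions only when they are really needed
  • Keep path access control and open only the necessary read/write paths

b) If certain specific permissions really are needed, it is recommended to:

  • Clearly document why these permissions are needed
  • Open only the minimum necessary set of permissions
  • Consider using finer-grained permission control

d) Alternatives:

  • If this is for debugging purposes, create a separate debug configuration file
  • Consider using systemd's override mechanism to modify the configuration temporarily
  4. Specific suggestions:
# Basic security restrictions should be kept
ProtectSystem=full
ProtectHome=true
PrivateTmp=true
NoNewPrivileges=true

# If specific permissions really are needed, open only the necessary ones
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SYS_MODULE
AmbientCapabilities=CAP_SYS_ADMIN CAP_SYS_MODULE

# Keep path access control, but adjust it as needed
ReadWritePaths=/var/lib/deepin-devicemanager
ReadWritePaths=/var/log
ReadOnlyPaths=/sys
ReadOnlyPaths=/proc

This change will significantly reduce the security of the system, and it is strongly recommended not to disable all security restrictions completely. If certain permissions really are needed, only the minimum necessary set of permissions should be opened, and the reasons should be documented in detail.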
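
A CI-style check for the regression this review describes, as an added example that is not part of the PR or the deepin project's code: it reports which of the hardening directives named above are active, commented out, or absent in a unit's [Service] section. The `audit_unit` and `gate` names and the sample unit are constructed for illustration; continuation lines are not handled.

```python
import re

# Hardening directives named in the review comment above (real systemd options).
HARDENING = {
    "ProtectSystem", "ProtectHome", "NoNewPrivileges", "CapabilityBoundingSet",
    "ReadWritePaths", "ReadOnlyPaths", "InaccessiblePaths",
    "MemoryDenyWriteExecute", "PrivateTmp", "PrivateIPC",
}
# Key=Value line, optionally commented out with '#' or ';' (systemd comment markers).
LINE = re.compile(r"^\s*(?P<off>[#;]+)?\s*(?P<key>[A-Za-z][A-Za-z0-9]*)\s*=(?P<val>.*)$")

def audit_unit(text):
    """Return (active, disabled, missing) hardening directives found in [Service]."""
    active, disabled, section = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        m = LINE.match(raw)
        if not m or section != "Service" or m["key"] not in HARDENING:
            continue
        if m["off"]:
            disabled.add(m["key"])          # present but commented out
        else:
            active.setdefault(m["key"], []).append(m["val"].strip())
    disabled -= set(active)                 # an uncommented copy wins
    missing = HARDENING - set(active) - disabled
    return active, sorted(disabled), sorted(missing)

def gate(text, required=("ProtectSystem", "ProtectHome", "PrivateTmp", "NoNewPrivileges")):
    """CI gate: required directives that are not active; an empty list means pass."""
    active, _, _ = audit_unit(text)
    return [key for key in required if key not in active]

# Constructed sample, not the project's real unit file.
SAMPLE = """\
[Unit]
Description=constructed example service

[Service]
ExecStart=/usr/bin/example-daemon
#ProtectSystem=full
# ProtectHome=true
NoNewPrivileges=true
;PrivateTmp=true
#ReadWritePaths=/var/lib/example
"""
```

The default `required` tuple is the set the review lists as basic restrictions to keep; a commented-out line that merely mentions `Key=` in prose would also be counted as disabled, so treat the result as a prompt for review.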


add-uos commented Jan 6, 2026

/forcemerge


deepin-bot bot commented Jan 6, 2026

This pr force merged! (status: unstable)

@deepin-bot deepin-bot bot merged commit 394cff7 into linuxdeepin:master Jan 6, 2026
16 of 18 checks passed