chore: systemd hardening

加固 dbus 进程
linuxdeepin · Jun 26, 2024 · 4c91a37 · 4c91a37
1 parent 48e5ee4
commit 4c91a37
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 8 deletions.
diff --git a/dconfig-center/dde-dconfig-daemon/services/dde-dconfig-daemon.service b/dconfig-center/dde-dconfig-daemon/services/dde-dconfig-daemon.service
@@ -1,9 +1,39 @@
 [Unit]
 Description=dde-dconfig-daemon service
 
+# Ask for the dbus socket.
+Wants=dbus.socket
+After=dbus.socket
+
 [Service]
 Type=dbus
 User=dde-dconfig-daemon
 BusName=org.desktopspec.ConfigManager
 ExecStart=/usr/bin/dde-dconfig-daemon
 Environment=DSG_DATA_DIRS=/usr/share/dsg:/persistent/linglong/entries/share/dsg
+
+ReadOnlyPaths=/usr/share/dsg -/persistent/linglong/entries/share/dsg
+StateDirectory=dde-dconfig-daemon
+
+DevicePolicy=closed
+
+ProtectSystem=full
+ProtectHome=yes
+PrivateTmp=yes
+#PrivateDevices=yes
+PrivateNetwork=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+
+[Install]
+Alias=dbus-org.desktopspec.ConfigManager.service
diff --git a/dconfig-center/dde-dconfig-daemon/services/org.desktopspec.ConfigManager.service b/dconfig-center/dde-dconfig-daemon/services/org.desktopspec.ConfigManager.service
@@ -2,4 +2,4 @@
 Name=org.desktopspec.ConfigManager
 Exec=/usr/bin/dde-dconfig-daemon
 User=dde-dconfig-daemon
-SystemdService=dde-dconfig-daemon.service
+SystemdService=dbus-org.desktopspec.ConfigManager.service
diff --git a/debian/dde-dconfig-daemon.tmpfiles b/debian/dde-dconfig-daemon.tmpfiles
diff --git a/debian/rules b/debian/rules
@@ -13,4 +13,3 @@ override_dh_auto_configure:
 override_dh_auto_install:
 	dh_auto_install
 	dh_installsysusers dde-dconfig-daemon.sysusers
-	dh_installtmpfiles dde-dconfig-daemon.tmpfiles