@electricface

  • Use the deepin-daemon user to run services whenever possible,
    reducing privilege risks;
  • Add a D-Bus policy to allow the deepin-daemon user to invoke the
    HandleSystemEvent method;
  • Deny users other than root and deepin-daemon from calling
    HandleSystemEvent, strengthening access control.

@deepin-ci-robot

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@electricface electricface force-pushed the swt/security branch 8 times, most recently from 954b8da to 1d4121c on December 24, 2025 11:06
@electricface electricface marked this pull request as ready for review December 24, 2025 11:06

@electricface electricface left a comment

Fixed.

- Use the deepin-daemon user to run services whenever possible,
  reducing privilege risks;
- Add a D-Bus policy to allow the deepin-daemon user to invoke the
  HandleSystemEvent method;
- Deny users other than root and deepin-daemon from calling
  HandleSystemEvent, strengthening access control;
- Remove the unused update-metadata-info related scripts and
  services.

Task: https://pms.uniontech.com/task-view-385069.html
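
A D-Bus policy fragment of the shape the comment above describes (deny HandleSystemEvent to everyone, then allow it back for root and deepin-daemon), added here as an illustration and not taken from the PR itself; the bus name, interface and the surrounding general allow rule are placeholders and assumptions, since the page does not state them.

```xml
<!-- Added example, not the PR's own policy file. PLACEHOLDER.* values are
     assumptions: the page does not give the service's bus name or interface. -->
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <!-- dbus-daemon applies policies in order: context="default", then group,
       then user, then context="mandatory". Later policies override earlier
       ones, and within one policy later rules override earlier rules. -->

  <policy context="default">
    <!-- Assumed general allow so ordinary clients can still reach the
         service's other methods (the system bus denies sends by default). -->
    <allow send_destination="PLACEHOLDER.BusName"/>
    <!-- The deny must come AFTER the general allow inside the same policy,
         otherwise the allow would override it. Scoping it to destination and
         interface keeps it from matching unrelated traffic. -->
    <deny send_destination="PLACEHOLDER.BusName"
          send_interface="PLACEHOLDER.Interface"
          send_member="HandleSystemEvent"/>
  </policy>

  <!-- User policies are evaluated after the default context, so these
       allows win for exactly the two accounts the PR names. -->
  <policy user="root">
    <allow send_destination="PLACEHOLDER.BusName"
           send_interface="PLACEHOLDER.Interface"
           send_member="HandleSystemEvent"/>
  </policy>
  <policy user="deepin-daemon">
    <allow send_destination="PLACEHOLDER.BusName"
           send_interface="PLACEHOLDER.Interface"
           send_member="HandleSystemEvent"/>
  </policy>
</busconfig>
```

After installing such a file, a quick check is to invoke the method with busctl as an ordinary user, which should fail with org.freedesktop.DBus.Error.AccessDenied, and again as root, which should succeed. The bus policy complements rather than replaces the in-service caller check the review below mentions (isAllowedToTriggerSystemEvent in manager.go), since policy files can be overridden by other drop-ins.
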
@deepin-ci-robot

deepin pr auto review

I will review this code, analyzing it mainly from the perspectives of security, performance and code quality:

  1. Security improvements:
  • Security restrictions such as CapabilityBoundingSet, InaccessiblePaths and NoNewPrivileges were added to several systemd service configurations, which is a good security practice.
  • Detailed comments were added to lastore-daemon.service explaining why certain security features cannot be enabled, which helps future maintenance.
  • A start_lastore_daemon function was added to gen_upgrade_check_config.sh that uses busctl instead of calling systemctl directly, reducing the risk of privilege escalation.
  2. Performance optimizations:
  • The update_metadata_info-related services and scripts were removed, simplifying the system startup flow.
  • In build_safecache.sh, a temporary file is used instead of copying directly, avoiding race conditions during file writes.
  • In build_system_info, the --ignore-ancestors parameter is used, avoiding misidentification of the parent process.
  3. Code quality improvements:
  • The constant UPDATE_RUN_FLAG was defined in gen_upgrade_check_config.sh, improving maintainability.
  • Error handling for file operations was added in smartmirror.go, improving robustness.
  • A file deletion operation was added in deprecated.go, avoiding write failures caused by insufficient permissions.

Suggested further improvements:

  1. In manager.go, the TODO comment in the isAllowedToTriggerSystemEvent function should be addressed as soon as possible, making explicit which users may trigger specific events.

  2. In smartmirror.go, consider adding atomicity guarantees for file operations, for example using a temporary file plus rename.

  3. In build_system_info, consider adding a timeout mechanism to prevent the script from running for a long time.

  4. In gen_upgrade_check_config.sh, consider adding logging to make problems easier to trace.

  5. It is recommended to use the same user (deepin-daemon) consistently across all systemd service configurations, avoiding permission confusion.

  6. In file-operation-related code, it is recommended to use filepath.Join consistently instead of direct string concatenation, improving cross-platform compatibility.

These improvements center on security, reliability and maintainability, and help raise the overall quality of the system.

@deepin-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: electricface, zhaohuiw42


@electricface electricface merged commit 3373ac8 into linuxdeepin:master Dec 25, 2025
15 of 16 checks passed
@electricface electricface deleted the swt/security branch December 25, 2025 09:42