chore: systemd hardening

加固 dbus 进程 Task: https://pms.uniontech.com/task-view-361181.html
caixr23 · Sep 25, 2024 · ea8ccf1 · ea8ccf1
1 parent 6bb42a8
commit ea8ccf1
Show file tree

Hide file tree

Showing 25 changed files with 157 additions and 50 deletions.
diff --git a/misc/system-services/org.deepin.dde.Accounts1.service b/misc/system-services/org.deepin.dde.Accounts1.service
@@ -1,4 +1,5 @@
 [D-BUS Service]
 Name=org.deepin.dde.Accounts1
 Exec=/bin/false
+SystemdService=dde-system-daemon.service
 SystemdService=deepin-accounts1-daemon.service
diff --git a/misc/system-services/org.deepin.dde.AirplaneMode1.service b/misc/system-services/org.deepin.dde.AirplaneMode1.service
@@ -1,4 +1,4 @@
 [D-BUS Service]
 Name=org.deepin.dde.AirplaneMode1
 Exec=/bin/false
-SystemdService=deepin-accounts1-daemon.service
+SystemdService=dde-system-daemon.service
diff --git a/misc/system-services/org.deepin.dde.Apps1.service b/misc/system-services/org.deepin.dde.Apps1.service
@@ -1,4 +1,4 @@
 [D-BUS Service]
 Name=org.deepin.dde.Apps1
 Exec=/bin/false
-SystemdService=deepin-accounts1-daemon.service
+SystemdService=dde-system-daemon.service
diff --git a/misc/system-services/org.deepin.dde.Authority1.service b/misc/system-services/org.deepin.dde.Authority1.service
@@ -1,4 +1,4 @@
 [D-BUS Service]
 Name=org.deepin.dde.Authority1
 Exec=/bin/false
-SystemdService=deepin-authority.service
+SystemdService=dde-authority.service
diff --git a/misc/system-services/org.deepin.dde.BacklightHelper1.service b/misc/system-services/org.deepin.dde.BacklightHelper1.service
@@ -1,5 +1,4 @@
 [D-BUS Service]
 Name=org.deepin.dde.BacklightHelper1
 Exec=/bin/false
-User=root
-SystemdService=deepin-helper-backlight.service
+SystemdService=dde-backlight-helper.service
diff --git a/misc/system-services/org.deepin.dde.Bluetooth1.service b/misc/system-services/org.deepin.dde.Bluetooth1.service
@@ -1,4 +1,4 @@
 [D-BUS Service]
 Name=org.deepin.dde.Bluetooth1
 Exec=/bin/false
-SystemdService=deepin-accounts1-daemon.service
+SystemdService=dde-system-daemon.service
diff --git a/misc/system-services/org.deepin.dde.Daemon1.service b/misc/system-services/org.deepin.dde.Daemon1.service
@@ -1,4 +1,4 @@
 [D-BUS Service]
 Name=org.deepin.dde.Daemon1
 Exec=/bin/false
-SystemdService=deepin-accounts1-daemon.service
+SystemdService=dde-system-daemon.service
diff --git a/misc/system-services/org.deepin.dde.Display1.service b/misc/system-services/org.deepin.dde.Display1.service
@@ -1,4 +1,4 @@
 [D-BUS Service]
 Name=org.deepin.dde.Display1
 Exec=/bin/false
-SystemdService=deepin-accounts1-daemon.service
+SystemdService=dde-system-daemon.service
diff --git a/misc/system-services/org.deepin.dde.Fprintd1.service b/misc/system-services/org.deepin.dde.Fprintd1.service
@@ -1,4 +1,4 @@
 [D-BUS Service]
 Name=org.deepin.dde.Fprintd1
 Exec=/bin/false
-SystemdService=deepin-accounts1-daemon.service
+SystemdService=dde-system-daemon.service
diff --git a/misc/system-services/org.deepin.dde.Gesture1.service b/misc/system-services/org.deepin.dde.Gesture1.service
@@ -1,4 +1,4 @@
 [D-BUS Service]
 Name=org.deepin.dde.Gesture1
 Exec=/bin/false
-SystemdService=deepin-accounts1-daemon.service
+SystemdService=dde-system-daemon.service
diff --git a/misc/system-services/org.deepin.dde.Greeter1.service b/misc/system-services/org.deepin.dde.Greeter1.service
@@ -1,4 +1,5 @@
 [D-BUS Service]
 Name=org.deepin.dde.Greeter1
 Exec=/bin/false
-SystemdService=deepin-greeter-setter.service
+User=root
+SystemdService=dde-greeter-setter.service
diff --git a/misc/system-services/org.deepin.dde.ImageEffect1.service b/misc/system-services/org.deepin.dde.ImageEffect1.service
@@ -1,4 +1,4 @@
 [D-BUS Service]
 Name=org.deepin.dde.ImageEffect1
 Exec=/bin/false
-SystemdService=deepin-accounts1-daemon.service
+SystemdService=dde-system-daemon.service
diff --git a/misc/system-services/org.deepin.dde.LockService1.service b/misc/system-services/org.deepin.dde.LockService1.service
@@ -1,5 +1,4 @@
 [D-BUS Service]
 Name=org.deepin.dde.LockService1
 Exec=/bin/false
-User=deepin-daemon
-SystemdService=deepin-user-lock.service
+SystemdService=dde-lock-service.service
diff --git a/misc/system-services/org.deepin.dde.Network1.service b/misc/system-services/org.deepin.dde.Network1.service
@@ -1,4 +1,4 @@
 [D-BUS Service]
 Name=org.deepin.dde.Network1
 Exec=/bin/false
-SystemdService=deepin-accounts1-daemon.service
+SystemdService=dde-system-daemon.service
diff --git a/misc/system-services/org.deepin.dde.Power1.service b/misc/system-services/org.deepin.dde.Power1.service
@@ -1,4 +1,4 @@
 [D-BUS Service]
 Name=org.deepin.dde.Power1
 Exec=/bin/false
-SystemdService=deepin-accounts1-daemon.service
+SystemdService=dde-system-daemon.service
diff --git a/misc/system-services/org.deepin.dde.SwapSchedHelper1.service b/misc/system-services/org.deepin.dde.SwapSchedHelper1.service
@@ -1,4 +1,4 @@
 [D-BUS Service]
 Name=org.deepin.dde.SwapSchedHelper1
 Exec=/bin/false
-SystemdService=deepin-accounts1-daemon.service
+SystemdService=dde-system-daemon.service
diff --git a/misc/system-services/org.deepin.dde.Timedate1.service b/misc/system-services/org.deepin.dde.Timedate1.service
@@ -1,4 +1,4 @@
 [D-BUS Service]
 Name=org.deepin.dde.Timedate1
 Exec=/bin/false
-SystemdService=deepin-accounts1-daemon.service
+SystemdService=dde-system-daemon.service
diff --git a/misc/system-services/org.deepin.dde.Uadp1.service b/misc/system-services/org.deepin.dde.Uadp1.service
@@ -1,4 +1,4 @@
 [D-BUS Service]
 Name=org.deepin.dde.Uadp1
 Exec=/bin/false
-SystemdService=deepin-accounts1-daemon.service
+SystemdService=dde-system-daemon.service
diff --git a/.../services/system/deepin-authority.service → ...emd/services/system/dde-authority.service b/.../services/system/deepin-authority.service → ...emd/services/system/dde-authority.service
@@ -34,3 +34,7 @@ RestrictRealtime=yes
 RemoveIPC=yes
 # 和golang -pie参数冲突，导致进程无法启动
 #MemoryDenyWriteExecute=yes
+MemoryLimit=100M
+
+[Install]
+Alias=dbus-org.deepin.dde.Authority1.service
diff --git a/...es/system/deepin-helper-backlight.service → ...vices/system/dde-backlight-helper.service b/...es/system/deepin-helper-backlight.service → ...vices/system/dde-backlight-helper.service
@@ -1,5 +1,5 @@
 [Unit]
-Description=deepin backlight helper service
+Description=dde backlight helper service
 
 [Service]
 Type=dbus
@@ -35,3 +35,7 @@ LockPersonality=yes
 RestrictRealtime=yes
 RemoveIPC=yes
 #MemoryDenyWriteExecute=yes
+MemoryLimit=100M
+
+[Install]
+Alias=dbus-org.deepin.dde.BacklightHelper1.service
diff --git a/...ices/system/deepin-greeter-setter.service → ...ervices/system/dde-greeter-setter.service b/...ices/system/deepin-greeter-setter.service → ...ervices/system/dde-greeter-setter.service
@@ -34,3 +34,7 @@ RestrictRealtime=yes
 RemoveIPC=yes
 # 和golang -pie参数冲突，导致进程无法启动
 #MemoryDenyWriteExecute=yes
+MemoryLimit=100M
+
+[Install]
+Alias=dbus-org.deepin.dde.Greeter1.service
diff --git a/.../services/system/deepin-user-lock.service → .../services/system/dde-lock-service.service b/.../services/system/deepin-user-lock.service → .../services/system/dde-lock-service.service
@@ -3,10 +3,9 @@ Description=deepin user lock service
 
 [Service]
 Type=dbus
-BusName=org.deepin.dde.LockService1
+BusName=org.deepin.dde.LockService
 ExecStart=/usr/lib/deepin-daemon/dde-lockservice
 # display和lockservice都会读写/var/lib/lightdm/lightdm-deepin-greeter/state_user文件,因此无法将lockservice单独改为非root
-#User=deepin-daemon
 User=root
 StandardOutput=journal
 StandardError=journal
@@ -17,7 +16,7 @@ InaccessiblePaths=-/etc/NetworkManager/system-connections
 InaccessiblePaths=-/etc/pam.d
 InaccessiblePaths=-/usr/share/uadp/
 
-ReadWritePaths=-/var/lib/lightdm
+ReadWritePaths=-/var/lib/lightdm/lightdm-deepin-greeter
 
 NoNewPrivileges=true
 PrivateMounts=yes
@@ -37,3 +36,7 @@ RestrictRealtime=yes
 RemoveIPC=yes
 # 和golang -pie参数冲突，导致进程无法启动
 #MemoryDenyWriteExecute=yes
+MemoryLimit=100M
+
+[Install]
+Alias=dbus-org.deepin.dde.LockService.service
diff --git a/misc/systemd/services/system/dde-system-daemon.service b/misc/systemd/services/system/dde-system-daemon.service
@@ -0,0 +1,115 @@
+[Unit]
+Description=Accounts1 Service
+
+# In order to avoid races with identity-providing services like SSSD or
+# winbind, we need to ensure that Accounts Service starts after
+# nss-user-lookup.target
+After=nss-user-lookup.target lightdm.service
+Wants=nss-user-lookup.target fprintd.service
+
+[Service]
+Type=simple
+ExecStart=/usr/lib/deepin-daemon/dde-system-daemon
+StandardOutput=journal
+Environment=GVFS_DISABLE_FUSE=1
+Environment=GIO_USE_VFS=local
+Environment=GVFS_REMOTE_VOLUME_MONITOR_IGNORE=1
+
+ReadWritePaths=/usr/share/dde-daemon/
+ReadWritePaths=/var/lib/dde-daemon/
+ReadWritePaths=/var/cache/deepin/dde-daemon/
+ReadWritePaths=-/etc/dde-daemon/
+ReadOnlyPaths=/proc/
+
+DevicePolicy=closed
+
+# clear tty
+DeviceAllow=char-pts
+
+# bluetooth
+ReadOnlyPaths=/var/lib/bluetooth
+
+# network
+ReadOnlyPaths=/etc/NetworkManager/system-connections
+
+# plymouth
+ReadOnlyPaths=/etc/os-version
+ExecPaths=/usr/bin/uname
+ExecPaths=/usr/sbin/plymouth-set-default-theme
+ExecPaths=/usr/sbin/update-initramfs
+
+# wallpapers
+ReadWritePaths=/usr/share/wallpapers/custom-wallpapers/
+
+# Accounts
+ReadOnlyPaths=/etc/deepin-version
+ExecPaths=/usr/lib/dde-control-center/reset-password-dialog
+ReadOnlyPaths=/etc/passwd
+ReadOnlyPaths=/etc/group
+ReadOnlyPaths=/etc/shadow
+ReadOnlyPaths=/etc/sudoers
+ReadOnlyPaths=/etc/lightdm/lightdm.conf
+ReadOnlyPaths=-/usr/share/config/kdm/kdmrc
+ReadOnlyPaths=-/etc/gdm/custom.conf
+ReadOnlyPaths=/var/cache/image-blur/
+ReadWritePaths=/var/lib/AccountsService/
+ReadOnlyPaths=/home/
+ReadOnlyPaths=/var/log/btmp
+ReadOnlyPaths=/var/log/wtmp
+
+# AirplaneMode
+DeviceAllow=/dev/rfkill
+
+# Bluetooth
+ReadOnlyPaths=/var/lib/bluetooth
+
+# Gesture
+DeviceAllow=char-input
+
+# InputDevices、KeyEvent
+ReadOnlyPaths=/sys/bus/usb/devices/
+
+# Power
+ReadOnlyPaths=-/usr/share/uos-hw-config
+BindPaths=/sys/class/drm/
+ReadWritePaths=/sys/devices/system/cpu/
+
+# PowerManager
+ReadOnlyPaths=-/sys/power/mem_sleep
+
+# Scheduler
+ReadOnlyPaths=/etc/deepin/scheduler/config.json
+ReadOnlyPaths=/usr/share/deepin/scheduler/config.json
+
+# Timezone
+ReadWritePaths=/etc/timezone
+ReadWritePaths=/etc/systemd/timesyncd.conf.d/deepin.conf
+
+# UADP
+DeviceAllow=char-tpm
+ReadWritePaths=/usr/share/uadp/
+
+ProtectSystem=full
+#ProtectHome=yes
+PrivateTmp=yes
+#PrivateDevices=yes
+PrivateNetwork=yes
+ProtectHostname=yes
+ProtectClock=yes
+#ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+
+[Install]
+# We pull this in by graphical.target instead of waiting for the bus
+# activation, to speed things up a little: gdm uses this anyway so it is nice
+# if it is already around when gdm wants to use it and doesn't have to wait for
+# it.
+WantedBy=graphical.target
diff --git a/misc/systemd/services/system/deepin-accounts1-daemon.service b/misc/systemd/services/system/deepin-accounts1-daemon.service
diff --git a/misc/systemd/services/system/deepin-grub2.service b/misc/systemd/services/system/deepin-grub2.service
@@ -42,3 +42,7 @@ RestrictRealtime=yes
 RemoveIPC=yes
 # 和golang -pie参数冲突，导致进程无法启动
 #MemoryDenyWriteExecute=yes
+MemoryLimit=100M
+
+[Install]
+Alias=dbus-org.deepin.dde.Grub2.service