refactor: Enhance coredump reporter service and refine D-Bus authorization

- Coredump Reporter Service:
    - Migrated coredump-reporter.service and coredump-reporter.timer installation from user-specific systemd/user to system-wide systemd/system.
    - Removed debian/deepin-log-viewer.postinst as the service is now managed globally.
    - Hardened coredump-reporter.service with User=root, ProtectSystem=strict, InaccessiblePaths for sensitive directories, and MemoryMax to improve security and resource management.

- D-Bus Service Authorization:
    - Replaced the generic isValidInvoker function with specific checkAuth calls using action IDs (s_Action_View, s_Action_Export) in LogViewerService.
    - Removed the isValidInvoker function and its declaration, streamlining the authorization logic.

Author: wangrong1069

application/CMakeLists.txt

@@ -351,7 +351,7 @@ install(FILES configs/logconfig/deepin-log-viewer.json DESTINATION ${CMAKE_INSTA
 install(FILES configs/debugconfig/org.deepin.log.viewer.json DESTINATION ${CMAKE_INSTALL_PREFIX}/share/deepin-debug-config/deepin-debug-config.d/)
 
 # Install coredump report service&timer
-install(FILES ./configs/coredump-reporter.timer ./configs/coredump-reporter.service DESTINATION ${CMAKE_INSTALL_PREFIX}/lib/systemd/user/)
+install(FILES ./configs/coredump-reporter.timer ./configs/coredump-reporter.service DESTINATION ${CMAKE_INSTALL_PREFIX}/lib/systemd/system/)
 
 #安装DConfig配置
 set(APPID org.deepin.log.viewer)

application/configs/coredump-reporter.service

@@ -2,10 +2,14 @@
 Description=deepin-log-viewer coredump report activities
 
 [Service]
-
+Environment=HOME=/
+User=root
 ExecStart=/usr/bin/deepin-log-viewer --reportcoredump
-CapabilityBoundingSet=~
-MemoryLimit=8G
-
-[Install]
-WantedBy=multi-user.target
+ProtectSystem=strict
+InaccessiblePaths=-/etc/shadow
+InaccessiblePaths=-/etc/NetworkManager/system-connections
+InaccessiblePaths=-/etc/pam.d
+InaccessiblePaths=-/usr/share/uadp
+InaccessiblePaths=-/etc/sudoers
+InaccessiblePaths=-/etc/sudoers.d
+MemoryMax=8G

debian/deepin-log-viewer.install

@@ -3,8 +3,8 @@ usr/bin/logViewerAuth
 usr/bin/logViewerTruncate
 usr/bin/deepin-logger
 usr/lib/deepin-daemon/log-view-service
-usr/lib/systemd/user/coredump-reporter.service
-usr/lib/systemd/user/coredump-reporter.timer
+usr/lib/systemd/system/coredump-reporter.service
+usr/lib/systemd/system/coredump-reporter.timer
 usr/lib/systemd/system/deepin-log-viewer-daemon.service
 usr/share/applications/deepin-log-viewer.desktop
 usr/share/dbus-1/system-services/com.deepin.logviewer.service

debian/deepin-log-viewer.postinst

@@ -478,8 +478,7 @@ qint64 LogViewerService::findLineStartOffsetWithCaching(const QString &filePath,
 qint64 LogViewerService::getLineCount(const QString &filePath)
 {
     qCDebug(logService) << "Getting line count for file:" << filePath;
-    if (!isValidInvoker()) {
-        qCWarning(logService) << "Invalid invoker for getLineCount";
+    if (!checkAuth(s_Action_View)) {
         return -1;
     }
 
@@ -524,8 +523,7 @@ QString LogViewerService::executeCmd(const QString &cmd)
     qCDebug(logService) << "Executing command:" << cmd;
     QString result("");
 
-    if (!isValidInvoker()) {
-        qCWarning(logService) << "Invalid invoker for executeCmd";
+    if (!checkAuth(s_Action_Export)) {
         return result;
     }
 
@@ -811,8 +809,7 @@ QStringList LogViewerService::getFileInfo(const QString &file, bool unzip)
 {
     qCDebug(logService) << "Getting file info for:" << file << "and unzip:" << unzip;
     // 判断非法调用
-    if(!isValidInvoker()) {
-        qCDebug(logService) << "Invalid invoker";
+    if(!checkAuth(s_Action_View)) {
         return {};
     }
 
@@ -933,8 +930,7 @@ QStringList LogViewerService::getOtherFileInfo(const QString &file, bool unzip)
 {
     qCDebug(logService) << "Getting other file info for:" << file << "and unzip:" << unzip;
     // 判断非法调用
-    if(!isValidInvoker()) {
-        qCDebug(logService) << "Invalid invoker";
+    if(!checkAuth(s_Action_View)) {
         return {};
     }
 
@@ -1177,109 +1173,6 @@ bool LogViewerService::exportLog(const QString &outDir, const QString &in, bool
     return true;
 }
 
-bool LogViewerService::isValidInvoker(bool checkAuth/* = true*/)
-{
-    qCDebug(logService) << "Checking if invoker is valid with checkAuth:" << checkAuth;
-   if (!calledFromDBus()) {
-       qCDebug(logService) << "Called not from dbus";
-       return false;
-   }
-
-    bool valid = false;
-    QDBusConnection conn = connection();
-    QDBusMessage msg = message();
-
-    //判断是否存在执行路径
-    uint pid = conn.interface()->servicePid(msg.service()).value();
-
-    // 判断是否存在执行路径且是否存在于可调用者名单中
-    QFile initNsMntFile("/proc/1/ns/mnt");
-    QFile senderNsMntFile(QString("/proc/%1/ns/mnt").arg(pid));
-    auto initNsMnt = initNsMntFile.symLinkTarget().trimmed().remove(0, QString("/proc/1/ns/mnt").length());
-    auto senderNsMnt = senderNsMntFile.symLinkTarget().trimmed().remove(0, QString("/proc/%1/ns/mnt").arg(pid).length());
-    if (initNsMnt != senderNsMnt) {
-        qCDebug(logService) << "Init ns mnt not equal to sender ns mnt";
-        sendErrorReply(QDBusError::ErrorType::Failed, "Illegal calls！！！！！");
-        return false;
-    }
-
-    //进制使用环境变量导入.so动态调用dbus接口
-    QProcess proc;
-    proc.start(QString("cat /proc/%1/maps").arg(pid));
-    proc.waitForStarted();
-    proc.waitForFinished();
-    QString maps = QString::fromLocal8Bit(proc.readAllStandardOutput()).trimmed();
-    proc.close();
-    QStringList libMaps = maps.split("\n", SKIP_EMPTY_PARTS);
-    QStringList allParts;
-    for (const QString &part : libMaps) {
-        QStringList subParts = part.split(' ');
-        for (const QString &subPart : subParts) {
-            if (!subPart.isEmpty()) {
-                allParts.append(subPart);
-            }
-        }
-    }
-    for (int j = 0; j < allParts.count(); ++j) {
-        QString libStr = allParts.at(j);
-        QFileInfo info(libStr);
-        if (info.isFile()) {
-            QString fileName = info.fileName();
-            if (fileName.contains(".so")) {
-                QStringList libpath = libStr.split("/", SKIP_EMPTY_PARTS);
-                if (libpath.count() > 2) {
-                    QString libhead = QString("/%1/%2").arg(libpath.at(0)).arg(libpath.at(1));
-                    if (libhead != "/usr/lib") {
-                        sendErrorReply(QDBusError::ErrorType::Failed, "Illegal calls!");
-                        return false;
-                    }
-                }
-            }
-        }
-    }
-
-    QFileInfo f(QString("/proc/%1/exe").arg(pid));
-    if (!f.exists()) {
-        valid = false;
-    } else {
-        valid = true;
-    }
-
-    //是否存在于可调用者名单中
-    QStringList ValidInvokerExePathList;
-    QString invokerPath = f.canonicalFilePath();
-    QStringList findPaths;//合法调用者查找目录列表
-    findPaths << "/usr/bin";
-    ValidInvokerExePathList << QStandardPaths::findExecutable("deepin-log-viewer", findPaths);
-
-    if (valid)
-        valid = ValidInvokerExePathList.contains(invokerPath);
-
-    // pokit前端进程鉴权
-    bool bAuthValid = true;
-    QString strCheckAuthTip;
-    if (valid && checkAuth) {
-        qCDebug(logService) << "Checking authorization for:" << m_actionId << "and pid:" << pid;
-        bAuthValid = checkAuthorization(m_actionId);
-        valid = bAuthValid;
-        if (!bAuthValid) {
-            strCheckAuthTip = "checkAuthorization failed.";
-            qCWarning(logService) << strCheckAuthTip;
-        }
-    }
-    //非法调用
-    if (!valid) {
-        qCDebug(logService) << "Invalid invoker";
-        sendErrorReply(QDBusError::ErrorType::Failed,
-                       QString("(pid: %1)[%2] is not allowed to configrate firewall. %3")
-                       .arg(pid)
-                       .arg((invokerPath))
-                       .arg(strCheckAuthTip));
-        return false;
-    }
-    return true;
-}
-
 bool LogViewerService::checkAuth(const QString &actionId)
 {
     qCDebug(logService) << "Checking auth for:" << actionId;

logViewerService/logviewerservice.cpp

@@ -75,11 +75,7 @@ public Q_SLOTS:
     QMap<QString, QString> m_commands;
     QMap<QString, std::pair<QString, QTextStream*>> m_logMap;
     QMap<QString, QList<uint64_t>> m_logLineIndex;
-    /**
-     * @brief isValidInvoker 检验调研者是否是日志
-     * @return
-     */
-    bool isValidInvoker(bool checkAuth = false);
+
     bool checkAuth(const QString &actionId);
     QByteArray processCatFile(const QString &filePath);
     void processCmdArgs(const QString &cmdStr, const QStringList &args);