chore: systemd hardening

加固 dbus 进程
linuxdeepin · Jun 26, 2024 · 2c5870d · 2c5870d
1 parent 83b3e45
commit 2c5870d
Show file tree

Hide file tree

Showing 13 changed files with 186 additions and 28 deletions.
diff --git a/debian/postinst → debian/dde-api.postinst b/debian/postinst → debian/dde-api.postinst
diff --git a/debian/postrm → debian/dde-api.postrm b/debian/postrm → debian/dde-api.postrm
diff --git a/debian/dde-api.sysusers b/debian/dde-api.sysusers
@@ -0,0 +1,10 @@
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+
+#Type Name               ID                  GECOS              Home directory Shell
+u     deepin-api-device  -                   -
+m     deepin-api-device  netdev
diff --git a/debian/rules b/debian/rules
@@ -13,6 +13,10 @@ endif
 %:
 	dh $@ --buildsystem=makefile
 
+override_dh_auto_install:
+	dh_auto_install
+	dh_installsysusers dde-api.sysusers
+
 override_dh_strip:
 	dh_strip --dbgsym-migration=dde-api-dbg
 

diff --git a/misc/conf/org.deepin.dde.Device1.conf b/misc/conf/org.deepin.dde.Device1.conf
@@ -6,7 +6,7 @@
 <busconfig>
 
   <!-- Only root can own the service -->
-  <policy user="root">
+  <policy user="deepin-api-device">
     <allow own="org.deepin.dde.Device1"/>
   </policy>
 

diff --git a/misc/system-services/org.deepin.dde.Device1.service b/misc/system-services/org.deepin.dde.Device1.service
@@ -1,4 +1,5 @@
 [D-BUS Service]
 Name=org.deepin.dde.Device1
 Exec=/usr/lib/deepin-api/device
-User=root
+User=deepin-api-device
+SystemdService=dbus-org.deepin.dde.Device1.service
diff --git a/misc/system-services/org.deepin.dde.LocaleHelper1.service b/misc/system-services/org.deepin.dde.LocaleHelper1.service
@@ -2,3 +2,4 @@
 Name=org.deepin.dde.LocaleHelper1
 Exec=/usr/lib/deepin-api/locale-helper
 User=root
+SystemdService=dbus-org.deepin.dde.LocaleHelper1.service
diff --git a/misc/system-services/org.deepin.dde.SoundThemePlayer1.service b/misc/system-services/org.deepin.dde.SoundThemePlayer1.service
@@ -2,3 +2,4 @@
 Name=org.deepin.dde.SoundThemePlayer1
 Exec=/usr/lib/deepin-api/sound-theme-player
 User=deepin-sound-player
+SystemdService=dbus-org.deepin.dde.SoundThemePlayer1.service
diff --git a/misc/systemd/system/deepin-api-device.service b/misc/systemd/system/deepin-api-device.service
@@ -0,0 +1,41 @@
+[Unit]
+Description=Deepin Device Api Service
+
+Requisite=sound.target
+After=sound.target
+
+# Ask for the dbus socket.
+Wants=dbus.socket
+After=dbus.socket
+
+[Service]
+Type=dbus
+User=deepin-api-device
+BusName=org.deepin.dde.Device1
+ExecStart=/usr/lib/deepin-api/device
+
+BindReadOnlyPaths=/run/dbus/system_bus_socket
+
+DeviceAllow=/dev/rfkill rw
+DevicePolicy=closed
+
+ProtectSystem=full
+ProtectHome=yes
+PrivateTmp=yes
+#PrivateDevices=yes
+PrivateNetwork=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+
+[Install]
+Alias=dbus-org.deepin.dde.Device1.service
diff --git a/misc/systemd/system/deepin-locale-helper.service b/misc/systemd/system/deepin-locale-helper.service
@@ -0,0 +1,39 @@
+[Unit]
+Description=Deepin Locale Helper
+
+# Ask for the dbus socket.
+Wants=dbus.socket
+After=dbus.socket
+
+[Service]
+Type=dbus
+BusName=org.deepin.dde.LocaleHelper1
+ExecStart=/usr/lib/deepin-api/locale-helper
+
+ReadWritePaths=/etc/default/locale
+ReadWritePaths=/etc/locale.gen
+ReadWritePaths=/usr/lib/locale/
+ExecPaths=/usr/sbin/locale-gen
+
+DevicePolicy=closed
+
+ProtectSystem=full
+ProtectHome=yes
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+
+[Install]
+Alias=dbus-org.deepin.dde.LocaleHelper1.service
diff --git a/misc/systemd/system/deepin-login-sound.service b/misc/systemd/system/deepin-login-sound.service
@@ -4,22 +4,30 @@ Requires=sound.target
 After=dbus.service lightdm.service
 
 [Service]
-# added automatically, for details please see
-# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
-ProtectSystem=full
-ProtectHome=true
-PrivateDevices=true
-ProtectHostname=true
-ProtectClock=true
-ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectKernelLogs=true
-ProtectControlGroups=true
-RestrictRealtime=true
-# end of automatic additions 
 Type=oneshot
+User=deepin-sound-player
 ExecStart=/usr/bin/dbus-send --system --print-reply --dest=org.deepin.dde.SoundThemePlayer1 /org/deepin/dde/SoundThemePlayer1 org.deepin.dde.SoundThemePlayer1.PlaySoundDesktopLogin
 RemainAfterExit=yes
 
+DevicePolicy=closed
+
+ProtectSystem=full
+ProtectHome=yes
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+
 [Install]
 WantedBy=multi-user.target
diff --git a/misc/systemd/system/deepin-shutdown-sound.service b/misc/systemd/system/deepin-shutdown-sound.service
@@ -6,24 +6,36 @@ Conflicts=shutdown.target
 Before=shutdown.target
 
 [Service]
-# added automatically, for details please see
-# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
-ProtectSystem=full
-ProtectHome=true
-#PrivateDevices=true
-ProtectHostname=true
-ProtectClock=true
-ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectKernelLogs=true
-ProtectControlGroups=true
-RestrictRealtime=true
-# end of automatic additions 
 Type=simple
+User=deepin-sound-player
 ExecStart=/usr/bin/true
 ExecStop=/usr/lib/deepin-api/deepin-shutdown-sound
 RemainAfterExit=yes
 TimeoutStopSec=7s
 
+ReadOnlyPaths=/var/lib/deepin-sound-player
+BindReadOnlyPaths=-/tmp/deepin-shutdown-sound.json
+
+DeviceAllow=char-alsa rw
+DevicePolicy=closed
+
+ProtectSystem=full
+ProtectHome=yes
+PrivateTmp=yes
+#PrivateDevices=yes
+PrivateNetwork=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+
 [Install]
 WantedBy=graphical.target
diff --git a/misc/systemd/system/deepin-sound-theme-player.service b/misc/systemd/system/deepin-sound-theme-player.service
@@ -0,0 +1,41 @@
+[Unit]
+Description=Deepin Sound Theme Player
+
+Requisite=sound.target
+After=sound.target
+
+# Ask for the dbus socket.
+Wants=dbus.socket
+After=dbus.socket
+
+[Service]
+Type=dbus
+BusName=org.deepin.dde.SoundThemePlayer1
+User=deepin-sound-player
+ExecStart=/usr/lib/deepin-api/sound-theme-player
+
+StateDirectory=deepin-sound-player
+
+DeviceAllow=char-alsa rw
+DevicePolicy=closed
+
+ProtectSystem=full
+ProtectHome=yes
+#PrivateTmp=yes
+#PrivateDevices=yes
+PrivateNetwork=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+
+[Install]
+Alias=dbus-org.deepin.dde.SoundThemePlayer1.service