diff --git a/debian/postinst b/debian/dde-api.postinst similarity index 100% rename from debian/postinst rename to debian/dde-api.postinst diff --git a/debian/postrm b/debian/dde-api.postrm similarity index 100% rename from debian/postrm rename to debian/dde-api.postrm diff --git a/debian/dde-api.sysusers b/debian/dde-api.sysusers new file mode 100644 index 00000000..aaffb646 --- /dev/null +++ b/debian/dde-api.sysusers @@ -0,0 +1,10 @@ +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +#Type Name ID GECOS Home directory Shell +u deepin-api-device - - +m deepin-api-device netdev diff --git a/debian/rules b/debian/rules index 2653713c..a3d2d3b8 100755 --- a/debian/rules +++ b/debian/rules @@ -13,6 +13,10 @@ endif %: dh $@ --buildsystem=makefile +override_dh_auto_install: + dh_auto_install + dh_installsysusers dde-api.sysusers + override_dh_strip: dh_strip --dbgsym-migration=dde-api-dbg diff --git a/misc/conf/org.deepin.dde.Device1.conf b/misc/conf/org.deepin.dde.Device1.conf index ba8446fd..3dce3182 100644 --- a/misc/conf/org.deepin.dde.Device1.conf +++ b/misc/conf/org.deepin.dde.Device1.conf @@ -6,7 +6,7 @@ - + diff --git a/misc/system-services/org.deepin.dde.Device1.service b/misc/system-services/org.deepin.dde.Device1.service index 14269504..d4077e8b 100644 --- a/misc/system-services/org.deepin.dde.Device1.service +++ b/misc/system-services/org.deepin.dde.Device1.service @@ -1,4 +1,5 @@ [D-BUS Service] Name=org.deepin.dde.Device1 Exec=/usr/lib/deepin-api/device -User=root +User=deepin-api-device +SystemdService=dbus-org.deepin.dde.Device1.service diff --git a/misc/system-services/org.deepin.dde.LocaleHelper1.service b/misc/system-services/org.deepin.dde.LocaleHelper1.service index 10ea87e2..59ce3002 100644 --- a/misc/system-services/org.deepin.dde.LocaleHelper1.service +++ b/misc/system-services/org.deepin.dde.LocaleHelper1.service @@ -2,3 +2,4 @@ Name=org.deepin.dde.LocaleHelper1 Exec=/usr/lib/deepin-api/locale-helper User=root +SystemdService=dbus-org.deepin.dde.LocaleHelper1.service diff --git a/misc/system-services/org.deepin.dde.SoundThemePlayer1.service b/misc/system-services/org.deepin.dde.SoundThemePlayer1.service index 76006e0e..2dc2943a 100644 --- a/misc/system-services/org.deepin.dde.SoundThemePlayer1.service +++ b/misc/system-services/org.deepin.dde.SoundThemePlayer1.service @@ -2,3 +2,4 @@ Name=org.deepin.dde.SoundThemePlayer1 Exec=/usr/lib/deepin-api/sound-theme-player User=deepin-sound-player +SystemdService=dbus-org.deepin.dde.SoundThemePlayer1.service diff --git a/misc/systemd/system/deepin-api-device.service b/misc/systemd/system/deepin-api-device.service new file mode 100644 index 00000000..96b05047 --- /dev/null +++ b/misc/systemd/system/deepin-api-device.service @@ -0,0 +1,41 @@ +[Unit] +Description=Deepin Device Api Service + +Requisite=sound.target +After=sound.target + +# Ask for the dbus socket. +Wants=dbus.socket +After=dbus.socket + +[Service] +Type=dbus +User=deepin-api-device +BusName=org.deepin.dde.Device1 +ExecStart=/usr/lib/deepin-api/device + +BindReadOnlyPaths=/run/dbus/system_bus_socket + +DeviceAllow=/dev/rfkill rw +DevicePolicy=closed + +ProtectSystem=full +ProtectHome=yes +PrivateTmp=yes +#PrivateDevices=yes +PrivateNetwork=yes +ProtectHostname=yes +ProtectClock=yes +ProtectKernelTunables=yes +ProtectKernelModules=yes +ProtectKernelLogs=yes +ProtectControlGroups=yes +RestrictAddressFamilies=AF_UNIX +RestrictNamespaces=yes +LockPersonality=yes +RestrictRealtime=yes +RestrictSUIDSGID=yes +RemoveIPC=yes + +[Install] +Alias=dbus-org.deepin.dde.Device1.service diff --git a/misc/systemd/system/deepin-locale-helper.service b/misc/systemd/system/deepin-locale-helper.service new file mode 100644 index 00000000..0e029c1f --- /dev/null +++ b/misc/systemd/system/deepin-locale-helper.service @@ -0,0 +1,39 @@ +[Unit] +Description=Deepin Locale Helper + +# Ask for the dbus socket. +Wants=dbus.socket +After=dbus.socket + +[Service] +Type=dbus +BusName=org.deepin.dde.LocaleHelper1 +ExecStart=/usr/lib/deepin-api/locale-helper + +ReadWritePaths=/etc/default/locale +ReadWritePaths=/etc/locale.gen +ReadWritePaths=/usr/lib/locale/ +ExecPaths=/usr/sbin/locale-gen + +DevicePolicy=closed + +ProtectSystem=full +ProtectHome=yes +PrivateTmp=yes +PrivateDevices=yes +PrivateNetwork=yes +ProtectHostname=yes +ProtectClock=yes +ProtectKernelTunables=yes +ProtectKernelModules=yes +ProtectKernelLogs=yes +ProtectControlGroups=yes +RestrictAddressFamilies=AF_UNIX +RestrictNamespaces=yes +LockPersonality=yes +RestrictRealtime=yes +RestrictSUIDSGID=yes +RemoveIPC=yes + +[Install] +Alias=dbus-org.deepin.dde.LocaleHelper1.service diff --git a/misc/systemd/system/deepin-login-sound.service b/misc/systemd/system/deepin-login-sound.service index 9a09ae35..d27813c1 100644 --- a/misc/systemd/system/deepin-login-sound.service +++ b/misc/systemd/system/deepin-login-sound.service @@ -4,22 +4,30 @@ Requires=sound.target After=dbus.service lightdm.service [Service] -# added automatically, for details please see -# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort -ProtectSystem=full -ProtectHome=true -PrivateDevices=true -ProtectHostname=true -ProtectClock=true -ProtectKernelTunables=true -ProtectKernelModules=true -ProtectKernelLogs=true -ProtectControlGroups=true -RestrictRealtime=true -# end of automatic additions Type=oneshot +User=deepin-sound-player ExecStart=/usr/bin/dbus-send --system --print-reply --dest=org.deepin.dde.SoundThemePlayer1 /org/deepin/dde/SoundThemePlayer1 org.deepin.dde.SoundThemePlayer1.PlaySoundDesktopLogin RemainAfterExit=yes +DevicePolicy=closed + +ProtectSystem=full +ProtectHome=yes +PrivateTmp=yes +PrivateDevices=yes +PrivateNetwork=yes +ProtectHostname=yes +ProtectClock=yes +ProtectKernelTunables=yes +ProtectKernelModules=yes +ProtectKernelLogs=yes +ProtectControlGroups=yes +RestrictAddressFamilies=AF_UNIX +RestrictNamespaces=yes +LockPersonality=yes +RestrictRealtime=yes +RestrictSUIDSGID=yes +RemoveIPC=yes + [Install] WantedBy=multi-user.target diff --git a/misc/systemd/system/deepin-shutdown-sound.service b/misc/systemd/system/deepin-shutdown-sound.service index 36fbb43f..3031a207 100644 --- a/misc/systemd/system/deepin-shutdown-sound.service +++ b/misc/systemd/system/deepin-shutdown-sound.service @@ -6,24 +6,36 @@ Conflicts=shutdown.target Before=shutdown.target [Service] -# added automatically, for details please see -# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort -ProtectSystem=full -ProtectHome=true -#PrivateDevices=true -ProtectHostname=true -ProtectClock=true -ProtectKernelTunables=true -ProtectKernelModules=true -ProtectKernelLogs=true -ProtectControlGroups=true -RestrictRealtime=true -# end of automatic additions Type=simple +User=deepin-sound-player ExecStart=/usr/bin/true ExecStop=/usr/lib/deepin-api/deepin-shutdown-sound RemainAfterExit=yes TimeoutStopSec=7s +ReadOnlyPaths=/var/lib/deepin-sound-player +BindReadOnlyPaths=-/tmp/deepin-shutdown-sound.json + +DeviceAllow=char-alsa rw +DevicePolicy=closed + +ProtectSystem=full +ProtectHome=yes +PrivateTmp=yes +#PrivateDevices=yes +PrivateNetwork=yes +ProtectHostname=yes +ProtectClock=yes +ProtectKernelTunables=yes +ProtectKernelModules=yes +ProtectKernelLogs=yes +ProtectControlGroups=yes +RestrictAddressFamilies=AF_UNIX +RestrictNamespaces=yes +LockPersonality=yes +RestrictRealtime=yes +RestrictSUIDSGID=yes +RemoveIPC=yes + [Install] WantedBy=graphical.target diff --git a/misc/systemd/system/deepin-sound-theme-player.service b/misc/systemd/system/deepin-sound-theme-player.service new file mode 100644 index 00000000..14c82820 --- /dev/null +++ b/misc/systemd/system/deepin-sound-theme-player.service @@ -0,0 +1,41 @@ +[Unit] +Description=Deepin Sound Theme Player + +Requisite=sound.target +After=sound.target + +# Ask for the dbus socket. +Wants=dbus.socket +After=dbus.socket + +[Service] +Type=dbus +BusName=org.deepin.dde.SoundThemePlayer1 +User=deepin-sound-player +ExecStart=/usr/lib/deepin-api/sound-theme-player + +StateDirectory=deepin-sound-player + +DeviceAllow=char-alsa rw +DevicePolicy=closed + +ProtectSystem=full +ProtectHome=yes +#PrivateTmp=yes +#PrivateDevices=yes +PrivateNetwork=yes +ProtectHostname=yes +ProtectClock=yes +ProtectKernelTunables=yes +ProtectKernelModules=yes +ProtectKernelLogs=yes +ProtectControlGroups=yes +RestrictAddressFamilies=AF_UNIX +RestrictNamespaces=yes +LockPersonality=yes +RestrictRealtime=yes +RestrictSUIDSGID=yes +RemoveIPC=yes + +[Install] +Alias=dbus-org.deepin.dde.SoundThemePlayer1.service