diff --git a/misc/system-services/org.deepin.dde.Device1.service b/misc/system-services/org.deepin.dde.Device1.service
index 1426950..d39e269 100644
--- a/misc/system-services/org.deepin.dde.Device1.service
+++ b/misc/system-services/org.deepin.dde.Device1.service
@@ -2,3 +2,4 @@
 Name=org.deepin.dde.Device1
 Exec=/usr/lib/deepin-api/device
 User=root
+SystemdService=dbus-org.deepin.dde.Device1.service
diff --git a/misc/system-services/org.deepin.dde.LocaleHelper1.service b/misc/system-services/org.deepin.dde.LocaleHelper1.service
index 10ea87e..59ce300 100644
--- a/misc/system-services/org.deepin.dde.LocaleHelper1.service
+++ b/misc/system-services/org.deepin.dde.LocaleHelper1.service
@@ -2,3 +2,4 @@
 Name=org.deepin.dde.LocaleHelper1
 Exec=/usr/lib/deepin-api/locale-helper
 User=root
+SystemdService=dbus-org.deepin.dde.LocaleHelper1.service
diff --git a/misc/system-services/org.deepin.dde.SoundThemePlayer1.service b/misc/system-services/org.deepin.dde.SoundThemePlayer1.service
index 76006e0..2dc2943 100644
--- a/misc/system-services/org.deepin.dde.SoundThemePlayer1.service
+++ b/misc/system-services/org.deepin.dde.SoundThemePlayer1.service
@@ -2,3 +2,4 @@
 Name=org.deepin.dde.SoundThemePlayer1
 Exec=/usr/lib/deepin-api/sound-theme-player
 User=deepin-sound-player
+SystemdService=dbus-org.deepin.dde.SoundThemePlayer1.service
diff --git a/misc/systemd/system/deepin-dde-device.service b/misc/systemd/system/deepin-dde-device.service
new file mode 100644
index 0000000..c5d8aef
--- /dev/null
+++ b/misc/systemd/system/deepin-dde-device.service
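Review bot: `SystemdService=dbus-org.deepin.dde.Device1.service` points at a name that exists only as an `Alias=` in the new unit's `[Install]` section, and that symlink is created only when the unit is enabled. Where the bus daemon uses systemd activation it requests that unit instead of running the `Exec=` line, so on a system where the unit was never enabled activation would presumably fail rather than fall back. The same applies to the LocaleHelper1 and SoundThemePlayer1 hunks in this commit. Nothing visible in this diff enables the units or ships the alias symlinks, so the packaging should do one or the other, or the enable step should be documented.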
@@ -0,0 +1,40 @@
+[Unit]
+Description=Deepin Sound Theme Player
+
+Requisite=sound.target
+After=sound.target
+
+# Ask for the dbus socket.
+Wants=dbus.socket
+After=dbus.socket
+
+[Service]
+Type=dbus
+BusName=org.deepin.dde.Device1
+ExecStart=/usr/lib/deepin-api/device
+
+BindReadOnlyPaths=/run/dbus/system_bus_socket
+
+DeviceAllow=DeviceAllow rw
+DevicePolicy=closed
+
+ProtectSystem=full
+ProtectHome=yes
+PrivateTmp=yes
+#PrivateDevices=yes
+PrivateNetwork=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+
+[Install]
+Alias=dbus-org.deepin.dde.Device1.service
diff --git a/misc/systemd/system/deepin-locale-helper.service b/misc/systemd/system/deepin-locale-helper.service
new file mode 100644
index 0000000..0e029c1
--- /dev/null
+++ b/misc/systemd/system/deepin-locale-helper.service
@@ -0,0 +1,39 @@
+[Unit]
+Description=Deepin Locale Helper
+
+# Ask for the dbus socket.
+Wants=dbus.socket
+After=dbus.socket
+
+[Service]
+Type=dbus
+BusName=org.deepin.dde.LocaleHelper1
+ExecStart=/usr/lib/deepin-api/locale-helper
+
+ReadWritePaths=/etc/default/locale
+ReadWritePaths=/etc/locale.gen
+ReadWritePaths=/usr/lib/locale/
+ExecPaths=/usr/sbin/locale-gen
+
+DevicePolicy=closed
+
+ProtectSystem=full
+ProtectHome=yes
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+
+[Install]
+Alias=dbus-org.deepin.dde.LocaleHelper1.service
diff --git a/misc/systemd/system/deepin-login-sound.service b/misc/systemd/system/deepin-login-sound.service
index 9a09ae3..9f6aca7 100644
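Review bot: `DeviceAllow=DeviceAllow rw` in deepin-dde-device.service repeats the key name as the value, which is not a device specifier; systemd will most likely ignore the line, and with `DevicePolicy=closed` the daemon is then left with only the standard pseudo-devices. Name the real node or group in the form the sound units use (`DeviceAllow=char-alsa rw`), after confirming which device `/usr/lib/deepin-api/device` opens. `Description=Deepin Sound Theme Player` and `Requisite=sound.target` also look copied from the sound-theme-player unit and should describe this service instead. The unit sets no `User=`, so it runs as root; `NoNewPrivileges=yes` and a `CapabilityBoundingSet=` limited to what the daemon needs would fit the rest of the block.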
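Review bot: `ExecPaths=/usr/sbin/locale-gen` in deepin-locale-helper.service has no effect on its own, because `ExecPaths=` only re-allows execution beneath paths that `NoExecPaths=` has blocked and this unit sets no `NoExecPaths=`. As written the helper, which runs as root since there is no `User=`, can still execute anything; either drop the line or add `NoExecPaths=/` with a complete allow-list (the helper binary, the loader and libraries, and whatever `locale-gen` itself runs). The three `ReadWritePaths=` entries also lack the `-` prefix, so on a system where one of them does not exist the unit fails at namespace setup; `ReadWritePaths=-/etc/default/locale` avoids that.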
--- a/misc/systemd/system/deepin-login-sound.service +++ b/misc/systemd/system/deepin-login-sound.service @@ -4,22 +4,29 @@ Requires=sound.target After=dbus.service lightdm.service [Service] -# added automatically, for details please see -# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort -ProtectSystem=full -ProtectHome=true -PrivateDevices=true -ProtectHostname=true -ProtectClock=true -ProtectKernelTunables=true -ProtectKernelModules=true -ProtectKernelLogs=true -ProtectControlGroups=true -RestrictRealtime=true -# end of automatic additions Type=oneshot ExecStart=/usr/bin/dbus-send --system --print-reply --dest=org.deepin.dde.SoundThemePlayer1 /org/deepin/dde/SoundThemePlayer1 org.deepin.dde.SoundThemePlayer1.PlaySoundDesktopLogin RemainAfterExit=yes +DevicePolicy=closed + +ProtectSystem=full +ProtectHome=yes +PrivateTmp=yes +PrivateDevices=yes +PrivateNetwork=yes +ProtectHostname=yes +ProtectClock=yes +ProtectKernelTunables=yes +ProtectKernelModules=yes +ProtectKernelLogs=yes +ProtectControlGroups=yes +RestrictAddressFamilies=AF_UNIX +RestrictNamespaces=yes +LockPersonality=yes +RestrictRealtime=yes +RestrictSUIDSGID=yes +RemoveIPC=yes + [Install] WantedBy=multi-user.target diff --git a/misc/systemd/system/deepin-shutdown-sound.service b/misc/systemd/system/deepin-shutdown-sound.service index 36fbb43..c5fb62c 100644 --- a/misc/systemd/system/deepin-shutdown-sound.service +++ b/misc/systemd/system/deepin-shutdown-sound.service 
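Review bot: This oneshot only runs `/usr/bin/dbus-send --system`, yet it has no `User=` and the new hardening block leaves root's full capability set in place. `NoNewPrivileges=yes` and an empty `CapabilityBoundingSet=` would cost nothing here, provided the bus policy for `PlaySoundDesktopLogin` checks only the caller's uid (the policy is not visible in this diff). `DevicePolicy=closed` is redundant next to `PrivateDevices=yes`, which already implies it. The hunk removes the comment that recorded where the settings came from; a one-line comment above the new block stating which settings are deliberate for this unit would replace it.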
@@ -6,24 +6,35 @@ Conflicts=shutdown.target Before=shutdown.target [Service] -# added automatically, for details please see -# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort -ProtectSystem=full -ProtectHome=true -#PrivateDevices=true -ProtectHostname=true -ProtectClock=true -ProtectKernelTunables=true -ProtectKernelModules=true -ProtectKernelLogs=true -ProtectControlGroups=true -RestrictRealtime=true -# end of automatic additions Type=simple ExecStart=/usr/bin/true ExecStop=/usr/lib/deepin-api/deepin-shutdown-sound RemainAfterExit=yes TimeoutStopSec=7s +ReadOnlyPaths=/var/lib/deepin-sound-player +BindReadOnlyPaths=-/tmp/deepin-shutdown-sound.json + +DeviceAllow=char-alsa rw +DevicePolicy=closed + +ProtectSystem=full +ProtectHome=yes +PrivateTmp=yes +#PrivateDevices=yes +PrivateNetwork=yes +ProtectHostname=yes +ProtectClock=yes +ProtectKernelTunables=yes +ProtectKernelModules=yes +ProtectKernelLogs=yes +ProtectControlGroups=yes +RestrictAddressFamilies=AF_UNIX +RestrictNamespaces=yes +LockPersonality=yes +RestrictRealtime=yes +RestrictSUIDSGID=yes +RemoveIPC=yes + [Install] WantedBy=graphical.target diff --git a/misc/systemd/system/deepin-sound-theme-player.service b/misc/systemd/system/deepin-sound-theme-player.service new file mode 100644 index 0000000..27a1a27 --- /dev/null +++ b/misc/systemd/system/deepin-sound-theme-player.service 
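Review bot: `BindReadOnlyPaths=-/tmp/deepin-shutdown-sound.json` makes a fixed-name file in world-writable `/tmp` an input to the `ExecStop=` helper, which runs as root because this unit sets no `User=`. Any local account can create that name first, so unless the helper verifies the file's ownership its content has to be treated as untrusted. Keeping the file under a service-owned directory, such as the `/var/lib/deepin-sound-player` already listed in `ReadOnlyPaths=`, would remove the ambiguity. The commented-out `#PrivateDevices=yes` is carried over without explanation; a comment such as `# PrivateDevices would hide the ALSA nodes granted by DeviceAllow` above it would record the reason, if that is the reason.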
@@ -0,0 +1,41 @@
+[Unit]
+Description=Deepin Sound Theme Player
+
+Requisite=sound.target
+After=sound.target
+
+# Ask for the dbus socket.
+Wants=dbus.socket
+After=dbus.socket
+
+[Service]
+Type=dbus
+BusName=org.deepin.dde.SoundThemePlayer1
+User=deepin-sound-player
+ExecStart=/usr/lib/deepin-api/sound-theme-player
+
+ReadWritePaths=/var/lib/deepin-sound-player
+
+DeviceAllow=char-alsa rw
+DevicePolicy=closed
+
+ProtectSystem=full
+ProtectHome=yes
+#PrivateTmp=yes
+#PrivateDevices=yes
+PrivateNetwork=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+
+[Install]
+Alias=dbus-org.deepin.dde.SoundThemePlayer1.service
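Review bot: `Requisite=sound.target` makes the start fail immediately when `sound.target` is not already active, and this unit is now started on demand through bus activation, so a call that arrives early fails instead of waiting. `deepin-login-sound.service` in the same commit keeps `Requires=sound.target`; if failing fast is not intended here, `Wants=` or `Requires=` with the existing `After=sound.target` is the usual form. `#PrivateTmp=yes` and `#PrivateDevices=yes` are disabled with no reason given. A comment such as `# PrivateTmp off: /tmp/deepin-shutdown-sound.json is shared with deepin-shutdown-sound.service` would document the exception, if that is indeed why.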