From b6a52281ca90f79e9c6b21fd8f8202af4450ffc7 Mon Sep 17 00:00:00 2001
From: zsien
Date: Mon, 24 Jun 2024 14:38:02 +0800
Subject: [PATCH] chore: systemd hardening
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

加固 dbus 进程
---
 .../org.deepin.dde.LocaleHelper1.service | 1 +
 .../org.deepin.dde.SoundThemePlayer1.service | 1 +
 .../system/deepin-locale-helper.service | 39 ++++++++++++++++++
 .../systemd/system/deepin-login-sound.service | 19 ++++++---
 .../system/deepin-shutdown-sound.service | 27 ++++++++----
 .../system/deepin-sound-theme-player.service | 41 +++++++++++++++++++
 6 files changed, 114 insertions(+), 14 deletions(-)
 create mode 100644 misc/systemd/system/deepin-locale-helper.service
 create mode 100644 misc/systemd/system/deepin-sound-theme-player.service

diff --git a/misc/system-services/org.deepin.dde.LocaleHelper1.service b/misc/system-services/org.deepin.dde.LocaleHelper1.service
index 10ea87e..59ce300 100644
--- a/misc/system-services/org.deepin.dde.LocaleHelper1.service
+++ b/misc/system-services/org.deepin.dde.LocaleHelper1.service
@@ -2,3 +2,4 @@
 Name=org.deepin.dde.LocaleHelper1
 Exec=/usr/lib/deepin-api/locale-helper
 User=root
+SystemdService=dbus-org.deepin.dde.LocaleHelper1.service
diff --git a/misc/system-services/org.deepin.dde.SoundThemePlayer1.service b/misc/system-services/org.deepin.dde.SoundThemePlayer1.service
index 76006e0..2dc2943 100644
--- a/misc/system-services/org.deepin.dde.SoundThemePlayer1.service
+++ b/misc/system-services/org.deepin.dde.SoundThemePlayer1.service
@@ -2,3 +2,4 @@
 Name=org.deepin.dde.SoundThemePlayer1
 Exec=/usr/lib/deepin-api/sound-theme-player
 User=deepin-sound-player
+SystemdService=dbus-org.deepin.dde.SoundThemePlayer1.service
diff --git a/misc/systemd/system/deepin-locale-helper.service b/misc/systemd/system/deepin-locale-helper.service
new file mode 100644
index 0000000..cdc7277
--- /dev/null
+++ b/misc/systemd/system/deepin-locale-helper.service
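Review bot: `SystemdService=dbus-org.deepin.dde.LocaleHelper1.service` names a unit that exists only as the `Alias=` in the `[Install]` section of the new `deepin-locale-helper.service`, so the symlink appears only once that unit has been enabled; the same holds for the `dbus-org.deepin.dde.SoundThemePlayer1.service` line in the next hunk. If the package does not enable both units, dbus-daemon asks systemd for a unit it cannot find and, as far as I can tell, bus activation of the name then fails rather than falling back to `Exec=`. Either install the unit file under the `dbus-org.…` name directly, or add a comment above each line recording that the package's install step enables the unit.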
@@ -0,0 +1,39 @@
+[Unit]
+Description=Deepin Locale Helper
+
+# Ask for the dbus socket.
+Wants=dbus.socket
+After=dbus.socket
+
+[Service]
+Type=dbus
+BusName=org.deepin.dde.LocaleHelper1
+ExecStart=/usr/lib/deepin-api/locale-helper
+
+ReadWritePaths=/etc/default/locale
+ReadWritePaths=/etc/locale.gen
+ReadWritePaths=/usr/lib/locale/
+ExecPaths=/usr/sbin/locale-gen
+
+DevicePolicy=closed
+
+ProtectSystem=full
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+PrivateNetwork=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+
+[Install]
+Alias=dbus-org.deepin.dde.LocaleHelper1.service
diff --git a/misc/systemd/system/deepin-login-sound.service b/misc/systemd/system/deepin-login-sound.service
index 9a09ae3..92fb164 100644
--- a/misc/systemd/system/deepin-login-sound.service
+++ b/misc/systemd/system/deepin-login-sound.service
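Review bot: `ExecPaths=/usr/sbin/locale-gen` does nothing on its own: it only re-enables execution below paths that `NoExecPaths=` has made non-executable, and this unit sets no `NoExecPaths=`, so either drop the line or add the `NoExecPaths=` it is meant to carve an exception out of. The three `ReadWritePaths=` entries bind single files read-write while `/etc` stays read-only under `ProtectSystem=full`; if locale-helper rewrites `/etc/default/locale` or `/etc/locale.gen` by writing a temporary file and renaming it over the original, that rename fails inside the namespace, and a file that does not exist yet makes the mount and hence the unit fail to start (the `-` prefix tolerates a missing path) — confirm the helper's write pattern. Since this unit runs as root, `NoNewPrivileges=true` and a `CapabilityBoundingSet=` reduced to what locale-gen needs are the natural next additions; `NoNewPrivileges=true` is likewise missing from the deepin-login-sound, deepin-shutdown-sound and deepin-sound-theme-player hunks.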
@@ -4,22 +4,29 @@ Requires=sound.target After=dbus.service lightdm.service [Service]
-# added automatically, for details please see
-# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+Type=oneshot
+ExecStart=/usr/bin/dbus-send --system --print-reply --dest=org.deepin.dde.SoundThemePlayer1 /org/deepin/dde/SoundThemePlayer1 org.deepin.dde.SoundThemePlayer1.PlaySoundDesktopLogin
+RemainAfterExit=yes
+
+DevicePolicy=closed
+
 ProtectSystem=full
 ProtectHome=true
+PrivateTmp=true
 PrivateDevices=true
+PrivateNetwork=true
 ProtectHostname=true
 ProtectClock=true
 ProtectKernelTunables=true
 ProtectKernelModules=true
 ProtectKernelLogs=true
 ProtectControlGroups=true
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
 RestrictRealtime=true
-# end of automatic additions
-Type=oneshot
-ExecStart=/usr/bin/dbus-send --system --print-reply --dest=org.deepin.dde.SoundThemePlayer1 /org/deepin/dde/SoundThemePlayer1 org.deepin.dde.SoundThemePlayer1.PlaySoundDesktopLogin
-RemainAfterExit=yes
+RestrictSUIDSGID=true
+RemoveIPC=true
 
 [Install]
 WantedBy=multi-user.target
diff --git a/misc/systemd/system/deepin-shutdown-sound.service b/misc/systemd/system/deepin-shutdown-sound.service
index 36fbb43..fa2819c 100644
--- a/misc/systemd/system/deepin-shutdown-sound.service
+++ b/misc/systemd/system/deepin-shutdown-sound.service
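Review bot: The new `ExecStart=` only runs `dbus-send`, yet the unit keeps `ProtectSystem=full` and sets no `User=`, so the call is made as root with full capabilities and a writable `/var`; for a oneshot that touches no files, `ProtectSystem=strict` together with an empty `CapabilityBoundingSet=` is the better fit, and an unprivileged `User=` is worth trying if the bus policy for `org.deepin.dde.SoundThemePlayer1` (not part of this diff) permits the call. As a point of style, `RemainAfterExit=yes` is the only `yes` among `true` booleans in the file; `RemainAfterExit=true` keeps it consistent, and the same applies to the deepin-shutdown-sound hunk.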
@@ -6,24 +6,35 @@ Conflicts=shutdown.target Before=shutdown.target [Service]
-# added automatically, for details please see
-# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+Type=simple
+ExecStart=/usr/bin/true
+ExecStop=/usr/lib/deepin-api/deepin-shutdown-sound
+RemainAfterExit=yes
+TimeoutStopSec=7s
+
+ReadOnlyPaths=/var/lib/deepin-sound-player
+BindReadOnlyPaths=-/tmp/deepin-shutdown-sound.json
+
+DeviceAllow=char-alsa rw
+DevicePolicy=closed
+
 ProtectSystem=full
 ProtectHome=true
+PrivateTmp=true
 #PrivateDevices=true
+PrivateNetwork=true
 ProtectHostname=true
 ProtectClock=true
 ProtectKernelTunables=true
 ProtectKernelModules=true
 ProtectKernelLogs=true
 ProtectControlGroups=true
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
 RestrictRealtime=true
-# end of automatic additions
-Type=simple
-ExecStart=/usr/bin/true
-ExecStop=/usr/lib/deepin-api/deepin-shutdown-sound
-RemainAfterExit=yes
-TimeoutStopSec=7s
+RestrictSUIDSGID=true
+RemoveIPC=true
 
 [Install]
 WantedBy=graphical.target
diff --git a/misc/systemd/system/deepin-sound-theme-player.service b/misc/systemd/system/deepin-sound-theme-player.service
new file mode 100644
index 0000000..a3c18a4
--- /dev/null
+++ b/misc/systemd/system/deepin-sound-theme-player.service
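Review bot: `BindReadOnlyPaths=-/tmp/deepin-shutdown-sound.json` mounts a predictably named file from the shared, world-writable `/tmp` into a unit that sets no `User=`, so `deepin-shutdown-sound` runs as root and reads a file that any local user could have created first (the `-` only tolerates its absence; it does not check who owns it). Whatever the helper takes from that file should be treated as untrusted input, and moving it to `/run/` or into the `/var/lib/deepin-sound-player` directory the unit already maps read-only, where only the intended writer can create it, would remove the problem. A comment above the line naming the writer of the file, e.g. `# written by deepin-sound-theme-player.service before shutdown`, would also help the next reader; I am inferring the writer, so confirm it.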
@@ -0,0 +1,41 @@
+[Unit]
+Description=Deepin Sound Theme Player
+
+Requisite=sound.target
+After=sound.target
+
+# Ask for the dbus socket.
+Wants=dbus.socket
+After=dbus.socket
+
+[Service]
+Type=dbus
+BusName=org.deepin.dde.SoundThemePlayer1
+User=deepin-sound-player
+ExecStart=/usr/lib/deepin-api/sound-theme-player
+
+ReadWritePaths=/var/lib/deepin-sound-player
+
+DeviceAllow=char-alsa rw
+DevicePolicy=closed
+
+ProtectSystem=full
+ProtectHome=true
+#PrivateTmp=true
+#PrivateDevices=true
+PrivateNetwork=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+
+[Install]
+Alias=dbus-org.deepin.dde.SoundThemePlayer1.service
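Review bot: `#PrivateTmp=true` and `#PrivateDevices=true` are shipped as commented-out lines in a brand-new file with no explanation, so a later reader cannot tell whether they were disabled on purpose or simply forgotten. `DeviceAllow=char-alsa rw` explains the second; the first is presumably because this service, running as `deepin-sound-player`, writes the `/tmp/deepin-shutdown-sound.json` that deepin-shutdown-sound.service bind-mounts — confirm. Replace the two lines with a comment giving the reason, e.g. `# PrivateTmp= and PrivateDevices= stay off: ALSA device nodes are needed, and /tmp is shared with deepin-shutdown-sound.service`, and treat the commented `#PrivateDevices=true` in the deepin-shutdown-sound hunk the same way.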