
Commit 0dfcc46

authored
feat: dde-api安全整改 (#146)
* feat: dde-api安全整改 /lib/systemd/system/deepin-locale-helper.service 应该默认仅deepin和uos打包; Log: dde-api安全整改 PMS: TASK-369021 * feat: dde-api安全整改,音效服务用户改成deepin-daemon /lib/systemd/system/deepin-sound-theme-player.service User不应该再使用deepin-sound-player Log: dde-api安全整改 PMS: TASK-369021 * feat: dde-api安全整改,polkit控制改用rules /var/lib/polkit-1/localauthority/10-vendor.d/org.deepin.dde.device.pkla 应该改用rules实现; Log: dde-api安全整改 PMS: TASK-369021 * feat: dde-api安全整改,优化调整 makefile中入参改用ifneq判断,dde-api安装时创建deepin-daemon用户 Log: dde-api安全整改 PMS: TASK-369021
1 parent 8ffe988 commit 0dfcc46

19 files changed

+66
-110
lines changed

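--- a/Makefile
+++ b/Makefile
@@ -6,6 +6,7 @@ libdir = /lib
 SYSTEMD_LIB_DIR = ${libdir}
 SYSTEMD_SERVICE_DIR = ${SYSTEMD_LIB_DIR}/systemd/system/
 GOBUILD = env GOPATH="${CURDIR}/${GOBUILD_DIR}:${GOPATH}" go build
+INSTALL_LOCALE_HELPER ?= 0
 
 TESTS = \
 ${GOPKG_PREFIX}/adjust-grub-theme \
@@ -133,14 +134,21 @@ install-binary:
 mkdir -pv ${DESTDIR}${PREFIX}/share/polkit-1/actions
 cp misc/polkit-action/*.policy ${DESTDIR}${PREFIX}/share/polkit-1/actions/
 
-mkdir -pv ${DESTDIR}/var/lib/polkit-1/localauthority/10-vendor.d
-cp misc/polkit-localauthority/*.pkla ${DESTDIR}/var/lib/polkit-1/localauthority/10-vendor.d/
-
+mkdir -pv ${DESTDIR}/var/lib/polkit-1/rules.d
+cp misc/polkit-rules/*.rules ${DESTDIR}/var/lib/polkit-1/rules.d/
+
 mkdir -pv ${DESTDIR}${PREFIX}/share/dde-api
 cp -R misc/data ${DESTDIR}${PREFIX}/share/dde-api
 
 mkdir -pv ${DESTDIR}${SYSTEMD_SERVICE_DIR}
 cp -R misc/systemd/system/*.service ${DESTDIR}${SYSTEMD_SERVICE_DIR}
+# 默认不安装 deepin-locale-helper.service,只有显式开启时才保留
+ifneq ($(INSTALL_LOCALE_HELPER), 1)
+rm -f ${DESTDIR}${SYSTEMD_SERVICE_DIR}/deepin-locale-helper.service;
+rm -f ${DESTDIR}${PREFIX}/share/dbus-1/system-services/org.deepin.dde.LocaleHelper1.service;
+rm -f ${DESTDIR}${PREFIX}/share/polkit-1/actions/org.deepin.dde.locale-helper.policy;
+rm -f ${DESTDIR}${PREFIX}/share/dbus-1/system.d/org.deepin.dde.LocaleHelper1.conf;
+endif
 
 mkdir -pv ${DESTDIR}${PREFIX}/share/icons/hicolor
 cp -R misc/icons/* ${DESTDIR}${PREFIX}/share/icons/hicolor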
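Review bot: The new rule file is copied to `${DESTDIR}/var/lib/polkit-1/rules.d/` (new lines 137-138), which is not a directory stock polkit reads rules from; it scans `/etc/polkit-1/rules.d` and `/usr/share/polkit-1/rules.d`, and the `/var/lib` path was only valid for the old pkla local-authority backend. Unless the target polkit build is patched to scan that path, the rule never loads and the action stays at its `auth_admin_keep` default. Consider `mkdir -pv ${DESTDIR}${PREFIX}/share/polkit-1/rules.d` and `cp misc/polkit-rules/*.rules ${DESTDIR}${PREFIX}/share/polkit-1/rules.d/`. Separately, the `rm -f` lines at 147-150 only remove files that were copied earlier in `install-binary`; the hunk does not show where the dbus-1 `system-services` and `system.d` files are installed, so confirm they are not copied after this point, otherwise the helper remains activatable with `INSTALL_LOCALE_HELPER=0`.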

archlinux/deepin-api.install

Lines changed: 0 additions & 16 deletions
This file was deleted.

archlinux/deepin-api.sysusers

Lines changed: 0 additions & 1 deletion
This file was deleted.

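--- a/debian/dde-api.postinst
+++ b/debian/dde-api.postinst
@@ -3,9 +3,6 @@
 
 set -e
 
-player_user=deepin-sound-player
-player_home=/var/lib/$player_user
-
 themeDir="/boot/grub/themes/deepin"
 fallbackThemeDir=$themeDir-fallback
 adjustGrubThemeBin="/usr/lib/deepin-api/adjust-grub-theme"
@@ -45,17 +42,6 @@ adjustGrubTheme () {
 
 case "$1" in
 configure)
-if ! getent group $player_user >/dev/null; then
-addgroup --quiet --system $player_user
-fi
-if ! getent passwd $player_user >/dev/null; then
-adduser --quiet --system --ingroup $player_user --home $player_home $player_user
-adduser --quiet $player_user audio
-fi
-
-runuser -u $player_user -- mkdir -p $player_home/.config/pulse
-runuser - deepin-sound-player -s /bin/sh -c "echo 'autospawn = no' > $player_home/.config/pulse/client.conf"
-
 adjustGrubTheme
 setupFallbackTheme
 ;;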

debian/dde-api.postrm

Lines changed: 0 additions & 14 deletions
This file was deleted.

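--- a/debian/rules
+++ b/debian/rules
@@ -14,10 +14,12 @@ endif
 dh $@ --buildsystem=makefile
 
 override_dh_auto_install:
-dh_auto_install
+cp -f misc/sysusers/deepin-daemon.conf debian/deepin-daemon.sysusers
+dh_installsysusers --name=deepin-daemon
+dh_auto_install -- INSTALL_LOCALE_HELPER=1
 
 override_dh_strip:
 dh_strip --dbgsym-migration=dde-api-dbg
 
 override_dh_installsystemd:
-dh_installsystemd --no-start
+dh_installsystemd --no-start --no-restart-on-upgrade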
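Review bot: `dh_auto_install -- INSTALL_LOCALE_HELPER=1` (new line 19) turns the locale helper on unconditionally for every build made from this debian/ directory, while the commit description says the service should only be packaged for deepin and uos. The lines above the hunk are not visible, so a vendor conditional may already exist there; if not, consider gating the flag on a vendor check such as `dpkg-vendor --derives-from <vendor>` and passing `INSTALL_LOCALE_HELPER=0` otherwise. Also, `cp -f misc/sysusers/deepin-daemon.conf debian/deepin-daemon.sysusers` writes a generated file into debian/ that nothing visible here removes on clean; listing it in `debian/clean` would keep the source tree reproducible.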

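--- a/misc/conf/org.deepin.dde.SoundThemePlayer1.conf
+++ b/misc/conf/org.deepin.dde.SoundThemePlayer1.conf
@@ -5,8 +5,8 @@
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
 <busconfig>
 
-<!-- Only user deepin-sound-player can own the service -->
-<policy user="deepin-sound-player">
+<!-- Only user deepin-daemon can own the service -->
+<policy user="deepin-daemon">
 <allow own="org.deepin.dde.SoundThemePlayer1"/>
 </policy>
 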
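Review bot: Ownership of `org.deepin.dde.SoundThemePlayer1` moves from a dedicated account to `deepin-daemon` (new lines 8-9); if that account also runs other DDE services, any of them can now claim this bus name, so the policy isolates the player less than before. The comment could say so explicitly, e.g. `<!-- deepin-daemon is shared with other DDE services; any of them may own this name -->`, if that is the intended trade-off. The removed postinst also added the old user to the `audio` group and wrote `autospawn = no` into its pulse `client.conf`; the sysusers file that replaces it is not shown on this page, so confirm `deepin-daemon` gets equivalent setup and no broader group membership than the player needs.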

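--- a/misc/polkit-action/org.deepin.dde.device.unblock-bluetooth-devices.policy.in
+++ b/misc/polkit-action/org.deepin.dde.device.unblock-bluetooth-devices.policy.in
@@ -14,5 +14,6 @@
 <allow_inactive>no</allow_inactive>
 <allow_active>auth_admin_keep</allow_active>
 </defaults>
+<annotate key="org.freedesktop.policykit.owner">unix-user:deepin-daemon</annotate>
 </action>
 </policyconfig>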
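Review bot: The added `org.freedesktop.policykit.owner` annotation (new line 17) has no comment explaining why `deepin-daemon` needs it. The annotation lets that non-root account ask polkit whether other users' processes are authorized for this action, so the file should record which service does the check. Suggest a comment above it along the lines of `<!-- the service that checks this action runs as deepin-daemon, not root -->`, adjusted to name the actual service, which is not visible in this hunk.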

misc/polkit-localauthority/org.deepin.dde.device.pkla

Lines changed: 0 additions & 6 deletions
This file was deleted.
Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
polkit.addRule(function(action, subject) {
2+
if (action.id === "org.deepin.dde.device.unblock-bluetooth-devices" &&
3+
subject.isInGroup("sudo") &&
4+
subject.active) {
5+
return polkit.Result.YES;
6+
}
7+
});
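Review bot: The rule returns `polkit.Result.YES` for any active subject in the hard-coded group `sudo` (line 3), which removes the admin password prompt that the action's `auth_admin_keep` default would otherwise require. On systems where administrators are in a different group it silently never matches. Adding `subject.local &&` to the condition would restrict the grant to local sessions. A header comment should state that the rule replaces the deleted `org.deepin.dde.device.pkla` and why unblocking without authentication is acceptable for this group. The new file's name is not shown on the page.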
