Commit 9604bb7
committed
fix: enhance service security with systemd hardening
Added security hardening options to the deepin-update-log-copy@.service
file to improve system security and limit potential attack surfaces.
The changes include enabling NoNewPrivileges to prevent privilege
escalation, setting ProtectSystem=strict to protect system directories,
and configuring specific ReadWritePaths to restrict file system access.
Additional protections include restricting kernel module loading and
real-time scheduling access.
Log: Enhanced security for update log copy service with systemd
hardening features
Influence:
1. Verify update log copy functionality still works correctly
2. Test service operation with different user accounts
3. Confirm log files are properly copied to designated paths
4. Validate service cannot access unauthorized system areas
5. Test service behavior under restricted privilege conditions
fix: 增强服务安全性,添加 systemd 加固选项
为 deepin-update-log-copy@.service 文件添加了安全加固选项,以提高系统
安全性并限制潜在攻击面。更改包括启用 NoNewPrivileges 防止权限提升,设置
ProtectSystem=strict 保护系统目录,以及配置特定的 ReadWritePaths 限制文
件系统访问。其他保护措施包括限制内核模块加载和实时调度访问。
Log: 通过 systemd 加固功能增强了更新日志复制服务的安全性
Influence:
1. 验证更新日志复制功能是否正常工作
2. 使用不同用户账户测试服务操作
3. 确认日志文件正确复制到指定路径
4. 验证服务无法访问未经授权的系统区域
5. 测试在受限权限条件下的服务行为1 parent 97922fc commit 9604bb7
1 file changed
+24
-0
lines changed| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
7 | 7 | | |
8 | 8 | | |
9 | 9 | | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
0 commit comments