Commit cdcce22

fix: enhance systemd service security hardening (#206)
Added comprehensive security hardening options to the deepin-update-[email protected] systemd unit file. The changes are organized in three phases based on priority and potential impact. Phase 1 includes high-priority security configurations that can be implemented immediately, such as protecting kernel tunables, clock settings, and restricting SUID/SGID binaries. Phase 2 contains medium-priority configurations that require testing before full implementation. Phase 3 includes additional security measures with some options commented out due to specific service requirements, like accessing /tmp/deepin-update-ui and D-Bus communication needs.

These security enhancements are necessary to reduce the attack surface and improve the overall security posture of the update log copy service by restricting privileges, protecting system resources, and limiting potential exploitation vectors.

Log: Enhanced security hardening for update log copy service

Influence:
1. Test update log copying functionality to ensure it works with new security restrictions
2. Verify service can still access required resources like /tmp/deepin-update-ui
3. Confirm D-Bus communication remains functional with restricted address families
4. Check that kernel module and tunable protections don't interfere with normal operations
5. Validate that real-time scheduling restrictions don't impact performance
6. Test service behavior with private devices and IPC namespaces

Translated from the Chinese portion of the message:

fix: enhance systemd service security hardening

Added comprehensive security hardening options to the [email protected] systemd unit file. These changes are divided into three phases by priority and potential impact. Phase 1 contains high-priority security configurations that can be implemented immediately, such as protecting kernel tunables, clock settings, and restricting SUID/SGID binaries. Phase 2 contains medium-priority configurations that can only be fully implemented after testing. Phase 3 contains additional security measures, some of which are commented out because of specific service requirements, such as the need to access /tmp/deepin-update-ui and D-Bus communication needs.

These security enhancements are necessary to reduce the attack surface and improve the overall security posture of the update log copy service by restricting privileges, protecting system resources, and limiting potential exploitation vectors.

Log: Enhanced security hardening for the update log copy service

Influence:
1. Test the update log copying functionality to make sure it works correctly under the new security restrictions
2. Verify that the service can still access required resources such as /tmp/deepin-update-ui
3. Confirm that D-Bus communication still works normally with restricted address families
4. Check whether kernel module and tunable protections interfere with normal operation
5. Verify whether real-time scheduling restrictions affect performance
6. Test service behavior under private device and IPC namespaces
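The Influence checklist above is a runtime test plan; a static check is useful before that, to see which hardening directives a unit actually sets and which were only considered and commented out. The script below is an added example, not code from the deepin-update-ui project: it parses the [Service] section of a unit file and classifies each directive from this commit as enabled, explicitly disabled, commented out or absent. The embedded unit text is constructed from the diff on this page with assumed [Unit]/[Service] headers; the checklist, the extra ProtectHome entry and the two warning heuristics are the example's own choices.

```python
"""Audit a systemd unit's [Service] section for hardening directives.

Added example (not part of the deepin-update-ui project): reports which of the
directives touched by the commit are enabled, explicitly disabled, present only
as a commented-out line, or absent, and raises two reviewer-style warnings.
"""
import re
from typing import Dict, List, Set, Tuple

# Directives from the diff, plus ProtectHome (an assumed addition) so that the
# "missing" bucket is exercised on the sample.
HARDENING = [
    "NoNewPrivileges", "ProtectSystem", "ProtectHome", "ProtectKernelModules",
    "RestrictRealtime", "ProtectKernelTunables", "ProtectClock",
    "MemoryDenyWriteExecute", "RestrictSUIDSGID", "PrivateDevices", "PrivateIPC",
    "PrivateTmp", "ProtectControlGroups", "ProtectHostname", "LockPersonality",
    "RestrictNamespaces", "RestrictAddressFamilies",
]

# Spellings systemd accepts for a boolean "off".
FALSE_VALUES = {"no", "false", "0", "off"}

# Constructed sample: the lines of the hunk on this page with assumed section headers.
SAMPLE_UNIT = """\
[Unit]
Description=constructed sample approximating the unit in the diff

[Service]
ExecStart=/usr/libexec/deepin-update-ui/copy-update-log.sh %i
User=root
StandardOutput=journal
StandardError=journal

# Security hardening
NoNewPrivileges=yes
# ProtectSystem=true
ProtectKernelModules=yes
RestrictRealtime=yes
ProtectKernelTunables=yes
ProtectClock=yes
MemoryDenyWriteExecute=yes
RestrictSUIDSGID=yes
PrivateDevices=yes
PrivateIPC=yes
# PrivateTmp=yes # commented out: the service needs /tmp/deepin-update-ui
ProtectControlGroups=yes
ProtectHostname=yes
LockPersonality=yes
RestrictNamespaces=yes
# RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 # commented out: may affect D-Bus
"""

DIRECTIVE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)=(.*)$")


def parse_service_section(text: str) -> Tuple[Dict[str, List[str]], Set[str]]:
    """Return (active directives, commented-out directive names) for [Service].

    Values are kept as lists because systemd lets some directives repeat and
    treats the last assignment as authoritative. A line starting with '#' or ';'
    is a comment; if what follows looks like Key=Value, the key is recorded as
    "considered but disabled" rather than silently dropped.
    """
    active: Dict[str, List[str]] = {}
    commented: Set[str] = set()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service":
            continue
        is_comment = line[0] in "#;"
        if is_comment:
            line = line[1:].strip()
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if is_comment:
            commented.add(key)
        else:
            active.setdefault(key, []).append(value)
    return active, commented


def audit(text: str) -> Dict[str, List[str]]:
    """Classify each HARDENING directive and collect reviewer-style warnings."""
    active, commented = parse_service_section(text)
    report: Dict[str, List[str]] = {
        "enabled": [], "disabled": [], "commented_out": [], "missing": [], "warnings": []
    }
    for name in HARDENING:
        if name in active:
            last = active[name][-1].lower()  # last assignment wins; empty value resets
            bucket = "disabled" if last == "" or last in FALSE_VALUES else "enabled"
            report[bucket].append(name)
        elif name in commented:
            report["commented_out"].append(name)
        else:
            report["missing"].append(name)
    # An absent User= means root, so treat absence the same as User=root.
    if active.get("User", ["root"])[-1] == "root" and "ProtectSystem" not in report["enabled"]:
        report["warnings"].append(
            "service runs as root without ProtectSystem=: the filesystem is fully writable")
    if "RestrictAddressFamilies" in report["commented_out"]:
        report["warnings"].append(
            "RestrictAddressFamilies only commented out: D-Bus uses AF_UNIX, which the "
            "proposed value already allows")
    return report


if __name__ == "__main__":
    for bucket, names in audit(SAMPLE_UNIT).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

On a machine with systemd installed, the authoritative view is `systemd-analyze security <unit>`, which scores the unit as it is actually loaded, including drop-ins; the script above is only for reviewing a unit file in isolation.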
1 parent b356100 commit cdcce22

File tree

1 file changed

+24
-0
lines changed


src/dde-update/misc/[email protected]

Lines changed: 24 additions & 0 deletions
@@ -7,3 +7,27 @@ ExecStart=/usr/libexec/deepin-update-ui/copy-update-log.sh %i
77
User=root
88
StandardOutput=journal
99
StandardError=journal
10+
11+
# Security hardening
12+
NoNewPrivileges=yes
13+
# ProtectSystem=true
14+
ProtectKernelModules=yes
15+
RestrictRealtime=yes
16+
17+
# Phase 1: High priority security configurations (immediate implementation)
18+
ProtectKernelTunables=yes
19+
ProtectClock=yes
20+
MemoryDenyWriteExecute=yes
21+
RestrictSUIDSGID=yes
22+
23+
# Phase 2: Medium priority security configurations (implement after testing)
24+
PrivateDevices=yes
25+
PrivateIPC=yes
26+
27+
# Phase 3: Additional security configurations
28+
# PrivateTmp=yes # 注释掉:服务需要访问 /tmp/deepin-update-ui
29+
ProtectControlGroups=yes
30+
ProtectHostname=yes
31+
LockPersonality=yes
32+
RestrictNamespaces=yes
33+
# RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 # 注释掉:可能影响D-Bus通信
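Review bot: the commented-out ProtectSystem=true at line 13 carries no reason, unlike the other two disabled directives (PrivateTmp at line 28 and RestrictAddressFamilies at line 33, which each explain themselves); since the unit still runs with User=root, a read-only view of the filesystem is the single most valuable directive in this set, so either enable it (ProtectSystem=strict together with ReadWritePaths= for the location the copy script writes to) or document why it cannot be. Two related points: the "Phase 2 ... (implement after testing)" heading at line 23 contradicts PrivateDevices=yes and PrivateIPC=yes being enabled in this same hunk, so either drop the heading or leave those two lines commented until the Influence checklist in the commit message has been run; and the justification for disabling RestrictAddressFamilies does not hold as written, because D-Bus talks over Unix domain sockets and AF_UNIX is already in the proposed value, so that line can be enabled as-is. For PrivateTmp, the /tmp/deepin-update-ui dependency can be met without giving up the private /tmp, either by binding that one directory into the namespace with BindPaths=/tmp/deepin-update-ui or by moving the handoff to a RuntimeDirectory= under /run.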

0 commit comments
