fix: enhance service security with systemd hardening

[fly602]

fix: enhance systemd service security hardening
Added comprehensive security hardening options to the deepin-update-
[email protected] systemd unit file. The changes are organized in three
phases based on priority and potential impact. Phase 1 includes high-
priority security configurations that can be implemented immediately,
such as protecting kernel tunables, clock settings, and restricting
SUID/SGID binaries. Phase 2 contains medium-priority configurations that
require testing before full implementation. Phase 3 includes additional
security measures with some options commented out due to specific
service requirements, like accessing /tmp/deepin-update-ui and D-Bus
communication needs.

These security enhancements are necessary to reduce the attack surface
and improve the overall security posture of the update log copy service
by restricting privileges, protecting system resources, and limiting
potential exploitation vectors.

Log: Enhanced security hardening for update log copy service

Influence:

1. Test update log copying functionality to ensure it works with new
   security restrictions
2. Verify service can still access required resources like /tmp/deepin-
   update-ui
3. Confirm D-Bus communication remains functional with restricted
   address families
4. Check that kernel module and tunable protections don't interfere with
   normal operations
5. Validate that real-time scheduling restrictions don't impact
   performance
6. Test service behavior with private devices and IPC namespaces

fix: 增强 systemd 服务安全加固

为 [email protected] systemd 单元文件添加了全面的安全加固
选项。这些更改按优先级和潜在影响分为三个阶段。第一阶段包含可立即实施的
高优先级安全配置，如保护内核可调参数、时钟设置和限制 SUID/SGID 二进制文
件。第二阶段包含需要测试后才能完全实施的中等优先级配置。第三阶段包含额
外的安全措施，其中一些选项因特定服务需求而被注释掉，例如需要访问 /tmp/
deepin-update-ui 和 D-Bus 通信需求。

这些安全增强对于减少攻击面、通过限制权限、保护系统资源和限制潜在利用向量
来提高更新日志复制服务的整体安全态势是必要的。

Log: 增强更新日志复制服务的安全加固

Influence:

1. 测试更新日志复制功能，确保在新安全限制下正常工作
2. 验证服务仍能访问所需资源，如 /tmp/deepin-update-ui
3. 确认在受限地址族情况下 D-Bus 通信仍能正常进行
4. 检查内核模块和可调参数保护是否干扰正常操作
5. 验证实时调度限制是否影响性能
6. 测试服务在私有设备和 IPC 命名空间下的行为

[deepin-bot]

TAG Bot

New tag: 1.0.38
DISTRIBUTION: unstable
Suggest: synchronizing this PR through rebase #208

[deepin-ci-robot]

deepin pr auto review

我来对这个 systemd 服务单元文件的修改进行审查：

1. 安全性改进分析：

• 优点：添加了多层安全加固配置，遵循了最小权限原则
• 分阶段实施策略合理，优先实现高优先级的安全配置

2. 具体配置审查：

高优先级配置（已启用）：

• NoNewPrivileges=yes：防止进程获取新权限，合理
• ProtectKernelTunables=yes：保护内核参数，合理
• ProtectClock=yes：保护系统时钟，合理
• MemoryDenyWriteExecute=yes：防止内存执行，合理
• RestrictSUIDSGID=yes：限制SUID/SGID，合理

中等优先级配置（已启用）：

• PrivateDevices=yes：隔离设备访问，合理
• PrivateIPC=yes：隔离IPC，合理

其他配置：

• ProtectControlGroups=yes：合理
• ProtectHostname=yes：合理
• LockPersonality=yes：合理
• RestrictNamespaces=yes：合理

3. 注释掉的配置分析：

• PrivateTmp：注释掉是正确的，因为服务需要访问特定临时目录
• RestrictAddressFamilies：注释掉是正确的，避免影响D-Bus通信

4. 改进建议：

a) 建议添加以下配置：

# 限制文件系统访问
ProtectHome=yes
ProtectSystem=strict
ReadWritePaths=/tmp/deepin-update-ui

# 限制网络访问
# 如果不需要网络访问，可以添加：
# PrivateNetwork=yes

# 限制系统调用
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM

b) 建议添加服务超时限制：

TimeoutStartSec=5min
TimeoutStopSec=30s

c) 建议添加资源限制：

MemoryMax=100M
TasksMax=100

5. 总体评价：

• 安全加固措施合理且全面
• 分阶段实施策略得当
• 注释说明清晰
• 建议按照上述建议进一步完善配置

这些改进将进一步提高服务的安全性，同时保持必要的功能可用性。建议在测试环境验证所有配置后再部署到生产环境。

[deepin-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: fly602, mhduiy

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• debian/deepin/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[deepin-bot]

TAG Bot

New tag: 1.0.39
DISTRIBUTION: unstable
Suggest: synchronizing this PR through rebase #215