chore: systemd hardening

zsien · zsien · commit 972f0bffaa93 · 2024-06-25T17:56:48.000+08:00
加固 dbus 进程
diff --git a/debian/rules b/debian/rules
@@ -20,4 +20,6 @@ export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed
 
 
 override_dh_auto_install:
-	dh_auto_install -- prefix=/usr
+	dh_auto_install -- prefix=/usr
+	dh_installsysusers deepin-face.sysusers
+	dh_installtmpfiles deepin-face.tmpfiles
diff --git a/debian/sysusers b/debian/sysusers
@@ -0,0 +1,10 @@
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+
+#Type Name               ID                  GECOS              Home directory Shell
+u     deepin-face        -                   -
+m     deepin-face        video
diff --git a/debian/tmpfiles b/debian/tmpfiles
@@ -0,0 +1,2 @@
+#Type Path                      Mode User        Group       Age         Argument
+f     /var/log/deepin-face.log  0644 deepin-face deepin-face -           -
diff --git a/msic/dbus-conf/org.deepin.dde.Face1.conf b/msic/dbus-conf/org.deepin.dde.Face1.conf
@@ -6,7 +6,7 @@
 <busconfig>
 
   <!-- Only root can own the service -->
-  <policy user="root">
+  <policy user="deepin-face">
     <allow own="org.deepin.dde.Face1"/>
   </policy>
 
diff --git a/msic/systemd/deepin-face.service b/msic/systemd/deepin-face.service
@@ -1,9 +1,39 @@
 [Unit]
 Description=Deepin Face Authenticate Driver 
 
+# Ask for the dbus socket.
+Wants=dbus.socket
+After=dbus.socket
+
 [Service]
-User=root
 Type=dbus
+User=deepin-face
 BusName=org.deepin.dde.Face1
 ExecStart=/usr/libexec/deepin-face
 
+ReadOnlyPaths=/usr/share/seetaface-models/
+ReadWritePaths=/var/log/deepin-face.log
+
+DeviceAllow=char-video4linux
+DevicePolicy=closed
+
+ProtectSystem=full
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+PrivateNetwork=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+
+[Install]
+Alias=dbus-org.deepin.dde.Face1.service

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+#Type Path Mode User Group Age Argument`
	`2`	`+f /var/log/deepin-face.log 0644 deepin-face deepin-face - -`