chore: harden systemd service security

[fly602]

Added security hardening options to the application update notifier systemd service:

1. ProtectSystem=strict - Prevents writing to system directories
2. PrivateNetwork=yes - Isolates the service from network access
3. RestrictAddressFamilies=AF_UNIX - Limits socket communication to local Unix sockets only
4. NoNewPrivileges=yes - Prevents the service from gaining additional privileges

These security measures follow systemd best practices to minimize the service's attack surface and contain potential security breaches by restricting filesystem access, network capabilities, and privilege escalation.

Influence:

1. Verify the update notifier service starts correctly with new restrictions
2. Test that application update notifications still function properly
3. Confirm the service cannot access network resources
4. Validate that file system operations are properly restricted
5. Check that privilege escalation attempts are blocked

chore: 增强 systemd 服务安全性

为应用程序更新通知器的 systemd 服务添加安全加固选项：

1. ProtectSystem=strict - 防止写入系统目录
2. PrivateNetwork=yes - 隔离服务与网络访问
3. RestrictAddressFamilies=AF_UNIX - 限制套接字通信仅限本地 Unix 套接字
4. NoNewPrivileges=yes - 防止服务获取额外权限

这些安全措施遵循 systemd 最佳实践，通过限制文件系统访问、网络能力和权限
提升来最小化服务的攻击面并遏制潜在的安全漏洞。

Influence:

1. 验证更新通知器服务在新增限制下能正确启动
2. 测试应用程序更新通知功能是否正常工作
3. 确认服务无法访问网络资源
4. 验证文件系统操作是否被正确限制
5. 检查权限提升尝试是否被阻止

Summary by Sourcery

Enhancements:

• Tighten filesystem, network, and privilege-related security options on the application update notifier systemd unit to follow systemd hardening best practices.

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Hardens the Application Update Notifier systemd service by adding several security-focused unit options that restrict filesystem access, networking, socket address families, and privilege escalation, following systemd hardening best practices.

File-Level Changes

Change	Details	Files
Tightened systemd service security configuration for the application update notifier.	Added ProtectSystem=strict to prevent the service from modifying system directories Enabled PrivateNetwork=yes to isolate the service from host network access Restricted allowed socket address families to AF_UNIX to limit communication to local Unix sockets Set NoNewPrivileges=yes to block the service and its children from gaining additional privileges	apps/app-update-notifier/misc/systemd/system/org.desktopspec.ApplicationUpdateNotifier1.service.in

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've left some high level feedback:

• Given ProtectSystem=strict and the likely need to write state somewhere, consider explicitly declaring StateDirectory=/CacheDirectory=/RuntimeDirectory= (or otherwise ensuring writable paths under /var are clearly defined) so future changes don’t accidentally break the service’s ability to persist data.
• You might want to complement the existing hardening with other low-risk systemd protections that usually don’t interfere with D-Bus–only services, such as ProtectHome=yes, PrivateTmp=yes, and ProtectKernelTunables=yes, if they are compatible with how the notifier runs.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- Given `ProtectSystem=strict` and the likely need to write state somewhere, consider explicitly declaring `StateDirectory=`/`CacheDirectory=`/`RuntimeDirectory=` (or otherwise ensuring writable paths under `/var` are clearly defined) so future changes don’t accidentally break the service’s ability to persist data.
- You might want to complement the existing hardening with other low-risk systemd protections that usually don’t interfere with D-Bus–only services, such as `ProtectHome=yes`, `PrivateTmp=yes`, and `ProtectKernelTunables=yes`, if they are compatible with how the notifier runs.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[deepin-ci-robot]

deepin pr auto review

这是一个针对systemd服务单元文件的安全加固补丁，我来详细分析一下改进的各个方面：

1. 语法逻辑：

   • 语法完全正确，符合systemd服务单元文件的规范
   • 新增的安全选项都放在文件末尾，结构清晰

2. 代码质量：

   • 添加了注释说明这是安全加固配置，提高了可读性
   • 每个安全选项都单独一行，便于维护和审查

3. 安全性改进：

   • ProtectSystem=strict：提供最严格的系统保护，将服务限制在只读模式下运行，防止对系统文件进行修改
   • PrivateNetwork=yes：禁用网络访问，防止服务进行不必要的网络通信
   • RestrictAddressFamilies=AF_UNIX：只允许UNIX域套接字通信，限制网络地址族的使用
   • NoNewPrivileges=yes：防止进程通过setuid等机制获取新的权限

4. 性能影响：

   • 这些安全限制对性能影响很小
   • PrivateNetwork和RestrictAddressFamilies可能会限制某些功能，但对于一个更新通知服务来说是合适的

建议：

1. 考虑添加以下额外的安全加固选项：

   ProtectHome=yes
   ProtectKernelTunables=yes
   ProtectControlGroups=yes
   RestrictRealtime=yes
   

2. 如果服务需要访问某些特定的系统路径，可以考虑使用：

   ReadWritePaths=/path/to/needed/directory
   

3. 建议在提交信息中详细说明这些安全加固的必要性和影响

总的来说，这是一个很好的安全加固补丁，显著提高了服务的安全性，同时保持了服务的核心功能。这些改进符合最小权限原则，有效降低了潜在的安全风险。

[deepin-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: fly602, zccrs

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• debian/deepin/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[zccrs]

为什么obs构建失败了