From 829669e2cd08e876d181eda55fd76b130c23c33b Mon Sep 17 00:00:00 2001
From: fuleyi
Date: Mon, 22 Dec 2025 10:00:17 +0800
Subject: [PATCH] chore: harden systemd service security
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Added security hardening options to the application update notifier systemd service:

1. ProtectSystem=strict - Prevents writing to system directories
2. PrivateNetwork=yes - Isolates the service from network access
3. RestrictAddressFamilies=AF_UNIX - Limits socket communication to local Unix sockets only
4. NoNewPrivileges=yes - Prevents the service from gaining additional privileges

These security measures follow systemd best practices to minimize the service's attack surface and contain potential security breaches by restricting filesystem access, network capabilities, and privilege escalation.

Influence:
1. Verify the update notifier service starts correctly with new restrictions
2. Test that application update notifications still function properly
3. Confirm the service cannot access network resources
4. Validate that file system operations are properly restricted
5. Check that privilege escalation attempts are blocked

chore: harden systemd service security

Add security hardening options to the systemd service of the application update notifier:

1. ProtectSystem=strict - Prevents writing to system directories
2. PrivateNetwork=yes - Isolates the service from network access
3. RestrictAddressFamilies=AF_UNIX - Restricts socket communication to local Unix sockets only
4. NoNewPrivileges=yes - Prevents the service from acquiring additional privileges

These security measures follow systemd best practices: by restricting filesystem access, network capabilities and privilege escalation they minimize the service's attack surface and contain potential security vulnerabilities.

Influence:
1. Verify that the update notifier service starts correctly under the added restrictions
2. Test whether application update notifications still work properly
3. Confirm that the service cannot access network resources
4. Verify that file system operations are properly restricted
5. Check that privilege escalation attempts are blocked
---
 .../org.desktopspec.ApplicationUpdateNotifier1.service.in | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/apps/app-update-notifier/misc/systemd/system/org.desktopspec.ApplicationUpdateNotifier1.service.in b/apps/app-update-notifier/misc/systemd/system/org.desktopspec.ApplicationUpdateNotifier1.service.in
index dea1acf2..88ba1643 100644
--- a/apps/app-update-notifier/misc/systemd/system/org.desktopspec.ApplicationUpdateNotifier1.service.in +++ b/apps/app-update-notifier/misc/systemd/system/org.desktopspec.ApplicationUpdateNotifier1.service.in @@ -11,3 +11,9 @@ User=deepin-daemon Group=deepin-daemon BusName=org.desktopspec.ApplicationUpdateNotifier1 ExecStart=@CMAKE_INSTALL_FULL_LIBEXECDIR@/deepin/application-manager/app-update-notifier + +# Security hardening +ProtectSystem=strict +PrivateNetwork=yes +RestrictAddressFamilies=AF_UNIX +NoNewPrivileges=yes
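Review bot: ProtectSystem=strict in this hunk mounts the entire file system hierarchy read-only for the service (only /dev, /proc and /sys stay writable), so any state or cache that app-update-notifier writes as User=deepin-daemon will now fail with EROFS rather than being "properly restricted"; if the notifier persists anything, declare it next to the new lines with `StateDirectory=` / `CacheDirectory=` or an explicit `ReadWritePaths=`, and check the journal after a restart before merging. Two related things to verify: RestrictAddressFamilies=AF_UNIX also denies AF_NETLINK, which some toolkit network-state monitors open at startup, so watch for EAFNOSUPPORT errors in the journal; and PrivateNetwork=yes leaves the unit with only a private loopback, which is fine for the BusName= D-Bus activation over the system bus Unix socket but means the service can never reach a network source itself, which matches the commit message's intent and is worth stating in the `# Security hardening` comment so a later maintainer does not "fix" it. `systemd-analyze security org.desktopspec.ApplicationUpdateNotifier1.service` gives a quick before/after score for the four directives.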