feat: 对org.deepin.dde.PasswdConf1服务进行安全加固

通过配置systemd service,限制进程的权限范围,提升安全性； Task: https://pms.uniontech.com/task-view-361195.html
linuxdeepin · Sep 2, 2024 · 78489c6 · 78489c6
1 parent 3da10e2
commit 78489c6
Show file tree

Hide file tree

Showing 7 changed files with 49 additions and 4 deletions.
diff --git a/Makefile b/Makefile
@@ -74,6 +74,8 @@ install: translate
 	cp out/bin/deepin-pw-check ${DESTDIR}${PREFIX}/lib/deepin-pw-check/
 	mkdir -p ${DESTDIR}${PREFIX}/share/polkit-1/actions
 	cp -r misc/polkit-action/*.policy ${DESTDIR}${PREFIX}/share/polkit-1/actions
+	mkdir -p ${DESTDIR}/lib/systemd/system
+	cp  misc/systemd-service/deepin-passwd-conf.service ${DESTDIR}/lib/systemd/system/
 
 test: $(addprefix unit_test/, $(SRCS_C)) clean_test
 

diff --git a/debian/compat b/debian/compat
diff --git a/debian/control b/debian/control
@@ -3,7 +3,7 @@ Section: devel
 Priority: optional
 Maintainer: Deepin Packages Builder <[email protected]>
 Build-Depends:
- debhelper (>= 9),
+ debhelper-compat (= 11),
  libcrack2-dev,
  libpam-dev,
  libiniparser-dev,

diff --git a/debian/deepin-pw-check.tmpfiles b/debian/deepin-pw-check.tmpfiles
@@ -0,0 +1,2 @@
+#Type Path                  Mode User  Group Age         Argument
+d     /etc/deepin/dde.conf  0644 root  root  -           -
diff --git a/debian/rules b/debian/rules
@@ -21,3 +21,7 @@ override_dh_link:
 		usr/lib/libdeepin_pw_check.so
 	dh_link -plibdeepin-pw-check usr/lib/libdeepin_pw_check.so.1.1 \
 		usr/lib/libdeepin_pw_check.so.1
+
+override_dh_auto_install:
+	dh_auto_install
+	dh_installtmpfiles deepin-pw-check.tmpfiles
diff --git a/misc/system-services/org.deepin.dde.PasswdConf1.service b/misc/system-services/org.deepin.dde.PasswdConf1.service
@@ -1,4 +1,4 @@
 [D-BUS Service]
 Name=org.deepin.dde.PasswdConf1
-Exec=/usr/lib/deepin-pw-check/deepin-pw-check
-User=root
+Exec=/bin/false
+SystemdService=deepin-passwd-conf.service
diff --git a/misc/systemd-service/deepin-passwd-conf.service b/misc/systemd-service/deepin-passwd-conf.service
@@ -0,0 +1,38 @@
+[Unit]
+Description=Deepin password check config service
+
+[Service]
+Type=dbus
+BusName=com.deepin.daemon.PasswdConf
+# TODO /etc/deepin/dde.conf使用方确认后修改为deepin-daemon
+User=root
+ExecStart=/usr/lib/deepin-pw-check/deepin-pw-check
+StandardOutput=null
+StandardError=journal
+
+ProtectSystem=strict
+
+InaccessiblePaths=-/etc/shadow
+InaccessiblePaths=-/etc/NetworkManager/system-connections
+InaccessiblePaths=-/etc/pam.d
+InaccessiblePaths=-/usr/share/uadp/
+
+ReadWritePaths=-/etc/deepin/dde.conf
+
+NoNewPrivileges=yes
+ProtectHome=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+PrivateMounts=yes
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+# 需要读取sender数据
+#PrivateUsers=yes
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictRealtime=yes
+RemoveIPC=yes
+# 和golang -pie参数冲突，导致进程无法启动
+#MemoryDenyWriteExecute=yes