feat: harden the org.deepin.dde.PasswdConf1 service
Restrict the process's privilege scope by configuring a systemd service, improving security; Task: https://pms.uniontech.com/task-view-361195.html
echengqi committed Sep 2, 2024
1 parent 3da10e2, commit 78489c6
Showing 7 changed files with 49 additions and 4 deletions.
This file was deleted.
@@ -3,7 +3,7 @@ Section: devel | |
Priority: optional | ||
Maintainer: Deepin Packages Builder <[email protected]> | ||
Build-Depends: | ||
debhelper (>= 9), | ||
debhelper-compat (= 11), | ||
libcrack2-dev, | ||
libpam-dev, | ||
libiniparser-dev, | ||
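Review bot: switching Build-Depends from `debhelper (>= 9)` to `debhelper-compat (= 11)` requires that debian/compat no longer exists, since debhelper refuses to build when the compat level is declared in both places; this commit shows one deleted file, so confirm that it is debian/compat. Separately, the tmpfiles.d snippet added in this commit is only applied by systemd-tmpfiles-setup at boot, so unless the packaging runs `systemd-tmpfiles --create` in postinst, /etc/deepin/dde.conf will not exist until the next reboot and the unit's ReadWritePaths= entry (prefixed with `-`) will be silently skipped.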
@@ -0,0 +1,2 @@ | ||
#Type Path Mode User Group Age Argument | ||
d /etc/deepin/dde.conf 0644 root root - - |
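Review bot: `d /etc/deepin/dde.conf 0644 root root - -` creates a directory named dde.conf with mode 0644, which cannot be traversed because the execute bit is missing, while the unit file in this same commit treats /etc/deepin/dde.conf as a configuration file in ReadWritePaths=. Decide which it is: for a file use a file-creating type such as `f /etc/deepin/dde.conf 0644 root root - -`; for a directory keep `d` but use mode 0755. Either way, 0644 makes the content world-readable, which is fine only if the password-policy configuration holds no secrets.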
@@ -1,4 +1,4 @@ | ||
[D-BUS Service] | ||
Name=org.deepin.dde.PasswdConf1 | ||
Exec=/usr/lib/deepin-pw-check/deepin-pw-check | ||
User=root | ||
Exec=/bin/false | ||
SystemdService=deepin-passwd-conf.service |
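Review bot: with `SystemdService=deepin-passwd-conf.service` the bus daemon delegates activation to systemd and only falls back to `Exec=/bin/false`, which fails without any diagnostic. The diff does not show the file name under which the new unit is installed, so confirm it is exactly deepin-passwd-conf.service and that this activation file is installed as a system service (system-services directory), otherwise requests for org.deepin.dde.PasswdConf1 will simply fail to activate. The unit started this way must also acquire the name given in `Name=` here; see the note on the unit file's BusName=.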
@@ -0,0 +1,38 @@ | ||
[Unit] | ||
Description=Deepin password check config service | ||
|
||
[Service] | ||
Type=dbus | ||
BusName=com.deepin.daemon.PasswdConf | ||
# TODO /etc/deepin/dde.conf使用方确认后修改为deepin-daemon | ||
User=root | ||
ExecStart=/usr/lib/deepin-pw-check/deepin-pw-check | ||
StandardOutput=null | ||
StandardError=journal | ||
|
||
ProtectSystem=strict | ||
|
||
InaccessiblePaths=-/etc/shadow | ||
InaccessiblePaths=-/etc/NetworkManager/system-connections | ||
InaccessiblePaths=-/etc/pam.d | ||
InaccessiblePaths=-/usr/share/uadp/ | ||
|
||
ReadWritePaths=-/etc/deepin/dde.conf | ||
|
||
NoNewPrivileges=yes | ||
ProtectHome=yes | ||
ProtectKernelTunables=yes | ||
ProtectKernelModules=yes | ||
ProtectControlGroups=yes | ||
PrivateMounts=yes | ||
PrivateTmp=yes | ||
PrivateDevices=yes | ||
PrivateNetwork=yes | ||
# 需要读取sender数据 | ||
#PrivateUsers=yes | ||
RestrictNamespaces=yes | ||
LockPersonality=yes | ||
RestrictRealtime=yes | ||
RemoveIPC=yes | ||
# 和golang -pie参数冲突,导致进程无法启动 | ||
#MemoryDenyWriteExecute=yes |
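Review bot: `BusName=com.deepin.daemon.PasswdConf` does not match the `Name=org.deepin.dde.PasswdConf1` that the D-Bus activation file in this commit refers to; with `Type=dbus`, systemd considers the unit started only once the process owns the name in BusName=, so unless deepin-pw-check claims both names the activation request for org.deepin.dde.PasswdConf1 will time out. Align the two, e.g. `BusName=org.deepin.dde.PasswdConf1`. Also, while the service still runs as root (the TODO on the `User=` line), no `CapabilityBoundingSet=` is set, so the process keeps CAP_SYS_ADMIN and the mount-based restrictions (ProtectSystem=, InaccessiblePaths=, ProtectHome=) are not a hard boundary inside its private mount namespace; `NoNewPrivileges=yes` prevents gaining privileges but does not drop existing capabilities. Until the user switch lands, add a `CapabilityBoundingSet=` limited to what the checker actually needs, plus `SystemCallArchitectures=native` and `RestrictAddressFamilies=AF_UNIX` (the bus connection is a unix socket and `PrivateNetwork=yes` already removes the rest).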