feat: use deepin-immutable-ctrl to wrap and call locale-gen

mhduiy · mhduiy · commit 94611c2d7c32 · 2025-06-23T20:39:26.000+08:00
Avoiding permission issues caused by immutable systems

Log: use `deepin-immutable-ctrl` to wrap and call `locale-gen`
diff --git a/locale-helper/main.go b/locale-helper/main.go
@@ -11,15 +11,17 @@ import (
 
 	"github.com/linuxdeepin/go-lib/dbusutil"
 	"github.com/linuxdeepin/go-lib/log"
+	dutils "github.com/linuxdeepin/go-lib/utils"
 )
 
 //go:generate dbusutil-gen em -type Helper
 
 const (
-	dbusServiceName = "org.deepin.dde.LocaleHelper1"
-	dbusPath        = "/org/deepin/dde/LocaleHelper1"
-	dbusInterface   = dbusServiceName
-	localeGenBin    = "/usr/sbin/locale-gen"
+	dbusServiceName       = "org.deepin.dde.LocaleHelper1"
+	dbusPath              = "/org/deepin/dde/LocaleHelper1"
+	dbusInterface         = dbusServiceName
+	localeGenBin          = "/usr/sbin/locale-gen"
+	deepinImmutableCtlBin = "/usr/sbin/deepin-immutable-ctl"
 )
 
 type Helper struct {
@@ -90,10 +92,32 @@ func (h *Helper) canQuit() bool {
 }
 
 func (h *Helper) doGenLocale() error {
-	return exec.Command(localeGenBin).Run()
+	if !dutils.IsFileExist(deepinImmutableCtlBin) {
+		logger.Warning("deepin-immutable-ctl not found, use locale-gen directly")
+		return exec.Command(localeGenBin).Run()
+	} else {
+		// TODO 在磐石适配 locale-gen 前使用 deepin-immutable-ctl 执行 locale-gen，否则有权限问题
+		output, err := exec.Command(deepinImmutableCtlBin, "admin", "exec", localeGenBin).CombinedOutput()
+		if err != nil {
+			logger.Warning("deepin-immutable-ctl exec locale-gen failed, err:", err, "output:", string(output))
+			return err
+		}
+		return nil
+	}
 }
 
 // locales version <= 2.13
 func (h *Helper) doGenLocaleWithParam(locale string) error {
-	return exec.Command(localeGenBin, locale).Run()
+	if !dutils.IsFileExist(deepinImmutableCtlBin) {
+		logger.Warning("deepin-immutable-ctl not found, use locale-gen directly")
+		return exec.Command(localeGenBin, locale).Run()
+	} else {
+		// TODO 在磐石适配 locale-gen 前使用 deepin-immutable-ctl 执行 locale-gen，否则有权限问题
+		output, err := exec.Command(deepinImmutableCtlBin, "admin", "exec", "--", localeGenBin, locale).CombinedOutput()
+		if err != nil {
+			logger.Warning("deepin-immutable-ctl exec locale-gen failed, err:", err, "output:", string(output))
+			return err
+		}
+		return nil
+	}
 }
diff --git a/misc/systemd/system/deepin-locale-helper.service b/misc/systemd/system/deepin-locale-helper.service
@@ -12,12 +12,14 @@ ExecStart=/usr/lib/deepin-api/locale-helper
 
 ReadWritePaths=/etc/default/locale
 ReadWritePaths=/etc/locale.gen
-ReadWritePaths=/usr/lib/locale/
-ExecPaths=/usr/sbin/locale-gen
+
+# Temporary workaround: ReadWritePaths conflicts with deepin-immutable-ctl
+# TODO: Remove this comment when immutable system wraps locale-gen properly
+# ReadWritePaths=/usr/lib/locale/
 
 DevicePolicy=closed
 
-ProtectSystem=full
+ProtectSystem=strict
 ProtectHome=yes
 PrivateTmp=yes
 PrivateDevices=yes
@@ -29,7 +31,11 @@ ProtectKernelModules=yes
 ProtectKernelLogs=yes
 ProtectControlGroups=yes
 RestrictAddressFamilies=AF_UNIX
-RestrictNamespaces=yes
+
+# Need to call /usr/sbin/deepin-immutable-ctl command
+# TODO: Remove this comment when immutable system wraps locale-gen properly
+# RestrictNamespaces=yes
+
 LockPersonality=yes
 RestrictRealtime=yes
 RestrictSUIDSGID=yes
