feat: dde-api安全整改，音效服务用户改成deepin-daemon

 /lib/systemd/system/deepin-sound-theme-player.service User不应该再使用deepin-sound-player

Log: dde-api安全整改
PMS: TASK-369021

Author: fly602

archlinux/deepin-api.install

@@ -3,9 +3,6 @@
 
 set -e
 
-player_user=deepin-sound-player
-player_home=/var/lib/$player_user
-
 themeDir="/boot/grub/themes/deepin"
 fallbackThemeDir=$themeDir-fallback
 adjustGrubThemeBin="/usr/lib/deepin-api/adjust-grub-theme"
@@ -45,17 +42,6 @@ adjustGrubTheme () {
 
 case "$1" in
     configure)
-        if ! getent group $player_user >/dev/null; then
-            addgroup --quiet --system $player_user
-        fi
-        if ! getent passwd $player_user >/dev/null; then
-            adduser --quiet --system --ingroup $player_user --home $player_home $player_user
-            adduser --quiet $player_user audio
-        fi
-
-        runuser -u $player_user -- mkdir -p $player_home/.config/pulse
-        runuser - deepin-sound-player -s /bin/sh -c "echo 'autospawn = no' > $player_home/.config/pulse/client.conf"
-
         adjustGrubTheme
         setupFallbackTheme
     ;;

archlinux/deepin-api.sysusers

@@ -5,8 +5,8 @@
  "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
 <busconfig>
 
-  <!-- Only user deepin-sound-player can own the service -->
-  <policy user="deepin-sound-player">
+  <!-- Only user deepin-daemon can own the service -->
+  <policy user="deepin-daemon">
     <allow own="org.deepin.dde.SoundThemePlayer1"/>
   </policy>
 

debian/dde-api.postinst

@@ -1,5 +1,5 @@
 [D-BUS Service]
 Name=org.deepin.dde.SoundThemePlayer1
 Exec=/usr/lib/deepin-api/sound-theme-player
-User=deepin-sound-player
+User=deepin-daemon
 SystemdService=dbus-org.deepin.dde.SoundThemePlayer1.service

debian/dde-api.postrm

@@ -17,23 +17,32 @@ ExecStart=/usr/lib/deepin-api/device
 DeviceAllow=/dev/rfkill rw
 DevicePolicy=closed
 
-ProtectSystem=full
+ProtectSystem=strict
+
+InaccessiblePaths=/etc/shadow
+InaccessiblePaths=-/etc/NetworkManager/system-connections
+InaccessiblePaths=-/etc/pam.d
+InaccessiblePaths=-/usr/share/uadp/
+
+NoNewPrivileges=yes
 ProtectHome=yes
-PrivateTmp=yes
-#PrivateDevices=yes
-PrivateNetwork=yes
-ProtectHostname=yes
-ProtectClock=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
-ProtectKernelLogs=yes
 ProtectControlGroups=yes
-RestrictAddressFamilies=AF_UNIX
+PrivateMounts=yes
+PrivateTmp=yes
+# 需要操作rfkill
+#PrivateDevices=yes
+PrivateNetwork=yes
+# 需要读取/proc的exe字段数据
+#PrivateUsers=yes
 RestrictNamespaces=yes
 LockPersonality=yes
 RestrictRealtime=yes
-RestrictSUIDSGID=yes
 RemoveIPC=yes
+# 和golang -pie参数冲突，导致进程无法启动
+#MemoryDenyWriteExecute=yes
+MemoryLimit=100M
 
 [Install]
 Alias=dbus-org.deepin.dde.Device1.service

misc/conf/org.deepin.dde.SoundThemePlayer1.conf

@@ -5,7 +5,8 @@ After=dbus.service lightdm.service
 
 [Service]
 Type=oneshot
-User=deepin-sound-player
+User=deepin-daemon
+Environment=HOME=/var/lib/deepin-sound-player
 ExecStart=/usr/bin/dbus-send --system --print-reply --dest=org.deepin.dde.SoundThemePlayer1 /org/deepin/dde/SoundThemePlayer1 org.deepin.dde.SoundThemePlayer1.PlaySoundDesktopLogin
 RemainAfterExit=yes
 
@@ -28,3 +29,6 @@ LockPersonality=yes
 RestrictRealtime=yes
 RestrictSUIDSGID=yes
 RemoveIPC=yes
+
+[Install]
+WantedBy=multi-user.target

misc/system-services/org.deepin.dde.SoundThemePlayer1.service

@@ -7,13 +7,14 @@ Before=shutdown.target
 
 [Service]
 Type=simple
-User=deepin-sound-player
+User=deepin-daemon
+Environment=HOME=/var/lib/deepin-sound-player
 ExecStart=/usr/bin/true
 ExecStop=/usr/lib/deepin-api/deepin-shutdown-sound
 RemainAfterExit=yes
 TimeoutStopSec=7s
 
-ReadOnlyPaths=/var/lib/deepin-sound-player
+StateDirectory=deepin-sound-player
 BindReadOnlyPaths=-/tmp/deepin-shutdown-sound.json
 
 DeviceAllow=char-alsa rw
@@ -36,3 +37,6 @@ LockPersonality=yes
 RestrictRealtime=yes
 RestrictSUIDSGID=yes
 RemoveIPC=yes
+
+[Install]
+WantedBy=graphical.target

misc/systemd/system/deepin-api-device.service

@@ -11,7 +11,8 @@ After=dbus.socket
 [Service]
 Type=dbus
 BusName=org.deepin.dde.SoundThemePlayer1
-User=deepin-sound-player
+User=deepin-daemon
+Environment=HOME=/var/lib/deepin-sound-player
 ExecStart=/usr/lib/deepin-api/sound-theme-player
 
 StateDirectory=deepin-sound-player