
Commit 433d39a

committed
feat: enhance security and resource limits
- Harden systemd service with restrictive security settings
- Add memory limits, IO weight, and OOM protection
- Restrict file system access with ProtectSystem and ProtectHome
- Define explicit read/write/exec paths and capabilities

Log: enhance security and resource limits for diskmanager service.
1 parent ae4bb9f commit 433d39a

2 files changed

Lines changed: 44 additions & 2 deletions


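--- a/.gitignore
+++ b/.gitignore
@@ -11,6 +11,7 @@ build
 .cursorindexingignore
 .specstory/
 .claude/*
+.auto-claude/
 
 # debian output
 debian/.debhelper/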

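--- a/service/assets/data/diskmanager-daemon.service
+++ b/service/assets/data/diskmanager-daemon.service
@@ -6,8 +6,49 @@ After=local-fs.target udisks2.service
 Type=dbus
 BusName=com.deepin.diskmanager
 ExecStart=/usr/lib/deepin-daemon/deepin-diskmanager-service
-CapabilityBoundingSet=~CAP_NET_RAW
-MemoryMax=8G
+User=root
+StandardOutput=journal
+MemoryMax=1G
+IOWeight=200
+ProtectSystem=full
+ProtectHome=true
+ProtectProc=invisible
+PrivateTmp=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=false
+NoNewPrivileges=true
+MemoryDenyWriteExecute=true
+RestrictSUIDSGID=true
+LimitMEMLOCK=infinity
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SYS_RAWIO CAP_SYS_PTRACE CAP_MKNOD CAP_CHOWN CAP_FOWNER CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FSETID CAP_KILL CAP_SETFCAP CAP_NET_RAW CAP_IPC_LOCK CAP_SYS_RESOURCE CAP_SYS_NICE CAP_LINUX_IMMUTABLE
+AmbientCapabilities=CAP_SYS_ADMIN CAP_SYS_RAWIO CAP_SYS_PTRACE CAP_MKNOD CAP_CHOWN CAP_FOWNER CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FSETID CAP_KILL CAP_SETFCAP CAP_NET_RAW CAP_IPC_LOCK CAP_SYS_RESOURCE CAP_SYS_NICE CAP_LINUX_IMMUTABLE
+InaccessiblePaths=-/etc/shadow
+InaccessiblePaths=-/etc/NetworkManager/system-connections/
+InaccessiblePaths=-/etc/pam.d/
+InaccessiblePaths=-/etc/security/
+InaccessiblePaths=-/etc/selinux/
+InaccessiblePaths=-/etc/deepin-elf-verify/
+InaccessiblePaths=-/etc/filearmor.d/
+InaccessiblePaths=-/sysroot/ostree/repo/
+InaccessiblePaths=-/persistent/ostree/repo/
+InaccessiblePaths=-/usr/share/uadp
+InaccessiblePaths=-/etc/sudoers
+InaccessiblePaths=-/etc/sudoers.d
+InaccessiblePaths=-/root
+InaccessiblePaths=-/var/cache
+ReadWritePaths=/var/log/deepin
+ReadWritePaths=/tmp
+ReadWritePaths=/var/tmp
+ReadWritePaths=/media
+ReadWritePaths=/mnt
+ReadOnlyPaths=/etc/fstab
+ReadOnlyPaths=/etc/crypttab
+ReadOnlyPaths=/etc/udev/rules.d
+ExecPaths=/usr/bin /usr/sbin /bin /sbin /lib /usr/lib /proc /sys
+NoExecPaths=/home /root
+OOMScoreAdjust=-500
+Nice=-5
 
 [Install]
 WantedBy=multi-user.target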
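Review bot: The new CapabilityBoundingSet= and AmbientCapabilities= lines grant CAP_NET_RAW, which the removed `CapabilityBoundingSet=~CAP_NET_RAW` had deliberately dropped; nothing in this unit suggests a disk-management daemon needs raw sockets, so the regression should be reverted by deleting `CAP_NET_RAW` from both lists. `PrivateDevices=true` also contradicts that list: systemd documents that it hides physical block devices from /dev and strips CAP_MKNOD and CAP_SYS_RAWIO from the bounding set, so either the daemon never opens /dev/sd* itself (and those two capabilities can go) or PrivateDevices= must be dropped — please verify which before shipping. With `User=root` the `AmbientCapabilities=` line has no effect and merely duplicates the bounding set; remove it, or add a comment stating it is kept for a future non-root User=. Because CAP_SYS_ADMIN is retained, the ProtectSystem=/ReadOnlyPaths=/InaccessiblePaths= mounts can be undone by the service itself (systemd.exec recommends `CapabilityBoundingSet=~CAP_SYS_ADMIN` or `SystemCallFilter=~@mount` for them to hold), so a comment in the unit should say these are defense-in-depth against bugs rather than a hard boundary, and CAP_SYS_PTRACE and CAP_DAC_OVERRIDE should be kept only if the daemon demonstrably uses them.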
