feat: Add security restriction configurations to all service files

- Use the deepin-daemon user to run services whenever possible,
  reducing privilege risks;
- Add a D-Bus policy to allow the deepin-daemon user to invoke the
  HandleSystemEvent method;
- Deny users other than root and deepin-daemon from calling
  HandleSystemEvent, strengthening access control;
- Remove the unused update-metadata-info service.

Task: https://pms.uniontech.com/task-view-385069.html

Author: electricface

debian/lastore-daemon.postinst

@@ -10,7 +10,6 @@ case "$1" in
             [ -e /lib/systemd/dbus-org.deepin.dde.Lastore1.service ] && rm /lib/systemd/system/dbus-org.deepin.dde.Lastore1.service || true
         fi
         systemctl daemon-reload || true
-        /var/lib/lastore/scripts/update_metadata_info || true
         /var/lib/lastore/scripts/build_system_info || true
         # Fix the problem that the machine id is the same after the system is installed.
         if [ -f /etc/machine-id ] && grep -q "a5fa4f1b04514009830c73f3b1f1dd4c" /etc/machine-id; then

lib/systemd/system/lastore-abort-auto-download.service

@@ -3,5 +3,20 @@ Description=System Update Auto Download Abort Service
 Wants=lastore-daemon.service
 
 [Service]
+CapabilityBoundingSet=
+ExecStart=/usr/bin/dbus-send --system --print-reply --dest=org.deepin.dde.Lastore1 /org/deepin/dde/Lastore1 org.deepin.dde.Lastore1.Manager.HandleSystemEvent string:AbortAutoDownload
+InaccessiblePaths=-/etc/shadow -/etc/pam.d/ -/etc/NetworkManager/system-connections/ -/etc/security/ -/etc/selinux/ -/etc/deepin-elf-verify/ -/etc/filearmor.d/ -/etc/crypttab -/etc/fstab -/sysroot/ostree/repo/ -/persistent/ostree/repo/
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateIPC=true
+PrivateTmp=true
+ProtectClock=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictSUIDSGID=true
 Type=oneshot
-ExecStart=/usr/bin/dbus-send --system --print-reply --dest=org.deepin.dde.Lastore1 /org/deepin/dde/Lastore1 org.deepin.dde.Lastore1.Manager.HandleSystemEvent string:AbortAutoDownload
+User=deepin-daemon

lib/systemd/system/lastore-after-upgrade-check.service

@@ -3,8 +3,26 @@ Description=generate config file for check system
 Before=display-manager.service
 
 [Service]
-Type=oneshot
+
+# PrivateTmp=true is not set because it needs to use /tmp to save state
+
+CapabilityBoundingSet=
 ExecStart=/var/lib/lastore/scripts/gen_upgrade_check_config.sh
+InaccessiblePaths=-/etc/shadow -/etc/pam.d/ -/etc/NetworkManager/system-connections/ -/etc/security/ -/etc/selinux/ -/etc/deepin-elf-verify/ -/etc/filearmor.d/ -/etc/crypttab -/etc/fstab -/sysroot/ostree/repo/ -/persistent/ostree/repo/
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateIPC=true
+ProtectClock=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/tmp/
+RestrictSUIDSGID=true
+Type=oneshot
+User=deepin-daemon
 
 [Install]
 WantedBy=multi-user.target

lib/systemd/system/lastore-auto-download.service

@@ -3,5 +3,19 @@ Description=System Update Auto Download Service
 Wants=lastore-daemon.service
 
 [Service]
+CapabilityBoundingSet=
+ExecStart=/usr/bin/dbus-send --system --print-reply --dest=org.deepin.dde.Lastore1 /org/deepin/dde/Lastore1 org.deepin.dde.Lastore1.Manager.HandleSystemEvent string:AutoDownload
+InaccessiblePaths=-/etc/shadow -/etc/pam.d/ -/etc/NetworkManager/system-connections/ -/etc/security/ -/etc/selinux/ -/etc/deepin-elf-verify/ -/etc/filearmor.d/ -/etc/crypttab -/etc/fstab -/sysroot/ostree/repo/ -/persistent/ostree/repo/
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateIPC=true
+PrivateTmp=true
+ProtectClock=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RestrictSUIDSGID=true
 Type=oneshot
-ExecStart=/usr/bin/dbus-send --system --print-reply --dest=org.deepin.dde.Lastore1 /org/deepin/dde/Lastore1 org.deepin.dde.Lastore1.Manager.HandleSystemEvent string:AutoDownload
+User=deepin-daemon

lib/systemd/system/lastore-build-system-info.service

@@ -2,9 +2,28 @@
 Description=Build system info
 
 [Service]
-Type=idle
-StartLimitInterval=10s
-StartLimitBurst=20
-RestartSec=5s
-Restart=on-failure
+
+# MemoryDenyWriteExecute=true is not set because the script calls lastore-tools (a Go program compiled with -pie option) which would fail.
+
+CapabilityBoundingSet=
 ExecStart=/var/lib/lastore/scripts/build_system_info -now
+InaccessiblePaths=-/etc/shadow -/etc/pam.d/ -/etc/NetworkManager/system-connections/ -/etc/security/ -/etc/selinux/ -/etc/deepin-elf-verify/ -/etc/filearmor.d/ -/etc/crypttab -/etc/fstab -/sysroot/ostree/repo/ -/persistent/ostree/repo/
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateIPC=true
+PrivateTmp=true
+ProtectClock=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/var/
+Restart=on-failure
+RestartSec=5s
+RestrictSUIDSGID=true
+StartLimitBurst=20
+StartLimitInterval=10s
+StateDirectory=lastore
+Type=idle
+User=deepin-daemon

lib/systemd/system/lastore-daemon.service

@@ -3,12 +3,28 @@ Description=Deepin Lastore Daemon
 After=display-manager.service
 
 [Service]
-Type=dbus
+
+# CapabilityBoundingSet= is not set because it would cause apt execution errors, such as setegid and other operations failing due to insufficient permissions.
+# InaccessiblePaths is not set because dpkg needs to be called to upgrade the system.
+# MemoryDenyWriteExecute=yes is not set because this is a Go program compiled with -pie option, which would prevent the process from starting.
+# PrivateDevices=true is not set because grub-mkconfig is executed when creating backup deployment.
+# PrivateTmp=true is not set because it relies on /tmp to record state.
+# ProtectHome=true is not set because sudo is needed to connect to the user Session Bus and send DDE message notifications.
+# ProtectKernelModules=true is not set because kernel packages need to be installed
+# ProtectProc=true is not set because it needs to access caller process environment variables.
+# ProtectSystem=strict is not set because dpkg needs to be called to upgrade the system.
+# RestrictSUIDSGID=true is not set because some packages may need to set SUID and SGID during installation.
+# StateDirectory=lastore is not set because it would conflict with the ownership of smartmirror-daemon and build-system-info services, which need to be owned by deepin-daemon, and enabling this would set the owner to root.
+
 BusName=org.deepin.dde.Lastore1
-ExecStart=/usr/libexec/lastore-daemon/lastore-daemon
-StandardOutput=null
-StandardError=null
-StateDirectory=lastore
 CacheDirectory=lastore
+ExecStart=/usr/libexec/lastore-daemon/lastore-daemon
+NoNewPrivileges=true
+PrivateIPC=true
+ProtectClock=true
+ProtectKernelTunables=true
 RuntimeDirectory=lastore
-RuntimeDirectoryMode=0750
+RuntimeDirectoryMode=0750
+StandardError=null
+StandardOutput=null
+Type=dbus

lib/systemd/system/lastore-smartmirror-daemon.service

@@ -5,35 +5,31 @@ Wants=dbus.socket
 After=dbus.socket
 
 [Service]
-Type=dbus
+# Cannot set PrivateNetwork=yes because network access is required.
+# Cannot set MemoryDenyWriteExecute=yes because this is a Go program compiled with -pie option, which would prevent the process from starting.
 BusName=org.deepin.dde.Lastore1.Smartmirror
-User=deepin-daemon
+CapabilityBoundingSet=
 ExecStart=/usr/libexec/lastore-daemon/lastore-smartmirror-daemon
-StandardOutput=null
-StandardError=journal
-
-ProtectSystem=strict
-StateDirectory=lastore
-InaccessiblePaths=/etc/shadow
-InaccessiblePaths=-/etc/NetworkManager/system-connections
-InaccessiblePaths=-/etc/pam.d
-InaccessiblePaths=-/usr/share/uadp/
-
+InaccessiblePaths=-/etc/shadow -/etc/pam.d/ -/etc/NetworkManager/system-connections/ -/etc/security/ -/etc/selinux/ -/etc/deepin-elf-verify/ -/etc/filearmor.d/ -/etc/crypttab -/etc/fstab -/sysroot/ostree/repo/ -/persistent/ostree/repo/
+LockPersonality=yes
 NoNewPrivileges=yes
-ProtectHome=yes
-ProtectKernelTunables=yes
-ProtectKernelModules=yes
-ProtectControlGroups=yes
+PrivateDevices=yes
+PrivateIPC=true
 PrivateMounts=yes
 PrivateTmp=yes
-PrivateDevices=yes
-# 需要联网
-#PrivateNetwork=yes
 PrivateUsers=yes
+ProtectClock=true
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+RemoveIPC=yes
 RestrictNamespaces=yes
-LockPersonality=yes
 RestrictRealtime=yes
-RemoveIPC=yes
-# 和golang -pie参数冲突，导致进程无法启动
-#MemoryDenyWriteExecute=yes
-#MemoryLimit=100M
+RestrictSUIDSGID=true
+StandardError=journal
+StandardOutput=null
+StateDirectory=lastore
+Type=dbus
+User=deepin-daemon

lib/systemd/system/lastore-update-metadata-info.service

@@ -38,7 +38,6 @@ type systemdEventType string
 const (
 	AutoCheck              systemdEventType = "AutoCheck"
 	AutoClean              systemdEventType = "AutoClean"
-	UpdateInfosChanged     systemdEventType = "UpdateInfosChanged"
 	OsVersionChanged       systemdEventType = "OsVersionChanged"
 	InitIdleDownload       systemdEventType = "InitIdleDownload"
 	AutoDownload           systemdEventType = "AutoDownload"
@@ -335,16 +334,6 @@ func (m *Manager) getNextUpdateDelay() time.Duration {
 }
 
 func (m *Manager) delHandleSystemEvent(sender dbus.Sender, eventType string) error {
-	uid, err := m.service.GetConnUID(string(sender))
-	if err != nil {
-		logger.Warning(err)
-		return dbusutil.ToError(err)
-	}
-	if uid != 0 && systemdEventType(eventType) != OsVersionChanged {
-		err = fmt.Errorf("%q is not allowed to trigger system event", uid)
-		logger.Warning(err)
-		return dbusutil.ToError(err)
-	}
 	m.service.DelayAutoQuit()
 	typ := systemdEventType(eventType)
 	switch typ {
@@ -363,9 +352,6 @@ func (m *Manager) delHandleSystemEvent(sender dbus.Sender, eventType string) err
 				logger.Warning(err)
 			}
 		}()
-	// case UpdateInfosChanged:
-	// 	logger.Info("UpdateInfos Changed")
-	// 	m.handleUpdateInfosChanged()
 	case OsVersionChanged:
 		go updateplatform.UpdateTokenConfigFile(m.config.IncludeDiskInfo)
 	case InitIdleDownload:

src/lastore-daemon/manager_unit.go

@@ -5,6 +5,8 @@
 package main
 
 import (
+	"os"
+
 	"github.com/linuxdeepin/lastore-daemon/src/internal/system"
 )
 
@@ -33,5 +35,8 @@ func (c *config) setEnable(enable bool) error {
 }
 
 func (c *config) save() error {
+	if err := os.Remove(c.filePath); err != nil && !os.IsNotExist(err) {
+		logger.Warning("remove config file failed:", err)
+	}
 	return system.EncodeJson(c.filePath, c)
 }