linuxdeepin · electricface · Dec 25, 2025 · Dec 22, 2025
diff --git a/debian/lastore-daemon.postinst b/debian/lastore-daemon.postinst
@@ -10,7 +10,6 @@ case "$1" in
             [ -e /lib/systemd/dbus-org.deepin.dde.Lastore1.service ] && rm /lib/systemd/system/dbus-org.deepin.dde.Lastore1.service || true
         fi
         systemctl daemon-reload || true
-        /var/lib/lastore/scripts/update_metadata_info || true
         /var/lib/lastore/scripts/build_system_info || true
         # Fix the problem that the machine id is the same after the system is installed.
         if [ -f /etc/machine-id ] && grep -q "a5fa4f1b04514009830c73f3b1f1dd4c" /etc/machine-id; then

diff --git a/lib/systemd/system/lastore-abort-auto-download.service b/lib/systemd/system/lastore-abort-auto-download.service
@@ -3,5 +3,20 @@ Description=System Update Auto Download Abort Service
 Wants=lastore-daemon.service
 
 [Service]
+CapabilityBoundingSet=
+ExecStart=/usr/bin/dbus-send --system --print-reply --dest=org.deepin.dde.Lastore1 /org/deepin/dde/Lastore1 org.deepin.dde.Lastore1.Manager.HandleSystemEvent string:AbortAutoDownload
+InaccessiblePaths=-/etc/shadow -/etc/pam.d/ -/etc/NetworkManager/system-connections/ -/etc/security/ -/etc/selinux/ -/etc/deepin-elf-verify/ -/etc/filearmor.d/ -/etc/crypttab -/etc/fstab -/sysroot/ostree/repo/ -/persistent/ostree/repo/
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateIPC=true
+PrivateTmp=true
+ProtectClock=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictSUIDSGID=true
 Type=oneshot
-ExecStart=/usr/bin/dbus-send --system --print-reply --dest=org.deepin.dde.Lastore1 /org/deepin/dde/Lastore1 org.deepin.dde.Lastore1.Manager.HandleSystemEvent string:AbortAutoDownload
+User=deepin-daemon
diff --git a/lib/systemd/system/lastore-after-upgrade-check.service b/lib/systemd/system/lastore-after-upgrade-check.service
@@ -3,8 +3,26 @@ Description=generate config file for check system
 Before=display-manager.service
 
 [Service]
-Type=oneshot
+
+# PrivateTmp=true is not set because it needs to use /tmp to save state
+
+CapabilityBoundingSet=
 ExecStart=/var/lib/lastore/scripts/gen_upgrade_check_config.sh
+InaccessiblePaths=-/etc/shadow -/etc/pam.d/ -/etc/NetworkManager/system-connections/ -/etc/security/ -/etc/selinux/ -/etc/deepin-elf-verify/ -/etc/filearmor.d/ -/etc/crypttab -/etc/fstab -/sysroot/ostree/repo/ -/persistent/ostree/repo/
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateIPC=true
+ProtectClock=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/tmp/
+RestrictSUIDSGID=true
+Type=oneshot
+User=deepin-daemon
 
 [Install]
 WantedBy=multi-user.target
diff --git a/lib/systemd/system/lastore-auto-download.service b/lib/systemd/system/lastore-auto-download.service
@@ -3,5 +3,19 @@ Description=System Update Auto Download Service
 Wants=lastore-daemon.service
 
 [Service]
+CapabilityBoundingSet=
+ExecStart=/usr/bin/dbus-send --system --print-reply --dest=org.deepin.dde.Lastore1 /org/deepin/dde/Lastore1 org.deepin.dde.Lastore1.Manager.HandleSystemEvent string:AutoDownload
+InaccessiblePaths=-/etc/shadow -/etc/pam.d/ -/etc/NetworkManager/system-connections/ -/etc/security/ -/etc/selinux/ -/etc/deepin-elf-verify/ -/etc/filearmor.d/ -/etc/crypttab -/etc/fstab -/sysroot/ostree/repo/ -/persistent/ostree/repo/
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateIPC=true
+PrivateTmp=true
+ProtectClock=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RestrictSUIDSGID=true
 Type=oneshot
-ExecStart=/usr/bin/dbus-send --system --print-reply --dest=org.deepin.dde.Lastore1 /org/deepin/dde/Lastore1 org.deepin.dde.Lastore1.Manager.HandleSystemEvent string:AutoDownload
+User=deepin-daemon
diff --git a/lib/systemd/system/lastore-build-system-info.service b/lib/systemd/system/lastore-build-system-info.service
@@ -2,9 +2,28 @@
 Description=Build system info
 
 [Service]
-Type=idle
-StartLimitInterval=10s
-StartLimitBurst=20
-RestartSec=5s
-Restart=on-failure
+
+# MemoryDenyWriteExecute=true is not set because the script calls lastore-tools (a Go program compiled with -pie option) which would fail.
+# ProtectProc=invisible is not set because the script uses pgrep to check if processes are running
+
+CapabilityBoundingSet=
 ExecStart=/var/lib/lastore/scripts/build_system_info -now
+InaccessiblePaths=-/etc/shadow -/etc/pam.d/ -/etc/NetworkManager/system-connections/ -/etc/security/ -/etc/selinux/ -/etc/deepin-elf-verify/ -/etc/filearmor.d/ -/etc/crypttab -/etc/fstab -/sysroot/ostree/repo/ -/persistent/ostree/repo/
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateIPC=true
+PrivateTmp=true
+ProtectClock=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadWritePaths=/var/
+Restart=on-failure
+RestartSec=5s
+RestrictSUIDSGID=true
+StartLimitBurst=20
+StartLimitInterval=10s
+StateDirectory=lastore
+Type=idle
+User=deepin-daemon
diff --git a/lib/systemd/system/lastore-daemon.service b/lib/systemd/system/lastore-daemon.service
@@ -3,12 +3,28 @@ Description=Deepin Lastore Daemon
 After=display-manager.service
 
 [Service]
-Type=dbus
+
+# CapabilityBoundingSet= is not set because it would cause apt execution errors, such as setegid and other operations failing due to insufficient permissions.
+# InaccessiblePaths is not set because dpkg needs to be called to upgrade the system.
+# MemoryDenyWriteExecute=yes is not set because this is a Go program compiled with -pie option, which would prevent the process from starting.
+# PrivateDevices=true is not set because grub-mkconfig is executed when creating backup deployment.
+# PrivateTmp=true is not set because it relies on /tmp to record state.
+# ProtectHome=true is not set because sudo is needed to connect to the user Session Bus and send DDE message notifications.
+# ProtectKernelModules=true is not set because kernel packages need to be installed
+# ProtectProc=true is not set because it needs to access caller process environment variables.
+# ProtectSystem=strict is not set because dpkg needs to be called to upgrade the system.
+# RestrictSUIDSGID=true is not set because some packages may need to set SUID and SGID during installation.
+# StateDirectory=lastore is not set because it would conflict with the ownership of smartmirror-daemon and build-system-info services, which need to be owned by deepin-daemon, and enabling this would set the owner to root.
+
 BusName=org.deepin.dde.Lastore1
-ExecStart=/usr/libexec/lastore-daemon/lastore-daemon
-StandardOutput=null
-StandardError=null
-StateDirectory=lastore
 CacheDirectory=lastore
+ExecStart=/usr/libexec/lastore-daemon/lastore-daemon
+NoNewPrivileges=true
+PrivateIPC=true
+ProtectClock=true
+ProtectKernelTunables=true
 RuntimeDirectory=lastore
-RuntimeDirectoryMode=0750
+RuntimeDirectoryMode=0750
+StandardError=null
+StandardOutput=null
+Type=dbus
diff --git a/lib/systemd/system/lastore-smartmirror-daemon.service b/lib/systemd/system/lastore-smartmirror-daemon.service
@@ -5,35 +5,31 @@ Wants=dbus.socket
 After=dbus.socket
 
 [Service]
-Type=dbus
+# Cannot set PrivateNetwork=yes because network access is required.
+# Cannot set MemoryDenyWriteExecute=yes because this is a Go program compiled with -pie option, which would prevent the process from starting.
 BusName=org.deepin.dde.Lastore1.Smartmirror
-User=deepin-daemon
+CapabilityBoundingSet=
 ExecStart=/usr/libexec/lastore-daemon/lastore-smartmirror-daemon
-StandardOutput=null
-StandardError=journal
-
-ProtectSystem=strict
-StateDirectory=lastore
-InaccessiblePaths=/etc/shadow
-InaccessiblePaths=-/etc/NetworkManager/system-connections
-InaccessiblePaths=-/etc/pam.d
-InaccessiblePaths=-/usr/share/uadp/
-
+InaccessiblePaths=-/etc/shadow -/etc/pam.d/ -/etc/NetworkManager/system-connections/ -/etc/security/ -/etc/selinux/ -/etc/deepin-elf-verify/ -/etc/filearmor.d/ -/etc/crypttab -/etc/fstab -/sysroot/ostree/repo/ -/persistent/ostree/repo/
+LockPersonality=yes
 NoNewPrivileges=yes
-ProtectHome=yes
-ProtectKernelTunables=yes
-ProtectKernelModules=yes
-ProtectControlGroups=yes
+PrivateDevices=yes
+PrivateIPC=true
 PrivateMounts=yes
 PrivateTmp=yes
-PrivateDevices=yes
-# 需要联网
-#PrivateNetwork=yes
 PrivateUsers=yes
+ProtectClock=true
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+RemoveIPC=yes
 RestrictNamespaces=yes
-LockPersonality=yes
 RestrictRealtime=yes
-RemoveIPC=yes
-# 和golang -pie参数冲突，导致进程无法启动
-#MemoryDenyWriteExecute=yes
-#MemoryLimit=100M
+RestrictSUIDSGID=true
+StandardError=journal
+StandardOutput=null
+StateDirectory=lastore
+Type=dbus
+User=deepin-daemon
diff --git a/lib/systemd/system/lastore-update-metadata-info.service b/lib/systemd/system/lastore-update-metadata-info.service
diff --git a/src/lastore-daemon/manager.go b/src/lastore-daemon/manager.go
@@ -662,9 +662,6 @@ func (m *Manager) handleAutoCheckEvent() error {
 			return err
 		}
 	}
-	if !m.config.DisableUpdateMetadata && !m.ImmutableAutoRecovery {
-		startUpdateMetadataInfoService()
-	}
 	return nil
 }
 

diff --git a/src/lastore-daemon/manager_unit.go b/src/lastore-daemon/manager_unit.go
@@ -10,6 +10,8 @@ import (
 	"fmt"
 	"math/rand"
 	"os/exec"
+	"os/user"
+	"strconv"
 	"strings"
 	"time"
 
@@ -26,6 +28,7 @@ const (
 	lastoreUnitCache = "/tmp/lastoreUnitCache"
 	run              = "systemd-run"
 	lastoreDBusCmd   = "dbus-send --system --print-reply --dest=org.deepin.dde.Lastore1 /org/deepin/dde/Lastore1 org.deepin.dde.Lastore1.Manager.HandleSystemEvent"
+	deepinDaemonUser = "deepin-daemon"
 )
 
 // isFirstBoot startOfflineTask执行前执行有效
@@ -38,7 +41,6 @@ type systemdEventType string
 const (
 	AutoCheck              systemdEventType = "AutoCheck"
 	AutoClean              systemdEventType = "AutoClean"
-	UpdateInfosChanged     systemdEventType = "UpdateInfosChanged"
 	OsVersionChanged       systemdEventType = "OsVersionChanged"
 	InitIdleDownload       systemdEventType = "InitIdleDownload"
 	AutoDownload           systemdEventType = "AutoDownload"
@@ -334,20 +336,45 @@ func (m *Manager) getNextUpdateDelay() time.Duration {
 	return remained + _minDelayTime
 }
 
+// isAllowedToTriggerSystemEvent checks if the uid is allowed to trigger system events
+func isAllowedToTriggerSystemEvent(uid uint32, eventType systemdEventType) bool {
+	// Allow regular users to trigger OsVersionChanged event
+	// TODO: This should be fixed in the future to only allow restricted users to trigger this event.
+	if eventType == OsVersionChanged {
+		return true
+	}
+
+	// Allow root user for all operations
+	if uid == 0 {
+		return true
+	}
+
+	// Allow deepin-daemon user for all operations
+	if u, err := user.Lookup(deepinDaemonUser); err == nil {
+		if daemonUID, err := strconv.ParseUint(u.Uid, 10, 32); err == nil && uid == uint32(daemonUID) {
+			return true
+		}
+	}
+
+	return false
+}
+
 func (m *Manager) delHandleSystemEvent(sender dbus.Sender, eventType string) error {
 	uid, err := m.service.GetConnUID(string(sender))
 	if err != nil {
 		logger.Warning(err)
 		return dbusutil.ToError(err)
 	}
-	if uid != 0 && systemdEventType(eventType) != OsVersionChanged {
-		err = fmt.Errorf("%q is not allowed to trigger system event", uid)
+
+	evType := systemdEventType(eventType)
+	if !isAllowedToTriggerSystemEvent(uid, evType) {
+		err = fmt.Errorf("uid %d is not allowed to trigger system event %v", uid, evType)
 		logger.Warning(err)
 		return dbusutil.ToError(err)
 	}
+
 	m.service.DelayAutoQuit()
-	typ := systemdEventType(eventType)
-	switch typ {
+	switch evType {
 	case AutoCheck:
 		go func() {
 			err := m.handleAutoCheckEvent()
@@ -363,9 +390,6 @@ func (m *Manager) delHandleSystemEvent(sender dbus.Sender, eventType string) err
 				logger.Warning(err)
 			}
 		}()
-	// case UpdateInfosChanged:
-	// 	logger.Info("UpdateInfos Changed")
-	// 	m.handleUpdateInfosChanged()
 	case OsVersionChanged:
 		go updateplatform.UpdateTokenConfigFile(m.config.IncludeDiskInfo)
 	case InitIdleDownload:

diff --git a/src/lastore-daemon/updater.go b/src/lastore-daemon/updater.go
@@ -10,7 +10,6 @@ import (
 	"fmt"
 	"io/fs"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"strings"
 	"sync"
@@ -133,14 +132,6 @@ func NewUpdater(service *dbusutil.Service, m *Manager, config *Config) *Updater
 	return u
 }
 
-func startUpdateMetadataInfoService() {
-	logger.Info("start update metadata info service")
-	err := exec.Command("systemctl", "start", "lastore-update-metadata-info.service").Run()
-	if err != nil {
-		logger.Warningf("AutoCheck Update failed: %v", err)
-	}
-}
-
 func SetAPTSmartMirror(url string) error {
 	return os.WriteFile("/etc/apt/apt.conf.d/99mirrors.conf",
 		([]byte)(fmt.Sprintf("Acquire::SmartMirrors::MirrorSource %q;", url)),

diff --git a/src/lastore-smartmirror-daemon/config.go b/src/lastore-smartmirror-daemon/config.go
@@ -5,6 +5,8 @@
 package main
 
 import (
+	"os"
+
 	"github.com/linuxdeepin/lastore-daemon/src/internal/system"
 )
 
@@ -33,5 +35,8 @@ func (c *config) setEnable(enable bool) error {
 }
 
 func (c *config) save() error {
+	if err := os.Remove(c.filePath); err != nil && !os.IsNotExist(err) {
+		logger.Warning("remove config file failed:", err)
+	}
 	return system.EncodeJson(c.filePath, c)
 }