chore: enhance service security #102

Merged
deepin-bot[bot] merged 1 commit into linuxdeepin:master from re2zero:bugfix
Dec 25, 2025

Conversation

@re2zero
Contributor

@re2zero re2zero commented Dec 25, 2025

  • Update deepin-boot-maker.service with enhanced security settings
  • Replace StandardOutput=syslog with journal
  • Add comprehensive security restrictions and capabilities
  • Set MemoryMax instead of MemoryLimit
  • Configure various system call and path restrictions

Log: enhance service security.

Summary by Sourcery

Tighten the deepin-boot-maker systemd service configuration with stricter security and resource limits.

Enhancements:

  • Harden the deepin-boot-maker.service unit with additional security restrictions, capability controls, and syscall/path limitations.
  • Adjust service logging to use the systemd journal instead of syslog and update memory limit configuration to use MemoryMax.

Chores:

  • Update .gitignore entries related to service data or build artifacts as part of housekeeping.

@deepin-ci-robot

deepin pr auto review

Here is my detailed review of this diff:

  1. .gitignore change analysis:
  • Adds an ignore rule for the .auto-claude/ directory, which is reasonable since such auto-generated directories usually do not need version control.
  • The formatting is correct and follows .gitignore syntax.
  2. deepin-boot-maker.service change analysis:

Security improvements:
Strengths:

  • Adds multiple layers of security protection, such as ProtectSystem and ProtectKernelTunables
  • Restricts access to critical system files via InaccessiblePaths
  • Uses MemoryDenyWriteExecute to prevent memory execution attacks
  • Enables NoNewPrivileges to prevent privilege escalation
  • Restricts system calls (SystemCallFilter)

Potential issues:

  1. ProtectHome=false may be a security risk; it is recommended to state explicitly whether access to user home directories is really needed
  2. PrivateTmp=false may allow temporary file leakage; it is recommended to assess whether disabling it is really necessary
  3. ProtectKernelModules=false allows loading kernel modules, which may introduce security risk

Performance optimization:
Strengths:

  • MemoryMax=10G limits memory usage
  • IOWeight=200 reasonably controls the IO weight
  • OOMScoreAdjust=-500 reduces the probability of being killed by the OOM killer
  • Nice=-5 raises the process priority

Suggested improvements:

  1. SystemCallFilter is too strict and may affect normal functionality; testing to confirm is recommended
  2. The ExecPaths and NoExecPaths configuration needs to be verified to cover all necessary paths
  3. ReadWritePaths includes some sensitive paths (/dev); assessing the necessity is recommended

Other suggestions:

  1. The AmbientCapabilities=~CAP_SYS_BPF CAP_NET_ADMIN configuration needs documentation explaining the reason
  2. Adding Restart=on-failure is recommended to improve service reliability
  3. Adding TimeoutStartSec and TimeoutStopSec is recommended to prevent the service from hanging

Overall assessment:
This change significantly improves the service's security, reducing potential risk through multi-layered protection. However, some security options are configured too permissively (such as ProtectHome=false), and re-evaluating whether those settings are necessary is recommended. The performance optimization settings are reasonable and help keep the service running stably. Thorough testing before deployment is recommended to ensure all functionality works correctly.
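To make the checks in the review above repeatable, here is an added shell example (not code from the deepin-boot-maker project): a small linter that reads a unit's [Service] section and flags the settings the review called out (ProtectHome=false, PrivateTmp=false, ProtectKernelModules=false, and the missing Restart= and TimeoutStopSec=) together with the two deprecated directives the PR replaced (StandardOutput=syslog and MemoryLimit=). The two sample units are constructed for this example and are not the shipped unit; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not deepin-boot-maker project code. Lints a systemd unit for the
# points raised in review. Function names and sample units are hypothetical.

# Constructed "before" unit: deprecated directives plus the relaxed sandbox switches.
SAMPLE_BEFORE='[Unit]
Description=constructed sample, not the shipped unit

[Service]
Type=dbus
StandardOutput=syslog
MemoryLimit=10G
ProtectHome=false
PrivateTmp=false
ProtectKernelModules=false
'

# Constructed "after" unit: journal logging, MemoryMax, sandbox switches on,
# plus the reliability settings the review suggested.
SAMPLE_AFTER='[Unit]
Description=constructed sample, not the shipped unit

[Service]
Type=dbus
StandardOutput=journal
MemoryMax=10G
ProtectHome=true
PrivateTmp=true
ProtectKernelModules=true
NoNewPrivileges=true
Restart=on-failure
TimeoutStartSec=30
TimeoutStopSec=30
'

# unit_value UNIT_TEXT KEY: print the effective value of KEY in [Service].
# systemd applies the last assignment of a key, so the last one wins here too.
unit_value() {
    printf '%s\n' "$1" | awk -F= -v key="$2" '
        /^\[/                   { in_service = ($0 == "[Service]"); next }
        in_service && $1 == key { v = substr($0, length(key) + 2) }
        END                     { print v }'
}

# One check per line: KEY|BAD_VALUE|MESSAGE.
# BAD_VALUE "" means "flag if unset", "*" means "flag if set at all".
CHECKS='StandardOutput|syslog|StandardOutput=syslog is deprecated; use journal
MemoryLimit|*|MemoryLimit= is deprecated; use MemoryMax=
ProtectHome|false|ProtectHome=false exposes user home directories
PrivateTmp|false|PrivateTmp=false shares /tmp with the rest of the system
ProtectKernelModules|false|ProtectKernelModules=false allows module loading
NoNewPrivileges||NoNewPrivileges= is not set
Restart||Restart= is not set; consider Restart=on-failure
TimeoutStopSec||TimeoutStopSec= is not set; a hung stop blocks shutdown'

# lint_unit UNIT_TEXT: print one finding per line.
lint_unit() {
    unit=$1
    printf '%s\n' "$CHECKS" | while IFS='|' read -r key bad msg; do
        val=$(unit_value "$unit" "$key")
        hit=0
        case "$bad" in
            '')  if [ -z "$val" ];        then hit=1; fi ;;
            '*') if [ -n "$val" ];        then hit=1; fi ;;
            *)   if [ "$val" = "$bad" ];  then hit=1; fi ;;
        esac
        if [ "$hit" -eq 1 ]; then printf '%s\n' "$msg"; fi
    done
}

# lint_count UNIT_TEXT: number of findings (0 means the unit passes every check).
lint_count() {
    lint_unit "$1" | awk 'END { print NR }'
}
```

Run it on the real file with `lint_unit "$(cat /path/to/deepin-boot-maker.service)"`, and compare with `systemd-analyze security deepin-boot-maker.service`, which scores the installed unit against the full set of sandboxing directives. A finding is a prompt to justify the setting in the unit, as the review asks for the AmbientCapabilities line, not proof that the setting is wrong.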

@sourcery-ai

sourcery-ai bot commented Dec 25, 2025

Reviewer's Guide

This PR tightens the systemd unit configuration for deepin-boot-maker by switching logging to the journal and adding stricter security, capability, memory, syscall, and filesystem restrictions, plus a small .gitignore adjustment.

File-Level Changes

Change: Harden the deepin-boot-maker systemd service with stricter security and resource limits.
Details:
  • Switch service logging from syslog to the systemd journal via StandardOutput changes.
  • Replace the deprecated or less precise MemoryLimit setting with MemoryMax.
  • Add or refine systemd security directives (e.g., capability bounding, sandboxing, protect system/home/tmp, private namespaces).
  • Introduce or adjust syscall filters and file/path access restrictions to limit what the service can do on the host.
Files: src/service/data/deepin-boot-maker.service

Change: Adjust Git ignore rules for the repository.
Details:
  • Update .gitignore patterns to match new build artifacts, generated files, or service-related outputs.
Files: .gitignore


@sourcery-ai sourcery-ai bot left a comment

Hey - I've left some high level feedback:

  • Double-check that the newly added sandboxing directives (e.g., system call filters, path restrictions, capabilities) align with the actual runtime needs of deepin-boot-maker so the service doesn’t lose required access to devices, mounts, or GUI-related resources.
  • Since you switched from StandardOutput=syslog to journal, consider whether any external log processing or monitoring tools depend on the old syslog output format and, if so, ensure they are still able to ingest logs from journald.
  • Verify that all newly used systemd options (such as MemoryMax and any advanced security directives) are supported on the minimum systemd version we target, to avoid failures on older deployments.

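Sourcery's third point, that every directive must be accepted by the oldest systemd the project targets, can also be scripted. The following is an added example, not project code: the table of first releases is my reading of the systemd NEWS file and is an assumption to verify against the target distribution, and the sample unit (including its ExecPaths= value) is constructed for the example.

```shell
#!/bin/sh
# Added example, not deepin-boot-maker project code. Reports directives in a unit
# that need a newer systemd than the host runs. The release numbers below are
# assumptions taken from memory of the systemd NEWS file; verify before relying on them.

# Directive|first systemd release that accepts it (assumed values)
DIRECTIVE_MIN='MemoryMax|231
MemoryDenyWriteExecute|231
InaccessiblePaths|231
ReadWritePaths|231
AmbientCapabilities|229
ProtectKernelTunables|232
ProtectKernelModules|232
IOWeight|232
ExecPaths|248
NoExecPaths|248'

# Constructed sample unit; the ExecPaths= target is hypothetical.
SAMPLE_UNIT='[Service]
Type=dbus
NoNewPrivileges=true
MemoryMax=10G
MemoryDenyWriteExecute=true
ProtectKernelTunables=true
ExecPaths=/usr/bin/example-daemon
NoExecPaths=/
'

# systemd_major VERSION_OUTPUT: major release from `systemctl --version` output
# such as "systemd 245 (245.4-4ubuntu3)".
systemd_major() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $2 + 0 }'
}

# unsupported_directives UNIT_TEXT MAJOR: print each directive used in the unit
# whose first release is newer than MAJOR.
unsupported_directives() {
    unit=$1; have=$2
    printf '%s\n' "$DIRECTIVE_MIN" | while IFS='|' read -r key need; do
        if printf '%s\n' "$unit" | grep -q "^$key="; then
            if [ "$have" -lt "$need" ]; then
                printf '%s needs systemd >= %s\n' "$key" "$need"
            fi
        fi
    done
}

# unsupported_count UNIT_TEXT MAJOR: number of directives the host would not understand.
unsupported_count() {
    unsupported_directives "$1" "$2" | awk 'END { print NR }'
}
```

On a real host, feed it the installed version: `unsupported_directives "$(cat unit)" "$(systemd_major "$(systemctl --version)")"`. The caveat that makes this worth checking is that systemd does not refuse to start a unit with a directive it does not know; it logs "Unknown key name ... in section 'Service', ignoring" and starts the service without that setting, so on an older host the sandboxing silently fails open.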
@deepin-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: lzwind, re2zero

The full list of commands accepted by this bot can be found here.

Details: Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@re2zero
Contributor Author

re2zero commented Dec 25, 2025

/merge

@deepin-bot deepin-bot bot merged commit b1219db into linuxdeepin:master Dec 25, 2025
18 checks passed
@re2zero re2zero deleted the bugfix branch December 25, 2025 08:48