From 8ce32819a673ae346dfb2266935b289d52eca5b9 Mon Sep 17 00:00:00 2001
From: re2zero
Date: Wed, 24 Dec 2025 18:07:14 +0800
Subject: [PATCH] chore: enhance service security

- Update deepin-boot-maker.service with enhanced security settings
- Replace StandardOutput=syslog with journal
- Add comprehensive security restrictions and capabilities
- Set MemoryMax instead of MemoryLimit
- Configure various system call and path restrictions

Log: enhance service security.
---
 .gitignore                                 |  3 ++
 src/service/data/deepin-boot-maker.service | 44 +++++++++++++++++++++-
 2 files changed, 45 insertions(+), 2 deletions(-)

diff --git a/.gitignore b/.gitignore
index 35bed4c7..ad8656af 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,3 +14,6 @@ osx
 .cursorindexingignore
 # SpecStory explanation file
 .specstory/.what-is-this.md
+
+# Auto Claude data directory
+.auto-claude/
diff --git a/src/service/data/deepin-boot-maker.service b/src/service/data/deepin-boot-maker.service
index 78239ff2..74d4b01e 100644
--- a/src/service/data/deepin-boot-maker.service
+++ b/src/service/data/deepin-boot-maker.service
@@ -5,11 +5,51 @@ Description=Deepin Boot Maker
 Type=dbus
 BusName=com.deepin.bootmaker
 ExecStart=/usr/lib/deepin-daemon/deepin-boot-maker-service
-StandardOutput=syslog
+StandardOutput=journal
 # Needs CAP_SYS_ADMIN umount u-disk.
 CapabilityBoundingSet=~CAP_SYS_BPF CAP_NET_ADMIN
-MemoryLimit=10G
+AmbientCapabilities=~CAP_SYS_BPF CAP_NET_ADMIN
+User=root
+MemoryMax=10G
 IOWeight=200
+ProtectSystem=full
+ProtectHome=false
+ProtectProc=default
+PrivateTmp=false
+PrivateDevices=false
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=false
+NoNewPrivileges=true
+MemoryDenyWriteExecute=true
+RestrictSUIDSGID=true
+RestrictRealtime=true
+RestrictNamespaces=true
+LockPersonality=true
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service readlink stat lstat
+InaccessiblePaths=-/etc/shadow
+InaccessiblePaths=-/etc/NetworkManager/system-connections/
+InaccessiblePaths=-/etc/pam.d/
+InaccessiblePaths=-/etc/security/
+InaccessiblePaths=-/etc/selinux/
+InaccessiblePaths=-/etc/deepin-elf-verify/
+InaccessiblePaths=-/etc/filearmor.d/
+InaccessiblePaths=-/etc/crypttab
+InaccessiblePaths=-/etc/fstab
+InaccessiblePaths=-/sysroot/ostree/repo/
+InaccessiblePaths=-/persistent/ostree/repo/
+InaccessiblePaths=-/usr/share/uadp
+InaccessiblePaths=-/etc/sudoers
+InaccessiblePaths=-/etc/sudoers.d
+InaccessiblePaths=-/root
+ReadWritePaths=/var/log/deepin
+ReadWritePaths=/tmp /var/tmp /dev /run /media /mnt /home
+ReadOnlyPaths=/usr /boot /proc
+ExecPaths=/usr/bin /usr/sbin /bin /sbin /lib /usr/lib /proc /sys
+NoExecPaths=/home /root
+OOMScoreAdjust=-500
+Nice=-5
 
 [Install]
 WantedBy=multi-user.target
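Review bot: The new `SystemCallFilter=@system-service readlink stat lstat` does not include the `@mount` group, so `umount2()` and `mount()` will fail with EPERM (per the added `SystemCallErrorNumber=EPERM`), even though the retained comment `# Needs CAP_SYS_ADMIN umount u-disk.` says the service unmounts the USB stick, and a seccomp filter is inherited by any `umount(8)` child it spawns as well. Unless the unmount is delegated over D-Bus to another service, the line should read `SystemCallFilter=@system-service @mount`; the explicit `readlink stat lstat` are already covered by `@system-service` through `@file-system` and can be dropped. Separately, `AmbientCapabilities=~CAP_SYS_BPF CAP_NET_ADMIN` has effectively no effect next to `User=root`, since a uid-0 process gets its capabilities from the bounding set rather than the ambient set; either drop it or, if the intent is to stop running as root, pair a non-root `User=` with a positive list such as `AmbientCapabilities=CAP_SYS_ADMIN`. Because the filter's failure mode is an errno rather than a kill, a missed syscall would surface only as a failed unmount in the service's own log output, so this is worth exercising on a test unit before shipping.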