chore: systemd hardening

加固 dbus 进程

Task: https://pms.uniontech.com/task-view-361197.html

misc/deepin-service-group@.service.in

@@ -9,4 +9,27 @@ Restart=always
 RestartSec=3
 @SYSTEMD_SLICE@
 
+ReadOnlyPaths=/usr/share/deepin-service-manager/
+ReadOnlyPaths=/usr/lib/deepin-service-manager/
+
+DevicePolicy=closed
+
+ProtectSystem=full
+ProtectHome=yes
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+
 @SYSTEMD_INSTALL@

misc/deepin-service-manager.service.in

@@ -8,4 +8,27 @@ Restart=always
 RestartSec=3
 @SYSTEMD_SLICE@
 
+ReadOnlyPaths=/usr/share/deepin-service-manager/
+ReadOnlyPaths=/usr/lib/deepin-service-manager/
+
+DevicePolicy=closed
+
+ProtectSystem=full
+ProtectHome=yes
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+
 @SYSTEMD_INSTALL@

misc/deepin-service-plugin@.service.in

@@ -6,4 +6,27 @@ After=dbus.service
 ExecStart=/usr/bin/deepin-service-manager -n %i
 @SYSTEMD_SLICE@
 
+ReadOnlyPaths=/usr/share/deepin-service-manager/
+ReadOnlyPaths=/usr/lib/deepin-service-manager/
+
+DevicePolicy=closed
+
+ProtectSystem=full
+ProtectHome=yes
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+
 @SYSTEMD_INSTALL@