
feat: enhance security and resource limits #187

Merged
re2zero merged 1 commit into linuxdeepin:master from re2zero:bugfix
Dec 25, 2025

Conversation

re2zero (Contributor) commented Dec 25, 2025

  • Harden systemd service with restrictive security settings
  • Add memory limits, IO weight, and OOM protection
  • Restrict file system access with ProtectSystem and ProtectHome
  • Define explicit read/write/exec paths and capabilities

Log: enhance security and resource limits for diskmanager service.

Summary by Sourcery

Strengthen the diskmanager systemd service with stricter security hardening and resource limits.

Enhancements:

  • Tighten systemd security settings for the diskmanager daemon, including restricted filesystem and capability access.
  • Introduce memory, I/O, and OOM-related limits for the diskmanager service to improve robustness under resource pressure.

sourcery-ai bot commented Dec 25, 2025

Reviewer's Guide

This PR hardens the diskmanager systemd service unit by tightening security-related directives and adding resource limits such as memory constraints, IO weight, and OOM protection, while also adjusting .gitignore to account for the updated service asset.

File-Level Changes

Change: Harden the diskmanager systemd service with stricter security and resource limit directives.
Details:
  • Add or tighten memory-related limits and OOM protection settings for the service process
  • Configure IO scheduling/weight to control the service's impact on disk throughput
  • Restrict filesystem access using ProtectSystem/ProtectHome and explicit read/write/exec path settings
  • Limit process capabilities and other systemd sandboxing options to the minimal required set
Files: service/assets/data/diskmanager-daemon.service

Change: Adjust gitignore configuration related to service assets.
Details:
  • Update .gitignore patterns so the modified diskmanager systemd unit file is tracked appropriately or other generated artifacts remain ignored
Files: .gitignore


deepin-ci-robot commented

deepin pr auto review

Here is a detailed review of this diff:

  1. Changes to .gitignore:
+.auto-claude/
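
Review bot: the .auto-claude/ ignore rule is unrelated to the service hardening and is not mentioned in the PR bullets or the Log line; either call it out in the description or move it to a separate commit so the unit-file change is reviewable on its own.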

This is just a simple addition that ignores the .auto-claude/ directory; no obvious issues.

  2. Changes to diskmanager-daemon.service:

Security-related improvements:

  • Strengths:

    • Adds ProtectSystem=full and ProtectHome=true, which protect critical system directories
    • Sets PrivateTmp=true, isolating the temporary directories
    • Adds NoNewPrivileges=true, preventing privilege escalation
    • Uses InaccessiblePaths to restrict access to sensitive files
    • Sets MemoryDenyWriteExecute=true, preventing code execution from memory
  • Potential issues:

    • CapabilityBoundingSet and AmbientCapabilities include too many privileges, especially CAP_SYS_ADMIN
    • ProtectKernelModules=false may pose a security risk
    • Too many ReadWritePaths are allowed, including /tmp and /var/tmp

Performance-related:

  • Lowering MemoryMax from 8G to 1G is reasonable
  • Adds IOWeight=200 for IO priority control
  • The OOMScoreAdjust=-500 and Nice=-5 settings raise the service's priority

Suggested improvements:

  1. Reduce the privileges in CapabilityBoundingSet, keeping only those that are necessary
  2. Enable ProtectKernelModules=true
  3. Restrict ReadWritePaths, removing the unnecessary /tmp and /var/tmp access
  4. Consider adding RestrictAddressFamilies=AF_UNIX AF_NETLINK to restrict network access
  5. Add SystemCallFilter=@system-service to restrict system calls

Concrete suggested changes:

# Restrict privileges to the minimum necessary set
CapabilityBoundingSet=CAP_SYS_RAWIO CAP_MKNOD CAP_CHOWN CAP_FOWNER CAP_DAC_OVERRIDE
AmbientCapabilities=CAP_SYS_RAWIO CAP_MKNOD CAP_CHOWN CAP_FOWNER CAP_DAC_OVERRIDE

# Enable kernel module protection
ProtectKernelModules=true

# Restrict network access
RestrictAddressFamilies=AF_UNIX

# Restrict system calls
SystemCallFilter=@system-service

# Restrict writable paths
ReadWritePaths=/var/log/deepin /media /mnt

These changes improve the system's security and stability while preserving functionality.

sourcery-ai bot left a comment


Hey - I've left some high level feedback:

  • With the added ProtectSystem/ProtectHome and explicit ReadWritePaths/ReadOnlyPaths, double-check that all paths the daemon needs at runtime (e.g., under /run, /var, or device nodes) are explicitly allowed so the service doesn’t fail on less common code paths (e.g., error logging, tmp usage, or rare disk operations).
  • Consider making the new memory/IO/OOM limit values configurable via environment or drop-in overrides rather than hardcoding them in the main unit, so operators can tune limits for different deployment sizes without forking the unit file.
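As an added example (not code from the PR, the project or either bot), the following Python checker applies the deepin-ci-robot review's points to a unit's [Service] section and merges a drop-in the way systemd does (repeated list directives accumulate, an empty assignment resets them), which is the detail that matters if the limits are moved into drop-in overrides as the Sourcery comment suggests. The sample unit and drop-in text are constructed for the example, and the '~' inverted form of CapabilityBoundingSet is not modelled.

```python
# Directives whose repeated assignments merge into one list; an empty assignment resets the list.
LIST_KEYS = {"CapabilityBoundingSet", "AmbientCapabilities", "ReadWritePaths", "ReadOnlyPaths",
             "InaccessiblePaths", "SystemCallFilter", "RestrictAddressFamilies"}
# Constructed sample resembling the "before" state the review criticises (not the project's unit file).
SAMPLE_UNIT = """[Service]
ProtectKernelModules=false
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SYS_RAWIO CAP_MKNOD
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_DAC_OVERRIDE
ReadWritePaths=/var/log/deepin /tmp /var/tmp /media /mnt
"""
# The review's fix written as a drop-in; the empty assignments reset the inherited lists first,
# otherwise the new CapabilityBoundingSet line would merge with the old one instead of replacing it.
HARDENING_DROPIN = """[Service]
CapabilityBoundingSet=
CapabilityBoundingSet=CAP_SYS_RAWIO CAP_MKNOD CAP_CHOWN CAP_FOWNER CAP_DAC_OVERRIDE
ProtectKernelModules=true
RestrictAddressFamilies=AF_UNIX
SystemCallFilter=@system-service
ReadWritePaths=
ReadWritePaths=/var/log/deepin /media /mnt
"""

def parse_service(*texts):
    """Merge the [Service] settings of a unit and its drop-ins, in order, using systemd's rules."""
    settings, section = {}, None
    for line in map(str.strip, "\n".join(texts).splitlines()):
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "Service" and "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            if key in LIST_KEYS:  # the '~'-inverted form of capability sets is not modelled here
                settings[key] = [] if value == "" else settings.get(key, []) + value.split()
            else:
                settings[key] = value  # scalar directive: the last assignment wins
    return settings

def audit(settings):
    """Return the review's findings for merged settings; an empty list means every check passed."""
    findings = []
    if "CAP_SYS_ADMIN" in settings.get("CapabilityBoundingSet", []):
        findings.append("CapabilityBoundingSet grants CAP_SYS_ADMIN")
    if settings.get("ProtectKernelModules", "no").lower() not in ("1", "yes", "true", "on"):
        findings.append("ProtectKernelModules is not enabled")
    for tmp in ("/tmp", "/var/tmp"):
        if tmp in settings.get("ReadWritePaths", []):
            findings.append(f"ReadWritePaths includes {tmp}")
    for key in ("SystemCallFilter", "RestrictAddressFamilies"):
        if not settings.get(key):
            findings.append(f"{key} is not set")
    return findings
```

Running audit(parse_service(SAMPLE_UNIT)) reproduces the review's findings, and audit(parse_service(SAMPLE_UNIT, HARDENING_DROPIN)) returns an empty list; dropping the two reset lines from the drop-in leaves CAP_SYS_ADMIN and /tmp in place.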

deepin-ci-robot commented

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: lzwind, re2zero

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

re2zero (Contributor, Author) commented Dec 25, 2025

/merge

deepin-bot bot (Contributor) commented Dec 25, 2025

This pr cannot be merged! (status: unstable)

@re2zero re2zero merged commit aecab5f into linuxdeepin:master Dec 25, 2025
17 of 18 checks passed
@re2zero re2zero deleted the bugfix branch December 25, 2025 08:50