From 433d39ad2b0d01092f84f9f47b34d590f18efd04 Mon Sep 17 00:00:00 2001
From: re2zero
Date: Wed, 24 Dec 2025 15:31:23 +0800
Subject: [PATCH] feat: enhance security and resource limits

- Harden systemd service with restrictive security settings
- Add memory limits, IO weight, and OOM protection
- Restrict file system access with ProtectSystem and ProtectHome
- Define explicit read/write/exec paths and capabilities

Log: enhance security and resource limits for diskmanager service.
---
 .gitignore | 1 +
 .../assets/data/diskmanager-daemon.service | 45 ++++++++++++++++++-
 2 files changed, 44 insertions(+), 2 deletions(-)
diff --git a/.gitignore b/.gitignore
index 4de13d8..3994482 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,6 +11,7 @@ build
 .cursorindexingignore
 .specstory/
 .claude/*
+.auto-claude/
 # debian output
 debian/.debhelper/
diff --git a/service/assets/data/diskmanager-daemon.service b/service/assets/data/diskmanager-daemon.service
index 0af2239..476c3f9 100644
--- a/service/assets/data/diskmanager-daemon.service
+++ b/service/assets/data/diskmanager-daemon.service
@@ -6,8 +6,49 @@ After=local-fs.target udisks2.service
 Type=dbus
 BusName=com.deepin.diskmanager
 ExecStart=/usr/lib/deepin-daemon/deepin-diskmanager-service
-CapabilityBoundingSet=~CAP_NET_RAW
-MemoryMax=8G
+User=root
+StandardOutput=journal
+MemoryMax=1G
+IOWeight=200
+ProtectSystem=full
+ProtectHome=true
+ProtectProc=invisible
+PrivateTmp=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=false
+NoNewPrivileges=true
+MemoryDenyWriteExecute=true
+RestrictSUIDSGID=true
+LimitMEMLOCK=infinity
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SYS_RAWIO CAP_SYS_PTRACE CAP_MKNOD CAP_CHOWN CAP_FOWNER CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FSETID CAP_KILL CAP_SETFCAP CAP_NET_RAW CAP_IPC_LOCK CAP_SYS_RESOURCE CAP_SYS_NICE CAP_LINUX_IMMUTABLE
+AmbientCapabilities=CAP_SYS_ADMIN CAP_SYS_RAWIO CAP_SYS_PTRACE CAP_MKNOD CAP_CHOWN CAP_FOWNER CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FSETID CAP_KILL CAP_SETFCAP CAP_NET_RAW CAP_IPC_LOCK CAP_SYS_RESOURCE CAP_SYS_NICE CAP_LINUX_IMMUTABLE
+InaccessiblePaths=-/etc/shadow
+InaccessiblePaths=-/etc/NetworkManager/system-connections/
+InaccessiblePaths=-/etc/pam.d/
+InaccessiblePaths=-/etc/security/
+InaccessiblePaths=-/etc/selinux/
+InaccessiblePaths=-/etc/deepin-elf-verify/
+InaccessiblePaths=-/etc/filearmor.d/
+InaccessiblePaths=-/sysroot/ostree/repo/
+InaccessiblePaths=-/persistent/ostree/repo/
+InaccessiblePaths=-/usr/share/uadp
+InaccessiblePaths=-/etc/sudoers
+InaccessiblePaths=-/etc/sudoers.d
+InaccessiblePaths=-/root
+InaccessiblePaths=-/var/cache
+ReadWritePaths=/var/log/deepin
+ReadWritePaths=/tmp
+ReadWritePaths=/var/tmp
+ReadWritePaths=/media
+ReadWritePaths=/mnt
+ReadOnlyPaths=/etc/fstab
+ReadOnlyPaths=/etc/crypttab
+ReadOnlyPaths=/etc/udev/rules.d
+ExecPaths=/usr/bin /usr/sbin /bin /sbin /lib /usr/lib /proc /sys
+NoExecPaths=/home /root
+OOMScoreAdjust=-500
+Nice=-5
 [Install]
 WantedBy=multi-user.target
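Review bot: The new `CapabilityBoundingSet=` and `AmbientCapabilities=` lines widen privilege rather than restrict it: the removed line `CapabilityBoundingSet=~CAP_NET_RAW` took one capability away from root's full set, whereas the new list grants CAP_NET_RAW back alongside CAP_SYS_ADMIN, CAP_SYS_PTRACE, CAP_DAC_OVERRIDE, CAP_SETUID/CAP_SETGID and others, and with `User=root` the `AmbientCapabilities=` line adds nothing (ambient capabilities only matter for an unprivileged User=). Because CAP_SYS_ADMIN lets the process alter its own mount namespace, the sandbox built here from ProtectSystem=, ProtectHome=, InaccessiblePaths= and ReadOnlyPaths= is advisory rather than enforced; systemd.exec recommends pairing those settings with `CapabilityBoundingSet=~CAP_SYS_ADMIN` or `SystemCallFilter=~@mount`, which a daemon that mounts into /media and /mnt presumably cannot accept, so the "restrictive" wording in the commit message overstates the effect, and capabilities with no evident use for a disk manager (CAP_SYS_PTRACE, CAP_NET_RAW, CAP_SETFCAP, CAP_KILL, CAP_LINUX_IMMUTABLE) should at least be dropped from the list. Separately, `PrivateDevices=true` mounts a private /dev without physical block devices and, per its documentation, removes CAP_SYS_RAWIO and CAP_MKNOD from the bounding set regardless of the explicit list, so if this daemon opens block devices directly instead of delegating to udisks2 the hunk likely breaks it — confirm against the daemon's device access before merging. The `[Service]` section this hunk belongs to begins before the hunk.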