feat: Secure the Logviewer service

Secure the Logviewer service Log: Secure the Logviewer service Task: https://pms.uniontech.com/task-view-355359.html
linuxdeepin · Dec 20, 2024 · 98da0d9 · 98da0d9
1 parent 6edca8a
commit 98da0d9
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 5 deletions.
diff --git a/.gitignore b/.gitignore
@@ -30,6 +30,7 @@ debian/*
 !debian/control
 !debian/compat
 !debian/source/*
+!debian/deepin-log-viewer.sysusers
 # cmake dir
 obj-x86_64-linux-gnu/*
 *.txt.user

diff --git a/application/dbusproxy/dldbushandler.cpp b/application/dbusproxy/dldbushandler.cpp
@@ -165,8 +165,15 @@ bool DLDBusHandler::exportLog(const QString &outDir, const QString &in, bool isF
 
 bool DLDBusHandler::isFileExist(const QString &filePath)
 {
-    QString ret = m_dbus->isFileExist(filePath);
-    return ret == "exist";
+    QDBusPendingReply<bool> reply = m_dbus->isFileExist(filePath);
+    reply.waitForFinished();
+    bool bRet = false;
+    if (reply.isError()) {
+        qCWarning(logDBusHandler) << "call dbus iterface 'isFileExist()' failed. error info:" << reply.error().message();
+    } else {
+        bRet = reply.value();
+    }
+    return bRet;
 }
 
 quint64 DLDBusHandler::getFileSize(const QString &filePath)

diff --git a/logViewerService/assets/data/deepin-log-viewer-daemon.service b/logViewerService/assets/data/deepin-log-viewer-daemon.service
@@ -1,12 +1,42 @@
 [Unit]
 Description=Deepin Log Viewer Daemon
+Wants=dbus.socket
+After=dbus.socket
 
 [Service]
 Type=dbus
 BusName=com.deepin.logviewer
 ExecStart=/usr/lib/deepin-daemon/log-view-service
-CapabilityBoundingSet=~CAP_NET_RAW
+# cap能力不能填为空，否则日志收集工具启动卡，并且不能查看/var/log下日志，建议cap能力不能为dbus必查项
+#CapabilityBoundingSet=~CAP_NET_RAW
 MemoryLimit=8G
+# 非root有阻塞，deepin-daemon启动后不能通过/proc/pid/exe获取启动进程全路径，下一阶段再按deepin-dameon启动
+#User=deepin-daemon
+ProtectSystem=strict
+
+InaccessiblePaths=-/etc/shadow
+InaccessiblePaths=-/etc/NetworkManager/system-connections
+InaccessiblePaths=-/etc/pam.d
+InaccessiblePaths=-/usr/share/uadp/
+
+NoNewPrivileges=yes
+# 传参需要/home，比如导出日志到/home路径下，读取/home/$user/.cache下应用日志
+#ProtectHome=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+PrivateMounts=yes 
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictRealtime=yes
+RemoveIPC=yes
+MemoryDenyWriteExecute=yes
+
+# 需要device权限，可能导出日志到U盘等外部设备
+#DeviceAllow=/dev/loop-control
+# 需要使用network，进行埋点上报
+#RestrictFileSystems=~@network
 
-[Install]
-WantedBy=multi-user.target