From 98da0d99ebd7343f8971ce96c1f1f7b9e70e4abb Mon Sep 17 00:00:00 2001 From: houchengqiu Date: Tue, 16 Jul 2024 11:31:02 +0800 Subject: [PATCH] feat: Secure the Logviewer service Secure the Logviewer service Log: Secure the Logviewer service Task: https://pms.uniontech.com/task-view-355359.html --- .gitignore | 1 + application/dbusproxy/dldbushandler.cpp | 11 ++++-- .../data/deepin-log-viewer-daemon.service | 36 +++++++++++++++++-- 3 files changed, 43 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index f361d10b..1845e1b6 100644 --- a/.gitignore +++ b/.gitignore @@ -30,6 +30,7 @@ debian/* !debian/control !debian/compat !debian/source/* +!debian/deepin-log-viewer.sysusers # cmake dir obj-x86_64-linux-gnu/* *.txt.user diff --git a/application/dbusproxy/dldbushandler.cpp b/application/dbusproxy/dldbushandler.cpp index 08cfaee0..91e1a302 100644 --- a/application/dbusproxy/dldbushandler.cpp +++ b/application/dbusproxy/dldbushandler.cpp @@ -165,8 +165,15 @@ bool DLDBusHandler::exportLog(const QString &outDir, const QString &in, bool isF bool DLDBusHandler::isFileExist(const QString &filePath) { - QString ret = m_dbus->isFileExist(filePath); - return ret == "exist"; + QDBusPendingReply reply = m_dbus->isFileExist(filePath); + reply.waitForFinished(); + bool bRet = false; + if (reply.isError()) { + qCWarning(logDBusHandler) << "call dbus iterface 'isFileExist()' failed. error info:" << reply.error().message(); + } else { + bRet = reply.value(); + } + return bRet; } quint64 DLDBusHandler::getFileSize(const QString &filePath) diff --git a/logViewerService/assets/data/deepin-log-viewer-daemon.service b/logViewerService/assets/data/deepin-log-viewer-daemon.service index 230ff752..7ce97a62 100644 --- a/logViewerService/assets/data/deepin-log-viewer-daemon.service +++ b/logViewerService/assets/data/deepin-log-viewer-daemon.service @@ -1,12 +1,42 @@ [Unit] Description=Deepin Log Viewer Daemon +Wants=dbus.socket +After=dbus.socket [Service] Type=dbus BusName=com.deepin.logviewer ExecStart=/usr/lib/deepin-daemon/log-view-service -CapabilityBoundingSet=~CAP_NET_RAW +# cap能力不能填为空,否则日志收集工具启动卡,并且不能查看/var/log下日志,建议cap能力不能为dbus必查项 +#CapabilityBoundingSet=~CAP_NET_RAW MemoryLimit=8G +# 非root有阻塞,deepin-daemon启动后不能通过/proc/pid/exe获取启动进程全路径,下一阶段再按deepin-dameon启动 +#User=deepin-daemon +ProtectSystem=strict + +InaccessiblePaths=-/etc/shadow +InaccessiblePaths=-/etc/NetworkManager/system-connections +InaccessiblePaths=-/etc/pam.d +InaccessiblePaths=-/usr/share/uadp/ + +NoNewPrivileges=yes +# 传参需要/home,比如导出日志到/home路径下,读取/home/$user/.cache下应用日志 +#ProtectHome=yes +ProtectKernelTunables=yes +ProtectKernelModules=yes +ProtectControlGroups=yes +PrivateMounts=yes +PrivateTmp=yes +PrivateDevices=yes +PrivateNetwork=yes +RestrictNamespaces=yes +LockPersonality=yes +RestrictRealtime=yes +RemoveIPC=yes +MemoryDenyWriteExecute=yes + +# 需要device权限,可能导出日志到U盘等外部设备 +#DeviceAllow=/dev/loop-control +# 需要使用network,进行埋点上报 +#RestrictFileSystems=~@network -[Install] -WantedBy=multi-user.target