chore: temporarily disable security restrictions in service configuration

add-uos · deepin-bot[bot] · commit 394cff7b93c6 · 2026-01-06T08:08:03.000Z
temporarily disable security restrictions in service configuration log: temporarily disable security restrictions in service configuration bug: https://pms.uniontech.com/bug-view-346599.html
diff --git a/deepin-devicemanager-server/deepin-devicecontrol/deepin-devicecontrol.service b/deepin-devicemanager-server/deepin-devicecontrol/deepin-devicecontrol.service
@@ -8,53 +8,53 @@ User=root
 ExecStart=/usr/bin/deepin-devicecontrol
 StandardOutput=journal
 MemoryMax=2G
-IOWeight=200
-ProtectSystem=full
-ProtectHome=true
-ProtectProc=invisible
-PrivateTmp=true
-PrivateDevices=false
-PrivateIPC=true
-ProtectClock=true
-ProtectKernelTunables=true
-ProtectKernelModules=false
-NoNewPrivileges=true
-MemoryDenyWriteExecute=true
-RestrictSUIDSGID=true
-LimitMEMLOCK=infinity
-CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SYS_MODULE CAP_SYS_PTRACE CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_BOOT CAP_KILL CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_SYS_ADMIN CAP_SYS_MODULE CAP_SYS_PTRACE CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_BOOT CAP_KILL CAP_NET_BIND_SERVICE
-ExecPaths=/usr/bin /usr/sbin /bin /sbin /lib /lib64 /usr/lib /usr/lib64
-NoExecPaths=/tmp /var/tmp /home /root
-ReadWritePaths=/var/lib/deepin-devicemanager
-ReadWritePaths=/var/log
-ReadWritePaths=/var/cache
-ReadWritePaths=/tmp
-ReadWritePaths=/var/tmp
-ReadWritePaths=/etc/modprobe.d
-ReadWritePaths=/run
-ReadOnlyPaths=/sys
-ReadOnlyPaths=/proc
-ReadOnlyPaths=/etc
-ReadOnlyPaths=/usr
-ReadOnlyPaths=/lib
-ReadOnlyPaths=/boot
-InaccessiblePaths=-/etc/shadow
-InaccessiblePaths=-/etc/NetworkManager/system-connections/
-InaccessiblePaths=-/etc/pam.d/
-InaccessiblePaths=-/etc/security/
-InaccessiblePaths=-/etc/selinux/
-InaccessiblePaths=-/etc/deepin-elf-verify/
-InaccessiblePaths=-/etc/filearmor.d/
-InaccessiblePaths=-/etc/crypttab
-InaccessiblePaths=-/etc/fstab
-InaccessiblePaths=-/sysroot/ostree/repo/
-InaccessiblePaths=-/persistent/ostree/repo/
-InaccessiblePaths=-/usr/share/uadp
-InaccessiblePaths=-/etc/sudoers
-InaccessiblePaths=-/etc/sudoers.d
-OOMScoreAdjust=-500
-Nice=-5
+#IOWeight=200
+#ProtectSystem=full
+#ProtectHome=true
+#ProtectProc=invisible
+#PrivateTmp=true
+#PrivateDevices=false
+#PrivateIPC=true
+#ProtectClock=true
+#ProtectKernelTunables=true
+#ProtectKernelModules=false
+#NoNewPrivileges=true
+#MemoryDenyWriteExecute=true
+#RestrictSUIDSGID=true
+#LimitMEMLOCK=infinity
+#CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SYS_MODULE CAP_SYS_PTRACE CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_BOOT CAP_KILL CAP_NET_BIND_SERVICE
+#AmbientCapabilities=CAP_SYS_ADMIN CAP_SYS_MODULE CAP_SYS_PTRACE CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_BOOT CAP_KILL CAP_NET_BIND_SERVICE
+#ExecPaths=/usr/bin /usr/sbin /bin /sbin /lib /lib64 /usr/lib /usr/lib64
+#NoExecPaths=/tmp /var/tmp /home /root
+#ReadWritePaths=/var/lib/deepin-devicemanager
+#ReadWritePaths=/var/log
+#ReadWritePaths=/var/cache
+#ReadWritePaths=/tmp
+#ReadWritePaths=/var/tmp
+#ReadWritePaths=/etc/modprobe.d
+#ReadWritePaths=/run
+#ReadOnlyPaths=/sys
+#ReadOnlyPaths=/proc
+#ReadOnlyPaths=/etc
+#ReadOnlyPaths=/usr
+#ReadOnlyPaths=/lib
+#ReadOnlyPaths=/boot
+#InaccessiblePaths=-/etc/shadow
+#InaccessiblePaths=-/etc/NetworkManager/system-connections/
+#InaccessiblePaths=-/etc/pam.d/
+#InaccessiblePaths=-/etc/security/
+#InaccessiblePaths=-/etc/selinux/
+#InaccessiblePaths=-/etc/deepin-elf-verify/
+#InaccessiblePaths=-/etc/filearmor.d/
+#InaccessiblePaths=-/etc/crypttab
+#InaccessiblePaths=-/etc/fstab
+#InaccessiblePaths=-/sysroot/ostree/repo/
+#InaccessiblePaths=-/persistent/ostree/repo/
+#InaccessiblePaths=-/usr/share/uadp
+#InaccessiblePaths=-/etc/sudoers
+#InaccessiblePaths=-/etc/sudoers.d
+#OOMScoreAdjust=-500
+#Nice=-5
 
 [Install]
 WantedBy=multi-user.target
