chore: harden service security

- Fix CMake variable name from CVERSION to VERSION in debian/rules
- Enhance deepin-devicecontrol service with comprehensive sandboxing:
  - Apply strict resource limits (2G memory, IO weight 200)
  - Enable filesystem protection (ProtectSystem, ProtectHome, PrivateTmp)
  - Restrict executable paths and set write permissions selectively
  - Add security restrictions (NoNewPrivileges, MemoryDenyWriteExecute)
  - Define specific accessible and inaccessible system paths
  - Set capability bounding set and ambient capabilities
  - Adjust scheduling priority and OOM score

Log: harden service security.

Author: re2zero

.gitignore

@@ -47,6 +47,12 @@ CMakeLists.txt.user*
 .cursor
 .specstory
 .cursorindexingignore
+.claude_settings.json
+# Auto Claude data directory
+.auto-claude/
+
+# vs code
+.vscode/
 
 # debian
 debian/.debhelper/

debian/rules

@@ -32,7 +32,7 @@ override_dh_auto_configure:
 	-DCMAKE_BUILD_TYPE=Release \
 	-DCMAKE_INSTALL_PREFIX=/usr \
 	-DAPP_VERSION=$(DEB_VERSION_UPSTREAM) \
-	-DCVERSION=$(DEB_VERSION_UPSTREAM) \
+	-DVERSION=$(DEB_VERSION_UPSTREAM) \
 	-DQT_DIR=$(QT_DIR)
 %:
 	dh $@ --parallel

deepin-devicemanager-server/deepin-devicecontrol/deepin-devicecontrol.service

@@ -6,8 +6,55 @@ Type=dbus
 BusName=org.deepin.DeviceControl
 User=root
 ExecStart=/usr/bin/deepin-devicecontrol
-CapabilityBoundingSet=~CAP_NET_RAW
-MemoryMax=8G
+StandardOutput=journal
+MemoryMax=2G
+IOWeight=200
+ProtectSystem=full
+ProtectHome=true
+ProtectProc=invisible
+PrivateTmp=true
+PrivateDevices=false
+PrivateIPC=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=false
+NoNewPrivileges=true
+MemoryDenyWriteExecute=true
+RestrictSUIDSGID=true
+LimitMEMLOCK=infinity
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SYS_MODULE CAP_SYS_PTRACE CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_BOOT CAP_KILL CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_SYS_ADMIN CAP_SYS_MODULE CAP_SYS_PTRACE CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_BOOT CAP_KILL CAP_NET_BIND_SERVICE
+ExecPaths=/usr/bin /usr/sbin /bin /sbin /lib /lib64 /usr/lib /usr/lib64
+NoExecPaths=/tmp /var/tmp /home /root
+ReadWritePaths=/var/lib/deepin-devicemanager
+ReadWritePaths=/var/log
+ReadWritePaths=/var/cache
+ReadWritePaths=/tmp
+ReadWritePaths=/var/tmp
+ReadWritePaths=/etc/modprobe.d
+ReadWritePaths=/run
+ReadOnlyPaths=/sys
+ReadOnlyPaths=/proc
+ReadOnlyPaths=/etc
+ReadOnlyPaths=/usr
+ReadOnlyPaths=/lib
+ReadOnlyPaths=/boot
+InaccessiblePaths=-/etc/shadow
+InaccessiblePaths=-/etc/NetworkManager/system-connections/
+InaccessiblePaths=-/etc/pam.d/
+InaccessiblePaths=-/etc/security/
+InaccessiblePaths=-/etc/selinux/
+InaccessiblePaths=-/etc/deepin-elf-verify/
+InaccessiblePaths=-/etc/filearmor.d/
+InaccessiblePaths=-/etc/crypttab
+InaccessiblePaths=-/etc/fstab
+InaccessiblePaths=-/sysroot/ostree/repo/
+InaccessiblePaths=-/persistent/ostree/repo/
+InaccessiblePaths=-/usr/share/uadp
+InaccessiblePaths=-/etc/sudoers
+InaccessiblePaths=-/etc/sudoers.d
+OOMScoreAdjust=-500
+Nice=-5
 
 [Install]
 WantedBy=multi-user.target