From 7d6b2c9d971eecbe932152a2fcb3906d0efba002 Mon Sep 17 00:00:00 2001
From: zhanghongyuan
Date: Tue, 6 Jan 2026 16:05:51 +0800
Subject: [PATCH] chore: temporarily disable security restrictions in service configuration

temporarily disable security restrictions in service configuration
log: temporarily disable security restrictions in service configuration
bug: https://pms.uniontech.com/bug-view-346599.html
---
 .../deepin-devicecontrol.service | 94 +++++++++----------
 1 file changed, 47 insertions(+), 47 deletions(-)

diff --git a/deepin-devicemanager-server/deepin-devicecontrol/deepin-devicecontrol.service b/deepin-devicemanager-server/deepin-devicecontrol/deepin-devicecontrol.service
index 4cc9ad4d..085a98cb 100644
--- a/deepin-devicemanager-server/deepin-devicecontrol/deepin-devicecontrol.service
+++ b/deepin-devicemanager-server/deepin-devicecontrol/deepin-devicecontrol.service
@@ -8,53 +8,53 @@ User=root
 ExecStart=/usr/bin/deepin-devicecontrol
 StandardOutput=journal
 MemoryMax=2G
-IOWeight=200
-ProtectSystem=full
-ProtectHome=true
-ProtectProc=invisible
-PrivateTmp=true
-PrivateDevices=false
-PrivateIPC=true
-ProtectClock=true
-ProtectKernelTunables=true
-ProtectKernelModules=false
-NoNewPrivileges=true
-MemoryDenyWriteExecute=true
-RestrictSUIDSGID=true
-LimitMEMLOCK=infinity
-CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SYS_MODULE CAP_SYS_PTRACE CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_BOOT CAP_KILL CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_SYS_ADMIN CAP_SYS_MODULE CAP_SYS_PTRACE CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_BOOT CAP_KILL CAP_NET_BIND_SERVICE
-ExecPaths=/usr/bin /usr/sbin /bin /sbin /lib /lib64 /usr/lib /usr/lib64
-NoExecPaths=/tmp /var/tmp /home /root
-ReadWritePaths=/var/lib/deepin-devicemanager
-ReadWritePaths=/var/log
-ReadWritePaths=/var/cache
-ReadWritePaths=/tmp
-ReadWritePaths=/var/tmp
-ReadWritePaths=/etc/modprobe.d
-ReadWritePaths=/run
-ReadOnlyPaths=/sys
-ReadOnlyPaths=/proc
-ReadOnlyPaths=/etc
-ReadOnlyPaths=/usr
-ReadOnlyPaths=/lib
-ReadOnlyPaths=/boot
-InaccessiblePaths=-/etc/shadow
-InaccessiblePaths=-/etc/NetworkManager/system-connections/
-InaccessiblePaths=-/etc/pam.d/
-InaccessiblePaths=-/etc/security/
-InaccessiblePaths=-/etc/selinux/
-InaccessiblePaths=-/etc/deepin-elf-verify/
-InaccessiblePaths=-/etc/filearmor.d/
-InaccessiblePaths=-/etc/crypttab
-InaccessiblePaths=-/etc/fstab
-InaccessiblePaths=-/sysroot/ostree/repo/
-InaccessiblePaths=-/persistent/ostree/repo/
-InaccessiblePaths=-/usr/share/uadp
-InaccessiblePaths=-/etc/sudoers
-InaccessiblePaths=-/etc/sudoers.d
-OOMScoreAdjust=-500
-Nice=-5
+#IOWeight=200
+#ProtectSystem=full
+#ProtectHome=true
+#ProtectProc=invisible
+#PrivateTmp=true
+#PrivateDevices=false
+#PrivateIPC=true
+#ProtectClock=true
+#ProtectKernelTunables=true
+#ProtectKernelModules=false
+#NoNewPrivileges=true
+#MemoryDenyWriteExecute=true
+#RestrictSUIDSGID=true
+#LimitMEMLOCK=infinity
+#CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SYS_MODULE CAP_SYS_PTRACE CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_BOOT CAP_KILL CAP_NET_BIND_SERVICE
+#AmbientCapabilities=CAP_SYS_ADMIN CAP_SYS_MODULE CAP_SYS_PTRACE CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_BOOT CAP_KILL CAP_NET_BIND_SERVICE
+#ExecPaths=/usr/bin /usr/sbin /bin /sbin /lib /lib64 /usr/lib /usr/lib64
+#NoExecPaths=/tmp /var/tmp /home /root
+#ReadWritePaths=/var/lib/deepin-devicemanager
+#ReadWritePaths=/var/log
+#ReadWritePaths=/var/cache
+#ReadWritePaths=/tmp
+#ReadWritePaths=/var/tmp
+#ReadWritePaths=/etc/modprobe.d
+#ReadWritePaths=/run
+#ReadOnlyPaths=/sys
+#ReadOnlyPaths=/proc
+#ReadOnlyPaths=/etc
+#ReadOnlyPaths=/usr
+#ReadOnlyPaths=/lib
+#ReadOnlyPaths=/boot
+#InaccessiblePaths=-/etc/shadow
+#InaccessiblePaths=-/etc/NetworkManager/system-connections/
+#InaccessiblePaths=-/etc/pam.d/
+#InaccessiblePaths=-/etc/security/
+#InaccessiblePaths=-/etc/selinux/
+#InaccessiblePaths=-/etc/deepin-elf-verify/
+#InaccessiblePaths=-/etc/filearmor.d/
+#InaccessiblePaths=-/etc/crypttab
+#InaccessiblePaths=-/etc/fstab
+#InaccessiblePaths=-/sysroot/ostree/repo/
+#InaccessiblePaths=-/persistent/ostree/repo/
+#InaccessiblePaths=-/usr/share/uadp
+#InaccessiblePaths=-/etc/sudoers
+#InaccessiblePaths=-/etc/sudoers.d
+#OOMScoreAdjust=-500
+#Nice=-5
 
 [Install]
 WantedBy=multi-user.target
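Review bot: Commenting out the whole block leaves a `User=root` daemon with no capability bound, no `NoNewPrivileges`, a writable `/usr`, `/boot` and `/etc`, and read access to `/etc/shadow` and `/etc/sudoers`, which is far broader than one bug report is likely to need. The page does not show which directive triggers the linked bug, so I would re-enable the settings one group at a time and leave commented only the one that actually breaks the service; at the least keep `NoNewPrivileges=true`, `RestrictSUIDSGID=true` and the `InaccessiblePaths=-/etc/shadow` family active. The change also drops `IOWeight`, `LimitMEMLOCK`, `OOMScoreAdjust` and `Nice`, which are resource tuning rather than restrictions and will shift the daemon's scheduling and OOM behaviour. Since the intent is temporary, put a marker above the block such as `# TEMPORARY (bug 346599): hardening disabled, restore before release` so the revert is not forgotten. The `[Service]` section starts above this hunk, so other settings outside the visible lines may still apply.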