diff --git a/debian/changelog b/debian/changelog
index 3984965..a329fc4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+deepin-anything (7.0.35) unstable; urgency=medium
+
+ * refactor: Refactor and improve configuration loading and path handling
+ * feat: Implement dynamic config change handling for blacklist paths
+ * feat: Add config item commit_persistent_index_timeout
+ * feat: Add updating index status for batch event processing
+ * feat: Support pending_events_trigger_updating dynamic update
+ * feat: Implement dynamic search strategy with fallback to filesystem scan
+ * feat: Enhance systemd service sandboxing for logger and server
+
+ -- wangrong Thu, 25 Dec 2025 21:25:05 +0800
+
 deepin-anything (7.0.34) unstable; urgency=medium
 
  * feat: Add ancestor_paths field for lucene document
diff --git a/src/logger/deepin-anything-logger.service b/src/logger/deepin-anything-logger.service
index 948b336..6926d01 100644
--- a/src/logger/deepin-anything-logger.service
+++ b/src/logger/deepin-anything-logger.service
@@ -7,6 +7,35 @@ Group=root
 ExecStart=/usr/libexec/deepin-anything-logger
 Restart=on-failure
 RestartSec=30
+ProtectProc=invisible
+SupplementaryGroups=
+CapabilityBoundingSet=
+AmbientCapabilities=
+NoNewPrivileges=true
+OOMScoreAdjust=-500
+Nice=-5
+ProtectSystem=full
+ProtectHome=true
+InaccessiblePaths=-/etc/shadow
+InaccessiblePaths=-/etc/pam.d/
+InaccessiblePaths=-/etc/NetworkManager/system-connections/
+InaccessiblePaths=-/etc/security/
+InaccessiblePaths=-/etc/selinux/
+InaccessiblePaths=-/etc/deepin-elf-verify/
+InaccessiblePaths=-/etc/filearmor.d/
+InaccessiblePaths=-/etc/crypttab
+InaccessiblePaths=-/etc/fstab
+InaccessiblePaths=-/sysroot/ostree/repo/
+InaccessiblePaths=-/persistent/ostree/repo/
+ExecPaths=
+PrivateTmp=true
+PrivateDevices=true
+PrivateIPC=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+MemoryDenyWriteExecute=true
+RestrictSUIDSGID=true
 
 [Install]
 WantedBy=multi-user.target
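Review bot: The added `ExecPaths=` line in deepin-anything-logger.service has an empty value, which only resets the list; with no `NoExecPaths=` entry it restricts nothing, so the service can still execute any binary it can read. If an exec allowlist was intended, it needs the pair `NoExecPaths=/` and `ExecPaths=/usr/libexec/deepin-anything-logger`, plus the library directories the binary loads from (to be confirmed against its linkage). The `InaccessiblePaths=` entries are a denylist layered on `ProtectSystem=full`, which still leaves trees such as `/var` writable; `ProtectSystem=strict` with an explicit `ReadWritePaths=` for the log location (not visible in this hunk) would be the tighter form. The same empty `ExecPaths=` line appears in the deepin-anything-server.service hunk.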
diff --git a/src/server/deepin-anything-server.service b/src/server/deepin-anything-server.service
index 30c11b9..c74fd03 100644
--- a/src/server/deepin-anything-server.service
+++ b/src/server/deepin-anything-server.service
@@ -10,6 +10,34 @@ ExecStartPre=modprobe vfs_monitor
 ExecStopPost=rmmod vfs_monitor
 Restart=always
 RestartSec=30
+ProtectProc=invisible
+SupplementaryGroups=
+CapabilityBoundingSet=CAP_SYS_MODULE
+AmbientCapabilities=CAP_SYS_MODULE
+NoNewPrivileges=true
+OOMScoreAdjust=-500
+Nice=-5
+ProtectSystem=full
+ProtectHome=true
+InaccessiblePaths=-/etc/shadow
+InaccessiblePaths=-/etc/pam.d/
+InaccessiblePaths=-/etc/NetworkManager/system-connections/
+InaccessiblePaths=-/etc/security/
+InaccessiblePaths=-/etc/selinux/
+InaccessiblePaths=-/etc/deepin-elf-verify/
+InaccessiblePaths=-/etc/filearmor.d/
+InaccessiblePaths=-/etc/crypttab
+InaccessiblePaths=-/etc/fstab
+InaccessiblePaths=-/sysroot/ostree/repo/
+InaccessiblePaths=-/persistent/ostree/repo/
+ExecPaths=
+PrivateTmp=true
+PrivateDevices=true
+PrivateIPC=true
+ProtectClock=true
+ProtectKernelTunables=true
+MemoryDenyWriteExecute=true
+RestrictSUIDSGID=true
 
 [Install]
 WantedBy=multi-user.target
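Review bot: `CapabilityBoundingSet=CAP_SYS_MODULE` and `AmbientCapabilities=CAP_SYS_MODULE` leave the long-running server process able to load kernel modules for its whole lifetime, although in the visible lines only the `modprobe vfs_monitor` / `rmmod vfs_monitor` helpers need that capability. systemd's `+` prefix runs a single command outside the unit's sandbox, so `ExecStartPre=+modprobe vfs_monitor` and `ExecStopPost=+rmmod vfs_monitor` would let this unit use an empty `CapabilityBoundingSet=` and add `ProtectKernelModules=true`, as the logger unit does. Those Exec lines are context here (ExecStartPre appears only in the hunk header), and the `User=` setting is outside the hunk; if the service runs as root, the `AmbientCapabilities=` line is redundant. Separately, `ProtectHome=true` makes `/home`, `/root` and `/run/user` inaccessible to the service, so if the filesystem-scan fallback named in the changelog runs in this process it would not see user files, which is worth confirming.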