From 700e153782dd7358907cf5087f2fee6214aa399a Mon Sep 17 00:00:00 2001 From: wangrong Date: Thu, 25 Dec 2025 21:22:01 +0800 Subject: [PATCH 1/2] feat: Enhance systemd service sandboxing for logger and server As title. Task: https://pms.uniontech.com/task-view-385043.html --- src/logger/deepin-anything-logger.service | 29 +++++++++++++++++++++++ src/server/deepin-anything-server.service | 28 ++++++++++++++++++++++ 2 files changed, 57 insertions(+) diff --git a/src/logger/deepin-anything-logger.service b/src/logger/deepin-anything-logger.service index 948b336..6926d01 100644 --- a/src/logger/deepin-anything-logger.service +++ b/src/logger/deepin-anything-logger.service @@ -7,6 +7,35 @@ Group=root ExecStart=/usr/libexec/deepin-anything-logger Restart=on-failure RestartSec=30 +ProtectProc=invisible +SupplementaryGroups= +CapabilityBoundingSet= +AmbientCapabilities= +NoNewPrivileges=true +OOMScoreAdjust=-500 +Nice=-5 +ProtectSystem=full +ProtectHome=true +InaccessiblePaths=-/etc/shadow +InaccessiblePaths=-/etc/pam.d/ +InaccessiblePaths=-/etc/NetworkManager/system-connections/ +InaccessiblePaths=-/etc/security/ +InaccessiblePaths=-/etc/selinux/ +InaccessiblePaths=-/etc/deepin-elf-verify/ +InaccessiblePaths=-/etc/filearmor.d/ +InaccessiblePaths=-/etc/crypttab +InaccessiblePaths=-/etc/fstab +InaccessiblePaths=-/sysroot/ostree/repo/ +InaccessiblePaths=-/persistent/ostree/repo/ +ExecPaths= +PrivateTmp=true +PrivateDevices=true +PrivateIPC=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +MemoryDenyWriteExecute=true +RestrictSUIDSGID=true [Install] WantedBy=multi-user.target diff --git a/src/server/deepin-anything-server.service b/src/server/deepin-anything-server.service index 30c11b9..c74fd03 100644 --- a/src/server/deepin-anything-server.service +++ b/src/server/deepin-anything-server.service @@ -10,6 +10,34 @@ ExecStartPre=modprobe vfs_monitor ExecStopPost=rmmod vfs_monitor Restart=always RestartSec=30 +ProtectProc=invisible +SupplementaryGroups= +CapabilityBoundingSet=CAP_SYS_MODULE +AmbientCapabilities=CAP_SYS_MODULE +NoNewPrivileges=true +OOMScoreAdjust=-500 +Nice=-5 +ProtectSystem=full +ProtectHome=true +InaccessiblePaths=-/etc/shadow +InaccessiblePaths=-/etc/pam.d/ +InaccessiblePaths=-/etc/NetworkManager/system-connections/ +InaccessiblePaths=-/etc/security/ +InaccessiblePaths=-/etc/selinux/ +InaccessiblePaths=-/etc/deepin-elf-verify/ +InaccessiblePaths=-/etc/filearmor.d/ +InaccessiblePaths=-/etc/crypttab +InaccessiblePaths=-/etc/fstab +InaccessiblePaths=-/sysroot/ostree/repo/ +InaccessiblePaths=-/persistent/ostree/repo/ +ExecPaths= +PrivateTmp=true +PrivateDevices=true +PrivateIPC=true +ProtectClock=true +ProtectKernelTunables=true +MemoryDenyWriteExecute=true +RestrictSUIDSGID=true [Install] WantedBy=multi-user.target From 3ce51d0470a6d84509e17bc7aec6813526ee6cde Mon Sep 17 00:00:00 2001 From: wangrong Date: Thu, 25 Dec 2025 21:26:50 +0800 Subject: [PATCH 2/2] chore: Update version to 7.0.35 As title. Log: Update version to 7.0.35 --- debian/changelog | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/debian/changelog b/debian/changelog index 3984965..a329fc4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,15 @@ +deepin-anything (7.0.35) unstable; urgency=medium + + * refactor: Refactor and improve configuration loading and path handling + * feat: Implement dynamic config change handling for blacklist paths + * feat: Add config item commit_persistent_index_timeout + * feat: Add updating index status for batch event processing + * feat: Support pending_events_trigger_updating dynamic update + * feat: Implement dynamic search strategy with fallback to filesystem scan + * feat: Enhance systemd service sandboxing for logger and server + + -- wangrong Thu, 25 Dec 2025 21:25:05 +0800 + deepin-anything (7.0.34) unstable; urgency=medium * feat: Add ancestor_paths field for lucene document