feat: dbus安全整改

[fly602]

服务所有权分离： 只保留在 中，确保只有 root 用户可以拥有这些服务

Task: https://pms.uniontech.com/task-view-343075.html
Influence: 不对功能造成影响

Summary by Sourcery

Harden D-Bus service ownership for core daemon services and clean up unused backlight manager code.

Enhancements:

• Restrict D-Bus service ownership for BacklightHelper, Daemon, Greeter, and Timedate to non-default policies, preventing general users from claiming these service names.
• Remove unused X11-related import and timestamp field from the DDCCI backlight manager to simplify the implementation.

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

This PR tightens D-Bus security policies by restricting service ownership to root-only policies and removes now-unused code related to X11 timestamps in the backlight helper manager.

Class diagram for updated backlight Manager struct

classDiagram
  class Manager {
    +dbusutil.Service service
    +ddcci ddcci
    +sync.RWMutex PropsMu
  }

  class dbusutil.Service
  class ddcci
  class sync.RWMutex

  Manager --> dbusutil.Service
  Manager --> ddcci
  Manager --> sync.RWMutex

Loading

File-Level Changes

Change	Details	Files
Restrict D-Bus service ownership so only root can own core dde services while keeping method access policies unchanged for other users.	Remove entries from default D-Bus policy sections for dde BacklightHelper, Daemon, Greeter, and Timedate services so non-root users cannot own these well-known names Preserve send_destination permissions so existing clients can still call these services without functional changes	misc/conf/org.deepin.dde.BacklightHelper1.conf misc/conf/org.deepin.dde.Daemon1.conf misc/conf/org.deepin.dde.Greeter1.conf misc/conf/org.deepin.dde.Timedate1.conf
Clean up unused X11-related code in the backlight helper manager struct.	Drop unused dependency on github.com/linuxdeepin/go-x11-client Remove the configTimestamp field from Manager, leaving only the synchronization mutex	bin/backlight_helper/ddcci/manager.go

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've left some high level feedback:

• Since configTimestamp and the go-x11-client dependency are removed, double-check for any remaining timestamp-related logic that may now be redundant and could be cleaned up for clarity.
• PropsMu is still exported but appears to be internal synchronization for Manager; consider making it unexported if it is not intended to be accessed from outside this package.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- Since `configTimestamp` and the `go-x11-client` dependency are removed, double-check for any remaining timestamp-related logic that may now be redundant and could be cleaned up for clarity.
- `PropsMu` is still exported but appears to be internal synchronization for `Manager`; consider making it unexported if it is not intended to be accessed from outside this package.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[deepin-bot]

TAG Bot

New tag: 6.1.71
DISTRIBUTION: unstable
Suggest: synchronizing this PR through rebase #998

[deepin-ci-robot]

deepin pr auto review

这份代码变更涉及对 DDE (Deepin Desktop Environment) 中多个系统服务的 D-Bus 权限配置文件的修改，以及一个 Go 代码文件的清理。以下是详细的代码审查意见：

1. 总体评价

这次修改的主要目的是收紧系统服务的安全策略，移除了未使用的代码依赖。从安全角度来看，这是一个积极的变更，因为它限制了普通用户或非特权进程"拥有"（own）系统级 D-Bus 名称的能力，防止了潜在的权限提升或服务劫持攻击。

2. 详细审查

A. 代码逻辑与语法

• Go 代码 (manager.go):

  • 删除未使用的导入: 移除了 x "github.com/linuxdeepin/go-x11-client"。由于 configTimestamp 字段也随之被删除，且该字段依赖于 X11 库，如果该模块不再需要处理 X11 相关的时间戳或事件，这是正确的清理操作。
  • 删除未使用的字段: 移除了 configTimestamp x.Timestamp。这表明 Manager 结构体不再追踪 X11 的配置时间戳。需确认业务逻辑是否确实不再需要此字段来触发更新或校验。

• D-Bus 配置文件 (.conf):

  • 语法正确: D-Bus 配置文件的 XML 格式修改符合规范。
  • 逻辑一致性: 所有四个配置文件（BacklightHelper1, Daemon1, Greeter1, Timedate1）都执行了相同的操作：移除了 <allow own="..."/>。这表明这是一次系统性的安全加固。

B. 代码安全

• 关键改进: 移除 <allow own="org.deepin.dde.ServiceName"/> 是非常重要的安全增强。
  • 原状风险: 在默认策略中允许任何用户 "own"（拥有）一个系统服务的名称是危险的。这意味着恶意用户可以编写一个程序，抢先注册该服务名，从而劫持系统服务，拦截、修改或拒绝其他组件发出的请求（中间人攻击或拒绝服务）。
  • 修改后: 只有在特定的 policy 上下文（通常是 root 或特定的系统用户）中显式允许 "own" 权限，服务才能启动。虽然 diff 中未展示，但必须确保这些服务启动时的用户（通常是 root）在其他配置段（如 <policy user="root">）中拥有 "own" 权限，否则服务将无法启动。
  • 保留的权限: 保留了 <allow send_destination="..."/>，这意味着普通客户端程序依然可以调用这些服务的方法，这符合正常的功能需求。

C. 代码质量

• 清理冗余: Go 代码中删除了未使用的导入和字段，提高了代码的整洁度，减少了编译时的依赖。
• 一致性: 对所有相关服务配置文件进行了统一的修改，保持了代码库的一致性。

D. 代码性能

• 无直接影响: D-Bus 策略的变更主要影响安全检查逻辑，对运行时性能影响微乎其微。Go 代码删除字段对内存占用有极小的正面影响。

3. 改进建议与潜在风险

1. 验证服务启动:

   • 风险: 移除默认的 "own" 权限后，如果服务本身没有配置正确的用户权限，或者服务降权运行（非 root），它可能无法获取总线名称。
   • 建议: 必须在测试环境中验证所有受影响的服务（dde-backlight-helper, dde-daemon, dde-greeter, dde-timedate）能否正常启动并注册到 D-Bus 总线上。检查系统日志（journalctl）中是否有 "Connection ":1.xxx is not allowed to own the service..." 的错误。

2. 确认业务逻辑变更:

   • 风险: manager.go 中移除了 configTimestamp。如果原来的逻辑依赖此字段来判断 X11 配置是否发生变化并触发刷新，移除它可能导致背光或其他设置无法自动同步。
   • 建议: 审查 manager.go 的完整逻辑，确认是否有其他机制替代了 configTimestamp 的作用（例如 D-Bus 信号、文件监听等）。

3. D-Bus 策略的完整性:

   • 建议: 确认这些 .conf 文件中是否包含针对特定用户（如 root）的 <policy user="root"> 段，并确保其中有 <allow own="org.deepin.dde.ServiceName"/>。如果没有，服务将无法运行。

4. 总结

这是一次高质量的安全加固提交。

• 优点: 显著提升了 D-Bus 服务的安全性，防止了服务名劫持风险；清理了 Go 代码中的死代码。
• 注意事项: 必须重点测试服务的启动情况，并确认 manager.go 中移除 X11 时间戳字段不会导致功能缺失。

结论: 建议合并，但需附带完整的回归测试，特别是服务启动和核心功能（背光调节、时间日期、登录欢迎界面）的测试。

[deepin-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: fly602, robertkill

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• debian/deepin/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment