chore: update device permissions for systemd service#56
Conversation
In the deepin-face.service file, modify the DeviceAllow directive to grant read-write access for char-video4linux, and add new allowances for char-media, char-drm, and /dev/vpu0 with read-write permissions. This change ensures that the deepin-face service can access necessary hardware devices for its functionality, such as video capture, media processing, and graphics rendering, which may be required for proper operation. Influence: 1. Test that the deepin-face service starts successfully with the updated device permissions. 2. Verify access to video devices (/dev/video4linux*), media devices (/ dev/media*), DRM devices (/dev/dri/*), and the specific device /dev/ vpu0. 3. Ensure the service operates correctly when using camera or graphics resources. 4. Confirm that permissions are appropriately scoped and do not introduce security vulnerabilities. chore: 更新系统服务的设备权限 在 deepin-face.service 文件中,更新 DeviceAllow 指令,为 char- video4linux 授予读写权限,并添加对 char-media、char-drm 和 /dev/vpu0 的 读写权限。此更改确保 deepin-face 服务能够访问其功能所需的硬件设备,如视 频捕获、媒体处理和图形渲染,这对于正常运行可能是必要的。 Influence: 1. 测试 deepin-face 服务在更新设备权限后能否正常启动。 2. 验证对视频设备、媒体设备、DRM 设备和特定设备 /dev/vpu0 的访问权限。 3. 确保服务在使用摄像头或图形资源时正常运行。 4. 确认权限范围适当,不会引入安全漏洞。 PMS: BUG-364933
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
deepin pr auto review★ 总体评分:40分■ 【总体评价】
■ 【详细分析】
■ 【改进建议代码示例】 --- a/msic/systemd/deepin-face.service
+++ b/msic/systemd/deepin-face.service
@@ -16,7 +16,10 @@ ProtectSystem=strict
#ReadOnlyPaths=/usr/share/seetaface-models/
ReadWritePaths=/var/log/deepin-face.log
-DeviceAllow=char-video4linux rw
-DeviceAllow=char-media rw
-DeviceAllow=char-drm rw
+# 限制仅访问特定的人脸识别摄像头及关联媒体设备,避免干扰其他硬件
+DeviceAllow=/dev/video0 rw
+DeviceAllow=/dev/media0 rw
+# DRM设备仅需读取图像帧,严禁授予写权限以防提权或导致图形崩溃
+DeviceAllow=char-drm r
DeviceAllow=/dev/vpu0 rw
DevicePolicy=closed |
|
/dev/video0 硬编码 — 摄像头如果在 /dev/video1 就找不到,char-video4linux 能自动匹配所有视频设备,安全性一样但更健壮 /dev/media0 同理 — 序号不固定 char-drm r 只读 — Vulkan 渲染节点需要写权限提交命令缓冲区,只读会导致回退到 Lavapipe 软件模拟,实测 6881ms,跟不加一样慢 |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: fly602, mhduiy The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
3 participants
In the deepin-face.service file, modify the DeviceAllow directive to grant read-write access for char-video4linux, and add new allowances for char-media, char-drm, and /dev/vpu0 with read-write permissions. This change ensures that the deepin-face service can access necessary hardware devices for its functionality, such as video capture, media processing, and graphics rendering, which may be required for proper operation.
Influence:
chore: 更新系统服务的设备权限
在 deepin-face.service 文件中,更新 DeviceAllow 指令,为 char- video4linux 授予读写权限,并添加对 char-media、char-drm 和 /dev/vpu0 的 读写权限。此更改确保 deepin-face 服务能够访问其功能所需的硬件设备,如视
频捕获、媒体处理和图形渲染,这对于正常运行可能是必要的。
Influence:
PMS: BUG-364933