From 94611c2d7c32cf27475735cd3fa884de0a1dc374 Mon Sep 17 00:00:00 2001
From: zhangkun
Date: Mon, 23 Jun 2025 17:20:34 +0800
Subject: [PATCH] feat: use `deepin-immutable-ctrl` to wrap and call `locale-gen` Avoiding permission issues caused by immutable systems Log: use `deepin-immutable-ctrl` to wrap and call `locale-gen`
---
 locale-helper/main.go | 36 +++++++++++++++----
 .../system/deepin-locale-helper.service | 14 +++++---
 2 files changed, 40 insertions(+), 10 deletions(-)
diff --git a/locale-helper/main.go b/locale-helper/main.go
index 8c8013b..ccd0cf6 100644
--- a/locale-helper/main.go
+++ b/locale-helper/main.go
@@ -11,15 +11,17 @@ import (
 "github.com/linuxdeepin/go-lib/dbusutil"
 "github.com/linuxdeepin/go-lib/log"
+ dutils "github.com/linuxdeepin/go-lib/utils"
 )
 //go:generate dbusutil-gen em -type Helper
 const (
- dbusServiceName = "org.deepin.dde.LocaleHelper1"
- dbusPath = "/org/deepin/dde/LocaleHelper1"
- dbusInterface = dbusServiceName
- localeGenBin = "/usr/sbin/locale-gen"
+ dbusServiceName = "org.deepin.dde.LocaleHelper1"
+ dbusPath = "/org/deepin/dde/LocaleHelper1"
+ dbusInterface = dbusServiceName
+ localeGenBin = "/usr/sbin/locale-gen"
+ deepinImmutableCtlBin = "/usr/sbin/deepin-immutable-ctl"
 )
 type Helper struct {
@@ -90,10 +92,32 @@ func (h *Helper) canQuit() bool {
 }
 func (h *Helper) doGenLocale() error {
- return exec.Command(localeGenBin).Run()
+ if !dutils.IsFileExist(deepinImmutableCtlBin) {
+ logger.Warning("deepin-immutable-ctl not found, use locale-gen directly")
+ return exec.Command(localeGenBin).Run()
+ } else {
+ // TODO 在磐石适配 locale-gen 前使用 deepin-immutable-ctl 执行 locale-gen,否则有权限问题
+ output, err := exec.Command(deepinImmutableCtlBin, "admin", "exec", localeGenBin).CombinedOutput()
+ if err != nil {
+ logger.Warning("deepin-immutable-ctl exec locale-gen failed, err:", err, "output:", string(output))
+ return err
+ }
+ return nil
+ }
 }
 // locales version <= 2.13
 func (h *Helper) doGenLocaleWithParam(locale string) error {
- return exec.Command(localeGenBin, locale).Run()
+ if !dutils.IsFileExist(deepinImmutableCtlBin) {
+ logger.Warning("deepin-immutable-ctl not found, use locale-gen directly")
+ return exec.Command(localeGenBin, locale).Run()
+ } else {
+ // TODO 在磐石适配 locale-gen 前使用 deepin-immutable-ctl 执行 locale-gen,否则有权限问题
+ output, err := exec.Command(deepinImmutableCtlBin, "admin", "exec", "--", localeGenBin, locale).CombinedOutput()
+ if err != nil {
+ logger.Warning("deepin-immutable-ctl exec locale-gen failed, err:", err, "output:", string(output))
+ return err
+ }
+ return nil
+ }
 }
diff --git a/misc/systemd/system/deepin-locale-helper.service b/misc/systemd/system/deepin-locale-helper.service
index 0e029c1..9d3f36d 100644
--- a/misc/systemd/system/deepin-locale-helper.service
+++ b/misc/systemd/system/deepin-locale-helper.service
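Review bot: The two wrapped calls are built differently: `doGenLocale` passes `localeGenBin` directly after `"exec"`, while `doGenLocaleWithParam` inserts `"--"`. The two bodies are otherwise copies, so a later fix can easily land in one and miss the other. The `"--"` only ends option parsing in deepin-immutable-ctl; `locale` is still the first argument locale-gen itself sees, and nothing in this hunk checks it, so unless the caller path (outside the hunk) already validates it, a value beginning with `-` should be rejected before the exec. The direct fallback still uses `Run()` and discards locale-gen's output, unlike the wrapped path, which makes failures on that path harder to diagnose. A single helper, sketched below on the assumption that the wrapper accepts `--` with no trailing arguments, removes the duplication and the `else` after `return`.

```go
// runLocaleGen runs locale-gen, going through deepin-immutable-ctl when
// that wrapper is installed and calling locale-gen directly otherwise.
func runLocaleGen(args ...string) error {
	if !dutils.IsFileExist(deepinImmutableCtlBin) {
		logger.Warning("deepin-immutable-ctl not found, use locale-gen directly")
		return exec.Command(localeGenBin, args...).Run()
	}
	// "--" ends the wrapper's own option parsing on both call paths.
	wrapped := append([]string{"admin", "exec", "--", localeGenBin}, args...)
	output, err := exec.Command(deepinImmutableCtlBin, wrapped...).CombinedOutput()
	if err != nil {
		logger.Warning("deepin-immutable-ctl exec locale-gen failed, err:", err, "output:", string(output))
	}
	return err
}

func (h *Helper) doGenLocale() error {
	return runLocaleGen()
}

// locales version <= 2.13
func (h *Helper) doGenLocaleWithParam(locale string) error {
	return runLocaleGen(locale)
}
```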
@@ -12,12 +12,14 @@ ExecStart=/usr/lib/deepin-api/locale-helper
 ReadWritePaths=/etc/default/locale
 ReadWritePaths=/etc/locale.gen
-ReadWritePaths=/usr/lib/locale/
-ExecPaths=/usr/sbin/locale-gen
+
+# Temporary workaround: ReadWritePaths conflicts with deepin-immutable-ctl
+# TODO: Remove this comment when immutable system wraps locale-gen properly
+# ReadWritePaths=/usr/lib/locale/
 DevicePolicy=closed
-ProtectSystem=full
+ProtectSystem=strict
 ProtectHome=yes
 PrivateTmp=yes
 PrivateDevices=yes
@@ -29,7 +31,11 @@ ProtectKernelModules=yes
 ProtectKernelLogs=yes
 ProtectControlGroups=yes
 RestrictAddressFamilies=AF_UNIX
-RestrictNamespaces=yes
+
+# Need to call /usr/sbin/deepin-immutable-ctl command
+# TODO: Remove this comment when immutable system wraps locale-gen properly
+# RestrictNamespaces=yes
+
 LockPersonality=yes
 RestrictRealtime=yes
 RestrictSUIDSGID=yes
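Review bot: With `ProtectSystem=strict` set and `ReadWritePaths=/usr/lib/locale/` commented out, the unit no longer grants write access to the locale directory. main.go in this same patch still falls back to running `/usr/sbin/locale-gen` directly when deepin-immutable-ctl is absent, so on such a system the fallback will presumably fail on a read-only file system. Either keep the write path available for the fallback case or drop the fallback so the failure is explicit. The TODO asks to remove "this comment" when the intent is to restore the directive; `# TODO: restore ReadWritePaths=/usr/lib/locale/ once the immutable system handles locale-gen itself` says that. The removal of `ExecPaths=/usr/sbin/locale-gen` is not explained in the comment or the commit message.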
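Review bot: Commenting out `RestrictNamespaces=yes` lifts the namespace restriction for the whole helper process, not only for the deepin-immutable-ctl child it spawns. systemd accepts a list of namespace types for this directive, so if the wrapper needs only mount namespaces, for example, `RestrictNamespaces=mnt` would keep the remaining types blocked. Which types the wrapper actually needs is not visible in this patch and should be confirmed before narrowing. As with the `ReadWritePaths` comment earlier in this file, the TODO should say to restore the directive rather than to remove the comment.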