@zccrs zccrs commented Jul 17, 2025

  1. Introduce seatd-dde.service to avoid conflicts with the system's existing seatd.service. This allows Deepin Desktop Environment (DDE) to manage its seat without affecting other applications relying on seatd.
  2. Remove the override for the global seatd.service. This prevents DDE's configuration from unintentionally altering the behavior of the system's seatd instance.
  3. Modify ddm.service to depend on seatd-dde.service instead of seatd.service. This ensures that DDE's display manager (ddm) utilizes the dedicated seatd service for DDE.
  4. The seatd-dde.service is configured to run as the dde user and group and sets SEATD_VTBOUND=0. It includes filesystem lockdown, privilege restriction, and network isolation settings for enhanced security.
  5. The changes ensure that DDE's seat management operates independently, preventing potential interference with other system components.

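feat: create a new seatd service for DDE

  1. Introduce seatd-dde.service to avoid conflicts with the system's existing seatd.service. This allows the Deepin Desktop Environment (DDE) to manage its session without affecting other applications that rely on seatd.
  2. Remove the override for the global seatd.service. This prevents DDE's configuration from unintentionally changing the behavior of the system's seatd instance.
  3. Modify ddm.service to depend on seatd-dde.service instead of seatd.service. This ensures that DDE's display manager (ddm) uses the seatd service dedicated to DDE.
  4. seatd-dde.service is configured to run as the dde user and group and sets SEATD_VTBOUND=0. It includes filesystem lockdown, privilege restriction, and network isolation settings for enhanced security.
  5. These changes ensure that DDE's session management runs independently, preventing potential interference with other system components.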

Summary by Sourcery

Isolate DDE’s seat management by introducing and installing a dedicated seatd-dde.service, updating ddm.service to use it, removing the global seatd override, and applying security hardening settings to the new unit.

New Features:

  • Introduce a dedicated seatd-dde.service unit for DDE to manage seats independently

Enhancements:

  • Modify ddm.service to depend on seatd-dde.service and remove the global seatd.service override to prevent interference
  • Harden seatd-dde.service with SEATD_VTBOUND=0, user/group isolation, filesystem lockdown, privilege restrictions, and network isolation

Build:

  • Add CMake installation rules for seatd-dde.service and remove installation of the global override.conf

@zccrs zccrs requested a review from justforlxz July 17, 2025 13:14
sourcery-ai bot commented Jul 17, 2025

Reviewer's Guide

Isolate DDE’s seat management by introducing a dedicated seatd-dde.service with enhanced security, updating CMake to install it, removing the global seatd override, and modifying ddm.service to depend on the new seatd-dde.service.

Flow diagram for installation and dependency changes

flowchart TD
    A[Install seatd-dde.service] --> B[Remove override for seatd.service]
    B --> C[Modify ddm.service to depend on seatd-dde.service]
    C --> D[DDE uses dedicated seatd-dde.service]
    D --> E[Other apps use system seatd.service]

File-Level Changes

Change: Add and install a new seatd-dde.service for DDE
  • Configure and generate seatd-dde.service from template
  • Install seatd-dde.service alongside other systemd units
Files: services/CMakeLists.txt, services/seatd-dde.service.in

Change: Remove unintended global seatd.service override
  • Delete override.conf installation directive
  • Remove the override.conf file
Files: data/systemd/CMakeLists.txt, data/systemd/override.conf

Change: Redirect ddm.service dependency to seatd-dde.service
  • Update ddm.service.in to require seatd-dde.service instead of seatd.service
Files: services/ddm.service.in

Change: Harden seatd-dde.service configuration
  • Run service as dde user and group
  • Set SEATD_VTBOUND=0
  • Apply filesystem, privilege, and network isolation settings
Files: services/seatd-dde.service.in

@sourcery-ai sourcery-ai bot left a comment

Hey @zccrs - I've reviewed your changes and they look great!


@deepin-ci-robot
deepin pr auto review

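Code review comments:

  1. Changes to CMakeLists.txt

    • In CMakeLists.txt, the install command for override.conf has been removed, possibly to simplify the configuration or to avoid conflicts. If override.conf is no longer needed, it is recommended to confirm that this change is consistent with the rest of the project.
  2. Changes to services/CMakeLists.txt

    • Configuration and install commands for seatd-dde.service have been added. This is good practice, because it allows finer-grained control and management of the seatd service. However, the content of seatd-dde.service needs to be correct and consistent with the dependencies in ddm.service.
  3. Changes to ddm.service.in

    • The dependency in ddm.service has been changed from seatd.service to seatd-dde.service. This is a reasonable change, because it reflects the actual configuration of the seatd service. However, it needs to be ensured that seatd-dde.service exists and is configured correctly.
  4. New file seatd-dde.service.in

    • The new seatd-dde.service.in file contains detailed seatd service configuration, including environment variables, the start command, security settings, and so on. The file looks very comprehensive, but it needs to be ensured that all of the security settings are necessary and do not negatively affect other parts of the system.
  5. Security considerations

    • seatd-dde.service.in sets several security-related options, such as ProtectHome, ProtectSystem, and NoNewPrivileges. These settings help improve the security of the service, but it needs to be ensured that they do not conflict with other parts of the system.
  6. Code quality

    • Code formatting and style need to be kept consistent, especially in configuration files. For example, the [Unit] and [Service] sections in seatd-dde.service.in should be aligned to improve readability.
  7. Documentation and comments

    • Although this commit does not contain specific code, it is recommended to add the necessary comments to the configuration file, explaining the purpose and effect of each option. This is very helpful for maintenance and future modifications.

Overall, the changes in this commit look meaningful, but it needs to be ensured that all of the configuration is correct and does not negatively affect other parts of the system. Comprehensive testing is also recommended to ensure that these changes do not introduce new problems.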
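As an added example (not part of this pull request or of the project's code), the script below statically audits unit-file text for the properties named in this thread: the dde user and group, SEATD_VTBOUND=0, NoNewPrivileges, ProtectSystem, ProtectHome, network isolation, and which seatd unit ddm.service references. The sample units, the /usr/bin/seatd path, and treating either PrivateNetwork= or RestrictAddressFamilies= as "network isolation" are assumptions; the PR's actual unit contents are not shown on this page.

```python
# Added example: static audit of systemd units for the properties this PR describes.
# Sample units below are constructed for illustration; they are not the PR's files.
TRUE = {"yes", "true", "on", "1"}

def parse_unit(text):
    """Parse unit text into {section: {key: [values]}}; systemd keys may repeat."""
    unit, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            unit.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            unit[section].setdefault(key.strip(), []).append(value.strip())
    return unit

def audit_seat_service(text, account="dde"):
    """Return the names of missing hardening properties (empty list = pass)."""
    svc = parse_unit(text).get("Service", {})
    last = lambda key: (svc.get(key) or [""])[-1].lower()
    env = [t.strip("\"'") for v in svc.get("Environment", []) for t in v.split()]
    checks = [
        ("User", last("User") == account),
        ("Group", last("Group") == account),
        ("SEATD_VTBOUND=0", "SEATD_VTBOUND=0" in env),
        ("NoNewPrivileges", last("NoNewPrivileges") in TRUE),
        ("ProtectSystem", last("ProtectSystem") in TRUE | {"full", "strict"}),
        ("ProtectHome", last("ProtectHome") in TRUE | {"read-only", "tmpfs"}),
        # Assumption: either directive is accepted as "network isolation".
        ("network isolation", last("PrivateNetwork") in TRUE
            or bool(last("RestrictAddressFamilies"))),
    ]
    return [name for name, ok in checks if not ok]

def seat_dependencies(text):
    """Names of seatd units referenced by [Unit] requirement/ordering keys."""
    unit = parse_unit(text).get("Unit", {})
    deps = {d for k in ("Requires", "Wants", "BindsTo", "After")
            for v in unit.get(k, []) for d in v.split()}
    return sorted(d for d in deps if d.startswith("seatd"))

HARDENED = ("[Service]\nUser=dde\nGroup=dde\nEnvironment=SEATD_VTBOUND=0\n"
            "ExecStart=/usr/bin/seatd\nNoNewPrivileges=yes\nProtectSystem=strict\n"
            "ProtectHome=yes\nPrivateNetwork=yes\n")
WEAK = "[Service]\nExecStart=/usr/bin/seatd\nEnvironment=SEATD_VTBOUND=0\n"
DDM = "[Unit]\nRequires=seatd-dde.service\nAfter=seatd-dde.service\n"
```

On an installed system, `systemd-analyze security seatd-dde.service` gives a runtime view of the same sandboxing settings.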

@deepin-ci-robot
[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: justforlxz, zccrs

@zccrs zccrs merged commit e3a27b2 into linuxdeepin:master Jul 21, 2025
9 checks passed