From 6a7d62608515f84ca9623f1c0666e462173e78b1 Mon Sep 17 00:00:00 2001 From: fuleyi Date: Thu, 14 Aug 2025 14:17:03 +0800 Subject: [PATCH 1/4] =?UTF-8?q?feat:=20dde-api=E5=AE=89=E5=85=A8=E6=95=B4?= =?UTF-8?q?=E6=94=B9=20/lib/systemd/system/deepin-locale-helper.service=20?= =?UTF-8?q?=E5=BA=94=E8=AF=A5=E9=BB=98=E8=AE=A4=E4=BB=85deepin=E5=92=8Cuos?= =?UTF-8?q?=E6=89=93=E5=8C=85=EF=BC=9B?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Log: dde-api安全整改 PMS: TASK-369021 --- Makefile | 8 ++++++++ debian/rules | 4 ++-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index fcbccce..47eed04 100644 --- a/Makefile +++ b/Makefile @@ -6,6 +6,7 @@ libdir = /lib SYSTEMD_LIB_DIR = ${libdir} SYSTEMD_SERVICE_DIR = ${SYSTEMD_LIB_DIR}/systemd/system/ GOBUILD = env GOPATH="${CURDIR}/${GOBUILD_DIR}:${GOPATH}" go build +INSTALL_LOCALE_HELPER ?= 0 TESTS = \ ${GOPKG_PREFIX}/adjust-grub-theme \ @@ -141,6 +142,13 @@ install-binary: mkdir -pv ${DESTDIR}${SYSTEMD_SERVICE_DIR} cp -R misc/systemd/system/*.service ${DESTDIR}${SYSTEMD_SERVICE_DIR} + # 默认不安装 deepin-locale-helper.service,只有显式开启时才保留 + if [ "${INSTALL_LOCALE_HELPER}" != "1" ]; then \ + rm -f ${DESTDIR}${SYSTEMD_SERVICE_DIR}/deepin-locale-helper.service; \ + rm -f ${DESTDIR}${PREFIX}/share/dbus-1/system-services/org.deepin.dde.LocaleHelper1.service; \ + rm -f ${DESTDIR}${PREFIX}/share/polkit-1/actions/org.deepin.dde.locale-helper.policy; \ + rm -f ${DESTDIR}${PREFIX}/share/dbus-1/system.d/org.deepin.dde.LocaleHelper1.conf; \ + fi mkdir -pv ${DESTDIR}${PREFIX}/share/icons/hicolor cp -R misc/icons/* ${DESTDIR}${PREFIX}/share/icons/hicolor diff --git a/debian/rules b/debian/rules index ad14081..3fb3329 100755 --- a/debian/rules +++ b/debian/rules 
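Review bot: In the `install-binary` recipe the locale-helper files are first copied into `${DESTDIR}` and then deleted again, so the four `rm -f` paths must be kept in step by hand with whatever the earlier `cp` lines install. Only the systemd unit, the D-Bus activation file, the bus policy and the polkit action are removed. Whether the helper executable itself is still installed cannot be seen from this hunk; if it is, it should be removed under the same condition so that a default build ships no part of the privileged helper. A short comment next to `INSTALL_LOCALE_HELPER ?= 0`, e.g. `# only the exact value 1 keeps the locale-helper service files`, would document the switch for packagers. The recipe starts and ends outside the hunk.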
@@ -14,10 +14,10 @@ endif dh $@ --buildsystem=makefile override_dh_auto_install: - dh_auto_install + dh_auto_install -- INSTALL_LOCALE_HELPER=1 override_dh_strip: dh_strip --dbgsym-migration=dde-api-dbg override_dh_installsystemd: - dh_installsystemd --no-start + dh_installsystemd --no-start --no-restart-on-upgrade From 8f9ba0b377eda43618145f0587ec375141354990 Mon Sep 17 00:00:00 2001 From: fuleyi Date: Thu, 14 Aug 2025 14:19:21 +0800 Subject: [PATCH 2/4] =?UTF-8?q?feat:=20dde-api=E5=AE=89=E5=85=A8=E6=95=B4?= =?UTF-8?q?=E6=94=B9=EF=BC=8C=E9=9F=B3=E6=95=88=E6=9C=8D=E5=8A=A1=E7=94=A8?= =?UTF-8?q?=E6=88=B7=E6=94=B9=E6=88=90deepin-daemon?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit /lib/systemd/system/deepin-sound-theme-player.service User不应该再使用deepin-sound-player Log: dde-api安全整改 PMS: TASK-369021 --- Makefile | 6 ++--- archlinux/deepin-api.install | 16 ----------- archlinux/deepin-api.sysusers | 1 - debian/dde-api.postinst | 14 ---------- debian/dde-api.postrm | 14 ---------- .../org.deepin.dde.SoundThemePlayer1.conf | 4 +-- ...device.unblock-bluetooth-devices.policy.in | 1 + .../org.deepin.dde.SoundThemePlayer1.service | 2 +- misc/systemd/system/deepin-api-device.service | 27 ++++++++++++------- .../systemd/system/deepin-login-sound.service | 6 ++++- .../system/deepin-shutdown-sound.service | 8 ++++-- .../system/deepin-sound-theme-player.service | 3 ++- rpm/dde-api.spec | 16 +++++------ sound-theme-player/config.go | 18 ------------- sound-theme-player/main.go | 9 +------ 15 files changed, 47 insertions(+), 98 deletions(-) delete mode 100644 archlinux/deepin-api.install delete mode 100644 archlinux/deepin-api.sysusers delete mode 100755 debian/dde-api.postrm diff --git a/Makefile b/Makefile index 47eed04..15653f0 100644 --- a/Makefile +++ b/Makefile 
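Review bot: Adding `--no-restart-on-upgrade` to `dh_installsystemd` means services that are already running keep their old unit settings after the package is upgraded. The hardening in this series (new `User=`, sandbox directives) would therefore presumably not apply until the next reboot or a manual restart. If that is intended, for example to avoid interrupting a desktop session, a comment above the line should say so, e.g. `# services are not restarted on upgrade; new unit settings apply after reboot`. `INSTALL_LOCALE_HELPER=1` is also passed unconditionally, so every build from this `debian/rules` ships the helper, whichever distribution it targets.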
@@ -134,9 +134,9 @@ install-binary: mkdir -pv ${DESTDIR}${PREFIX}/share/polkit-1/actions cp misc/polkit-action/*.policy ${DESTDIR}${PREFIX}/share/polkit-1/actions/ - mkdir -pv ${DESTDIR}/var/lib/polkit-1/localauthority/10-vendor.d - cp misc/polkit-localauthority/*.pkla ${DESTDIR}/var/lib/polkit-1/localauthority/10-vendor.d/ - + mkdir -pv ${DESTDIR}/var/lib/polkit-1/rules.d + cp misc/polkit-rules/*.rules ${DESTDIR}/var/lib/polkit-1/rules.d/ + mkdir -pv ${DESTDIR}${PREFIX}/share/dde-api cp -R misc/data ${DESTDIR}${PREFIX}/share/dde-api diff --git a/archlinux/deepin-api.install b/archlinux/deepin-api.install deleted file mode 100644 index 6c80139..0000000 --- a/archlinux/deepin-api.install +++ /dev/null @@ -1,16 +0,0 @@ -post_install() { - # We need to know uid and gid to create /var/lib/deepin-sound-player with proper - # permissions. So keep systemd-sysusers invocation here despite having - # pacman hooks. - systemd-sysusers deepin-sound-player.conf - mkdir -p var/lib/deepin-sound-player - chown -R deepin-sound-player:deepin-sound-player var/lib/deepin-sound-player -} - -post_upgrade() { - if (( $(vercmp $2 5.2.0.1-2) < 0)); then - usermod -d /var/lib/deepin-sound-player deepin-sound-player - mkdir -p var/lib/deepin-sound-player - chown -R deepin-sound-player:deepin-sound-player var/lib/deepin-sound-player - fi -} diff --git a/archlinux/deepin-api.sysusers b/archlinux/deepin-api.sysusers deleted file mode 100644 index 513ebb1..0000000 --- a/archlinux/deepin-api.sysusers +++ /dev/null @@ -1 +0,0 @@ -u deepin-sound-player - "Deepin Sound Player" /var/lib/deepin-sound-player diff --git a/debian/dde-api.postinst b/debian/dde-api.postinst index b7add18..8d25efc 100644 --- a/debian/dde-api.postinst +++ b/debian/dde-api.postinst @@ -3,9 +3,6 @@ set -e -player_user=deepin-sound-player -player_home=/var/lib/$player_user - themeDir="/boot/grub/themes/deepin" fallbackThemeDir=$themeDir-fallback adjustGrubThemeBin="/usr/lib/deepin-api/adjust-grub-theme" 
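Review bot: The new install path `${DESTDIR}/var/lib/polkit-1/rules.d` is, as far as I know, not a directory polkitd loads rules from. Upstream polkit reads `*.rules` from `/etc/polkit-1/rules.d` and `/usr/share/polkit-1/rules.d`, while `/var/lib/polkit-1` belonged to the old localauthority (`.pkla`) backend. Unless the target polkit build is patched, the rule would be silently ignored and the action would fall back to the defaults in the `.policy` file. Vendor rules normally go to `${DESTDIR}${PREFIX}/share/polkit-1/rules.d`, with the `%files` entry in `rpm/dde-api.spec` changed to match. The `misc/polkit-rules/` directory is only added in patch 3/4, so `cp misc/polkit-rules/*.rules` fails at this commit.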
@@ -45,17 +42,6 @@ adjustGrubTheme () { case "$1" in configure) - if ! getent group $player_user >/dev/null; then - addgroup --quiet --system $player_user - fi - if ! getent passwd $player_user >/dev/null; then - adduser --quiet --system --ingroup $player_user --home $player_home $player_user - adduser --quiet $player_user audio - fi - - runuser -u $player_user -- mkdir -p $player_home/.config/pulse - runuser - deepin-sound-player -s /bin/sh -c "echo 'autospawn = no' > $player_home/.config/pulse/client.conf" - adjustGrubTheme setupFallbackTheme ;; diff --git a/debian/dde-api.postrm b/debian/dde-api.postrm deleted file mode 100755 index b301ccf..0000000 --- a/debian/dde-api.postrm +++ /dev/null @@ -1,14 +0,0 @@ -#!/bin/sh -# postrm script for dde-api - -set -e -sound_player_user=deepin-sound-player - -if [ "$1" = "purge" ]; then - deluser --quiet --system $sound_player_user >/dev/null || true - delgroup --quiet --system $sound_player_user >/dev/null || true - rm -rf /var/lib/$sound_player_user 2>/dev/null || true -fi - -#DEBHELPER# -exit 0 diff --git a/misc/conf/org.deepin.dde.SoundThemePlayer1.conf b/misc/conf/org.deepin.dde.SoundThemePlayer1.conf index 45c20db..f9ad115 100644 --- a/misc/conf/org.deepin.dde.SoundThemePlayer1.conf +++ b/misc/conf/org.deepin.dde.SoundThemePlayer1.conf @@ -5,8 +5,8 @@ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> - - + + diff --git a/misc/polkit-action/org.deepin.dde.device.unblock-bluetooth-devices.policy.in b/misc/polkit-action/org.deepin.dde.device.unblock-bluetooth-devices.policy.in index 4b5a020..61c3d13 100644 --- a/misc/polkit-action/org.deepin.dde.device.unblock-bluetooth-devices.policy.in +++ b/misc/polkit-action/org.deepin.dde.device.unblock-bluetooth-devices.policy.in @@ -14,5 +14,6 @@ no auth_admin_keep + unix-user:deepin-daemon diff --git a/misc/system-services/org.deepin.dde.SoundThemePlayer1.service b/misc/system-services/org.deepin.dde.SoundThemePlayer1.service index 2dc2943..72501fb 100644 
--- a/misc/system-services/org.deepin.dde.SoundThemePlayer1.service +++ b/misc/system-services/org.deepin.dde.SoundThemePlayer1.service @@ -1,5 +1,5 @@ [D-BUS Service] Name=org.deepin.dde.SoundThemePlayer1 Exec=/usr/lib/deepin-api/sound-theme-player -User=deepin-sound-player +User=deepin-daemon SystemdService=dbus-org.deepin.dde.SoundThemePlayer1.service diff --git a/misc/systemd/system/deepin-api-device.service b/misc/systemd/system/deepin-api-device.service index bfd4d2c..3723825 100644 --- a/misc/systemd/system/deepin-api-device.service +++ b/misc/systemd/system/deepin-api-device.service @@ -17,23 +17,32 @@ ExecStart=/usr/lib/deepin-api/device DeviceAllow=/dev/rfkill rw DevicePolicy=closed -ProtectSystem=full +ProtectSystem=strict + +InaccessiblePaths=/etc/shadow +InaccessiblePaths=-/etc/NetworkManager/system-connections +InaccessiblePaths=-/etc/pam.d +InaccessiblePaths=-/usr/share/uadp/ + +NoNewPrivileges=yes ProtectHome=yes -PrivateTmp=yes -#PrivateDevices=yes -PrivateNetwork=yes -ProtectHostname=yes -ProtectClock=yes ProtectKernelTunables=yes ProtectKernelModules=yes -ProtectKernelLogs=yes ProtectControlGroups=yes -RestrictAddressFamilies=AF_UNIX +PrivateMounts=yes +PrivateTmp=yes +# 需要操作rfkill +#PrivateDevices=yes +PrivateNetwork=yes +# 需要读取/proc的exe字段数据 +#PrivateUsers=yes RestrictNamespaces=yes LockPersonality=yes RestrictRealtime=yes -RestrictSUIDSGID=yes RemoveIPC=yes +# 和golang -pie参数冲突,导致进程无法启动 +#MemoryDenyWriteExecute=yes +MemoryLimit=100M [Install] Alias=dbus-org.deepin.dde.Device1.service diff --git a/misc/systemd/system/deepin-login-sound.service b/misc/systemd/system/deepin-login-sound.service index ffd8d53..150cfd1 100644 --- a/misc/systemd/system/deepin-login-sound.service +++ b/misc/systemd/system/deepin-login-sound.service 
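Review bot: Switching `User=` from the dedicated `deepin-sound-player` account to the shared `deepin-daemon` account removes the uid boundary between the sound player and every other service running as `deepin-daemon`; the same change is made in `deepin-login-sound.service`, `deepin-shutdown-sound.service` and `deepin-sound-theme-player.service`. The same patch adds `unix-user:deepin-daemon` to the `unblock-bluetooth-devices` polkit policy, so a flaw in the sound player, which reads theme and per-user config files, would now run under the identity that policy names. If the shared account is a project-wide decision, a comment in the units should record which services share it, because the per-unit sandbox directives are then the only remaining separation. Nothing at this commit creates `deepin-daemon` on Debian (the `postinst` code is removed here and the sysusers file only arrives in patch 4/4), so D-Bus activation would presumably fail in between.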
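Review bot: This hunk drops `ProtectHostname=yes`, `ProtectClock=yes`, `ProtectKernelLogs=yes`, `RestrictAddressFamilies=AF_UNIX` and `RestrictSUIDSGID=yes` from `deepin-api-device.service` without giving a reason, which loosens the sandbox in a commit meant to tighten it. The options that stay disabled (`PrivateDevices`, `PrivateUsers`, `MemoryDenyWriteExecute`) each carry a comment naming the conflict; the removed ones should either stay or get the same treatment. `MemoryLimit=` is the legacy cgroup-v1 setting and `MemoryMax=` is its replacement on current systemd. The `[Service]` section starts outside the hunk.

```ini
# … unchanged: ProtectSystem=strict, InaccessiblePaths=, NoNewPrivileges=, ProtectHome= …
ProtectHostname=yes
ProtectClock=yes
ProtectKernelLogs=yes
# … unchanged: remaining Protect*/Private* options and their comments …
RestrictAddressFamilies=AF_UNIX
RestrictSUIDSGID=yes
# MemoryMax= replaces the legacy MemoryLimit=
MemoryMax=100M
```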
@@ -5,7 +5,8 @@ After=dbus.service lightdm.service [Service] Type=oneshot -User=deepin-sound-player +User=deepin-daemon +Environment=HOME=/var/lib/deepin-sound-player ExecStart=/usr/bin/dbus-send --system --print-reply --dest=org.deepin.dde.SoundThemePlayer1 /org/deepin/dde/SoundThemePlayer1 org.deepin.dde.SoundThemePlayer1.PlaySoundDesktopLogin RemainAfterExit=yes @@ -28,3 +29,6 @@ LockPersonality=yes RestrictRealtime=yes RestrictSUIDSGID=yes RemoveIPC=yes + +[Install] +WantedBy=multi-user.target \ No newline at end of file diff --git a/misc/systemd/system/deepin-shutdown-sound.service b/misc/systemd/system/deepin-shutdown-sound.service index 2e33d36..a9ec93d 100644 --- a/misc/systemd/system/deepin-shutdown-sound.service +++ b/misc/systemd/system/deepin-shutdown-sound.service @@ -7,13 +7,14 @@ Before=shutdown.target [Service] Type=simple -User=deepin-sound-player +User=deepin-daemon +Environment=HOME=/var/lib/deepin-sound-player ExecStart=/usr/bin/true ExecStop=/usr/lib/deepin-api/deepin-shutdown-sound RemainAfterExit=yes TimeoutStopSec=7s -ReadOnlyPaths=/var/lib/deepin-sound-player +StateDirectory=deepin-sound-player BindReadOnlyPaths=-/tmp/deepin-shutdown-sound.json DeviceAllow=char-alsa rw @@ -36,3 +37,6 @@ LockPersonality=yes RestrictRealtime=yes RestrictSUIDSGID=yes RemoveIPC=yes + +[Install] +WantedBy=graphical.target \ No newline at end of file diff --git a/misc/systemd/system/deepin-sound-theme-player.service b/misc/systemd/system/deepin-sound-theme-player.service index 14c8282..3c3d030 100644 --- a/misc/systemd/system/deepin-sound-theme-player.service +++ b/misc/systemd/system/deepin-sound-theme-player.service @@ -11,7 +11,8 @@ After=dbus.socket [Service] Type=dbus BusName=org.deepin.dde.SoundThemePlayer1 -User=deepin-sound-player +User=deepin-daemon +Environment=HOME=/var/lib/deepin-sound-player ExecStart=/usr/lib/deepin-api/sound-theme-player StateDirectory=deepin-sound-player 
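Review bot: Replacing `ReadOnlyPaths=/var/lib/deepin-sound-player` with `StateDirectory=deepin-sound-player` in `deepin-shutdown-sound.service` turns what was a read-only view of the state directory into a writable one for the shutdown helper. `deepin-sound-theme-player.service` already declares the same `StateDirectory=`, so if the shutdown helper only reads its configuration (not visible from this hunk) it could keep read-only access with `ReadOnlyPaths=-/var/lib/deepin-sound-player`. The added `Environment=HOME=/var/lib/deepin-sound-player` also differs from the `%{_sharedstatedir}/deepin-daemon` home that `rpm/dde-api.spec` creates for the same account in this patch; a comment should say which directory is authoritative.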
diff --git a/rpm/dde-api.spec b/rpm/dde-api.spec index 09b5b6b..3b4550b 100644 --- a/rpm/dde-api.spec +++ b/rpm/dde-api.spec @@ -88,15 +88,15 @@ for file in $(find . -iname "*.go" -o -iname "*.c" -o -iname "*.h" -o -iname "*. echo "%{gopath}/src/%{goipath}/$file" >> devel.file-list done %make_install SYSTEMD_SERVICE_DIR="%{_unitdir}" LIBDIR="%{_libexecdir}" -# HOME directory for user deepin-sound-player -mkdir -p %{buildroot}%{_sharedstatedir}/deepin-sound-player +# HOME directory for user deepin-daemon +mkdir -p %{buildroot}%{_sharedstatedir}/deepin-daemon %pre -getent group deepin-sound-player >/dev/null || groupadd -r deepin-sound-player -getent passwd deepin-sound-player >/dev/null || \ - useradd -r -g deepin-sound-player -d %{_sharedstatedir}/deepin-sound-player\ +getent group deepin-daemon >/dev/null || groupadd -r deepin-daemon +getent passwd deepin-daemon >/dev/null || \ + useradd -r -g deepin-daemon -d %{_sharedstatedir}/deepin-daemon\ -s /sbin/nologin \ - -c "User of org.deepin.dde.SoundThemePlayer1.service" deepin-sound-player + -c "User of org.deepin.dde.SoundThemePlayer1.service" deepin-daemon exit 0 %post @@ -122,8 +122,8 @@ exit 0 %{_datadir}/dde-api/data/grub-themes/ %{_datadir}/polkit-1/actions/org.deepin.dde.locale-helper.policy %{_datadir}/polkit-1/actions/org.deepin.dde.device.unblock-bluetooth-devices.policy -%{_var}/lib/polkit-1/localauthority/10-vendor.d/org.deepin.dde.device.pkla -%attr(-, deepin-sound-player, deepin-sound-player) %{_sharedstatedir}/deepin-sound-player +%{_var}/lib/polkit-1/rules.d/org.deepin.dde.device.rules +%attr(-, deepin-daemon, deepin-daemon) %{_sharedstatedir}/deepin-daemon %files -n %{name}-devel -f devel.file-list diff --git a/sound-theme-player/config.go b/sound-theme-player/config.go index 36a6441..51b5053 100644 --- a/sound-theme-player/config.go +++ b/sound-theme-player/config.go 
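Review bot: `%files` still lists `%{_datadir}/polkit-1/actions/org.deepin.dde.locale-helper.policy`, but `%make_install` is called without `INSTALL_LOCALE_HELPER=1`. With the default of `0` introduced in patch 1/4, the Makefile deletes that file from the build root before `%files` is evaluated, and rpmbuild would then presumably stop on the missing file. Either pass the flag, `%make_install INSTALL_LOCALE_HELPER=1 SYSTEMD_SERVICE_DIR="%{_unitdir}" LIBDIR="%{_libexecdir}"`, or drop the locale-helper entries from `%files`, depending on whether this package is meant to ship the helper.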
@@ -9,9 +9,6 @@ import ( "fmt" "io/ioutil" "path/filepath" - - "github.com/linuxdeepin/dde-api/soundutils" - gio "github.com/linuxdeepin/go-gir/gio-2.0" ) type config struct { @@ -39,22 +36,7 @@ func saveUserConfig(uid int, cfg *config) error { return saveConfig(filename, cfg) } -var _loadDefaultCfgFromGSettings bool = false - func loadConfig(filename string, cfg *config) error { - if _loadDefaultCfgFromGSettings { - // 从 gsettings 获取默认值 - soundEffectGs := gio.NewSettings("com.deepin.dde.sound-effect") - defer soundEffectGs.Unref() - appearanceGs := gio.NewSettings("com.deepin.dde.appearance") - defer appearanceGs.Unref() - - cfg.Enabled = soundEffectGs.GetBoolean("enabled") - cfg.DesktopLoginEnabled = soundEffectGs.GetBoolean(soundutils.EventDesktopLogin) - cfg.SystemShutdownEnabled = soundEffectGs.GetBoolean(soundutils.EventSystemShutdown) - cfg.Theme = appearanceGs.GetString("sound-theme") - } - data, err := ioutil.ReadFile(filename) if err != nil { return err diff --git a/sound-theme-player/main.go b/sound-theme-player/main.go index 6617a71..5bc2861 100644 --- a/sound-theme-player/main.go +++ b/sound-theme-player/main.go @@ -42,12 +42,7 @@ var ( func init() { flag.BoolVar(&optAutoQuit, "auto-quit", true, "auto quit") - u, err := user.Current() - if err != nil { - logger.Warning(err) - } else { - homeDir = u.HomeDir - } + homeDir = os.Getenv("HOME") if homeDir == "" { homeDir = defaultHomeDir } @@ -382,8 +377,6 @@ func main() { logger.Fatalf("name %q already has the owner", dbusServiceName) } - // 实际运行时才从 gsettings 加载默认设置,测试环境下没安装相关 gsettings schema 会导致崩溃。 - _loadDefaultCfgFromGSettings = true m := newManager(service) err = service.Export(dbusPath, m) if err != nil { From f130a30856f1396598319dbf8b8a6c2dca3994cd Mon Sep 17 00:00:00 2001 
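Review bot: `homeDir = os.Getenv("HOME")` in `init()` now takes the base directory from the environment without checking it, where `user.Current()` took it from the account database. The units set `HOME` explicitly, but a relative or unexpected value from any other launcher would be used as-is. Falling back when the value is not absolute covers the empty case too: `if !filepath.IsAbs(homeDir) { homeDir = defaultHomeDir }` (this needs `path/filepath` in this file's imports, which are outside the hunk). If `user` was imported only for the removed call, the `os/user` import must go as well or the build fails. A comment such as `// HOME is set by the systemd unit; defaultHomeDir is used otherwise` would document the dependency on the unit file.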
From: fuleyi Date: Fri, 15 Aug 2025 09:38:56 +0800 Subject: [PATCH 3/4] =?UTF-8?q?feat:=20dde-api=E5=AE=89=E5=85=A8=E6=95=B4?= =?UTF-8?q?=E6=94=B9=EF=BC=8Cpolkit=E6=8E=A7=E5=88=B6=E6=94=B9=E7=94=A8rul?= =?UTF-8?q?es?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit /var/lib/polkit-1/localauthority/10-vendor.d/org.deepin.dde.device.pkla 应该改用rules实现; Log: dde-api安全整改 PMS: TASK-369021 --- misc/polkit-localauthority/org.deepin.dde.device.pkla | 6 ------ misc/polkit-rules/org.deepin.dde.device.rules | 7 +++++++ 2 files changed, 7 insertions(+), 6 deletions(-) delete mode 100644 misc/polkit-localauthority/org.deepin.dde.device.pkla create mode 100644 misc/polkit-rules/org.deepin.dde.device.rules diff --git a/misc/polkit-localauthority/org.deepin.dde.device.pkla b/misc/polkit-localauthority/org.deepin.dde.device.pkla deleted file mode 100644 index 69acbb5..0000000 --- a/misc/polkit-localauthority/org.deepin.dde.device.pkla +++ /dev/null @@ -1,6 +0,0 @@ -[Unblock bluetooth devices] -Identity=unix-group:sudo -Action=org.deepin.dde.device.unblock-bluetooth-devices -ResultAny=no -ResultInactive=no -ResultActive=yes diff --git a/misc/polkit-rules/org.deepin.dde.device.rules b/misc/polkit-rules/org.deepin.dde.device.rules new file mode 100644 index 0000000..d75110a --- /dev/null +++ b/misc/polkit-rules/org.deepin.dde.device.rules @@ -0,0 +1,7 @@ +polkit.addRule(function(action, subject) { + if (action.id === "org.deepin.dde.device.unblock-bluetooth-devices" && + subject.isInGroup("sudo") && + subject.active) { + return polkit.Result.YES; + } +}); \ No newline at end of file From 28a972188d5301e9c49bd3e15337a4408f67b0da Mon Sep 17 00:00:00 2001 
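Review bot: The rule in `org.deepin.dde.device.rules` returns `polkit.Result.YES` for any active member of group `sudo` but does not check `subject.local`. The removed `.pkla` granted this through `ResultActive`, which as far as I know applies only to active sessions on a local console, so adding `subject.local &&` to the condition would keep the passwordless grant limited to local seats. The group name `sudo` is Debian-specific; `rpm/dde-api.spec` installs this same file, and on distributions whose admin group is `wheel` the rule would never match. A one-line comment above `polkit.addRule`, e.g. `// active local administrators may unblock Bluetooth without authentication`, would make the intent reviewable.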
From: fuleyi Date: Fri, 15 Aug 2025 09:40:48 +0800 Subject: [PATCH 4/4] =?UTF-8?q?feat:=20dde-api=E5=AE=89=E5=85=A8=E6=95=B4?= =?UTF-8?q?=E6=94=B9=EF=BC=8C=E4=BC=98=E5=8C=96=E8=B0=83=E6=95=B4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit makefile中入参改用ifneq判断,dde-api安装时创建deepin-daemon用户 Log: dde-api安全整改 PMS: TASK-369021 --- Makefile | 12 ++++++------ debian/rules | 2 ++ misc/sysusers/deepin-daemon.conf | 2 ++ rpm/dde-api.spec | 10 ++-------- 4 files changed, 12 insertions(+), 14 deletions(-) create mode 100644 misc/sysusers/deepin-daemon.conf diff --git a/Makefile b/Makefile index 15653f0..1ad8b30 100644 --- a/Makefile +++ b/Makefile @@ -143,12 +143,12 @@ install-binary: mkdir -pv ${DESTDIR}${SYSTEMD_SERVICE_DIR} cp -R misc/systemd/system/*.service ${DESTDIR}${SYSTEMD_SERVICE_DIR} # 默认不安装 deepin-locale-helper.service,只有显式开启时才保留 - if [ "${INSTALL_LOCALE_HELPER}" != "1" ]; then \ - rm -f ${DESTDIR}${SYSTEMD_SERVICE_DIR}/deepin-locale-helper.service; \ - rm -f ${DESTDIR}${PREFIX}/share/dbus-1/system-services/org.deepin.dde.LocaleHelper1.service; \ - rm -f ${DESTDIR}${PREFIX}/share/polkit-1/actions/org.deepin.dde.locale-helper.policy; \ - rm -f ${DESTDIR}${PREFIX}/share/dbus-1/system.d/org.deepin.dde.LocaleHelper1.conf; \ - fi +ifneq ($(INSTALL_LOCALE_HELPER), 1) + rm -f ${DESTDIR}${SYSTEMD_SERVICE_DIR}/deepin-locale-helper.service; + rm -f ${DESTDIR}${PREFIX}/share/dbus-1/system-services/org.deepin.dde.LocaleHelper1.service; + rm -f ${DESTDIR}${PREFIX}/share/polkit-1/actions/org.deepin.dde.locale-helper.policy; + rm -f ${DESTDIR}${PREFIX}/share/dbus-1/system.d/org.deepin.dde.LocaleHelper1.conf; +endif mkdir -pv ${DESTDIR}${PREFIX}/share/icons/hicolor cp -R misc/icons/* ${DESTDIR}${PREFIX}/share/icons/hicolor diff --git a/debian/rules b/debian/rules index 3fb3329..a593980 100755 --- a/debian/rules +++ b/debian/rules 
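Review bot: `ifneq ($(INSTALL_LOCALE_HELPER), 1)` is decided when the Makefile is parsed and compares text exactly, so a value such as `yes`, `true`, or `1` with trailing whitespace silently removes the files. That fails closed, which is the safer direction, but `ifneq ($(strip $(INSTALL_LOCALE_HELPER)),1)` and a comment at the `?=` definition naming `1` as the only accepted value would avoid surprises for packagers. The trailing `;` on the four `rm -f` lines is left over from the shell `if` and can be dropped. The `install-binary` recipe starts and ends outside the hunk.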
@@ -14,6 +14,8 @@ endif dh $@ --buildsystem=makefile override_dh_auto_install: + cp -f misc/sysusers/deepin-daemon.conf debian/deepin-daemon.sysusers + dh_installsysusers --name=deepin-daemon dh_auto_install -- INSTALL_LOCALE_HELPER=1 override_dh_strip: diff --git a/misc/sysusers/deepin-daemon.conf b/misc/sysusers/deepin-daemon.conf new file mode 100644 index 0000000..5be71b7 --- /dev/null +++ b/misc/sysusers/deepin-daemon.conf @@ -0,0 +1,2 @@ +#Type Name ID GECOS Home directory Shell +u deepin-daemon - "" - - \ No newline at end of file diff --git a/rpm/dde-api.spec b/rpm/dde-api.spec index 3b4550b..aea7547 100644 --- a/rpm/dde-api.spec +++ b/rpm/dde-api.spec @@ -87,18 +87,11 @@ for file in $(find . -iname "*.go" -o -iname "*.c" -o -iname "*.h" -o -iname "*. cp -pav $file %{buildroot}/%{gopath}/src/%{goipath}/$file echo "%{gopath}/src/%{goipath}/$file" >> devel.file-list done +install -D -m 0644 misc/sysusers/deepin-daemon.conf %{buildroot}%{_sysusersdir}/deepin-daemon.conf %make_install SYSTEMD_SERVICE_DIR="%{_unitdir}" LIBDIR="%{_libexecdir}" # HOME directory for user deepin-daemon mkdir -p %{buildroot}%{_sharedstatedir}/deepin-daemon -%pre -getent group deepin-daemon >/dev/null || groupadd -r deepin-daemon -getent passwd deepin-daemon >/dev/null || \ - useradd -r -g deepin-daemon -d %{_sharedstatedir}/deepin-daemon\ - -s /sbin/nologin \ - -c "User of org.deepin.dde.SoundThemePlayer1.service" deepin-daemon -exit 0 - %post %systemd_post deepin-shutdown-sound.service @@ -124,6 +117,7 @@ exit 0 %{_datadir}/polkit-1/actions/org.deepin.dde.device.unblock-bluetooth-devices.policy %{_var}/lib/polkit-1/rules.d/org.deepin.dde.device.rules %attr(-, deepin-daemon, deepin-daemon) %{_sharedstatedir}/deepin-daemon +%{_sysusersdir}/deepin-daemon.conf %files -n %{name}-devel -f devel.file-list
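Review bot: Removing the `%pre` scriptlet from `rpm/dde-api.spec` leaves nothing that creates `deepin-daemon` before the payload is unpacked, yet `%files` still has `%attr(-, deepin-daemon, deepin-daemon) %{_sharedstatedir}/deepin-daemon`. On rpm versions without built-in sysusers handling, shipping `%{_sysusersdir}/deepin-daemon.conf` does not create the account at that point, so the directory may end up owned by root. A `%pre` that creates the user from the sysusers file (for example Fedora's `%sysusers_create_compat` macro, if the target distribution provides it) would restore the ordering. No Makefile hunk in this series installs `misc/sysusers/deepin-daemon.conf` either, so builds that bypass `debian/rules` and this spec would presumably get units with `User=deepin-daemon` and no account.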