fix(security): VPLUS-2026-34718 - fix DBus permission configuration

deepin-devicemanager-server/deepin-devicecontrol/org.deepin.devicecontrol.conf

@@ -4,16 +4,65 @@
  "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
  "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
 <busconfig>
+  <!--
+    Security Policy for org.deepin.DeviceControl
+
+    This configuration implements method-level permission separation:
+    - Default policy: DENY all access
+    - Only whitelisted read-only methods are allowed for all users
+    - Dangerous methods (aptUpdate, installDriver, disableInDevice, etc.)
+      require authentication via Polkit
+
+    IMPORTANT: When adding new DBus methods to this service:
+    1. For read-only/query methods: Add them to the whitelist below
+    2. For privileged/modify methods: Do NOT add to whitelist (require Polkit auth)
+    3. Test both security scenarios before merging
+
+    Last updated: 2026-05-07 (VPLUS-2026-34718 security fix)
+  -->
 
-  <!-- Only root can own the service -->
   <policy user="root">
     <allow own="org.deepin.DeviceControl"/>
     <allow send_destination="org.deepin.DeviceControl"/>
   </policy>
 
-  <!-- Allow anyone to invoke methods on the interfaces -->
   <policy context="default">
-    <allow send_destination="org.deepin.DeviceControl"/>
+    <deny send_destination="org.deepin.DeviceControl"/>
+  </policy>
+
+  <!-- Whitelist: Read-only methods accessible to all users -->
+  <policy context="default">
+    <allow send_destination="org.deepin.DeviceControl"
+           send_interface="org.deepin.DeviceControl"
+           send_member="getAuthorizedInfo"/>
+    <allow send_destination="org.deepin.DeviceControl"
+           send_interface="org.deepin.DeviceControl"
+           send_member="getRemoveInfo"/>
+    <allow send_destination="org.deepin.DeviceControl"
+           send_interface="org.deepin.DeviceControl"
+           send_member="isDeviceEnabled"/>
+    <allow send_destination="org.deepin.DeviceControl"
+           send_interface="org.deepin.DeviceControl"
+           send_member="monitorWorkingDBFlag"/>
+    <allow send_destination="org.deepin.DeviceControl"
+           send_interface="org.deepin.DeviceControl"
+           send_member="isNetworkWakeup"/>
+
+    <allow send_destination="org.deepin.DeviceControl"
+           send_interface="org.deepin.DeviceControl"
+           send_member="checkModuleInUsed"/>
+    <allow send_destination="org.deepin.DeviceControl"
+           send_interface="org.deepin.DeviceControl"
+           send_member="isDriverPackage"/>
+    <allow send_destination="org.deepin.DeviceControl"
+           send_interface="org.deepin.DeviceControl"
+           send_member="isBlackListed"/>
+    <allow send_destination="org.deepin.DeviceControl"
+           send_interface="org.deepin.DeviceControl"
+           send_member="isArchMatched"/>
+    <allow send_destination="org.deepin.DeviceControl"
+           send_interface="org.deepin.DeviceControl"
+           send_member="isDebValid"/>
   </policy>
 
 </busconfig>