finalize-staged: Add ProtectHome=yes and ReadOnlyPaths=/etc

Same motivation as coreos/rpm-ostree#2060 I tried `InaccessiblePaths=/var` first and was very sad to find out we have one tiny exception that breaks it. Otherwise it'd be so elegant. Maybe in the future we split out that one thing to a separate `ostree-finalized-stage-var.service` that's just `ExecStart=/bin/rm -vf /var/.updated` and is otherwise `ProtectSystem=strict` etc.
agners · May 29, 2020 · a22e7d8 · a22e7d8
1 parent f61849a
commit a22e7d8
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/src/boot/ostree-finalize-staged.service b/src/boot/ostree-finalize-staged.service
@@ -39,3 +39,11 @@ ExecStop=/usr/bin/ostree admin finalize-staged
 # here is that people don't get an upgrade.  We need to handle
 # cases with slow rotational media, etc.
 TimeoutStopSec=5m
+# OSTree should never touch /var at all...except, we need to remove
+# the /var/.updated flag, so we can't just `InaccessiblePaths=/var` right now.
+# For now, let's at least use ProtectHome just so we have some sandboxing
+# of that.
+ProtectHome=yes
+# And we shouldn't affect the current deployment's /etc.
+ReadOnlyPaths=/etc
+# We write to /sysroot and /boot of course.