From 341ec7d0446a0505d5a4e1747c2283d40ca4823b Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Sat, 14 Nov 2020 15:08:53 +0000
Subject: [PATCH] service: Enable ProtectHome=true

We have no business accessing `/var/roothome` or `/var/home`. In general the ostree design clearly avoids touching those, but since systemd offers us easy tools to toggle on protection, let's use them. In the future it'd be nice to do something like using `DynamicUser=yes` for the main service, and have a system `rpm-ostreed-transaction.service` that runs privileged but as a subprocess.
---
 src/daemon/rpm-ostreed.service.in | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/daemon/rpm-ostreed.service.in b/src/daemon/rpm-ostreed.service.in
index 15faaa89..d78d5101 100644
--- a/src/daemon/rpm-ostreed.service.in
+++ b/src/daemon/rpm-ostreed.service.in
@@ -8,6 +8,13 @@ Type=dbus
 BusName=org.projectatomic.rpmostree1
 # To use the read-only sysroot bits
 MountFlags=slave
+# We have no business accessing /var/roothome or /var/home. In general
+# the ostree design clearly avoids touching those, but since systemd offers
+# us easy tools to toggle on protection, let's use them. In the future
+# it'd be nice to do something like using DynamicUser=yes for the main service,
+# and have a system rpm-ostreed-transaction.service that runs privileged
+# but as a subprocess.
+ProtectHome=true
 NotifyAccess=main
 @SYSTEMD_ENVIRON@
 ExecStart=@bindir@/rpm-ostree start-daemon
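Review bot: The added comment above `ProtectHome=true` names `/var/roothome` and `/var/home`, but the directive itself protects the canonical paths `/home`, `/root` and `/run/user`; on an ostree host those are symlinks into `/var`, so whether the mounts land on the symlink or on the `/var/home` and `/var/roothome` targets depends on how systemd resolves them, and that is not something this hunk establishes. It would be worth verifying on a running ostree system that the `/var/...` paths are in fact inaccessible from inside the unit and recording the result in the comment, e.g. `# ProtectHome covers /home, /root and /run/user; on ostree these are symlinks into /var, verified to hide /var/home and /var/roothome as well.` The comment also duplicates the commit message nearly verbatim, including the forward-looking `DynamicUser=yes` plan; a single line stating what is protected and why would age better than the design discussion, which already lives in the commit history. Note too that `ProtectHome=true` also hides `/run/user`, which is fine for a system-bus daemon but worth stating so a later change that needs per-user runtime paths does not trip over it.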