From 47a3096ab8130e7306069faefeba9c02e5171d3c Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Wed, 22 Apr 2020 14:26:23 +0000 Subject: [PATCH] finalize-staged: Add ProtectHome=yes and ReadOnlyPaths=/etc Same motivation as https://github.com/coreos/rpm-ostree/pull/2060 I tried `InaccessiblePaths=/var` first and was very sad to find out we have one tiny exception that breaks it. Otherwise it'd be so elegant. Maybe in the future we split out that one thing to a separate `ostree-finalized-stage-var.service` that's just `ExecStart=/bin/rm -vf /var/.updated` and is otherwise `ProtectSystem=strict` etc. --- src/boot/ostree-finalize-staged.service | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/boot/ostree-finalize-staged.service b/src/boot/ostree-finalize-staged.service index 9c4706e8..8152e596 100644 --- a/src/boot/ostree-finalize-staged.service +++ b/src/boot/ostree-finalize-staged.service @@ -39,3 +39,11 @@ ExecStop=/usr/bin/ostree admin finalize-staged # here is that people don't get an upgrade. We need to handle # cases with slow rotational media, etc. TimeoutStopSec=5m +# OSTree should never touch /var at all...except, we need to remove +# the /var/.updated flag, so we can't just `InaccessiblePaths=/var` right now. +# For now, let's at least use ProtectHome just so we have some sandboxing +# of that. +ProtectHome=yes +# And we shouldn't affect the current deployment's /etc. +ReadOnlyPaths=/etc +# We write to /sysroot and /boot of course.
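Review bot: the last added line of the hunk, `+# We write to /sysroot and /boot of course.`, is a comment with no directive after it, so it documents nothing the sandbox actually enforces; either drop it or back it with an explicit `ReadWritePaths=/sysroot /boot` so the intended write set is recorded in the unit rather than only in a comment (and becomes the obvious allow-list if `ProtectSystem=strict` is adopted later, as the commit message contemplates). One caveat worth a sentence in the comment block: `ProtectHome=` and `ReadOnlyPaths=` make systemd run the unit in a private mount namespace, so if `ostree admin finalize-staged` (the `ExecStop=` in the context line) remounts `/sysroot` or `/boot` read-write or otherwise changes mounts, those changes now stay inside the service's namespace; confirm that is acceptable before merging, since the existing comments stress the upgrade must not be silently skipped. `ReadOnlyPaths=/etc` itself looks right for the stated intent: it only affects the running deployment's `/etc` as seen by this unit, while the staged deployment's `etc` lives under `/sysroot` and remains writable.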