shaba/ostree
1
0
Fork 0
mirror of https://github.com/ostreedev/ostree.git synced 2024-10-27 10:25:07 +03:00
Code Issues Projects Releases Wiki Activity

Merge pull request #2082 from cgwalters/finalize-sandbox

Browse Source 
finalize-staged: Add ProtectHome=yes and ReadOnlyPaths=/etc
This commit is contained in:
OpenShift Merge Robot 2020-04-22 18:51:15 +02:00 committed by GitHub
commit 66527efcb8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/boot/ostree-finalize-staged.service
View File

@ -39,3 +39,11 @@ ExecStop=/usr/bin/ostree admin finalize-staged
# here is that people don't get an upgrade. We need to handle
# cases with slow rotational media, etc.
TimeoutStopSec=5m
# OSTree should never touch /var at all...except, we need to remove
# the /var/.updated flag, so we can't just `InaccessiblePaths=/var` right now.
# For now, let's at least use ProtectHome just so we have some sandboxing
# of that.
ProtectHome=yes
# And we shouldn't affect the current deployment's /etc.
ReadOnlyPaths=/etc
# We write to /sysroot and /boot of course.