service: Enable ProtectHome=true
We have no business accessing `/var/roothome` or `/var/home`.  In general
the ostree design clearly avoids touching those, but since systemd offers
us easy tools to toggle on protection, let's use them.  In the future
it'd be nice to do something like using `DynamicUser=yes` for the main service,
and have a system `rpm-ostreed-transaction.service` that runs privileged
but as a subprocess.
cgwalters authored and openshift-merge-robot committed Nov 16, 2020
1 parent a76ddf0 commit 341ec7d
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions src/daemon/rpm-ostreed.service.in
@@ -8,6 +8,13 @@ Type=dbus
BusName=org.projectatomic.rpmostree1
# To use the read-only sysroot bits
MountFlags=slave
# We have no business accessing /var/roothome or /var/home. In general
# the ostree design clearly avoids touching those, but since systemd offers
# us easy tools to toggle on protection, let's use them. In the future
# it'd be nice to do something like using DynamicUser=yes for the main service,
# and have a system rpm-ostreed-transaction.service that runs privileged
# but as a subprocess.
ProtectHome=true
NotifyAccess=main
@SYSTEMD_ENVIRON@
ExecStart=@bindir@/rpm-ostree start-daemon
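Review bot: the six-line comment above `ProtectHome=true` duplicates the commit message, including the forward-looking idea of `DynamicUser=yes` and a separate privileged `rpm-ostreed-transaction.service`; consider keeping only the first sentence in the unit file (why the daemon must not touch `/var/roothome` or `/var/home`) and tracking the future split in an issue, so the unit comment describes the directive that is actually present. It is also worth confirming on an ostree host that the hardening reaches the paths the comment names: systemd documents `ProtectHome=` in terms of `/home`, `/root` and `/run/user`, while the comment talks about `/var/home` and `/var/roothome`, so a quick check such as `systemd-run -p ProtectHome=true ls /var/roothome` (expected to fail) would show the protection applies through the ostree layout and not only to the canonical paths.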
