Tracker: Harden all our systemd units

[travier]

For the following Fedora 40 change, we should take a look at all our systemd units and make sure they are as hardened as possible: https://fedoraproject.org/wiki/Changes/SystemdSecurityHardening

List of units to look at:

• ostree:
  • ostree-boot-complete.service
  • ostree-finalize-staged-hold.service
  • ostree-finalize-staged.service
  • ostree-prepare-root.service
  • ostree-remount.service
• rpm-ostree:
  • ?
• zincati:
  • ?
• ignition:
  • ?
• ?

[ruihe774]

Hi! FWIW I'm wondering if it is possible to add a global drop-in in ostree-enabled fedara editions to prevent other services that do not operate on ostree from accessing /sysroot. See previous discussions at ostreedev/ostree#3211 and https://discussion.fedoraproject.org/t/f40-change-proposal-systemd-security-hardening-system-wide/96423/31

[travier]

We did not complete this effort for F40 and the global change has been pushed to F41.

[Baigle]

Some users have published their successful systemd unit configs and triage methods during setup since the FESCo announcement. See here, though their efforts are incomplete and its effects and interactions widespread and sensitive on system function.