Extending read-only state to /sysroot and /boot

[cgwalters]

Today ostree has a ro bind mount over /usr, but one can just do e.g. rm -rf /sysroot/* and the whole system is destroyed.

Similarly, we tried to have support for /boot as a ro mount but it needs work.

What we should do is have these be ro by default, and then have apps using libostree create a new mount namespace, and make manipulations there. That way the system stays read-only to everything else. Alternatively, we could teach libostree how to do that internally, but it'd get ugly fast...we'd need to fork off a subprocess basically.

For example rpm-ostreed and eos-updater could change their systemd unit files to create a new mount namespace, and tell libostree that one is set up.

(Conceptually this overlaps a ton with systemd's ProtectSystem=strict...we're basically imposing that on the whole system by default)

[cgwalters]

See also for /tmp:
https://pagure.io/fedora-atomic/pull-request/62
coreos/rpm-ostree#820

[giuseppe]

would this be an issue for system containers that use /ostree/deploy/$OS_NAME/$DEST_FILE for creating hard links?

[cgwalters]

@giuseppe an important bit from the above is:

...and then have apps using libostree create a new mount namespace, and make manipulations there.

The goal here isn't to make things truly immutable, it's to prevent things like restorecon -R / from destroying the system. And similar non-ostree-aware tools.

See also on-list discussion:

https://mail.gnome.org/archives/ostree-list/2017-December/msg00009.html

[giuseppe]

I see, thanks. Could the new API allow also the current mount namespace to be used? It will be the user responsibility to ensure a new mount namespace is created and /sysroot can be remounted as writeable (and back to ro if needed).

[cgwalters]

PR in #1767