core: add new ReadOnlySystem= and ProtectedHome= settings for service units

ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for
a service.

ProtectedHome= uses fs namespaces to mount /home and /run/user
inaccessible or read-only for a service.

This patch also enables these settings for all our long-running services.

Together they should be good building block for a minimal service
sandbox, removing the ability for services to modify the operating
system or access the user's private data.

1 files changed, 15 insertions, 0 deletions

diff --git a/src/core/namespace.h b/src/core/namespace.h
index fb1fc6ec0d..b985bdf512 100644
--- a/src/core/namespace.h
+++ b/src/core/namespace.h
@@ -23,12 +23,24 @@
 
 #include <stdbool.h>
 
+#include "macro.h"
+
+typedef enum ProtectedHome {
+        PROTECTED_HOME_NO,
+        PROTECTED_HOME_YES,
+        PROTECTED_HOME_READ_ONLY,
+        _PROTECTED_HOME_MAX,
+        _PROTECTED_HOME_INVALID = -1
+} ProtectedHome;
+
 int setup_namespace(char **read_write_dirs,
                     char **read_only_dirs,
                     char **inaccessible_dirs,
                     char *tmp_dir,
                     char *var_tmp_dir,
                     bool private_dev,
+                    ProtectedHome protected_home,
+                    bool read_only_system,
                     unsigned mount_flags);
 
 int setup_tmp_dirs(const char *id,
@@ -36,3 +48,6 @@ int setup_tmp_dirs(const char *id,
                   char **var_tmp_dir);
 
 int setup_netns(int netns_storage_socket[2]);
+
+const char* protected_home_to_string(ProtectedHome p) _const_;
+ProtectedHome protected_home_from_string(const char *s) _pure_;