Harden updater user service filesystem surface

[nisavid]

Summary

Narrow updater user service filesystem access around explicit runtime and build paths.

Source

Migrated from docs/maintainers/security-backlog.md.

Maintained Docs

• Security backlog index and review workflow: docs/maintainers/security-backlog.md
• Threat model: docs/maintainers/threat-model.md
• Package and runtime maintenance: docs/maintainers/package-runtime-maintenance.md

Context

The packaged user service uses a constrained PATH, PrivateTmp=yes, RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6, and UMask=077. NoNewPrivileges remains unset because the daemon must invoke pkexec.

Review Gate

Run the @codex-security workflow before treating implementation as review-ready.

Desired State

• Filesystem protections are narrowed around explicit XDG config, state, cache, and build workspace paths.
• Update, rebuild, and install flows are tested under those restrictions before enabling them in packages.

[coderabbitai]

🔗 Related PRs

#8 - [codex] merge upstream warm-start, zypper, and updater lock updates [merged]
#9 - Fix updater builder ownership and launch races [merged]
#39 - Allow building native packages without the updater [merged]
#41 - Fix package updater opt-out review issues [merged]
#47 - chore(sync): merge upstream main [merged]

---

📝 Issue Planner

_{Check the box below or use the @coderabbitai plan command to generate an implementation plan and prompts that you can use with your favorite coding assistant.}

• Create Plan

---

🧪 Issue enrichment is currently in open beta.

You can configure auto-planning by selecting labels in the issue_enrichment configuration.

To disable automatic issue enrichment, add the following to your .coderabbit.yaml:

issue_enrichment:
  auto_enrich:
    enabled: false

💬 Have feedback or questions? Drop into our discord!