namespace: cover /boot with ProtectSystem= again

Now that we properly exclude autofs mounts from ProtectSystem= we can
include it in the effect of ProtectSystem= again.

diff --git a/src/core/namespace.c b/src/core/namespace.c
index f11065ee4bdade83d78373d7f4bb09cfda15723a..3b5402b7cd8c4851b087101e13859e1f32c48f41 100644 (file)
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -367,7 +367,7 @@ int setup_namespace(
                 strv_length(inaccessible_dirs) +
                 private_dev +
                 (protect_home != PROTECT_HOME_NO ? 3 : 0) +
-                (protect_system != PROTECT_SYSTEM_NO ? 1 : 0) +
+                (protect_system != PROTECT_SYSTEM_NO ? 2 : 0) +
                 (protect_system == PROTECT_SYSTEM_FULL ? 1 : 0);
 
         if (n > 0) {
@@ -409,7 +409,7 @@ int setup_namespace(
                 }
 
                 if (protect_system != PROTECT_SYSTEM_NO) {
-                        r = append_mounts(&m, protect_system == PROTECT_SYSTEM_FULL ? STRV_MAKE("/usr", "/etc") : STRV_MAKE("/usr"), READONLY);
+                        r = append_mounts(&m, protect_system == PROTECT_SYSTEM_FULL ? STRV_MAKE("/usr", "-/boot", "/etc") : STRV_MAKE("/usr", "-/boot"), READONLY);
                         if (r < 0)
                                 return r;
                 }