Spin-off from issue 655606: Re-exploitation of the system after verified boot typically depends on malicious data being staged in the stateful file system (we've seen symlinks, fifos, malicious data, etc.). We've also seen that exploits typically rely on multiple steps, where the first one stages a file that a later stage will consume, and similar.
To make it harder to pull off these attacks, it'd be helpful to restrict each init job / system daemon to only be able to access the parts of the stateful file system that it actually needs to access to operate correctly. In particular, we'd ideally not make the stateful mount visible in the root mount namespace and only inject stateful file system subtrees into a job's mount namespace if it explicitly requests that.
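One way to check that a job actually ends up with the restricted view described above is to audit its mount namespace. The following is an added example, not code from this issue or from Chromium OS: it parses the `/proc/<pid>/mountinfo` format and reports whether a namespace sees the whole stateful device, which stateful subtrees were injected, and which of those are not on the job's allowlist. The device path `/dev/sda1`, the mount points and the sample mountinfo lines are constructed.

```python
# Added example, not code from the issue or from Chromium OS: audit which
# parts of the stateful file system one mount namespace can see.
import re

def unescape_mountinfo(field):
    # mountinfo encodes space, tab, newline and backslash as octal (\040 ...)
    return re.sub(r"\\(\d{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text):
    """Yield (mount_point, root_within_device, fstype, source) per line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, _, post = line.partition(" - ")   # optional fields precede " - "
        fields = pre.split()                   # id parent maj:min root mnt opts ...
        fstype, source = post.split()[:2]
        yield unescape_mountinfo(fields[4]), unescape_mountinfo(fields[3]), fstype, source

def audit(mountinfo_text, stateful_dev, allowed_subtrees):
    """Classify the mounts backed by stateful_dev in this namespace.

    full_access: mount points exposing the whole device (root "/");
    subtrees: mount point -> stateful-relative path that was injected;
    unexpected: injected subtrees not covered by allowed_subtrees.
    """
    result = {"full_access": [], "subtrees": {}, "unexpected": []}
    for mnt, root, _fstype, source in parse_mountinfo(mountinfo_text):
        if source != stateful_dev:
            continue
        if root == "/":
            result["full_access"].append(mnt)
            continue
        result["subtrees"][mnt] = root
        if not any(root == a or root.startswith(a + "/") for a in allowed_subtrees):
            result["unexpected"].append(root)
    result["unexpected"].sort()
    return result

# Constructed samples (assumed device /dev/sda1 at /mnt/stateful_partition).
# Root namespace: the whole stateful partition plus its encrypted subtree.
ROOT_NS = """\
21 1 8:3 / / ro,relatime - ext2 /dev/root ro
35 21 8:1 / /mnt/stateful_partition rw,nosuid,nodev,noexec - ext4 /dev/sda1 rw
40 35 8:1 /encrypted /var rw,nosuid,nodev,noexec - ext4 /dev/sda1 rw
"""
# Job namespace: only the subtree the job explicitly requested is injected.
JOB_NS = """\
21 1 8:3 / / ro,relatime - ext2 /dev/root ro
52 21 8:1 /var/lib/example_daemon /var/lib/example_daemon rw,nodev,noexec - ext4 /dev/sda1 rw
53 21 0:31 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw
"""
```

Run `audit(open(f"/proc/{pid}/mountinfo").read(), dev, allowed)` against a live job to compare its view with the subtrees its init job declares.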
Comment 1 by mnissler@chromium.org, Jan 16 (6 days ago)