[Unit]
Description=Upgrade Additional Software Packages
Documentation=https://tails.boum.org/contribute/design/persistence/
After=tails-additional-software-install.service
After=tor-has-bootstrapped.service
ConditionFileNotEmpty=/live/persistence/TailsData_unlocked/live-additional-software.conf

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/tails-additional-software upgrade
ExecStartPost=/usr/bin/install -m 0644 -D /dev/null /run/live-additional-software/upgraded
TimeoutStartSec=infinity
PrivateDevices=yes
PrivateTmp=yes
# Capabilities needed by tails-additional-software
CapabilityBoundingSet=CAP_DAC_READ_SEARCH
# Capabilities needed by apt/dpkg
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID
CapabilityBoundingSet=CAP_SETGID CAP_SETUID
ProtectSystem=no
# Capabilities needed by tails-notify-user
CapabilityBoundingSet=CAP_SYS_PTRACE CAP_AUDIT_WRITE CAP_SYS_RESOURCE
ProtectHome=no