transient: Warn or disallow changes outside /usr and /etc

[evan-goode]

@cgwalters said #2195 (comment):

At some point we are going to need to fix the problem that dnf upgrade should probably error out if an attempt is made to change nontrivial things outside of /usr and probably /etc. The key ones here are kernel (needs deeper integration, ref coreos/rpm-ostree#5135 ) and selinux-policy (ref https://bugzilla.redhat.com/show_bug.cgi?id=1290659 ) and shim/grub (ref https://github.com/coreos/bootupd/ )

Ideally we error before we even start an install; if we download filelists this would be pretty easy; without filelists maybe we should have a Provides that flags these special cases? Or we could inject into the base image something that denylists them in the dnf config?

[evan-goode]

I'd prefer something based on filelists rather than doing this on a per-package level. That way, third-party packages will be handled correctly too. Either way, we are going to need to have some list, either of "untouchable paths" or "forbidden packages" that we'll need to keep updated. The list of paths is probably going to change less often than the list of packages.

Implementation-wise it should be easy to have persistence=transient imply loading the filelists.

And there should probably be some way for the user to override this check for testing. (Maybe that way will just be to run ostree admin unlock and not use --transient).