From 933cdb8c0a7e0766c8bae9f7cad7a4d89cf163a3 Mon Sep 17 00:00:00 2001
From: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Date: Tue, 25 Jan 2022 20:16:29 +0300
Subject: [PATCH] docs: update extension spec

Specify allowed contents of the `rootfs`.

Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
---
 README.md | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/README.md b/README.md
index 028b110a..db7d40e8 100644
--- a/README.md
+++ b/README.md
@@ -64,3 +64,18 @@ One important note is that the final directory tree of the generated package sho
 ```
 
 Note that the `manifest.yaml` file lives at the root, while all installed files live under `/rootfs` with the full tree of where they should live on the eventual Talos Linux install.
+
+### `rootfs` Restrictions
+
+The following restrictions are applied to the contents of the `rootfs` of the system extension:
+
+- no symlinks, no hardlinks
+- no special files (FIFOs, devices, etc.)
+- no world-writeable files or directories
+- no empty directories
+
+Any paths in the `rootfs` should be contained within the following hierarchies:
+
+- `/etc/cri/conf.d/`
+- `/lib/firmware/`
+- `/usr/local/`