Mercurial > hgrepos > FreeBSD > ports > sysutils > local-bsdtools
diff sbin/fjail @ 181:d30a68e66d60
More dataset creation options: -t (tiny) and -T (extra tiny)
| author | Franz Glasner <hg@dom66.de> |
|---|---|
| date | Tue, 16 Aug 2022 12:37:02 +0200 |
| parents | 332276cc0bc8 |
| children | dbd62c32b3fd |
line wrap: on
line diff
--- a/sbin/fjail Tue Aug 16 12:06:13 2022 +0200 +++ b/sbin/fjail Tue Aug 16 12:37:02 2022 +0200 @@ -35,6 +35,8 @@ PARENT must exist already and CHILD must not exist. -s Also create a dataset for freebsd-update data files + -t Create a more tiny set of datasets + -T Create only an extra tiny set of datasets -u Do not automatically mount newly created datasets privs MOUNTPOINT @@ -123,13 +125,21 @@ local _pmp _get _dummy # full name of the dataset local _ds - # dynamic ZFS options -- create cache for freebsd-update - local _zfsopts _fbsdupdate + # dynamic ZFS options -- create cache for freebsd-update -- use a more tiny layout + local _zfsopts _fbsdupdate _tiny _zfsopts="" _fbsdupdate="" - while getopts "us" _opt ; do + _tiny="no" + while getopts "ustT" _opt ; do case ${_opt} in + t) + # use a more tiny layout + _tiny="yes" + ;; + T) # extra tiny layout + _tiny="extra" + ;; u) # do not mount newly created datasets _zfsopts="${_zfsopts} -u" @@ -179,18 +189,48 @@ echo "ERROR: dataset \`${_ds}' does already exist" >&2 return 1 fi + + # + # NOTE: For BEs these directory will be *excluded* from the BE + # + # /tmp + # /usr/home + # /usr/ports + # /usr/src + # /var/audit + # /var/crash + # /var/log + # /var/mail + # /var/tmp + # zfs create ${_zfsopts} -o atime=off "${_ds}" zfs create ${_zfsopts} -o sync=disabled -o setuid=off "${_ds}/tmp" - zfs create ${_zfsopts} "${_ds}/usr" - zfs create ${_zfsopts} -o setuid=off "${_ds}/usr/home" - zfs create ${_zfsopts} "${_ds}/usr/local" - zfs create ${_zfsopts} "${_ds}/var" - zfs create ${_zfsopts} -o exec=off -o setuid=off "${_ds}/var/audit" - zfs create ${_zfsopts} -o exec=off -o setuid=off "${_ds}/var/cache" - zfs create ${_zfsopts} -o exec=off -o setuid=off -o primarycache=metadata -o compression=off "${_ds}/var/cache/pkg" - zfs create ${_zfsopts} -o exec=off -o setuid=off -o compression=off "${_ds}/var/crash" + if [ "{_tiny}" != "extra" ]; then + if [ "${_tiny}" = "yes" ]; then + zfs create ${_zfsopts} -o canmount=off "${_ds}/usr" + else + zfs create ${_zfsopts} "${_ds}/usr" + fi + zfs create ${_zfsopts} -o setuid=off "${_ds}/usr/home" + zfs create ${_zfsopts} "${_ds}/usr/local" + fi + if [ \( "${_tiny}" = "yes" \) -o \( "{_tiny}" = "extra" \) ]; then + zfs create ${_zfsopts} -o canmount=off "${_ds}/var" + else + zfs create ${_zfsopts} "${_ds}/var" + fi + if [ "${_tiny}" != "extra" ]; then + zfs create ${_zfsopts} -o exec=off -o setuid=off "${_ds}/var/audit" + zfs create ${_zfsopts} -o exec=off -o setuid=off "${_ds}/var/cache" + zfs create ${_zfsopts} -o exec=off -o setuid=off -o primarycache=metadata -o compression=off "${_ds}/var/cache/pkg" + zfs create ${_zfsopts} -o exec=off -o setuid=off -o compression=off "${_ds}/var/crash" + fi if [ "$_fbsdupdate" = "yes" ]; then - zfs create ${_zfsopts} -o exec=off -o setuid=off "${_ds}/var/db" + if [ \( "${_tiny}" = "yes" \) -o \( "{_tiny}" = "extra" \) ]; then + zfs create ${_zfsopts} -o canmount=off -o exec=off -o setuid=off "${_ds}/var/db" + else + zfs create ${_zfsopts} -o exec=off -o setuid=off "${_ds}/var/db" + fi zfs create ${_zfsopts} -o exec=off -o setuid=off -o primarycache=metadata -o compression=off "${_ds}/var/db/freebsd-update" fi zfs create ${_zfsopts} -o readonly=on -o exec=off -o setuid=off "${_ds}/var/empty"