# HG changeset patch
# User Franz Glasner
# Date 1565875888 -7200
# Node ID 2e991a00035bff11ba50cc3085f48fae2c82ebc8
# Parent 929051be78452b448a15c92db9b13f4d42ace3a4
Creation of Jail datasets done
diff -r 929051be7845 -r 2e991a00035b bin/fjail
--- a/bin/fjail Thu Aug 15 09:44:51 2019 +0200
+++ b/bin/fjail Thu Aug 15 15:31:28 2019 +0200
@@ -2,7 +2,100 @@ # -*- indent-tabs-mode: nil; -*- # @(#)$HGid$ -VERSION=@@VERSION@@ +set -e + +VERSION="@@VERSION@@" + +# Reset to standard umask +umask 0022 + +# +# "datasets" -- create the ZFS dataset tree +# +# command_datasets parent-dataset child-dataset +# +command_datasets() { + # parent ZFS dataset -- child ZFS dataset name + local _pds _cds + # and its mount point + local _pmp _get _dummy + # full name of the dataset + local _ds + + _pds="$1" + if [ -z "${_pds}" ]; then + echo "ERROR: no parent dataset given" >&2 + return 2 + fi + _get=$(zfs get -H mountpoint "${_pds}" 2>/dev/null) || { echo "ERROR: dataset \`${_pds}' does not exist" >&2; return 1; } + IFS=$'\t' read _dummy _dummy _pmp _dummy <&2 + return 1 + ;; + legacy) + echo "ERROR: dataset \`${_pds}' has a \`${_mp}' mountpoint" >&2 + return 1 + ;; + *) + # VOID + ;; + esac + _cds="$2" + if [ -z "${_cds}" ]; then + echo "ERROR: no child dataset given" >&2 + return 2 + fi + _ds="${_pds}/${_cds}" + echo "Resulting new root dataset is \`${_ds}' at mountpoint \`${_pmp}/${_cds}'" + if zfs get -H mountpoint "${_ds}" >/dev/null 2>/dev/null; then + echo "ERROR: dataset \`${_ds}' does already exist" >&2 + return 1 + fi + zfs create -o atime=off "${_ds}" + zfs create -o sync=disabled -o setuid=off "${_ds}/tmp" + zfs create "${_ds}/usr" + zfs create "${_ds}/var" + zfs create -o exec=off -o setuid=off "${_ds}/var/audit" + zfs create -o exec=off -o setuid=off "${_ds}/var/cache" + zfs create -o exec=off -o setuid=off -o compression=off "${_ds}/var/cache/pkg" + zfs create -o exec=off -o setuid=off -o compression=off "${_ds}/var/crash" + zfs create -o exec=off -o setuid=off "${_ds}/var/db" + zfs create -o exec=on -o setuid=off "${_ds}/var/db/pkg" + zfs create -o readonly=on -o exec=off -o setuid=off "${_ds}/var/empty" + zfs create -o exec=off -o setuid=off -o primarycache=metadata "${_ds}/var/log" + zfs create -o exec=off -o setuid=off -o atime=on "${_ds}/var/mail" + zfs create -o sync=disabled -o exec=off -o 
setuid=off -o compression=off -o primarycache=all "${_ds}/var/run" + zfs create -o sync=disabled -o setuid=off "${_ds}/var/tmp" +} + +# +# "privs" -- adjust privileges +# +# To be used when all ZFS datasets are mounted. +# +command_privs() { + # mountpoint + local _mp _d + + _mp="$1" + if [ -z "${_mp}" ]; then + echo "ERROR: no mountpoint given" >&2 + return 2 + fi + if [ ! -d "${_mp}" ]; then + echo "ERROR: directory \`${_mp}' does not exist" >&2 + return 1 + fi + for _d in tmp var/tmp ; do + chmod 01777 "${_mp}/${_d}" + done + chown root:mail "${_mp}/var/mail" + chmod 0775 "${_mp}/var/mail" +} # # Global option handling @@ -10,7 +103,7 @@ while getopts "h" _opt ; do case ${_opt} in h) - echo "Usage:" + echo "Usage: XXX TBD" exit 0 ;; \?|:) @@ -30,6 +123,12 @@ shift case "${command}" in + datasets) + command_datasets "$@" + ;; + privs) + command_privs "$@" + ;; test) echo "TEST" ;;
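Review bot: In `command_datasets` the `legacy)` branch prints `${_mp}`, which this function never declares or assigns (the parent mountpoint is read into `_pmp`), so the error message shows an empty value; the expansion in that `echo` should be `${_pmp}`. Separately, `command_privs` runs `chmod 01777` and `chown root:mail` on `${_mp}/tmp`, `${_mp}/var/tmp` and `${_mp}/var/mail`, and both tools follow symbolic links by default, while the only check performed is `[ -d "${_mp}" ]` on the top-level directory. If the command is ever run as root against a jail tree that already has content, a link at one of those paths would redirect the mode or owner change to a file outside the jail. Guarding each target with `[ -d "${_mp}/${_d}" ] && [ ! -L "${_mp}/${_d}" ]` before touching it, and using `chown -h` for the mail directory, would prevent that. The lines between the `read` and the first `return 1` appear truncated on this page, so the branch before `legacy)` could not be reviewed.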