# HG changeset patch # User Franz Glasner # Date 1574250952 -3600 # Node ID 9bd38c55a75ccf27d86c61129298c62a896d53a3 # Parent 57b9b899bf77e0d2436581827d151dc10990e46d When executing the "privs" command try to make /var/empty writeable temporarily to set proper permissions and file flags diff -r 57b9b899bf77 -r 9bd38c55a75c sbin/fjail --- a/sbin/fjail Wed Nov 20 09:11:48 2019 +0100 +++ b/sbin/fjail Wed Nov 20 12:55:52 2019 +0100 @@ -272,7 +272,7 @@ # command_privs() { # mountpoint - local _mp _d + local _mp _d _veds _get _vestatus _mp="$1" if [ -z "${_mp}" ]; then @@ -288,6 +288,29 @@ done chown root:mail "${_mp}/var/mail" chmod 0775 "${_mp}/var/mail" + + # + # Handle /var/empty specially: + # make it writeable temporarily if it is mounted read-only: + # + _vestatus="" + _veds=$(_get_dataset_for_varempty "${_mp}") + if [ $? -eq 0 ]; then + _get=$(zfs get -H readonly ${_veds} 2>/dev/null) || { echo "ERROR: cannot determine readonly status of ${_mp}/var/empty" >&2; return 1; } + IFS=$'\t' read _dummy _dummy _vestatus _dummy </dev/null 2>/dev/null || { echo "ERROR: cannot reset readonly-status of ${_mp}/var/empty" >&2; return 1; } + fi + fi + # Set the access rights and the file flags as given in mtree + chmod 0555 "${_mp}/var/empty" + chflags schg "${_mp}/var/empty" + # Reset the read-only status of the mountpoint as it was before + if [ "${_vestatus}" = "on" ]; then + zfs set readonly=on ${_veds} >/dev/null 2>/dev/null || { echo "ERROR: cannot reactivate readonly-status of ${_mp}/var/empty" >&2; return 1; } + fi }
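Review bot: the widened `local` line (`local _mp _d _veds _get _vestatus`) still omits `_dummy`, which the second hunk assigns through `read _dummy _dummy _vestatus _dummy`; as written that variable leaks into the caller's scope. Add it to the declaration: `local _mp _d _veds _get _vestatus _dummy`.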
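Review bot: the `read` that is meant to parse the `zfs get -H readonly` output never sees it: `IFS=$'\t' read _dummy _dummy _vestatus _dummy </dev/null 2>/dev/null` reads from /dev/null, so `read` hits EOF and returns non-zero on every run, the `|| { ...; return 1; }` branch fires unconditionally and `_vestatus` is never populated. Feed it `${_get}` instead, for example with a here-document, which also avoids the subshell a pipe would introduce. Related: the commit message says /var/empty is made writeable temporarily, but no `zfs set readonly=off "${_veds}"` appears in this hunk, the message "cannot reset readonly-status" is attached to a `read` rather than to a `zfs set`, and the second `fi` has no matching `if` among the visible lines; either the hunk lost lines or the readonly=off step is missing, and in both cases the change as shown does not do what it describes. Two robustness points once that is sorted: `chmod 0555 "${_mp}/var/empty"` and `chflags schg "${_mp}/var/empty"` are unchecked, so on a dataset that is still read-only they fail while `command_privs` still returns 0; and if either of them fails, or the function returns early, after readonly has been switched off, the `zfs set readonly=on` line is never reached and the dataset stays writable, so the reset belongs in a cleanup path that runs regardless of the outcome (a `trap` or a single exit point). Also quote `${_veds}` in the `zfs get` and `zfs set` invocations, as the rest of the function does for its paths.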