#!/bin/sh
# bashsupport disable=BP5007
# shellcheck disable=SC2249
# shellcheck shell=sh

# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

# Purpose: Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay.
# Phase  : premount (executed by live-boot inside the initramfs).

set -eu

printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh] ... \n\e[0m"

### Declare variables ----------------------------------------------------------------------------------------------------------
OVERLAY_BASE="/run/live/overlay"
UPPER="${OVERLAY_BASE}/upper"
WORK="${OVERLAY_BASE}/work"

### Size policy: hard ceiling to mitigate RAM-filling DoS; tune to your ISO profile.
: "${CDLB_OVERLAY_TMPFS_SIZE:=70%}"

### Create a base dir with restrictive perms.
# shellcheck disable=SC2174
mkdir -p -m 0700 "${OVERLAY_BASE}"

### Mount dedicated tmpfs with strict flags; 'noexec' here blocks accidental execs from the raw tmpfs path.
mount -t tmpfs -o "size=${CDLB_OVERLAY_TMPFS_SIZE},mode=0700,nosuid,nodev,noexec" tmpfs "${OVERLAY_BASE}"

# Prepare upper/work with tight perms.
# shellcheck disable=SC2174
mkdir -p -m 0700 "${UPPER}" "${WORK}"

printf "\e[92m[INFO] Successfully applied: [/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh] \n\e[0m"

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh