DLPX-86532 CIS: /tmp filesystem and mount options

live-build/config/hooks/vm-artifacts/90-raw-disk-image.binary

@@ -223,6 +223,12 @@ zfs create \
 	-o mountpoint=legacy \
 	"$FSNAME/ROOT/$FSNAME/log"
 
+if [[ "$APPLIANCE_VARIANT" == "external-"* ]]; then
+  zfs create \
+    -o mountpoint=legacy \
+    "$FSNAME/ROOT/$FSNAME/tmp"
+fi
+
 #
 # Initialize the grub dataset. This dataset will be used to contain all
 # of the grub-specific files; this includes the "grub.cfg" file, along
@@ -273,6 +279,11 @@ mount -t zfs "$FSNAME/ROOT/$FSNAME/log" "$DIRECTORY/var/log"
 mkdir -p "/var/crash"
 mount -t zfs "$FSNAME/crashdump" "/var/crash"
 
+if [[ "$APPLIANCE_VARIANT" == "external-"* ]]; then
+  mkdir -p "/tmp"
+  mount -t zfs "$FSNAME/ROOT/$FSNAME/tmp" "/tmp"
+fi
+
 #
 # Populate the root filesystem with the contents of the "binary" directory
 # that (we assume) was previously generated by live-build.
@@ -298,6 +309,12 @@ cat <<-EOF >"$DIRECTORY/etc/fstab"
 	rpool/crashdump  /var/crash     zfs defaults,x-systemd.before=zfs-import-cache.service,x-systemd.before=kdump-tools.service 0 0
 EOF
 
+if [[ "$APPLIANCE_VARIANT" == "external-"* ]]; then
+  cat <<-EOF >"$DIRECTORY/etc/fstab"
+    rpool/ROOT/$FSNAME/tmp  /tmp zfs defaults,nosuid,nodev,noexec,x-systemd.before=zfs-import-cache.service 0 0
+  EOF
+fi
+
 #
 # Now we need to install the bootloader. In order to do that, we'll chroot
 # into the newly populated root filesystem, so that we use the grub-install