From: Karel Zak Date: Tue, 5 Aug 2025 11:18:32 +0000 (+0200) Subject: setpriv: improve landlock usage() output X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b8693c6f29aa477ed1d25ba093e3a6b76eb37e95;p=thirdparty%2Futil-linux.git setpriv: improve landlock usage() output * Add help for rights names * Keep usage() output for Landlock more structured * Add a note to the man page that "fs" is subject to change Signed-off-by: Karel Zak --- diff --git a/sys-utils/setpriv-landlock.c b/sys-utils/setpriv-landlock.c index 6a9c959b8..90ab8954b 100644 --- a/sys-utils/setpriv-landlock.c +++ b/sys-utils/setpriv-landlock.c 
@@ -59,28 +59,29 @@ struct landlock_rule_entry { static const struct { unsigned long long value; const char *type; + const char *help; } landlock_access_fs[] = { - { LANDLOCK_ACCESS_FS_EXECUTE, "execute" }, - { LANDLOCK_ACCESS_FS_WRITE_FILE, "write-file" }, - { LANDLOCK_ACCESS_FS_READ_FILE, "read-file" }, - { LANDLOCK_ACCESS_FS_READ_DIR, "read-dir" }, - { LANDLOCK_ACCESS_FS_REMOVE_DIR, "remove-dir" }, - { LANDLOCK_ACCESS_FS_REMOVE_FILE, "remove-file" }, - { LANDLOCK_ACCESS_FS_MAKE_CHAR, "make-char" }, - { LANDLOCK_ACCESS_FS_MAKE_DIR, "make-dir" }, - { LANDLOCK_ACCESS_FS_MAKE_REG, "make-reg" }, - { LANDLOCK_ACCESS_FS_MAKE_SOCK, "make-sock" }, - { LANDLOCK_ACCESS_FS_MAKE_FIFO, "make-fifo" }, - { LANDLOCK_ACCESS_FS_MAKE_BLOCK, "make-block" }, - { LANDLOCK_ACCESS_FS_MAKE_SYM, "make-sym" }, + { LANDLOCK_ACCESS_FS_EXECUTE, "execute", N_("execute a file") }, + { LANDLOCK_ACCESS_FS_WRITE_FILE, "write-file", N_("open a file with write access") }, + { LANDLOCK_ACCESS_FS_READ_FILE, "read-file", N_("open a file with read access") }, + { LANDLOCK_ACCESS_FS_READ_DIR, "read-dir", N_("open a directory or list its content") }, + { LANDLOCK_ACCESS_FS_REMOVE_DIR, "remove-dir", N_("remove an empty directory or rename one") }, + { LANDLOCK_ACCESS_FS_REMOVE_FILE, "remove-file", N_("unlink (or rename) a file") }, + { LANDLOCK_ACCESS_FS_MAKE_CHAR, "make-char", N_("create (or rename or link) a character device") }, + { LANDLOCK_ACCESS_FS_MAKE_DIR, "make-dir", N_("create (or rename) a directory") }, + { LANDLOCK_ACCESS_FS_MAKE_REG, "make-reg", N_("create (or rename or link) a regular file") }, + { LANDLOCK_ACCESS_FS_MAKE_SOCK, "make-sock", N_("create (or rename or link) a UNIX domain socket") }, + { LANDLOCK_ACCESS_FS_MAKE_FIFO, "make-fifo", N_("create (or rename or link) a named pipe") }, + { LANDLOCK_ACCESS_FS_MAKE_BLOCK, "make-block", N_("create (or rename or link) a block device") }, + { LANDLOCK_ACCESS_FS_MAKE_SYM, "make-sym", N_("create (or rename or link) a symbolic link") }, #ifdef 
LANDLOCK_ACCESS_FS_REFER - { LANDLOCK_ACCESS_FS_REFER, "refer" }, + { LANDLOCK_ACCESS_FS_REFER, "refer", N_("link or rename a file from or to a different directory") }, #endif #ifdef LANDLOCK_ACCESS_FS_TRUNCATE - { LANDLOCK_ACCESS_FS_TRUNCATE, "truncate" }, + { LANDLOCK_ACCESS_FS_TRUNCATE, "truncate", N_("truncate a file with truncate(2)") }, #endif #ifdef LANDLOCK_ACCESS_FS_IOCTL_DEV - { LANDLOCK_ACCESS_FS_IOCTL_DEV, "ioctl-dev" }, + { LANDLOCK_ACCESS_FS_IOCTL_DEV, "ioctl-dev", N_("invoke ioctl(2) on an opened character or block device") }, #endif }; @@ -197,21 +198,23 @@ void do_landlock(const struct setpriv_landlock_opts *opts) err(SETPRIV_EXIT_PRIVERR, _("landlock_restrict_self failed")); } -void usage_setpriv(FILE *out) +void usage_landlock(FILE *out) { size_t i; - fprintf(out, "\n"); - fprintf(out, _("Landlock accesses:\n")); - fprintf(out, " Access: fs\n"); - fprintf(out, " Rule types: path-beneath\n"); + fputs(USAGE_ARGUMENTS, out); + fputs(_(" is a landlock access; syntax is fs[:, ...>]\n"), out); + fputs(_(" is a landlock rule; syntax is ::\n"), out); - fprintf(out, " Rules: "); + fputs(USAGE_SEPARATOR, out); + fputs(_(" available landlock rule types are:\n"), out); + /* TRANSLATORS: Keep *{path-beneath}* untranslated, it's a type name */ + fputs(_(" path-beneath - filesystem based rule; is a path\n"), out); + + fputs(USAGE_SEPARATOR, out); + fputs(_(" available landlock filesystems rights are:\n"), out); for (i = 0; i < ARRAY_SIZE(landlock_access_fs); i++) { - fprintf(out, "%s", landlock_access_fs[i].type); - if (i == ARRAY_SIZE(landlock_access_fs) - 1) - fprintf(out, "\n"); - else - fprintf(out, ","); + fprintf(out, " %12s - %s\n", landlock_access_fs[i].type, + _(landlock_access_fs[i].help)); } } diff --git a/sys-utils/setpriv-landlock.h b/sys-utils/setpriv-landlock.h index d66f86d71..814a996aa 100644 --- a/sys-utils/setpriv-landlock.h +++ b/sys-utils/setpriv-landlock.h 
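Review bot: The help text for LANDLOCK_ACCESS_FS_TRUNCATE, `N_("truncate a file with truncate(2)")`, understates what the right covers: as I read landlock(7), the right also governs ftruncate(2), creat(2) and open(2) with O_TRUNC, so a user granting only `write-file` may be surprised that O_TRUNC opens are still denied. Since this column is what `--help` prints to explain each right, it should not be narrower than the kernel semantics; something like `N_("truncate a file (truncate(2), ftruncate(2), open(2) with O_TRUNC)")` would be accurate. The other entries look consistent with the kernel's descriptions of the corresponding rights.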
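Review bot: In usage_landlock() the loop passes `landlock_access_fs[i].help` straight into `_()` and then `%s`; every entry in this commit sets the field, but the old table shape (two initializers) is still accepted by the compiler, so a future entry added without a help string silently becomes a NULL msgid, and NULL through gettext and `%s` is undefined behavior rather than a compile error. A one-line guard keeps `--help` robust: `_(landlock_access_fs[i].help ? landlock_access_fs[i].help : "")`. Separately, the heading `" available landlock filesystems rights are:\n"` reads better as `" available landlock filesystem rights are:\n"`, and since these msgids are new this is the cheap moment to fix the wording before translators pick them up. The placeholder names in the two syntax lines appear to have been stripped in this rendering, so I could not verify that text.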
@@ -27,7 +27,7 @@ void do_landlock(const struct setpriv_landlock_opts *opts); void parse_landlock_access(struct setpriv_landlock_opts *opts, const char *str); void parse_landlock_rule(struct setpriv_landlock_opts *opts, const char *str); void init_landlock_opts(struct setpriv_landlock_opts *opts); -void usage_setpriv(FILE *out); +void usage_landlock(FILE *out); #else @@ -45,7 +45,7 @@ static inline void parse_landlock_access( } #define parse_landlock_rule parse_landlock_access static inline void init_landlock_opts(void *opts __attribute__((unused))) {} -static inline void usage_setpriv(FILE *out __attribute__((unused))) {} +static inline void usage_landlock(FILE *out __attribute__((unused))) {} #endif /* HAVE_LINUX_LANDLOCK_H */ diff --git a/sys-utils/setpriv.1.adoc b/sys-utils/setpriv.1.adoc index a5b30159b..edcf41c90 100644 --- a/sys-utils/setpriv.1.adoc +++ b/sys-utils/setpriv.1.adoc @@ -101,6 +101,9 @@ Block all file deletions and directory creations: *setpriv --landlock-access fs:remove-file,make-dir* + For a complete set of supported access categories use *setpriv --help*. ++ +The generic placeholder "fs" are subject to change and maybe be extened in future versoions +to support new access types. *--landlock-rule* _rule_:: diff --git a/sys-utils/setpriv.c b/sys-utils/setpriv.c index a5c832f38..c218be8e5 100644 --- a/sys-utils/setpriv.c +++ b/sys-utils/setpriv.c 
@@ -159,15 +159,15 @@ static void __attribute__((__noreturn__)) usage(void) fputs(_(" --seccomp-filter load seccomp filter from file\n"), out); fputs(_(" --reset-env clear all environment and initialize\n" " HOME, SHELL, USER, LOGNAME and PATH\n"), out); - fputs(USAGE_SEPARATOR, out); fprintf(out, USAGE_HELP_OPTIONS(29)); + + usage_landlock(out); + fputs(USAGE_SEPARATOR, out); - fputs(_(" This tool can be dangerous. Read the manpage, and be careful.\n"), out); + fputs(_("This tool can be dangerous. Read the manpage, and be careful."), out); fprintf(out, USAGE_MAN_TAIL("setpriv(1)")); - usage_setpriv(out); - exit(EXIT_SUCCESS); }
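Review bot: The warning string's trailing `"\n"` was dropped, so correct output now silently depends on `USAGE_MAN_TAIL` beginning with a newline (which it does in util-linux's c.h, as far as I recall); a short comment on that line, `/* no trailing newline: USAGE_MAN_TAIL starts with one */`, would stop the next edit from reintroducing or removing it by accident. The hunk also removes the `fputs(USAGE_SEPARATOR, out);` that preceded `fprintf(out, USAGE_HELP_OPTIONS(29));`, so the `-h`/`-V` lines now run directly after `--reset-env` without the blank line other util-linux tools print; if that was not the intent, restore that one line. Moving `usage_landlock(out)` before the separator and warning looks right, and the empty inline stub in the header keeps the non-landlock build unchanged.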