setpriv: improve landlock usage() output

* Add help for rights names
* Keep usage() output for Landlock more structured
* Add a note to the man page that "fs" is subject to change

Signed-off-by: Karel Zak <kzak@redhat.com>

diff --git a/sys-utils/setpriv-landlock.c b/sys-utils/setpriv-landlock.c
index 6a9c959b86c2bf7ffe7a23a0baec96ced3527794..90ab8954b84f5f474f44751254b1db34ce9f643c 100644 (file)
--- a/sys-utils/setpriv-landlock.c
+++ b/sys-utils/setpriv-landlock.c
@@ -59,28 +59,29 @@ struct landlock_rule_entry {
 static const struct {
        unsigned long long value;
        const char *type;
+       const char *help;
 } landlock_access_fs[] = {
-       { LANDLOCK_ACCESS_FS_EXECUTE,     "execute"     },
-       { LANDLOCK_ACCESS_FS_WRITE_FILE,  "write-file"  },
-       { LANDLOCK_ACCESS_FS_READ_FILE,   "read-file"   },
-       { LANDLOCK_ACCESS_FS_READ_DIR,    "read-dir"    },
-       { LANDLOCK_ACCESS_FS_REMOVE_DIR,  "remove-dir"  },
-       { LANDLOCK_ACCESS_FS_REMOVE_FILE, "remove-file" },
-       { LANDLOCK_ACCESS_FS_MAKE_CHAR,   "make-char"   },
-       { LANDLOCK_ACCESS_FS_MAKE_DIR,    "make-dir"    },
-       { LANDLOCK_ACCESS_FS_MAKE_REG,    "make-reg"    },
-       { LANDLOCK_ACCESS_FS_MAKE_SOCK,   "make-sock"   },
-       { LANDLOCK_ACCESS_FS_MAKE_FIFO,   "make-fifo"   },
-       { LANDLOCK_ACCESS_FS_MAKE_BLOCK,  "make-block"  },
-       { LANDLOCK_ACCESS_FS_MAKE_SYM,    "make-sym"    },
+       { LANDLOCK_ACCESS_FS_EXECUTE,     "execute",     N_("execute a file") },
+       { LANDLOCK_ACCESS_FS_WRITE_FILE,  "write-file",  N_("open a file with write access") },
+       { LANDLOCK_ACCESS_FS_READ_FILE,   "read-file",   N_("open a file with read access") },
+       { LANDLOCK_ACCESS_FS_READ_DIR,    "read-dir",    N_("open a directory or list its content") },
+       { LANDLOCK_ACCESS_FS_REMOVE_DIR,  "remove-dir",  N_("remove an empty directory or rename one")  },
+       { LANDLOCK_ACCESS_FS_REMOVE_FILE, "remove-file", N_("unlink (or rename) a file") },
+       { LANDLOCK_ACCESS_FS_MAKE_CHAR,   "make-char",   N_("create (or rename or link) a character device") },
+       { LANDLOCK_ACCESS_FS_MAKE_DIR,    "make-dir",    N_("create (or rename) a directory") },
+       { LANDLOCK_ACCESS_FS_MAKE_REG,    "make-reg",    N_("create (or rename or link) a regular file") },
+       { LANDLOCK_ACCESS_FS_MAKE_SOCK,   "make-sock",   N_("create (or rename or link) a UNIX domain socket") },
+       { LANDLOCK_ACCESS_FS_MAKE_FIFO,   "make-fifo",   N_("create (or rename or link) a named pipe") },
+       { LANDLOCK_ACCESS_FS_MAKE_BLOCK,  "make-block",  N_("create (or rename or link) a block device") },
+       { LANDLOCK_ACCESS_FS_MAKE_SYM,    "make-sym",    N_("create (or rename or link) a symbolic link") },
 #ifdef LANDLOCK_ACCESS_FS_REFER
-       { LANDLOCK_ACCESS_FS_REFER,       "refer"       },
+       { LANDLOCK_ACCESS_FS_REFER,       "refer",       N_("link or rename a file from or to a different directory") },
 #endif
 #ifdef LANDLOCK_ACCESS_FS_TRUNCATE
-       { LANDLOCK_ACCESS_FS_TRUNCATE,    "truncate"    },
+       { LANDLOCK_ACCESS_FS_TRUNCATE,    "truncate",    N_("truncate a file with truncate(2)") },
 #endif
 #ifdef LANDLOCK_ACCESS_FS_IOCTL_DEV
-       { LANDLOCK_ACCESS_FS_IOCTL_DEV,   "ioctl-dev"   },
+       { LANDLOCK_ACCESS_FS_IOCTL_DEV,   "ioctl-dev",   N_("invoke ioctl(2) on an opened character or block device") },
 #endif
 };
 
@@ -197,21 +198,23 @@ void do_landlock(const struct setpriv_landlock_opts *opts)
                err(SETPRIV_EXIT_PRIVERR, _("landlock_restrict_self failed"));
 }
 
-void usage_setpriv(FILE *out)
+void usage_landlock(FILE *out)
 {
        size_t i;
 
-       fprintf(out, "\n");
-       fprintf(out, _("Landlock accesses:\n"));
-       fprintf(out, " Access: fs\n");
-       fprintf(out, " Rule types: path-beneath\n");
+       fputs(USAGE_ARGUMENTS, out);
+       fputs(_(" <access> is a landlock access; syntax is fs[:<right>, ...>]\n"), out);
+       fputs(_(" <rule> is a landlock rule; syntax is <type>:<right>:<argument>\n"), out);
 
-       fprintf(out, " Rules: ");
+       fputs(USAGE_SEPARATOR, out);
+       fputs(_(" available landlock rule types are:\n"), out);
+       /* TRANSLATORS: Keep *{path-beneath}* untranslated, it's a type name */
+       fputs(_("  path-beneath - filesystem based rule; <argument> is a path\n"), out);
+
+       fputs(USAGE_SEPARATOR, out);
+       fputs(_(" available landlock filesystems rights are:\n"), out);
        for (i = 0; i < ARRAY_SIZE(landlock_access_fs); i++) {
-               fprintf(out, "%s", landlock_access_fs[i].type);
-               if (i == ARRAY_SIZE(landlock_access_fs) - 1)
-                       fprintf(out, "\n");
-               else
-                       fprintf(out, ",");
+               fprintf(out, "  %12s - %s\n", landlock_access_fs[i].type,
+                                       _(landlock_access_fs[i].help));
        }
 }

diff --git a/sys-utils/setpriv-landlock.h b/sys-utils/setpriv-landlock.h
index d66f86d71a371acfbfac6ac5b894955e45a62f7c..814a996aaff5b305bf011fa2536559868acf4c68 100644 (file)
--- a/sys-utils/setpriv-landlock.h
+++ b/sys-utils/setpriv-landlock.h
@@ -27,7 +27,7 @@ void do_landlock(const struct setpriv_landlock_opts *opts);
 void parse_landlock_access(struct setpriv_landlock_opts *opts, const char *str);
 void parse_landlock_rule(struct setpriv_landlock_opts *opts, const char *str);
 void init_landlock_opts(struct setpriv_landlock_opts *opts);
-void usage_setpriv(FILE *out);
+void usage_landlock(FILE *out);
 
 #else
 
@@ -45,7 +45,7 @@ static inline void parse_landlock_access(
 }
 #define parse_landlock_rule parse_landlock_access
 static inline void init_landlock_opts(void *opts __attribute__((unused))) {}
-static inline void usage_setpriv(FILE *out __attribute__((unused))) {}
+static inline void usage_landlock(FILE *out __attribute__((unused))) {}
 
 #endif /* HAVE_LINUX_LANDLOCK_H */
 

diff --git a/sys-utils/setpriv.1.adoc b/sys-utils/setpriv.1.adoc
index a5b30159badb808f52c8007f40deaa0f6e7d7df2..edcf41c909b93a9189d1ee754f8154e1b4449394 100644 (file)
--- a/sys-utils/setpriv.1.adoc
+++ b/sys-utils/setpriv.1.adoc
@@ -101,6 +101,9 @@ Block all file deletions and directory creations:
 *setpriv --landlock-access fs:remove-file,make-dir*
 +
 For a complete set of supported access categories use *setpriv --help*.
++
+The generic placeholder "fs" are subject to change and maybe be extened in future versoions
+to support new access types.
 
 *--landlock-rule* _rule_::
 

diff --git a/sys-utils/setpriv.c b/sys-utils/setpriv.c
index a5c832f381a462656af52aed0e43723b6966c5c7..c218be8e5e3c15f1cd4a40ec7980b8312819229d 100644 (file)
--- a/sys-utils/setpriv.c
+++ b/sys-utils/setpriv.c
@@ -159,15 +159,15 @@ static void __attribute__((__noreturn__)) usage(void)
        fputs(_(" --seccomp-filter <file>     load seccomp filter from file\n"), out);
        fputs(_(" --reset-env                 clear all environment and initialize\n"
                "                               HOME, SHELL, USER, LOGNAME and PATH\n"), out);
-
        fputs(USAGE_SEPARATOR, out);
        fprintf(out, USAGE_HELP_OPTIONS(29));
+
+       usage_landlock(out);
+
        fputs(USAGE_SEPARATOR, out);
-       fputs(_(" This tool can be dangerous.  Read the manpage, and be careful.\n"), out);
+       fputs(_("This tool can be dangerous.  Read the manpage, and be careful."), out);
        fprintf(out, USAGE_MAN_TAIL("setpriv(1)"));
 
-       usage_setpriv(out);
-
        exit(EXIT_SUCCESS);
 }