From: Matthieu Buffet <matthieu@buffet.re>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: "Günther Noack" <gnoack@google.com>,
"Konstantin Meskhidze" <konstantin.meskhidze@huawei.com>,
"Ivanov Mikhail" <ivanov.mikhail1@huawei-partners.com>,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org,
"Matthieu Buffet" <matthieu@buffet.re>
Subject: [PATCH v2 2/3] samples/landlock: Refactor --help message in function
Date: Thu, 3 Oct 2024 02:50:41 +0200 [thread overview]
Message-ID: <20241003005042.258991-2-matthieu@buffet.re> (raw)
In-Reply-To: <20241003005042.258991-1-matthieu@buffet.re>
Help message is getting larger with each new supported feature (scopes,
and soon UDP). Refactor it away into a separate helper function.
Signed-off-by: Matthieu Buffet <matthieu@buffet.re>
---
samples/landlock/sandboxer.c | 87 +++++++++++++++++++-----------------
1 file changed, 46 insertions(+), 41 deletions(-)
diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
index aff5ef808e22..f16994d35d9e 100644
--- a/samples/landlock/sandboxer.c
+++ b/samples/landlock/sandboxer.c
@@ -295,6 +295,51 @@ static bool check_ruleset_scope(const char *const env_var,
#define LANDLOCK_ABI_LAST 6
+static void print_help(const char *argv0)
+{
+ fprintf(stderr,
+ "usage: %s=\"...\" %s=\"...\" %s=\"...\" %s=\"...\" %s=\"...\" %s "
+ "<cmd> [args]...\n\n",
+ ENV_FS_RO_NAME, ENV_FS_RW_NAME, ENV_TCP_BIND_NAME,
+ ENV_TCP_CONNECT_NAME, ENV_SCOPED_NAME, argv0);
+ fprintf(stderr,
+ "Execute a command in a restricted environment.\n\n");
+ fprintf(stderr,
+ "Environment variables containing paths and ports "
+ "each separated by a colon:\n");
+ fprintf(stderr,
+ "* %s: list of paths allowed to be used in a read-only way.\n",
+ ENV_FS_RO_NAME);
+ fprintf(stderr,
+ "* %s: list of paths allowed to be used in a read-write way.\n\n",
+ ENV_FS_RW_NAME);
+ fprintf(stderr,
+ "Environment variables containing ports are optional "
+ "and could be skipped.\n");
+ fprintf(stderr,
+ "* %s: list of ports allowed to bind (server).\n",
+ ENV_TCP_BIND_NAME);
+ fprintf(stderr,
+ "* %s: list of ports allowed to connect (client).\n",
+ ENV_TCP_CONNECT_NAME);
+ fprintf(stderr, "* %s: list of scoped IPCs.\n",
+ ENV_SCOPED_NAME);
+ fprintf(stderr,
+ "\nexample:\n"
+ "%s=\"${PATH}:/lib:/usr:/proc:/etc:/dev/urandom\" "
+ "%s=\"/dev/null:/dev/full:/dev/zero:/dev/pts:/tmp\" "
+ "%s=\"9418\" "
+ "%s=\"80:443\" "
+ "%s=\"a:s\" "
+ "%s bash -i\n\n",
+ ENV_FS_RO_NAME, ENV_FS_RW_NAME, ENV_TCP_BIND_NAME,
+ ENV_TCP_CONNECT_NAME, ENV_SCOPED_NAME, argv0);
+ fprintf(stderr,
+ "This sandboxer can use Landlock features "
+ "up to ABI version %d.\n",
+ LANDLOCK_ABI_LAST);
+}
+
int main(const int argc, char *const argv[], char *const *const envp)
{
const char *cmd_path;
@@ -313,47 +358,7 @@ int main(const int argc, char *const argv[], char *const *const envp)
};
if (argc < 2) {
- fprintf(stderr,
- "usage: %s=\"...\" %s=\"...\" %s=\"...\" %s=\"...\" %s=\"...\" %s "
- "<cmd> [args]...\n\n",
- ENV_FS_RO_NAME, ENV_FS_RW_NAME, ENV_TCP_BIND_NAME,
- ENV_TCP_CONNECT_NAME, ENV_SCOPED_NAME, argv[0]);
- fprintf(stderr,
- "Execute a command in a restricted environment.\n\n");
- fprintf(stderr,
- "Environment variables containing paths and ports "
- "each separated by a colon:\n");
- fprintf(stderr,
- "* %s: list of paths allowed to be used in a read-only way.\n",
- ENV_FS_RO_NAME);
- fprintf(stderr,
- "* %s: list of paths allowed to be used in a read-write way.\n\n",
- ENV_FS_RW_NAME);
- fprintf(stderr,
- "Environment variables containing ports are optional "
- "and could be skipped.\n");
- fprintf(stderr,
- "* %s: list of ports allowed to bind (server).\n",
- ENV_TCP_BIND_NAME);
- fprintf(stderr,
- "* %s: list of ports allowed to connect (client).\n",
- ENV_TCP_CONNECT_NAME);
- fprintf(stderr, "* %s: list of scoped IPCs.\n",
- ENV_SCOPED_NAME);
- fprintf(stderr,
- "\nexample:\n"
- "%s=\"${PATH}:/lib:/usr:/proc:/etc:/dev/urandom\" "
- "%s=\"/dev/null:/dev/full:/dev/zero:/dev/pts:/tmp\" "
- "%s=\"9418\" "
- "%s=\"80:443\" "
- "%s=\"a:s\" "
- "%s bash -i\n\n",
- ENV_FS_RO_NAME, ENV_FS_RW_NAME, ENV_TCP_BIND_NAME,
- ENV_TCP_CONNECT_NAME, ENV_SCOPED_NAME, argv[0]);
- fprintf(stderr,
- "This sandboxer can use Landlock features "
- "up to ABI version %d.\n",
- LANDLOCK_ABI_LAST);
+ print_help(argv[0]);
return 1;
}
--
2.39.2
next prev parent reply other threads:[~2024-10-03 0:49 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-03 0:50 [PATCH v2 1/3] samples/landlock: Fix port parsing in sandboxer Matthieu Buffet
2024-10-03 0:50 ` Matthieu Buffet [this message]
2024-10-03 15:27 ` [PATCH v2 2/3] samples/landlock: Refactor --help message in function Mickaël Salaün
2024-10-03 0:50 ` [PATCH v2 3/3] samples/landlock: Clarify option parsing behaviour Matthieu Buffet
2024-10-03 15:29 ` Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241003005042.258991-2-matthieu@buffet.re \
--to=matthieu@buffet.re \
--cc=gnoack@google.com \
--cc=ivanov.mikhail1@huawei-partners.com \
--cc=konstantin.meskhidze@huawei.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).