[PATCH v3 3/3] samples/landlock: Clarify option parsing behaviour

Matthieu Buffet posted 3 patches 1 month, 1 week ago
[PATCH v3 3/3] samples/landlock: Clarify option parsing behaviour
Posted by Matthieu Buffet 1 month, 1 week ago
Clarify the distinction between filesystem variables (mandatory)
and all others (optional).
For optional variables, explain the difference between unset variables
(no access check performed) and empty variables (nothing allowed for
lists of allowed paths/ports, or no effect for lists of scopes).
List LL_SCOPED values understood and their effect.

Signed-off-by: Matthieu Buffet <matthieu@buffet.re>
---
 samples/landlock/sandboxer.c | 29 +++++++++++++++--------------
 1 file changed, 15 insertions(+), 14 deletions(-)

diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
index 38fc6ebd7222..96b451cf0531 100644
--- a/samples/landlock/sandboxer.c
+++ b/samples/landlock/sandboxer.c
@@ -296,23 +296,24 @@ static bool check_ruleset_scope(const char *const env_var,
 /* clang-format off */
 
 static const char help[] =
-	"usage: "
-	ENV_FS_RO_NAME "=\"...\" "
-	ENV_FS_RW_NAME "=\"...\" "
-	ENV_TCP_BIND_NAME "=\"...\" "
-	ENV_TCP_CONNECT_NAME "=\"...\" "
-	ENV_SCOPED_NAME "=\"...\" %1$s <cmd> [args]...\n"
+	"usage: " ENV_FS_RO_NAME "=\"...\" " ENV_FS_RW_NAME "=\"...\" "
+	"[other environment variables] %1$s <cmd> [args]...\n"
 	"\n"
-	"Execute a command in a restricted environment.\n"
+	"Execute the given command in a restricted environment.\n"
+	"Multi-valued settings (lists of ports, paths, scopes) are colon-delimited.\n"
 	"\n"
-	"Environment variables containing paths and ports each separated by a colon:\n"
-	"* " ENV_FS_RO_NAME ": list of paths allowed to be used in a read-only way\n"
-	"* " ENV_FS_RW_NAME ": list of paths allowed to be used in a read-write way\n"
+	"Mandatory settings:\n"
+	"* " ENV_FS_RO_NAME ": paths allowed to be used in a read-only way\n"
+	"* " ENV_FS_RW_NAME ": paths allowed to be used in a read-write way\n"
 	"\n"
-	"Environment variables containing ports are optional and could be skipped.\n"
-	"* " ENV_TCP_BIND_NAME ": list of ports allowed to bind (server)\n"
-	"* " ENV_TCP_CONNECT_NAME ": list of ports allowed to connect (client)\n"
-	"* " ENV_SCOPED_NAME ": list of scoped IPCs\n"
+	"Optional settings (when not set, their associated access check "
+	"is always allowed, which is different from an empty string which "
+	"means an empty list)\n"
+	"* " ENV_TCP_BIND_NAME ": ports allowed to bind (server)\n"
+	"* " ENV_TCP_CONNECT_NAME ": ports allowed to connect (client)\n"
+	"* " ENV_SCOPED_NAME ": actions denied on the outside of the landlock domain\n"
+	"  - \"a\" to restrict opening abstract unix sockets\n"
+	"  - \"s\" to restrict sending signals\n"
 	"\n"
 	"Example:\n"
 	ENV_FS_RO_NAME "=\"${PATH}:/lib:/usr:/proc:/etc:/dev/urandom\" "
-- 
2.39.5
Re: [PATCH v3 3/3] samples/landlock: Clarify option parsing behaviour
Posted by Mickaël Salaün 1 month ago
On Sat, Oct 19, 2024 at 05:15:34PM +0200, Matthieu Buffet wrote:
> Clarify the distinction between filesystem variables (mandatory)
> and all others (optional).
> For optional variables, explain the difference between unset variables
> (no access check performed) and empty variables (nothing allowed for
> lists of allowed paths/ports, or no effect for lists of scopes).
> List LL_SCOPED values understood and their effect.
> 
> Signed-off-by: Matthieu Buffet <matthieu@buffet.re>
> ---
>  samples/landlock/sandboxer.c | 29 +++++++++++++++--------------
>  1 file changed, 15 insertions(+), 14 deletions(-)
> 
> diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
> index 38fc6ebd7222..96b451cf0531 100644
> --- a/samples/landlock/sandboxer.c
> +++ b/samples/landlock/sandboxer.c
> @@ -296,23 +296,24 @@ static bool check_ruleset_scope(const char *const env_var,
>  /* clang-format off */
>  
>  static const char help[] =
> -	"usage: "
> -	ENV_FS_RO_NAME "=\"...\" "
> -	ENV_FS_RW_NAME "=\"...\" "
> -	ENV_TCP_BIND_NAME "=\"...\" "
> -	ENV_TCP_CONNECT_NAME "=\"...\" "
> -	ENV_SCOPED_NAME "=\"...\" %1$s <cmd> [args]...\n"
> +	"usage: " ENV_FS_RO_NAME "=\"...\" " ENV_FS_RW_NAME "=\"...\" "
> +	"[other environment variables] %1$s <cmd> [args]...\n"
>  	"\n"
> -	"Execute a command in a restricted environment.\n"
> +	"Execute the given command in a restricted environment.\n"
> +	"Multi-valued settings (lists of ports, paths, scopes) are colon-delimited.\n"
>  	"\n"
> -	"Environment variables containing paths and ports each separated by a colon:\n"
> -	"* " ENV_FS_RO_NAME ": list of paths allowed to be used in a read-only way\n"
> -	"* " ENV_FS_RW_NAME ": list of paths allowed to be used in a read-write way\n"
> +	"Mandatory settings:\n"
> +	"* " ENV_FS_RO_NAME ": paths allowed to be used in a read-only way\n"
> +	"* " ENV_FS_RW_NAME ": paths allowed to be used in a read-write way\n"
>  	"\n"
> -	"Environment variables containing ports are optional and could be skipped.\n"
> -	"* " ENV_TCP_BIND_NAME ": list of ports allowed to bind (server)\n"
> -	"* " ENV_TCP_CONNECT_NAME ": list of ports allowed to connect (client)\n"
> -	"* " ENV_SCOPED_NAME ": list of scoped IPCs\n"
> +	"Optional settings (when not set, their associated access check "
> +	"is always allowed, which is different from an empty string which "
> +	"means an empty list)\n"

I would just add ":" at the end of the line.  No need to send another
patch for that.

> +	"* " ENV_TCP_BIND_NAME ": ports allowed to bind (server)\n"
> +	"* " ENV_TCP_CONNECT_NAME ": ports allowed to connect (client)\n"
> +	"* " ENV_SCOPED_NAME ": actions denied on the outside of the landlock domain\n"
> +	"  - \"a\" to restrict opening abstract unix sockets\n"
> +	"  - \"s\" to restrict sending signals\n"
>  	"\n"
>  	"Example:\n"
>  	ENV_FS_RO_NAME "=\"${PATH}:/lib:/usr:/proc:/etc:/dev/urandom\" "
> -- 
> 2.39.5
> 
>