samples/landlock: Print hints about ABI versions
authorMickaël Salaün <mic@digikod.net>
Fri, 23 Sep 2022 15:42:05 +0000 (17:42 +0200)
committerMickaël Salaün <mic@digikod.net>
Thu, 29 Sep 2022 16:43:01 +0000 (18:43 +0200)
Extend the help with the latest Landlock ABI version supported by the
sandboxer.

Inform users about the sandboxer or the kernel not being up-to-date.

Make the version check code easier to update and harder to misuse.

Cc: Paul Moore <paul@paul-moore.com>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Reviewed-by: Günther Noack <gnoack3000@gmail.com>
Link: https://lore.kernel.org/r/20220923154207.3311629-2-mic@digikod.net
samples/landlock/sandboxer.c

index 3e404e5..f29bb3c 100644 (file)
@@ -162,11 +162,10 @@ out_free_name:
        LANDLOCK_ACCESS_FS_MAKE_SYM | \
        LANDLOCK_ACCESS_FS_REFER)
 
-#define ACCESS_ABI_2 ( \
-       LANDLOCK_ACCESS_FS_REFER)
-
 /* clang-format on */
 
+#define LANDLOCK_ABI_LAST 2
+
 int main(const int argc, char *const argv[], char *const *const envp)
 {
        const char *cmd_path;
@@ -196,8 +195,12 @@ int main(const int argc, char *const argv[], char *const *const envp)
                        "\nexample:\n"
                        "%s=\"/bin:/lib:/usr:/proc:/etc:/dev/urandom\" "
                        "%s=\"/dev/null:/dev/full:/dev/zero:/dev/pts:/tmp\" "
-                       "%s bash -i\n",
+                       "%s bash -i\n\n",
                        ENV_FS_RO_NAME, ENV_FS_RW_NAME, argv[0]);
+               fprintf(stderr,
+                       "This sandboxer can use Landlock features "
+                       "up to ABI version %d.\n",
+                       LANDLOCK_ABI_LAST);
                return 1;
        }
 
@@ -225,12 +228,30 @@ int main(const int argc, char *const argv[], char *const *const envp)
                }
                return 1;
        }
+
        /* Best-effort security. */
-       if (abi < 2) {
-               ruleset_attr.handled_access_fs &= ~ACCESS_ABI_2;
-               access_fs_ro &= ~ACCESS_ABI_2;
-               access_fs_rw &= ~ACCESS_ABI_2;
+       switch (abi) {
+       case 1:
+               /* Removes LANDLOCK_ACCESS_FS_REFER for ABI < 2 */
+               ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;
+
+               fprintf(stderr,
+                       "Hint: You should update the running kernel "
+                       "to leverage Landlock features "
+                       "provided by ABI version %d (instead of %d).\n",
+                       LANDLOCK_ABI_LAST, abi);
+               __attribute__((fallthrough));
+       case LANDLOCK_ABI_LAST:
+               break;
+       default:
+               fprintf(stderr,
+                       "Hint: You should update this sandboxer "
+                       "to leverage Landlock features "
+                       "provided by ABI version %d (instead of %d).\n",
+                       abi, LANDLOCK_ABI_LAST);
        }
+       access_fs_ro &= ruleset_attr.handled_access_fs;
+       access_fs_rw &= ruleset_attr.handled_access_fs;
 
        ruleset_fd =
                landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
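Review bot: Nothing ties `LANDLOCK_ABI_LAST` to the case labels of this switch, so bumping the constant without adding a case for the previous version sends that kernel ABI to `default:`. There it gets the "update this sandboxer" hint, and nothing is cleared from `ruleset_attr.handled_access_fs`, so the `landlock_create_ruleset()` call below would presumably be given access bits the running kernel does not know. I would document the contract at the define in the first hunk, e.g. `/* Latest ABI handled by the switch in main(); when bumping, add a case for the previous version that clears the newer rights and move the kernel hint into it. */`. The `case 1` comment could also say why the best-effort downgrade is acceptable, e.g. `/* ABI 1 always denies reparenting, so not handling REFER does not widen access. */`. main() starts before this hunk and continues after it.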