authorTom Smeding <tom@tomsmeding.com>2022-05-05 00:47:24 +0200
committerTom Smeding <tom@tomsmeding.com>2022-10-26 19:47:00 +0200
commit7655fe2f9dd63f0e3cda07dab385af5308265786 (patch)
tree5db548d7913a88c48da158f60ca929ee132df1d9
parent906a7a75bdbf856fac7795c4440f3c170878fe3d (diff)
--size: Update completions and documentation
Signed-off-by: Tom Smeding <tom@tomsmeding.com>
-rw-r--r--bwrap.xml26
-rw-r--r--completions/bash/bwrap1
-rw-r--r--completions/zsh/_bwrap21
3 files changed, 46 insertions, 2 deletions
diff --git a/bwrap.xml b/bwrap.xml
index 2baec5d..46e2478 100644
--- a/bwrap.xml
+++ b/bwrap.xml
@@ -207,6 +207,9 @@
(rwxr-xr-x). However, if a <option>--perms</option> option is in effect, and
it sets the permissions for group or other to zero, then newly-created
parent directories will also have their corresponding permission set to zero.
+ <option>--size</option> modifies the size of the created mount when preceding a
+ <option>--tmpfs</option> action; <option>--perms</option> and <option>--size</option>
+ can be combined.
</para>
<variablelist>
<varlistentry>
@@ -217,7 +220,24 @@
Subsequent operations are not affected: for example,
<literal>--perms 0700 --tmpfs /a --tmpfs /b</literal> will mount
<filename>/a</filename> with permissions 0700, then return to
- the default permissions for <filename>/b</filename>.</para></listitem>
+ the default permissions for <filename>/b</filename>.
+ Note that <option>--perms</option> and <option>--size</option> can be
+ combined: <literal>--perms 0700 --size 10485760 --tmpfs /s</literal> will apply
+ permissions as well as a maximum size to the created tmpfs.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>--size <arg choice="plain">BYTES</arg></option></term>
+ <listitem><para>This option does nothing on its own, and must be followed
+ by <literal>--tmpfs</literal>. It sets the size in bytes for the next tmpfs.
+ For example, <literal>--size 10485760 --tmpfs /tmp</literal> will create a tmpfs
+ at <filename>/tmp</filename> of size 10MiB. Subsequent operations are not
+ affected: for example,
+ <literal>--size 10485760 --tmpfs /a --tmpfs /b</literal> will mount
+ <filename>/a</filename> with size 10MiB, then return to the default size for
+ <filename>/b</filename>.
+ Note that <option>--perms</option> and <option>--size</option> can be
+ combined: <literal>--size 10485760 --perms 0700 --tmpfs /s</literal> will apply
+ permissions as well as a maximum size to the created tmpfs.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--bind <arg choice="plain">SRC</arg> <arg choice="plain">DEST</arg></option></term>
@@ -260,7 +280,9 @@
<listitem>
<para>Mount new tmpfs on <arg choice="plain">DEST</arg>.
If the previous option was <option>--perms</option>, it sets the
- mode of the tmpfs. Otherwise, the tmpfs has mode 0755.</para>
+ mode of the tmpfs. Otherwise, the tmpfs has mode 0755.
+ If the previous option was <option>--size</option>, it sets the
+ size in bytes of the tmpfs. Otherwise, the tmpfs has the default size.</para>
</listitem>
</varlistentry>
<varlistentry>
diff --git a/completions/bash/bwrap b/completions/bash/bwrap
index c57d9ab..e796be3 100644
--- a/completions/bash/bwrap
+++ b/completions/bash/bwrap
@@ -54,6 +54,7 @@ _bwrap() {
--ro-bind
--seccomp
--setenv
+ --size
--symlink
--sync-fd
--uid
diff --git a/completions/zsh/_bwrap b/completions/zsh/_bwrap
index 1e365f0..f81ffaf 100644
--- a/completions/zsh/_bwrap
+++ b/completions/zsh/_bwrap
@@ -1,11 +1,23 @@
#compdef bwrap
+_bwrap_args_after_perms_size=(
+ # Please sort alphabetically (in LC_ALL=C order) by option name
+ '--tmpfs[Mount new tmpfs on DEST]:mount point for tmpfs:_files -/'
+)
+
_bwrap_args_after_perms=(
# Please sort alphabetically (in LC_ALL=C order) by option name
'--bind-data[Copy from FD to file which is bind-mounted on DEST]: :_guard "[0-9]#" "file descriptor to read content":destination:_files'
'--dir[Create dir at DEST]:directory to create:_files -/'
'--file[Copy from FD to destination DEST]: :_guard "[0-9]#" "file descriptor to read content from":destination:_files'
'--ro-bind-data[Copy from FD to file which is readonly bind-mounted on DEST]: :_guard "[0-9]#" "file descriptor to read content from":destination:_files'
+ '--size[Set size in bytes for next action argument]: :->after_perms_size'
+ '--tmpfs[Mount new tmpfs on DEST]:mount point for tmpfs:_files -/'
+)
+
+_bwrap_args_after_size=(
+ # Please sort alphabetically (in LC_ALL=C order) by option name
+ '--perms[Set permissions for next action argument]: :_guard "[0-7]#" "permissions in octal": :->after_perms_size'
'--tmpfs[Mount new tmpfs on DEST]:mount point for tmpfs:_files -/'
)
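Review bot: The `--size` spec added to `_bwrap_args_after_perms` (and the matching one added to `_bwrap_args` in the next hunk) attaches the `->after_perms_size` / `->after_size` state to the option's first argument, so the BYTES operand gets no slot of its own. The `--perms` entry in `_bwrap_args_after_size` does it differently: it guards its octal operand first and only then switches state. As written, completing after `--size ` would presumably offer `--tmpfs` straight away instead of prompting for a number. Mirroring the `--perms` form keeps the two consistent: `'--size[Set size in bytes for next action argument]: :_guard "[0-9]#" "size in bytes": :->after_perms_size'`, with `:->after_size` for the `_bwrap_args` entry. Because the documented purpose of `--size` is to cap the tmpfs, a completion that steers past the operand makes it easier to end up with a command line that fails or leaves the mount at the default size.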
@@ -47,6 +59,7 @@ _bwrap_args=(
'--ro-bind[Bind mount the host path SRC readonly on DEST]:source:_files:destination:_files'
'--seccomp[Load and use seccomp rules from FD]: :_guard "[0-9]#" "file descriptor to read seccomp rules from"'
'--setenv[Set an environment variable]:variable to set:_parameters -g "*export*":value of variable: :'
+ '--size[Set size in bytes for next action argument]: :->after_size'
'--symlink[Create symlink at DEST with target SRC]:symlink target:_files:symlink to create:_files:'
'--sync-fd[Keep this fd open while sandbox is running]: :_guard "[0-9]#" "file descriptor to keep open"'
'--uid[Custom uid in the sandbox (requires --unshare-user or --userns)]: :_guard "[0-9]#" "numeric group ID"'
@@ -73,6 +86,14 @@ _bwrap() {
_values -S ' ' 'option' $_bwrap_args_after_perms
;;
+ after_size)
+ _values -S ' ' 'option' $_bwrap_args_after_size
+ ;;
+
+ after_perms_size)
+ _values -S ' ' 'option' $_bwrap_args_after_perms_size
+ ;;
+
caps)
# $ grep -E '#define\sCAP_\w+\s+[0-9]+' /usr/include/linux/capability.h | awk '{print $2}' | xargs echo
local all_caps=(