analyze: clarify that security --offline=true requires an argument

Without `--root` or `--image`, the `security` command inspects all currently loaded service units if no unit name is specified. But with `--root` or `--image` with `--offline=true`, the `security` command exits silently if no unit name is specified. Also, fixed description of `--root` and `--image` in the man page, and added missing `--unit` option to help text.
2026-03-06 15:02:31 -08:00 · 2024-01-11 11:00:37 +01:00
parent ec6c7bac5c
commit 5e16328506
2 changed files with 13 additions and 4 deletions
--- a/man/systemd-analyze.xml
+++ b/man/systemd-analyze.xml
@@ -1107,8 +1107,10 @@ x86-64      native</programlisting>
      <varlistentry>
        <term><option>--root=<replaceable>PATH</replaceable></option></term>

-        <listitem><para>With <command>cat-files</command> and <command>verify</command>,
-        operate on files underneath the specified root path <replaceable>PATH</replaceable>.</para>
+        <listitem><para>With <command>cat-config</command>, <command>verify</command>,
+        <command>condition</command> and <command>security</command> when used with
+        <option>--offline=</option>, operate on files underneath the specified root path
+        <replaceable>PATH</replaceable>.</para>

        <xi:include href="version-info.xml" xpointer="v239"/></listitem>
      </varlistentry>
@@ -1116,8 +1118,10 @@ x86-64      native</programlisting>
      <varlistentry>
        <term><option>--image=<replaceable>PATH</replaceable></option></term>

-        <listitem><para>With <command>cat-files</command> and <command>verify</command>,
-        operate on files inside the specified image path <replaceable>PATH</replaceable>.</para>
+        <listitem><para>With <command>cat-config</command>, <command>verify</command>,
+        <command>condition</command> and <command>security</command> when used with
+        <option>--offline=</option>, operate on files inside the specified image path
+        <replaceable>PATH</replaceable>.</para>

        <xi:include href="version-info.xml" xpointer="v250"/></listitem>
      </varlistentry>
--- a/src/analyze/analyze.c
+++ b/src/analyze/analyze.c
@@ -272,6 +272,7 @@ static int help(int argc, char *argv[], void *userdata) {
               "                             specified time\n"
               "     --profile=name|PATH     Include the specified profile in the\n"
               "                             security review of the unit(s)\n"
+               "     --unit=UNIT             Evaluate conditions and asserts of unit\n"
               "     --table                 Output plot's raw time data as a table\n"
               "  -h --help                  Show this help\n"
               "     --version               Show package version\n"
@@ -559,6 +560,10 @@ static int parse_argv(int argc, char *argv[]) {
                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                       "Option --offline= is only supported for security right now.");

+        if (arg_offline && optind >= argc - 1)
+                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+                                       "Option --offline= requires one or more units to perform a security review.");
+
        if (arg_json_format_flags != JSON_FORMAT_OFF && !STRPTR_IN_SET(argv[optind], "security", "inspect-elf", "plot", "fdstore", "pcrs", "architectures", "capability", "exit-status"))
                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                       "Option --json= is only supported for security, inspect-elf, plot, fdstore, pcrs, architectures, capability, exit-status right now.");