sane-sandboxed: add a help message

modules/programs/sane-sandboxed

@@ -80,6 +80,56 @@ profilesNamed=()
 firejailFlags=()
 bwrapFlags=()
 
+usage() {
+  echo 'sane-sandboxed: run a program inside a sandbox'
+  echo 'USAGE: sane-sandboxed [sandbox-arg ...] program [sandbox-arg|program-arg ...] [--] [program-arg ...]'
+  echo ''
+  echo 'sandbox args and program args may be intermixed, but the first `--` anywhere signals the end of the sandbox args and the start of program args'
+  echo
+  echo 'sandbox args:'
+  echo '  --sane-sandbox-help'
+  echo '      show this message'
+  echo '  --sane-sandbox-debug'
+  echo '      print debug messages to stderr'
+  echo '  --sane-sandbox-replace-cli <bin>'
+  echo '      invoke <bin> under the sandbox instead of any program previously listed'
+  echo '      also clears and earlier arguments intended for the program'
+  echo '  --sane-sandbox-disable'
+  echo '      invoke the program directly, instead of inside a sandbox'
+  echo '  --sane-sandbox-dry-run'
+  echo '      show what would be `exec`uted but do not perform any action'
+  echo '  --sane-sandbox-method <bwrap|capshonly|firejail|landlock|none>'
+  echo '      use a specific sandboxer'
+  echo '  --sane-sandbox-autodetect <existing|existingFile|existingFileOrParent|existingOrParent|parent>'
+  echo '      add files which appear later as CLI arguments into the sandbox'
+  echo '  --sane-sandbox-cap <sys_admin|sys_net|...>'
+  echo '      allow the sandboxed program to use the provided linux capability (both inside and outside the sandbox)'
+  echo '  --sane-sandbox-portal'
+  echo '      set environment variables so that the sandboxed program will attempt to use xdg-desktop-portal for operations like opening files'
+  echo '  --sane-sandbox-dns <server>'
+  echo '  --sane-sandbox-firejail-arg <arg>'
+  echo '  --sane-sandbox-bwrap-arg <arg>'
+  echo '  --sane-sandbox-net <iface>'
+  echo '  --sane-sandbox-keep-namespace <cgroup|ipc|pid|uts|all>'
+  echo '      do not unshare the provided linux namespace'
+  echo '  --sane-sandbox-path <path>'
+  echo '      allow access to the host <path> within the sandbox'
+  echo '  --sane-sandbox-add-pwd'
+  echo '      shorthand for `--sane-sandbox-path $PWD`'
+  echo '  --sane-sandbox-profile <profile>'
+  echo '  --sane-sandbox-profile-dir <dir>'
+  echo
+  echo 'the following environment variables are also considered and propagated to children:'
+  echo '  SANE_SANDBOX_DISABLE=1'
+  echo '      equivalent to `--sane-sandbox-disable`'
+  echo '  SANE_SANDBOX_DEBUG=1'
+  echo '      equivalent to `--sane-sandbox-debug`, but activates earlier'
+  echo '  SANE_SANDBOX_PREPEND=...'
+  echo '      act as though the provided arg string appeared at the start of the CLI'
+  echo '  SANE_SANDBOX_APPEND=...'
+  echo '      act as though the provided arg string appeared at the end of the CLI'
+}
+
 
 ## UTILITIES/BOILERPLATE
 
@@ -300,6 +350,10 @@ parseArgs() {
         parseArgsExtra+=("$@")
         break
         ;;
+      (--sane-sandbox-help)
+        usage
+        exit 0
+        ;;
       (--sane-sandbox-debug)
         enableDebug
         ;;