bsdcapsicum.rb 0.2.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5d83ead7ffc798a1957614930e629c867be433fc59a7138327ccae20e2bb35d4
-  data.tar.gz: 9b91b67471e6cd11ebc3eced51face9e8cae9f96136763666e110b175c4a8f55
+  metadata.gz: 876adbe8c5b993392a5c0827d7de2cb90729a4e6084007be54c611e121efc938
+  data.tar.gz: 85effbf22c9f5f89ebb59478d17211d997ffa12bcd53a37c63b1b0989bf145d1
 SHA512:
-  metadata.gz: 315f60aad74e7db220c09cedc03fa4072fbd483de4cf851c6351f0df599249fc7752d892fc304636f4ca08d80735c88f7bc366854d4323f582d7406760c9c40a
-  data.tar.gz: ab6a6c0b337f9ddcbf98e97053379bba9c585d51ecc02b1cd72f55ef9add3be5bcf26d3d0da310d939230a9fb2bf66a483f3accefe94e3d4ad8c729efdefbc76
+  metadata.gz: 3112c288332876b7c959fa45d214c4be5f1b6dd4bf14ba1ec499dc97d017e2ea6f5d95122be24433c636a6228dc292aa1760b33b8a16dcd0b878217f15032a4e
+  data.tar.gz: baa07bdb4999eff23b9b3c27c695d428c63bf9a4c50395439a8b807e8aa810a906432af230f8d1aa8187ffa85b5c03f6e6b20862819e525168dbcf45c244d377

data/README.md

@@ -1,28 +1,43 @@
 ## About
 
-bsdcapsicum.rb provides Ruby bindings for
-[capsicum(4)](https://man.freebsd.org/cgi/man.cgi?query=capsicum&apropos=0&sektion=4&format=html).
+bsdcapsicum.rb provides Ruby bindings for FreeBSD's
+[capsicum(4)](https://man.freebsd.org/cgi/man.cgi?query=capsicum&apropos=0&sektion=4&format=html)
+via
+[fiddle](https://github.com/ruby/fiddle#readme). The capsicum framework
+provides a sandbox model where a process can enter into a mode of operation
+where it is exclusively capable of performing system calls on file descriptors
+that have been acquired before entering capability mode.  The file descriptors
+can also be limited to a subset of system calls, and a file descriptor could
+reference a file, a socket, or other IO objects.
 
 ## Examples
 
-__Capability mode__
+### BSD::Capsicum
+
+#### Capability mode
 
 A process can enter into capability mode by calling
-[BSD::Capsicum.enter!](http://0x1eef.github.io/x/bsdcapsicum.rb/BSD/Capsicum.html#enter!-instance_method).
-After entering capability mode, the process has limited
-abilities. File descriptors acquired before entering into
-capability mode remain accessible and unrestricted, but
-their capabilites can be reduced. See the
+the
+[BSD::Capsicum.enter_capability_mode!](http://0x1eef.github.io/x/bsdcapsicum.rb/BSD/Capsicum.html#enter!-instance_method)
+method. After entering capability mode, a process may only
+issue system calls operating on file descriptors that have already
+been acquired or by reading limited global system state.
+File descriptors acquired before entering capability mode remain
+fully capable but their capabilities can be reduced by calling
+the
+[BSD::Capsicum.permit!](http://0x1eef.github.io/x/bsdcapsicum.rb/BSD/Capsicum.html#permit!-instance_method)
+method. See the
 [cap_enter(2)](https://man.freebsd.org/cgi/man.cgi?query=cap_enter&apropos=0&sektion=2&format=html)
-manual page for more details:
+manual page or the rest of the README for more details:
 
 ```ruby
 #!/usr/bin/env ruby
 require "bsd/capsicum"
 
-print "In capability mode: ", BSD::Capsicum.in_capability_mode? ? "yes" : "no", "\n"
-print "Enter capability mode: ", BSD::Capsicum.enter! ? "ok" : "error", "\n"
-print "In capability mode: ", BSD::Capsicum.in_capability_mode? ? "yes" : "no", "\n"
+print "In capability mode: ", (BSD::Capsicum.capability_mode? ? "yes" : "no"), "\n"
+BSD::Capsicum.enter_capability_mode!
+print "Enter capability mode: ok", "\n"
+print "In capability mode: ", (BSD::Capsicum.capability_mode? ? "yes" : "no"), "\n"
 
 begin
   File.new(File::NULL)
@@ -37,77 +52,99 @@ end
 # Error: Not permitted in capability mode @ rb_sysopen - /dev/null (Errno::ECAPMODE)
 ```
 
-__IPC__
+#### File descriptors
 
-By spawning a child process and then entering capability mode, restrictions can be
-limited to a child process (and its child processes, if any). This can be helpful in
-an architecture where a parent process can spawn one or more child processes to handle
-certain tasks but with restrictions in place:
+The
+[BSD::Capsicum::IO#permit!](http://0x1eef.github.io/x/bsdcapsicum.rb/BSD/Capsicum/IO.html#permit!-instance_method)
+method can reduce the capabilities of a file descriptor by limiting what
+system calls it can be used with. In that sense it is roughly similar to OpenBSD's
+pledge but it operates on the file descriptor level rather than the process
+level.
+The following example obtains a file descriptor in a parent process (with
+full capabilities), then limits the capabilities of the file descriptor
+in a child process to allow only read operations. See the
+[rights(4)](https://man.freebsd.org/cgi/man.cgi?query=rights&apropos=0&sektion=4&format=html)
+and
+[cap_rights_limit(2)](https://man.freebsd.org/cgi/man.cgi?query=cap_rights_limit&sektion=2&format=htmlman)
+manual pages for more information:
 
-```ruby
+``` ruby
 #!/usr/bin/env ruby
 require "bsd/capsicum"
+require "tmpdir"
 
-print "[parent] In capability mode: ", BSD::Capsicum.in_capability_mode? ? "yes" : "no", "\n"
+path = File.join(Dir.tmpdir, "bsdcapsicum.txt")
+file = File.open(path, File::CREAT | File::TRUNC | File::RDWR)
+file.sync = true
+print "[parent] Obtain file descriptor (with full capabilities)", "\n"
 fork do
-  print "[subprocess] Enter capability mode: ", BSD::Capsicum.enter! ? "ok" : "error", "\n"
-  print "[subprocess] In capability mode: ", BSD::Capsicum.in_capability_mode? ? "yes" : "no", "\n"
-  print "[subprocess] Exit", "\n"
-  exit 42
+  file.permit!(:read)
+  print "[child] Reduce capabilities to read", "\n"
+
+  file.gets
+  print "[child] Read OK", "\n"
+
+  begin
+    file.write "foo"
+  rescue Errno::ENOTCAPABLE => ex
+    print "[child] Error: #{ex.message} (#{ex.class})", "\n"
+  end
 end
 Process.wait
-print "[parent] In capability mode: ", BSD::Capsicum.in_capability_mode? ? "yes" : "no", "\n"
+file.write "[parent] Hello from #{Process.pid}", "\n"
+print "[parent] Write OK", "\n"
 
 ##
-# [parent] In capability mode: no
-# [subprocess] Enter capability mode: ok
-# [subprocess] In capability mode: yes
-# [subprocess] Exit
-# [parent] In capability mode: no
+# [parent] Obtain file descriptor (with full capabilities)
+# [child] Reduce capabilities to read
+# [child] Read OK
+# [child] Error: Capabilities insufficient @ io_write - /tmp/bsdcapsicum.txt (Errno::ENOTCAPABLE)
+# [parent] Write OK
 ```
 
-__Rights__
+#### Fcntls
 
 The
-[BSD::Capsicum.set_rights!](http://0x1eef.github.io/x/bsdcapsicum.rb/BSD/Capsicum.html#set_rights!-instance_method)
-method can reduce the capabilities of a file descriptor. The following
-example obtains a file descriptor in a parent process (with both read and
-write permissions), then limits the capabilities of the file descriptor
-in a child process to allow only read operations. See the
-[rights(4)](https://man.freebsd.org/cgi/man.cgi?query=rights&apropos=0&sektion=4&format=html)
-man page for a full list of capabilities:
+[BSD::Capsicum::IO#permit!](http://0x1eef.github.io/x/bsdcapsicum.rb/BSD/Capsicum/IO.html#permit!-instance_method)
+method can limit the fcntls capabilities of a file descriptor by limiting what
+fcntls operations it can be used with. This method requires the fcntl capability to already
+be present, and it can limit fnctls operations to a smaller subset of operations.
+The following example limits the fcntls capabilities of a file descriptor to allow
+only the `GETFL` operation, and prevents the `SETFL` operation:
 
-``` ruby
+```ruby
 #!/usr/bin/env ruby
 require "bsd/capsicum"
+require "tmpdir"
 
-path = File.join(Dir.home, "bsdcapsicum.txt")
+path = File.join(Dir.tmpdir, "bsdcapsicum.txt")
 file = File.open(path, File::CREAT | File::TRUNC | File::RDWR)
 file.sync = true
-print "[parent] obtain file descriptor (with read+write permissions)", "\n"
-fork do
-  BSD::Capsicum.set_rights!(file, %i[CAP_READ])
-  print "[subprocess] reduce rights to read-only", "\n"
+print "Obtain file descriptor (with full capabilities)", "\n"
 
-  file.gets
-  print "[subprocess] read successful", "\n"
+file.permit!(:fcntl)
+print "Reduce capabilities to fcntl", "\n"
 
-  begin
-    file.write "foo"
-  rescue Errno::ENOTCAPABLE => ex
-    print "[subprocess] Error: #{ex.message} (#{ex.class})", "\n"
-  end
+file.permit!(:GETFL, scope: :fcntl)
+print "Reduces fcntl capabilties to GETFL", "\n"
+
+flags = file.fcntl(Fcntl::F_GETFL)
+print "Get fcntl flags: OK", "\n"
+
+begin
+  print "Try to set fcntls flag ... ", "\n"
+  file.fcntl(Fcntl::F_SETFL, flags | Fcntl::O_APPEND)
+rescue Errno::ENOTCAPABLE => ex
+  print "Error: #{ex.message} (#{ex.class})", "\n"
 end
-Process.wait
-file.write "[parent] Hello from #{Process.pid}", "\n"
-print "[parent] write successful", "\n"
 
 ##
-# [parent] obtain file descriptor (with read+write permissions)
-# [subprocess] reduce rights to read-only
-# [subprocess] read successful
-# [subprocess] Error: Capabilities insufficient @ io_write - /home/user/bsdcapsicum.txt (Errno::ENOTCAPABLE)
-# [parent] write successful
+# Obtain file descriptor (with full capabilities)
+# Reduce capabilities to fcntl
+# Reduce fcntl capabilties to fcntl_getfl
+# Get fcntl flags: OK
+# Try to set fcntls flag ...
+# Error: Capabilities insufficient @ finish_narg - /tmp/bsdcapsicum.txt (Errno::ENOTCAPABLE)
 ```
 
 ## Documentation
@@ -122,14 +159,30 @@ bsdcapsicum.rb is available via rubygems.org:
 
 ## Sources
 
-* [GitHub](https://github.com/0x1eef/bsdcapsicum.rb#readme)
-* [git.HardenedBSD.org](https://git.hardenedbsd.org/0x1eef/bsdcapsicum.rb#about)
+* [github.com/@0x1eef](https://github.com/0x1eef/bsdcapsicum.rb#readme)
+* [gitlab.com/@0x1eef](https://gitlab.com/0x1eef/bsdcapsicum.rb#about)
+* [git.HardenedBSD.org/@0x1eef](https://git.hardenedbsd.org/0x1eef/bsdcapsicum.rb#about)
+* [brew.bsd.cafe/@0x1eef](https://brew.bsd.cafe/0x1eef/bsdcapsicum.rb)
 
 ## See also
 
 * [Freaky/ruby-capsicum](https://github.com/Freaky/ruby-capsicum) <br>
-  bsdcapsicum.rb is a fork of this project. It was a huge help both
-  in terms of code and documentation.
+  bsdcapsicum.rb is a fork of this project.
+
+## Status
+
+The following functions have an equivalent Ruby interface:
+
+* [x] [cap_enter(2)](https://man.freebsd.org/cgi/man.cgi?query=cap_enter&apropos=0&sektion=2&format=html)
+* [x] [cap_getmode(2)](https://man.freebsd.org/cgi/man.cgi?query=cap_getmode&apropos=0&sektion=2&format=html)
+* [x] [cap_rights_limit(2)](https://man.freebsd.org/cgi/man.cgi?query=cap_rights_limit&sektion=2&format=html)
+* [x] [cap_fcntls_limit(2)](https://man.freebsd.org/cgi/man.cgi?query=cap_fcntls_limit&sektion=2&format=html)
+
+The following functions complement
+[cap_rights_limit(2)](https://man.freebsd.org/cgi/man.cgi?query=cap_rights_limit&sektion=2&format=html)
+but have not yet been implemented:
+
+* [ ] [cap_ioctls_limit(2)](https://man.freebsd.org/cgi/man.cgi?query=cap_ioctls_limit&sektion=2&format=html)
 
 ## License
 

data/bsdcapsicum.rb.gemspec

@@ -12,12 +12,22 @@ Gem::Specification.new do |spec|
   spec.summary       = "Ruby bindings for FreeBSD's capsicum(4)"
   spec.homepage      = "https://github.com/0x1eef/bsdcapsicum.rb"
   spec.licenses      = ["0BSD", "MIT"]
-  spec.files         = Dir["lib/*.rb", "lib/**/*.rb", "README.md", "LICENSE", "LICENSE.ruby-capsicum", "*.gemspec"]
+  spec.executables   = []
   spec.require_paths = ["lib"]
+  spec.files = Dir[
+    "*.gemspec",
+    "README.md",
+    "LICENSE",
+    "LICENSE.ruby-capsicum",
+    "lib/*.rb",
+    "lib/**/*.rb",
+    "share/**/*.rb",
+  ].select { File.file?(_1) }
 
   spec.add_runtime_dependency "fiddle", "~> 1.1"
   spec.add_development_dependency "bundler", "~> 2.5"
   spec.add_development_dependency "rake", "~> 13.2"
+  spec.add_development_dependency "rake-compiler", "~> 1.2"
   spec.add_development_dependency "minitest", "~> 5.0"
   spec.add_development_dependency "standard", "~> 1.38"
   spec.add_development_dependency "test-cmd.rb", "~> 0.12"

data/lib/bsd/capsicum/constants.rb

@@ -6,90 +6,103 @@ module BSD::Capsicum
   # by sys/capsicum.h and sys/caprights.h. Their
   # documentation can be found in the
   # [rights(4)](https://man.freebsd.org/cgi/man.cgi?query=rights&apropos=0&sektion=4&format=html)
-  # man page
+  # man page, and they can be used with methods
+  # such as {BSD::Capsicum#limit! BSD::Capsicum#limit!}
   module Constants
     CAP_RIGHTS_VERSION = 0x0
 
     ##
     # @group File capabilties
-    CAP_READ           = 0x200000000000001
-    CAP_WRITE          = 0x200000000000002
-    CAP_SEEK           = 0x20000000000000c
-    CAP_PREAD          = 0x20000000000000d
-    CAP_PWRITE         = 0x20000000000000e
-    CAP_MMAP           = 0x200000000000010
-    CAP_CREATE         = 0x200000000000040
-    CAP_FEXECVE        = 0x200000000000080
-    CAP_FSYNC          = 0x200000000000100
-    CAP_FTRUNCATE      = 0x200000000000200
-    CAP_FCHFLAGS       = 0x200000000001000
-    CAP_FCHMOD         = 0x200000000002000
-    CAP_FCHMODAT       = 0x200000000002400
-    CAP_FCHOWN         = 0x200000000004000
-    CAP_FCHOWNAT       = 0x200000000004400
-    CAP_FLOCK          = 0x200000000010000
-    CAP_FPATHCONF      = 0x200000000020000
-    CAP_FSTAT          = 0x200000000080000
-    CAP_FSTATAT        = 0x200000000080400
-    CAP_FSTATFS        = 0x200000000100000
-    CAP_FUTIMES        = 0x200000000200000
-    CAP_FUTIMESAT      = 0x200000000200400
+    CAP_READ           = FFI::CAP_READ
+    CAP_WRITE          = FFI::CAP_WRITE
+    CAP_SEEK           = FFI::CAP_SEEK
+    CAP_PREAD          = FFI::CAP_PREAD
+    CAP_PWRITE         = FFI::CAP_PWRITE
+    CAP_MMAP           = FFI::CAP_MMAP
+    CAP_CREATE         = FFI::CAP_CREATE
+    CAP_FEXECVE        = FFI::CAP_FEXECVE
+    CAP_FSYNC          = FFI::CAP_FSYNC
+    CAP_FTRUNCATE      = FFI::CAP_FTRUNCATE
+    CAP_FCHFLAGS       = FFI::CAP_FCHFLAGS
+    CAP_FCHMOD         = FFI::CAP_FCHMOD
+    CAP_FCHMODAT       = FFI::CAP_FCHMODAT
+    CAP_FCHOWN         = FFI::CAP_FCHOWN
+    CAP_FCHOWNAT       = FFI::CAP_FCHOWNAT
+    CAP_FLOCK          = FFI::CAP_FLOCK
+    CAP_FPATHCONF      = FFI::CAP_FPATHCONF
+    CAP_FSTAT          = FFI::CAP_FSTAT
+    CAP_FSTATAT        = FFI::CAP_FSTATAT
+    CAP_FSTATFS        = FFI::CAP_FSTATFS
+    CAP_FUTIMES        = FFI::CAP_FUTIMES
+    CAP_FUTIMESAT      = FFI::CAP_FUTIMESAT
     # @endgroup
 
     ##
     # @group Socket capabilities
-    CAP_ACCEPT         = 0x200000020000000
-    CAP_BIND           = 0x200000040000000
-    CAP_CONNECT        = 0x200000080000000
-    CAP_GETPEERNAME    = 0x200000100000000
-    CAP_GETSOCKNAME    = 0x200000200000000
-    CAP_GETSOCKOPT     = 0x200000400000000
-    CAP_LISTEN         = 0x200000800000000
-    CAP_PEELOFF        = 0x200001000000000
-    CAP_RECV           = CAP_READ
-    CAP_SEND           = CAP_WRITE
-    CAP_SETSOCKOPT     = 0x200002000000000
-    CAP_SHUTDOWN       = 0x200004000000000
-    CAP_BINDAT         = 0x200008000000400
-    CAP_SOCK_CLIENT    = 0x200007780000003
-    CAP_SOCK_SERVER    = 0x200007f60000003
+    CAP_ACCEPT         = FFI::CAP_ACCEPT
+    CAP_BIND           = FFI::CAP_BIND
+    CAP_CONNECT        = FFI::CAP_CONNECT
+    CAP_GETPEERNAME    = FFI::CAP_GETPEERNAME
+    CAP_GETSOCKNAME    = FFI::CAP_GETSOCKNAME
+    CAP_GETSOCKOPT     = FFI::CAP_GETSOCKOPT
+    CAP_LISTEN         = FFI::CAP_LISTEN
+    CAP_PEELOFF        = FFI::CAP_PEELOFF
+    CAP_RECV           = FFI::CAP_RECV
+    CAP_SEND           = FFI::CAP_SEND
+    CAP_SETSOCKOPT     = FFI::CAP_SETSOCKOPT
+    CAP_SHUTDOWN       = FFI::CAP_SHUTDOWN
+    CAP_BINDAT         = FFI::CAP_BINDAT
+    CAP_SOCK_CLIENT    = FFI::CAP_SOCK_CLIENT
+    CAP_SOCK_SERVER    = FFI::CAP_SOCK_SERVER
     # @endgroup
 
     ##
     # @group ACL capabilities
-    CAP_ACL_CHECK      = 0x400000000010000
-    CAP_ACL_DELETE     = 0x400000000020000
-    CAP_ACL_GET        = 0x400000000040000
-    CAP_ACL_SET        = 0x400000000080000
+    CAP_ACL_CHECK      = FFI::CAP_ACL_CHECK
+    CAP_ACL_DELETE     = FFI::CAP_ACL_DELETE
+    CAP_ACL_GET        = FFI::CAP_ACL_GET
+    CAP_ACL_SET        = FFI::CAP_ACL_SET
     # @endgroup
 
     ##
     # @group Process capabilities
-    CAP_PDGETPID       = 0x400000000000200
-    CAP_PDKILL         = 0x400000000000800
-    CAP_PDWAIT         = 0x400000000000400
+    CAP_PDGETPID       = FFI::CAP_PDGETPID
+    CAP_PDKILL         = FFI::CAP_PDKILL
+    CAP_PDWAIT         = FFI::CAP_PDWAIT
+    # @endgroup
+
+    ##
+    # @group Fcntl capabilities
+    CAP_FCNTL_GETFL    = FFI::CAP_FCNTL_GETFL
+    CAP_FCNTL_SETFL    = FFI::CAP_FCNTL_SETFL
+    CAP_FCNTL_GETOWN   = FFI::CAP_FCNTL_GETOWN
+    CAP_FCNTL_SETOWN   = FFI::CAP_FCNTL_SETOWN
     # @endgroup
 
     ##
     # @group Uncategorized capabilities
-    CAP_CHFLAGSAT      = 0x200000000001400
-    CAP_EVENT          = 0x400000000000020
-    CAP_IOCTL          = 0x400000000000080
-    CAP_KQUEUE         = 0x400000000100040
-    CAP_LOOKUP         = 0x200000000000400
-    CAP_MAC_GET        = 0x400000000000001
-    CAP_MAC_SET        = 0x400000000000002
-    CAP_MKDIRAT        = 0x200000000800400
-    CAP_MKFIFOAT       = 0x200000001000400
-    CAP_MKNODAT        = 0x200000002000400
-    CAP_SEM_GETVALUE   = 0x400000000000004
-    CAP_SEM_POST       = 0x400000000000008
-    CAP_SEM_WAIT       = 0x400000000000010
-    CAP_TTYHOOK        = 0x400000000000100
-    CAP_UNLINKAT       = 0x200000010000400
-    CAP_FSCK           = 0x200000000040000
-    CAP_FCHDIR         = 0x200000000000800
-    CAP_FCNTL          = 0x200000000008000
+    CAP_CHFLAGSAT      = FFI::CAP_CHFLAGSAT
+    CAP_EVENT          = FFI::CAP_EVENT
+    CAP_IOCTL          = FFI::CAP_IOCTL
+    CAP_KQUEUE         = FFI::CAP_KQUEUE
+    CAP_LOOKUP         = FFI::CAP_LOOKUP
+    CAP_MAC_GET        = FFI::CAP_MAC_GET
+    CAP_MAC_SET        = FFI::CAP_MAC_SET
+    CAP_MKDIRAT        = FFI::CAP_MKDIRAT
+    CAP_MKFIFOAT       = FFI::CAP_MKFIFOAT
+    CAP_MKNODAT        = FFI::CAP_MKNODAT
+    CAP_SEM_GETVALUE   = FFI::CAP_SEM_GETVALUE
+    CAP_SEM_POST       = FFI::CAP_SEM_POST
+    CAP_SEM_WAIT       = FFI::CAP_SEM_WAIT
+    CAP_TTYHOOK        = FFI::CAP_TTYHOOK
+    CAP_UNLINKAT       = FFI::CAP_UNLINKAT
+    CAP_FSCK           = FFI::CAP_FSCK
+    CAP_FCHDIR         = FFI::CAP_FCHDIR
+    CAP_FCNTL          = FFI::CAP_FCNTL
+    # @endgroup
+
+    # @group Sizes
+    SIZEOF_CAP_RIGHTS_T = 16
     # @endgroup
   end
 end

data/lib/bsd/capsicum/ffi.rb

@@ -3,8 +3,16 @@
 module BSD::Capsicum
   module FFI
     require "fiddle"
+    require "fiddle/import"
     include Fiddle::Types
-    include Constants
+    extend Fiddle::Importer
+    dlload Dir["/lib/libc.*"].first
+
+    extern "int cap_getmode(u_int*)"
+    extern "int cap_enter(void)"
+    extern "int cap_rights_limit(int, const cap_rights_t*)"
+    extern "int cap_fcntls_limit(int, uint32_t)"
+    extern "cap_rights_t* __cap_rights_init(int version, cap_rights_t*, ...)"
 
     module_function
 
@@ -12,11 +20,7 @@ module BSD::Capsicum
     # Provides a Ruby interface for cap_enter(2)
     # @return [Integer]
     def cap_enter
-      Fiddle::Function.new(
-        libc["cap_enter"],
-        [],
-        INT
-      ).call
+      self["cap_enter"].call
     end
 
     ##
@@ -24,45 +28,88 @@ module BSD::Capsicum
     # @param [Fiddle::Pointer] uintp
     # @return [Integer]
     def cap_getmode(uintp)
-      Fiddle::Function.new(
-        libc["cap_getmode"],
-        [INTPTR_T],
-        INT
-      ).call(uintp)
+      self["cap_getmode"].call(uintp)
     end
 
     ##
     # Provides a Ruby interface for cap_rights_limit(2)
     # @param [Integer] fd
-    # @param [Fiddle::Pointer] rights
+    # @param [Fiddle::Pointer] rightsp
+    # @return [Integer]
+    def cap_rights_limit(fd, rightsp)
+      self["cap_rights_limit"].call(fd, rightsp)
+    end
+
+    ##
+    # Provides a Ruby interface for cap_fcntls_limit(2)
+    # @param [Integer] fd
+    # @param [Array<Integer>] capabilities
+    #  An allowed set of capabilities
     # @return [Integer]
-    def cap_rights_limit(fd, rights)
-      Fiddle::Function.new(
-        libc["cap_rights_limit"],
-        [INT, VOIDP],
-        INT
-      ).call(fd, rights)
+    def cap_fcntls_limit(fd, capabilities)
+      cap = Private.cap_lookup(capabilities, Private.cap_fcntls)
+      self["cap_fcntls_limit"].call(fd, cap.inject(&:|))
     end
 
     ##
     # Provides a Ruby interface for cap_rights_init(2)
-    # @param [Array<Integer>] rights
+    # @see BSD::Capsicum::Constants See Constants for a full list of capabilities
+    # @param [Fiddle::Pointer] rightsp
+    #  A pointer to initialize the `cap_rights_t` structure
+    # @param [Array<Symbol, Integer>] capabilities
+    #  An allowed set of capabilities
+    # @raise [TypeError]
+    #  When an unknown capability is provided
     # @return [Fiddle::Pointer]
-    def cap_rights_init(*rights)
-      voidp = Fiddle::Pointer.malloc(Fiddle::SIZEOF_VOIDP)
-      varargs = rights.flat_map { [ULONG_LONG, (Symbol === _1) ? Constants.const_get(_1) : _1] }
-      Fiddle::Function.new(
-        libc["__cap_rights_init"],
-        [INT, VOIDP, VARIADIC],
-        VOIDP
-      ).call(CAP_RIGHTS_VERSION, voidp, *varargs)
-      voidp
+    #  Returns a pointer to the structure `cap_rights_t`
+    def cap_rights_init(rightsp, *capabilities)
+      cap = Private.cap_lookup(capabilities, Private.cap_all)
+      self["__cap_rights_init"].call(
+        CAP_RIGHTS_VERSION,
+        rightsp,
+        *cap.flat_map { [ULONG_LONG, _1] }
+      )
     end
 
     ##
-    # @api private
-    def libc
-      @libc ||= Fiddle.dlopen Dir["/lib/libc.*"].first
+    # @api pricate
+    module Private
+      extend self
+      ##
+      # @api private
+      # @return [Array<Integer>]
+      #  Returns a list of capabilities (as integers)
+      def cap_lookup(capabilities, allowed)
+        capabilities.flat_map do |cap|
+          if Integer === cap
+            cap
+          elsif allowed.include?(cap)
+            FFI.const_get(cap)
+          elsif allowed.include?(:"CAP_#{cap.upcase}")
+            FFI.const_get(:"CAP_#{cap.upcase}")
+          elsif allowed.include?(:"CAP_FCNTL_#{cap.upcase}")
+            FFI.const_get(:"CAP_FCNTL_#{cap.upcase}")
+          else
+            raise TypeError, "unknown capability: #{cap}"
+          end
+        end
+      end
+
+      ##
+      # @api private
+      # @return [Array<Symbol>]
+      #  Returns all known capabilities
+      def cap_all
+        @cap_all ||= Constants.constants.select { _1.to_s.start_with?("CAP_") }
+      end
+
+      ##
+      # @api private
+      # @return [Array<Symbol>]
+      #  Returns all known fcntl capabilities
+      def cap_fcntls
+        @cap_fcntls ||= Constants.constants.select { _1.to_s.start_with?("CAP_FCNTL_") }
+      end
     end
   end
   private_constant :FFI

data/lib/bsd/capsicum/version.rb

@@ -4,5 +4,5 @@ module BSD
 end unless defined?(BSD)
 
 module BSD::Capsicum
-  VERSION = "0.2.0"
+  VERSION = "0.4.0"
 end

data/lib/bsd/capsicum.rb

@@ -4,14 +4,14 @@ module BSD
 end unless defined?(BSD)
 
 module BSD::Capsicum
+  require "bsdcapsicum.rb.so"
   require_relative "capsicum/version"
-  require_relative "capsicum/constants"
   require_relative "capsicum/ffi"
+  require_relative "capsicum/constants"
   extend self
 
   ##
   # Check if we're in capability mode
-  #
   # @see https://man.freebsd.org/cgi/man.cgi?query=cap_getmode&apropos=0&sektion=2&format=html cap_getmode(2)
   # @raise [SystemCallError]
   #  Might raise a subclass of SystemCallError
@@ -31,7 +31,6 @@ module BSD::Capsicum
 
   ##
   # Enter a process into capability mode
-  #
   # @see https://man.freebsd.org/cgi/man.cgi?query=cap_enter&apropos=0&sektion=2&format=html cap_enter(2)
   # @raise [SystemCallError]
   #  Might raise a subclass of SystemCallError
@@ -42,28 +41,60 @@ module BSD::Capsicum
     raise(SystemCallError.new("cap_enter", Fiddle.last_error))
   end
   alias_method :enter_capability_mode!, :enter!
+  alias_method :enter_cap_mode!, :enter!
 
   ##
-  # Restrict the capabilities of a file descriptor
-  #
+  # Limit the capabilities of a file descriptor
   # @see https://man.freebsd.org/cgi/man.cgi?query=cap_rights_limit&apropos=0&sektion=2&format=html cap_rights_limit(2)
   # @see BSD::Capsicum::Constants See Constants for a full list of capabilities
   # @example
-  #   # Restrict capabilities of STDOUT to read / write
-  #   BSD::Capsicum.set_rights!(STDOUT, %i[CAP_READ CAP_WRITE])
+  #   # Permit standard output operations to read and write
+  #   BSD::Capsicum.permit!(STDOUT, :CAP_READ, :CAP_WRITE)
+  #   # Ditto
+  #   BSD::Capsicum.permit!(STDOUT, :read, :write)
   # @raise [SystemCallError]
   #  Might raise a subclass of SystemCallError
-  # @param [#to_i] io
+  # @param [#fileno,#to_i] io
   #  An IO object
-  # @param [Array<String>] rights
+  # @param [Array<Symbol, Integer>] caps
   #  An allowed set of capabilities
+  # @param [Symbol] scope
+  #  The scope of the permit, either `nil` or `:fcntl`
   # @return [Boolean]
   #  Returns true when successful
-  def set_rights!(io, rights)
-    voidp = FFI.cap_rights_init(*rights)
-    FFI.cap_rights_limit(io.to_i, voidp).zero? ||
-    raise(SystemCallError.new("cap_rights_limit", Fiddle.last_error))
+  def permit!(io, *caps, scope: :rights)
+    if scope == :fcntl
+      FFI.cap_fcntls_limit(io.to_i, caps).zero? ||
+        raise(SystemCallError.new("cap_fcntls_limit", Fiddle.last_error))
+    elsif scope == :rights
+      rightsp = Fiddle::Pointer.malloc(Constants::SIZEOF_CAP_RIGHTS_T)
+      FFI.cap_rights_init(rightsp, *caps)
+      FFI.cap_rights_limit(io.to_i, rightsp).zero? ||
+        raise(SystemCallError.new("cap_rights_limit", Fiddle.last_error))
+    else
+      raise ArgumentError, "invalid scope: #{scope}"
+    end
   ensure
-    voidp.call_free
+    rightsp&.call_free
+  end
+
+  ##
+  # This module is included into Ruby's IO class
+  module IO
+    ##
+    # Limit the capabilities of a file descriptor
+    # @param [Array<Symbol, Integer>] caps
+    #  An allowed set of capabilities
+    # @param [Symbol] scope
+    #  The scope of the permit, either `nil` or `:fcntl`
+    # @see BSD::Capsicum::Constants See CAP_FCNTLS_* for a full list of capabilities
+    # @see BSD::Capsicum::Constants See CAP_* for a full list of capabilities
+    def permit!(*caps, scope: :rights)
+      BSD::Capsicum.permit!(self, *caps, scope:)
+    end
   end
 end
+
+class IO
+  include BSD::Capsicum::IO
+end

data/share/examples/bsdcapsicum.rb/1_capability_mode_example.rb

@@ -0,0 +1,19 @@
+require "bundler/setup"
+require "bsd/capsicum"
+
+print "In capability mode: ", (BSD::Capsicum.capability_mode? ? "yes" : "no"), "\n"
+BSD::Capsicum.enter_capability_mode!
+print "Enter capability mode: ok", "\n"
+print "In capability mode: ", (BSD::Capsicum.capability_mode? ? "yes" : "no"), "\n"
+
+begin
+  File.new(File::NULL)
+rescue Errno::ECAPMODE => ex
+  print "Error: #{ex.message} (#{ex.class})", "\n"
+end
+
+##
+# In capability mode: no
+# Enter capability mode: ok
+# In capability mode: yes
+# Error: Not permitted in capability mode @ rb_sysopen - /dev/null (Errno::ECAPMODE)

data/share/examples/bsdcapsicum.rb/2_fork_example.rb

@@ -0,0 +1,19 @@
+require "bundler/setup"
+require "bsd/capsicum"
+
+print "[parent] In capability mode: ", (BSD::Capsicum.in_capability_mode? ? "yes" : "no"), "\n"
+fork do
+  print "[child] Enter capability mode: ", (BSD::Capsicum.enter! ? "ok" : "error"), "\n"
+  print "[child] In capability mode: ", (BSD::Capsicum.in_capability_mode? ? "yes" : "no"), "\n"
+  print "[child] Exit", "\n"
+  exit 42
+end
+Process.wait
+print "[parent] In capability mode: ", (BSD::Capsicum.in_capability_mode? ? "yes" : "no"), "\n"
+
+##
+# [parent] In capability mode: no
+# [child] Enter capability mode: ok
+# [child] In capability mode: yes
+# [child] Exit
+# [parent] In capability mode: no

data/share/examples/bsdcapsicum.rb/3_set_rights_example.rb

@@ -0,0 +1,31 @@
+#!/usr/bin/env ruby
+require "bsd/capsicum"
+require "tmpdir"
+
+path = File.join(Dir.tmpdir, "bsdcapsicum.txt")
+file = File.open(path, File::CREAT | File::TRUNC | File::RDWR)
+file.sync = true
+print "[parent] Obtain file descriptor (with full capabilities)", "\n"
+fork do
+  file.permit!(:read)
+  print "[child] Reduce capabilities to read", "\n"
+
+  file.gets
+  print "[child] Read OK", "\n"
+
+  begin
+    file.write "foo"
+  rescue Errno::ENOTCAPABLE => ex
+    print "[child] Error: #{ex.message} (#{ex.class})", "\n"
+  end
+end
+Process.wait
+file.write "[parent] Hello from #{Process.pid}", "\n"
+print "[parent] Write OK", "\n"
+
+##
+# [parent] Obtain file descriptor (with full capabilities)
+# [child] Reduce capabilities to read
+# [child] Read OK
+# [child] Error: Capabilities insufficient @ io_write - /tmp/bsdcapsicum.txt (Errno::ENOTCAPABLE)
+# [parent] Write OK

data/share/examples/bsdcapsicum.rb/4_fcntl_example.rb

@@ -0,0 +1,33 @@
+#!/usr/bin/env ruby
+require "bsd/capsicum"
+require "tmpdir"
+require "fcntl"
+
+path = File.join(Dir.tmpdir, "bsdcapsicum.txt")
+file = File.open(path, File::CREAT | File::TRUNC | File::RDWR)
+file.sync = true
+print "Obtain file descriptor (with full capabilities)", "\n"
+
+file.permit!(:fcntl)
+print "Reduce capabilities to fcntl", "\n"
+
+file.permit!(:GETFL, scope: :fcntl)
+print "Reduces fcntl capabilties to GETFL", "\n"
+
+flags = file.fcntl(Fcntl::F_GETFL)
+print "Get fcntl flags: OK", "\n"
+
+begin
+  print "Try to set fcntls flag ... ", "\n"
+  file.fcntl(Fcntl::F_SETFL, flags | Fcntl::O_APPEND)
+rescue Errno::ENOTCAPABLE => ex
+  print "Error: #{ex.message} (#{ex.class})", "\n"
+end
+
+##
+# Obtain file descriptor (with full capabilities)
+# Reduce capabilities to fcntl
+# Reduce fcntl capabilties to fcntl_getfl
+# Get fcntl flags: OK
+# Try to set fcntls flag ...
+# Error: Capabilities insufficient @ finish_narg - /tmp/bsdcapsicum.txt (Errno::ENOTCAPABLE)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: bsdcapsicum.rb
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.4.0
 platform: ruby
 authors:
 - Thomas Hurst
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-06-27 00:00:00.000000000 Z
+date: 2025-04-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: fiddle
@@ -53,6 +53,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '13.2'
+- !ruby/object:Gem::Dependency
+  name: rake-compiler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
@@ -125,6 +139,10 @@ files:
 - lib/bsd/capsicum/ffi.rb
 - lib/bsd/capsicum/version.rb
 - lib/bsdcapsicum.rb
+- share/examples/bsdcapsicum.rb/1_capability_mode_example.rb
+- share/examples/bsdcapsicum.rb/2_fork_example.rb
+- share/examples/bsdcapsicum.rb/3_set_rights_example.rb
+- share/examples/bsdcapsicum.rb/4_fcntl_example.rb
 homepage: https://github.com/0x1eef/bsdcapsicum.rb
 licenses:
 - 0BSD
@@ -145,7 +163,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.11
+rubygems_version: 3.5.23
 signing_key:
 specification_version: 4
 summary: Ruby bindings for FreeBSD's capsicum(4)