cap2 0.1.0 → 0.1.1

Sign up to get free protection for your applications and to get access to all the features.
@@ -2,11 +2,12 @@
2
2
  #include <errno.h>
3
3
  #include <unistd.h>
4
4
  #include <sys/capability.h>
5
+ #include "cap2.h"
5
6
 
6
7
  /*
7
8
  * Converts a Ruby symbol into cap_flag_t set, defined in <sys/capability.h>
8
9
  *
9
- * Raises an ArgumentError if set is not a valid capability set
10
+ * Raises an ArgumentError if set is not a valid capability set.
10
11
  */
11
12
  cap_flag_t cap2_sym_to_set(VALUE set) {
12
13
  char *set_s;
@@ -24,62 +25,36 @@ cap_flag_t cap2_sym_to_set(VALUE set) {
24
25
  }
25
26
 
26
27
  /*
27
- * Converts a Ruby symbol into cap_value_t capability value, defined
28
- * in <linux/capability.h>
28
+ * Lookup the value of a capability in cap2_caps, defined in cap2.h
29
+ * (cap2.h is generated dynamically by extconf.rb).
29
30
  *
30
- * Raises an ArgumentError if cap is not a valid capability value.
31
+ * Raises an ArgumentError if name is not a valid capability name.
31
32
  */
32
- cap_value_t cap2_sym_to_cap(VALUE cap) {
33
- char *cap_s;
33
+ cap_value_t cap2_cap_value(const char *name) {
34
+ int i;
35
+
36
+ for(i = 0; i < __CAP_COUNT; i++) {
37
+ if(strcmp(cap2_caps[i].name, name) == 0)
38
+ return cap2_caps[i].value;
39
+ }
40
+
41
+ rb_raise(rb_eArgError, "unknown capability %s", name);
42
+ }
34
43
 
44
+ /*
45
+ * Converts a Ruby symbol into a cap_value_t capability value.
46
+ */
47
+ cap_value_t cap2_sym_to_cap(VALUE cap) {
35
48
  Check_Type(cap, T_SYMBOL);
36
49
 
37
50
  cap = rb_sym_to_s(cap);
38
51
 
39
- cap_s = StringValueCStr(cap);
40
-
41
- if(strcmp(cap_s, "chown") == 0) return CAP_CHOWN;
42
- else if(strcmp(cap_s, "dac_override") == 0) return CAP_DAC_OVERRIDE;
43
- else if(strcmp(cap_s, "dac_read_search") == 0) return CAP_DAC_READ_SEARCH;
44
- else if(strcmp(cap_s, "fowner") == 0) return CAP_FOWNER;
45
- else if(strcmp(cap_s, "fsetid") == 0) return CAP_FSETID;
46
- else if(strcmp(cap_s, "kill") == 0) return CAP_KILL;
47
- else if(strcmp(cap_s, "setgid") == 0) return CAP_SETGID;
48
- else if(strcmp(cap_s, "setuid") == 0) return CAP_SETUID;
49
- else if(strcmp(cap_s, "setpcap") == 0) return CAP_SETPCAP;
50
- else if(strcmp(cap_s, "linux_immutable") == 0) return CAP_LINUX_IMMUTABLE;
51
- else if(strcmp(cap_s, "net_bind_service") == 0) return CAP_NET_BIND_SERVICE;
52
- else if(strcmp(cap_s, "net_broadcast") == 0) return CAP_NET_BROADCAST;
53
- else if(strcmp(cap_s, "net_admin") == 0) return CAP_NET_ADMIN;
54
- else if(strcmp(cap_s, "net_raw") == 0) return CAP_NET_RAW;
55
- else if(strcmp(cap_s, "ipc_lock") == 0) return CAP_IPC_LOCK;
56
- else if(strcmp(cap_s, "ipc_owner") == 0) return CAP_IPC_OWNER;
57
- else if(strcmp(cap_s, "sys_module") == 0) return CAP_SYS_MODULE;
58
- else if(strcmp(cap_s, "sys_rawio") == 0) return CAP_SYS_RAWIO;
59
- else if(strcmp(cap_s, "sys_chroot") == 0) return CAP_SYS_CHROOT;
60
- else if(strcmp(cap_s, "sys_ptrace") == 0) return CAP_SYS_PTRACE;
61
- else if(strcmp(cap_s, "sys_pacct") == 0) return CAP_SYS_PACCT;
62
- else if(strcmp(cap_s, "sys_admin") == 0) return CAP_SYS_ADMIN;
63
- else if(strcmp(cap_s, "sys_boot") == 0) return CAP_SYS_BOOT;
64
- else if(strcmp(cap_s, "sys_nice") == 0) return CAP_SYS_NICE;
65
- else if(strcmp(cap_s, "sys_resource") == 0) return CAP_SYS_RESOURCE;
66
- else if(strcmp(cap_s, "sys_time") == 0) return CAP_SYS_TIME;
67
- else if(strcmp(cap_s, "sys_tty_config") == 0) return CAP_SYS_TTY_CONFIG;
68
- else if(strcmp(cap_s, "mknod") == 0) return CAP_MKNOD;
69
- else if(strcmp(cap_s, "lease") == 0) return CAP_LEASE;
70
- else if(strcmp(cap_s, "audit_write") == 0) return CAP_AUDIT_WRITE;
71
- else if(strcmp(cap_s, "audit_control") == 0) return CAP_AUDIT_CONTROL;
72
- else if(strcmp(cap_s, "setfcap") == 0) return CAP_SETFCAP;
73
- else if(strcmp(cap_s, "mac_override") == 0) return CAP_MAC_OVERRIDE;
74
- else if(strcmp(cap_s, "mac_admin") == 0) return CAP_MAC_ADMIN;
75
- else if(strcmp(cap_s, "syslog") == 0) return CAP_SYSLOG;
76
- else if(strcmp(cap_s, "wake_alarm") == 0) return CAP_WAKE_ALARM;
77
- else rb_raise(rb_eArgError, "unknown capability %s", cap_s);
52
+ return cap2_cap_value(StringValueCStr(cap));
78
53
  }
79
54
 
80
55
  /*
81
56
  * Returns a boolean representing whether cap_d has the given capability enabled
82
- * in the given set
57
+ * in the given set.
83
58
  */
84
59
  VALUE cap2_has_cap(cap_t cap_d, VALUE set_sym, VALUE cap_sym) {
85
60
  cap_flag_t set;
@@ -0,0 +1,43 @@
1
+ struct {
2
+ int value;
3
+ char name[32];
4
+ } cap2_caps[] = {
5
+ { 0, "chown" },
6
+ { 1, "dac_override" },
7
+ { 2, "dac_read_search" },
8
+ { 3, "fowner" },
9
+ { 4, "fsetid" },
10
+ { 5, "kill" },
11
+ { 6, "setgid" },
12
+ { 7, "setuid" },
13
+ { 8, "setpcap" },
14
+ { 9, "linux_immutable" },
15
+ { 10, "net_bind_service" },
16
+ { 11, "net_broadcast" },
17
+ { 12, "net_admin" },
18
+ { 13, "net_raw" },
19
+ { 14, "ipc_lock" },
20
+ { 15, "ipc_owner" },
21
+ { 16, "sys_module" },
22
+ { 17, "sys_rawio" },
23
+ { 18, "sys_chroot" },
24
+ { 19, "sys_ptrace" },
25
+ { 20, "sys_pacct" },
26
+ { 21, "sys_admin" },
27
+ { 22, "sys_boot" },
28
+ { 23, "sys_nice" },
29
+ { 24, "sys_resource" },
30
+ { 25, "sys_time" },
31
+ { 26, "sys_tty_config" },
32
+ { 27, "mknod" },
33
+ { 28, "lease" },
34
+ { 29, "audit_write" },
35
+ { 30, "audit_control" },
36
+ { 31, "setfcap" },
37
+ { 32, "mac_override" },
38
+ { 33, "mac_admin" },
39
+ { 34, "syslog" },
40
+ { 35, "wake_alarm" }
41
+ };
42
+
43
+ #define __CAP_COUNT 36
@@ -10,6 +10,31 @@ unless have_header('sys/capability.h')
10
10
  EOS
11
11
  end
12
12
 
13
+ # Generate cap2.h dynamically to define cap2_caps, an array of capability
14
+ # name / value pairs, with values as defined in <linux/capability.h>
15
+ File.open(File.dirname(__FILE__) + '/cap2.h', 'w') do |file|
16
+ cap_count = 0
17
+ caps = []
18
+
19
+ File.
20
+ readlines('/usr/include/linux/capability.h').
21
+ grep(/#define CAP_([\w_]+)\s+(\d+)/) do
22
+ caps << %[{ #{$2}, "#{$1.downcase}" }]
23
+ cap_count += 1
24
+ end
25
+
26
+ file.puts <<-EOS
27
+ struct {
28
+ int value;
29
+ char name[32];
30
+ } cap2_caps[] = {
31
+ #{caps.join(",\n ")}
32
+ };
33
+
34
+ #define __CAP_COUNT #{cap_count}
35
+ EOS
36
+ end
37
+
13
38
  unless have_library('cap')
14
39
  abort <<-EOS
15
40
  -----
Binary file
@@ -1,3 +1,3 @@
1
1
  module Cap2
2
- Version = '0.1.0'
2
+ Version = '0.1.1'
3
3
  end
@@ -10,9 +10,9 @@ describe Cap2::File do
10
10
  it { should_not be_permitted(:dac_override) }
11
11
  end
12
12
 
13
- context 'when the process does have the given capability' do
13
+ context 'when the file does have the given capability' do
14
14
  before(:each) do
15
- system %{sudo setcap "cap_dac_override+p" #{file.path}}
15
+ run_as_root('permit(:dac_override)')
16
16
  end
17
17
 
18
18
  it { should be_permitted(:dac_override) }
@@ -24,9 +24,9 @@ describe Cap2::File do
24
24
  it { should_not be_effective(:dac_override) }
25
25
  end
26
26
 
27
- context 'when the process does have the given capability' do
27
+ context 'when the file does have the given capability' do
28
28
  before(:each) do
29
- system %{sudo setcap "cap_dac_override+pe" #{file.path}}
29
+ run_as_root('permit(:dac_override)', 'enable_on_exec(:dac_override)')
30
30
  end
31
31
 
32
32
  it { should be_effective(:dac_override) }
@@ -38,9 +38,9 @@ describe Cap2::File do
38
38
  it { should_not be_inheritable(:dac_override) }
39
39
  end
40
40
 
41
- context 'when the process does have the given capability' do
41
+ context 'when the file does have the given capability' do
42
42
  before(:each) do
43
- system %{sudo setcap "cap_dac_override+i" #{file.path}}
43
+ run_as_root('allow_inherit(:dac_override)')
44
44
  end
45
45
 
46
46
  it { should be_inheritable(:dac_override) }
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: cap2
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.0
4
+ version: 0.1.1
5
5
  prerelease:
6
6
  platform: ruby
7
7
  authors:
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2012-08-30 00:00:00.000000000 Z
12
+ date: 2012-09-02 00:00:00.000000000 Z
13
13
  dependencies: []
14
14
  description: ! " Cap2 is a Ruby library for managing the POSIX 1003.1e capabilities\n
15
15
  \ available in Linux kernels.\n\n These capabilities are a partitioning of
@@ -25,6 +25,7 @@ files:
25
25
  - README.md
26
26
  - Rakefile
27
27
  - LICENSE
28
+ - ext/cap2/cap2.h
28
29
  - ext/cap2/extconf.rb
29
30
  - ext/cap2/cap2.c
30
31
  - lib/cap2.rb