cap2 0.1.0 → 0.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/ext/cap2/cap2.c +21 -46
- data/ext/cap2/cap2.h +43 -0
- data/ext/cap2/extconf.rb +25 -0
- data/lib/cap2.so +0 -0
- data/lib/cap2/version.rb +1 -1
- data/spec/file_spec.rb +6 -6
- metadata +3 -2
data/ext/cap2/cap2.c
CHANGED
|
@@ -2,11 +2,12 @@
|
|
|
2
2
|
#include <errno.h>
|
|
3
3
|
#include <unistd.h>
|
|
4
4
|
#include <sys/capability.h>
|
|
5
|
+
#include "cap2.h"
|
|
5
6
|
|
|
6
7
|
/*
|
|
7
8
|
* Converts a Ruby symbol into cap_flag_t set, defined in <sys/capability.h>
|
|
8
9
|
*
|
|
9
|
-
* Raises an ArgumentError if set is not a valid capability set
|
|
10
|
+
* Raises an ArgumentError if set is not a valid capability set.
|
|
10
11
|
*/
|
|
11
12
|
cap_flag_t cap2_sym_to_set(VALUE set) {
|
|
12
13
|
char *set_s;
|
|
@@ -24,62 +25,36 @@ cap_flag_t cap2_sym_to_set(VALUE set) {
|
|
|
24
25
|
}
|
|
25
26
|
|
|
26
27
|
/*
|
|
27
|
-
*
|
|
28
|
-
*
|
|
28
|
+
* Lookup the value of a capability in cap2_caps, defined in cap2.h
|
|
29
|
+
* (cap2.h is generated dynamically by extconf.rb).
|
|
29
30
|
*
|
|
30
|
-
* Raises an ArgumentError if
|
|
31
|
+
* Raises an ArgumentError if name is not a valid capability name.
|
|
31
32
|
*/
|
|
32
|
-
cap_value_t
|
|
33
|
-
|
|
33
|
+
cap_value_t cap2_cap_value(const char *name) {
|
|
34
|
+
int i;
|
|
35
|
+
|
|
36
|
+
for(i = 0; i < __CAP_COUNT; i++) {
|
|
37
|
+
if(strcmp(cap2_caps[i].name, name) == 0)
|
|
38
|
+
return cap2_caps[i].value;
|
|
39
|
+
}
|
|
40
|
+
|
|
41
|
+
rb_raise(rb_eArgError, "unknown capability %s", name);
|
|
42
|
+
}
|
|
34
43
|
|
|
44
|
+
/*
|
|
45
|
+
* Converts a Ruby symbol into a cap_value_t capability value.
|
|
46
|
+
*/
|
|
47
|
+
cap_value_t cap2_sym_to_cap(VALUE cap) {
|
|
35
48
|
Check_Type(cap, T_SYMBOL);
|
|
36
49
|
|
|
37
50
|
cap = rb_sym_to_s(cap);
|
|
38
51
|
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
if(strcmp(cap_s, "chown") == 0) return CAP_CHOWN;
|
|
42
|
-
else if(strcmp(cap_s, "dac_override") == 0) return CAP_DAC_OVERRIDE;
|
|
43
|
-
else if(strcmp(cap_s, "dac_read_search") == 0) return CAP_DAC_READ_SEARCH;
|
|
44
|
-
else if(strcmp(cap_s, "fowner") == 0) return CAP_FOWNER;
|
|
45
|
-
else if(strcmp(cap_s, "fsetid") == 0) return CAP_FSETID;
|
|
46
|
-
else if(strcmp(cap_s, "kill") == 0) return CAP_KILL;
|
|
47
|
-
else if(strcmp(cap_s, "setgid") == 0) return CAP_SETGID;
|
|
48
|
-
else if(strcmp(cap_s, "setuid") == 0) return CAP_SETUID;
|
|
49
|
-
else if(strcmp(cap_s, "setpcap") == 0) return CAP_SETPCAP;
|
|
50
|
-
else if(strcmp(cap_s, "linux_immutable") == 0) return CAP_LINUX_IMMUTABLE;
|
|
51
|
-
else if(strcmp(cap_s, "net_bind_service") == 0) return CAP_NET_BIND_SERVICE;
|
|
52
|
-
else if(strcmp(cap_s, "net_broadcast") == 0) return CAP_NET_BROADCAST;
|
|
53
|
-
else if(strcmp(cap_s, "net_admin") == 0) return CAP_NET_ADMIN;
|
|
54
|
-
else if(strcmp(cap_s, "net_raw") == 0) return CAP_NET_RAW;
|
|
55
|
-
else if(strcmp(cap_s, "ipc_lock") == 0) return CAP_IPC_LOCK;
|
|
56
|
-
else if(strcmp(cap_s, "ipc_owner") == 0) return CAP_IPC_OWNER;
|
|
57
|
-
else if(strcmp(cap_s, "sys_module") == 0) return CAP_SYS_MODULE;
|
|
58
|
-
else if(strcmp(cap_s, "sys_rawio") == 0) return CAP_SYS_RAWIO;
|
|
59
|
-
else if(strcmp(cap_s, "sys_chroot") == 0) return CAP_SYS_CHROOT;
|
|
60
|
-
else if(strcmp(cap_s, "sys_ptrace") == 0) return CAP_SYS_PTRACE;
|
|
61
|
-
else if(strcmp(cap_s, "sys_pacct") == 0) return CAP_SYS_PACCT;
|
|
62
|
-
else if(strcmp(cap_s, "sys_admin") == 0) return CAP_SYS_ADMIN;
|
|
63
|
-
else if(strcmp(cap_s, "sys_boot") == 0) return CAP_SYS_BOOT;
|
|
64
|
-
else if(strcmp(cap_s, "sys_nice") == 0) return CAP_SYS_NICE;
|
|
65
|
-
else if(strcmp(cap_s, "sys_resource") == 0) return CAP_SYS_RESOURCE;
|
|
66
|
-
else if(strcmp(cap_s, "sys_time") == 0) return CAP_SYS_TIME;
|
|
67
|
-
else if(strcmp(cap_s, "sys_tty_config") == 0) return CAP_SYS_TTY_CONFIG;
|
|
68
|
-
else if(strcmp(cap_s, "mknod") == 0) return CAP_MKNOD;
|
|
69
|
-
else if(strcmp(cap_s, "lease") == 0) return CAP_LEASE;
|
|
70
|
-
else if(strcmp(cap_s, "audit_write") == 0) return CAP_AUDIT_WRITE;
|
|
71
|
-
else if(strcmp(cap_s, "audit_control") == 0) return CAP_AUDIT_CONTROL;
|
|
72
|
-
else if(strcmp(cap_s, "setfcap") == 0) return CAP_SETFCAP;
|
|
73
|
-
else if(strcmp(cap_s, "mac_override") == 0) return CAP_MAC_OVERRIDE;
|
|
74
|
-
else if(strcmp(cap_s, "mac_admin") == 0) return CAP_MAC_ADMIN;
|
|
75
|
-
else if(strcmp(cap_s, "syslog") == 0) return CAP_SYSLOG;
|
|
76
|
-
else if(strcmp(cap_s, "wake_alarm") == 0) return CAP_WAKE_ALARM;
|
|
77
|
-
else rb_raise(rb_eArgError, "unknown capability %s", cap_s);
|
|
52
|
+
return cap2_cap_value(StringValueCStr(cap));
|
|
78
53
|
}
|
|
79
54
|
|
|
80
55
|
/*
|
|
81
56
|
* Returns a boolean representing whether cap_d has the given capability enabled
|
|
82
|
-
* in the given set
|
|
57
|
+
* in the given set.
|
|
83
58
|
*/
|
|
84
59
|
VALUE cap2_has_cap(cap_t cap_d, VALUE set_sym, VALUE cap_sym) {
|
|
85
60
|
cap_flag_t set;
|
data/ext/cap2/cap2.h
ADDED
|
@@ -0,0 +1,43 @@
|
|
|
1
|
+
struct {
|
|
2
|
+
int value;
|
|
3
|
+
char name[32];
|
|
4
|
+
} cap2_caps[] = {
|
|
5
|
+
{ 0, "chown" },
|
|
6
|
+
{ 1, "dac_override" },
|
|
7
|
+
{ 2, "dac_read_search" },
|
|
8
|
+
{ 3, "fowner" },
|
|
9
|
+
{ 4, "fsetid" },
|
|
10
|
+
{ 5, "kill" },
|
|
11
|
+
{ 6, "setgid" },
|
|
12
|
+
{ 7, "setuid" },
|
|
13
|
+
{ 8, "setpcap" },
|
|
14
|
+
{ 9, "linux_immutable" },
|
|
15
|
+
{ 10, "net_bind_service" },
|
|
16
|
+
{ 11, "net_broadcast" },
|
|
17
|
+
{ 12, "net_admin" },
|
|
18
|
+
{ 13, "net_raw" },
|
|
19
|
+
{ 14, "ipc_lock" },
|
|
20
|
+
{ 15, "ipc_owner" },
|
|
21
|
+
{ 16, "sys_module" },
|
|
22
|
+
{ 17, "sys_rawio" },
|
|
23
|
+
{ 18, "sys_chroot" },
|
|
24
|
+
{ 19, "sys_ptrace" },
|
|
25
|
+
{ 20, "sys_pacct" },
|
|
26
|
+
{ 21, "sys_admin" },
|
|
27
|
+
{ 22, "sys_boot" },
|
|
28
|
+
{ 23, "sys_nice" },
|
|
29
|
+
{ 24, "sys_resource" },
|
|
30
|
+
{ 25, "sys_time" },
|
|
31
|
+
{ 26, "sys_tty_config" },
|
|
32
|
+
{ 27, "mknod" },
|
|
33
|
+
{ 28, "lease" },
|
|
34
|
+
{ 29, "audit_write" },
|
|
35
|
+
{ 30, "audit_control" },
|
|
36
|
+
{ 31, "setfcap" },
|
|
37
|
+
{ 32, "mac_override" },
|
|
38
|
+
{ 33, "mac_admin" },
|
|
39
|
+
{ 34, "syslog" },
|
|
40
|
+
{ 35, "wake_alarm" }
|
|
41
|
+
};
|
|
42
|
+
|
|
43
|
+
#define __CAP_COUNT 36
|
data/ext/cap2/extconf.rb
CHANGED
|
@@ -10,6 +10,31 @@ unless have_header('sys/capability.h')
|
|
|
10
10
|
EOS
|
|
11
11
|
end
|
|
12
12
|
|
|
13
|
+
# Generate cap2.h dynamically to define cap2_caps, an array of capability
|
|
14
|
+
# name / value pairs, with values as defined in <linux/capability.h>
|
|
15
|
+
File.open(File.dirname(__FILE__) + '/cap2.h', 'w') do |file|
|
|
16
|
+
cap_count = 0
|
|
17
|
+
caps = []
|
|
18
|
+
|
|
19
|
+
File.
|
|
20
|
+
readlines('/usr/include/linux/capability.h').
|
|
21
|
+
grep(/#define CAP_([\w_]+)\s+(\d+)/) do
|
|
22
|
+
caps << %[{ #{$2}, "#{$1.downcase}" }]
|
|
23
|
+
cap_count += 1
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
file.puts <<-EOS
|
|
27
|
+
struct {
|
|
28
|
+
int value;
|
|
29
|
+
char name[32];
|
|
30
|
+
} cap2_caps[] = {
|
|
31
|
+
#{caps.join(",\n ")}
|
|
32
|
+
};
|
|
33
|
+
|
|
34
|
+
#define __CAP_COUNT #{cap_count}
|
|
35
|
+
EOS
|
|
36
|
+
end
|
|
37
|
+
|
|
13
38
|
unless have_library('cap')
|
|
14
39
|
abort <<-EOS
|
|
15
40
|
-----
|
data/lib/cap2.so
CHANGED
|
Binary file
|
data/lib/cap2/version.rb
CHANGED
data/spec/file_spec.rb
CHANGED
|
@@ -10,9 +10,9 @@ describe Cap2::File do
|
|
|
10
10
|
it { should_not be_permitted(:dac_override) }
|
|
11
11
|
end
|
|
12
12
|
|
|
13
|
-
context 'when the
|
|
13
|
+
context 'when the file does have the given capability' do
|
|
14
14
|
before(:each) do
|
|
15
|
-
|
|
15
|
+
run_as_root('permit(:dac_override)')
|
|
16
16
|
end
|
|
17
17
|
|
|
18
18
|
it { should be_permitted(:dac_override) }
|
|
@@ -24,9 +24,9 @@ describe Cap2::File do
|
|
|
24
24
|
it { should_not be_effective(:dac_override) }
|
|
25
25
|
end
|
|
26
26
|
|
|
27
|
-
context 'when the
|
|
27
|
+
context 'when the file does have the given capability' do
|
|
28
28
|
before(:each) do
|
|
29
|
-
|
|
29
|
+
run_as_root('permit(:dac_override)', 'enable_on_exec(:dac_override)')
|
|
30
30
|
end
|
|
31
31
|
|
|
32
32
|
it { should be_effective(:dac_override) }
|
|
@@ -38,9 +38,9 @@ describe Cap2::File do
|
|
|
38
38
|
it { should_not be_inheritable(:dac_override) }
|
|
39
39
|
end
|
|
40
40
|
|
|
41
|
-
context 'when the
|
|
41
|
+
context 'when the file does have the given capability' do
|
|
42
42
|
before(:each) do
|
|
43
|
-
|
|
43
|
+
run_as_root('allow_inherit(:dac_override)')
|
|
44
44
|
end
|
|
45
45
|
|
|
46
46
|
it { should be_inheritable(:dac_override) }
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: cap2
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.1
|
|
5
5
|
prerelease:
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2012-
|
|
12
|
+
date: 2012-09-02 00:00:00.000000000 Z
|
|
13
13
|
dependencies: []
|
|
14
14
|
description: ! " Cap2 is a Ruby library for managing the POSIX 1003.1e capabilities\n
|
|
15
15
|
\ available in Linux kernels.\n\n These capabilities are a partitioning of
|
|
@@ -25,6 +25,7 @@ files:
|
|
|
25
25
|
- README.md
|
|
26
26
|
- Rakefile
|
|
27
27
|
- LICENSE
|
|
28
|
+
- ext/cap2/cap2.h
|
|
28
29
|
- ext/cap2/extconf.rb
|
|
29
30
|
- ext/cap2/cap2.c
|
|
30
31
|
- lib/cap2.rb
|