cap2 0.2.0 → 0.2.1

data/README.md

@@ -49,25 +49,26 @@ Capabilities are referenced using lower cased symbols, and without the CAP_ pref
 
 ### Querying Capabilities
 
-There are three methods - `permitted?`, `enabled?` and `inheritable?` - defined on both `Cap2::Process` and `Cap2::File` for querying capabilities. Each of these methods, Cap2::File#enabled? being the exception, take a capability symbol and return true / false if the capability is in / not in the relevant set:
+There are three methods - `permitted?`, `enabled?` and `inheritable?` - defined on both `Cap2::Process` and `Cap2::File` for querying capabilities. Each of these methods, Cap2::File#enabled? being the exception, take a list of capability symbols and return true / false if the capabilities are in / not in the relevant set:
 
 ```
 # the init daemon - all caps permitted & enabled but not inheritable
-init = Cap2.process(1)      # => #<Cap2::Process @pid=1>
+init = Cap2.process(1)            # => #<Cap2::Process @pid=1>
 
-init.permitted?(:kill)      # => true
-init.permitted?(:chown)     # => true
+init.permitted?(:kill)            # => true
+init.permitted?(:chown, :fowner)  # => true
 
-init.enabled?(:fowner)      # => true
+init.enabled?(:fowner)            # => true
+init.enabled?(:kill, :chown)      # => true
 
-init.inheritable?(:kill)    # => false
-init.inheritable?(:fowner)  # => false
+init.inheritable?(:chown)         # => false
+init.inheritable?(:fowner, :kill) # => false
 
 # assume /bin/ping is using file capabilities to enable CAP_NET_RAW on exec
 ping = Cap2.file('/bin/ping')   # => #<Cap2::File @filename="/bin/ping">
 
 ping.permitted?(:net_raw)       # => true
-ping.permitted?(:mknod)         # => false
+ping.permitted?(:mknod, :chown) # => false
 
 ping.enabled?                   # => true
 
@@ -87,17 +88,19 @@ Cap2 provides different levels of control over process and file capabilities.
 To modify the permitted capabilities of a file (i.e. the capabilities which will be permitted in any process that exec's the file), use `Cap2::File#permit` and `Cap2::File#unpermit`:
 
 ```
-Cap2.process.enabled?(:setfcap)     # => true - needed to set file capabilities
+Cap2.process.enabled?(:setfcap)          # => true - needed to set file capabilities
 
-file = Cap2.file('/tmp/file')       # => #<Cap2::File @filename="/tmp/file">
+file = Cap2.file('/tmp/file')            # => #<Cap2::File @filename="/tmp/file">
 
-file.permitted?(:mknod)             # => false
+file.permitted?(:mknod, :chown, :fowner) # => false
 
-file.permit(:mknod)                 # => true
-file.permitted?(:mknod)             # => true
+file.permit(:mknod)                      # => true
+file.permit(:chown, :fowner)             # => true
+file.permitted?(:mknod, :chown, :fowner) # => true
 
-file.unpermit(:mknod)               # => true
-file.permitted?(:mknod)             # => false
+file.unpermit(:mknod)                    # => true
+file.unpermit(:chown, :fowner)           # => true
+file.permitted?(:mknod, :chown, :fowner) # => false
 ```
 
 To modify the effective bit of a file (i.e. whether the resulting permitted capabilities of any process that exec's the file will also be enabled in it's effective set), use `Cap2::File#enable` and `Cap2::File#disable`:
@@ -133,6 +136,28 @@ file.disallow_inherit(:fowner)      # => true
 file.inheritable?(:fowner)          # => false
 ```
 
+To clear all capabilities for a file, use Cap2::File#clear:
+
+```
+Cap2.process.enabled?(:setfcap)     # => true - needed to set file capabilities
+
+file = Cap2.file('/tmp/file')       # => #<Cap2::File @filename="/tmp/file">
+
+file.permit(:kill, :mknod)          # => true
+file.allow_inherit(:kill, :mknod)   # => true
+file.enable                         # => true
+
+file.permitted?(:kill, :mknod)      # => true
+file.inheritable?(:kill, :mknod)    # => true
+file.enabled?                       # => true
+
+file.clear                          # => true
+
+file.permitted?(:kill, :mknod)      # => false
+file.inheritable?(:kill, :mknod)    # => false
+file.enabled?                       # => false
+```
+
 #### Processes
 
 Cap2 can be used to enable / disable capabilities of the current Ruby process.

data/lib/cap2/file.rb

@@ -8,16 +8,16 @@ module Cap2
       @caps     = getcaps
     end
 
-    # Returns whether the given capability is permitted
-    def permitted?(capability)
+    # Returns whether the given capabilities are permitted
+    def permitted?(*capabilities)
       reload
-      @caps[:permitted].include? capability
+      @caps[:permitted].superset? Set[*capabilities]
     end
 
-    # Returns whether the given capability is inheritable
-    def inheritable?(capability)
+    # Returns whether the given capabilities are inheritable
+    def inheritable?(*capabilities)
       reload
-      @caps[:inheritable].include? capability
+      @caps[:inheritable].superset? Set[*capabilities]
     end
 
     # Returns whether or not the file has any effective
@@ -28,26 +28,26 @@ module Cap2
     end
 
     # Permit processes executing this file to enable the given capability.
-    def permit(capability)
-      @caps[:permitted].add(capability)
+    def permit(*capabilities)
+      @caps[:permitted].merge(capabilities)
       save
     end
 
     # Dont permit processes executing this file to enable the given capability.
-    def unpermit(capability)
-      @caps[:permitted].delete(capability)
+    def unpermit(*capabilities)
+      @caps[:permitted].subtract(capabilities)
       save
     end
 
     # Allow processes executing this file to inherit the given capability.
-    def allow_inherit(capability)
-      @caps[:inheritable].add(capability)
+    def allow_inherit(*capabilities)
+      @caps[:inheritable].merge(capabilities)
       save
     end
 
     # Dont allow processes executing this file to inherit the given capability.
-    def disallow_inherit(capability)
-      @caps[:inheritable].delete(capability)
+    def disallow_inherit(*capabilities)
+      @caps[:inheritable].subtract(capabilities)
       save
     end
 
@@ -63,6 +63,12 @@ module Cap2
       save
     end
 
+    # Clear all capabilites
+    def clear
+      @caps.each_pair { |_, s| s.clear }
+      save
+    end
+
     private
     def reload
       @caps = getcaps

data/lib/cap2/process.rb

@@ -8,22 +8,22 @@ module Cap2
       @caps = getcaps
     end
 
-    # Returns whether the given capability is permitted
-    def permitted?(capability)
+    # Returns whether the given capabilities are permitted
+    def permitted?(*capabilities)
       reload
-      @caps[:permitted].include? capability
+      @caps[:permitted].superset? Set[*capabilities]
     end
 
-    # Returns whether the given capability is enabled
-    def enabled?(capability)
+    # Returns whether the given capabilities are enabled
+    def enabled?(*capabilities)
       reload
-      @caps[:effective].include? capability
+      @caps[:effective].superset? Set[*capabilities]
     end
 
-    # Returns whether the given capability is inheritable
-    def inheritable?(capability)
+    # Returns whether the given capabilities are inheritable
+    def inheritable?(capabilities)
       reload
-      @caps[:inheritable].include? capability
+      @caps[:inheritable].superset? Set[*capabilities]
     end
 
     # Enable the given capability for this process.
@@ -44,7 +44,7 @@ module Cap2
     # Raises a RuntimeError if the process's pid is not the same as the current
     # pid (you cannot enable capabilities for other processes, that's their job).
     def check_pid
-      unless @pid == Process.pid
+      unless @pid == ::Process.pid
         raise 'Cannot modify capabilities of other processes'
       end
     end

data/lib/cap2/version.rb

@@ -1,3 +1,3 @@
 module Cap2
-  Version = '0.2.0'
+  Version = '0.2.1'
 end

data/spec/file_spec.rb

@@ -5,17 +5,21 @@ describe Cap2::File do
 
   subject { Cap2::File.new(file.path) }
 
+  before(:each) do
+    run_as_root('clear')
+  end
+
   describe '#permitted?' do
-    context "when the file doesn't have the given capability" do
-      it { should_not be_permitted(:dac_override) }
+    context "when the file doesn't have the given capabilities" do
+      it { should_not be_permitted(:dac_override, :chown) }
     end
 
-    context 'when the file does have the given capability' do
+    context 'when the file does have the given capabilities' do
       before(:each) do
-        run_as_root('permit(:dac_override)')
+        run_as_root('permit(:dac_override, :chown)')
       end
 
-      it { should be_permitted(:dac_override) }
+      it { should be_permitted(:dac_override, :chown) }
     end
   end
 
@@ -34,35 +38,45 @@ describe Cap2::File do
   end
 
   describe '#inheritable?' do
-    context "when the file doesn't have the given capability" do
-      it { should_not be_inheritable(:dac_override) }
+    context "when the file doesn't have the given capabilities" do
+      it { should_not be_inheritable(:dac_override, :chown) }
     end
 
-    context 'when the file does have the given capability' do
+    context 'when the file does have the given capabilities' do
       before(:each) do
-        run_as_root('allow_inherit(:dac_override)')
+        run_as_root('allow_inherit(:dac_override, :chown)')
       end
 
-      it { should be_inheritable(:dac_override) }
+      it { should be_inheritable(:dac_override, :chown) }
     end
   end
 
   describe '#permit' do
     specify do
-      expect { running_as_root('permit(:fowner)') }.to \
+      expect { running_as_root('permit(:fowner, :kill)') }.to \
         change { subject.permitted?(:fowner) }.from(false).to(true)
     end
+
+    specify do
+      expect { running_as_root('permit(:fowner, :kill)') }.to \
+        change { subject.permitted?(:kill) }.from(false).to(true)
+    end
   end
 
   describe '#unpermit' do
     before(:each) do
-      run_as_root('permit(:fowner)')
+      run_as_root('permit(:fowner, :kill)')
     end
 
     specify do
-      expect { running_as_root('unpermit(:fowner)') }.to \
+      expect { running_as_root('unpermit(:fowner, :kill)') }.to \
         change { subject.permitted?(:fowner) }.from(true).to(false)
     end
+
+    specify do
+      expect { running_as_root('unpermit(:fowner, :kill)') }.to \
+        change { subject.permitted?(:kill) }.from(true).to(false)
+    end
   end
 
   describe '#allow_inherit' do
@@ -129,6 +143,18 @@ describe Cap2::File do
     end
   end
 
+  describe '#clear' do
+    it 'should clear all capabilities' do
+      run_as_root('permit(:kill)', 'allow_inherit(:kill)', 'enable')
+
+      run_as_root('clear')
+
+      subject.should_not be_permitted(:kill)
+      subject.should_not be_inheritable(:kill)
+      subject.should_not be_enabled
+    end
+  end
+
   # FIXME: Would like to call the given code on subject directly (e.g.
   #        `subject.permit(:fowner)`) but this would require the test
   #        suite to be run as root?

data/spec/process_spec.rb

@@ -2,30 +2,30 @@ require 'spec_helper'
 
 describe Cap2::Process do
   describe '#permitted?' do
-    context "when the process doesn't have the given capability" do
+    context "when the process doesn't have the given capabilities" do
       subject { Cap2::Process.new(Process.pid) }
 
-      it { should_not be_permitted(:dac_override) }
+      it { should_not be_permitted(:dac_override, :chown) }
     end
 
-    context 'when the process does have the given capability' do
+    context 'when the process does have the given capabilities' do
       subject { Cap2::Process.new(1) }
 
-      it { should be_permitted(:dac_override) }
+      it { should be_permitted(:dac_override, :chown) }
     end
   end
 
   describe '#enabled?' do
-    context "when the process doesn't have the given capability" do
+    context "when the process doesn't have the given capabilities" do
       subject { Cap2::Process.new(Process.pid) }
 
-      it { should_not be_enabled(:dac_override) }
+      it { should_not be_enabled(:dac_override, :chown) }
     end
 
-    context 'when the process does have the given capability' do
+    context 'when the process does have the given capabilities' do
       subject { Cap2::Process.new(1) }
 
-      it { should be_enabled(:dac_override) }
+      it { should be_enabled(:dac_override, :chown) }
     end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cap2
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.2.1
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-09-07 00:00:00.000000000 Z
+date: 2012-09-08 00:00:00.000000000 Z
 dependencies: []
 description: ! "    Cap2 is a Ruby library for managing the POSIX 1003.1e capabilities\n
   \   available in Linux kernels.\n\n    These capabilities are a partitioning of