cap2 0.1.0 → 0.1.1
Sign up to get free protection for your applications and to get access to all the features.
- data/ext/cap2/cap2.c +21 -46
- data/ext/cap2/cap2.h +43 -0
- data/ext/cap2/extconf.rb +25 -0
- data/lib/cap2.so +0 -0
- data/lib/cap2/version.rb +1 -1
- data/spec/file_spec.rb +6 -6
- metadata +3 -2
data/ext/cap2/cap2.c
CHANGED
|
@@ -2,11 +2,12 @@
|
|
|
2
2
|
#include <errno.h>
|
|
3
3
|
#include <unistd.h>
|
|
4
4
|
#include <sys/capability.h>
|
|
5
|
+
#include "cap2.h"
|
|
5
6
|
|
|
6
7
|
/*
|
|
7
8
|
* Converts a Ruby symbol into cap_flag_t set, defined in <sys/capability.h>
|
|
8
9
|
*
|
|
9
|
-
* Raises an ArgumentError if set is not a valid capability set
|
|
10
|
+
* Raises an ArgumentError if set is not a valid capability set.
|
|
10
11
|
*/
|
|
11
12
|
cap_flag_t cap2_sym_to_set(VALUE set) {
|
|
12
13
|
char *set_s;
|
|
@@ -24,62 +25,36 @@ cap_flag_t cap2_sym_to_set(VALUE set) {
|
|
|
24
25
|
}
|
|
25
26
|
|
|
26
27
|
/*
|
|
27
|
-
*
|
|
28
|
-
*
|
|
28
|
+
* Lookup the value of a capability in cap2_caps, defined in cap2.h
|
|
29
|
+
* (cap2.h is generated dynamically by extconf.rb).
|
|
29
30
|
*
|
|
30
|
-
* Raises an ArgumentError if
|
|
31
|
+
* Raises an ArgumentError if name is not a valid capability name.
|
|
31
32
|
*/
|
|
32
|
-
cap_value_t
|
|
33
|
-
|
|
33
|
+
cap_value_t cap2_cap_value(const char *name) {
|
|
34
|
+
int i;
|
|
35
|
+
|
|
36
|
+
for(i = 0; i < __CAP_COUNT; i++) {
|
|
37
|
+
if(strcmp(cap2_caps[i].name, name) == 0)
|
|
38
|
+
return cap2_caps[i].value;
|
|
39
|
+
}
|
|
40
|
+
|
|
41
|
+
rb_raise(rb_eArgError, "unknown capability %s", name);
|
|
42
|
+
}
|
|
34
43
|
|
|
44
|
+
/*
|
|
45
|
+
* Converts a Ruby symbol into a cap_value_t capability value.
|
|
46
|
+
*/
|
|
47
|
+
cap_value_t cap2_sym_to_cap(VALUE cap) {
|
|
35
48
|
Check_Type(cap, T_SYMBOL);
|
|
36
49
|
|
|
37
50
|
cap = rb_sym_to_s(cap);
|
|
38
51
|
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
if(strcmp(cap_s, "chown") == 0) return CAP_CHOWN;
|
|
42
|
-
else if(strcmp(cap_s, "dac_override") == 0) return CAP_DAC_OVERRIDE;
|
|
43
|
-
else if(strcmp(cap_s, "dac_read_search") == 0) return CAP_DAC_READ_SEARCH;
|
|
44
|
-
else if(strcmp(cap_s, "fowner") == 0) return CAP_FOWNER;
|
|
45
|
-
else if(strcmp(cap_s, "fsetid") == 0) return CAP_FSETID;
|
|
46
|
-
else if(strcmp(cap_s, "kill") == 0) return CAP_KILL;
|
|
47
|
-
else if(strcmp(cap_s, "setgid") == 0) return CAP_SETGID;
|
|
48
|
-
else if(strcmp(cap_s, "setuid") == 0) return CAP_SETUID;
|
|
49
|
-
else if(strcmp(cap_s, "setpcap") == 0) return CAP_SETPCAP;
|
|
50
|
-
else if(strcmp(cap_s, "linux_immutable") == 0) return CAP_LINUX_IMMUTABLE;
|
|
51
|
-
else if(strcmp(cap_s, "net_bind_service") == 0) return CAP_NET_BIND_SERVICE;
|
|
52
|
-
else if(strcmp(cap_s, "net_broadcast") == 0) return CAP_NET_BROADCAST;
|
|
53
|
-
else if(strcmp(cap_s, "net_admin") == 0) return CAP_NET_ADMIN;
|
|
54
|
-
else if(strcmp(cap_s, "net_raw") == 0) return CAP_NET_RAW;
|
|
55
|
-
else if(strcmp(cap_s, "ipc_lock") == 0) return CAP_IPC_LOCK;
|
|
56
|
-
else if(strcmp(cap_s, "ipc_owner") == 0) return CAP_IPC_OWNER;
|
|
57
|
-
else if(strcmp(cap_s, "sys_module") == 0) return CAP_SYS_MODULE;
|
|
58
|
-
else if(strcmp(cap_s, "sys_rawio") == 0) return CAP_SYS_RAWIO;
|
|
59
|
-
else if(strcmp(cap_s, "sys_chroot") == 0) return CAP_SYS_CHROOT;
|
|
60
|
-
else if(strcmp(cap_s, "sys_ptrace") == 0) return CAP_SYS_PTRACE;
|
|
61
|
-
else if(strcmp(cap_s, "sys_pacct") == 0) return CAP_SYS_PACCT;
|
|
62
|
-
else if(strcmp(cap_s, "sys_admin") == 0) return CAP_SYS_ADMIN;
|
|
63
|
-
else if(strcmp(cap_s, "sys_boot") == 0) return CAP_SYS_BOOT;
|
|
64
|
-
else if(strcmp(cap_s, "sys_nice") == 0) return CAP_SYS_NICE;
|
|
65
|
-
else if(strcmp(cap_s, "sys_resource") == 0) return CAP_SYS_RESOURCE;
|
|
66
|
-
else if(strcmp(cap_s, "sys_time") == 0) return CAP_SYS_TIME;
|
|
67
|
-
else if(strcmp(cap_s, "sys_tty_config") == 0) return CAP_SYS_TTY_CONFIG;
|
|
68
|
-
else if(strcmp(cap_s, "mknod") == 0) return CAP_MKNOD;
|
|
69
|
-
else if(strcmp(cap_s, "lease") == 0) return CAP_LEASE;
|
|
70
|
-
else if(strcmp(cap_s, "audit_write") == 0) return CAP_AUDIT_WRITE;
|
|
71
|
-
else if(strcmp(cap_s, "audit_control") == 0) return CAP_AUDIT_CONTROL;
|
|
72
|
-
else if(strcmp(cap_s, "setfcap") == 0) return CAP_SETFCAP;
|
|
73
|
-
else if(strcmp(cap_s, "mac_override") == 0) return CAP_MAC_OVERRIDE;
|
|
74
|
-
else if(strcmp(cap_s, "mac_admin") == 0) return CAP_MAC_ADMIN;
|
|
75
|
-
else if(strcmp(cap_s, "syslog") == 0) return CAP_SYSLOG;
|
|
76
|
-
else if(strcmp(cap_s, "wake_alarm") == 0) return CAP_WAKE_ALARM;
|
|
77
|
-
else rb_raise(rb_eArgError, "unknown capability %s", cap_s);
|
|
52
|
+
return cap2_cap_value(StringValueCStr(cap));
|
|
78
53
|
}
|
|
79
54
|
|
|
80
55
|
/*
|
|
81
56
|
* Returns a boolean representing whether cap_d has the given capability enabled
|
|
82
|
-
* in the given set
|
|
57
|
+
* in the given set.
|
|
83
58
|
*/
|
|
84
59
|
VALUE cap2_has_cap(cap_t cap_d, VALUE set_sym, VALUE cap_sym) {
|
|
85
60
|
cap_flag_t set;
|
data/ext/cap2/cap2.h
ADDED
|
@@ -0,0 +1,43 @@
|
|
|
1
|
+
struct {
|
|
2
|
+
int value;
|
|
3
|
+
char name[32];
|
|
4
|
+
} cap2_caps[] = {
|
|
5
|
+
{ 0, "chown" },
|
|
6
|
+
{ 1, "dac_override" },
|
|
7
|
+
{ 2, "dac_read_search" },
|
|
8
|
+
{ 3, "fowner" },
|
|
9
|
+
{ 4, "fsetid" },
|
|
10
|
+
{ 5, "kill" },
|
|
11
|
+
{ 6, "setgid" },
|
|
12
|
+
{ 7, "setuid" },
|
|
13
|
+
{ 8, "setpcap" },
|
|
14
|
+
{ 9, "linux_immutable" },
|
|
15
|
+
{ 10, "net_bind_service" },
|
|
16
|
+
{ 11, "net_broadcast" },
|
|
17
|
+
{ 12, "net_admin" },
|
|
18
|
+
{ 13, "net_raw" },
|
|
19
|
+
{ 14, "ipc_lock" },
|
|
20
|
+
{ 15, "ipc_owner" },
|
|
21
|
+
{ 16, "sys_module" },
|
|
22
|
+
{ 17, "sys_rawio" },
|
|
23
|
+
{ 18, "sys_chroot" },
|
|
24
|
+
{ 19, "sys_ptrace" },
|
|
25
|
+
{ 20, "sys_pacct" },
|
|
26
|
+
{ 21, "sys_admin" },
|
|
27
|
+
{ 22, "sys_boot" },
|
|
28
|
+
{ 23, "sys_nice" },
|
|
29
|
+
{ 24, "sys_resource" },
|
|
30
|
+
{ 25, "sys_time" },
|
|
31
|
+
{ 26, "sys_tty_config" },
|
|
32
|
+
{ 27, "mknod" },
|
|
33
|
+
{ 28, "lease" },
|
|
34
|
+
{ 29, "audit_write" },
|
|
35
|
+
{ 30, "audit_control" },
|
|
36
|
+
{ 31, "setfcap" },
|
|
37
|
+
{ 32, "mac_override" },
|
|
38
|
+
{ 33, "mac_admin" },
|
|
39
|
+
{ 34, "syslog" },
|
|
40
|
+
{ 35, "wake_alarm" }
|
|
41
|
+
};
|
|
42
|
+
|
|
43
|
+
#define __CAP_COUNT 36
|
data/ext/cap2/extconf.rb
CHANGED
|
@@ -10,6 +10,31 @@ unless have_header('sys/capability.h')
|
|
|
10
10
|
EOS
|
|
11
11
|
end
|
|
12
12
|
|
|
13
|
+
# Generate cap2.h dynamically to define cap2_caps, an array of capability
|
|
14
|
+
# name / value pairs, with values as defined in <linux/capability.h>
|
|
15
|
+
File.open(File.dirname(__FILE__) + '/cap2.h', 'w') do |file|
|
|
16
|
+
cap_count = 0
|
|
17
|
+
caps = []
|
|
18
|
+
|
|
19
|
+
File.
|
|
20
|
+
readlines('/usr/include/linux/capability.h').
|
|
21
|
+
grep(/#define CAP_([\w_]+)\s+(\d+)/) do
|
|
22
|
+
caps << %[{ #{$2}, "#{$1.downcase}" }]
|
|
23
|
+
cap_count += 1
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
file.puts <<-EOS
|
|
27
|
+
struct {
|
|
28
|
+
int value;
|
|
29
|
+
char name[32];
|
|
30
|
+
} cap2_caps[] = {
|
|
31
|
+
#{caps.join(",\n ")}
|
|
32
|
+
};
|
|
33
|
+
|
|
34
|
+
#define __CAP_COUNT #{cap_count}
|
|
35
|
+
EOS
|
|
36
|
+
end
|
|
37
|
+
|
|
13
38
|
unless have_library('cap')
|
|
14
39
|
abort <<-EOS
|
|
15
40
|
-----
|
data/lib/cap2.so
CHANGED
|
Binary file
|
data/lib/cap2/version.rb
CHANGED
data/spec/file_spec.rb
CHANGED
|
@@ -10,9 +10,9 @@ describe Cap2::File do
|
|
|
10
10
|
it { should_not be_permitted(:dac_override) }
|
|
11
11
|
end
|
|
12
12
|
|
|
13
|
-
context 'when the
|
|
13
|
+
context 'when the file does have the given capability' do
|
|
14
14
|
before(:each) do
|
|
15
|
-
|
|
15
|
+
run_as_root('permit(:dac_override)')
|
|
16
16
|
end
|
|
17
17
|
|
|
18
18
|
it { should be_permitted(:dac_override) }
|
|
@@ -24,9 +24,9 @@ describe Cap2::File do
|
|
|
24
24
|
it { should_not be_effective(:dac_override) }
|
|
25
25
|
end
|
|
26
26
|
|
|
27
|
-
context 'when the
|
|
27
|
+
context 'when the file does have the given capability' do
|
|
28
28
|
before(:each) do
|
|
29
|
-
|
|
29
|
+
run_as_root('permit(:dac_override)', 'enable_on_exec(:dac_override)')
|
|
30
30
|
end
|
|
31
31
|
|
|
32
32
|
it { should be_effective(:dac_override) }
|
|
@@ -38,9 +38,9 @@ describe Cap2::File do
|
|
|
38
38
|
it { should_not be_inheritable(:dac_override) }
|
|
39
39
|
end
|
|
40
40
|
|
|
41
|
-
context 'when the
|
|
41
|
+
context 'when the file does have the given capability' do
|
|
42
42
|
before(:each) do
|
|
43
|
-
|
|
43
|
+
run_as_root('allow_inherit(:dac_override)')
|
|
44
44
|
end
|
|
45
45
|
|
|
46
46
|
it { should be_inheritable(:dac_override) }
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: cap2
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.1
|
|
5
5
|
prerelease:
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2012-
|
|
12
|
+
date: 2012-09-02 00:00:00.000000000 Z
|
|
13
13
|
dependencies: []
|
|
14
14
|
description: ! " Cap2 is a Ruby library for managing the POSIX 1003.1e capabilities\n
|
|
15
15
|
\ available in Linux kernels.\n\n These capabilities are a partitioning of
|
|
@@ -25,6 +25,7 @@ files:
|
|
|
25
25
|
- README.md
|
|
26
26
|
- Rakefile
|
|
27
27
|
- LICENSE
|
|
28
|
+
- ext/cap2/cap2.h
|
|
28
29
|
- ext/cap2/extconf.rb
|
|
29
30
|
- ext/cap2/cap2.c
|
|
30
31
|
- lib/cap2.rb
|