cap2 0.1.1 → 0.2.0

data/README.md

@@ -49,16 +49,16 @@ Capabilities are referenced using lower cased symbols, and without the CAP_ pref
 
 ### Querying Capabilities
 
-There are three methods - `permitted?`, `effective?` and `inheritable?` - defined on both `Cap2::Process` and `Cap2::File` for querying capabilities. Each take a capability symbol and return true / false if the capability is in / not in the relevant set:
+There are three methods - `permitted?`, `enabled?` and `inheritable?` - defined on both `Cap2::Process` and `Cap2::File` for querying capabilities. Each of these methods, Cap2::File#enabled? being the exception, take a capability symbol and return true / false if the capability is in / not in the relevant set:
 
 ```
-# the init daemon - all caps permitted & effective but not inheritable
+# the init daemon - all caps permitted & enabled but not inheritable
 init = Cap2.process(1)      # => #<Cap2::Process @pid=1>
 
 init.permitted?(:kill)      # => true
 init.permitted?(:chown)     # => true
 
-init.effective?(:fowner)    # => true
+init.enabled?(:fowner)      # => true
 
 init.inheritable?(:kill)    # => false
 init.inheritable?(:fowner)  # => false
@@ -69,11 +69,15 @@ ping = Cap2.file('/bin/ping')   # => #<Cap2::File @filename="/bin/ping">
 ping.permitted?(:net_raw)       # => true
 ping.permitted?(:mknod)         # => false
 
-ping.effective?(:net_raw)       # => true
+ping.enabled?                   # => true
 
 ping.inheritable?(:net_raw)     # => false
 ```
 
+#### Why does Cap2::File#enabled? not take an arguement?
+
+Under the hood, the file effective set is just a single bit. When enabled, any process which exec's the file will have the capabilities from it's resulting permitted set also in it's effective set.
+
 ### Modifying Capabilities
 
 Cap2 provides different levels of control over process and file capabilities.
@@ -83,7 +87,7 @@ Cap2 provides different levels of control over process and file capabilities.
 To modify the permitted capabilities of a file (i.e. the capabilities which will be permitted in any process that exec's the file), use `Cap2::File#permit` and `Cap2::File#unpermit`:
 
 ```
-Cap2.process.effective?(:setfcap)   # => true - needed to set file capabilities
+Cap2.process.enabled?(:setfcap)     # => true - needed to set file capabilities
 
 file = Cap2.file('/tmp/file')       # => #<Cap2::File @filename="/tmp/file">
 
@@ -96,26 +100,27 @@ file.unpermit(:mknod)               # => true
 file.permitted?(:mknod)             # => false
 ```
 
-To modify the effective capabilities of a file (i.e. the capabilities which will be enabled in any process that exec's the file), use `Cap2::File#enable_on_exec` and `Cap2::File#disable_on_exec`:
+To modify the effective bit of a file (i.e. whether the resulting permitted capabilities of any process that exec's the file will also be enabled in it's effective set), use `Cap2::File#enable` and `Cap2::File#disable`:
 
 ```
-Cap2.process.effective?(:setfcap)   # => true - needed to set file capabilities
+Cap2.process.enabled?(:setfcap)     # => true - needed to set file capabilities
 
 file = Cap2.file('/tmp/file')       # => #<Cap2::File @filename="/tmp/file">
 
-file.effective?(:net_raw)           # => false
+file.permitted?(:net_raw)           # => true
+file.enabled?                       # => false
 
-file.enable_on_exec(:net_raw)       # => true
-file.effective?(:net_raw)           # => true
+file.enable                         # => true
+file.enabled?                       # => true
 
-file.disable_on_exec(:net_raw)      # => true
-file.effective?(:net_raw)           # => false
+file.disable                        # => true
+file.enabled?                       # => false
 ```
 
 To modify the inheritable capabilities of a file (i.e. the capabilities which will be ANDed with the inheritable set of any process that exec's the file to determine which capabilities are in the permitted set of the process), use `Cap2::File#allow_inherit` and `Cap2::File#disallow_inherit`:
 
 ```
-Cap2.process.effective?(:setfcap)   # => true - needed to set file capabilities
+Cap2.process.enabled?(:setfcap)     # => true - needed to set file capabilities
 
 file = Cap2.file('/tmp/file')       # => #<Cap2::File @filename="/tmp/file">
 
@@ -132,22 +137,22 @@ file.inheritable?(:fowner)          # => false
 
 Cap2 can be used to enable / disable capabilities of the current Ruby process.
 
-Suppose the ruby binary file permits :kill, but does not enable it on exec:
+Suppose the ruby binary file permits `:kill`, but does not enable it on exec:
 
 ```
 ruby = Cap2.file('/usr/bin/ruby')   # => #<Cap2::File @filename="/usr/bin/ruby">
 ruby.permitted?(:kill)              # => true
-ruby.effective?(:kill)              # => false
+ruby.enabled?                       # => false
 ```
 
 and we want to kill a process running as root with pid 1000:
 
 ```
-Cap2.process.effective?(:kill)  # => false
+Cap2.process.enabled?(:kill)    # => false
 Process.kill("TERM", 1000)      # => Errno::EPERM: Operation not permitted
 
 Cap2.process.enable(:kill)      # => true
-Cap2.process.effective?(:kill)  # => true
+Cap2.process.enabled?(:kill)    # => true
 Process.kill("TERM", 1000)      # => 1
 ```
 

data/ext/cap2/cap2.c

@@ -1,29 +1,10 @@
 #include <ruby.h>
+#include <stdbool.h>
 #include <errno.h>
 #include <unistd.h>
 #include <sys/capability.h>
 #include "cap2.h"
 
-/*
- * Converts a Ruby symbol into cap_flag_t set, defined in <sys/capability.h>
- *
- * Raises an ArgumentError if set is not a valid capability set.
- */
-cap_flag_t cap2_sym_to_set(VALUE set) {
-  char *set_s;
-
-  Check_Type(set, T_SYMBOL);
-
-  set = rb_sym_to_s(set);
-
-  set_s = StringValueCStr(set);
-
-       if(strcmp(set_s, "permitted")   == 0) return CAP_PERMITTED;
-  else if(strcmp(set_s, "effective")   == 0) return CAP_EFFECTIVE;
-  else if(strcmp(set_s, "inheritable") == 0) return CAP_INHERITABLE;
-  else rb_raise(rb_eArgError, "unknown set %s", set_s);
-}
-
 /*
  * Lookup the value of a capability in cap2_caps, defined in cap2.h
  * (cap2.h is generated dynamically by extconf.rb).
@@ -52,21 +33,50 @@ cap_value_t cap2_sym_to_cap(VALUE cap) {
   return cap2_cap_value(StringValueCStr(cap));
 }
 
-/*
- * Returns a boolean representing whether cap_d has the given capability enabled
- * in the given set.
- */
-VALUE cap2_has_cap(cap_t cap_d, VALUE set_sym, VALUE cap_sym) {
-  cap_flag_t set;
-  cap_value_t cap;
-  cap_flag_value_t flag_value = CAP_CLEAR;
+VALUE cap2_caps_to_hash(cap_t cap_d) {
+  int i;
+  cap_flag_value_t cap_value;
+  VALUE caps, permitted, effective, inheritable;
+
+  permitted = rb_ary_new();
+  effective = rb_ary_new();
+  inheritable = rb_ary_new();
 
-  set = cap2_sym_to_set(set_sym);
-  cap = cap2_sym_to_cap(cap_sym);
+  for(i = 0; i < __CAP_COUNT; i++) {
+    cap_get_flag(cap_d, cap2_caps[i].value, CAP_PERMITTED, &cap_value);
+    if(cap_value == CAP_SET)
+      rb_ary_push(permitted, ID2SYM(rb_intern(cap2_caps[i].name)));
+
+    cap_get_flag(cap_d, cap2_caps[i].value, CAP_EFFECTIVE, &cap_value);
+    if(cap_value == CAP_SET)
+      rb_ary_push(effective, ID2SYM(rb_intern(cap2_caps[i].name)));
+
+    cap_get_flag(cap_d, cap2_caps[i].value, CAP_INHERITABLE, &cap_value);
+    if(cap_value == CAP_SET)
+      rb_ary_push(inheritable, ID2SYM(rb_intern(cap2_caps[i].name)));
+  }
 
-  cap_get_flag(cap_d, cap, set, &flag_value);
+  caps = rb_hash_new();
 
-  return flag_value == CAP_SET ? Qtrue : Qfalse;
+  rb_hash_aset(
+    caps,
+    ID2SYM(rb_intern("permitted")),
+    rb_funcall(permitted, rb_intern("to_set"), 0)
+  );
+
+  rb_hash_aset(
+    caps,
+    ID2SYM(rb_intern("effective")),
+    rb_funcall(effective, rb_intern("to_set"), 0)
+  );
+
+  rb_hash_aset(
+    caps,
+    ID2SYM(rb_intern("inheritable")),
+    rb_funcall(inheritable, rb_intern("to_set"), 0)
+  );
+
+  return caps;
 }
 
 /*
@@ -80,14 +90,12 @@ static int cap2_process_pid(VALUE process) {
   return FIX2INT(pid);
 }
 
-/*
- * Return a cap_t struct containing the capabilities of the given Process object.
- */
-static cap_t cap2_process_caps(VALUE process) {
+VALUE cap2_process_getcaps(VALUE self) {
   cap_t cap_d;
   int pid;
+  VALUE result;
 
-  pid = cap2_process_pid(process);
+  pid = cap2_process_pid(self);
 
   cap_d = cap_get_pid(pid);
 
@@ -97,102 +105,80 @@ static cap_t cap2_process_caps(VALUE process) {
       "Failed to get capabilities for proccess %d: (%s)\n",
       pid, strerror(errno)
     );
+  } else {
+    result = cap2_caps_to_hash(cap_d);
+    cap_free(cap_d);
+    return result;
   }
-
-  return cap_d;
 }
 
 /*
- * Enable/disable the given capability in the given set for the given Process
- * object.
+ * Set the capabilities for self from the caps hash stored in @caps.
  */
-static VALUE cap2_process_set_cap(VALUE process, cap_flag_t set, VALUE cap_sym, cap_flag_value_t set_or_clear) {
+VALUE cap2_process_setcaps(VALUE self) {
+  int i;
   cap_t cap_d;
-  int pid;
-  cap_value_t caps[1];
+  VALUE caps, cap_array, cap_sym;
+  cap_value_t cap_values[__CAP_COUNT];
 
-  pid = cap2_process_pid(process);
+  cap_d = cap_init();
 
-  if((pid_t) pid != getpid())
-    rb_raise(
-      rb_eRuntimeError,
-      "Cannot set capabilities for other processes"
-    );
+  caps = rb_iv_get(self, "@caps");
 
-  caps[0] = cap2_sym_to_cap(cap_sym);
+  // permitted
+  cap_array = rb_funcall(
+    rb_hash_aref(caps, ID2SYM(rb_intern("permitted"))),
+    rb_intern("to_a"),
+    0
+  );
 
-  cap_d = cap_get_pid(pid);
+  for(i = 0; i < RARRAY_LEN(cap_array); i++) {
+    cap_sym = RARRAY_PTR(cap_array)[i];
+    cap_values[i] = cap2_sym_to_cap(cap_sym);
+  }
+
+  cap_set_flag(cap_d, CAP_PERMITTED, i, cap_values, CAP_SET);
 
-  cap_set_flag(cap_d, set, 1, caps, set_or_clear);
+  // effective
+  cap_array = rb_funcall(
+    rb_hash_aref(caps, ID2SYM(rb_intern("effective"))),
+    rb_intern("to_a"),
+    0
+  );
+
+  for(i = 0; i < RARRAY_LEN(cap_array); i++) {
+    cap_sym = RARRAY_PTR(cap_array)[i];
+    cap_values[i] = cap2_sym_to_cap(cap_sym);
+  }
+
+  cap_set_flag(cap_d, CAP_EFFECTIVE, i, cap_values, CAP_SET);
+
+  // inheritable
+  cap_array = rb_funcall(
+    rb_hash_aref(caps, ID2SYM(rb_intern("inheritable"))),
+    rb_intern("to_a"),
+    0
+  );
+
+  for(i = 0; i < RARRAY_LEN(cap_array); i++) {
+    cap_sym = RARRAY_PTR(cap_array)[i];
+    cap_values[i] = cap2_sym_to_cap(cap_sym);
+  }
+
+  cap_set_flag(cap_d, CAP_INHERITABLE, i, cap_values, CAP_SET);
 
   if(cap_set_proc(cap_d) == -1) {
     rb_raise(
       rb_eRuntimeError,
-      "Failed to set capabilities for process %d: (%s)\n",
-      pid, strerror(errno)
+      "Failed to set capabilities for current process: (%s)\n",
+      strerror(errno)
     );
   } else {
+    cap_free(cap_d);
     return Qtrue;
   }
 }
 
-/*
- * call-seq:
- *  has?(set, capability) -> true or false
- *
- * Return whether the process has the given capability enabled in the given set.
- *
- *   Cap2.process(1).has?(:permitted, :kill)    #=> true
- *   Cap2.process(1000).has?(:permitted, :kill) #=> false
- */
-VALUE cap2_process_has_cap(VALUE self, VALUE set_sym, VALUE cap_sym) {
-  cap_t cap_d;
-  VALUE result;
-
-  cap_d = cap2_process_caps(self);
-
-  result = cap2_has_cap(cap_d, set_sym, cap_sym);
-
-  cap_free(cap_d);
-
-  return result;
-}
-
-/*
- * call-seq:
- *  enable(capability) -> true or false
- *
- * Enable the given capability for this process.
- *
- * Raises a RuntimeError if the process's pid is not the same as the current
- * pid (you cannot enable capabilities for other processes, that's their job).
- *
- *   process = Cap2.process              #=> <Cap2::Process>
- *   process.permitted?(:kill)           #=> true
- *   process.effective?(:kill)           #=> false
- *   process.enable(:kill)               #=> true
- *   process.effective?(:kill)           #=> true
- */
-VALUE cap2_process_enable(VALUE self, VALUE cap_sym) {
-  return cap2_process_set_cap(self, CAP_EFFECTIVE, cap_sym, CAP_SET);
-}
-
-/*
- * call-seq:
- *  disable(capability) -> true or false
- *
- * Disable the given capability for this process.
- *
- *   process = Cap2.process              #=> <Cap2::Process>
- *   process.permitted?(:kill)           #=> true
- *   process.effective?(:kill)           #=> true
- *   process.disable(:kill)              #=> true
- *   process.effective?(:kill)           #=> false
- */
-VALUE cap2_process_disable(VALUE self, VALUE cap_sym) {
-  return cap2_process_set_cap(self, CAP_EFFECTIVE, cap_sym, CAP_CLEAR);
-}
-
 /*
  * Convert @filename stored in the given File object to a char* and return it.
  */
@@ -205,13 +191,14 @@ static char *cap2_file_filename(VALUE file) {
 }
 
 /*
- * Return a cap_t struct containing the capabilities of the given File object.
+ * Return a caps hash containing the capabilities of self.
  */
-static cap_t cap2_file_caps(VALUE file) {
+VALUE cap2_file_getcaps(VALUE self) {
   cap_t cap_d;
   char *filename;
+  VALUE result;
 
-  filename = cap2_file_filename(file);
+  filename = cap2_file_filename(self);
 
   cap_d = cap_get_file(filename);
 
@@ -221,30 +208,70 @@ static cap_t cap2_file_caps(VALUE file) {
       "Failed to get capabilities for file %s: (%s)\n",
       filename, strerror(errno)
     );
+  } else {
+    result = cap2_caps_to_hash(cap_d);
+    cap_free(cap_d);
+    return result;
   }
-
-  return cap_d;
 }
 
 /*
- * Enable/disable the given capability in the given set for the given File
- * object.
+ * Set the capabilities for self from the caps hash stored in @caps.
  */
-static VALUE cap2_file_set_cap(VALUE file, cap_flag_t set, VALUE cap_sym, cap_flag_value_t set_or_clear) {
+VALUE cap2_file_setcaps(VALUE self) {
+  int i;
   cap_t cap_d;
   char *filename;
-  cap_value_t caps[1];
+  VALUE caps, cap_array, cap_sym;
+  cap_value_t cap_values[__CAP_COUNT];
 
-  filename = cap2_file_filename(file);
+  cap_d = cap_init();
 
-  caps[0] = cap2_sym_to_cap(cap_sym);
+  caps = rb_iv_get(self, "@caps");
 
-  cap_d = cap_get_file(filename);
+  // permitted
+  cap_array = rb_funcall(
+    rb_hash_aref(caps, ID2SYM(rb_intern("permitted"))),
+    rb_intern("to_a"),
+    0
+  );
+
+  for(i = 0; i < RARRAY_LEN(cap_array); i++) {
+    cap_sym = RARRAY_PTR(cap_array)[i];
+    cap_values[i] = cap2_sym_to_cap(cap_sym);
+  }
+
+  cap_set_flag(cap_d, CAP_PERMITTED, i, cap_values, CAP_SET);
+
+  // effective
+  cap_array = rb_funcall(
+    rb_hash_aref(caps, ID2SYM(rb_intern("effective"))),
+    rb_intern("to_a"),
+    0
+  );
+
+  for(i = 0; i < RARRAY_LEN(cap_array); i++) {
+    cap_sym = RARRAY_PTR(cap_array)[i];
+    cap_values[i] = cap2_sym_to_cap(cap_sym);
+  }
+
+  cap_set_flag(cap_d, CAP_EFFECTIVE, i, cap_values, CAP_SET);
+
+  // inheritable
+  cap_array = rb_funcall(
+    rb_hash_aref(caps, ID2SYM(rb_intern("inheritable"))),
+    rb_intern("to_a"),
+    0
+  );
+
+  for(i = 0; i < RARRAY_LEN(cap_array); i++) {
+    cap_sym = RARRAY_PTR(cap_array)[i];
+    cap_values[i] = cap2_sym_to_cap(cap_sym);
+  }
 
-  if(cap_d == NULL)
-    cap_d = cap_init();
+  cap_set_flag(cap_d, CAP_INHERITABLE, i, cap_values, CAP_SET);
 
-  cap_set_flag(cap_d, set, 1, caps, set_or_clear);
+  filename = cap2_file_filename(self);
 
   if(cap_set_file(filename, cap_d) == -1) {
     rb_raise(
@@ -253,123 +280,13 @@ static VALUE cap2_file_set_cap(VALUE file, cap_flag_t set, VALUE cap_sym, cap_fl
       filename, strerror(errno)
     );
   } else {
+    cap_free(cap_d);
     return Qtrue;
   }
 }
 
-/*
- * call-seq:
- *  has?(set, capability) -> true or false
- *
- * Return whether the file has the given capability enabled in the given set.
- *
- *   Cap2.file('/bin/ping').has?(:permitted, :net_raw)    #=> true
- *   Cap2.file('/tmp/ping').has?(:permitted, :net_raw)    #=> false
- */
-VALUE cap2_file_has_cap(VALUE self, VALUE set_sym, VALUE cap_sym) {
-  cap_t cap_d;
-  VALUE result;
-
-  cap_d = cap2_file_caps(self);
-
-  result = cap2_has_cap(cap_d, set_sym, cap_sym);
-
-  cap_free(cap_d);
-
-  return result;
-}
-
-/*
- * call-seq:
- *  permit(capability) -> true or false
- *
- * Permit processes executing this file to enable the given capability.
- *
- *   file = Cap2.file('/tmp/killer')    #=> <Cap2::File>
- *   file.permitted?(:kill)             #=> false
- *   file.permit(:kill)                 #=> true
- *   file.permitted?(:kill)             #=> true
- */
-VALUE cap2_file_permit(VALUE self, VALUE cap_sym) {
-  return cap2_file_set_cap(self, CAP_PERMITTED, cap_sym, CAP_SET);
-}
-
-/*
- * call-seq:
- *  unpermit(capability) -> true or false
- *
- * Dont permit processes executing ths file to enable the given capability.
- *
- *   file = Cap2.file('/tmp/foo')      #=> <Cap2::File>
- *   file.permit(:kill)                #=> true
- *   file.permitted?(:kill)            #=> true
- *   file.unpermit(:kill)              #=> true
- *   file.permitted?(:kill)            #=> false
- */
-VALUE cap2_file_unpermit(VALUE self, VALUE cap_sym) {
-  return cap2_file_set_cap(self, CAP_PERMITTED, cap_sym, CAP_CLEAR);
-}
-
-/*
- * call-seq:
- *  allow_inherit(capability) -> true or false
- *
- * Allow processes executing this file to inherit the given capability.
- *
- *   file = Cap2.file('/tmp/foo')      #=> <Cap2::File>
- *   file.inheritable?(:kill)          #=> false
- *   file.allow_inherit(:kill)         #=> true
- *   file.inheritable?(:kill)          #=> true
- */
-VALUE cap2_file_allow_inherit(VALUE self, VALUE cap_sym) {
-  return cap2_file_set_cap(self, CAP_INHERITABLE, cap_sym, CAP_SET);
-}
-
-/*
- * call-seq:
- *  disallow_inherit(capability) -> true or false
- *
- * Dont allow processes executing this file to inherit the given capability.
- *
- *   file = Cap2.file('/tmp/foo')      #=> <Cap2::File>
- *   file.inheritable?(:kill)          #=> true
- *   file.allow_inherit(:kill)         #=> true
- *   file.inheritable?(:kill)          #=> false
- */
-VALUE cap2_file_disallow_inherit(VALUE self, VALUE cap_sym) {
-  return cap2_file_set_cap(self, CAP_INHERITABLE, cap_sym, CAP_CLEAR);
-}
-
-/*
- * call-seq:
- *  set_effective(capability) -> true or false
- *
- * Enable the given capability when a proces executes this file.
- *
- *   file = Cap2.file('/tmp/foo')      #=> <Cap2::File>
- *   file.effective?(:kill)            #=> false
- *   file.set_effective(:kill)         #=> true
- *   file.effective?(:kill)            #=> true
- */
-VALUE cap2_file_set_effective(VALUE self, VALUE cap_sym) {
-  return cap2_file_set_cap(self, CAP_EFFECTIVE, cap_sym, CAP_SET);
-}
-
-/*
- * call-seq:
- *  disable_on_exec(capability) -> true or false
- *
- * Dont enable the given capability when a process executes this file.
- *
- *   file = Cap2.file('/tmp/foo')      #=> <Cap2::File>
- *   file.effective?(:kill)            #=> true
- *   file.disable_on_exec(:kill)       #=> true
- *   file.effective?(:kill)            #=> false
- */
-VALUE cap2_file_clear_effective(VALUE self, VALUE cap_sym) {
-  return cap2_file_set_cap(self, CAP_EFFECTIVE, cap_sym, CAP_CLEAR);
-}
 void Init_cap2(void) {
+  int i;
   VALUE rb_mCap2;
   VALUE rb_cCap2File;
   VALUE rb_cCap2Process;
@@ -377,16 +294,10 @@ void Init_cap2(void) {
   rb_mCap2 = rb_define_module("Cap2");
 
   rb_cCap2Process = rb_define_class_under(rb_mCap2, "Process", rb_cObject);
-  rb_define_method(rb_cCap2Process, "has?", cap2_process_has_cap, 2);
-  rb_define_method(rb_cCap2Process, "enable", cap2_process_enable, 1);
-  rb_define_method(rb_cCap2Process, "disable", cap2_process_disable, 1);
+  rb_define_method(rb_cCap2Process, "getcaps", cap2_process_getcaps, 0);
+  rb_define_method(rb_cCap2Process, "save", cap2_process_setcaps, 0);
 
   rb_cCap2File = rb_define_class_under(rb_mCap2, "File", rb_cObject);
-  rb_define_method(rb_cCap2File, "has?", cap2_file_has_cap, 2);
-  rb_define_method(rb_cCap2File, "permit", cap2_file_permit, 1);
-  rb_define_method(rb_cCap2File, "unpermit", cap2_file_unpermit, 1);
-  rb_define_method(rb_cCap2File, "allow_inherit", cap2_file_allow_inherit, 1);
-  rb_define_method(rb_cCap2File, "disallow_inherit", cap2_file_disallow_inherit, 1);
-  rb_define_method(rb_cCap2File, "set_effective", cap2_file_set_effective, 1);
-  rb_define_method(rb_cCap2File, "disable_on_exec", cap2_file_clear_effective, 1);
+  rb_define_method(rb_cCap2File, "getcaps", cap2_file_getcaps, 0);
+  rb_define_method(rb_cCap2File, "save", cap2_file_setcaps, 0);
 }

data/lib/cap2.rb

@@ -1,3 +1,4 @@
+require 'set'
 require 'cap2.so'
 require 'cap2/process'
 require 'cap2/file'
@@ -49,7 +50,4 @@ module Cap2
 
   # Raised when trying to initialise a File object for a non-existent file.
   class FileNotFound < StandardError; end
-
-  # Raised when trying to enable unpermitted / uninheritable file capabilities.
-  class IncompatibleCapabilities < StandardError; end
 end

data/lib/cap2/file.rb

@@ -1,26 +1,71 @@
-require 'cap2/set_methods'
-
 module Cap2
-  # A class with methods for querying capabilities for the
+  # A class with methods for managing capabilities for the
   # file with filename provided to the initialize method.
   class File
-    include SetMethods
-
     # Initialize a new File object for the given filename.
     def initialize(filename)
       @filename = filename
+      @caps     = getcaps
+    end
+
+    # Returns whether the given capability is permitted
+    def permitted?(capability)
+      reload
+      @caps[:permitted].include? capability
+    end
+
+    # Returns whether the given capability is inheritable
+    def inheritable?(capability)
+      reload
+      @caps[:inheritable].include? capability
+    end
+
+    # Returns whether or not the file has any effective
+    # capabilities.
+    def enabled?
+      reload
+      !@caps[:effective].empty?
+    end
+
+    # Permit processes executing this file to enable the given capability.
+    def permit(capability)
+      @caps[:permitted].add(capability)
+      save
+    end
+
+    # Dont permit processes executing this file to enable the given capability.
+    def unpermit(capability)
+      @caps[:permitted].delete(capability)
+      save
+    end
+
+    # Allow processes executing this file to inherit the given capability.
+    def allow_inherit(capability)
+      @caps[:inheritable].add(capability)
+      save
+    end
+
+    # Dont allow processes executing this file to inherit the given capability.
+    def disallow_inherit(capability)
+      @caps[:inheritable].delete(capability)
+      save
+    end
+
+    # Enable the permitted capabilities when a proces executes this file.
+    def enable
+      @caps[:effective] = @caps[:permitted] + @caps[:inheritable]
+      save
+    end
+
+    # Dont enable the permitted capabilities when a proces executes this file.
+    def disable
+      @caps[:effective].clear
+      save
     end
 
-    # Enable the given capability in the file's effective set.
-    #
-    # The capability must be either permitted or inheritable (or else it cannot
-    # possibly be enabled in the new process).
-    def enable_on_exec(capability)
-      if permitted?(capability) || inheritable?(capability)
-        set_effective(capability)
-      else
-        raise IncompatibleCapabilities, 'cannot enable_on_exec a capability which is neither permitted nor inheritable'
-      end
+    private
+    def reload
+      @caps = getcaps
     end
   end
 end

data/lib/cap2/process.rb

@@ -1,14 +1,56 @@
-require 'cap2/set_methods'
-
 module Cap2
-  # A class with methods for querying capabilities for the
+  # A class with methods for managing capabilities for the
   # process with pid provided to the initialize method.
   class Process
-    include SetMethods
-
     # Initialize a new Process object for the given pid.
     def initialize(pid)
-      @pid = pid
+      @pid  = pid
+      @caps = getcaps
+    end
+
+    # Returns whether the given capability is permitted
+    def permitted?(capability)
+      reload
+      @caps[:permitted].include? capability
+    end
+
+    # Returns whether the given capability is enabled
+    def enabled?(capability)
+      reload
+      @caps[:effective].include? capability
+    end
+
+    # Returns whether the given capability is inheritable
+    def inheritable?(capability)
+      reload
+      @caps[:inheritable].include? capability
+    end
+
+    # Enable the given capability for this process.
+    def enable(capability)
+      check_pid
+      @caps[:effective].add(capability)
+      save
+    end
+
+    # Disable the given capability for this process.
+    def disable(capability)
+      check_pid
+      @caps[:effective].delete(capability)
+      save
+    end
+
+    private
+    # Raises a RuntimeError if the process's pid is not the same as the current
+    # pid (you cannot enable capabilities for other processes, that's their job).
+    def check_pid
+      unless @pid == Process.pid
+        raise 'Cannot modify capabilities of other processes'
+      end
+    end
+
+    def reload
+      @caps = getcaps
     end
   end
 end

data/lib/cap2/version.rb

@@ -1,3 +1,3 @@
 module Cap2
-  Version = '0.1.1'
+  Version = '0.2.0'
 end

data/spec/file_spec.rb

@@ -19,17 +19,17 @@ describe Cap2::File do
     end
   end
 
-  describe '#effective?' do
-    context "when the file doesn't have the given capability" do
-      it { should_not be_effective(:dac_override) }
+  describe '#enabled?' do
+    context "when the file's enabled bit is not set" do
+      it { should_not be_enabled }
     end
 
-    context 'when the file does have the given capability' do
+    context "when the file's enabled bit is set" do
       before(:each) do
-        run_as_root('permit(:dac_override)', 'enable_on_exec(:dac_override)')
+        run_as_root('permit(:dac_override)', 'enable')
       end
 
-      it { should be_effective(:dac_override) }
+      it { should be_enabled }
     end
   end
 
@@ -83,48 +83,49 @@ describe Cap2::File do
     end
   end
 
-  describe '#enable_on_exec' do
-    context 'when the capability is not permitted or inheritable' do
-      specify do
-        expect { subject.enable_on_exec(:lease) }.to \
-          raise_error(
-            Cap2::IncompatibleCapabilities,
-            'cannot enable_on_exec a capability which is neither permitted nor inheritable'
-          )
-      end
-    end
-
-    context 'when the capability is permitted' do
+  context 'enabling and disabling' do
+    context 'when at least one capability is permitted' do
       before(:each) do
-        run_as_root('permit(:lease)')
+        run_as_root('permit(:kill)')
       end
 
-      specify do
-        expect { running_as_root('enable_on_exec(:lease)') }.to \
-          change { subject.effective?(:lease) }.from(false).to(true)
+      describe '#enable' do
+        specify do
+          expect { running_as_root('enable') }.to \
+            change { subject.enabled? }.from(false).to(true)
+        end
       end
-    end
 
-    context 'when the capability is inheritable' do
-      before(:each) do
-        run_as_root('allow_inherit(:lease)')
-      end
+      describe '#disable' do
+        before(:each) do
+          run_as_root('enable')
+        end
 
-      specify do
-        expect { running_as_root('enable_on_exec(:lease)') }.to \
-          change { subject.effective?(:lease) }.from(false).to(true)
+        specify do
+          expect { running_as_root('disable') }.to \
+            change { subject.enabled? }.from(true).to(false)
+        end
       end
     end
-  end
 
-  describe '#disable_on_exec' do
-    before(:each) do
-      run_as_root('permit(:kill)', 'enable_on_exec(:kill)')
-    end
+    context 'when no capabilities are permitted or inheritable' do
+      describe '#enable' do
+        specify do
+          expect { running_as_root('enable') }.to_not \
+            change { subject.enabled? }.from(false)
+        end
+      end
 
-    specify do
-      expect { running_as_root('disable_on_exec(:kill)') }.to \
-        change { subject.effective?(:kill) }.from(true).to(false)
+      describe '#disable' do
+        before(:each) do
+          run_as_root('enable')
+        end
+
+        specify do
+          expect { running_as_root('disable') }.to_not \
+            change { subject.enabled? }.from(false)
+        end
+      end
     end
   end
 

data/spec/process_spec.rb

@@ -15,17 +15,17 @@ describe Cap2::Process do
     end
   end
 
-  describe '#effective?' do
+  describe '#enabled?' do
     context "when the process doesn't have the given capability" do
       subject { Cap2::Process.new(Process.pid) }
 
-      it { should_not be_effective(:dac_override) }
+      it { should_not be_enabled(:dac_override) }
     end
 
     context 'when the process does have the given capability' do
       subject { Cap2::Process.new(1) }
 
-      it { should be_effective(:dac_override) }
+      it { should be_enabled(:dac_override) }
     end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cap2
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-09-02 00:00:00.000000000 Z
+date: 2012-09-07 00:00:00.000000000 Z
 dependencies: []
 description: ! "    Cap2 is a Ruby library for managing the POSIX 1003.1e capabilities\n
   \   available in Linux kernels.\n\n    These capabilities are a partitioning of
@@ -32,7 +32,6 @@ files:
 - lib/cap2/process.rb
 - lib/cap2/version.rb
 - lib/cap2/file.rb
-- lib/cap2/set_methods.rb
 - lib/cap2.so
 - spec/process_spec.rb
 - spec/cap2_spec.rb

data/lib/cap2/set_methods.rb

@@ -1,26 +0,0 @@
-module Cap2
-  # A mixin for the Cap2::Process and Cap2::File
-  # classes providing convenience methods for querying
-  # permitted, effective and inheritable capabilities.
-  #
-  # Each method takes a capability argument, a lower
-  # cased name of a capability, without the 'CAP_' prefix.
-  # For example, :chown would query the CAP_CHOWN capability.
-  module SetMethods
-    # Returns whether the given capability is permitted
-    def permitted?(capability)
-      has?(:permitted, capability)
-    end
-
-    # Returns whether the given capability is effective
-    def effective?(capability)
-      has?(:effective, capability)
-    end
-
-    # Returns whether the given capability is inheritable
-    def inheritable?(capability)
-      has?(:inheritable, capability)
-    end
-  end
-end
-