capng_c 0.1.3 → 0.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2bb0e5ea482272f6f1678202e013e2279429a8d8db9331560a0037d5d3affee5
-  data.tar.gz: d00913ec86725ff56ec782cec00ade00c12ce7583963dabe080d2ae7f43a6de2
+  metadata.gz: 1eaea356dec8a2e8049a45af2c57d5839e661f64cfcaa2379cb5f27e69ab6ff4
+  data.tar.gz: a900c6d4381d353872be092de3e3be68ae311c6c0a43a534da4800eb89b3bada
 SHA512:
-  metadata.gz: 7fffbe03cb38e5237a24a4dacd9c0b0908d9d63692f04ef2c8e4e0181d96860f3ca0c6d2a7c35319123aaf6176b1faca303c8a6d4ddff1cd7c413250297112b6
-  data.tar.gz: 022ef6afb55bcaac0b83e8a31ae634f7839a2f8a6f49dc493328f0dd8ee44f04420227cf37eee3169142d6b5bbe8ee1c5df976f4e0158deffa225545c6c863c9
+  metadata.gz: de48892bc4462b41a9d47eeccaf1397d62c3e03c8e6138600bec281ab4bf2b34b3d8352449bf52b2fe2fe7cbdd1717203d27d5d623e1e3cd3805bc119d031119
+  data.tar.gz: 6f4310683b133bcfb366366c670b68f8ad24eb6eb9065eb3c09a9d8b66e32106eeb38ac508dfd13a8d680d00ed74ba17618c25127f0dd0ecf0db199e2b0371d3

data/example/file_capability.rb

@@ -0,0 +1,36 @@
+# Copyright 2020- Hiroshi Hatake
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'capng'
+
+if ARGV.size != 1
+  puts "specify file path on ARGV."
+  exit 1
+end
+
+if Process.uid != 0
+  puts "Needed to run as root!"
+  exit 2
+end
+
+path = ARGV[0]
+capng = CapNG.new(:file, path)
+print = CapNG::Print.new
+puts "capability: #{print.caps_text(:buffer, :effective)}"
+capng.clear(:caps)
+ret = capng.update(:add, CapNG::Type::EFFECTIVE | CapNG::Type::INHERITABLE | CapNG::Type::PERMITTED,
+                   [:dac_read_search, :dac_override])
+puts "updating capability: #{ret ? "success" : "fail"}"
+capng.apply_caps_file(path)
+puts "updated capability: #{print.caps_text(:buffer, :effective)}"

data/example/process_capability.rb

@@ -0,0 +1,59 @@
+# Copyright 2020- Hiroshi Hatake
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'capng'
+
+if Process.uid != 0
+  puts "Needed to run as root!"
+  exit 2
+end
+
+capng = CapNG.new(:current_process)
+
+print = CapNG::Print.new
+puts "capability: #{print.caps_text(:buffer, :effective)}"
+target_file = ARGV[0] || "/var/log/syslog"
+capng.clear(:caps)
+
+puts "capability: #{print.caps_text(:buffer, :effective)}"
+ret = capng.update(:add, CapNG::Type::EFFECTIVE | CapNG::Type::INHERITABLE | CapNG::Type::PERMITTED, :dac_read_search)
+puts "CapNG#update: #{ret ? 'success' : 'fail'}"
+
+ret = capng.apply(:caps)
+puts "CapNG#apply(add): #{ret ? 'success' : 'fail'}"
+puts "capability: #{print.caps_text(:buffer, :effective)}"
+path = "/var/log/syslog"
+unless File.readable?(path)
+  puts "-----unreadable!!!!-----\ntarget: #{target_file}"
+end
+contents = File.read(target_file)
+if contents.length >= 0
+  puts "succeeded to read: #{target_file}"
+end
+
+ret = capng.update(:drop, CapNG::Type::EFFECTIVE | CapNG::Type::INHERITABLE | CapNG::Type::PERMITTED, :dac_read_search)
+puts "CapNG#update(drop): #{ret ? 'success' : 'fail'}"
+puts "capability: #{print.caps_text(:buffer, :effective)}"
+
+ret = capng.apply(:caps)
+puts "CapNG#apply(drop): #{ret ? 'success' : 'fail'}"
+
+unless File.readable?(path)
+  puts "-----unreadable!!!!-----\ntarget: #{target_file}"
+end
+begin
+  File.read(target_file)
+rescue Errno::EACCES
+  puts "permission denied even if run as root"
+end

data/ext/capng/capng.c

@@ -88,14 +88,20 @@ rb_capng_initialize(int argc, VALUE *argv, VALUE self)
     fptr = RFILE(rb_pid_or_file)->fptr;
     fd = fptr->fd;
     result = capng_get_caps_fd(fd);
-    if (result != 0) {
-      rb_raise(rb_eRuntimeError, "Couldn't get current file capability");
-    }
+    /* Just store result into instance variable. */
+    /* This is because capng_get_caps_fd should return 0 if file cap is not set. */
+    rb_iv_set(self, "@return_code", INT2NUM(result));
   }
 
   return Qnil;
 }
 
+static VALUE
+rb_capng_return_code(VALUE self)
+{
+  return rb_iv_get(self, "@return_code");
+}
+
 static VALUE
 rb_capng_clear(VALUE self, VALUE rb_select_name_or_enum)
 {
@@ -398,6 +404,7 @@ Init_capng(void)
   rb_define_alloc_func(rb_cCapNG, rb_capng_alloc);
 
   rb_define_method(rb_cCapNG, "initialize", rb_capng_initialize, -1);
+  rb_define_method(rb_cCapNG, "return_code", rb_capng_return_code, 0);
   rb_define_method(rb_cCapNG, "clear", rb_capng_clear, 1);
   rb_define_method(rb_cCapNG, "fill", rb_capng_fill, 1);
   rb_define_method(rb_cCapNG, "setpid", rb_capng_setpid, 1);

data/lib/capng.rb

@@ -10,16 +10,14 @@ class CapNG
   alias_method :initialize_raw, :initialize
 
   def initialize(target = nil, pid_or_path = nil)
-    if target.nil?
-      initialize_raw
-    elsif target && pid_or_path.is_a?(Integer)
+    if target && pid_or_path.is_a?(Integer)
       initialize_raw(target, pid_or_path)
     elsif target && pid_or_path.is_a?(String) && File.exist?(pid_or_path)
-      File.open(pid_or_path) do
-        initialize_raw(target, pid_or_path);
+      File.open(pid_or_path) do |file|
+        initialize_raw(target, file);
       end
     else
-      initialize_raw
+      initialize_raw(target, pid_or_path)
     end
   end
 
@@ -38,7 +36,7 @@ class CapNG
   def apply_caps_file(file_or_string_path)
     if file_or_string_path.is_a?(String) && File.exist?(file_or_string_path)
       File.open(file_or_string_path) do |f|
-        apply_cps_file_raw(f)
+        apply_caps_file_raw(f)
       end
     elsif file_or_string_path.is_a?(File)
       apply_caps_file_raw(file_or_string_path)

data/lib/capng/version.rb

@@ -1,3 +1,3 @@
 class CapNG
-  VERSION = "0.1.3"
+  VERSION = "0.1.4"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: capng_c
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.1.4
 platform: ruby
 authors:
 - Hiroshi Hatake
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-10-28 00:00:00.000000000 Z
+date: 2020-10-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -89,6 +89,8 @@ files:
 - bin/console
 - bin/setup
 - capng_c.gemspec
+- example/file_capability.rb
+- example/process_capability.rb
 - ext/capng/capability.c
 - ext/capng/capng.c
 - ext/capng/capng.h
@@ -120,7 +122,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: libcap-ng bindings for Ruby.