dia 1.0

data/README.md

@@ -0,0 +1,56 @@
+## "Dia"
+
+"Dia" allows you to sandbox applications on the OSX platform by restricting what access to Operating System resources they can have.  
+
+## What restrictions can you apply?  
+
+* No internet access.
+* No network access of any kind.
+* No file system writes.
+* No file system writes, exlcuding writing to /tmp.
+* A complete lockdown of Operating System resources.
+
+## How?
+FFI, and the C header "sandbox.h" (found on OSX).
+
+## Example?
+
+    require 'rubygems'
+    require 'dia'
+
+    sandbox = Dia::SandBox.new("/Applications/Firefox.app/Contents/MacOS/firefox-bin", Dia::Profiles::NO_INTERNET)
+    sandbox.run
+    puts "Launched #{sandbox.app_path} with a pid of #{sandbox.pid} using the profile #{sandbox.profile}"
+
+## Install?
+
+Right now, the github repository is where you can install "Dia" from.  
+There is a "gemspec" in the root of the project.  
+    gem build *.gemspec; 
+    gem install *.gem 
+... after cloning the repository.
+
+## License(MIT)
+
+ Copyright (c) 2010 Robert Gleeson   
+  
+ Permission is hereby granted, free of charge, to any person  
+ obtaining a copy of this software and associated documentation  
+ files (the "Software"), to deal in the Software without  
+ restriction, including without limitation the rights to use,  
+ copy, modify, merge, publish, distribute, sublicense, and/or sell  
+ copies of the Software, and to permit persons to whom the  
+ Software is furnished to do so, subject to the following  
+ conditions:  
+
+ The above copyright notice and this permission notice shall be  
+ included in all copies or substantial portions of the Software.  
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,  
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES  
+ OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND  
+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT  
+ HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,  
+ WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING  
+ FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR  
+ OTHER DEALINGS IN THE SOFTWARE.  

data/lib/dia.rb

@@ -0,0 +1,9 @@
+require 'ffi'
+require File.join(File.dirname(__FILE__), 'dia/profiles.rb')
+require File.join(File.dirname(__FILE__), 'dia/commonapi.rb')
+require File.join(File.dirname(__FILE__), 'dia/sandbox.rb')
+
+module Dia
+  class SandBoxException < StandardError; end
+end
+

data/lib/dia/commonapi.rb

@@ -0,0 +1,9 @@
+require 'rubygems'
+require 'ffi'
+
+module Dia
+  module CommonAPI
+    extend FFI::Library
+    attach_function :sandbox_init, [ :string, :int, :pointer ], :int
+  end
+end

data/lib/dia/profiles.rb

@@ -0,0 +1,15 @@
+module Dia
+  
+  module Profiles
+    extend FFI::Library
+    
+    NO_INTERNET                    = attach_variable(:kSBXProfileNoInternet, :string).read_string
+    NO_NETWORKING                  = attach_variable(:kSBXProfileNoNetwork, :string).read_string
+    NO_FILESYSTEM_WRITE            = attach_variable(:kSBXProfileNoWrite, :string).read_string
+    NO_FILESYSTEM_WRITE_EXCEPT_TMP = attach_variable(:kSBXProfileNoWriteExceptTemporary, :string).read_string
+    NO_OS_SERVICES                 = attach_variable(:kSBXProfilePureComputation, :string).read_string
+    
+  end
+  
+end
+    

data/lib/dia/sandbox.rb

@@ -0,0 +1,27 @@
+module Dia
+  
+  class SandBox
+  
+    include Dia::CommonAPI
+    
+    attr_accessor :app_path
+    attr_accessor :profile
+    attr_accessor :pid
+    
+    def initialize app_path, profile
+      @app_path = app_path
+      @profile = profile
+    end
+    
+    def run
+      @pid = fork do
+        unless ( ret = sandbox_init(@profile, 0x0001, error = FFI::MemoryPointer.new(:pointer)) ) == 0
+          raise Dia::SandBoxException, "Couldn't sandbox #{@app_path}, sandbox_init returned #{ret} with error message: '#{error.get_pointer(0).read_string}'"
+        end
+        exec(@app_path)
+      end
+    end
+  
+  end
+  
+end

metadata

@@ -0,0 +1,69 @@
+--- !ruby/object:Gem::Specification 
+name: dia
+version: !ruby/object:Gem::Version 
+  version: "1.0"
+platform: ruby
+authors: 
+- Robert
+- Gleeson
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2010-01-31 00:00:00 +00:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: ffi
+  type: :runtime
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: "0"
+    version: 
+description: Dia allows you to sandbox applications on the OSX platform
+email: rob@flowof.info
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- README.md
+- lib/dia/commonapi.rb
+- lib/dia/profiles.rb
+- lib/dia/sandbox.rb
+- lib/dia.rb
+has_rdoc: true
+homepage: 
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.5
+signing_key: 
+specification_version: 3
+summary: Dia allows you to sandbox applications on the OSX platform
+test_files: []
+