exec_sandbox 0.1.0 → 0.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/VERSION +1 -1
- data/exec_sandbox.gemspec +88 -0
- data/lib/exec_sandbox/sandbox.rb +13 -14
- data/lib/exec_sandbox/wait4.rb +3 -3
- data/spec/exec_sandbox/wait4_spec.rb +23 -0
- data/spec/fixtures/churn.rb +11 -8
- metadata +19 -18
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
0.1.
|
|
1
|
+
0.1.1
|
|
@@ -0,0 +1,88 @@
|
|
|
1
|
+
# Generated by jeweler
|
|
2
|
+
# DO NOT EDIT THIS FILE DIRECTLY
|
|
3
|
+
# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
|
|
4
|
+
# -*- encoding: utf-8 -*-
|
|
5
|
+
|
|
6
|
+
Gem::Specification.new do |s|
|
|
7
|
+
s.name = "exec_sandbox"
|
|
8
|
+
s.version = "0.1.1"
|
|
9
|
+
|
|
10
|
+
s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
|
|
11
|
+
s.authors = ["Victor Costan"]
|
|
12
|
+
s.date = "2011-10-13"
|
|
13
|
+
s.description = "Temporary users and groups, rlimits"
|
|
14
|
+
s.email = "costan@gmail.com"
|
|
15
|
+
s.extra_rdoc_files = [
|
|
16
|
+
"LICENSE.txt",
|
|
17
|
+
"README.rdoc"
|
|
18
|
+
]
|
|
19
|
+
s.files = [
|
|
20
|
+
".document",
|
|
21
|
+
".project",
|
|
22
|
+
".rspec",
|
|
23
|
+
"Gemfile",
|
|
24
|
+
"Gemfile.lock",
|
|
25
|
+
"LICENSE.txt",
|
|
26
|
+
"README.rdoc",
|
|
27
|
+
"Rakefile",
|
|
28
|
+
"VERSION",
|
|
29
|
+
"exec_sandbox.gemspec",
|
|
30
|
+
"lib/exec_sandbox.rb",
|
|
31
|
+
"lib/exec_sandbox/sandbox.rb",
|
|
32
|
+
"lib/exec_sandbox/spawn.rb",
|
|
33
|
+
"lib/exec_sandbox/users.rb",
|
|
34
|
+
"lib/exec_sandbox/wait4.rb",
|
|
35
|
+
"spec/exec_sandbox/sandbox_spec.rb",
|
|
36
|
+
"spec/exec_sandbox/spawn_spec.rb",
|
|
37
|
+
"spec/exec_sandbox/users_spec.rb",
|
|
38
|
+
"spec/exec_sandbox/wait4_spec.rb",
|
|
39
|
+
"spec/fixtures/buffer.rb",
|
|
40
|
+
"spec/fixtures/churn.rb",
|
|
41
|
+
"spec/fixtures/duplicate.rb",
|
|
42
|
+
"spec/fixtures/exit_arg.rb",
|
|
43
|
+
"spec/fixtures/fork.rb",
|
|
44
|
+
"spec/fixtures/pwd.rb",
|
|
45
|
+
"spec/fixtures/write_arg.rb",
|
|
46
|
+
"spec/spec_helper.rb",
|
|
47
|
+
"spec/support/code_fixture.rb"
|
|
48
|
+
]
|
|
49
|
+
s.homepage = "http://github.com/pwnall/exec_sandbox"
|
|
50
|
+
s.licenses = ["MIT"]
|
|
51
|
+
s.require_paths = ["lib"]
|
|
52
|
+
s.rubygems_version = "1.8.11"
|
|
53
|
+
s.summary = "Run foreign binaries using POSIX sandboxing features"
|
|
54
|
+
|
|
55
|
+
if s.respond_to? :specification_version then
|
|
56
|
+
s.specification_version = 3
|
|
57
|
+
|
|
58
|
+
if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
|
|
59
|
+
s.add_runtime_dependency(%q<ffi>, [">= 1.0.9"])
|
|
60
|
+
s.add_development_dependency(%q<rdoc>, [">= 3.10"])
|
|
61
|
+
s.add_development_dependency(%q<rspec>, [">= 2.6.0"])
|
|
62
|
+
s.add_development_dependency(%q<yard>, [">= 0.7.2"])
|
|
63
|
+
s.add_development_dependency(%q<yard-rspec>, [">= 0.1"])
|
|
64
|
+
s.add_development_dependency(%q<bundler>, [">= 1.0.21"])
|
|
65
|
+
s.add_development_dependency(%q<jeweler>, [">= 1.6.4"])
|
|
66
|
+
s.add_development_dependency(%q<rcov>, [">= 0"])
|
|
67
|
+
else
|
|
68
|
+
s.add_dependency(%q<ffi>, [">= 1.0.9"])
|
|
69
|
+
s.add_dependency(%q<rdoc>, [">= 3.10"])
|
|
70
|
+
s.add_dependency(%q<rspec>, [">= 2.6.0"])
|
|
71
|
+
s.add_dependency(%q<yard>, [">= 0.7.2"])
|
|
72
|
+
s.add_dependency(%q<yard-rspec>, [">= 0.1"])
|
|
73
|
+
s.add_dependency(%q<bundler>, [">= 1.0.21"])
|
|
74
|
+
s.add_dependency(%q<jeweler>, [">= 1.6.4"])
|
|
75
|
+
s.add_dependency(%q<rcov>, [">= 0"])
|
|
76
|
+
end
|
|
77
|
+
else
|
|
78
|
+
s.add_dependency(%q<ffi>, [">= 1.0.9"])
|
|
79
|
+
s.add_dependency(%q<rdoc>, [">= 3.10"])
|
|
80
|
+
s.add_dependency(%q<rspec>, [">= 2.6.0"])
|
|
81
|
+
s.add_dependency(%q<yard>, [">= 0.7.2"])
|
|
82
|
+
s.add_dependency(%q<yard-rspec>, [">= 0.1"])
|
|
83
|
+
s.add_dependency(%q<bundler>, [">= 1.0.21"])
|
|
84
|
+
s.add_dependency(%q<jeweler>, [">= 1.6.4"])
|
|
85
|
+
s.add_dependency(%q<rcov>, [">= 0"])
|
|
86
|
+
end
|
|
87
|
+
end
|
|
88
|
+
|
data/lib/exec_sandbox/sandbox.rb
CHANGED
|
@@ -9,21 +9,17 @@ class Sandbox
|
|
|
9
9
|
# Empty sandbox.
|
|
10
10
|
#
|
|
11
11
|
# @param [String] admin the name of a user who will be able to peek into the
|
|
12
|
-
# sandbox
|
|
13
|
-
def initialize(admin
|
|
12
|
+
# sandbox
|
|
13
|
+
def initialize(admin)
|
|
14
14
|
@user_name = ExecSandbox::Users.temp
|
|
15
15
|
user_pwd = Etc.getpwnam @user_name
|
|
16
16
|
@user_uid = user_pwd.uid
|
|
17
17
|
@user_gid = user_pwd.gid
|
|
18
18
|
@path = user_pwd.dir
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
else
|
|
24
|
-
@admin_uid = @user_uid
|
|
25
|
-
@admin_gid = @user_gid
|
|
26
|
-
end
|
|
19
|
+
@admin_name = admin
|
|
20
|
+
admin_pwd = Etc.getpwnam(@admin_name)
|
|
21
|
+
@admin_uid = admin_pwd.uid
|
|
22
|
+
@admin_gid = admin_pwd.gid
|
|
27
23
|
@destroyed = false
|
|
28
24
|
|
|
29
25
|
# principal argument for Spawn.spawn()
|
|
@@ -61,11 +57,14 @@ class Sandbox
|
|
|
61
57
|
# @param [String] from relative path to the sandbox file or directory
|
|
62
58
|
# @param [String] to path where the file/directory will be copied
|
|
63
59
|
# @param [Hash] options tweaks the permissions and the path inside the sandbox
|
|
64
|
-
# @return [String] the path to the copied file / directory outside the
|
|
60
|
+
# @return [String] the path to the copied file / directory outside the
|
|
61
|
+
# sandbox, or nil if the file / directory does not exist
|
|
62
|
+
# inside the sandbox
|
|
65
63
|
def pull(from, to)
|
|
66
64
|
from = File.join @path, from
|
|
67
|
-
|
|
65
|
+
return nil unless File.exist? from
|
|
68
66
|
|
|
67
|
+
FileUtils.cp_r from, to
|
|
69
68
|
FileUtils.chmod_R 0770, to
|
|
70
69
|
FileUtils.chown_R @admin_uid, @admin_gid, to
|
|
71
70
|
# NOTE: making a file / directory read-only is useless -- the sandboxed
|
|
@@ -145,7 +144,7 @@ end # module ExecSandbox::Sandbox
|
|
|
145
144
|
# @param [String] admin the name of a user who will be able to peek into the
|
|
146
145
|
# sandbox (optional)
|
|
147
146
|
# @return the value returned from the block passed to this method
|
|
148
|
-
def self.use(admin =
|
|
147
|
+
def self.use(admin = Etc.getlogin, &block)
|
|
149
148
|
sandbox = ExecSandbox::Sandbox.new admin
|
|
150
149
|
begin
|
|
151
150
|
return yield(sandbox)
|
|
@@ -163,7 +162,7 @@ end # module ExecSandbox::Sandbox
|
|
|
163
162
|
# @param [String] admin the name of a user who will be able to peek into the
|
|
164
163
|
# sandbox (optional)
|
|
165
164
|
# @return the value returned from the block passed to this method
|
|
166
|
-
def self.open(admin =
|
|
165
|
+
def self.open(admin = Etc.getlogin)
|
|
167
166
|
ExecSandbox::Sandbox.new admin
|
|
168
167
|
end
|
|
169
168
|
end # namespace ExecSandbox
|
data/lib/exec_sandbox/wait4.rb
CHANGED
|
@@ -19,9 +19,9 @@ module Wait4
|
|
|
19
19
|
signal_code = status[:bits] & 0x7f
|
|
20
20
|
status[:exit_code] = (signal_code != 0) ? -signal_code : status[:bits] >> 8
|
|
21
21
|
status[:user_time] = rusage[:ru_utime_sec] +
|
|
22
|
-
|
|
23
|
-
status[:system_time] = rusage[:
|
|
24
|
-
|
|
22
|
+
rusage[:ru_utime_usec] * 0.000_001
|
|
23
|
+
status[:system_time] = rusage[:ru_stime_sec] +
|
|
24
|
+
rusage[:ru_stime_usec] * 0.000_001
|
|
25
25
|
status[:rss] = rusage[:ru_maxrss] / 1024.0
|
|
26
26
|
return status
|
|
27
27
|
end
|
|
@@ -20,5 +20,28 @@ describe ExecSandbox::Wait4 do
|
|
|
20
20
|
@status[:system_time].should < 1
|
|
21
21
|
end
|
|
22
22
|
end
|
|
23
|
+
|
|
24
|
+
describe 'churn.rb' do
|
|
25
|
+
before do
|
|
26
|
+
pid = Kernel.fork { Process.exec bin_fixture(:churn), '', '2' }
|
|
27
|
+
@status = ExecSandbox::Wait4.wait4 pid
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
it 'should have the correct exit status' do
|
|
31
|
+
@status[:exit_code].should == 0
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
it 'should not take more than 3s of user time' do
|
|
35
|
+
@status[:user_time].should < 3
|
|
36
|
+
end
|
|
37
|
+
|
|
38
|
+
it 'should not take less than 1s of user time' do
|
|
39
|
+
@status[:user_time].should > 1
|
|
40
|
+
end
|
|
41
|
+
|
|
42
|
+
it 'should not take more than 1s of system time' do
|
|
43
|
+
@status[:system_time].should < 1
|
|
44
|
+
end
|
|
45
|
+
end
|
|
23
46
|
end
|
|
24
47
|
end
|
data/spec/fixtures/churn.rb
CHANGED
|
@@ -4,13 +4,16 @@
|
|
|
4
4
|
# then outputs a '+' and exists.
|
|
5
5
|
|
|
6
6
|
start = Time.now
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
7
|
+
loop do
|
|
8
|
+
j = 0
|
|
9
|
+
1.upto(1_000_000) { |i| j = i * i + 100 }
|
|
10
|
+
break if Time.now - start >= ARGV[1].to_i
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
unless ARGV[0].empty?
|
|
14
|
+
File.open(ARGV[0], 'wb') do |f|
|
|
15
|
+
f.sync = true
|
|
16
|
+
f.write '+'
|
|
17
|
+
f.flush
|
|
13
18
|
end
|
|
14
|
-
f.write '+'
|
|
15
|
-
f.flush
|
|
16
19
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: exec_sandbox
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.1
|
|
5
5
|
prerelease:
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
@@ -13,7 +13,7 @@ date: 2011-10-13 00:00:00.000000000Z
|
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: ffi
|
|
16
|
-
requirement: &
|
|
16
|
+
requirement: &22094080 !ruby/object:Gem::Requirement
|
|
17
17
|
none: false
|
|
18
18
|
requirements:
|
|
19
19
|
- - ! '>='
|
|
@@ -21,10 +21,10 @@ dependencies:
|
|
|
21
21
|
version: 1.0.9
|
|
22
22
|
type: :runtime
|
|
23
23
|
prerelease: false
|
|
24
|
-
version_requirements: *
|
|
24
|
+
version_requirements: *22094080
|
|
25
25
|
- !ruby/object:Gem::Dependency
|
|
26
26
|
name: rdoc
|
|
27
|
-
requirement: &
|
|
27
|
+
requirement: &22093480 !ruby/object:Gem::Requirement
|
|
28
28
|
none: false
|
|
29
29
|
requirements:
|
|
30
30
|
- - ! '>='
|
|
@@ -32,10 +32,10 @@ dependencies:
|
|
|
32
32
|
version: '3.10'
|
|
33
33
|
type: :development
|
|
34
34
|
prerelease: false
|
|
35
|
-
version_requirements: *
|
|
35
|
+
version_requirements: *22093480
|
|
36
36
|
- !ruby/object:Gem::Dependency
|
|
37
37
|
name: rspec
|
|
38
|
-
requirement: &
|
|
38
|
+
requirement: &22092840 !ruby/object:Gem::Requirement
|
|
39
39
|
none: false
|
|
40
40
|
requirements:
|
|
41
41
|
- - ! '>='
|
|
@@ -43,10 +43,10 @@ dependencies:
|
|
|
43
43
|
version: 2.6.0
|
|
44
44
|
type: :development
|
|
45
45
|
prerelease: false
|
|
46
|
-
version_requirements: *
|
|
46
|
+
version_requirements: *22092840
|
|
47
47
|
- !ruby/object:Gem::Dependency
|
|
48
48
|
name: yard
|
|
49
|
-
requirement: &
|
|
49
|
+
requirement: &22092240 !ruby/object:Gem::Requirement
|
|
50
50
|
none: false
|
|
51
51
|
requirements:
|
|
52
52
|
- - ! '>='
|
|
@@ -54,10 +54,10 @@ dependencies:
|
|
|
54
54
|
version: 0.7.2
|
|
55
55
|
type: :development
|
|
56
56
|
prerelease: false
|
|
57
|
-
version_requirements: *
|
|
57
|
+
version_requirements: *22092240
|
|
58
58
|
- !ruby/object:Gem::Dependency
|
|
59
59
|
name: yard-rspec
|
|
60
|
-
requirement: &
|
|
60
|
+
requirement: &22091600 !ruby/object:Gem::Requirement
|
|
61
61
|
none: false
|
|
62
62
|
requirements:
|
|
63
63
|
- - ! '>='
|
|
@@ -65,10 +65,10 @@ dependencies:
|
|
|
65
65
|
version: '0.1'
|
|
66
66
|
type: :development
|
|
67
67
|
prerelease: false
|
|
68
|
-
version_requirements: *
|
|
68
|
+
version_requirements: *22091600
|
|
69
69
|
- !ruby/object:Gem::Dependency
|
|
70
70
|
name: bundler
|
|
71
|
-
requirement: &
|
|
71
|
+
requirement: &22090920 !ruby/object:Gem::Requirement
|
|
72
72
|
none: false
|
|
73
73
|
requirements:
|
|
74
74
|
- - ! '>='
|
|
@@ -76,10 +76,10 @@ dependencies:
|
|
|
76
76
|
version: 1.0.21
|
|
77
77
|
type: :development
|
|
78
78
|
prerelease: false
|
|
79
|
-
version_requirements: *
|
|
79
|
+
version_requirements: *22090920
|
|
80
80
|
- !ruby/object:Gem::Dependency
|
|
81
81
|
name: jeweler
|
|
82
|
-
requirement: &
|
|
82
|
+
requirement: &22089700 !ruby/object:Gem::Requirement
|
|
83
83
|
none: false
|
|
84
84
|
requirements:
|
|
85
85
|
- - ! '>='
|
|
@@ -87,10 +87,10 @@ dependencies:
|
|
|
87
87
|
version: 1.6.4
|
|
88
88
|
type: :development
|
|
89
89
|
prerelease: false
|
|
90
|
-
version_requirements: *
|
|
90
|
+
version_requirements: *22089700
|
|
91
91
|
- !ruby/object:Gem::Dependency
|
|
92
92
|
name: rcov
|
|
93
|
-
requirement: &
|
|
93
|
+
requirement: &22089180 !ruby/object:Gem::Requirement
|
|
94
94
|
none: false
|
|
95
95
|
requirements:
|
|
96
96
|
- - ! '>='
|
|
@@ -98,7 +98,7 @@ dependencies:
|
|
|
98
98
|
version: '0'
|
|
99
99
|
type: :development
|
|
100
100
|
prerelease: false
|
|
101
|
-
version_requirements: *
|
|
101
|
+
version_requirements: *22089180
|
|
102
102
|
description: Temporary users and groups, rlimits
|
|
103
103
|
email: costan@gmail.com
|
|
104
104
|
executables: []
|
|
@@ -116,6 +116,7 @@ files:
|
|
|
116
116
|
- README.rdoc
|
|
117
117
|
- Rakefile
|
|
118
118
|
- VERSION
|
|
119
|
+
- exec_sandbox.gemspec
|
|
119
120
|
- lib/exec_sandbox.rb
|
|
120
121
|
- lib/exec_sandbox/sandbox.rb
|
|
121
122
|
- lib/exec_sandbox/spawn.rb
|
|
@@ -149,7 +150,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
149
150
|
version: '0'
|
|
150
151
|
segments:
|
|
151
152
|
- 0
|
|
152
|
-
hash:
|
|
153
|
+
hash: 1718344234877287063
|
|
153
154
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
154
155
|
none: false
|
|
155
156
|
requirements:
|