exec_sandbox 0.1.0

data/lib/exec_sandbox/wait4.rb

@@ -0,0 +1,85 @@
+# namespace
+module ExecSandbox
+
+# Interface to the wait4 system call using the ffi library.
+module Wait4
+  # Waits for a process to end, and collects its exit status and resource usage.
+  #
+  # @param [Fixnum] pid the PID of the process to wait for; should be a child of
+  #                     this process
+  # @return [Hash] exit code and resource usage information
+  def self.wait4(pid)
+    status_ptr = FFI::MemoryPointer.new :int
+    rusage = ExecSandbox::Wait4::Rusage.new
+    returned_pid = LibC.wait4(pid, status_ptr, 0, rusage.pointer)
+    raise SystemCallError, FFI.errno if returned_pid < 0
+    status = { :bits => status_ptr.read_int }
+    status_ptr.free
+    
+    signal_code = status[:bits] & 0x7f
+    status[:exit_code] = (signal_code != 0) ? -signal_code : status[:bits] >> 8
+    status[:user_time] = rusage[:ru_utime_sec] +
+                        rusage[:ru_utime_usec] * 0.000_001
+    status[:system_time] = rusage[:ru_utime_sec] +
+                          rusage[:ru_utime_usec] * 0.000_001 
+    status[:rss] = rusage[:ru_maxrss] / 1024.0
+    return status
+  end
+
+  # Maps wait4 in libc.
+  module LibC
+    extend FFI::Library
+    ffi_lib FFI::Library::LIBC
+    attach_function :wait4, [:int, :pointer, :int, :pointer], :int,
+                    :blocking => true
+  end  # module ExecSandbox::Wait4::Libc
+  
+  # Maps struct rusage in sys/resource.h, used by wait4.
+  class Rusage < FFI::Struct
+    # Total amount of user time used.
+    layout :ru_utime_sec, :time_t,
+           :ru_utime_usec, :suseconds_t,
+    # Total amount of system time used.
+           :ru_stime_sec, :time_t,
+           :ru_stime_usec, :suseconds_t,
+    # Maximum resident set size (in kilobytes).
+           :ru_maxrss, :long,
+    # Amount of sharing of text segment memory with other processes
+    # (kilobyte-seconds).
+           :ru_ixrss, :long,
+    # Amount of data segment memory used (kilobyte-seconds).
+           :ru_idrss, :long,
+    # Amount of stack memory used (kilobyte-seconds).
+           :ru_isrss, :long,
+    # Number of soft page faults (i.e. those serviced by reclaiming a page from
+    # the list of pages awaiting reallocation.
+           :ru_minflt, :long,
+    # Number of hard page faults (i.e. those that required I/O).
+           :ru_majflt, :long,
+    # Number of times a process was swapped out of physical memory.
+           :ru_nswap, :long,
+    # Number of input operations via the file system.  Note: This and
+    # `ru_oublock' do not include operations with the cache.
+           :ru_inblock, :long,
+    # Number of output operations via the file system.
+           :ru_oublock, :long,
+    # Number of IPC messages sent.
+           :ru_msgsnd, :long,
+    # Number of IPC messages received.
+           :ru_msgrcv, :long,
+    # Number of signals delivered.
+           :ru_nsignals, :long,
+    # Number of voluntary context switches, i.e. because the process gave up the
+    # process before it had to (usually to wait for some resource to be
+    # available).
+           :ru_nvcsw, :long,
+    # Number of involuntary context switches, i.e. a higher priority process
+    # became runnable or the current process used up its time slice.
+           :ru_nivcsw, :long,
+    # Padding, so we don't crash if the struct gets ammended on newer OSes.
+           :padding, :uchar, 256
+  end  # struct ExecSandbox::Wait4::Rusage
+
+end  # module ExecSandbox::Wait4
+  
+end  # namespace ExecSandbox

data/lib/exec_sandbox.rb

@@ -0,0 +1,23 @@
+# @title ExecSandbox - Run foreign binaries using POSIX sandboxing features 
+# @author Victor Costan
+
+# Standard library
+require 'English'
+require 'etc'
+require 'fcntl'
+require 'fileutils'
+require 'tempfile'
+require 'tmpdir'
+
+# Gems
+require 'ffi'
+
+# TODO(pwnall): documentation
+module ExecSandbox
+end  # namespace ExecSandbox
+
+# Code
+require 'exec_sandbox/sandbox.rb'
+require 'exec_sandbox/spawn.rb'
+require 'exec_sandbox/users.rb'
+require 'exec_sandbox/wait4.rb'

data/spec/exec_sandbox/sandbox_spec.rb

@@ -0,0 +1,138 @@
+require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
+
+describe ExecSandbox::Sandbox do  
+  describe 'IO redirection' do
+    before do
+      @temp_in = Tempfile.new 'exec_sandbox_rspec'
+      @temp_in.write "I/O test\n"
+      @temp_in.close
+      @temp_out = Tempfile.new 'exec_sandbox_rspec'
+      @temp_out.close
+      
+      ExecSandbox.use do |s|
+        @result = s.run bin_fixture(:duplicate), :in => @temp_in.path,
+                                                 :out => @temp_out.path
+      end
+    end
+    after do
+      @temp_in.unlink
+      @temp_out.unlink
+    end
+
+    it 'should not crash' do
+      @result[:exit_code].should == 0
+    end
+    
+    it 'should produce the correct result' do
+      File.read(@temp_out.path).should == "I/O test\nI/O test\n" 
+    end
+  end
+  
+  describe 'pipe redirection' do
+    before do
+      ExecSandbox.use do |s|
+        @result = s.run bin_fixture(:duplicate), :in_data => "Pipe test\n"
+      end
+    end
+    
+    it 'should not crash' do
+      @result[:exit_code].should == 0
+    end
+    
+    it 'should produce the correct result' do
+      @result[:out_data].should == "Pipe test\nPipe test\n"
+    end
+  end
+  
+  
+  describe 'resource limitations' do
+    describe 'churn.rb' do
+      before do
+        @temp_out = Tempfile.new 'exec_sandbox_rspec'
+        @temp_out.close
+      end
+      after do
+        @temp_out.unlink
+      end
+      
+      describe 'without limitations' do
+        before do
+          ExecSandbox.use do |s|
+            @result = s.run [bin_fixture(:churn), 'stdout', 3.to_s]
+            s.pull 'stdout', @temp_out.path
+          end
+        end
+  
+        it 'should not crash' do
+          @result[:exit_code].should == 0
+        end
+        
+        it 'should run for at least 2 seconds' do
+          (@result[:user_time] + @result[:system_time]).should > 2
+        end
+        
+        it 'should output something' do
+          File.stat(@temp_out.path).size.should > 0
+        end
+      end
+      
+      describe 'with CPU time limitation' do
+        before do
+          ExecSandbox.use do |s|
+            @result = s.run [bin_fixture(:churn), 'stdout', 3.to_s],
+                            :limits => {:cpu => 1}
+            s.pull 'stdout', @temp_out.path
+          end
+        end
+  
+        it 'should run for at least 0.5 seconds' do
+          (@result[:user_time] + @result[:system_time]).should >= 0.5
+        end
+  
+        it 'should run for less than 2 seconds' do
+          (@result[:user_time] + @result[:system_time]).should < 2
+        end
+        
+        it 'should not have a chance to output' do
+          File.stat(@temp_out.path).size.should == 0
+        end
+      end
+    end
+  end
+  
+  describe '#push' do
+    let(:test_user) { Etc.getlogin }
+    let(:test_uid) { Etc.getpwnam(test_user).uid }
+    let(:test_gid) { Etc.getpwnam(test_user).gid }
+    let(:test_group) { Etc.getgrgid(test_gid).name }
+
+    before do
+      @sandbox = ExecSandbox.open test_user
+    end
+    after do
+      @sandbox.close
+    end
+    
+    describe 'a file' do
+      before do
+        @to = @sandbox.push __FILE__
+      end
+      
+      it 'should copy straight to the sandbox directory' do
+        File.dirname(@to).should == @sandbox.path
+      end
+      
+      it 'should use the same file name' do
+        File.basename(@to).should == 'sandbox_spec.rb' 
+      end
+      
+      it "should set the file's owner to the admin" do
+        File.stat(@to).uid.should == test_uid
+      end
+      
+      it "should not set the file's group to the admin" do
+        File.stat(@to).gid.should_not == test_gid
+      end
+    end
+  end
+end

data/spec/exec_sandbox/spawn_spec.rb

@@ -0,0 +1,327 @@
+require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
+
+describe ExecSandbox::Spawn do
+  let(:test_user) { Etc.getlogin }
+  let(:test_uid) { Etc.getpwnam(test_user).uid }
+  let(:test_gid) { Etc.getpwnam(test_user).gid }
+  let(:test_group) { Etc.getgrgid(test_gid).name }
+  
+  describe '#spawn IO redirection' do
+    before do
+      @temp_in = Tempfile.new 'exec_sandbox_rspec'
+      @temp_in.write "Spawn IO test\n"
+      @temp_in.close
+      @temp_out = Tempfile.new 'exec_sandbox_rspec'
+      @temp_out.close
+    end
+    after do
+      @temp_in.unlink
+      @temp_out.unlink
+    end
+
+    shared_examples_for 'duplicate.rb' do
+      it 'should not crash' do
+        @status[:exit_code].should == 0
+      end
+      
+      it 'should write successfully' do
+        @temp_out.open
+        begin
+          @temp_out.read.should == "Spawn IO test\nSpawn IO test\n"
+        ensure
+          @temp_out.close
+        end
+      end
+    end
+    
+    describe 'with paths' do
+      before do
+        pid = ExecSandbox::Spawn.spawn bin_fixture(:duplicate),
+            {:in => @temp_in.path, :out => @temp_out.path}
+        @status = ExecSandbox::Wait4.wait4 pid
+      end
+
+      it_behaves_like 'duplicate.rb'        
+    end
+    
+    describe 'with file descriptors' do
+      before do
+        File.open(@temp_in.path, 'r') do |in_io|
+          File.open(@temp_out.path, 'w') do |out_io|
+            pid = ExecSandbox::Spawn.spawn bin_fixture(:duplicate),
+                {:in => in_io, :out => out_io, :err => STDERR}
+            @status = ExecSandbox::Wait4.wait4 pid
+          end
+        end
+      end
+
+      it_behaves_like 'duplicate.rb'
+    end
+    
+    describe 'without stdout' do
+      before do
+        pid = ExecSandbox::Spawn.spawn bin_fixture(:duplicate),
+                                       {:in => @temp_in.path}
+        @status = ExecSandbox::Wait4.wait4 pid
+      end
+      
+      it 'should crash' do
+        @status[:exit_code].should_not == 0
+      end
+    end
+  end
+
+  describe '#spawn principal' do
+    before do
+      @temp = Tempfile.new 'exec_sandbox_rspec'
+      @temp_path = @temp.path
+      @temp.close
+    end
+    after do
+      File.unlink(@temp_path) if File.exist?(@temp_path)
+    end
+    
+    describe 'with root credentials' do
+      before do
+        pid = ExecSandbox::Spawn.spawn [bin_fixture(:write_arg),
+            @temp_path, "Spawn uid test\n"], {:err => STDERR},
+            {:uid => 0, :gid => 0}
+        @status = ExecSandbox::Wait4.wait4 pid
+        @fstat = File.stat(@temp_path)
+      end
+      
+      it 'should not crash' do
+        @status[:exit_code].should == 0
+      end
+      
+      it 'should have the UID set to root' do
+        @fstat.uid.should == 0
+      end
+      it 'should have the GID set to root' do
+        @fstat.gid.should == 0
+      end
+
+      it 'should have the correct output' do
+        File.read(@temp_path).should == "Spawn uid test\n"
+      end
+    end
+    
+    describe 'with non-root credentials' do
+      before do
+        @temp.unlink
+        pid = ExecSandbox::Spawn.spawn [bin_fixture(:write_arg),
+            @temp_path, "Spawn uid test\n"], {:err => STDERR},
+            {:uid => test_uid, :gid => test_gid}
+        @status = ExecSandbox::Wait4.wait4 pid
+      end
+      
+      it 'should not crash' do
+        @status[:exit_code].should == 0
+      end
+      
+      it 'should have the UID set to the test user' do
+        File.stat(@temp_path).uid.should == test_uid
+      end
+      it 'should have the GID set to the test group' do
+        File.stat(@temp_path).gid.should == test_gid
+      end
+      
+      it 'should have the correct output' do
+        File.read(@temp_path).should == "Spawn uid test\n"
+      end
+    end
+
+    describe 'with non-root credentials and a root-owned redirect file' do
+      before do
+        File.chmod 0700, @temp_path
+        pid = ExecSandbox::Spawn.spawn [bin_fixture(:write_arg),
+            @temp_path, "Spawn uid test\n"], {},
+            {:uid => test_uid, :gid => test_gid}
+        @status = ExecSandbox::Wait4.wait4 pid
+      end
+      
+      it 'should crash (euid is set correctly)' do
+        @status[:exit_code].should_not == 0
+      end
+
+      it 'should not have the correct output' do
+        File.read(@temp_path).should_not == "Spawn uid test\n"
+      end
+    end
+    
+    describe 'with non-root credentials and a root-owned redirect file' do
+      before do
+        File.chmod 070, @temp_path
+        pid = ExecSandbox::Spawn.spawn [bin_fixture(:write_arg), @temp_path,
+            "Spawn uid test\n"], {},
+            {:uid => test_uid, :gid => test_gid}
+        @status = ExecSandbox::Wait4.wait4 pid
+      end
+      
+      it 'should crash (egid is set correctly)' do
+        @status[:exit_code].should_not == 0
+      end
+
+      it 'should not have the correct output' do
+        File.read(@temp_path).should_not == "Spawn uid test\n"
+      end
+    end
+    
+    describe 'with a working directory' do
+      before do
+        @temp_dir = Dir.mktmpdir 'exec_sandbox_rspec'
+        pid = ExecSandbox::Spawn.spawn [bin_fixture(:pwd), @temp_path],
+            {}, {:dir => @temp_dir}        
+        @status = ExecSandbox::Wait4.wait4 pid
+      end
+      after do
+        Dir.rmdir @temp_dir
+      end
+      
+      it 'should not crash' do
+        @status[:exit_code].should == 0
+      end
+      
+      it 'should set the working directory' do
+        File.read(@temp_path).should == @temp_dir
+      end
+    end
+  end
+  
+  describe '#spawn resource limits' do
+    before do
+      @temp = Tempfile.new 'exec_sandbox_rspec'
+      @temp_path = @temp.path
+      @temp.close
+    end
+    after do
+      File.unlink(@temp_path) if File.exist?(@temp_path)
+    end
+    
+    describe 'buffer.rb' do
+      describe 'without limitations' do
+        before do
+          pid = ExecSandbox::Spawn.spawn [bin_fixture(:buffer), @temp_path,
+              (100 * 1024 * 1024).to_s], {:err => STDERR}, {}, {}
+          @status = ExecSandbox::Wait4.wait4 pid
+        end
+
+        it 'should not crash' do
+          @status[:exit_code].should == 0
+        end
+        
+        it 'should output 100 megs' do
+          File.stat(@temp_path).size.should == 100 * 1024 * 1024
+        end
+      end
+      
+      describe 'with memory limitation' do
+        before do
+          pid = ExecSandbox::Spawn.spawn [bin_fixture(:buffer), @temp_path,
+              (100 * 1024 * 1024).to_s], {}, {}, {:data => 64 * 1024 * 1024}
+          @status = ExecSandbox::Wait4.wait4 pid
+        end
+        
+        it 'should crash' do
+          @status[:exit_code].should_not == 0
+        end
+        
+        it 'should not have a chance to output data' do
+          File.stat(@temp_path).size.should == 0
+        end
+      end
+      
+      describe 'with output limitation' do
+        before do
+          pid = ExecSandbox::Spawn.spawn [bin_fixture(:buffer), @temp_path,
+              (100 * 1024 * 1024).to_s], {}, {}, {:file_size => 8 * 1024 * 1024}
+          @status = ExecSandbox::Wait4.wait4 pid
+        end
+        
+        it 'should crash' do
+          @status[:exit_code].should_not == 0
+        end
+        
+        it 'should not output more than 16 megs' do
+          File.stat(@temp_path).size.should <= 16 * 1024 * 1024
+        end
+      end
+    end
+    
+    describe 'fork.rb' do
+      describe 'without limitations' do
+        before do
+          pid = ExecSandbox::Spawn.spawn [bin_fixture(:fork), @temp_path,
+              10.to_s], {:err => STDERR}, {}, {}
+          @status = ExecSandbox::Wait4.wait4 pid
+        end
+
+        it 'should not crash' do
+          @status[:exit_code].should == 0
+        end
+        
+        it 'should output 10 +es' do
+          File.stat(@temp_path).size.should == 10
+        end
+      end
+      
+      describe 'with sub-process limitation' do
+        before do
+          pid = ExecSandbox::Spawn.spawn [bin_fixture(:fork), @temp_path,
+              10.to_s], {}, {}, {:processes => 4}
+          @status = ExecSandbox::Wait4.wait4 pid
+        end
+        
+        it 'should crash' do
+          @status[:exit_code].should_not == 0
+        end
+        
+        it 'should output less than 5 +es' do
+          File.stat(@temp_path).size.should < 5
+        end
+      end
+    end
+    
+    describe 'churn.rb' do
+      describe 'without limitations' do
+        before do
+          pid = ExecSandbox::Spawn.spawn [bin_fixture(:churn), @temp_path,
+              3.to_s], {:err => STDERR}, {}, {}
+          @status = ExecSandbox::Wait4.wait4 pid
+        end
+
+        it 'should not crash' do
+          @status[:exit_code].should == 0
+        end
+        
+        it 'should run for at least 2 seconds' do
+          (@status[:user_time] + @status[:system_time]).should > 2
+        end
+        
+        it 'should output something' do
+          File.stat(@temp_path).size.should > 0
+        end
+      end
+      
+      describe 'with CPU time limitation' do
+        before do
+          pid = ExecSandbox::Spawn.spawn [bin_fixture(:churn), @temp_path,
+              10.to_s], {}, {}, {:cpu => 1}
+          @status = ExecSandbox::Wait4.wait4 pid
+        end
+
+        it 'should run for at least 0.5 seconds' do
+          (@status[:user_time] + @status[:system_time]).should >= 0.5
+        end
+
+        it 'should run for less than 2 seconds' do
+          (@status[:user_time] + @status[:system_time]).should < 2
+        end
+        
+        it 'should not have a chance to output' do
+          File.stat(@temp_path).size.should == 0
+        end
+      end
+    end
+  end
+end

data/spec/exec_sandbox/users_spec.rb

@@ -0,0 +1,125 @@
+require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
+
+describe ExecSandbox::Users do
+  let(:test_user) { 'exec_sandbox_rspec' }
+  let(:test_group) { Etc.getgrgid(Etc.getpwnam(Etc.getlogin).gid).name }
+  
+  describe '#temp' do
+    before { @user_name = ExecSandbox::Users.temp 'exsbx.rspec' }
+    after { ExecSandbox::Users.destroy @user_name }
+    
+    it 'should create a user whose name starts with the prefix' do
+      @user_name.should match(/^exsbx\.rspec/)
+    end
+
+    it 'should create a user' do
+      Etc.getpwnam(@user_name).should_not be_nil
+    end
+    
+    it 'should create a group with the same name' do
+      Etc.getgrgid(Etc.getpwnam(@user_name).gid).name.should == @user_name
+    end
+    
+    it 'should create a home directory for the user' do
+      File.exist?(Etc.getpwnam(@user_name).dir).should be_true
+    end
+  end
+  
+  describe '#create' do    
+    shared_examples_for 'user creation' do
+      it 'should return the UID of a user with the right name' do
+        Etc.getpwuid(@uid).name.should == test_user
+      end
+  
+      it "should create the new user's home directory" do
+        File.exist?(Etc.getpwuid(@uid).dir).should be_true
+      end
+
+      it "should have the new user's name in its home directory" do
+        Etc.getpwuid(@uid).dir.should match(test_user)
+      end
+    end
+    
+    describe 'with no group' do
+      before do
+        @uid = ExecSandbox::Users.create test_user
+      end
+      
+      after do
+        ExecSandbox::Users.destroy test_user
+      end
+      
+      it_should_behave_like 'user creation'
+
+      it "should create a group with the user's name" do
+        Etc.getgrnam(test_user).should_not be_nil
+      end
+      
+      it "should set the new user's GID to the group" do
+        Etc.getpwuid(@uid).gid.should == Etc.getgrnam(test_user).gid
+      end
+    end
+    
+    describe 'with given group' do
+      before do
+        @uid = ExecSandbox::Users.create test_user, test_group
+      end
+      
+      after do
+        ExecSandbox::Users.destroy test_user
+      end
+      
+      it_should_behave_like 'user creation'
+  
+      it "should not create a group with the user's name" do
+        lambda {
+          Etc.getgrnam(test_user)
+        }.should raise_error(ArgumentError)
+      end
+      
+      it "should set the new user's GID to the correct group" do
+        Etc.getpwuid(@uid).gid.should == Etc.getgrnam(test_group).gid
+      end
+    end
+  end
+  
+  describe '#destroy' do
+    describe 'with single-use group' do
+      before do
+        ExecSandbox::Users.create test_user
+        @home_dir = Etc.getpwnam(test_user)
+        ExecSandbox::Users.destroy test_user
+      end
+      
+      it 'should remove the user' do
+        lambda {
+          Etc.getpwnam(test_user)
+        }.should raise_error(ArgumentError)
+      end
+  
+      it "should remove the user's group" do
+        lambda {
+          Etc.getgrnam(test_user)
+        }.should raise_error(ArgumentError)
+      end
+    end
+    
+    describe 'delete_user with shared group' do
+      before do
+        ExecSandbox::Users.create test_user, test_group
+        @home_dir = Etc.getpwnam(test_user)
+        ExecSandbox::Users.destroy test_user
+      end
+      
+      it 'should remove the user' do
+        lambda {
+          Etc.getpwnam(test_user)
+        }.should raise_error(ArgumentError)
+      end
+  
+      it "should not remove the generic group" do
+        Etc.getgrnam(test_group).should_not be_nil
+      end
+    end
+  end
+end