exec_sandbox 0.2.0 → 0.2.1

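--- a/data/Gemfile
+++ b/data/Gemfile
@@ -8,10 +8,11 @@ gem 'ffi', '>= 1.0.11'
  # Include everything needed to run rake, tests, features, etc.
  group :development do
  gem 'rdoc', '>= 3.10'
- gem 'rspec', '>= 2.6.0'
- gem 'yard', '>= 0.7.2'
+ gem 'rspec', '>= 2.8.0'
+ gem 'yard', '>= 0.7.5'
  gem 'yard-rspec', '>= 0.1'
  gem 'bundler', '>= 1.0.21'
- gem 'jeweler', '>= 1.6.4'
- gem 'rcov', '>= 0'
+ gem 'jeweler', '>= 1.8.3'
+ gem 'rcov', '>= 0', :platform => [:mri_18]
+ gem 'simplecov', '>= 0', :platform => [:mri_19]
  end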
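--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -4,24 +4,30 @@ GEM
  diff-lcs (1.1.3)
  ffi (1.0.11)
  git (1.2.5)
- jeweler (1.6.4)
+ jeweler (1.8.3)
  bundler (~> 1.0)
  git (>= 1.2.5)
  rake
- json (1.6.3)
+ rdoc
+ json (1.6.5)
+ multi_json (1.0.4)
  rake (0.9.2.2)
- rcov (0.9.11)
+ rcov (1.0.0)
  rdoc (3.12)
  json (~> 1.4)
- rspec (2.7.0)
- rspec-core (~> 2.7.0)
- rspec-expectations (~> 2.7.0)
- rspec-mocks (~> 2.7.0)
- rspec-core (2.7.1)
- rspec-expectations (2.7.0)
+ rspec (2.8.0)
+ rspec-core (~> 2.8.0)
+ rspec-expectations (~> 2.8.0)
+ rspec-mocks (~> 2.8.0)
+ rspec-core (2.8.0)
+ rspec-expectations (2.8.0)
  diff-lcs (~> 1.1.2)
- rspec-mocks (2.7.0)
- yard (0.7.4)
+ rspec-mocks (2.8.0)
+ simplecov (0.5.4)
+ multi_json (~> 1.0.3)
+ simplecov-html (~> 0.5.3)
+ simplecov-html (0.5.3)
+ yard (0.7.5)
  yard-rspec (0.1)
  yard
 
@@ -31,9 +37,10 @@ PLATFORMS
  DEPENDENCIES
  bundler (>= 1.0.21)
  ffi (>= 1.0.11)
- jeweler (>= 1.6.4)
+ jeweler (>= 1.8.3)
  rcov
  rdoc (>= 3.10)
- rspec (>= 2.6.0)
- yard (>= 0.7.2)
+ rspec (>= 2.8.0)
+ simplecov
+ yard (>= 0.7.5)
  yard-rspec (>= 0.1)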
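--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
- 0.2.0
+ 0.2.1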
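--- a/data/exec_sandbox.gemspec
+++ b/data/exec_sandbox.gemspec
@@ -5,11 +5,11 @@
 
  Gem::Specification.new do |s|
  s.name = "exec_sandbox"
- s.version = "0.2.0"
+ s.version = "0.2.1"
 
  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
  s.authors = ["Victor Costan"]
- s.date = "2011-12-20"
+ s.date = "2012-02-09"
  s.description = "Temporary users and groups, rlimits"
  s.email = "costan@gmail.com"
  s.extra_rdoc_files = [
@@ -50,7 +50,7 @@ Gem::Specification.new do |s|
  s.homepage = "http://github.com/pwnall/exec_sandbox"
  s.licenses = ["MIT"]
  s.require_paths = ["lib"]
- s.rubygems_version = "1.8.12"
+ s.rubygems_version = "1.8.15"
  s.summary = "Run foreign binaries using POSIX sandboxing features"
 
  if s.respond_to? :specification_version then
@@ -59,31 +59,34 @@ Gem::Specification.new do |s|
  if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
  s.add_runtime_dependency(%q<ffi>, [">= 1.0.11"])
  s.add_development_dependency(%q<rdoc>, [">= 3.10"])
- s.add_development_dependency(%q<rspec>, [">= 2.6.0"])
- s.add_development_dependency(%q<yard>, [">= 0.7.2"])
+ s.add_development_dependency(%q<rspec>, [">= 2.8.0"])
+ s.add_development_dependency(%q<yard>, [">= 0.7.5"])
  s.add_development_dependency(%q<yard-rspec>, [">= 0.1"])
  s.add_development_dependency(%q<bundler>, [">= 1.0.21"])
- s.add_development_dependency(%q<jeweler>, [">= 1.6.4"])
+ s.add_development_dependency(%q<jeweler>, [">= 1.8.3"])
  s.add_development_dependency(%q<rcov>, [">= 0"])
+ s.add_development_dependency(%q<simplecov>, [">= 0"])
  else
  s.add_dependency(%q<ffi>, [">= 1.0.11"])
  s.add_dependency(%q<rdoc>, [">= 3.10"])
- s.add_dependency(%q<rspec>, [">= 2.6.0"])
- s.add_dependency(%q<yard>, [">= 0.7.2"])
+ s.add_dependency(%q<rspec>, [">= 2.8.0"])
+ s.add_dependency(%q<yard>, [">= 0.7.5"])
  s.add_dependency(%q<yard-rspec>, [">= 0.1"])
  s.add_dependency(%q<bundler>, [">= 1.0.21"])
- s.add_dependency(%q<jeweler>, [">= 1.6.4"])
+ s.add_dependency(%q<jeweler>, [">= 1.8.3"])
  s.add_dependency(%q<rcov>, [">= 0"])
+ s.add_dependency(%q<simplecov>, [">= 0"])
  end
  else
  s.add_dependency(%q<ffi>, [">= 1.0.11"])
  s.add_dependency(%q<rdoc>, [">= 3.10"])
- s.add_dependency(%q<rspec>, [">= 2.6.0"])
- s.add_dependency(%q<yard>, [">= 0.7.2"])
+ s.add_dependency(%q<rspec>, [">= 2.8.0"])
+ s.add_dependency(%q<yard>, [">= 0.7.5"])
  s.add_dependency(%q<yard-rspec>, [">= 0.1"])
  s.add_dependency(%q<bundler>, [">= 1.0.21"])
- s.add_dependency(%q<jeweler>, [">= 1.6.4"])
+ s.add_dependency(%q<jeweler>, [">= 1.8.3"])
  s.add_dependency(%q<rcov>, [">= 0"])
+ s.add_dependency(%q<simplecov>, [">= 0"])
  end
  end
 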
@@ -84,7 +84,7 @@ class Sandbox
84
84
  # @param [Array, String] command to be run; use an array to pass arguments to
85
85
  # the command
86
86
  # @param [Hash] options stdin / stdout redirection and resource limitations
87
- # @option options [Hash] :limits see {Spawn#set_limits}
87
+ # @option options [Hash] :limits see {Spawn.limit_resources}
88
88
  # @option options [String] :in path to a file that is set as the child's stdin
89
89
  # @option options [String] :in_data contents to be written to a pipe that is
90
90
  # set as the child's stdin; if neither :in nor :in_data are specified, the
@@ -95,7 +95,7 @@ class Sandbox
95
95
  # @option options [Symbol] :err :none closes the child's stderr, :out
96
96
  # redirects the child's stderr to stdout; by default, the child's stderr
97
97
  # is the same as the parent's
98
- # @return [Hash] the result of {Wait4#wait4}, plus an :out_data key if no :out
98
+ # @return [Hash] the result of {Wait4.wait4}, plus an :out_data key if no :out
99
99
  # option is given
100
100
  def run(command, options = {})
101
101
  limits = options[:limits] || {}
@@ -172,6 +172,8 @@ end # module ExecSandbox::Sandbox
172
172
  #
173
173
  # @param [String] admin the name of a user who will be able to peek into the
174
174
  # sandbox (optional)
175
+ # @yieldparam [Sandbox] sandbox a Sandbox instance that will be automatically
176
+ # destroyed after the block returns
175
177
  # @return the value returned from the block passed to this method
176
178
  def self.use(admin = Etc.getlogin, &block)
177
179
  sandbox = ExecSandbox::Sandbox.new admin
@@ -190,7 +192,7 @@ end # module ExecSandbox::Sandbox
190
192
  #
191
193
  # @param [String] admin the name of a user who will be able to peek into the
192
194
  # sandbox (optional)
193
- # @return the value returned from the block passed to this method
195
+ # @return [Sandbox] the newly created sandbox
194
196
  def self.open(admin = Etc.getlogin)
195
197
  ExecSandbox::Sandbox.new admin
196
198
  end
@@ -82,8 +82,7 @@ module Spawn
82
82
  begin
83
83
  Process::Sys.setresgid principal[:gid], principal[:gid], principal[:gid]
84
84
  rescue NotImplementedError
85
- Process.gid = principal[:gid]
86
- Process.egid = principal[:gid]
85
+ Process::Sys.setgid principal[:gid]
87
86
  end
88
87
  end
89
88
  if principal[:uid]
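Review bot: Nothing after the `Process::Sys.setresgid` call or the new `Process::Sys.setgid` fallback confirms that the group drop actually took effect before the sandboxed command runs. setgid(2) replaces the real, effective and saved ids only for a privileged caller; for any other caller it changes the effective id alone, so the fallback path can leave the original gid recoverable by the child. A check placed after the `begin`/`rescue`, such as `raise 'gid drop failed' unless Process.gid == principal[:gid] && Process.egid == principal[:gid]`, would make a partial drop fail closed. The same applies to the `Process::Sys.setuid` fallback in the next hunk, with `Process.uid` and `Process.euid`. The enclosing method starts and ends outside the hunk, so whether supplementary groups are cleared before this point cannot be confirmed from here.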
@@ -96,8 +95,7 @@ module Spawn
96
95
  begin
97
96
  Process::Sys.setresuid principal[:uid], principal[:uid], principal[:uid]
98
97
  rescue NotImplementedError
99
- Process.uid = principal[:uid]
100
- Process.euid = principal[:uid]
98
+ Process::Sys.setuid principal[:uid]
101
99
  end
102
100
  end
103
101
  end
@@ -137,8 +135,11 @@ module Spawn
137
135
  limits[:open_files]
138
136
  end
139
137
  if limits[:data]
138
+ Process.setrlimit Process::RLIMIT_AS, limits[:data], limits[:data]
140
139
  Process.setrlimit Process::RLIMIT_DATA, limits[:data], limits[:data]
141
140
  Process.setrlimit Process::RLIMIT_STACK, limits[:data], limits[:data]
141
+ Process.setrlimit Process::RLIMIT_MEMLOCK, limits[:data], limits[:data]
142
+ Process.setrlimit Process::RLIMIT_RSS, limits[:data], limits[:data]
142
143
  end
143
144
  end
144
145
 
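Review bot: The added `Process.setrlimit Process::RLIMIT_MEMLOCK, limits[:data], limits[:data]` sets the locked-memory limit to the whole data budget, which is typically far above the system default and so widens what the child may pin rather than restricting it. If this runs after the uid drop (the ordering is outside this hunk), raising the hard limit would also fail with EPERM. Capping at the inherited hard limit avoids both: `cap = [limits[:data], Process.getrlimit(Process::RLIMIT_MEMLOCK)[1]].min` followed by `Process.setrlimit Process::RLIMIT_MEMLOCK, cap, cap`. `RLIMIT_AS`, `RLIMIT_MEMLOCK` and `RLIMIT_RSS` are only defined on platforms that support them, so each new line would be safer behind `if defined? Process::RLIMIT_RSS` (and likewise for the other two) to avoid a NameError during child setup. The `:limits` documentation should also state that `:data` now caps address space, locked memory and RSS as well as data and stack.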
@@ -227,11 +227,11 @@ describe ExecSandbox::Spawn do
227
227
  File.unlink(@temp_path) if File.exist?(@temp_path)
228
228
  end
229
229
 
230
- describe 'buffer.rb' do
230
+ describe 'buffer.rb with 512 megs' do
231
231
  describe 'without limitations' do
232
232
  before do
233
233
  pid = ExecSandbox::Spawn.spawn [bin_fixture(:buffer), @temp_path,
234
- (100 * 1024 * 1024).to_s], {:err => STDERR}, {}, {}
234
+ (512 * 1024 * 1024).to_s], {:err => STDERR}, {}, {}
235
235
  @status = ExecSandbox::Wait4.wait4 pid
236
236
  end
237
237
 
@@ -239,15 +239,15 @@ describe ExecSandbox::Spawn do
239
239
  @status[:exit_code].should == 0
240
240
  end
241
241
 
242
- it 'should output 100 megs' do
243
- File.stat(@temp_path).size.should == 100 * 1024 * 1024
242
+ it 'should output 512 megs' do
243
+ File.stat(@temp_path).size.should == 512 * 1024 * 1024
244
244
  end
245
245
  end
246
246
 
247
- describe 'with memory limitation' do
247
+ describe 'with 256mb memory limitation' do
248
248
  before do
249
249
  pid = ExecSandbox::Spawn.spawn [bin_fixture(:buffer), @temp_path,
250
- (100 * 1024 * 1024).to_s], {}, {}, {:data => 64 * 1024 * 1024}
250
+ (512 * 1024 * 1024).to_s], {}, {}, {:data => 256 * 1024 * 1024}
251
251
  @status = ExecSandbox::Wait4.wait4 pid
252
252
  end
253
253
 
@@ -260,10 +260,11 @@ describe ExecSandbox::Spawn do
260
260
  end
261
261
  end
262
262
 
263
- describe 'with output limitation' do
263
+ describe 'with 256mb output limitation' do
264
264
  before do
265
265
  pid = ExecSandbox::Spawn.spawn [bin_fixture(:buffer), @temp_path,
266
- (100 * 1024 * 1024).to_s], {}, {}, {:file_size => 8 * 1024 * 1024}
266
+ (512 * 1024 * 1024).to_s], {}, {},
267
+ {:file_size => 64 * 1024 * 1024}
267
268
  @status = ExecSandbox::Wait4.wait4 pid
268
269
  end
269
270
 
@@ -271,12 +272,56 @@ describe ExecSandbox::Spawn do
271
272
  @status[:exit_code].should_not == 0
272
273
  end
273
274
 
274
- it 'should not output more than 16 megs' do
275
- File.stat(@temp_path).size.should <= 16 * 1024 * 1024
275
+ it 'should not output more than 256 megs' do
276
+ File.stat(@temp_path).size.should <= 256 * 1024 * 1024
276
277
  end
277
278
  end
278
279
  end
279
280
 
281
+ describe 'buffer.rb with 128 megs' do
282
+ shared_examples_for 'working' do
283
+ it 'should not crash' do
284
+ @status[:exit_code].should == 0
285
+ end
286
+
287
+ it 'should output 128 megs' do
288
+ File.stat(@temp_path).size.should == 128 * 1024 * 1024
289
+ end
290
+ end
291
+
292
+ describe 'without limitations' do
293
+ before do
294
+ pid = ExecSandbox::Spawn.spawn [bin_fixture(:buffer), @temp_path,
295
+ (128 * 1024 * 1024).to_s], {:err => STDERR}, {}, {}
296
+ @status = ExecSandbox::Wait4.wait4 pid
297
+ end
298
+
299
+ it_behaves_like 'working'
300
+ end
301
+
302
+ describe 'with 256mb memory limitation' do
303
+ before do
304
+ pid = ExecSandbox::Spawn.spawn [bin_fixture(:buffer), @temp_path,
305
+ (128 * 1024 * 1024).to_s], {}, {}, {:data => 256 * 1024 * 1024}
306
+ @status = ExecSandbox::Wait4.wait4 pid
307
+ end
308
+
309
+ it_behaves_like 'working'
310
+ end
311
+
312
+ describe 'with 256mb output limitation' do
313
+ before do
314
+ pid = ExecSandbox::Spawn.spawn [bin_fixture(:buffer), @temp_path,
315
+ (128 * 1024 * 1024).to_s], {}, {},
316
+ {:file_size => 256 * 1024 * 1024}
317
+ @status = ExecSandbox::Wait4.wait4 pid
318
+ end
319
+
320
+ it_behaves_like 'working'
321
+ end
322
+ end
323
+
324
+
280
325
  describe 'fork.rb' do
281
326
  describe 'without limitations' do
282
327
  before do
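Review bot: The bound in 'should not output more than 256 megs' is four times the `:file_size => 64 * 1024 * 1024` limit set in the previous hunk, and that group is labelled 'with 256mb output limitation', so the spec no longer pins what the limit enforces. A sandbox that let the child write up to 256 MB under a 64 MB file-size limit would still pass. Suggest aligning label and assertion with the configured value, `describe 'with 64mb output limitation' do` and `File.stat(@temp_path).size.should <= 64 * 1024 * 1024`. If the slack is deliberate, a comment stating why would help. The added 'buffer.rb with 128 megs' group only covers runs that stay under their limits, so this assertion is the only one exercising the file-size cap.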
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: exec_sandbox
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.2.0
4
+ version: 0.2.1
5
5
  prerelease:
6
6
  platform: ruby
7
7
  authors:
@@ -9,11 +9,11 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2011-12-20 00:00:00.000000000Z
12
+ date: 2012-02-09 00:00:00.000000000Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: ffi
16
- requirement: &26627980 !ruby/object:Gem::Requirement
16
+ requirement: &15141280 !ruby/object:Gem::Requirement
17
17
  none: false
18
18
  requirements:
19
19
  - - ! '>='
@@ -21,10 +21,10 @@ dependencies:
21
21
  version: 1.0.11
22
22
  type: :runtime
23
23
  prerelease: false
24
- version_requirements: *26627980
24
+ version_requirements: *15141280
25
25
  - !ruby/object:Gem::Dependency
26
26
  name: rdoc
27
- requirement: &26627380 !ruby/object:Gem::Requirement
27
+ requirement: &15140420 !ruby/object:Gem::Requirement
28
28
  none: false
29
29
  requirements:
30
30
  - - ! '>='
@@ -32,32 +32,32 @@ dependencies:
32
32
  version: '3.10'
33
33
  type: :development
34
34
  prerelease: false
35
- version_requirements: *26627380
35
+ version_requirements: *15140420
36
36
  - !ruby/object:Gem::Dependency
37
37
  name: rspec
38
- requirement: &26626760 !ruby/object:Gem::Requirement
38
+ requirement: &15139620 !ruby/object:Gem::Requirement
39
39
  none: false
40
40
  requirements:
41
41
  - - ! '>='
42
42
  - !ruby/object:Gem::Version
43
- version: 2.6.0
43
+ version: 2.8.0
44
44
  type: :development
45
45
  prerelease: false
46
- version_requirements: *26626760
46
+ version_requirements: *15139620
47
47
  - !ruby/object:Gem::Dependency
48
48
  name: yard
49
- requirement: &26626260 !ruby/object:Gem::Requirement
49
+ requirement: &15138880 !ruby/object:Gem::Requirement
50
50
  none: false
51
51
  requirements:
52
52
  - - ! '>='
53
53
  - !ruby/object:Gem::Version
54
- version: 0.7.2
54
+ version: 0.7.5
55
55
  type: :development
56
56
  prerelease: false
57
- version_requirements: *26626260
57
+ version_requirements: *15138880
58
58
  - !ruby/object:Gem::Dependency
59
59
  name: yard-rspec
60
- requirement: &26625740 !ruby/object:Gem::Requirement
60
+ requirement: &15138100 !ruby/object:Gem::Requirement
61
61
  none: false
62
62
  requirements:
63
63
  - - ! '>='
@@ -65,10 +65,10 @@ dependencies:
65
65
  version: '0.1'
66
66
  type: :development
67
67
  prerelease: false
68
- version_requirements: *26625740
68
+ version_requirements: *15138100
69
69
  - !ruby/object:Gem::Dependency
70
70
  name: bundler
71
- requirement: &26625220 !ruby/object:Gem::Requirement
71
+ requirement: &15131120 !ruby/object:Gem::Requirement
72
72
  none: false
73
73
  requirements:
74
74
  - - ! '>='
@@ -76,21 +76,21 @@ dependencies:
76
76
  version: 1.0.21
77
77
  type: :development
78
78
  prerelease: false
79
- version_requirements: *26625220
79
+ version_requirements: *15131120
80
80
  - !ruby/object:Gem::Dependency
81
81
  name: jeweler
82
- requirement: &26624740 !ruby/object:Gem::Requirement
82
+ requirement: &15130400 !ruby/object:Gem::Requirement
83
83
  none: false
84
84
  requirements:
85
85
  - - ! '>='
86
86
  - !ruby/object:Gem::Version
87
- version: 1.6.4
87
+ version: 1.8.3
88
88
  type: :development
89
89
  prerelease: false
90
- version_requirements: *26624740
90
+ version_requirements: *15130400
91
91
  - !ruby/object:Gem::Dependency
92
92
  name: rcov
93
- requirement: &26624240 !ruby/object:Gem::Requirement
93
+ requirement: &15129480 !ruby/object:Gem::Requirement
94
94
  none: false
95
95
  requirements:
96
96
  - - ! '>='
@@ -98,7 +98,18 @@ dependencies:
98
98
  version: '0'
99
99
  type: :development
100
100
  prerelease: false
101
- version_requirements: *26624240
101
+ version_requirements: *15129480
102
+ - !ruby/object:Gem::Dependency
103
+ name: simplecov
104
+ requirement: &15128580 !ruby/object:Gem::Requirement
105
+ none: false
106
+ requirements:
107
+ - - ! '>='
108
+ - !ruby/object:Gem::Version
109
+ version: '0'
110
+ type: :development
111
+ prerelease: false
112
+ version_requirements: *15128580
102
113
  description: Temporary users and groups, rlimits
103
114
  email: costan@gmail.com
104
115
  executables: []
@@ -151,7 +162,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
151
162
  version: '0'
152
163
  segments:
153
164
  - 0
154
- hash: -1397950588643828772
165
+ hash: -4546133862782205398
155
166
  required_rubygems_version: !ruby/object:Gem::Requirement
156
167
  none: false
157
168
  requirements:
@@ -160,7 +171,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
160
171
  version: '0'
161
172
  requirements: []
162
173
  rubyforge_project:
163
- rubygems_version: 1.8.12
174
+ rubygems_version: 1.8.15
164
175
  signing_key:
165
176
  specification_version: 3
166
177
  summary: Run foreign binaries using POSIX sandboxing features