exec_sandbox 0.2.5 → 0.2.6
- checksums.yaml +4 -4
- data/VERSION +1 -1
- data/exec_sandbox.gemspec +3 -4
- data/lib/exec_sandbox/spawn.rb +3 -2
- data/spec/exec_sandbox/spawn_spec.rb +72 -51
- metadata +3 -3
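--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 09f406c9093bf2a8b3fb29e4eff7fb66440212e4
+data.tar.gz: d1843fe96b2b322628773e4c492aa30876939bb9
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 72dc4cb65baf9b34dd5329ed9d454e7d9ebc38926337122e5ecba16e851fad4100542130f8e91b032f2543278cd96b5247ca67775a1c551bfab63412eb047bed
+data.tar.gz: 75139dd187ab0dcb646d1257a4101806480ce6b26911beb1084758e89acebeaae505f8bc9723a7f7372fcf28d608f9764a8f36e8c4bce93021fbc6b5770b08d9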
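--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-0.2.
+0.2.6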
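--- a/data/exec_sandbox.gemspec
+++ b/data/exec_sandbox.gemspec
@@ -2,15 +2,14 @@
 # DO NOT EDIT THIS FILE DIRECTLY
 # Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
 # -*- encoding: utf-8 -*-
-# stub: exec_sandbox 0.2.5 ruby lib
 
 Gem::Specification.new do |s|
 s.name = "exec_sandbox"
-s.version = "0.2.
+s.version = "0.2.6"
 
 s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
 s.authors = ["Victor Costan"]
-s.date = "2014-02-
+s.date = "2014-02-06"
 s.description = "Temporary users and groups, rlimits"
 s.email = "costan@gmail.com"
 s.extra_rdoc_files = [
@@ -51,7 +50,7 @@ Gem::Specification.new do |s|
 s.homepage = "http://github.com/pwnall/exec_sandbox"
 s.licenses = ["MIT"]
 s.require_paths = ["lib"]
-s.rubygems_version = "2.
+s.rubygems_version = "2.0.14"
 s.summary = "Run foreign binaries using POSIX sandboxing features"
 
 if s.respond_to? :specification_version then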
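--- a/data/lib/exec_sandbox/spawn.rb
+++ b/data/lib/exec_sandbox/spawn.rb
@@ -64,7 +64,7 @@ module Spawn
 # Close all file descriptors not in the redirection table.
 redirected_fds = Set.new redirects.map(&:first)
 max_fd = LibC.getdtablesize
-
+max_fd.downto 0 do |fd|
 next if redirected_fds.include?(fd)
 
 next if RubyVM.rb_reserved_fd_p(fd) != 0
@@ -164,10 +164,11 @@ module Spawn
 # Maps an internal MRI function that we need.
 module RubyVM
 extend FFI::Library
-ffi_lib
+ffi_lib FFI::Library::CURRENT_PROCESS
 begin
 attach_function :rb_reserved_fd_p, [:int], :int
 rescue FFI::NotFoundError
+p 'Using fd_p emulation'
 # Emulation of internal MRI function.
 #
 # This is a fallback, used in case FFI can't find the MRI function.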
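Review bot: The upper bound of the close loop, `max_fd = LibC.getdtablesize` feeding `max_fd.downto 0 do |fd|`, is the descriptor-table size, which for getdtablesize(3) follows the current soft limit on open files rather than the highest descriptor actually open. Assuming `LibC.getdtablesize` is a plain binding, a descriptor opened before that limit was lowered sits above the bound and would stay open in the sandboxed child; whether the resource limits passed to spawn are applied before or after this loop is not visible in the hunk. A comment on the loop, e.g. `# Bound is the soft RLIMIT_NOFILE; run this before lowering any limit`, would pin the ordering down. In the second hunk, `p 'Using fd_p emulation'` prints to stdout whenever the module is loaded without the MRI symbol; `warn 'exec_sandbox: using rb_reserved_fd_p emulation'` would keep it out of the host program's output. Both the loop body and the rescue branch continue outside the hunks.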
@@ -1,11 +1,13 @@
|
|
1
1
|
require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
|
2
2
|
|
3
|
+
require 'thread'
|
4
|
+
|
3
5
|
describe ExecSandbox::Spawn do
|
4
6
|
let(:test_user) { Etc.getlogin }
|
5
7
|
let(:test_uid) { Etc.getpwnam(test_user).uid }
|
6
8
|
let(:test_gid) { Etc.getpwnam(test_user).gid }
|
7
9
|
let(:test_group) { Etc.getgrgid(test_gid).name }
|
8
|
-
|
10
|
+
|
9
11
|
describe '#spawn IO redirection' do
|
10
12
|
before do
|
11
13
|
@temp_in = Tempfile.new 'exec_sandbox_rspec'
|
@@ -13,7 +15,7 @@ describe ExecSandbox::Spawn do
|
|
13
15
|
@temp_in.close
|
14
16
|
@temp_out = Tempfile.new 'exec_sandbox_rspec'
|
15
17
|
@temp_out.close
|
16
|
-
|
18
|
+
|
17
19
|
# Force-creating a 2nd thread to make MRI 1.9.3 crash without our fix.
|
18
20
|
@lock = Mutex.new
|
19
21
|
@lock.lock
|
@@ -35,7 +37,7 @@ describe ExecSandbox::Spawn do
|
|
35
37
|
it 'should not crash' do
|
36
38
|
@status[:exit_code].should == 0
|
37
39
|
end
|
38
|
-
|
40
|
+
|
39
41
|
it 'should write successfully' do
|
40
42
|
@temp_out.open
|
41
43
|
begin
|
@@ -45,7 +47,7 @@ describe ExecSandbox::Spawn do
|
|
45
47
|
end
|
46
48
|
end
|
47
49
|
end
|
48
|
-
|
50
|
+
|
49
51
|
describe 'with paths' do
|
50
52
|
before do
|
51
53
|
pid = ExecSandbox::Spawn.spawn bin_fixture(:duplicate),
|
@@ -54,9 +56,28 @@ describe ExecSandbox::Spawn do
|
|
54
56
|
@status = ExecSandbox::Wait4.wait4 pid
|
55
57
|
end
|
56
58
|
|
57
|
-
it_behaves_like 'duplicate.rb'
|
59
|
+
it_behaves_like 'duplicate.rb'
|
58
60
|
end
|
59
|
-
|
61
|
+
|
62
|
+
describe 'with paths and a second thread' do
|
63
|
+
before do
|
64
|
+
@queue = Queue.new
|
65
|
+
@thread = Thread.new { @queue.pop }
|
66
|
+
|
67
|
+
pid = ExecSandbox::Spawn.spawn bin_fixture(:duplicate),
|
68
|
+
{in: @temp_in.path, out: @temp_out.path,
|
69
|
+
err: @temp_out.path}
|
70
|
+
@status = ExecSandbox::Wait4.wait4 pid
|
71
|
+
end
|
72
|
+
|
73
|
+
after do
|
74
|
+
@queue.push 'die'
|
75
|
+
@thread.join
|
76
|
+
end
|
77
|
+
|
78
|
+
it_behaves_like 'duplicate.rb'
|
79
|
+
end
|
80
|
+
|
60
81
|
describe 'with file descriptors' do
|
61
82
|
before do
|
62
83
|
File.open(@temp_in.path, 'r') do |in_io|
|
@@ -70,24 +91,24 @@ describe ExecSandbox::Spawn do
|
|
70
91
|
|
71
92
|
it_behaves_like 'duplicate.rb'
|
72
93
|
end
|
73
|
-
|
94
|
+
|
74
95
|
describe 'without stdout' do
|
75
96
|
before do
|
76
97
|
pid = ExecSandbox::Spawn.spawn bin_fixture(:duplicate),
|
77
98
|
{in: @temp_in.path}
|
78
99
|
@status = ExecSandbox::Wait4.wait4 pid
|
79
100
|
end
|
80
|
-
|
101
|
+
|
81
102
|
it 'should crash' do
|
82
103
|
@status[:exit_code].should_not == 0
|
83
104
|
end
|
84
105
|
end
|
85
|
-
|
106
|
+
|
86
107
|
shared_examples_for 'count.rb' do
|
87
108
|
it 'should not crash' do
|
88
109
|
@status[:exit_code].should == 0
|
89
110
|
end
|
90
|
-
|
111
|
+
|
91
112
|
it 'should write successfully' do
|
92
113
|
@temp_out.open
|
93
114
|
begin
|
@@ -122,7 +143,7 @@ describe ExecSandbox::Spawn do
|
|
122
143
|
after do
|
123
144
|
File.unlink(@temp_path) if File.exist?(@temp_path)
|
124
145
|
end
|
125
|
-
|
146
|
+
|
126
147
|
describe 'with root credentials' do
|
127
148
|
before do
|
128
149
|
pid = ExecSandbox::Spawn.spawn [bin_fixture(:write_arg),
|
@@ -131,11 +152,11 @@ describe ExecSandbox::Spawn do
|
|
131
152
|
@status = ExecSandbox::Wait4.wait4 pid
|
132
153
|
@fstat = File.stat(@temp_path)
|
133
154
|
end
|
134
|
-
|
155
|
+
|
135
156
|
it 'should not crash' do
|
136
157
|
@status[:exit_code].should == 0
|
137
158
|
end
|
138
|
-
|
159
|
+
|
139
160
|
it 'should have the UID set to root' do
|
140
161
|
@fstat.uid.should == 0
|
141
162
|
end
|
@@ -147,7 +168,7 @@ describe ExecSandbox::Spawn do
|
|
147
168
|
File.read(@temp_path).should == "Spawn uid test\n"
|
148
169
|
end
|
149
170
|
end
|
150
|
-
|
171
|
+
|
151
172
|
describe 'with non-root credentials' do
|
152
173
|
before do
|
153
174
|
@temp.unlink
|
@@ -156,18 +177,18 @@ describe ExecSandbox::Spawn do
|
|
156
177
|
{uid: test_uid, gid: test_gid}
|
157
178
|
@status = ExecSandbox::Wait4.wait4 pid
|
158
179
|
end
|
159
|
-
|
180
|
+
|
160
181
|
it 'should not crash' do
|
161
182
|
@status[:exit_code].should == 0
|
162
183
|
end
|
163
|
-
|
184
|
+
|
164
185
|
it 'should have the UID set to the test user' do
|
165
186
|
File.stat(@temp_path).uid.should == test_uid
|
166
187
|
end
|
167
188
|
it 'should have the GID set to the test group' do
|
168
189
|
File.stat(@temp_path).gid.should == test_gid
|
169
190
|
end
|
170
|
-
|
191
|
+
|
171
192
|
it 'should have the correct output' do
|
172
193
|
File.read(@temp_path).should == "Spawn uid test\n"
|
173
194
|
end
|
@@ -181,7 +202,7 @@ describe ExecSandbox::Spawn do
|
|
181
202
|
{uid: test_uid, gid: test_gid}
|
182
203
|
@status = ExecSandbox::Wait4.wait4 pid
|
183
204
|
end
|
184
|
-
|
205
|
+
|
185
206
|
it 'should crash (euid is set correctly)' do
|
186
207
|
@status[:exit_code].should_not == 0
|
187
208
|
end
|
@@ -190,7 +211,7 @@ describe ExecSandbox::Spawn do
|
|
190
211
|
File.read(@temp_path).should_not == "Spawn uid test\n"
|
191
212
|
end
|
192
213
|
end
|
193
|
-
|
214
|
+
|
194
215
|
describe 'with non-root credentials and a root-owned redirect file' do
|
195
216
|
before do
|
196
217
|
File.chmod 070, @temp_path
|
@@ -199,7 +220,7 @@ describe ExecSandbox::Spawn do
|
|
199
220
|
{uid: test_uid, gid: test_gid}
|
200
221
|
@status = ExecSandbox::Wait4.wait4 pid
|
201
222
|
end
|
202
|
-
|
223
|
+
|
203
224
|
it 'should crash (egid is set correctly)' do
|
204
225
|
@status[:exit_code].should_not == 0
|
205
226
|
end
|
@@ -208,28 +229,28 @@ describe ExecSandbox::Spawn do
|
|
208
229
|
File.read(@temp_path).should_not == "Spawn uid test\n"
|
209
230
|
end
|
210
231
|
end
|
211
|
-
|
232
|
+
|
212
233
|
describe 'with a working directory' do
|
213
234
|
before do
|
214
235
|
@temp_dir = Dir.mktmpdir 'exec_sandbox_rspec'
|
215
236
|
pid = ExecSandbox::Spawn.spawn [bin_fixture(:pwd), @temp_path],
|
216
|
-
{}, {dir: @temp_dir}
|
237
|
+
{}, {dir: @temp_dir}
|
217
238
|
@status = ExecSandbox::Wait4.wait4 pid
|
218
239
|
end
|
219
240
|
after do
|
220
241
|
Dir.rmdir @temp_dir
|
221
242
|
end
|
222
|
-
|
243
|
+
|
223
244
|
it 'should not crash' do
|
224
245
|
@status[:exit_code].should == 0
|
225
246
|
end
|
226
|
-
|
247
|
+
|
227
248
|
it 'should set the working directory' do
|
228
249
|
File.read(@temp_path).should == @temp_dir
|
229
250
|
end
|
230
251
|
end
|
231
252
|
end
|
232
|
-
|
253
|
+
|
233
254
|
describe '#spawn resource limits' do
|
234
255
|
before do
|
235
256
|
@temp = Tempfile.new 'exec_sandbox_rspec'
|
@@ -239,7 +260,7 @@ describe ExecSandbox::Spawn do
|
|
239
260
|
after do
|
240
261
|
File.unlink(@temp_path) if File.exist?(@temp_path)
|
241
262
|
end
|
242
|
-
|
263
|
+
|
243
264
|
describe 'buffer.rb with 512 megs' do
|
244
265
|
describe 'without limitations' do
|
245
266
|
before do
|
@@ -251,28 +272,28 @@ describe ExecSandbox::Spawn do
|
|
251
272
|
it 'should not crash' do
|
252
273
|
@status[:exit_code].should == 0
|
253
274
|
end
|
254
|
-
|
275
|
+
|
255
276
|
it 'should output 512 megs' do
|
256
277
|
File.stat(@temp_path).size.should == 512 * 1024 * 1024
|
257
278
|
end
|
258
279
|
end
|
259
|
-
|
280
|
+
|
260
281
|
describe 'with 256mb memory limitation' do
|
261
282
|
before do
|
262
283
|
pid = ExecSandbox::Spawn.spawn [bin_fixture(:buffer), @temp_path,
|
263
284
|
(512 * 1024 * 1024).to_s], {}, {}, {data: 256 * 1024 * 1024}
|
264
285
|
@status = ExecSandbox::Wait4.wait4 pid
|
265
286
|
end
|
266
|
-
|
287
|
+
|
267
288
|
it 'should crash' do
|
268
289
|
@status[:exit_code].should_not == 0
|
269
290
|
end
|
270
|
-
|
291
|
+
|
271
292
|
it 'should not have a chance to output data' do
|
272
293
|
File.stat(@temp_path).size.should == 0
|
273
294
|
end
|
274
295
|
end
|
275
|
-
|
296
|
+
|
276
297
|
describe 'with 256mb output limitation' do
|
277
298
|
before do
|
278
299
|
pid = ExecSandbox::Spawn.spawn [bin_fixture(:buffer), @temp_path,
|
@@ -280,28 +301,28 @@ describe ExecSandbox::Spawn do
|
|
280
301
|
{file_size: 64 * 1024 * 1024}
|
281
302
|
@status = ExecSandbox::Wait4.wait4 pid
|
282
303
|
end
|
283
|
-
|
304
|
+
|
284
305
|
it 'should crash' do
|
285
306
|
@status[:exit_code].should_not == 0
|
286
307
|
end
|
287
|
-
|
308
|
+
|
288
309
|
it 'should not output more than 256 megs' do
|
289
310
|
File.stat(@temp_path).size.should <= 256 * 1024 * 1024
|
290
311
|
end
|
291
312
|
end
|
292
313
|
end
|
293
|
-
|
314
|
+
|
294
315
|
describe 'buffer.rb with 128 megs' do
|
295
316
|
shared_examples_for 'working' do
|
296
317
|
it 'should not crash' do
|
297
318
|
@status[:exit_code].should == 0
|
298
319
|
end
|
299
|
-
|
320
|
+
|
300
321
|
it 'should output 128 megs' do
|
301
322
|
File.stat(@temp_path).size.should == 128 * 1024 * 1024
|
302
323
|
end
|
303
324
|
end
|
304
|
-
|
325
|
+
|
305
326
|
describe 'without limitations' do
|
306
327
|
before do
|
307
328
|
pid = ExecSandbox::Spawn.spawn [bin_fixture(:buffer), @temp_path,
|
@@ -311,17 +332,17 @@ describe ExecSandbox::Spawn do
|
|
311
332
|
|
312
333
|
it_behaves_like 'working'
|
313
334
|
end
|
314
|
-
|
335
|
+
|
315
336
|
describe 'with 256mb memory limitation' do
|
316
337
|
before do
|
317
338
|
pid = ExecSandbox::Spawn.spawn [bin_fixture(:buffer), @temp_path,
|
318
339
|
(128 * 1024 * 1024).to_s], {}, {}, {data: 256 * 1024 * 1024}
|
319
340
|
@status = ExecSandbox::Wait4.wait4 pid
|
320
341
|
end
|
321
|
-
|
342
|
+
|
322
343
|
it_behaves_like 'working'
|
323
344
|
end
|
324
|
-
|
345
|
+
|
325
346
|
describe 'with 256mb output limitation' do
|
326
347
|
before do
|
327
348
|
pid = ExecSandbox::Spawn.spawn [bin_fixture(:buffer), @temp_path,
|
@@ -329,12 +350,12 @@ describe ExecSandbox::Spawn do
|
|
329
350
|
{file_size: 256 * 1024 * 1024}
|
330
351
|
@status = ExecSandbox::Wait4.wait4 pid
|
331
352
|
end
|
332
|
-
|
353
|
+
|
333
354
|
it_behaves_like 'working'
|
334
355
|
end
|
335
356
|
end
|
336
|
-
|
337
|
-
|
357
|
+
|
358
|
+
|
338
359
|
describe 'fork.rb' do
|
339
360
|
describe 'without limitations' do
|
340
361
|
before do
|
@@ -346,29 +367,29 @@ describe ExecSandbox::Spawn do
|
|
346
367
|
it 'should not crash' do
|
347
368
|
@status[:exit_code].should == 0
|
348
369
|
end
|
349
|
-
|
370
|
+
|
350
371
|
it 'should output 10 +es' do
|
351
372
|
File.stat(@temp_path).size.should == 10
|
352
373
|
end
|
353
374
|
end
|
354
|
-
|
375
|
+
|
355
376
|
describe 'with sub-process limitation' do
|
356
377
|
before do
|
357
378
|
pid = ExecSandbox::Spawn.spawn [bin_fixture(:fork), @temp_path,
|
358
379
|
10.to_s], {}, {}, {processes: 4}
|
359
380
|
@status = ExecSandbox::Wait4.wait4 pid
|
360
381
|
end
|
361
|
-
|
382
|
+
|
362
383
|
it 'should crash' do
|
363
384
|
@status[:exit_code].should_not == 0
|
364
385
|
end
|
365
|
-
|
386
|
+
|
366
387
|
it 'should output less than 5 +es' do
|
367
388
|
File.stat(@temp_path).size.should < 5
|
368
389
|
end
|
369
390
|
end
|
370
391
|
end
|
371
|
-
|
392
|
+
|
372
393
|
describe 'churn.rb' do
|
373
394
|
describe 'without limitations' do
|
374
395
|
before do
|
@@ -380,16 +401,16 @@ describe ExecSandbox::Spawn do
|
|
380
401
|
it 'should not crash' do
|
381
402
|
@status[:exit_code].should == 0
|
382
403
|
end
|
383
|
-
|
404
|
+
|
384
405
|
it 'should run for at least 2 seconds' do
|
385
406
|
(@status[:user_time] + @status[:system_time]).should > 2
|
386
407
|
end
|
387
|
-
|
408
|
+
|
388
409
|
it 'should output something' do
|
389
410
|
File.stat(@temp_path).size.should > 0
|
390
411
|
end
|
391
412
|
end
|
392
|
-
|
413
|
+
|
393
414
|
describe 'with CPU time limitation' do
|
394
415
|
before do
|
395
416
|
pid = ExecSandbox::Spawn.spawn [bin_fixture(:churn), @temp_path,
|
@@ -404,7 +425,7 @@ describe ExecSandbox::Spawn do
|
|
404
425
|
it 'should run for less than 2 seconds' do
|
405
426
|
(@status[:user_time] + @status[:system_time]).should < 2
|
406
427
|
end
|
407
|
-
|
428
|
+
|
408
429
|
it 'should not have a chance to output' do
|
409
430
|
File.stat(@temp_path).size.should == 0
|
410
431
|
end
|
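Review bot: The added context 'with paths and a second thread' (new lines 62-79) carries no comment saying what it covers beyond the enclosing `before`, which already notes "Force-creating a 2nd thread to make MRI 1.9.3 crash without our fix", so the two setups read as the same case. A line above `@thread = Thread.new { @queue.pop }` such as `# Keep a live thread blocked on Queue#pop while spawn runs.` would record the intent; the rest of the outer hook is outside the hunks, so how its thread differs cannot be confirmed here. As far as the visible shared examples show, the context checks only the exit code and the written output, so it would not by itself catch a non-redirected descriptor left open in the child.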
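--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: exec_sandbox
 version: !ruby/object:Gem::Version
-version: 0.2.
+version: 0.2.6
 platform: ruby
 authors:
 - Victor Costan
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-02-
+date: 2014-02-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: ffi
@@ -179,7 +179,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.
+rubygems_version: 2.0.14
 signing_key:
 specification_version: 4
 summary: Run foreign binaries using POSIX sandboxing features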