exec_sandbox 0.1.0

data/.document

@@ -0,0 +1,5 @@
+lib/**/*.rb
+bin/*
+- 
+features/**/*.feature
+LICENSE.txt

data/.project

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<projectDescription>
+	<name>exec_sandbox</name>
+	<comment></comment>
+	<projects>
+	</projects>
+	<buildSpec>
+		<buildCommand>
+			<name>com.aptana.ide.core.unifiedBuilder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+	</buildSpec>
+	<natures>
+		<nature>com.aptana.ruby.core.rubynature</nature>
+		<nature>com.aptana.projects.webnature</nature>
+	</natures>
+</projectDescription>

data/.rspec

@@ -0,0 +1 @@
+--color

data/Gemfile

@@ -0,0 +1,17 @@
+source :rubygems
+# Add dependencies required to use your gem here.
+# Example:
+#   gem 'activesupport', '>= 2.3.5'
+gem 'ffi', '>= 1.0.9'
+
+# Add dependencies to develop your gem here.
+# Include everything needed to run rake, tests, features, etc.
+group :development do
+  gem 'rdoc', '>= 3.10'
+  gem 'rspec', '>= 2.6.0'
+  gem 'yard', '>= 0.7.2'
+  gem 'yard-rspec', '>= 0.1'
+  gem 'bundler', '>= 1.0.21'
+  gem 'jeweler', '>= 1.6.4'
+  gem 'rcov', '>= 0'
+end

data/Gemfile.lock

@@ -0,0 +1,39 @@
+GEM
+  remote: http://rubygems.org/
+  specs:
+    diff-lcs (1.1.3)
+    ffi (1.0.9)
+    git (1.2.5)
+    jeweler (1.6.4)
+      bundler (~> 1.0)
+      git (>= 1.2.5)
+      rake
+    json (1.6.1)
+    rake (0.9.2)
+    rcov (0.9.11)
+    rdoc (3.10)
+      json (~> 1.4)
+    rspec (2.6.0)
+      rspec-core (~> 2.6.0)
+      rspec-expectations (~> 2.6.0)
+      rspec-mocks (~> 2.6.0)
+    rspec-core (2.6.4)
+    rspec-expectations (2.6.0)
+      diff-lcs (~> 1.1.2)
+    rspec-mocks (2.6.0)
+    yard (0.7.2)
+    yard-rspec (0.1)
+      yard
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (>= 1.0.21)
+  ffi (>= 1.0.9)
+  jeweler (>= 1.6.4)
+  rcov
+  rdoc (>= 3.10)
+  rspec (>= 2.6.0)
+  yard (>= 0.7.2)
+  yard-rspec (>= 0.1)

data/LICENSE.txt

@@ -0,0 +1,20 @@
+Copyright (c) 2011 Victor Costan
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,19 @@
+= exec_sandbox
+
+Description goes here.
+
+== Contributing to exec_sandbox
+ 
+* Check out the latest master to make sure the feature hasn't been implemented or the bug hasn't been fixed yet
+* Check out the issue tracker to make sure someone already hasn't requested it and/or contributed it
+* Fork the project
+* Start a feature/bugfix branch
+* Commit and push until you are happy with your contribution
+* Make sure to add tests for it. This is important so I don't break it in a future version unintentionally.
+* Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.
+
+== Copyright
+
+Copyright (c) 2011 Victor Costan. See LICENSE.txt for
+further details.
+

data/Rakefile

@@ -0,0 +1,42 @@
+# encoding: utf-8
+
+require 'rubygems'
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'rake'
+
+require 'jeweler'
+Jeweler::Tasks.new do |gem|
+  # gem is a Gem::Specification... see http://docs.rubygems.org/read/chapter/20 for more options
+  gem.name = "exec_sandbox"
+  gem.homepage = "http://github.com/pwnall/exec_sandbox"
+  gem.license = "MIT"
+  gem.summary = %Q{Run foreign binaries using POSIX sandboxing features}
+  gem.description = %Q{Temporary users and groups, rlimits}
+  gem.email = "costan@gmail.com"
+  gem.authors = ["Victor Costan"]
+  # dependencies defined in Gemfile
+end
+Jeweler::RubygemsDotOrgTasks.new
+
+require 'rspec/core'
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new(:spec) do |spec|
+  spec.pattern = FileList['spec/**/*_spec.rb']
+end
+
+RSpec::Core::RakeTask.new(:rcov) do |spec|
+  spec.pattern = 'spec/**/*_spec.rb'
+  spec.rcov = true
+end
+
+task :default => :spec
+
+require 'yard'
+YARD::Rake::YardocTask.new

data/VERSION

@@ -0,0 +1 @@
+0.1.0

data/lib/exec_sandbox/sandbox.rb

@@ -0,0 +1,169 @@
+# namespace
+module ExecSandbox
+
+# Manages sandboxed processes.
+class Sandbox
+  # The path to the sandbox's working directory.
+  attr_reader :path
+  
+  # Empty sandbox.
+  #
+  # @param [String] admin the name of a user who will be able to peek into the
+  #                       sandbox (optional)
+  def initialize(admin = nil)
+    @user_name = ExecSandbox::Users.temp
+    user_pwd = Etc.getpwnam @user_name
+    @user_uid = user_pwd.uid
+    @user_gid = user_pwd.gid
+    @path = user_pwd.dir
+    if @admin_name = admin
+      admin_pwd = Etc.getpwnam(@admin_name)
+      @admin_uid = admin_pwd.uid
+      @admin_gid = admin_pwd.gid
+    else
+      @admin_uid = @user_uid
+      @admin_gid = @user_gid
+    end
+    @destroyed = false
+    
+    # principal argument for Spawn.spawn()
+    @principal = { :uid => @user_uid, :gid => @user_gid, :dir => @path }
+  end
+  
+  # Copies a file or directory to the sandbox.
+  #
+  # @param [String] from path to the file or directory to be copied
+  # @param [Hash] options tweaks the permissions and the path inside the sandbox
+  # @option options [String] :to the path inside the sandbox where the file or
+  #     directory will be copied (defaults to the name of the source)
+  # @option options [Boolean] :read_only if true, the sandbox user will not be
+  #     able to write to the file / directory
+  # @return [String] the absolute path to the copied file / directory inside the
+  #                  sandbox
+  def push(from, options = {})
+    to = File.join @path, (options[:to] || File.basename(from))
+    FileUtils.cp_r from, to
+    
+    permissions = options[:read_only] ? 0770 : 0750
+    FileUtils.chmod_R permissions, to
+    FileUtils.chown_R @admin_uid, @user_gid, to
+    # NOTE: making a file / directory read-only is useless -- the sandboxed
+    #       process can replace the file with another copy of the file; this can
+    #       be worked around by noting the inode number of the protected file /
+    #       dir, and making a hard link to it somewhere else so the inode won't
+    #       be reused.
+    
+    to
+  end
+
+  # Copies a file or directory from the sandbox.
+  #
+  # @param [String] from relative path to the sandbox file or directory
+  # @param [String] to path where the file/directory will be copied
+  # @param [Hash] options tweaks the permissions and the path inside the sandbox
+  # @return [String] the path to the copied file / directory outside the sandbox
+  def pull(from, to)
+    from = File.join @path, from
+    FileUtils.cp_r from, to
+    
+    FileUtils.chmod_R 0770, to
+    FileUtils.chown_R @admin_uid, @admin_gid, to
+    # NOTE: making a file / directory read-only is useless -- the sandboxed
+    #       process can replace the file with another copy of the file; this can
+    #       be worked around by noting the inode number of the protected file /
+    #       dir, and making a hard link to it somewhere else so the inode won't
+    #       be reused.
+    
+    to
+  end
+  
+  # Runs a command in the sandbox.
+  #
+  # @param [Array, String] command to be run; use an array to pass arguments to
+  #                        the command
+  # @param [Hash] options stdin / stdout redirection and resource limitations
+  # @option options [Hash] :limits see {Spawn#set_limits}
+  # @option options [String] :in path to a file that is set as the child's stdin
+  # @option options [String] :in_data contents to be written to a pipe that is
+  #     set as the child's stdin; if neither :in nor :in_data are specified, the
+  #     child will receive the read end of an empty pipe
+  # @option options [String] :out path to a file that is set as the child's
+  #     stdout; if not set, the child will receive the write end of a pipe whose
+  #     contents is returned in :out_data
+  # @return [Hash] the result of {Wait4#wait4}, plus an :out_data key if no :out
+  #                option is given
+  def run(command, options = {})
+    limits = options[:limits] || {}
+    
+    io = {}
+    if options[:in]
+      io[:in] = options[:in]
+      in_rd = nil
+    else
+      in_rd, in_wr = IO.pipe
+      in_wr.write options[:in_data] if options[:in_data]
+      in_wr.close
+      io[:in] = in_rd
+    end
+    if options[:out]
+      io[:out] = options[:out]
+    else
+      out_rd, out_wr = IO.pipe
+      io[:out] = out_wr
+    end
+    io[:err] = STDERR unless options[:no_stderr]
+    
+    pid = ExecSandbox::Spawn.spawn command, io, @principal, limits
+    # Close the pipe ends that are meant to be used in the child.
+    in_rd.close if in_rd
+    out_wr.close if out_wr
+    
+    # Collect information about the child.
+    status = ExecSandbox::Wait4.wait4 pid
+    if out_rd
+      status[:out_data] = out_rd.read
+      out_rd.close
+    end
+    status
+  end
+  
+  # Removes the files and temporary user associated with this sandbox.
+  def close
+    return if @destroyed
+    ExecSandbox::Users.destroy @user_name
+    @destroyed = true
+  end
+  
+  # Cleans up when the sandbox object is garbage-collected.
+  def finalize
+    close
+  end
+end  # module ExecSandbox::Sandbox
+  
+  # Creates a sandbox, yields it, and destroys it.
+  #
+  # @param [String] admin the name of a user who will be able to peek into the
+  #                       sandbox (optional)
+  # @return the value returned from the block passed to this method
+  def self.use(admin = nil, &block)
+    sandbox = ExecSandbox::Sandbox.new admin
+    begin
+      return yield(sandbox)
+    ensure
+      sandbox.close
+    end
+  end
+  
+  # Creates a sandbox.
+  #
+  # The sandbox should be disposed of by calling {Sandbox#close} on it. This
+  # method is much less convenient than #use, so make sure you have a good
+  # reason to call it.
+  #
+  # @param [String] admin the name of a user who will be able to peek into the
+  #                       sandbox (optional)
+  # @return the value returned from the block passed to this method
+  def self.open(admin = nil)
+    ExecSandbox::Sandbox.new admin
+  end
+end  # namespace ExecSandbox

data/lib/exec_sandbox/spawn.rb

@@ -0,0 +1,143 @@
+# namespace
+module ExecSandbox
+
+# Manages sandboxed processes.
+module Spawn
+  # Spawns a child process.
+  #
+  # @param [String, Array] command the command to be executed via exec
+  # @param [Hash] io see limit_io
+  # @param [Hash] principal the principal for the enw process
+  # @param [Hash] resources see limit_resources
+  # @return [Fixnum] the child's PID
+  def self.spawn(command, io = {}, principal = {}, resources = {})
+    fork do
+      limit_io io
+      limit_resources resources
+      set_principal principal
+      if command.respond_to? :to_str
+        Process.exec command
+      else
+        Process.exec *command
+      end
+    end
+  end
+
+  # Constraints the available file descriptors.
+  #
+  # @param [Hash] io associates file descriptors with IO objects or file paths;
+  #                  all file descriptors not covered by io will be closed
+  def self.limit_io(io)
+    [:in, :out, :err].each_with_index do |sym, fd_num|
+      if target = io.delete(sym)
+        io[fd_num] = target
+      end
+    end
+    io.each do |k, v|
+      if v.respond_to?(:fileno)
+        if v.fileno != k
+          LibC.close k
+          LibC.dup2 v.fileno, k
+        end
+      else
+        LibC.close k
+        open_fd = IO.sysopen(v, 'r+')
+        if open_fd != k
+          LibC.dup2 open_fd, k
+          LibC.close open_fd
+        end
+      end
+    end
+    
+    # Close all file descriptors.
+    max_fd = LibC.getdtablesize
+    0.upto(max_fd) do |fd|
+      next if io[fd]
+      LibC.close fd
+    end
+  end
+  
+  # Sets the process' principal for access control.
+  #
+  # @param [Hash] principal information about the process' principal
+  # @option principal [String] :dir the process' working directory
+  # @option principal [Fixnum] :uid the new user ID
+  # @option principal [Fixnum] :gid the new group ID
+  def self.set_principal(principal)
+    Dir.chdir principal[:dir] if principal[:dir]
+    
+    if principal[:gid]
+      begin
+        Process::Sys.setresgid principal[:gid], principal[:gid], principal[:gid]
+      rescue NotImplementedError
+        Process.gid = principal[:gid]
+        Process.egid = principal[:gid]
+      end
+    end
+    if principal[:uid]
+      begin
+        Process.initgroups Etc.getpwuid(principal[:uid]).name,
+                           principal[:gid] || Process.gid
+      rescue NotImplementedError
+      end
+      
+      begin
+        Process::Sys.setresuid principal[:uid], principal[:uid], principal[:uid]
+      rescue NotImplementedError
+        Process.uid = principal[:uid]
+        Process.euid = principal[:uid]
+      end
+    end
+  end
+  
+  # Constrains the resource usage of the current process.
+  #
+  # @param [Hash{Symbol => Number}] limits the constraints to be applied
+  # @option limits [Fixnum] :cpu maximum CPU time (for best results, give it an
+  #     extra second, and measure actual resource usage after the process
+  #     completes)
+  # @option limits [Fixnum] :processes number of processes that can be spawned
+  #     by the user who owns this process (useful in conjunction with temporary
+  #     users)
+  # @option limits [Fixnum] :file_size maximum size of a file created by the
+  #     process; the process can still fill the disk by creating many files of
+  #     this size
+  # @option limits [Fixnum] :open_files maximum number of open files; remember
+  #     that any process uses 3 open files for STDIN, STDOUT, and STDERR
+  # @option limits [Fixnum] :data maximum data segment size (static data plus
+  #     heap) and stack; allow slack for the libraries used by the process;
+  #     mostly useful to prevent a process from freezing the machine by pushing
+  #     everything into swap
+  def self.limit_resources(limits)
+    if limits[:cpu]
+      Process.setrlimit Process::RLIMIT_CPU, limits[:cpu], limits[:cpu]
+    end
+    if limits[:processes]
+      Process.setrlimit Process::RLIMIT_NPROC, limits[:processes],
+                                               limits[:processes]
+    end
+    if limits[:file_size]
+      Process.setrlimit Process::RLIMIT_FSIZE, limits[:file_size],
+                                               limits[:file_size]
+    end
+    if limits[:open_files]
+      Process.setrlimit Process::RLIMIT_NOFILE, limits[:open_files],
+                                                limits[:open_files]
+    end
+    if limits[:data]
+      Process.setrlimit Process::RLIMIT_DATA, limits[:data], limits[:data]
+      Process.setrlimit Process::RLIMIT_STACK, limits[:data], limits[:data]
+    end
+  end
+  
+  # Maps raw I/O functions.
+  module LibC
+    extend FFI::Library
+    ffi_lib FFI::Library::LIBC
+    attach_function :close, [:int], :int
+    attach_function :getdtablesize, [], :int
+    attach_function :dup2, [:int, :int], :int
+  end  # module ExecSandbox::Spawn::Libc
+end  # module ExecSandbox::Spawn
+  
+end  # namespace ExecSandbox

data/lib/exec_sandbox/users.rb

@@ -0,0 +1,156 @@
+# namespace
+module ExecSandbox
+
+# Manages sandbox users.
+#
+# @see Users#temp
+# @see Users#destroy
+module Users
+  # Creates an unprivileged user.
+  #
+  # @return [String] the user's name
+  def self.temp(prefix = 'xsbx.rb')
+    loop do
+      user_name = prefix + '-%x.%x.%x' % [$PID, Time.now.to_i, rand(65536)]
+      etc = nil
+      begin
+        etc = Etc.getpwnam(name)
+      rescue ArgumentError
+        # User not found: good!
+      end
+      next if etc
+      
+      create user_name
+      return user_name
+    end
+  end
+  
+  # Creates a user for unprivileged operations.
+  #
+  # @param [String] user_name the user's short (UNIX) name (should be unique)
+  # @param [String] primary_group_name; if no name is supplied, the user's
+  #                 primary group will be set to a new group
+  #
+  # @return [Fixnum] the new user's UID
+  def self.create(user_name, primary_group_name = nil)
+    group_id = primary_group_name && Etc.getgrnam(primary_group_name).gid 
+    
+    if RUBY_PLATFORM =~ /darwin/  # OSX
+      home_dir = "/Users/#{user_name}" 
+      unless group_id
+        # Create a group with the same name as the user.
+        group_id = `dscl . -list /Groups`.split.
+            map { |g| `dscl . -read /Groups/#{g} PrimaryGroupID`.split.last.
+            to_i }.sort.last + 1
+
+        # Simulate adduser's group creation.
+        command_prefix = ['dscl', '.', '-create', "/Groups/#{user_name}"]
+        [
+          [],
+          ['PrimaryGroupID', group_id.to_s],
+        ].each do |command_suffix|
+          command = command_prefix + command_suffix
+          unless Kernel.system(*command)
+            raise RuntimeError, "User creation failed at #{command.inspect}!"
+          end
+        end
+      end
+      
+      # Find an available UID.
+      user_id = `dscl . -list /Users`.split.
+          map { |u| `dscl . -read /Users/#{u} UniqueID`.split.last.to_i }.
+          sort.last + 1
+    
+      # Simulate adduser.
+      command_prefix = ['dscl', '.', '-create', "/Users/#{user_name}"]
+      [
+        [],
+        ['UserShell', '/bin/bash'],
+        ['UniqueID', user_id.to_s],
+        ['PrimaryGroupID', group_id.to_s],
+        ['NFSHomeDirectory', home_dir],
+      ].each do |command_suffix|
+        command = command_prefix + command_suffix
+        unless Kernel.system(*command)
+          raise RuntimeError, "User creation failed at #{command.inspect}!"
+        end
+      end
+      
+    elsif RUBY_PLATFORM =~ /win/  # Windows
+      raise 'Windows is not supported; patches welcome!'
+      
+    else  # Linux
+      if group_id
+        command = ['useradd', '--gid', group_id.to_s,
+                            '--no-create-home', '--no-user-group', user_name]
+      else
+        command = ['useradd', '--no-create-home', user_name]
+      end
+      unless Kernel.system(*command)
+        raise RuntimeError, "User creation failed at #{command.inspect}!"
+      end
+    
+      home_dir = File.join '/home', user_name
+      user_id = Etc.getpwnam(user_name).uid
+      group_id = Etc.getpwnam(user_name).gid
+    end  # RUBY_PLATFORM
+
+    FileUtils.mkdir_p home_dir
+    FileUtils.chown_R user_id, group_id, home_dir
+    FileUtils.chmod_R 0750, home_dir
+    
+    user_id
+  end
+  
+  # Removes a user that was previously created by create.
+  #
+  # @param [String] user_name the user's short (UNIX) name
+  def self.destroy(user_name)
+    user_pw = Etc.getpwnam(user_name)
+    home_dir = user_pw.dir
+    FileUtils.rm_rf home_dir
+    
+    user_gid = user_pw.gid
+    group_name = Etc.getgrgid(user_gid).name
+    # If the group name matches the user name, the group is a temp.
+    destroy_group = user_name == group_name
+    
+    if RUBY_PLATFORM =~ /darwin/  # OSX
+      command = ['dscl', '.', '-delete', "/Users/#{user_name}"]
+      unless Kernel.system(*command)
+        raise RuntimeError, "User removal failed at #{command.inspect}!"
+      end
+
+      if destroy_group
+        command = ['dscl', '.', '-delete', "/Groups/#{group_name}"]
+        unless Kernel.system(*command)
+          raise RuntimeError, "User removal failed at #{command.inspect}!"
+        end
+      end
+    elsif RUBY_PLATFORM =~ /win/  # Windows
+      raise 'Windows is not supported; patches welcome!'
+      ['userdel', git_user]
+    else  # Linux
+      command = ['userdel', user_name]
+      unless Kernel.system(*command)
+        raise RuntimeError, "User removal failed at #{command.inspect}!"
+      end
+      if destroy_group
+        # Make sure that the group exists. userdel might remove it.
+        begin
+          Etc.getgrnam(group_name)
+        rescue ArgumentError
+          destroy_group = false
+        end
+      end
+      if destroy_group
+        command = ['groupdel', group_name]
+        unless Kernel.system(*command)
+          raise RuntimeError, "User removal failed at #{command.inspect}!"
+        end
+      end
+    end  # RUBY_PLATFORM
+  end
+end  # module ExecSandbox::Users
+  
+end  # namespace ExecSandbox