haconiwa 0.0.1.pre2 → 0.0.1.pre3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 5118b20649292936469ac7f8c20186aba2b43609
-  data.tar.gz: ce1583a83126f75f922bc83d40098df36afb6340
+  metadata.gz: 1977a089936273a9c144d238d24a65371b8b5f97
+  data.tar.gz: f08c51b80e7450b969ee8352faacf5d85d69ee2a
 SHA512:
-  metadata.gz: 423cff4515ed3116b3ca8f317cc8d7cfaf392c77a6725948041edb35b92b4e24fd32da208d1b73b885178e971eeeb24f01da871ddeabc541ffc5377fb83ea8c6
-  data.tar.gz: 3ce74b9dde1970f2a8b87fe27f4f0d988f83620c968010e98e1b6dffced9d2436e91b3397fadf8f602c6cf9b8ec4fe591d98ad32c91cb799bf300a352ad2f788
+  metadata.gz: 6c2131693b7224ad6beba0ff59bbbc131cb3a5068552d812e06372ba1aa48134d0e32c721fe0ea32d22a1ce805cae8a9d80ca2076287ccacdbcbffb708a8c05e
+  data.tar.gz: 107f85c23c0d32e17c876ea2e892f26bdf20b15a6a9899cf68cae0032c76f1d143033c7be36f6b8c7ea872268ed168e4a30716e5e1ad2d983be997f746535920

data/bin/console

@@ -7,8 +7,5 @@ require "haconiwa"
 # with your gem easier. You can also use a different console, if you like.
 
 # (If you use this, don't forget to add pry to your Gemfile!)
-# require "pry"
-# Pry.start
-
-require "irb"
-IRB.start
+require "pry"
+Pry.start

data/examples/drop_cap_sys_time.rb

@@ -0,0 +1,25 @@
+require 'haconiwa'
+require 'pathname'
+haconiwa = Haconiwa::Base.define do |config|
+  config.name = "drop-time001" # to be hostname
+
+  root = Pathname.new("/var/haconiwa/root")
+  config.add_mount_point "/var/haconiwa/rootfs", to: root, readonly: true
+  config.add_mount_point "/lib64", to: root.join("lib64"), readonly: true
+  config.add_mount_point "/sbin", to: root.join("sbin"), readonly: true
+  config.add_mount_point "/usr/bin", to: root.join("usr/bin"), readonly: true
+  config.add_mount_point "/usr/local/rbenv", to: root.join("usr/local/rbenv")
+  config.add_mount_point "tmpfs", to: root.join("tmp"), fs: "tmpfs"
+  config.mount_independent_procfs
+  config.chroot_to root
+
+  config.namespace.unshare "mount"
+  config.namespace.unshare "ipc"
+  config.namespace.unshare "uts"
+  config.namespace.unshare "pid"
+
+  config.capabilities.allow :all
+  config.capabilities.drop "cap_sys_time"
+end
+
+haconiwa.start("/bin/bash")

data/lib/haconiwa/capabilities.rb

@@ -1,3 +1,5 @@
+require 'haconiwa/small_libcap'
+
 module Haconiwa
   class Capabilities
     def initialize
@@ -8,11 +10,28 @@ module Haconiwa
     def allow(*keys)
       if keys.first == :all
         @whitelist.clear
+      else
+        @whitelist.concat(keys)
       end
     end
 
     def drop(*keys)
       @blacklist.concat(keys)
     end
+
+    def apply!
+      if acts_as_whitelist?
+        SmallLibcap.apply_cap_whitelist(list: @whitelist.uniq)
+      else
+        @blacklist.uniq.each do |n|
+          SmallLibcap.drop_cap_by_name(n)
+        end
+      end
+    end
+
+    private
+    def acts_as_whitelist?
+      ! @whitelist.empty?
+    end
   end
 end

data/lib/haconiwa/runners/linux.rb

@@ -28,6 +28,8 @@ module Haconiwa::Runners
         wrapper.close
         FileUtils.chmod 0700, wrapper.path
 
+        base.capabilities.apply!
+
         if base.namespace.use_pid_ns
           Bundler.with_clean_env {
             exec "unshare", "--pid", "--", wrapper.path, init_command

data/lib/haconiwa/small_libcap.rb

@@ -0,0 +1,62 @@
+require 'ffi'
+
+module Haconiwa
+  class Cap_T < FFI::ManagedStruct
+    layout :head, :pointer,
+           :set, :pointer
+
+    def self.release(ptr)
+      SmallLibcap.cap_free ptr
+    end
+  end
+
+  class SmallLibcap
+    class CapError < StandardError; end
+
+    extend FFI::Library
+    ffi_lib "libcap.so.2"
+
+    attach_function :cap_get_proc,   [], Cap_T.ptr
+    attach_function :cap_set_proc,   [Cap_T.ptr], :int
+    attach_function :cap_from_name,  [:string, :pointer], :int
+    attach_function :cap_drop_bound, [:int], :int
+    attach_function :cap_get_bound,  [:int], :int
+
+    attach_function :cap_free, [:pointer], :int
+
+    def self.cap_supported?(cap)
+      cap_get_bound(cap) >= 0
+    end
+
+    def self._name2cap(name)
+      ptr = FFI::MemoryPointer.new(:int)
+      err = cap_from_name(name, ptr)
+      if err < 0
+        raise CapError, "Invalid or unsupported capability name: #{name}"
+      end
+      ptr.read_int
+    end
+
+    def self.drop_cap_by_name(name)
+      err = cap_drop_bound(_name2cap(name))
+      if err < 0
+        raise CapError, "Failed to drop capability name: #{name} from bounding set"
+      end
+      true
+    end
+
+    def self.apply_cap_whitelist(list: [])
+      whitelist = list.map{|n| _name2cap(n) }
+
+      loop.with_index(0) do |_, cap_value|
+        return(true) unless cap_supported?(cap_value)
+        next if whitelist.include?(cap_value)
+
+        err = cap_drop_bound(cap_value)
+        if err < 0
+          raise CapError, "Failed to drop capability cap_value_t: #{cap_value} from bounding set"
+        end
+      end
+    end
+  end
+end

data/lib/haconiwa/version.rb

@@ -1,3 +1,3 @@
 module Haconiwa
-  VERSION = "0.0.1.pre2"
+  VERSION = "0.0.1.pre3"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: haconiwa
 version: !ruby/object:Gem::Version
-  version: 0.0.1.pre2
+  version: 0.0.1.pre3
 platform: ruby
 authors:
 - Uchio KONDO
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2016-05-31 00:00:00.000000000 Z
+date: 2016-06-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ffi
@@ -128,6 +128,7 @@ files:
 - bin/setup
 - examples/chroot.rb
 - examples/cpu.rb
+- examples/drop_cap_sys_time.rb
 - haconiwa.gemspec
 - lib/haconiwa.rb
 - lib/haconiwa/base.rb
@@ -139,6 +140,7 @@ files:
 - lib/haconiwa/runners.rb
 - lib/haconiwa/runners/linux.rb
 - lib/haconiwa/small_cgroup.rb
+- lib/haconiwa/small_libcap.rb
 - lib/haconiwa/version.rb
 homepage: https://github.com/udzura/haconiwa
 licenses: