pledge 1.0.0 → 1.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +5 -5
- data/CHANGELOG +4 -0
- data/MIT-LICENSE +1 -1
- data/README.rdoc +19 -15
- data/ext/pledge/pledge.c +24 -9
- data/spec/pledge_spec.rb +26 -0
- metadata +3 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
|
-
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: 7369f71bb2bfdbbea7dd07d98c86f443b8c0a09ddaf13090c6c0a379c2fe6eed
|
|
4
|
+
data.tar.gz: bea75bb0d79544311c633aeb04ad7bcb3d2061ace0c6f9f0829e05dd387068e0
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 4031731b34fe1c2497cfa84ffad17b698ada329362cbb0f8730ea2bfa4f094c0429150b92364a8764d04eef1397be3cdb7d70145ccc9ea88b6e0dadb425d36b7
|
|
7
|
+
data.tar.gz: 3509a67789e3876149e8880bc031fdb0d5df2bf111cd65b7f112132b1dd64696ff38ef9f70efc854d5ba99eb4c83d1256b4d68ba5805e879725fc5e6ed14a735
|
data/CHANGELOG
CHANGED
data/MIT-LICENSE
CHANGED
data/README.rdoc
CHANGED
|
@@ -8,7 +8,8 @@ use a wide variety of operations on initialization, but
|
|
|
8
8
|
a fewer number after initialization (when user input will
|
|
9
9
|
be accepted).
|
|
10
10
|
|
|
11
|
-
|
|
11
|
+
pledge(2) is supported on OpenBSD 5.9+. pledge(2) supports a second
|
|
12
|
+
argument for execpromises on OpenBSD 6.3+.
|
|
12
13
|
|
|
13
14
|
== Usage
|
|
14
15
|
|
|
@@ -20,7 +21,7 @@ Then you can use +Pledge.pledge+ as the interface to the pledge(2)
|
|
|
20
21
|
system call. You pass +Pledge.pledge+ a string containing tokens
|
|
21
22
|
for the operations you would like to allow (called promises).
|
|
22
23
|
For example, if you want to give the process the ability to read
|
|
23
|
-
from the
|
|
24
|
+
from the file system, but not write to the file system or
|
|
24
25
|
allow network access:
|
|
25
26
|
|
|
26
27
|
Pledge.pledge("rpath")
|
|
@@ -34,6 +35,18 @@ filesystem access:
|
|
|
34
35
|
|
|
35
36
|
Pledge.pledge("inet unix dns")
|
|
36
37
|
|
|
38
|
+
If you want to use pledging in a console application such as
|
|
39
|
+
irb or pry, you must include the tty promise:
|
|
40
|
+
|
|
41
|
+
Pledge.pledge("tty rpath")
|
|
42
|
+
|
|
43
|
+
You can pass a second string argument containing tokens for
|
|
44
|
+
the operations you would like to allow in spawned processes
|
|
45
|
+
(called execpromises). To allow spawning processes that have
|
|
46
|
+
read/write filesystem access only, but not network access:
|
|
47
|
+
|
|
48
|
+
Pledge.pledge("proc exec rpath", "stdio rpath wpath cpath")
|
|
49
|
+
|
|
37
50
|
+Pledge+ is a module that extends itself, you can include it
|
|
38
51
|
in other classes:
|
|
39
52
|
|
|
@@ -43,12 +56,12 @@ in other classes:
|
|
|
43
56
|
== Options
|
|
44
57
|
|
|
45
58
|
See the pledge(2) man page for a description of the allowed
|
|
46
|
-
promises in the
|
|
59
|
+
promises in the strings passed to +Pledge.pledge+.
|
|
47
60
|
|
|
48
61
|
Using an unsupported promise will raise an exception. The "stdio"
|
|
49
|
-
promise is added automatically
|
|
50
|
-
|
|
51
|
-
|
|
62
|
+
promise is added automatically to the current process's promises,
|
|
63
|
+
as ruby does not function without it, but it is not added to
|
|
64
|
+
the execpromises (as you can execute non-ruby programs).
|
|
52
65
|
|
|
53
66
|
== Reporting issues/bugs
|
|
54
67
|
|
|
@@ -85,15 +98,6 @@ task. This will compile the library if not already compiled.
|
|
|
85
98
|
|
|
86
99
|
rake
|
|
87
100
|
|
|
88
|
-
== Known Issues
|
|
89
|
-
|
|
90
|
-
* You cannot create new threads after running +Pledge.pledge+, as
|
|
91
|
-
it uses syscalls that are not currently allowed by pledge(2). +fork+
|
|
92
|
-
still works, assuming you are using the +proc+ pledge.
|
|
93
|
-
|
|
94
|
-
* You cannot currently test +Pledge.pledge+ in irb/pry, as they use an
|
|
95
|
-
ioctl that is not currently allowed by pledge(2).
|
|
96
|
-
|
|
97
101
|
== Author
|
|
98
102
|
|
|
99
103
|
Jeremy Evans <code@jeremyevans.net>
|
data/ext/pledge/pledge.c
CHANGED
|
@@ -6,16 +6,31 @@ static VALUE ePledgeInvalidPromise;
|
|
|
6
6
|
static VALUE ePledgePermissionIncreaseAttempt;
|
|
7
7
|
static VALUE ePledgeError;
|
|
8
8
|
|
|
9
|
-
static VALUE rb_pledge(VALUE
|
|
10
|
-
|
|
11
|
-
|
|
9
|
+
static VALUE rb_pledge(int argc, VALUE* argv, VALUE pledge_class) {
|
|
10
|
+
VALUE promises = Qnil;
|
|
11
|
+
VALUE execpromises = Qnil;
|
|
12
|
+
const char * prom = NULL;
|
|
13
|
+
const char * execprom = NULL;
|
|
12
14
|
|
|
13
|
-
|
|
14
|
-
rb_str_cat2(promises, " stdio");
|
|
15
|
-
promises = rb_funcall(promises, rb_intern("strip"), 0);
|
|
16
|
-
SafeStringValue(promises);
|
|
15
|
+
rb_scan_args(argc, argv, "11", &promises, &execpromises);
|
|
17
16
|
|
|
18
|
-
if (
|
|
17
|
+
if (!NIL_P(promises)) {
|
|
18
|
+
SafeStringValue(promises);
|
|
19
|
+
promises = rb_str_dup(promises);
|
|
20
|
+
|
|
21
|
+
/* required for ruby to work */
|
|
22
|
+
rb_str_cat2(promises, " stdio");
|
|
23
|
+
promises = rb_funcall(promises, rb_intern("strip"), 0);
|
|
24
|
+
SafeStringValue(promises);
|
|
25
|
+
prom = RSTRING_PTR(promises);
|
|
26
|
+
}
|
|
27
|
+
|
|
28
|
+
if (!NIL_P(execpromises)) {
|
|
29
|
+
SafeStringValue(execpromises);
|
|
30
|
+
execprom = RSTRING_PTR(execpromises);
|
|
31
|
+
}
|
|
32
|
+
|
|
33
|
+
if (pledge(prom, execprom) != 0) {
|
|
19
34
|
switch(errno) {
|
|
20
35
|
case EINVAL:
|
|
21
36
|
rb_raise(ePledgeInvalidPromise, "invalid promise in promises string");
|
|
@@ -32,7 +47,7 @@ static VALUE rb_pledge(VALUE pledge_class, VALUE promises) {
|
|
|
32
47
|
void Init_pledge(void) {
|
|
33
48
|
VALUE cPledge;
|
|
34
49
|
cPledge = rb_define_module("Pledge");
|
|
35
|
-
rb_define_method(cPledge, "pledge", rb_pledge, 1);
|
|
50
|
+
rb_define_method(cPledge, "pledge", rb_pledge, -1);
|
|
36
51
|
rb_extend_object(cPledge, cPledge);
|
|
37
52
|
ePledgeError = rb_define_class_under(cPledge, "Error", rb_eStandardError);
|
|
38
53
|
ePledgeInvalidPromise = rb_define_class_under(cPledge, "InvalidPromise", ePledgeError);
|
data/spec/pledge_spec.rb
CHANGED
|
@@ -1,12 +1,17 @@
|
|
|
1
1
|
require './lib/pledge'
|
|
2
2
|
|
|
3
3
|
require 'rubygems'
|
|
4
|
+
ENV['MT_NO_PLUGINS'] = '1' # Work around stupid autoloading of plugins
|
|
4
5
|
gem 'minitest'
|
|
5
6
|
require 'minitest/autorun'
|
|
6
7
|
|
|
7
8
|
RUBY = ENV['RUBY'] || 'ruby'
|
|
8
9
|
|
|
9
10
|
describe "Pledge.pledge" do
|
|
11
|
+
def execpledged(promises, execpromises, code)
|
|
12
|
+
system(RUBY, '-I', 'lib', '-r', 'pledge', '-e', "Pledge.pledge(#{promises.inspect}, #{execpromises.inspect}); #{code}")
|
|
13
|
+
end
|
|
14
|
+
|
|
10
15
|
def _pledged(status, promises, code)
|
|
11
16
|
system(RUBY, '-I', 'lib', '-r', 'pledge', '-e', "Pledge.pledge(#{promises.inspect}); #{code}").must_equal status
|
|
12
17
|
end
|
|
@@ -109,4 +114,25 @@ describe "Pledge.pledge" do
|
|
|
109
114
|
end
|
|
110
115
|
us.accept.read.must_equal 't'
|
|
111
116
|
end
|
|
117
|
+
|
|
118
|
+
it "should raise ArgumentError if given in invalid number of arguments" do
|
|
119
|
+
proc{Pledge.pledge()}.must_raise ArgumentError
|
|
120
|
+
proc{Pledge.pledge("", "", "")}.must_raise ArgumentError
|
|
121
|
+
end
|
|
122
|
+
|
|
123
|
+
it "should handle both promises and execpromises arguments" do
|
|
124
|
+
execpledged("proc exec rpath", "stdio rpath", "exit(`cat MIT-LICENSE` == File.read('MIT-LICENSE') ? 0 : 1)").must_equal true
|
|
125
|
+
execpledged("proc exec", "stdio rpath", "$stderr.reopen('/dev/null', 'w'); exit(`cat MIT-LICENSE` == File.read('MIT-LICENSE') ? 0 : 1)").must_equal false
|
|
126
|
+
execpledged("proc exec rpath", "stdio", "$stderr.reopen('/dev/null', 'w'); exit(`cat MIT-LICENSE` == File.read('MIT-LICENSE') ? 0 : 1)").must_equal false
|
|
127
|
+
end
|
|
128
|
+
|
|
129
|
+
it "should handle nil arguments" do
|
|
130
|
+
Pledge.pledge(nil).must_be_nil
|
|
131
|
+
Pledge.pledge(nil, nil).must_be_nil
|
|
132
|
+
execpledged("proc exec rpath", nil, "`cat MIT-LICENSE`").must_equal true
|
|
133
|
+
execpledged("", nil, "`cat MIT-LICENSE`").must_equal false
|
|
134
|
+
execpledged(nil, "stdio rpath", "`cat MIT-LICENSE`").must_equal true
|
|
135
|
+
execpledged(nil, "stdio", "File.read('MIT-LICENSE')").must_equal true
|
|
136
|
+
execpledged(nil, "stdio", "$stderr.reopen('/dev/null', 'w'); exit(`cat MIT-LICENSE` == File.read('MIT-LICENSE') ? 0 : 1)").must_equal false
|
|
137
|
+
end
|
|
112
138
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: pledge
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.1.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Jeremy Evans
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2019-04-25 00:00:00.000000000 Z
|
|
12
12
|
dependencies: []
|
|
13
13
|
description: |
|
|
14
14
|
pledge exposes OpenBSD's pledge(2) system call to ruby, allowing a
|
|
@@ -60,8 +60,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
60
60
|
- !ruby/object:Gem::Version
|
|
61
61
|
version: '0'
|
|
62
62
|
requirements: []
|
|
63
|
-
|
|
64
|
-
rubygems_version: 2.5.1
|
|
63
|
+
rubygems_version: 3.0.3
|
|
65
64
|
signing_key:
|
|
66
65
|
specification_version: 4
|
|
67
66
|
summary: Restrict system operations on OpenBSD
|