pledge 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 1ff2e2250fd7b7b8b8edab08f84d75d1140b75ee
+  data.tar.gz: 14e9e9cdc750d16d575e014e5e5b29769816f19d
+SHA512:
+  metadata.gz: a5e05296eac3da536dbf96189899d810baecef6c791ef9f356628f2f81a04c13f00a892247cf7e9495749f357e9316aefe6b5af324a8361112925861f1786b45
+  data.tar.gz: 3f7e3289b7011e2b54eac6b1ce35798667dda2d08b51815517a57b6476255ffd3628bb37fee313d24f4649a1f0bc654af1590bf0617401a5a8381fdebff16c06

data/CHANGELOG

@@ -0,0 +1,3 @@
+=== 1.0.0 (2016-11-04)
+
+* Initial Public Release

data/MIT-LICENSE

@@ -0,0 +1,18 @@
+Copyright (c) 2016 Jeremy Evans
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,99 @@
+= pledge
+
+pledge exposes OpenBSD's pledge(2) system call to ruby, allowing a
+program to restrict the types of operations the program
+can do after that point.  Unlike other similar systems,
+pledge is specifically designed for programs that need to
+use a wide variety of operations on initialization, but
+a fewer number after initialization (when user input will
+be accepted).
+
+plege(2) is supported on OpenBSD 5.9+.
+
+== Usage
+
+First, you need to require the library
+
+  require 'pledge'
+
+Then you can use +Pledge.pledge+ as the interface to the pledge(2)
+system call.  You pass +Pledge.pledge+ a string containing tokens
+for the operations you would like to allow (called promises).
+For example, if you want to give the process the ability to read
+from the the file system, but not read from the file system or
+allow network access:
+
+  Pledge.pledge("rpath")
+
+To allow read/write filesystem access, but not network access:
+
+  Pledge.pledge("rpath wpath cpath")
+
+To allow inet/unix socket access and DNS queries, but not
+filesystem access:
+
+  Pledge.pledge("inet unix dns")
+
++Pledge+ is a module that extends itself, you can include it
+in other classes:
+
+  Object.send(:include, Pledge)
+  pledge("rpath")
+
+== Options
+
+See the pledge(2) man page for a description of the allowed
+promises in the string passed to +Pledge.pledge+.
+
+Using an unsupported promise will raise an exception.  The "stdio"
+promise is added automatically, as ruby does not function without
+
+it. 
+
+== Reporting issues/bugs
+
+This library uses GitHub Issues for tracking issues/bugs:
+
+  https://github.com/jeremyevans/ruby-pledge/issues
+
+== Contributing
+
+The source code is on GitHub:
+
+  https://github.com/jeremyevans/ruby-pledge
+
+To get a copy:
+
+  git clone git://github.com/jeremyevans/ruby-pledge.git
+
+== Requirements
+
+* OpenBSD 5.9+
+* ruby 1.8.7+
+* rake-compiler (if compiling)
+
+== Compiling
+
+To build the library from a git checkout, use the compile task.
+
+  rake compile
+
+== Running the specs
+
+The rake spec task runs the specs.  This is also the default rake
+task.  This will compile the library if not already compiled. 
+
+  rake
+
+== Known Issues
+
+* You cannot create new threads after running +Pledge.pledge+, as
+  it uses syscalls that are not currently allowed by pledge(2).  +fork+
+  still works, assuming you are using the +proc+ pledge.
+
+* You cannot currently test +Pledge.pledge+ in irb/pry, as they use an
+  ioctl that is not currently allowed by pledge(2).
+
+== Author
+
+Jeremy Evans <code@jeremyevans.net>

data/Rakefile

@@ -0,0 +1,30 @@
+require "rake"
+require "rake/clean"
+
+CLEAN.include %w'**.rbc rdoc'
+
+desc "Do a full cleaning"
+task :distclean do
+  CLEAN.include %w'tmp pkg tame*.gem lib/*.so'
+  Rake::Task[:clean].invoke
+end
+
+desc "Build the gem"
+task :package do
+  sh %{gem build pledge.gemspec}
+end
+
+desc "Run specs"
+task :spec => :compile do
+  ruby = ENV['RUBY'] ||= FileUtils::RUBY 
+  sh %{#{ruby} spec/pledge_spec.rb}
+end
+
+desc "Run specs"
+task :default => :spec
+
+begin
+  require 'rake/extensiontask'
+  Rake::ExtensionTask.new('pledge')
+rescue LoadError
+end

data/ext/pledge/extconf.rb

@@ -0,0 +1,5 @@
+require 'mkmf'
+have_header 'pledge'
+$CFLAGS << " -O0 -g -ggdb" if ENV['DEBUG']
+$CFLAGS << " -Wall"
+create_makefile("pledge")

data/ext/pledge/pledge.c

@@ -0,0 +1,40 @@
+#include <errno.h>
+#include <ruby.h>
+#include <unistd.h>
+
+static VALUE ePledgeInvalidPromise;
+static VALUE ePledgePermissionIncreaseAttempt;
+static VALUE ePledgeError;
+
+static VALUE rb_pledge(VALUE pledge_class, VALUE promises) {
+  SafeStringValue(promises);
+  promises = rb_str_dup(promises);
+
+  /* required for ruby to work */
+  rb_str_cat2(promises, " stdio");
+  promises = rb_funcall(promises, rb_intern("strip"), 0);
+  SafeStringValue(promises);
+
+  if (pledge(RSTRING_PTR(promises), NULL) != 0) {
+    switch(errno) {
+    case EINVAL:
+        rb_raise(ePledgeInvalidPromise, "invalid promise in promises string");
+    case EPERM:
+        rb_raise(ePledgePermissionIncreaseAttempt, "attempt to increase permissions");
+    default:
+        rb_raise(ePledgeError, "pledge error");
+    }
+  }
+
+  return Qnil;
+}
+
+void Init_pledge(void) {
+  VALUE cPledge;
+  cPledge = rb_define_module("Pledge");
+  rb_define_method(cPledge, "pledge", rb_pledge, 1);
+  rb_extend_object(cPledge, cPledge);
+  ePledgeError = rb_define_class_under(cPledge, "Error", rb_eStandardError);
+  ePledgeInvalidPromise = rb_define_class_under(cPledge, "InvalidPromise", ePledgeError);
+  ePledgePermissionIncreaseAttempt = rb_define_class_under(cPledge, "PermissionIncreaseAttempt", ePledgeError);
+}

data/spec/pledge_spec.rb

@@ -0,0 +1,112 @@
+require './lib/pledge'
+
+require 'rubygems'
+gem 'minitest'
+require 'minitest/autorun'
+
+RUBY = ENV['RUBY'] || 'ruby'
+
+describe "Pledge.pledge" do
+  def _pledged(status, promises, code)
+    system(RUBY, '-I', 'lib', '-r', 'pledge', '-e', "Pledge.pledge(#{promises.inspect}); #{code}").must_equal status
+  end
+
+  def pledged(code, promises="")
+    _pledged(true, promises, code)
+  end
+
+  def unpledged(code, promises="")
+    _pledged(false, promises, code)
+  end
+
+  def with_lib(lib)
+    rubyopt = ENV['RUBYOPT']
+    ENV['RUBYOPT'] = "#{rubyopt} -r#{lib}"
+    yield
+  ensure
+    ENV['RUBYOPT'] = rubyopt
+  end
+
+  after do
+    Dir['spec/_*'].each{|f| File.delete(f)}
+    Dir['*.core'].each{|f| File.delete(f)}
+  end
+
+  it "should raise a Pledge::InvalidPromise for unsupported promises" do
+    proc{Pledge.pledge("foo")}.must_raise Pledge::InvalidPromise
+  end
+
+  it "should raise a Pledge::PermissionIncreaseAttempt if attempting to increase permissinos" do
+    pledged("begin; Pledge.pledge('rpath'); rescue Pledge::PermissionIncreaseAttempt; exit 0; end; exit 1")
+  end
+
+  it "should produce a core file on failure" do
+    unpledged("File.read('#{__FILE__}')")
+    Dir['*.core'].wont_equal []
+  end
+
+  it "should allow reading files if rpath is used" do
+    unpledged("File.read('#{__FILE__}')")
+    pledged("File.read('#{__FILE__}')", "rpath")
+  end
+
+  it "should allow creating files if cpath and wpath are used" do
+    unpledged("File.open('spec/_test', 'w'){}")
+    unpledged("File.open('spec/_test', 'w'){}", "cpath")
+    unpledged("File.open('spec/_test', 'w'){}", "wpath")
+    File.file?('spec/_test').must_equal false
+    pledged("File.open('#{'spec/_test'}', 'w'){}", "cpath wpath")
+    File.file?('spec/_test').must_equal true
+  end
+
+  it "should allow writing to files if wpath and rpath are used" do
+    File.open('spec/_test', 'w'){}
+    unpledged("File.open('spec/_test', 'r+'){}")
+    pledged("File.open('#{'spec/_test'}', 'r+'){|f| f.write '1'}", "wpath rpath")
+    File.read('spec/_test').must_equal '1'
+  end
+
+  it "should allow dns lookups if dns is used" do
+    with_lib('socket') do
+      unpledged("Socket.gethostbyname('google.com')")
+      pledged("Socket.gethostbyname('google.com')", "dns")
+    end
+  end
+
+  it "should allow internet access if inet is used" do
+    with_lib('net/http') do
+      unpledged("Net::HTTP.get('127.0.0.1', '/index.html') rescue nil")
+      promises = "inet"
+      # rpath necessary on ruby < 2.1, as it calls stat
+      promises << " rpath" if RUBY_VERSION < '2.1'
+      pledged("Net::HTTP.get('127.0.0.1', '/index.html') rescue nil", promises)
+    end
+  end
+
+  it "should allow killing programs if proc is used" do
+    unpledged("Process.kill(:URG, #{$$})")
+    pledged("Process.kill(:URG, #{$$})", "proc")
+  end
+
+  it "should allow creating temp files if tmppath and rpath are used" do
+    with_lib('tempfile') do
+      unpledged("Tempfile.new('foo')")
+      unpledged("Tempfile.new('foo')", "tmppath")
+      unpledged("Tempfile.new('foo')", "rpath")
+      promises = "tmppath rpath"
+      # cpath necessary on ruby < 2.0, as it calls mkdir
+      promises << " cpath" if RUBY_VERSION < '2.0'
+      pledged("Tempfile.new('foo')", promises)
+    end
+  end
+
+  it "should allow unix sockets if unix and rpath is used" do
+    require 'socket'
+    us = UNIXServer.new('spec/_sock')
+    with_lib('socket') do
+      unpledged("UNIXSocket.new('spec/_sock').send('u', 0)")
+      pledged("UNIXSocket.new('spec/_sock').send('t', 0)", "unix")
+    end
+    us.accept.read.must_equal 't'
+  end
+end

metadata

@@ -0,0 +1,68 @@
+--- !ruby/object:Gem::Specification
+name: pledge
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Jeremy Evans
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-11-03 00:00:00.000000000 Z
+dependencies: []
+description: |
+  pledge exposes OpenBSD's pledge(2) system call to ruby, allowing a
+  program to restrict the types of operations the program
+  can do after that point.  Unlike other similar systems,
+  pledge is specifically designed for programs that need to
+  use a wide variety of operations on initialization, but
+  a fewer number after initialization (when user input will
+  be accepted).
+email: code@jeremyevans.net
+executables: []
+extensions:
+- ext/pledge/extconf.rb
+extra_rdoc_files:
+- README.rdoc
+- CHANGELOG
+- MIT-LICENSE
+files:
+- CHANGELOG
+- MIT-LICENSE
+- README.rdoc
+- Rakefile
+- ext/pledge/extconf.rb
+- ext/pledge/pledge.c
+- spec/pledge_spec.rb
+homepage: https://github.com/jeremyevans/ruby-pledge
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options:
+- "--quiet"
+- "--line-numbers"
+- "--inline-source"
+- "--title"
+- 'pledge: restrict system operations on OpenBSD'
+- "--main"
+- README.rdoc
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 1.8.7
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: Restrict system operations on OpenBSD
+test_files: []