pledge 1.2.0 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 949027d706330a2286744e8230a2bf32dcc70eb96bc92d96ea3ecfcc4cc9c79f
-  data.tar.gz: 746d5466733720404a1ed65c53d635f67f90d7c187e8e77b30148bec9fe71e58
+  metadata.gz: f794b6f397a93e9eaabdfff4928f49537fb0a45b55c042c7dc27c46d27918f5a
+  data.tar.gz: a0291c2d672594938292c7a6a83cc111d3c54679ea412c679e28087b8a870a89
 SHA512:
-  metadata.gz: 75456b41d7c3c77633ce3395cf9c55f5a3d3812ba99cbdeb7ef3a4ff3ef4c9fac4f7e83ecf7ab8501e54b07189b3a9aa53d16c589932f14c40b52e5fa0a3a733
-  data.tar.gz: a75f472530864f085cfd0aa427abd18a871708b1916b2d0f1fabed31a5164a73a695769884e10ab045ef6f1d28333a6bb75ed6081b092f0de92e9b7a1fba8af5
+  metadata.gz: 9242a1de3c01334a60cb13ab98410dbe533e089228cf1a7a7cfdbb55a6d1ca7614aacbb306974ff85db1165b02a68e292ee9704038e41e9fab5100cccc7b68dc
+  data.tar.gz: e51bf3d1b375e5eba599052423fce0438cb21b3810b8dd38d6a26d7543bba2db8e8547edd0b53bbab99c999dfdead8b6f68e88620cfd9368a0c67bfcdf1c3d37

data/CHANGELOG

@@ -1,3 +1,7 @@
+=== 1.3.0 (2022-12-19)
+
+* Allow installation on platforms not supporting pledge, raising NotImplementedError when calling pledge/unveil methods in that case (jcs) (#3)
+
 === 1.2.0 (2019-07-07)
 
 * Add unveil library and Pledge.unveil for access to unveil(2) to control file system access (jeremyevans)

data/Rakefile

@@ -1,7 +1,6 @@
-require "rake"
 require "rake/clean"
 
-CLEAN.include %w'**.rbc rdoc lib/*.so tmp'
+CLEAN.include %w'lib/*.so tmp coverage'
 
 desc "Build the gem"
 task :package do
@@ -11,12 +10,20 @@ end
 desc "Run specs"
 task :spec => :compile do
   ruby = ENV['RUBY'] ||= FileUtils::RUBY 
-  sh %{#{ruby} spec/pledge_spec.rb}
+  sh %{#{ruby} #{"-w" if RUBY_VERSION >= '3'} spec/pledge_spec.rb}
 end
 
 desc "Run specs"
 task :default => :spec
 
+desc "Run specs with coverage"
+task :spec_cov => [:compile] do
+  ruby = ENV['RUBY'] ||= FileUtils::RUBY 
+  ENV['COVERAGE'] = '1'
+  FileUtils.rm_rf('coverage')
+  sh %{#{ruby} spec/unveil_spec.rb}
+end
+
 begin
   require 'rake/extensiontask'
   Rake::ExtensionTask.new('pledge')

data/ext/pledge/extconf.rb

@@ -1,6 +1,6 @@
 require 'mkmf'
 have_header 'unistd.h'
-have_func('pledge') || raise("pledge(2) not present, cannot built extension")
+have_func('pledge')
 have_func('unveil')
 $CFLAGS << " -O0 -g -ggdb" if ENV['DEBUG']
 $CFLAGS << " -Wall"

data/ext/pledge/pledge.c

@@ -13,6 +13,7 @@ static VALUE rb_pledge(int argc, VALUE* argv, VALUE pledge_class) {
   const char * prom = NULL;
   const char * execprom = NULL;
 
+#ifdef HAVE_PLEDGE
   rb_scan_args(argc, argv, "11", &promises, &execpromises);
 
   if (!NIL_P(promises)) {
@@ -41,6 +42,9 @@ static VALUE rb_pledge(int argc, VALUE* argv, VALUE pledge_class) {
         rb_raise(ePledgeError, "pledge error");
     }
   }
+#else
+  rb_raise(rb_eNotImpError, "pledge not supported");
+#endif
 
   return Qnil;
 }

data/lib/unveil.rb

@@ -1,7 +1,6 @@
 # frozen-string-literal: true
 
-require 'pledge'
-raise LoadError, "unveil not supported" unless Pledge.respond_to?(:_unveil, true)
+require_relative 'pledge'
 
 module Pledge
   # Limit access to the file system using unveil(2).  +paths+ should be a hash
@@ -23,6 +22,10 @@ module Pledge
   # which denies all access to the file system if +unveil_without_lock+
   # was not called previously.
   def unveil(paths)
+    # :nocov:
+    raise NotImplementedError, "unveil not supported" unless Pledge.respond_to?(:_unveil, true)
+    # :nocov:
+
     if paths.empty?
       paths = {'/'=>''}
     end
@@ -33,6 +36,10 @@ module Pledge
 
   # Same as unveil, but allows for future calls to unveil or unveil_without_lock.
   def unveil_without_lock(paths)
+    # :nocov:
+    raise NotImplementedError, "unveil not supported" unless Pledge.respond_to?(:_unveil, true)
+    # :nocov:
+
     paths = Hash[paths]
 
     paths.to_a.each do |path, perm|

data/spec/pledge_spec.rb

@@ -1,11 +1,4 @@
-require './lib/pledge'
-
-require 'rubygems'
-ENV['MT_NO_PLUGINS'] = '1' # Work around stupid autoloading of plugins
-gem 'minitest'
-require 'minitest/autorun'
-
-RUBY = ENV['RUBY'] || 'ruby'
+require_relative 'unveil_spec'
 
 describe "Pledge.pledge" do
   def execpledged(promises, execpromises, code)
@@ -73,8 +66,8 @@ describe "Pledge.pledge" do
 
   it "should allow dns lookups if dns is used" do
     with_lib('socket') do
-      unpledged("Socket.gethostbyname('google.com')")
-      pledged("Socket.gethostbyname('google.com')", "dns")
+      unpledged("Addrinfo.getaddrinfo('google.com', nil)")
+      pledged("Addrinfo.getaddrinfo('google.com', nil)", "dns")
     end
   end
 
@@ -136,79 +129,3 @@ describe "Pledge.pledge" do
     execpledged(nil, "stdio", "$stderr.reopen('/dev/null', 'w'); exit(`cat MIT-LICENSE` == File.read('MIT-LICENSE'))").must_equal false
   end
 end
-
-describe "Pledge.unveil" do
-  def unveiled(unveils, code)
-    system(RUBY, '-I', 'lib', '-r', 'unveil', '-e', "Pledge.unveil(#{unveils.inspect}); #{code}")
-  end
-
-  test_file = "spec/#{$$}_test.rb"
-
-  after do
-    File.delete(test_file) if File.file?(test_file)
-  end
-
-  it "should handle unveiling paths" do
-    unveiled({}, "exit(Dir['*'].empty?)").must_equal true
-    unveiled({'.'=>'r'}, "exit(!Dir['*'].empty?)").must_equal true
-
-    test_read = "exit(((File.read('MIT-LICENSE'); true) rescue false))"
-    unveiled({'.'=>'w'}, test_read).must_equal false
-    unveiled({'.'=>'r'}, test_read).must_equal true
-    unveiled({'.'=>'r'}, "exit(((File.open('MIT-LICENSE', 'w'){}; true) rescue false))").must_equal false
-
-    %w'rwxc rwx rwc rxc rx rw rc'.each do |perm|
-      unveiled({'.'=>perm}, test_read).must_equal true
-    end
-
-    %w'wxc wx wc xc x w c'.each do |perm|
-      unveiled({'.'=>perm}, test_read).must_equal false
-    end
-
-    unveiled({'MIT-LICENSE'=>'r'}, test_read).must_equal true
-    unveiled({'Rakefile'=>'r'}, test_read).must_equal false
-    unveiled({'.'=>'r', 'MIT-LICENSE'=>''}, test_read).must_equal false
-    unveiled({}, "Pledge.unveil{} rescue exit(1)").must_equal false
-    system(RUBY, '-I', 'lib', '-r', 'unveil', '-e', "Pledge.unveil_without_lock({'.'=>'r'}); Pledge.unveil({}); #{test_read}").must_equal true
-    system(RUBY, '-I', 'lib', '-r', 'unveil', '-e', "Pledge.unveil('foo/bar'=>'r') rescue exit(1)").must_equal false
-    system(RUBY, '-I', 'lib', '-r', 'unveil', '-e', "Pledge.send(:_unveil, '.', 'f') rescue exit(1)").must_equal false
-    system(RUBY, '-I', 'lib', '-r', 'unveil', '-e', "Pledge.unveil({1=>'s'}) rescue exit(1)").must_equal false
-    system(RUBY, '-I', 'lib', '-r', 'unveil', '-e', "Pledge.unveil({'s'=>1}) rescue exit(1)").must_equal false
-    system(RUBY, '-I', 'lib', '-r', 'unveil', '-e', "Pledge.send(:_unveil, 1, 'r') rescue exit(1)").must_equal false
-    system(RUBY, '-I', 'lib', '-r', 'unveil', '-e', "Pledge.send(:_unveil, '.', 1) rescue exit(1)").must_equal false
-  end
-
-  it "should handle require after unveil with read access after removing from $LOADED_FEATURES" do
-    [File.join('.', test_file), File.join(Dir.pwd, test_file)].each do |f|
-      f = f.inspect
-      system(RUBY, '-I', 'lib', '-r', 'unveil', '-e', <<-END).must_equal true
-        File.open(#{f}, 'w'){|f| f.write '1'}
-        require #{f}
-        Pledge.unveil('spec'=>'r')
-        $LOADED_FEATURES.delete #{f}
-        require #{f}
-      END
-    end
-  end
-
-  it "should handle :gem value to unveil gems" do
-    system(RUBY, '-I', 'lib', '-r', 'unveil', '-e', "$stderr.reopen('/dev/null', 'w'); require 'rubygems'; gem 'minitest'; require 'minitest'; Pledge.unveil({}); require 'minitest/benchmark' rescue exit(1)").must_equal false
-    system(RUBY, '-I', 'lib', '-r', 'unveil', '-e', "require 'rubygems'; gem 'minitest'; require 'minitest'; Pledge.unveil('minitest'=>:gem); require 'minitest/benchmark' rescue (p $!; puts $!.backtrace; exit(1))").must_equal true
-
-    system(RUBY, '-I', 'lib', '-r', 'unveil', '-e', "Pledge.unveil('gadzooks!!!'=>:gem) rescue exit(1)").must_equal false
-  end
-
-  it "should need create and write access for writing new files, and create access for removing files" do
-    unveiled({'.'=>'w'}, "File.open(#{test_file.inspect}, 'w'){|f| f.write '1'} rescue exit(1)").must_equal false
-    File.file?(test_file).must_equal false
-    unveiled({'.'=>'c'}, "File.open(#{test_file.inspect}, 'w'){|f| f.write '1'} rescue exit(1)").must_equal false
-    File.file?(test_file).must_equal false
-    unveiled({'.'=>'cw'}, "File.open(#{test_file.inspect}, 'w'){|f| f.write '1'}").must_equal true
-    File.read(test_file).must_equal '1'
-
-    unveiled({'.'=>'w'}, "File.delete(#{test_file.inspect}) rescue exit(1)").must_equal false
-    File.read(test_file).must_equal '1'
-    unveiled({'.'=>'c'}, "File.delete(#{test_file.inspect})").must_equal true
-    File.file?(test_file).must_equal false
-  end
-end if Pledge.respond_to?(:_unveil, true)

metadata

@@ -1,15 +1,43 @@
 --- !ruby/object:Gem::Specification
 name: pledge
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 1.3.0
 platform: ruby
 authors:
 - Jeremy Evans
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-07-07 00:00:00.000000000 Z
-dependencies: []
+date: 2022-12-19 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: minitest-global_expectations
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake-compiler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: |
   pledge exposes OpenBSD's pledge(2) and unveil(2) system calls to Ruby, allowing
   a program to restrict the types of operations the program can do, and the file
@@ -38,7 +66,7 @@ homepage: https://github.com/jeremyevans/ruby-pledge
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options:
 - "--quiet"
 - "--line-numbers"
@@ -53,15 +81,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 1.8.7
+      version: 1.9.2
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key: 
+rubygems_version: 3.3.26
+signing_key:
 specification_version: 4
 summary: Restrict system operations and file system access on OpenBSD
 test_files: []