tame 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. checksums.yaml +7 -0
  2. data/CHANGELOG +3 -0
  3. data/MIT-LICENSE +18 -0
  4. data/README.rdoc +111 -0
  5. data/Rakefile +30 -0
  6. data/ext/tame/extconf.rb +4 -0
  7. data/ext/tame/tame.c +45 -0
  8. metadata +67 -0
checksums.yaml ADDED
@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA1:
3
+ metadata.gz: e9d2493ff758b598a3988a39552012eb3b086e22
4
+ data.tar.gz: 6ed68100d75fc8fc524ba0955b3d4f5d18f53139
5
+ SHA512:
6
+ metadata.gz: 1afe5a3f09dc781dd35e3c70720434178861aec0aa9171453929c34842b022d003bb940f59d05857cc73db44f096b0b689db3cc1de02cfbec265200809755bc0
7
+ data.tar.gz: eb16dcd0a7b6b5b981ca3f9eb7c8e41648d2668bf4022d10060f51e854f3fb10631861a3ca7bb8a5e2df2b577dfab0f587914787bff14486f8a5ebecf3e057db
data/CHANGELOG ADDED
@@ -0,0 +1,3 @@
1
+ === 1.0.0 (2015-07-20)
2
+
3
+ * Initial Public Release
data/MIT-LICENSE ADDED
@@ -0,0 +1,18 @@
1
+ Copyright (c) 2015 Jeremy Evans
2
+
3
+ Permission is hereby granted, free of charge, to any person obtaining a copy
4
+ of this software and associated documentation files (the "Software"), to
5
+ deal in the Software without restriction, including without limitation the
6
+ rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
7
+ sell copies of the Software, and to permit persons to whom the Software is
8
+ furnished to do so, subject to the following conditions:
9
+
10
+ The above copyright notice and this permission notice shall be included in
11
+ all copies or substantial portions of the Software.
12
+
13
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
14
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
16
+ THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
17
+ IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
18
+ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
data/README.rdoc ADDED
@@ -0,0 +1,111 @@
1
+ = tame
2
+
3
+ tame exposes OpenBSD's tame(2) system call to ruby, allowing a
4
+ program to restrict the types of operations the program
5
+ can do after that point. Unlike other similar systems,
6
+ tame is specifically designed for programs that need to
7
+ use a wide variety of operations on initialization, but
8
+ a fewer number after initialization (when user input will
9
+ be accepted).
10
+
11
+ tame(2) is supported on OpenBSD 5.8+.
12
+
13
+ == Usage
14
+
15
+ First, you need to require the library
16
+
17
+ require 'tame'
18
+
19
+ Then you can use +Tame.tame+ as the interface to the tame(2) system
20
+ call. You pass +Tame.tame+ symbols representing the operations you
21
+ would like to allow. For example, if you want to give the process
22
+ the ability to read from the the file system, but not read from the
23
+ file system or allow network access:
24
+
25
+ Tame.tame(:rpath)
26
+
27
+ To allow read/write filesystem access, but not network access:
28
+
29
+ Tame.tame(:rpath, :wpath, :cpath)
30
+
31
+ To allow inet/unix socket access and DNS queries, but not
32
+ filesystem access:
33
+
34
+ Tame.tame(:inet, :unix, :dns)
35
+
36
+ +Tame+ is a module that extends itself, you can include it
37
+ in other classes:
38
+
39
+ Object.send(:include, Tame)
40
+ tame(:rpath)
41
+
42
+ == Options
43
+
44
+ Here are the symbols that are supported, along with the tame(2)
45
+ permission they grant.
46
+
47
+ :abort :: TAME_ABORT
48
+ :cmsg :: TAME_CMSG
49
+ :cpath :: TAME_CPATH
50
+ :dns :: TAME_DNS
51
+ :getpw :: TAME_GETPW
52
+ :inet :: TAME_INET
53
+ :ioctl :: TAME_IOCTL
54
+ :proc :: TAME_PROC
55
+ :rpath :: TAME_RPATH
56
+ :tmppath :: TAME_TMPPATH
57
+ :unix :: TAME_UNIX
58
+ :wpath :: TAME_WPATH
59
+
60
+ Using an unsupported symbol will raise an exception. The TAME_STDIO
61
+ permission is automatically used, as ruby does not function without
62
+ it. See the tame(2) manual for details about what permissions the
63
+ options grant.
64
+
65
+ == Reporting issues/bugs
66
+
67
+ This library uses GitHub Issues for tracking issues/bugs:
68
+
69
+ https://github.com/jeremyevans/tame_libs/issues
70
+
71
+ == Contributing
72
+
73
+ The source code is on GitHub:
74
+
75
+ https://github.com/jeremyevans/tame_libs/tree/master/ruby
76
+
77
+ To get a copy:
78
+
79
+ git clone git://github.com/jeremyevans/tame_libs.git
80
+
81
+ == Requirements
82
+
83
+ * OpenBSD 5.8+
84
+ * ruby 1.8.7+
85
+ * rake-compiler (if compiling)
86
+
87
+ == Compiling
88
+
89
+ To build the library from a git checkout, use the compile task.
90
+
91
+ rake compile
92
+
93
+ == Running the specs
94
+
95
+ The rake spec task runs the specs. This is also the default rake
96
+ task. This will compile the library if not already compiled.
97
+
98
+ rake
99
+
100
+ == Known Issues
101
+
102
+ * You cannot create new threads after running +Tame.tame+, as
103
+ it uses syscalls that are not currently allowed by tame(2). +fork+
104
+ still works.
105
+
106
+ * You cannot currently test +Tame.tame+ in irb/pry, as they use an
107
+ ioctl that is not currently allowed by tame(2).
108
+
109
+ == Author
110
+
111
+ Jeremy Evans <code@jeremyevans.net>
data/Rakefile ADDED
@@ -0,0 +1,30 @@
1
+ require "rake"
2
+ require "rake/clean"
3
+
4
+ CLEAN.include %w'**.rbc rdoc'
5
+
6
+ desc "Do a full cleaning"
7
+ task :distclean do
8
+ CLEAN.include %w'tmp pkg tame*.gem lib/*.so'
9
+ Rake::Task[:clean].invoke
10
+ end
11
+
12
+ desc "Build the gem"
13
+ task :package do
14
+ sh %{gem build tame.gemspec}
15
+ end
16
+
17
+ desc "Run specs"
18
+ task :spec => :compile do
19
+ ruby = ENV['RUBY'] ||= FileUtils::RUBY
20
+ sh %{#{ruby} spec/tame_spec.rb}
21
+ end
22
+
23
+ desc "Run specs"
24
+ task :default => :spec
25
+
26
+ begin
27
+ require 'rake/extensiontask'
28
+ Rake::ExtensionTask.new('tame')
29
+ rescue LoadError
30
+ end
data/ext/tame/extconf.rb ADDED
@@ -0,0 +1,4 @@
1
+ require 'mkmf'
2
+ have_header 'tame'
3
+ $CFLAGS << " -O0 -g -ggdb" if ENV['DEBUG']
4
+ create_makefile("tame")
data/ext/tame/tame.c ADDED
@@ -0,0 +1,45 @@
1
+ #include <ruby.h>
2
+ #include <sys/tame.h>
3
+
4
+ static VALUE cTameFlags;
5
+
6
+ static VALUE rb_tame(int argc, VALUE *argv, VALUE self) {
7
+ /* required for ruby to work */
8
+ int tame_flags = TAME_STDIO;
9
+ int i;
10
+ VALUE v;
11
+
12
+ for(i = 0; i < argc; i++) {
13
+ v = rb_hash_aref(cTameFlags, argv[i]);
14
+ if (RTEST(v) == 0) {
15
+ rb_raise(rb_eArgError, "unsupported tame argument");
16
+ }
17
+ tame_flags |= FIX2INT(v);
18
+ }
19
+
20
+ tame(tame_flags);
21
+ return Qnil;
22
+ }
23
+
24
+ void Init_tame(void) {
25
+ VALUE cTame;
26
+ cTame = rb_define_module("Tame");
27
+ rb_define_method(cTame, "tame", rb_tame, -1);
28
+ rb_extend_object(cTame, cTame);
29
+
30
+ cTameFlags = rb_hash_new();
31
+ rb_global_variable(&cTameFlags);
32
+ rb_hash_aset(cTameFlags, ID2SYM(rb_intern("abort")), INT2FIX(TAME_ABORT));
33
+ rb_hash_aset(cTameFlags, ID2SYM(rb_intern("cmsg")), INT2FIX(TAME_CMSG));
34
+ rb_hash_aset(cTameFlags, ID2SYM(rb_intern("cpath")), INT2FIX(TAME_CPATH));
35
+ rb_hash_aset(cTameFlags, ID2SYM(rb_intern("dns")), INT2FIX(TAME_DNS));
36
+ rb_hash_aset(cTameFlags, ID2SYM(rb_intern("getpw")), INT2FIX(TAME_GETPW));
37
+ rb_hash_aset(cTameFlags, ID2SYM(rb_intern("inet")), INT2FIX(TAME_INET));
38
+ rb_hash_aset(cTameFlags, ID2SYM(rb_intern("ioctl")), INT2FIX(TAME_IOCTL));
39
+ rb_hash_aset(cTameFlags, ID2SYM(rb_intern("proc")), INT2FIX(TAME_PROC));
40
+ rb_hash_aset(cTameFlags, ID2SYM(rb_intern("rpath")), INT2FIX(TAME_RPATH));
41
+ rb_hash_aset(cTameFlags, ID2SYM(rb_intern("tmppath")), INT2FIX(TAME_TMPPATH));
42
+ rb_hash_aset(cTameFlags, ID2SYM(rb_intern("unix")), INT2FIX(TAME_UNIX));
43
+ rb_hash_aset(cTameFlags, ID2SYM(rb_intern("wpath")), INT2FIX(TAME_WPATH));
44
+ rb_hash_freeze(cTameFlags);
45
+ }
metadata ADDED
@@ -0,0 +1,67 @@
1
+ --- !ruby/object:Gem::Specification
2
+ name: tame
3
+ version: !ruby/object:Gem::Version
4
+ version: 1.0.0
5
+ platform: ruby
6
+ authors:
7
+ - Jeremy Evans
8
+ autorequire:
9
+ bindir: bin
10
+ cert_chain: []
11
+ date: 2015-07-20 00:00:00.000000000 Z
12
+ dependencies: []
13
+ description: |
14
+ tame exposes OpenBSD's tame(2) system call to ruby, allowing a
15
+ program to restrict the types of operations the program
16
+ can do after that point. Unlike other similar systems,
17
+ tame is specifically designed for programs that need to
18
+ use a wide variety of operations on initialization, but
19
+ a fewer number after initialization (when user input will
20
+ be accepted).
21
+ email: code@jeremyevans.net
22
+ executables: []
23
+ extensions:
24
+ - ext/tame/extconf.rb
25
+ extra_rdoc_files:
26
+ - README.rdoc
27
+ - CHANGELOG
28
+ - MIT-LICENSE
29
+ files:
30
+ - CHANGELOG
31
+ - MIT-LICENSE
32
+ - README.rdoc
33
+ - Rakefile
34
+ - ext/tame/extconf.rb
35
+ - ext/tame/tame.c
36
+ homepage: http://github.com/jeremyevans/tame_libs/ruby
37
+ licenses:
38
+ - MIT
39
+ metadata: {}
40
+ post_install_message:
41
+ rdoc_options:
42
+ - "--quiet"
43
+ - "--line-numbers"
44
+ - "--inline-source"
45
+ - "--title"
46
+ - 'tame: restrict system operations on OpenBSD'
47
+ - "--main"
48
+ - README.rdoc
49
+ require_paths:
50
+ - lib
51
+ required_ruby_version: !ruby/object:Gem::Requirement
52
+ requirements:
53
+ - - ">="
54
+ - !ruby/object:Gem::Version
55
+ version: 1.8.7
56
+ required_rubygems_version: !ruby/object:Gem::Requirement
57
+ requirements:
58
+ - - ">="
59
+ - !ruby/object:Gem::Version
60
+ version: '0'
61
+ requirements: []
62
+ rubyforge_project:
63
+ rubygems_version: 2.4.5
64
+ signing_key:
65
+ specification_version: 4
66
+ summary: Restrict system operations on OpenBSD
67
+ test_files: []