tame 1.0.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (8) hide show
  1. checksums.yaml +7 -0
  2. data/CHANGELOG +3 -0
  3. data/MIT-LICENSE +18 -0
  4. data/README.rdoc +111 -0
  5. data/Rakefile +30 -0
  6. data/ext/tame/extconf.rb +4 -0
  7. data/ext/tame/tame.c +45 -0
  8. metadata +67 -0
checksums.yaml ADDED
@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA1:
3
+ metadata.gz: e9d2493ff758b598a3988a39552012eb3b086e22
4
+ data.tar.gz: 6ed68100d75fc8fc524ba0955b3d4f5d18f53139
5
+ SHA512:
6
+ metadata.gz: 1afe5a3f09dc781dd35e3c70720434178861aec0aa9171453929c34842b022d003bb940f59d05857cc73db44f096b0b689db3cc1de02cfbec265200809755bc0
7
+ data.tar.gz: eb16dcd0a7b6b5b981ca3f9eb7c8e41648d2668bf4022d10060f51e854f3fb10631861a3ca7bb8a5e2df2b577dfab0f587914787bff14486f8a5ebecf3e057db
data/CHANGELOG ADDED
@@ -0,0 +1,3 @@
1
+ === 1.0.0 (2015-07-20)
2
+
3
+ * Initial Public Release
data/MIT-LICENSE ADDED
@@ -0,0 +1,18 @@
1
+ Copyright (c) 2015 Jeremy Evans
2
+
3
+ Permission is hereby granted, free of charge, to any person obtaining a copy
4
+ of this software and associated documentation files (the "Software"), to
5
+ deal in the Software without restriction, including without limitation the
6
+ rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
7
+ sell copies of the Software, and to permit persons to whom the Software is
8
+ furnished to do so, subject to the following conditions:
9
+
10
+ The above copyright notice and this permission notice shall be included in
11
+ all copies or substantial portions of the Software.
12
+
13
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
14
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
16
+ THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
17
+ IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
18
+ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
data/README.rdoc ADDED
@@ -0,0 +1,111 @@
1
+ = tame
2
+
3
+ tame exposes OpenBSD's tame(2) system call to ruby, allowing a
4
+ program to restrict the types of operations the program
5
+ can do after that point. Unlike other similar systems,
6
+ tame is specifically designed for programs that need to
7
+ use a wide variety of operations on initialization, but
8
+ a fewer number after initialization (when user input will
9
+ be accepted).
10
+
11
+ tame(2) is supported on OpenBSD 5.8+.
12
+
13
+ == Usage
14
+
15
+ First, you need to require the library
16
+
17
+ require 'tame'
18
+
19
+ Then you can use +Tame.tame+ as the interface to the tame(2) system
20
+ call. You pass +Tame.tame+ symbols representing the operations you
21
+ would like to allow. For example, if you want to give the process
22
+ the ability to read from the the file system, but not read from the
23
+ file system or allow network access:
24
+
25
+ Tame.tame(:rpath)
26
+
27
+ To allow read/write filesystem access, but not network access:
28
+
29
+ Tame.tame(:rpath, :wpath, :cpath)
30
+
31
+ To allow inet/unix socket access and DNS queries, but not
32
+ filesystem access:
33
+
34
+ Tame.tame(:inet, :unix, :dns)
35
+
36
+ +Tame+ is a module that extends itself, you can include it
37
+ in other classes:
38
+
39
+ Object.send(:include, Tame)
40
+ tame(:rpath)
41
+
42
+ == Options
43
+
44
+ Here are the symbols that are supported, along with the tame(2)
45
+ permission they grant.
46
+
47
+ :abort :: TAME_ABORT
48
+ :cmsg :: TAME_CMSG
49
+ :cpath :: TAME_CPATH
50
+ :dns :: TAME_DNS
51
+ :getpw :: TAME_GETPW
52
+ :inet :: TAME_INET
53
+ :ioctl :: TAME_IOCTL
54
+ :proc :: TAME_PROC
55
+ :rpath :: TAME_RPATH
56
+ :tmppath :: TAME_TMPPATH
57
+ :unix :: TAME_UNIX
58
+ :wpath :: TAME_WPATH
59
+
60
+ Using an unsupported symbol will raise an exception. The TAME_STDIO
61
+ permission is automatically used, as ruby does not function without
62
+ it. See the tame(2) manual for details about what permissions the
63
+ options grant.
64
+
65
+ == Reporting issues/bugs
66
+
67
+ This library uses GitHub Issues for tracking issues/bugs:
68
+
69
+ https://github.com/jeremyevans/tame_libs/issues
70
+
71
+ == Contributing
72
+
73
+ The source code is on GitHub:
74
+
75
+ https://github.com/jeremyevans/tame_libs/tree/master/ruby
76
+
77
+ To get a copy:
78
+
79
+ git clone git://github.com/jeremyevans/tame_libs.git
80
+
81
+ == Requirements
82
+
83
+ * OpenBSD 5.8+
84
+ * ruby 1.8.7+
85
+ * rake-compiler (if compiling)
86
+
87
+ == Compiling
88
+
89
+ To build the library from a git checkout, use the compile task.
90
+
91
+ rake compile
92
+
93
+ == Running the specs
94
+
95
+ The rake spec task runs the specs. This is also the default rake
96
+ task. This will compile the library if not already compiled.
97
+
98
+ rake
99
+
100
+ == Known Issues
101
+
102
+ * You cannot create new threads after running +Tame.tame+, as
103
+ it uses syscalls that are not currently allowed by tame(2). +fork+
104
+ still works.
105
+
106
+ * You cannot currently test +Tame.tame+ in irb/pry, as they use an
107
+ ioctl that is not currently allowed by tame(2).
108
+
109
+ == Author
110
+
111
+ Jeremy Evans <code@jeremyevans.net>
data/Rakefile ADDED
@@ -0,0 +1,30 @@
1
+ require "rake"
2
+ require "rake/clean"
3
+
4
+ CLEAN.include %w'**.rbc rdoc'
5
+
6
+ desc "Do a full cleaning"
7
+ task :distclean do
8
+ CLEAN.include %w'tmp pkg tame*.gem lib/*.so'
9
+ Rake::Task[:clean].invoke
10
+ end
11
+
12
+ desc "Build the gem"
13
+ task :package do
14
+ sh %{gem build tame.gemspec}
15
+ end
16
+
17
+ desc "Run specs"
18
+ task :spec => :compile do
19
+ ruby = ENV['RUBY'] ||= FileUtils::RUBY
20
+ sh %{#{ruby} spec/tame_spec.rb}
21
+ end
22
+
23
+ desc "Run specs"
24
+ task :default => :spec
25
+
26
+ begin
27
+ require 'rake/extensiontask'
28
+ Rake::ExtensionTask.new('tame')
29
+ rescue LoadError
30
+ end
data/ext/tame/extconf.rb ADDED
@@ -0,0 +1,4 @@
1
+ require 'mkmf'
2
+ have_header 'tame'
3
+ $CFLAGS << " -O0 -g -ggdb" if ENV['DEBUG']
4
+ create_makefile("tame")
data/ext/tame/tame.c ADDED
@@ -0,0 +1,45 @@
1
+ #include <ruby.h>
2
+ #include <sys/tame.h>
3
+
4
+ static VALUE cTameFlags;
5
+
6
+ static VALUE rb_tame(int argc, VALUE *argv, VALUE self) {
7
+ /* required for ruby to work */
8
+ int tame_flags = TAME_STDIO;
9
+ int i;
10
+ VALUE v;
11
+
12
+ for(i = 0; i < argc; i++) {
13
+ v = rb_hash_aref(cTameFlags, argv[i]);
14
+ if (RTEST(v) == 0) {
15
+ rb_raise(rb_eArgError, "unsupported tame argument");
16
+ }
17
+ tame_flags |= FIX2INT(v);
18
+ }
19
+
20
+ tame(tame_flags);
21
+ return Qnil;
22
+ }
23
+
24
+ void Init_tame(void) {
25
+ VALUE cTame;
26
+ cTame = rb_define_module("Tame");
27
+ rb_define_method(cTame, "tame", rb_tame, -1);
28
+ rb_extend_object(cTame, cTame);
29
+
30
+ cTameFlags = rb_hash_new();
31
+ rb_global_variable(&cTameFlags);
32
+ rb_hash_aset(cTameFlags, ID2SYM(rb_intern("abort")), INT2FIX(TAME_ABORT));
33
+ rb_hash_aset(cTameFlags, ID2SYM(rb_intern("cmsg")), INT2FIX(TAME_CMSG));
34
+ rb_hash_aset(cTameFlags, ID2SYM(rb_intern("cpath")), INT2FIX(TAME_CPATH));
35
+ rb_hash_aset(cTameFlags, ID2SYM(rb_intern("dns")), INT2FIX(TAME_DNS));
36
+ rb_hash_aset(cTameFlags, ID2SYM(rb_intern("getpw")), INT2FIX(TAME_GETPW));
37
+ rb_hash_aset(cTameFlags, ID2SYM(rb_intern("inet")), INT2FIX(TAME_INET));
38
+ rb_hash_aset(cTameFlags, ID2SYM(rb_intern("ioctl")), INT2FIX(TAME_IOCTL));
39
+ rb_hash_aset(cTameFlags, ID2SYM(rb_intern("proc")), INT2FIX(TAME_PROC));
40
+ rb_hash_aset(cTameFlags, ID2SYM(rb_intern("rpath")), INT2FIX(TAME_RPATH));
41
+ rb_hash_aset(cTameFlags, ID2SYM(rb_intern("tmppath")), INT2FIX(TAME_TMPPATH));
42
+ rb_hash_aset(cTameFlags, ID2SYM(rb_intern("unix")), INT2FIX(TAME_UNIX));
43
+ rb_hash_aset(cTameFlags, ID2SYM(rb_intern("wpath")), INT2FIX(TAME_WPATH));
44
+ rb_hash_freeze(cTameFlags);
45
+ }
metadata ADDED
@@ -0,0 +1,67 @@
1
+ --- !ruby/object:Gem::Specification
2
+ name: tame
3
+ version: !ruby/object:Gem::Version
4
+ version: 1.0.0
5
+ platform: ruby
6
+ authors:
7
+ - Jeremy Evans
8
+ autorequire:
9
+ bindir: bin
10
+ cert_chain: []
11
+ date: 2015-07-20 00:00:00.000000000 Z
12
+ dependencies: []
13
+ description: |
14
+ tame exposes OpenBSD's tame(2) system call to ruby, allowing a
15
+ program to restrict the types of operations the program
16
+ can do after that point. Unlike other similar systems,
17
+ tame is specifically designed for programs that need to
18
+ use a wide variety of operations on initialization, but
19
+ a fewer number after initialization (when user input will
20
+ be accepted).
21
+ email: code@jeremyevans.net
22
+ executables: []
23
+ extensions:
24
+ - ext/tame/extconf.rb
25
+ extra_rdoc_files:
26
+ - README.rdoc
27
+ - CHANGELOG
28
+ - MIT-LICENSE
29
+ files:
30
+ - CHANGELOG
31
+ - MIT-LICENSE
32
+ - README.rdoc
33
+ - Rakefile
34
+ - ext/tame/extconf.rb
35
+ - ext/tame/tame.c
36
+ homepage: http://github.com/jeremyevans/tame_libs/ruby
37
+ licenses:
38
+ - MIT
39
+ metadata: {}
40
+ post_install_message:
41
+ rdoc_options:
42
+ - "--quiet"
43
+ - "--line-numbers"
44
+ - "--inline-source"
45
+ - "--title"
46
+ - 'tame: restrict system operations on OpenBSD'
47
+ - "--main"
48
+ - README.rdoc
49
+ require_paths:
50
+ - lib
51
+ required_ruby_version: !ruby/object:Gem::Requirement
52
+ requirements:
53
+ - - ">="
54
+ - !ruby/object:Gem::Version
55
+ version: 1.8.7
56
+ required_rubygems_version: !ruby/object:Gem::Requirement
57
+ requirements:
58
+ - - ">="
59
+ - !ruby/object:Gem::Version
60
+ version: '0'
61
+ requirements: []
62
+ rubyforge_project:
63
+ rubygems_version: 2.4.5
64
+ signing_key:
65
+ specification_version: 4
66
+ summary: Restrict system operations on OpenBSD
67
+ test_files: []