unicorn-lockdown 1.1.0 → 1.2.0
- checksums.yaml +4 -4
- data/CHANGELOG +10 -0
- data/files/rc.unicorn +3 -11
- data/files/rc.unicorn.71 +21 -0
- data/files/unicorn_lockdown_add.rb +8 -3
- data/files/unicorn_lockdown_setup.rb +5 -1
- data/lib/unveiler.rb +22 -3
- metadata +7 -6
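--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 5f259ec0943a03a9e2a80a569eea0bb121c0fac02eec20236f8882820f59d512
+data.tar.gz: c2a19c1f58425582eb16654aadfac8d8fa2717f5265e27aaf882a49fdf9fa42d
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 53c95408bc17f6d1285b7d48c35ae3c42b9d327075b6829f504b40d2ebc600d87279cc66c0134f40f2457cf00ce646d2c43475e7c825abc28e564ecf57d9c130
+data.tar.gz: d5db79ff12242b857b03b7bacc058dec630436c20a73bf3308c76008cd67cb87ce9182b4fffd7eaf606cc2404f2dac1a448bed5eae3af369a2341db1e832ad6e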
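--- a/data/CHANGELOG
+++ b/data/CHANGELOG
@@ -1,3 +1,13 @@
+= 1.2.0 (2022-11-16)
+
+* Remove access_log format from generated nginx configurations (jeremyevans)
+
+* Create and unveil the coverage directory when using SimpleCov with Unveiler (jeremyevans)
+
+* Add getpw to default master_execpledge, necessary on OpenBSD 7.2+ (jeremyevans)
+
+* Support OpenBSD 7.2 daemon_execdir for setting directory (jeremyevans)
+
 = 1.1.0 (2022-07-18)
 
 * Make unveiler still pledge if SimpleCov is loaded, but update pledge promises (jeremyevans)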
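--- a/data/files/rc.unicorn
+++ b/data/files/rc.unicorn
@@ -2,20 +2,12 @@
 
 daemon="/usr/local/bin/unicorn"
 daemon_flags="-c ${unicorn_conf} -D ${rackup_file}"
-
-[ -n "${unicorn_dir}" ] || rc_err "$0: unicorn_dir is not set"
-[ -n "${unicorn_app}" ] || rc_err "$0: unicorn_app is not set"
+rc_stop_signal=QUIT
 
 . /etc/rc.d/rc.subr
 
 pexp="ruby[0-9][0-9]: unicorn-$unicorn_app-master .*"
-
-
-${rcexec} "cd ${unicorn_dir} && ${daemon} ${daemon_flags}"
-}
-
-rc_stop() {
-pkill -QUIT -T "${daemon_rtable}" -xf "${pexp}"
-}
+[ -n "${daemon_execdir}" ] || _rc_err "$0: daemon_execdir is not set"
+[ -n "${unicorn_app}" ] || _rc_err "$0: unicorn_app is not set"
 
 rc_cmd $1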
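Review bot: The guards moved to lines 10-11 now sit after `pexp` on line 9 has already interpolated `$unicorn_app`, so the match pattern is built from an empty name before the script aborts; moving both checks directly under `. /etc/rc.d/rc.subr` on line 7, where `_rc_err` presumably first becomes available, keeps validation ahead of every use of the variables. The dropped `rc_stop` sent QUIT to `pexp` matches in `daemon_rtable`, and `rc_stop_signal=QUIT` on line 5 relies on rc.subr's default stop routine doing the same; that is worth confirming against the 7.2 rc.subr and recording, e.g. `# rc.subr's default rc_stop sends rc_stop_signal to pexp matches; start runs in daemon_execdir`. The switch from `rc_err` to `_rc_err` is unexplained on the page; a comment such as `# _rc_err and daemon_execdir need the OpenBSD 7.2+ rc.subr; rc.unicorn.71 covers older releases` would tell a reader why two variants exist. Line 1 of the script is outside the hunk.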
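--- /dev/null
+++ b/data/files/rc.unicorn.71
@@ -0,0 +1,21 @@
+[ -z "${unicorn_conf}" ] && unicorn_conf=unicorn.conf
+
+daemon="/usr/local/bin/unicorn"
+daemon_flags="-c ${unicorn_conf} -D ${rackup_file}"
+
+[ -n "${unicorn_dir}" ] || rc_err "$0: unicorn_dir is not set"
+[ -n "${unicorn_app}" ] || rc_err "$0: unicorn_app is not set"
+
+. /etc/rc.d/rc.subr
+
+pexp="ruby[0-9][0-9]: unicorn-$unicorn_app-master .*"
+
+rc_start() {
+${rcexec} "cd ${unicorn_dir} && ${daemon} ${daemon_flags}"
+}
+
+rc_stop() {
+pkill -QUIT -T "${daemon_rtable}" -xf "${pexp}"
+}
+
+rc_cmd $1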
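Review bot: Lines 6-7 call `rc_err` before `. /etc/rc.d/rc.subr` on line 9, so unless the per-app script or its caller has already defined it, the guard may be invoking a function that does not exist yet; in ksh that prints `not found`, returns 127, and because of `||` execution continues to `rc_cmd` with the variable empty instead of aborting. Assuming the pre-7.2 rc.subr is what defines `rc_err`, moving the two checks below line 9 (the order the new rc.unicorn uses) makes them enforceable. A header comment would also help the next maintainer, e.g. `# rc.unicorn for OpenBSD < 7.2: rc.subr lacks daemon_execdir, so rc_start cds into unicorn_dir itself`.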
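--- a/data/files/unicorn_lockdown_add.rb
+++ b/data/files/unicorn_lockdown_add.rb
@@ -146,7 +146,7 @@ Unicorn.lockdown(self,
 # More pledges may be needed depending on application
 :pledge=>'rpath prot_exec inet unix flock',
 :master_pledge=>'rpath prot_exec cpath wpath inet proc exec',
-:master_execpledge=>'stdio rpath prot_exec inet unix cpath wpath unveil flock',
+:master_execpledge=>'stdio rpath prot_exec inet unix cpath wpath unveil flock getpw',
 
 # More unveils may be needed depending on application
 :unveil=>{
@@ -169,7 +169,7 @@ upstream #{app}_unicorn {
 }
 server {
 server_name #{app};
-access_log #{nginx_access_log_file}
+access_log #{nginx_access_log_file};
 error_log #{nginx_error_log_file} warn;
 root #{dir}/public;
 error_page 500 503 /500.html;
@@ -212,12 +212,17 @@ end
 # Setup /etc/rc.d/unicorn_* file for daemon management
 unless File.file?(rc_file)
 puts "Creating #{rc_file}"
+
+# :nocov:
+dir_var = `/usr/bin/uname -r` < '7.2' ? 'unicorn_dir' : 'daemon_execdir'
+# :nocov:
+
 File.binwrite(rc_file, <<END)
 #!/bin/ksh
 
 daemon_user=#{user}
+#{dir_var}=#{dir}
 unicorn_app=#{app}
-unicorn_dir=#{dir}
 #{unicorn}#{rackup}
 . /etc/rc.d/rc.unicorn
 END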
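Review bot: The `dir_var` selection on line 217 compares the raw output of `/usr/bin/uname -r`, trailing newline included, with `'7.2'` as plain strings; that orders `7.1`, `7.2` and `8.0` correctly, but it is lexical, so a two-digit component such as `10.0` sorts below `7.2` and would silently select `unicorn_dir`, and the `:nocov:` markers mean neither branch is exercised by tests. A numeric comparison removes the trap, e.g. `dir_var = Gem::Version.new(%x(/usr/bin/uname -r).strip) < Gem::Version.new('7.2') ? 'unicorn_dir' : 'daemon_execdir'`, and the same expression appears in the setup script hunk at its line 73. A comment explaining the switch would help either way: `# OpenBSD 7.2+ rc.subr honours daemon_execdir; older releases need the unicorn_dir variant`. The `getpw` promise added on line 149 is applied on every release, not only 7.2+, which is presumably intended but deserves a note since the changelog ties it to 7.2. Both the `Unicorn.lockdown(self,` argument list and the `unless File.file?(rc_file)` block extend beyond their hunks.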
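--- a/data/files/unicorn_lockdown_setup.rb
+++ b/data/files/unicorn_lockdown_setup.rb
@@ -68,7 +68,11 @@ end
 # Setup rc.unicorn file
 unless File.file?(rc_unicorn_file)
 puts "Creating #{rc_unicorn_file}"
-
+filename = File.join(File.dirname(__dir__), 'files', 'rc.unicorn')
+# :nocov:
+filename << ".71" if `/usr/bin/uname -r` < '7.2'
+# :nocov:
+File.binwrite(rc_unicorn_file, File.binread(filename))
 File.chmod(0644, rc_unicorn_file)
 chown.(root_id, root_id, rc_unicorn_file)
 end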
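Review bot: Because the `unless File.file?(rc_unicorn_file)` guard on line 69 leaves an existing file untouched, a host that installed the `.71` variant and is later upgraded to OpenBSD 7.2 keeps a rc.unicorn that requires `unicorn_dir`, while `unicorn-lockdown-add` on that host will then emit `daemon_execdir` into new per-app rc files, so those services fail the `unicorn_dir is not set` check. Warning when the existing file differs from the selected template, or at least documenting the step, would avoid that, e.g. `# An existing rc.unicorn is kept as-is: after upgrading to OpenBSD 7.2+, remove it and rerun setup so the daemon_execdir variant is installed`. The `:nocov:` markers on lines 72-74 also leave the template choice untested; extracting the version string comparison into a small helper that takes the string as an argument would let both branches be asserted without shelling out.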
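--- a/data/lib/unveiler.rb
+++ b/data/lib/unveiler.rb
@@ -27,16 +27,35 @@ module Unveiler
 end
 end
 
-Pledge.unveil(unveil)
-
 # :nocov:
 if defined?(SimpleCov)
 # :nocov:
-# If running coverage tests, add necessary pledges for
+# If running coverage tests, add necessary pledges and unveils for
 # coverage testing to work.
+dir = SimpleCov.coverage_dir
+unveil[dir] = 'rwc'
+
+# Unveil read access to the entire current directory, since any part
+# that has covered code needs to be read to generate the coverage
+# information.
+unveil['.'] = 'r'
+
+if defined?(Gem)
+# Unveil access to the simplecov-html gem, since that is used by default
+# to build the coverage pages.
+unveil['simplecov-html'] = :gem
+end
+
+# :nocov:
+# Must create directory before attempting to unveil it.
+# When running unveiler tests, the coverage directory is already created.
+Dir.mkdir(dir) unless File.directory?(dir)
+# :nocov:
+
 pledge = (pledge.split + %w'rpath wpath cpath flock').uniq.join(' ')
 end
 
+Pledge.unveil(unveil)
 Pledge.pledge(pledge)
 end
 end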
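Review bot: Under SimpleCov the branch now unveils the whole current directory read-only (line 41), the coverage directory as `rwc` (line 36) and the simplecov-html gem (line 46), so a coverage run validates a noticeably wider unveil policy than production; that trade-off is intended but unstated, and a comment such as `# NOTE: under SimpleCov the unveil set is wider than in production, so coverage runs do not prove the real policy` would make it explicit. If `unveil` is the caller's hash (its origin is above line 27), lines 36, 41 and 46 mutate it in place; `unveil = unveil.dup` at the top of the branch would keep the widening local to this call. The `File.directory?` guard on line 52 means a path that exists as a regular file still raises `Errno::EEXIST` from `Dir.mkdir`, which is the safer outcome and could be noted in the comment above it. The enclosing method starts before the hunk.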
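--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: unicorn-lockdown
 version: !ruby/object:Gem::Version
-version: 1.
+version: 1.2.0
 platform: ruby
 authors:
 - Jeremy Evans
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-
+date: 2022-11-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: pledge
@@ -94,7 +94,7 @@ dependencies:
 - - ">="
 - !ruby/object:Gem::Version
 version: '0'
-description:
+description:
 email: code@jeremyevans.net
 executables:
 - unicorn-lockdown-add
@@ -108,6 +108,7 @@ files:
 - bin/unicorn-lockdown-add
 - bin/unicorn-lockdown-setup
 - files/rc.unicorn
+- files/rc.unicorn.71
 - files/unicorn_lockdown_add.rb
 - files/unicorn_lockdown_setup.rb
 - lib/rack/email_exceptions.rb
@@ -122,7 +123,7 @@ metadata:
 changelog_uri: https://github.com/jeremyevans/unicorn-lockdown/blob/master/CHANGELOG
 mailing_list_uri: https://github.com/jeremyevans/unicorn-lockdown/discussions
 source_code_uri: https://github.com/jeremyevans/unicorn-lockdown
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -138,7 +139,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements: []
 rubygems_version: 3.3.7
-signing_key:
+signing_key:
 specification_version: 4
 summary: Helper library for running Unicorn with fork+exec/unveil/pledge on OpenBSD
 test_files: []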