bsdcapsicum.rb/lib/capsicum.rb

# frozen_string_literal: true

require "capsicum/version"
require "fiddle"

module Capsicum
  # @api private
  module LibC
    module_function

    ##
    # Provides a Ruby interface for cap_enter(2)
    # @return [Integer]
    def cap_enter
      Fiddle::Function.new(
        libc["cap_enter"],
        [],
        Fiddle::Types::INT
      ).call
    end

    ##
    # Provides a Ruby interface for cap_getmode(2)
    # @param [Fiddle::Pointer] uintp
    # @return [Integer]
    def cap_getmode(uintp)
      Fiddle::Function.new(
        libc["cap_getmode"],
        [Fiddle::Types::INTPTR_T],
        Fiddle::Types::INT
      ).call(uintp)
    end

    ##
    # @api private
    def libc
      @libc ||= Fiddle.dlopen Dir["/lib/libc.*"].first
    end
  end

  module_function

  ##
  # Check if we're in capability mode.
  #
  # @see cap_getmode(2)
  # @raise [SystemCallError]
  #  Might raise a subclass of SystemCallError
  # @return [Boolean]
  #  Returns true if the current process is in capability mode
  def sandboxed?
    uintp = Fiddle::Pointer.malloc(Fiddle::SIZEOF_UINT)
    ret = LibC.cap_getmode(uintp)

    if ret == 0
      uintp[0, Fiddle::SIZEOF_UINT].unpack("i") == [1]
    else
      raise SystemCallError.new("cap_getmode", Fiddle.last_error)
    end
  ensure
    uintp.call_free
  end
  alias_method :capability_mode?, :sandboxed?

  ##
  # Enter capability mode
  #
  # @see cap_enter(2)
  # @raise [SystemCallError]
  #  Might raise a subclass of SystemCallError
  # @return [Boolean]
  #  Returns true when the current process is in capability mode
  def enter!
    if LibC.cap_enter == 0
      true
    else
      raise SystemCallError.new("cap_enter", Fiddle.last_error)
    end
  end
end
Add standard Add the 'standard' linter library Commit fixes generated via 'bundle exec rubocop -A' 2024-06-24 03:38:24 +02:00			`# frozen_string_literal: true`

Initial commit. 2017-05-24 02:18:05 +02:00			`require "capsicum/version"`
Replace ffi with fiddle The fiddle library is part of Ruby's standard library, and works out of the box for me on HardenedBSD - where as the ffi library raises an error on require 2024-06-23 23:18:33 +02:00			`require "fiddle"`
Initial commit. 2017-05-24 02:18:05 +02:00
			`module Capsicum`
Replace ffi with fiddle The fiddle library is part of Ruby's standard library, and works out of the box for me on HardenedBSD - where as the ffi library raises an error on require 2024-06-23 23:18:33 +02:00			`# @api private`
First cut of the capsicum gem. 2017-05-24 02:18:47 +02:00			`module LibC`
Replace ffi with fiddle The fiddle library is part of Ruby's standard library, and works out of the box for me on HardenedBSD - where as the ffi library raises an error on require 2024-06-23 23:18:33 +02:00			`module_function`

Add small improvements 2024-06-25 03:48:14 +02:00			`##`
Replace ffi with fiddle The fiddle library is part of Ruby's standard library, and works out of the box for me on HardenedBSD - where as the ffi library raises an error on require 2024-06-23 23:18:33 +02:00			`# Provides a Ruby interface for cap_enter(2)`
			`# @return [Integer]`
			`def cap_enter`
			`Fiddle::Function.new(`
			`libc["cap_enter"],`
			`[],`
			`Fiddle::Types::INT`
			`).call`
			`end`
First cut of the capsicum gem. 2017-05-24 02:18:47 +02:00
Add small improvements 2024-06-25 03:48:14 +02:00			`##`
Replace ffi with fiddle The fiddle library is part of Ruby's standard library, and works out of the box for me on HardenedBSD - where as the ffi library raises an error on require 2024-06-23 23:18:33 +02:00			`# Provides a Ruby interface for cap_getmode(2)`
			`# @param [Fiddle::Pointer] uintp`
			`# @return [Integer]`
			`def cap_getmode(uintp)`
			`Fiddle::Function.new(`
			`libc["cap_getmode"],`
			`[Fiddle::Types::INTPTR_T],`
			`Fiddle::Types::INT`
			`).call(uintp)`
			`end`
First cut of the capsicum gem. 2017-05-24 02:18:47 +02:00
Add small improvements 2024-06-25 03:48:14 +02:00			`##`
			`# @api private`
Replace ffi with fiddle The fiddle library is part of Ruby's standard library, and works out of the box for me on HardenedBSD - where as the ffi library raises an error on require 2024-06-23 23:18:33 +02:00			`def libc`
			`@libc \|\|= Fiddle.dlopen Dir["/lib/libc.*"].first`
			`end`
First cut of the capsicum gem. 2017-05-24 02:18:47 +02:00			`end`

Add small improvements 2024-06-25 03:48:14 +02:00			`module_function`

			`##`
Add some API documentation 2017-05-24 17:33:39 +02:00			`# Check if we're in capability mode.`
			`#`
			`# @see cap_getmode(2)`
Add small improvements 2024-06-25 03:48:14 +02:00			`# @raise [SystemCallError]`
			`# Might raise a subclass of SystemCallError`
			`# @return [Boolean]`
			`# Returns true if the current process is in capability mode`
First cut of the capsicum gem. 2017-05-24 02:18:47 +02:00			`def sandboxed?`
Replace ffi with fiddle The fiddle library is part of Ruby's standard library, and works out of the box for me on HardenedBSD - where as the ffi library raises an error on require 2024-06-23 23:18:33 +02:00			`uintp = Fiddle::Pointer.malloc(Fiddle::SIZEOF_UINT)`
			`ret = LibC.cap_getmode(uintp)`
First cut of the capsicum gem. 2017-05-24 02:18:47 +02:00
			`if ret == 0`
Add standard Add the 'standard' linter library Commit fixes generated via 'bundle exec rubocop -A' 2024-06-24 03:38:24 +02:00			`uintp[0, Fiddle::SIZEOF_UINT].unpack("i") == [1]`
First cut of the capsicum gem. 2017-05-24 02:18:47 +02:00			`else`
Replace ffi with fiddle The fiddle library is part of Ruby's standard library, and works out of the box for me on HardenedBSD - where as the ffi library raises an error on require 2024-06-23 23:18:33 +02:00			`raise SystemCallError.new("cap_getmode", Fiddle.last_error)`
First cut of the capsicum gem. 2017-05-24 02:18:47 +02:00			`end`
Replace ffi with fiddle The fiddle library is part of Ruby's standard library, and works out of the box for me on HardenedBSD - where as the ffi library raises an error on require 2024-06-23 23:18:33 +02:00			`ensure`
			`uintp.call_free`
First cut of the capsicum gem. 2017-05-24 02:18:47 +02:00			`end`
Alias sandboxed? as capability_mode? 2024-06-25 03:40:37 +02:00			`alias_method :capability_mode?, :sandboxed?`
First cut of the capsicum gem. 2017-05-24 02:18:47 +02:00
Add small improvements 2024-06-25 03:48:14 +02:00			`##`
			`# Enter capability mode`
Add some API documentation 2017-05-24 17:33:39 +02:00			`#`
			`# @see cap_enter(2)`
Add small improvements 2024-06-25 03:48:14 +02:00			`# @raise [SystemCallError]`
			`# Might raise a subclass of SystemCallError`
			`# @return [Boolean]`
			`# Returns true when the current process is in capability mode`
First cut of the capsicum gem. 2017-05-24 02:18:47 +02:00			`def enter!`
Add small improvements 2024-06-25 03:48:14 +02:00			`if LibC.cap_enter == 0`
Add standard Add the 'standard' linter library Commit fixes generated via 'bundle exec rubocop -A' 2024-06-24 03:38:24 +02:00			`true`
First cut of the capsicum gem. 2017-05-24 02:18:47 +02:00			`else`
Replace ffi with fiddle The fiddle library is part of Ruby's standard library, and works out of the box for me on HardenedBSD - where as the ffi library raises an error on require 2024-06-23 23:18:33 +02:00			`raise SystemCallError.new("cap_enter", Fiddle.last_error)`
First cut of the capsicum gem. 2017-05-24 02:18:47 +02:00			`end`
			`end`
Initial commit. 2017-05-24 02:18:05 +02:00			`end`