diff --git a/README.md b/README.md
index ecc8693..c6bbc85 100644
--- a/README.md
+++ b/README.md
@@ -71,8 +71,8 @@ __Rights__
 The [BSD::Capsicum.set_rights!](http://0x1eef.github.io/x/bsdcapsicum.rb/BSD/Capsicum.html#set_rights!-instance_method)
 method can reduce the capabilities of a file descriptor. The following
-example obtains a file descriptor in a parent process (with both read and
-write permissions), then limits the capabilities of the file descriptor
+example obtains a file descriptor in a parent process (with full capabilities),
+then limits the capabilities of the file descriptor
 in a child process to allow only read operations. See the
 [rights(4)](https://man.freebsd.org/cgi/man.cgi?query=rights&apropos=0&sektion=4&format=html)
 man page for a full list of capabilities:
@@ -84,13 +84,13 @@ require "bsd/capsicum"
 path = File.join(Dir.home, "bsdcapsicum.txt")
 file = File.open(path, File::CREAT | File::TRUNC | File::RDWR)
 file.sync = true
-print "[parent] obtain file descriptor (with read+write permissions)", "\n"
+print "[parent] Obtain file descriptor (with all capabilities)", "\n"
 fork do
 BSD::Capsicum.set_rights!(file, %i[CAP_READ])
- print "[subprocess] reduce rights to read-only", "\n"
+ print "[subprocess] Reduce capabilities to read", "\n"
 file.gets
- print "[subprocess] read successful", "\n"
+ print "[subprocess] Read OK", "\n"
 begin
 file.write "foo"
@@ -100,14 +100,14 @@ fork do
 end
 Process.wait
 file.write "[parent] Hello from #{Process.pid}", "\n"
-print "[parent] write successful", "\n"
+print "[parent] Write OK", "\n"
 ##
-# [parent] obtain file descriptor (with read+write permissions)
-# [subprocess] reduce rights to read-only
-# [subprocess] read successful
+# [parent] Obtain file descriptor (with all capibilites)
+# [subprocess] Reduce capabilities to read
+# [subprocess] Read OK
 # [subprocess] Error: Capabilities insufficient @ io_write - /home/user/bsdcapsicum.txt (Errno::ENOTCAPABLE)
-# [parent] write successful
+# [parent] Write OK
 ```
 ## Documentation
diff --git a/share/ruby-capsicum/examples/3_set_rights_example.rb b/share/ruby-capsicum/examples/3_set_rights_example.rb
index 811f180..4b19cf3 100644
--- a/share/ruby-capsicum/examples/3_set_rights_example.rb
+++ b/share/ruby-capsicum/examples/3_set_rights_example.rb
@@ -4,13 +4,13 @@ require "bsd/capsicum"
 path = File.join(Dir.home, "bsdcapsicum.txt")
 file = File.open(path, File::CREAT | File::TRUNC | File::RDWR)
 file.sync = true
-print "[parent] obtain file descriptor (with read+write permissions)", "\n"
+print "[parent] Obtain file descriptor (with all capabilities)", "\n"
 fork do
 BSD::Capsicum.set_rights!(file, %i[CAP_READ])
- print "[subprocess] reduce rights to read-only", "\n"
+ print "[subprocess] Reduce capabilities to read", "\n"
 file.gets
- print "[subprocess] read successful", "\n"
+ print "[subprocess] Read OK", "\n"
 begin
 file.write "foo"
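Review bot: The reworded messages in the first hunk of `3_set_rights_example.rb` ("with all capabilities", "Reduce capabilities to read") leave out the scoping that the example depends on. `BSD::Capsicum.set_rights!` is called inside the `fork` block, so the limit lands on the child's copy of the descriptor; the parent's later write succeeding is consistent with its copy keeping full rights. A reader could otherwise take the call as restricting the file for every holder, so I would add a comment above the call, e.g. `# Limits only this process's descriptor; the parent's copy keeps its rights`. The `fork do` block continues past the end of this hunk.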
@@ -20,11 +20,11 @@ fork do
 end
 Process.wait
 file.write "[parent] Hello from #{Process.pid}", "\n"
-print "[parent] write successful", "\n"
+print "[parent] Write OK", "\n"
 ##
-# [parent] obtain file descriptor (with read+write permissions)
-# [subprocess] reduce rights to read-only
-# [subprocess] read successful
-# [subprocess] Error: Capabilities insufficient @ io_write - /home/0x1eef/bsdcapsicum.txt (Errno::ENOTCAPABLE)
-# [parent] write successful
+# [parent] Obtain file descriptor (with all capibilites)
+# [subprocess] Reduce capabilities to read
+# [subprocess] Read OK
+# [subprocess] Error: Capabilities insufficient @ io_write - /home/user/bsdcapsicum.txt (Errno::ENOTCAPABLE)
+# [parent] Write OK
diff --git a/test/readme_test.rb b/test/readme_test.rb
index 4e167a5..e32ef5b 100644
--- a/test/readme_test.rb
+++ b/test/readme_test.rb
@@ -24,11 +24,11 @@ class ReadMeTest < Minitest::Test
 def test_3_set_rights_example
 r = ruby(readme_example("3_set_rights_example.rb"))
- ["[parent] obtain file descriptor (with read+write permissions)\n",
- "[subprocess] reduce rights to read-only\n",
- "[subprocess] read successful\n",
+ ["[parent] Obtain file descriptor (with all capabilities)\n",
+ "[subprocess] Reduce capabilities to read\n",
+ "[subprocess] Read OK\n",
 %r|\[subprocess\] Error:.+\(Errno::ENOTCAPABLE\)\n|,
- "[parent] write successful\n"
+ "[parent] Write OK\n"
 ].each { assert_match((Regexp === _1) ? _1 : /#{Regexp.escape(_1)}/, r.stdout) }
 ensure
 FileUtils.rm File.join(Dir.home, "bsdcapsicum.txt")
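Review bot: The expected-output comment added in the second hunk of `3_set_rights_example.rb` reads `(with all capibilites)`, while the `print` call in the first hunk emits `(with all capabilities)`, so the documented output no longer matches what the script prints. The line should be `# [parent] Obtain file descriptor (with all capabilities)`. The same misspelling appears in the output block of the third README.md hunk. The assertions in `test/readme_test.rb` match stdout only, so they will not catch drift in these comment copies.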