Add GitLab

.rubocop.yml

@@ -26,6 +26,8 @@ Layout/MultilineOperationIndentation:
   Enabled: False
 Layout/MultilineArrayBraceLayout:
   Enabled: false
+Layout/MultilineArrayBraceLayout:
+  Enabled: false
 Layout/ExtraSpacing:
   Exclude:
     - lib/bsd/capsicum/constants.rb

LICENSE

@@ -1,21 +1,15 @@
-The MIT License (MIT)
+Copyright (C) 2023 by 0x1eef <0x1eef@protonmail.com>
 
-Copyright (c) 2017 Thomas Hurst
+Permission to use, copy, modify, and/or distribute this
+software for any purpose with or without fee is hereby
+granted.
 
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS
+ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO
+EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER
+RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
+ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
+OF THIS SOFTWARE.

LICENSE.ruby-capsicum

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2017 Thomas Hurst
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

README.md

@@ -20,9 +20,9 @@ manual page for more details:
 #!/usr/bin/env ruby
 require "bsd/capsicum"
 
-print "In capability mode: ", BSD::Capsicum.in_capability_mode? ? "yes" : "no", "\n"
-print "Enter capability mode: ", BSD::Capsicum.enter! ? "ok" : "error", "\n"
-print "In capability mode: ", BSD::Capsicum.in_capability_mode? ? "yes" : "no", "\n"
+print "In capability mode: ", (BSD::Capsicum.in_capability_mode? ? "yes" : "no"), "\n"
+print "Enter capability mode: ", (BSD::Capsicum.enter! ? "ok" : "error"), "\n"
+print "In capability mode: ", (BSD::Capsicum.in_capability_mode? ? "yes" : "no"), "\n"
 
 begin
   File.new(File::NULL)
@@ -48,15 +48,15 @@ certain tasks but with restrictions in place:
 #!/usr/bin/env ruby
 require "bsd/capsicum"
 
-print "[parent] In capability mode: ", BSD::Capsicum.in_capability_mode? ? "yes" : "no", "\n"
+print "[parent] In capability mode: ", (BSD::Capsicum.in_capability_mode? ? "yes" : "no"), "\n"
 fork do
-  print "[subprocess] Enter capability mode: ", BSD::Capsicum.enter! ? "ok" : "error", "\n"
-  print "[subprocess] In capability mode: ", BSD::Capsicum.in_capability_mode? ? "yes" : "no", "\n"
+  print "[subprocess] Enter capability mode: ", (BSD::Capsicum.enter! ? "ok" : "error"), "\n"
+  print "[subprocess] In capability mode: ", (BSD::Capsicum.in_capability_mode? ? "yes" : "no"), "\n"
   print "[subprocess] Exit", "\n"
   exit 42
 end
 Process.wait
-print "[parent] In capability mode: ", BSD::Capsicum.in_capability_mode? ? "yes" : "no", "\n"
+print "[parent] In capability mode: ", (BSD::Capsicum.in_capability_mode? ? "yes" : "no"), "\n"
 
 ##
 # [parent] In capability mode: no
@@ -71,8 +71,8 @@ __Rights__
 The
 [BSD::Capsicum.set_rights!](http://0x1eef.github.io/x/bsdcapsicum.rb/BSD/Capsicum.html#set_rights!-instance_method)
 method can reduce the capabilities of a file descriptor. The following
-example obtains a file descriptor in a parent process (with both read and
-write permissions), then limits the capabilities of the file descriptor
+example obtains a file descriptor in a parent process (with full capabilities),
+then limits the capabilities of the file descriptor
 in a child process to allow only read operations. See the
 [rights(4)](https://man.freebsd.org/cgi/man.cgi?query=rights&apropos=0&sektion=4&format=html)
 man page for a full list of capabilities:
@@ -84,13 +84,13 @@ require "bsd/capsicum"
 path = File.join(Dir.home, "bsdcapsicum.txt")
 file = File.open(path, File::CREAT | File::TRUNC | File::RDWR)
 file.sync = true
-print "[parent] obtain file descriptor (with read+write permissions)", "\n"
+print "[parent] Obtain file descriptor (with all capabilities)", "\n"
 fork do
   BSD::Capsicum.set_rights!(file, %i[CAP_READ])
-  print "[subprocess] reduce rights to read-only", "\n"
+  print "[subprocess] Reduce capabilities to read", "\n"
 
   file.gets
-  print "[subprocess] read successful", "\n"
+  print "[subprocess] Read OK", "\n"
 
   begin
     file.write "foo"
@@ -100,14 +100,14 @@ fork do
 end
 Process.wait
 file.write "[parent] Hello from #{Process.pid}", "\n"
-print "[parent] write successful", "\n"
+print "[parent] Write OK", "\n"
 
 ##
-# [parent] obtain file descriptor (with read+write permissions)
-# [subprocess] reduce rights to read-only
-# [subprocess] read successful
+# [parent] Obtain file descriptor (with all capabilities)
+# [subprocess] Reduce capabilities to read
+# [subprocess] Read OK
 # [subprocess] Error: Capabilities insufficient @ io_write - /home/user/bsdcapsicum.txt (Errno::ENOTCAPABLE)
-# [parent] write successful
+# [parent] Write OK
 ```
 
 ## Documentation
@@ -123,6 +123,7 @@ bsdcapsicum.rb is available via rubygems.org:
 ## Sources
 
 * [GitHub](https://github.com/0x1eef/bsdcapsicum.rb#readme)
+* [GitLab](https://gitlab.com/0x1eef/bsdcapsicum.rb#about)
 * [git.HardenedBSD.org](https://git.hardenedbsd.org/0x1eef/bsdcapsicum.rb#about)
 
 ## See also
@@ -133,5 +134,15 @@ bsdcapsicum.rb is available via rubygems.org:
 
 ## License
 
-The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
-
+bsdcapsicum.rb
+<br>
+[BSD Zero Clause](https://choosealicense.com/licenses/0bsd/)
+<br>
+See [LICENSE](./LICENSE)
+<br><br>
+ruby-capsicum
+<br>
+[Freaky/ruby-capsicum](https://github.com/Freaky/ruby-capsicum) is released
+under the terms of the MIT license
+<br>
+See [LICENSE.ruby-capsicum](/.LICENSE-ruby-capsicum)

bsdcapsicum.rb.gemspec

@@ -11,8 +11,8 @@ Gem::Specification.new do |spec|
 
   spec.summary       = "Ruby bindings for FreeBSD's capsicum(4)"
   spec.homepage      = "https://github.com/0x1eef/bsdcapsicum.rb"
-  spec.license       = "MIT"
-  spec.files         = Dir["lib/*.rb", "lib/**/*.rb", "README.md", "LICENSE", "*.gemspec"]
+  spec.licenses      = ["0BSD", "MIT"]
+  spec.files         = Dir["lib/*.rb", "lib/**/*.rb", "README.md", "LICENSE", "LICENSE.ruby-capsicum", "*.gemspec"]
   spec.require_paths = ["lib"]
 
   spec.add_runtime_dependency "fiddle", "~> 1.1"

lib/bsd/capsicum.rb

@@ -47,9 +47,10 @@ module BSD::Capsicum
   # Restrict the capabilities of a file descriptor
   #
   # @see https://man.freebsd.org/cgi/man.cgi?query=cap_rights_limit&apropos=0&sektion=2&format=html cap_rights_limit(2)
+  # @see BSD::Capsicum::Constants See Constants for a full list of capabilities
   # @example
-  #   # Allow: READ, WRITE on standard output
-  #   BSD::Capsicum.set_rights!(STDOUT, [:CAP_READ, :CAP_WRITE])
+  #   # Restrict capabilities of STDOUT to read / write
+  #   BSD::Capsicum.set_rights!(STDOUT, %i[CAP_READ CAP_WRITE])
   # @raise [SystemCallError]
   #  Might raise a subclass of SystemCallError
   # @param [#to_i] io

lib/bsd/capsicum/version.rb

@@ -4,5 +4,5 @@ module BSD
 end unless defined?(BSD)
 
 module BSD::Capsicum
-  VERSION = "0.1.0"
+  VERSION = "0.2.0"
 end

share/ruby-capsicum/examples/1_capability_mode_example.rb

@@ -1,9 +1,9 @@
 require "bundler/setup"
 require "bsd/capsicum"
 
-print "In capability mode: ", BSD::Capsicum.in_capability_mode? ? "yes" : "no", "\n"
-print "Enter capability mode: ", BSD::Capsicum.enter! ? "ok" : "error", "\n"
-print "In capability mode: ", BSD::Capsicum.in_capability_mode? ? "yes" : "no", "\n"
+print "In capability mode: ", (BSD::Capsicum.in_capability_mode? ? "yes" : "no"), "\n"
+print "Enter capability mode: ", (BSD::Capsicum.enter! ? "ok" : "error"), "\n"
+print "In capability mode: ", (BSD::Capsicum.in_capability_mode? ? "yes" : "no"), "\n"
 
 begin
   File.new(File::NULL)

share/ruby-capsicum/examples/2_fork_example.rb

@@ -1,15 +1,15 @@
 require "bundler/setup"
 require "bsd/capsicum"
 
-print "[parent] In capability mode: ", BSD::Capsicum.in_capability_mode? ? "yes" : "no", "\n"
+print "[parent] In capability mode: ", (BSD::Capsicum.in_capability_mode? ? "yes" : "no"), "\n"
 fork do
-  print "[subprocess] Enter capability mode: ", BSD::Capsicum.enter! ? "ok" : "error", "\n"
-  print "[subprocess] In capability mode: ", BSD::Capsicum.in_capability_mode? ? "yes" : "no", "\n"
+  print "[subprocess] Enter capability mode: ", (BSD::Capsicum.enter! ? "ok" : "error"), "\n"
+  print "[subprocess] In capability mode: ", (BSD::Capsicum.in_capability_mode? ? "yes" : "no"), "\n"
   print "[subprocess] Exit", "\n"
   exit 42
 end
 Process.wait
-print "[parent] In capability mode: ", BSD::Capsicum.in_capability_mode? ? "yes" : "no", "\n"
+print "[parent] In capability mode: ", (BSD::Capsicum.in_capability_mode? ? "yes" : "no"), "\n"
 
 ##
 # [parent] In capability mode: no

share/ruby-capsicum/examples/3_set_rights_example.rb

@@ -4,13 +4,13 @@ require "bsd/capsicum"
 path = File.join(Dir.home, "bsdcapsicum.txt")
 file = File.open(path, File::CREAT | File::TRUNC | File::RDWR)
 file.sync = true
-print "[parent] obtain file descriptor (with read+write permissions)", "\n"
+print "[parent] Obtain file descriptor (with all capabilities)", "\n"
 fork do
   BSD::Capsicum.set_rights!(file, %i[CAP_READ])
-  print "[subprocess] reduce rights to read-only", "\n"
+  print "[subprocess] Reduce capabilities to read", "\n"
 
   file.gets
-  print "[subprocess] read successful", "\n"
+  print "[subprocess] Read OK", "\n"
 
   begin
     file.write "foo"
@@ -20,11 +20,11 @@ fork do
 end
 Process.wait
 file.write "[parent] Hello from #{Process.pid}", "\n"
-print "[parent] write successful", "\n"
+print "[parent] Write OK", "\n"
 
 ##
-# [parent] obtain file descriptor (with read+write permissions)
-# [subprocess] reduce rights to read-only
-# [subprocess] read successful
-# [subprocess] Error: Capabilities insufficient @ io_write - /home/0x1eef/bsdcapsicum.txt (Errno::ENOTCAPABLE)
-# [parent] write successful
+# [parent] Obtain file descriptor (with all capabilities)
+# [subprocess] Reduce capabilities to read
+# [subprocess] Read OK
+# [subprocess] Error: Capabilities insufficient @ io_write - /home/user/bsdcapsicum.txt (Errno::ENOTCAPABLE)
+# [parent] Write OK

test/readme_test.rb

@@ -6,10 +6,10 @@ require "test-cmd"
 class ReadMeTest < Minitest::Test
   def test_1_capability_mode_example
     r = ruby(readme_example("1_capability_mode_example.rb"))
-    assert_match %r{In capability mode: no\n}, r.stdout
-    assert_match %r{Enter capability mode: ok\n}, r.stdout
-    assert_match %r{In capability mode: yes\n}, r.stdout
-    assert_match %r{Error:.+\(Errno::ECAPMODE\)\n}, r.stdout
+    assert_match %r|In capability mode: no\n|, r.stdout
+    assert_match %r|Enter capability mode: ok\n|, r.stdout
+    assert_match %r|In capability mode: yes\n|, r.stdout
+    assert_match %r|Error:.+\(Errno::ECAPMODE\)\n|, r.stdout
   end
 
   def test_2_fork_example
@@ -24,11 +24,11 @@ class ReadMeTest < Minitest::Test
 
   def test_3_set_rights_example
     r = ruby(readme_example("3_set_rights_example.rb"))
-    ["[parent] obtain file descriptor (with read+write permissions)\n",
-     "[subprocess] reduce rights to read-only\n",
-     "[subprocess] read successful\n",
-     %r{\[subprocess\] Error:.+\(Errno::ENOTCAPABLE\)\n},
-     "[parent] write successful\n"
+    ["[parent] Obtain file descriptor (with all capabilities)\n",
+     "[subprocess] Reduce capabilities to read\n",
+     "[subprocess] Read OK\n",
+     %r|\[subprocess\] Error:.+\(Errno::ENOTCAPABLE\)\n|,
+     "[parent] Write OK\n"
     ].each { assert_match((Regexp === _1) ? _1 : /#{Regexp.escape(_1)}/, r.stdout) }
   ensure
     FileUtils.rm File.join(Dir.home, "bsdcapsicum.txt")