About
hbsdctl.rb is a C extension that binds libhbsdcontrol from the HardenedBSD project to Ruby. Through this library, any user can query which features are available; a superuser can also enable, disable or query the status of a feature for a given file.
Examples
Features
A regular user account can obtain a list of available features. Enabling, disabling or querying the status of a feature for a given file requires a superuser account:
#!/usr/bin/env ruby
# As a regular user account
require "hbsdctl"
BSD::Control
  .available_features
  .each do
    print "The ", _1.name, " feature is available", "\n"
  end
Enable
As a superuser account, you can enable or disable a feature for a given file. The example enables the mprotect feature for the emacs binary:
#!/usr/bin/env ruby
# As a superuser account
require "hbsdctl"
BSD::Control
  .feature(:mprotect)
  .enable!("/usr/local/bin/emacs-29.2")
Status
As a superuser account, you can query whether or not a feature is enabled or disabled for a given file. There are four statuses that can be returned: conflict, sysdef, enabled, and disabled. The first status (conflict) is rare and indicates that a feature is both enabled and disabled. The other three are more common. The sysdef status indicates that a feature takes its settings from the system default (sysctl):
#!/usr/bin/env ruby
# As a superuser account
require "hbsdctl"
BSD::Control
  .feature(:mprotect)
  .status("/bin/ls") # => :sysdef
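An added example, not part of hbsdctl.rb: using only the calls shown above, it reports files where a feature has been explicitly disabled or is in conflict, which is the usual question when reviewing hardening exemptions. The `audit` helper, the `FLAGGED` constant and the choice of which statuses to flag are assumptions made for illustration.

```ruby
#!/usr/bin/env ruby
# Added example (not part of hbsdctl.rb): list files whose hardening
# feature has been explicitly switched off or is in conflict.
begin
  require "hbsdctl"
rescue LoadError
  # Gem not installed (e.g. not on HardenedBSD); audit() still accepts
  # any object that responds to feature(name).status(path).
end

# Statuses worth a reviewer's attention. :sysdef and :enabled are left
# out because the feature is either on or follows the system default.
FLAGGED = %i[disabled conflict].freeze

# Hypothetical helper. Returns [[path, feature_name, status], ...]
# for every (path, feature) pair whose status is in FLAGGED.
def audit(paths, feature_names, control)
  paths.product(feature_names).filter_map do |path, name|
    status = control.feature(name).status(path)
    [path, name, status] if FLAGGED.include?(status)
  end
end

# Runs only as a superuser with the gem loaded, as status queries require.
if defined?(BSD::Control) && Process.uid.zero?
  # Paths and feature taken from the examples above.
  paths = ["/bin/ls", "/usr/local/bin/emacs-29.2"].select { File.file?(_1) }
  audit(paths, [:mprotect], BSD::Control).each do |path, name, status|
    print path, ": ", name, " is ", status, "\n"
  end
end
```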
Documentation
A complete API reference is available at 0x1eef.github.io/x/hbsdctl.rb.
Install
Git
hbsdctl.rb is distributed as a RubyGem through its git repositories. git.hardenedbsd.org, GitHub, and GitLab are available as sources.
Rubygems.org
hbsdctl.rb can also be installed via rubygems.org.
gem install hbsdctl.rb
License
BSD Zero Clause.
See LICENSE.