Class: Cap2::File

Inherits:

Object

• Object
• Cap2::File

Defined in:

lib/cap2/file.rb,
ext/cap2/cap2.c

Overview

A class with methods for managing capabilities for the file with filename provided to the initialize method.

Instance Method Summary

• #allow_inherit(*capabilities) ⇒ Object

  Allow processes executing this file to inherit the given capabilities.

• #clear ⇒ Object

  Clear all capabilites.

• #disable ⇒ Object

  Dont enable the permitted capabilities when a proces executes this file.

• #disallow_inherit(*capabilities) ⇒ Object

  Dont allow processes executing this file to inherit the given capabilities.

• #enable ⇒ Object

  Enable the permitted capabilities when a proces executes this file.

• #enabled? ⇒ Boolean

  Returns whether or not the file has any effective capabilities.

• #getcaps ⇒ Object

  Return a caps hash containing the capabilities of self.

• #inheritable?(*capabilities) ⇒ Boolean

  Returns whether the given capabilities are inheritable.

• #initialize(filename) ⇒ File constructor

  Initialize a new File object for the given filename.

• #permit(*capabilities) ⇒ Object

  Permit processes executing this file to enable the given capabilities.

• #permitted?(*capabilities) ⇒ Boolean

  Returns whether the given capabilities are permitted.

• #save ⇒ Object

  Set the capabilities for self from the caps hash stored in @caps.

• #unpermit(*capabilities) ⇒ Object

  Dont permit processes executing this file to enable the given capabilities.

Constructor Details

#initialize(filename) ⇒ File

Initialize a new File object for the given filename.

# File 'lib/cap2/file.rb', line 6

def initialize(filename)
  @filename = filename
  @caps     = getcaps
end

Instance Method Details

#allow_inherit(*capabilities) ⇒ Object

Allow processes executing this file to inherit the given capabilities.

# File 'lib/cap2/file.rb', line 43

def allow_inherit(*capabilities)
  @caps[:inheritable].merge parse(capabilities)
  save
end

#clear ⇒ Object

Clear all capabilites

# File 'lib/cap2/file.rb', line 67

def clear
  @caps.each_pair { |_, s| s.clear }
  save
end

#disable ⇒ Object

Dont enable the permitted capabilities when a proces executes this file.

# File 'lib/cap2/file.rb', line 61

def disable
  @caps[:effective].clear
  save
end

#disallow_inherit(*capabilities) ⇒ Object

Dont allow processes executing this file to inherit the given capabilities.

# File 'lib/cap2/file.rb', line 49

def disallow_inherit(*capabilities)
  @caps[:inheritable].subtract parse(capabilities)
  save
end

#enable ⇒ Object

Enable the permitted capabilities when a proces executes this file.

# File 'lib/cap2/file.rb', line 55

def enable
  @caps[:effective] = @caps[:permitted] + @caps[:inheritable]
  save
end

#enabled? ⇒ Boolean

Returns whether or not the file has any effective capabilities.

Returns:

• (Boolean)

# File 'lib/cap2/file.rb', line 25

def enabled?
  reload
  !@caps[:effective].empty?
end

#getcaps ⇒ Object

Return a caps hash containing the capabilities of self.

# File 'ext/cap2/cap2.c', line 208

VALUE cap2_file_getcaps(VALUE self) {
  cap_t cap_d;
  char *filename;
  VALUE result;

  filename = cap2_file_filename(self);

  cap_d = cap_get_file(filename);

  if (cap_d == NULL && errno != ENODATA) {
    rb_raise(
      rb_eRuntimeError,
      "Failed to get capabilities for file %s: (%s)\n",
      filename, strerror(errno)
    );
  } else {
    result = cap2_caps_to_hash(cap_d);
    cap_free(cap_d);
    return result;
  }
}

#inheritable?(*capabilities) ⇒ Boolean

Returns whether the given capabilities are inheritable

Returns:

• (Boolean)

# File 'lib/cap2/file.rb', line 18

def inheritable?(*capabilities)
  reload
  @caps[:inheritable].superset? Set[*capabilities]
end

#permit(*capabilities) ⇒ Object

Permit processes executing this file to enable the given capabilities.

# File 'lib/cap2/file.rb', line 31

def permit(*capabilities)
  @caps[:permitted].merge parse(capabilities)
  save
end

#permitted?(*capabilities) ⇒ Boolean

Returns whether the given capabilities are permitted

Returns:

• (Boolean)

# File 'lib/cap2/file.rb', line 12

def permitted?(*capabilities)
  reload
  @caps[:permitted].superset? Set[*capabilities]
end

#save ⇒ Object

Set the capabilities for self from the caps hash stored in @caps.

# File 'ext/cap2/cap2.c', line 233

VALUE cap2_file_setcaps(VALUE self) {
  int i;
  cap_t cap_d;
  char *filename;
  VALUE caps, cap_array, cap_sym;
  cap_value_t cap_values[__CAP_COUNT];

  cap_d = cap_init();

  caps = rb_iv_get(self, "@caps");

  // permitted
  cap_array = rb_funcall(
    rb_hash_aref(caps, ID2SYM(rb_intern("permitted"))),
    rb_intern("to_a"),
    0
  );

  for(i = 0; i < RARRAY_LEN(cap_array); i++) {
    cap_sym = RARRAY_PTR(cap_array)[i];
    cap_values[i] = cap2_sym_to_cap(cap_sym);
  }

  cap_set_flag(cap_d, CAP_PERMITTED, i, cap_values, CAP_SET);

  // effective
  cap_array = rb_funcall(
    rb_hash_aref(caps, ID2SYM(rb_intern("effective"))),
    rb_intern("to_a"),
    0
  );

  for(i = 0; i < RARRAY_LEN(cap_array); i++) {
    cap_sym = RARRAY_PTR(cap_array)[i];
    cap_values[i] = cap2_sym_to_cap(cap_sym);
  }

  cap_set_flag(cap_d, CAP_EFFECTIVE, i, cap_values, CAP_SET);

  // inheritable
  cap_array = rb_funcall(
    rb_hash_aref(caps, ID2SYM(rb_intern("inheritable"))),
    rb_intern("to_a"),
    0
  );

  for(i = 0; i < RARRAY_LEN(cap_array); i++) {
    cap_sym = RARRAY_PTR(cap_array)[i];
    cap_values[i] = cap2_sym_to_cap(cap_sym);
  }

  cap_set_flag(cap_d, CAP_INHERITABLE, i, cap_values, CAP_SET);

  filename = cap2_file_filename(self);

  if(cap_set_file(filename, cap_d) == -1) {
    rb_raise(
      rb_eRuntimeError,
      "Failed to set capabilities for file %s: (%s)\n",
      filename, strerror(errno)
    );
  } else {
    cap_free(cap_d);
    return Qtrue;
  }
}

#unpermit(*capabilities) ⇒ Object

Dont permit processes executing this file to enable the given capabilities.

# File 'lib/cap2/file.rb', line 37

def unpermit(*capabilities)
  @caps[:permitted].subtract parse(capabilities)
  save
end