Module: Capsicum

Defined in:

lib/capsicum.rb,
lib/capsicum/version.rb

Defined Under Namespace

Modules: LibC Classes: IntPtr

Constant Summary

VERSION =

"0.1.0"

Class Method Summary

• .enter! ⇒ Boolean

  Enter capability sandbox mode.

• .sandboxed? ⇒ Boolean

  Check if we’re in capability mode.

• .within_sandbox { ... } ⇒ Process::Status

  Run the block within a forked process in capability mode and wait for it to complete.

Class Method Details

.enter! ⇒ Boolean

Enter capability sandbox mode.

Returns:

• (Boolean) —

  true if we’ve entered capability mode.

Raises:

• (Errno::ENOTCAPABLE) —

  • Capsicum not enabled.

See Also:

• cap_enter(2)

# File 'lib/capsicum.rb', line 42

def enter!
  ret = LibC.cap_enter

  if ret == 0
    return true
  else
    raise SystemCallError.new("cap_enter", LibC.errno)
  end
end

.sandboxed? ⇒ Boolean

Check if we’re in capability mode.

Returns:

• (Boolean) —

  true if we’ve entered capability mode

Raises:

• (Errno::ENOTCAPABLE) —

  • Capsicum not enabled.

See Also:

• cap_getmode(2)

# File 'lib/capsicum.rb', line 25

def sandboxed?
  ptr = IntPtr.new
  ret = LibC.cap_getmode(ptr)

  if ret == 0
    ptr[:value] == 1
  else
    raise SystemCallError.new("cap_getmode", LibC.errno)
  end
end

.within_sandbox { ... } ⇒ Process::Status

Run the block within a forked process in capability mode and wait for it to complete.

Yields:

• block to run within the forked child.

Returns:

• (Process::Status) —

  exit status of the forked child.

# File 'lib/capsicum.rb', line 57

def within_sandbox
  return enum_for(:within_sandbox) unless block_given?

  pid = fork do
    Capsicum.enter!
    yield
  end

  Process.waitpid2(pid).last
end